_ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EEC2Ev: 62| 2| AlignmentBuffer() = default; _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE5clearEv: 71| 4| void clear() { 72| 4| zeroize_buffer(m_buffer.data(), m_buffer.size()); 73| 4| m_position = 0; 74| 4| } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EED2Ev: 64| 2| ~AlignmentBuffer() { secure_zeroize_buffer(m_buffer.data(), sizeof(T) * m_buffer.size()); } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE21handle_unaligned_dataERNS_12BufferSlicerE: 166| 2| [[nodiscard]] std::optional> handle_unaligned_data(BufferSlicer& slicer) { 167| | // When the final block is to be deferred, we would need to store and 168| | // hold a buffer that contains exactly one block until more data is 169| | // passed or it is explicitly consumed. 170| 2| const size_t defer = (defers_final_block()) ? 1 : 0; ------------------ | Branch (170:31): [True: 0, False: 2] ------------------ 171| | 172| 2| if(in_alignment() && slicer.remaining() >= m_buffer.size() + defer) { ------------------ | Branch (172:13): [True: 2, False: 0] | Branch (172:31): [True: 0, False: 2] ------------------ 173| | // We are currently in alignment and the passed-in data source 174| | // contains enough data to benefit from aligned processing. 175| | // Therefore, we don't copy anything into the intermittent buffer. 176| 0| return std::nullopt; 177| 0| } 178| | 179| | // Fill the buffer with as much input data as needed to reach alignment 180| | // or until the input source is depleted. 181| 2| const auto elements_to_consume = std::min(m_buffer.size() - m_position, slicer.remaining()); 182| 2| append(slicer.take(elements_to_consume)); 183| | 184| | // If we collected enough data, we push out one full block. When 185| | // deferring the final block is enabled, we additionally check that 186| | // more input data is available to continue processing a consecutive 187| | // block. 188| 2| if(ready_to_consume() && (!defers_final_block() || !slicer.empty())) { ------------------ | Branch (188:13): [True: 0, False: 2] | Branch (188:36): [True: 0, False: 0] | Branch (188:61): [True: 0, False: 0] ------------------ 189| 0| return consume(); 190| 2| } else { 191| 2| return std::nullopt; 192| 2| } 193| 2| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE18defers_final_blockEv: 233| 2| constexpr bool defers_final_block() const { 234| 2| return FINAL_BLOCK_STRATEGY == AlignmentBufferFinalBlock::must_be_deferred; 235| 2| } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE6appendENSt3__14spanIKhLm18446744073709551615EEE: 90| 4| void append(std::span elements) { 91| 4| BOTAN_ASSERT_NOMSG(elements.size() <= elements_until_alignment()); ------------------ | | 77| 4| do { \ | | 78| 4| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 4| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 4] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 4| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 4] | | ------------------ ------------------ 92| 4| std::copy(elements.begin(), elements.end(), m_buffer.begin() + m_position); 93| 4| m_position += elements.size(); 94| 4| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE24elements_until_alignmentEv: 221| 10| size_t elements_until_alignment() const { return m_buffer.size() - m_position; } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE16ready_to_consumeEv: 231| 8| bool ready_to_consume() const { return m_position == m_buffer.size(); } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE7consumeEv: 200| 2| [[nodiscard]] std::span consume() { 201| 2| BOTAN_ASSERT_NOMSG(ready_to_consume()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 202| 2| m_position = 0; 203| 2| return m_buffer; 204| 2| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE12in_alignmentEv: 226| 4| bool in_alignment() const { return m_position == 0; } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE18fill_up_with_zerosEv: 79| 2| void fill_up_with_zeros() { 80| 2| if(!ready_to_consume()) { ------------------ | Branch (80:13): [True: 2, False: 0] ------------------ 81| 2| zeroize_buffer(&m_buffer[m_position], elements_until_alignment()); 82| 2| m_position = m_buffer.size(); 83| 2| } 84| 2| } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE20directly_modify_lastEm: 113| 2| std::span directly_modify_last(size_t elements) { 114| 2| BOTAN_ASSERT_NOMSG(size() >= elements); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 115| 2| return std::span(m_buffer).last(elements); 116| 2| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE4sizeEv: 217| 2| constexpr size_t size() const { return m_buffer.size(); } _ZNK5Botan17Barrett_Reduction4cubeERKNS_6BigIntE: 66| 3.41k| BigInt cube(const BigInt& x) const { return this->multiply(x, this->square(x)); } _ZNK5Botan17Barrett_Reduction12modulus_bitsEv: 71| 590| size_t modulus_bits() const { return m_modulus_bits; } _ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEmEET_S2_: 28| 338M|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) { 29| 338M| const T top = CT::value_barrier(a >> (sizeof(T) * 8 - 1)); 30| 338M| return static_cast(0) - top; 31| 338M|} _ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEmEET_S2_: 37| 298M|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) { 38| 298M| return ct_expand_top_bit(~x & (x - 1)); 39| 298M|} _ZN5Botan6chooseITkNSt3__117unsigned_integralEmEET_S2_S2_S2_: 216| 399M|BOTAN_FORCE_INLINE constexpr T choose(T mask, T a, T b) { 217| | //return (mask & a) | (~mask & b); 218| 399M| return (b ^ (mask & (a ^ b))); 219| 399M|} _ZN5Botan8high_bitITkNSt3__117unsigned_integralEjEEmT_: 73| 2.67k|BOTAN_FORCE_INLINE constexpr size_t high_bit(T n) { 74| 2.67k| size_t hb = 0; 75| | 76| 16.0k| for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) { ------------------ | Branch (76:38): [True: 13.3k, False: 2.67k] ------------------ 77| | // Equivalent to: ((n >> s) == 0) ? 0 : s; 78| 13.3k| const size_t z = s - ct_if_is_zero_ret(n >> s, s); 79| 13.3k| hb += z; 80| 13.3k| n >>= z; 81| 13.3k| } 82| | 83| 2.67k| hb += n; 84| | 85| 2.67k| return hb; 86| 2.67k|} _ZN5Botan17ct_if_is_zero_retITkNSt3__117unsigned_integralEjEEmT_m: 45| 13.3k|BOTAN_FORCE_INLINE constexpr size_t ct_if_is_zero_ret(T x, size_t s) { 46| | /* 47| | Similar to `return ct_is_zero(x) & s` but has to account for possibility that 48| | sizeof(T) is smaller than sizeof(size_t) which would lead to incomplete masking 49| | */ 50| 13.3k| const T a = ~x & (x - 1); 51| 13.3k| const size_t a_top = static_cast(CT::value_barrier(a >> (sizeof(T) * 8 - 1))); 52| 13.3k| const size_t mask = static_cast(0) - a_top; 53| 13.3k| return mask & s; 54| 13.3k|} _ZN5Botan17ct_if_is_zero_retITkNSt3__117unsigned_integralEmEEmT_m: 45| 3.18M|BOTAN_FORCE_INLINE constexpr size_t ct_if_is_zero_ret(T x, size_t s) { 46| | /* 47| | Similar to `return ct_is_zero(x) & s` but has to account for possibility that 48| | sizeof(T) is smaller than sizeof(size_t) which would lead to incomplete masking 49| | */ 50| 3.18M| const T a = ~x & (x - 1); 51| 3.18M| const size_t a_top = static_cast(CT::value_barrier(a >> (sizeof(T) * 8 - 1))); 52| 3.18M| const size_t mask = static_cast(0) - a_top; 53| 3.18M| return mask & s; 54| 3.18M|} _ZN5Botan13is_power_of_2ITkNSt3__117unsigned_integralEmEEbT_: 62| 36.0k|BOTAN_FORCE_INLINE constexpr bool is_power_of_2(T arg) { 63| 36.0k| return (arg != 0) && (arg != 1) && ((arg & static_cast(arg - 1)) == 0); ------------------ | Branch (63:11): [True: 36.0k, False: 0] | Branch (63:25): [True: 36.0k, False: 0] | Branch (63:39): [True: 22.1k, False: 13.8k] ------------------ 64| 36.0k|} _ZN5Botan8high_bitITkNSt3__117unsigned_integralEmEEmT_: 73| 73.8k|BOTAN_FORCE_INLINE constexpr size_t high_bit(T n) { 74| 73.8k| size_t hb = 0; 75| | 76| 517k| for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) { ------------------ | Branch (76:38): [True: 443k, False: 73.8k] ------------------ 77| | // Equivalent to: ((n >> s) == 0) ? 0 : s; 78| 443k| const size_t z = s - ct_if_is_zero_ret(n >> s, s); 79| 443k| hb += z; 80| 443k| n >>= z; 81| 443k| } 82| | 83| 73.8k| hb += n; 84| | 85| 73.8k| return hb; 86| 73.8k|} _ZN5Botan9ceil_log2ITkNSt3__117unsigned_integralEmEEhT_QltstS2_Li32E: 142| 841|{ 143| 841| if(x >> (sizeof(T) * 8 - 1)) { ------------------ | Branch (143:7): [True: 0, False: 841] ------------------ 144| 0| return sizeof(T) * 8; 145| 0| } 146| | 147| 841| uint8_t result = 0; 148| 841| T compare = 1; 149| | 150| 9.86k| while(compare < x) { ------------------ | Branch (150:10): [True: 9.02k, False: 841] ------------------ 151| 9.02k| compare <<= 1; 152| 9.02k| result++; 153| 9.02k| } 154| | 155| 841| return result; 156| 841|} _ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEhEET_S2_: 37| 612k|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) { 38| 612k| return ct_expand_top_bit(~x & (x - 1)); 39| 612k|} _ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEhEET_S2_: 28| 612k|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) { 29| 612k| const T top = CT::value_barrier(a >> (sizeof(T) * 8 - 1)); 30| 612k| return static_cast(0) - top; 31| 612k|} _ZN5Botan6chooseITkNSt3__117unsigned_integralEhEET_S2_S2_S2_: 216| 612k|BOTAN_FORCE_INLINE constexpr T choose(T mask, T a, T b) { 217| | //return (mask & a) | (~mask & b); 218| 612k| return (b ^ (mask & (a ^ b))); 219| 612k|} _ZN5Botan3ctzITkNSt3__117unsigned_integralEmEEmT_: 115| 390k|BOTAN_FORCE_INLINE constexpr size_t ctz(T n) { 116| | /* 117| | * If n == 0 then this function will compute 8*sizeof(T)-1, so 118| | * initialize lb to 1 if n == 0 to produce the expected result. 119| | */ 120| 390k| size_t lb = ct_if_is_zero_ret(n, 1); 121| | 122| 2.73M| for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) { ------------------ | Branch (122:38): [True: 2.34M, False: 390k] ------------------ 123| 2.34M| const T range = (static_cast(1) << s) - 1; 124| | // Equivalent to: ((n & range) == 0) ? s : 0; 125| 2.34M| const size_t z = ct_if_is_zero_ret(n & range, s); 126| 2.34M| lb += z; 127| 2.34M| n >>= z; 128| 2.34M| } 129| | 130| 390k| return lb; 131| 390k|} _ZN5Botan9ceil_log2ITkNSt3__117unsigned_integralEjEEhT_QltstS2_Li32E: 142| 68|{ 143| 68| if(x >> (sizeof(T) * 8 - 1)) { ------------------ | Branch (143:7): [True: 0, False: 68] ------------------ 144| 0| return sizeof(T) * 8; 145| 0| } 146| | 147| 68| uint8_t result = 0; 148| 68| T compare = 1; 149| | 150| 530| while(compare < x) { ------------------ | Branch (150:10): [True: 462, False: 68] ------------------ 151| 462| compare <<= 1; 152| 462| result++; 153| 462| } 154| | 155| 68| return result; 156| 68|} _ZN5Botan12ceil_tobytesITkNSt3__117unsigned_integralEjEET_S2_: 175| 136|BOTAN_FORCE_INLINE constexpr T ceil_tobytes(T bits) { 176| 136| return (bits + 7) / 8; 177| 136|} _ZN5Botan8majorityITkNSt3__117unsigned_integralEmEET_S2_S2_S2_: 222| 160|BOTAN_FORCE_INLINE constexpr T majority(T a, T b, T c) { 223| | /* 224| | Considering each bit of a, b, c individually 225| | 226| | If a xor b is set, then c is the deciding vote. 227| | 228| | If a xor b is not set then either a and b are both set or both unset. 229| | In either case the value of c doesn't matter, and examining b (or a) 230| | allows us to determine which case we are in. 231| | */ 232| 160| return choose(a ^ b, c, b); 233| 160|} _ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEjEET_S2_: 37| 1.15k|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) { 38| 1.15k| return ct_expand_top_bit(~x & (x - 1)); 39| 1.15k|} _ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEjEET_S2_: 28| 123k|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) { 29| 123k| const T top = CT::value_barrier(a >> (sizeof(T) * 8 - 1)); 30| 123k| return static_cast(0) - top; 31| 123k|} _ZN5Botan13reverse_bytesITkNSt3__117unsigned_integralEmQooooooeqstT_Li1EeqstS2_Li2EeqstS2_Li4EeqstS2_Li8EEES2_S2_: 27| 208k|inline constexpr T reverse_bytes(T x) { 28| | if constexpr(sizeof(T) == 1) { 29| | return x; 30| | } else if constexpr(sizeof(T) == 2) { 31| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16) 32| | return static_cast(__builtin_bswap16(x)); 33| |#else 34| | return static_cast((x << 8) | (x >> 8)); 35| |#endif 36| | } else if constexpr(sizeof(T) == 4) { 37| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32) 38| | return static_cast(__builtin_bswap32(x)); 39| |#else 40| | // MSVC at least recognizes this as a bswap 41| | return static_cast(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) | 42| | ((x & 0xFF000000) >> 24)); 43| |#endif 44| 208k| } else if constexpr(sizeof(T) == 8) { 45| 208k|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64) 46| 208k| return static_cast(__builtin_bswap64(x)); 47| |#else 48| | uint32_t hi = static_cast(x >> 32); 49| | uint32_t lo = static_cast(x); 50| | 51| | hi = reverse_bytes(hi); 52| | lo = reverse_bytes(lo); 53| | 54| | return (static_cast(lo) << 32) | hi; 55| |#endif 56| 208k| } 57| 208k|} _ZN5Botan13reverse_bytesITkNSt3__117unsigned_integralEtQooooooeqstT_Li1EeqstS2_Li2EeqstS2_Li4EeqstS2_Li8EEES2_S2_: 27| 332|inline constexpr T reverse_bytes(T x) { 28| | if constexpr(sizeof(T) == 1) { 29| | return x; 30| 332| } else if constexpr(sizeof(T) == 2) { 31| 332|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16) 32| 332| return static_cast(__builtin_bswap16(x)); 33| |#else 34| | return static_cast((x << 8) | (x >> 8)); 35| |#endif 36| | } else if constexpr(sizeof(T) == 4) { 37| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32) 38| | return static_cast(__builtin_bswap32(x)); 39| |#else 40| | // MSVC at least recognizes this as a bswap 41| | return static_cast(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) | 42| | ((x & 0xFF000000) >> 24)); 43| |#endif 44| | } else if constexpr(sizeof(T) == 8) { 45| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64) 46| | return static_cast(__builtin_bswap64(x)); 47| |#else 48| | uint32_t hi = static_cast(x >> 32); 49| | uint32_t lo = static_cast(x); 50| | 51| | hi = reverse_bytes(hi); 52| | lo = reverse_bytes(lo); 53| | 54| | return (static_cast(lo) << 32) | hi; 55| |#endif 56| | } 57| 332|} _ZN5Botan12BufferSlicerC2ENSt3__14spanIKhLm18446744073709551615EEE: 25| 19.0k| explicit BufferSlicer(std::span buffer) : m_remaining(buffer) {} _ZNK5Botan12BufferSlicer5emptyEv: 68| 318k| bool empty() const { return m_remaining.empty(); } _ZN5Botan12BufferSlicer9take_byteEv: 57| 162k| uint8_t take_byte() { return take(1)[0]; } _ZN5Botan12BufferSlicer4takeEm: 37| 167k| std::span take(const size_t count) { 38| 167k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 167k| do { \ | | 52| 167k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 167k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 167k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 167k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 167k] | | ------------------ ------------------ 39| 167k| auto result = m_remaining.first(count); 40| 167k| m_remaining = m_remaining.subspan(count); 41| 167k| return result; 42| 167k| } _ZNK5Botan12BufferSlicer9remainingEv: 66| 218k| size_t remaining() const { return m_remaining.size(); } _ZN5Botan12BufferSlicer9copy_intoENSt3__14spanIhLm18446744073709551615EEE: 59| 4.20k| void copy_into(std::span sink) { 60| 4.20k| const auto data = take(sink.size()); 61| 4.20k| std::copy(data.begin(), data.end(), sink.begin()); 62| 4.20k| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_18SphincsPublicSeed_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_16SphincsTreeNode_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_18SphincsSecretSeed_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_17SphincsSecretPRF_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4takeILm8EEENSt3__14spanIKhXT_EEEv: 45| 44.4k| std::span take() { 46| 44.4k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 44.4k| do { \ | | 52| 44.4k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 44.4k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 44.4k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 44.4k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 44.4k] | | ------------------ ------------------ 47| 44.4k| auto result = m_remaining.first(); 48| 44.4k| m_remaining = m_remaining.subspan(count); 49| 44.4k| return result; 50| 44.4k| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEEDam: 28| 29| auto copy(const size_t count) { 29| 29| const auto result = take(count); 30| 29| return ContainerT(result.begin(), result.end()); 31| 29| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEEEDam: 28| 29| auto copy(const size_t count) { 29| 29| const auto result = take(count); 30| 29| return ContainerT(result.begin(), result.end()); 31| 29| } _ZN5Botan12BufferSlicer4takeILm4EEENSt3__14spanIKhXT_EEEv: 45| 5.63k| std::span take() { 46| 5.63k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 5.63k| do { \ | | 52| 5.63k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 5.63k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 5.63k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 5.63k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 5.63k] | | ------------------ ------------------ 47| 5.63k| auto result = m_remaining.first(); 48| 5.63k| m_remaining = m_remaining.subspan(count); 49| 5.63k| return result; 50| 5.63k| } _ZN5Botan12BufferSlicer4takeILm3EEENSt3__14spanIKhXT_EEEv: 45| 1.02k| std::span take() { 46| 1.02k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 1.02k| do { \ | | 52| 1.02k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 1.02k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 1.02k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 1.02k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 1.02k] | | ------------------ ------------------ 47| 1.02k| auto result = m_remaining.first(); 48| 1.02k| m_remaining = m_remaining.subspan(count); 49| 1.02k| return result; 50| 1.02k| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_28KyberImplicitRejectionValue_EJEEEEEDam: 28| 29| auto copy(const size_t count) { 29| 29| const auto result = take(count); 30| 29| return ContainerT(result.begin(), result.end()); 31| 29| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEEEDam: 28| 29| auto copy(const size_t count) { 29| 29| const auto result = take(count); 30| 29| return ContainerT(result.begin(), result.end()); 31| 29| } _ZN5Botan13BufferStufferC2ENSt3__14spanIhLm18446744073709551615EEE: 26| 906k| constexpr explicit BufferStuffer(std::span buffer) : m_buffer(buffer) {} _ZN5Botan13BufferStuffer6appendEhm: 64| 1.56k| constexpr void append(uint8_t b, size_t repeat = 1) { 65| 1.56k| auto sink = next(repeat); 66| 1.56k| std::fill(sink.begin(), sink.end(), b); 67| 1.56k| } _ZN5Botan13BufferStuffer4nextEm: 32| 1.13M| constexpr std::span next(size_t bytes) { 33| 1.13M| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 1.13M| do { \ | | 52| 1.13M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 1.13M| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 1.13M] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 1.13M| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 1.13M] | | ------------------ ------------------ 34| | 35| 1.13M| auto result = m_buffer.first(bytes); 36| 1.13M| m_buffer = m_buffer.subspan(bytes); 37| 1.13M| return result; 38| 1.13M| } _ZN5Botan13BufferStuffer6appendENSt3__14spanIKhLm18446744073709551615EEE: 59| 1.13M| constexpr void append(std::span buffer) { 60| 1.13M| auto sink = next(buffer.size()); 61| 1.13M| std::copy(buffer.begin(), buffer.end(), sink.begin()); 62| 1.13M| } _ZNK5Botan13BufferStuffer4fullEv: 69| 904k| constexpr bool full() const { return m_buffer.empty(); } _ZN5Botan13BufferStuffer4nextILm32EEENSt3__14spanIhXT_EEEv: 41| 814| constexpr std::span next() { 42| 814| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 814| do { \ | | 52| 814| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 814| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 814] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 814| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 814] | | ------------------ ------------------ 43| | 44| 814| auto result = m_buffer.first(); 45| 814| m_buffer = m_buffer.subspan(bytes); 46| 814| return result; 47| 814| } _ZN5Botan13BufferStuffer4nextILm48EEENSt3__14spanIhXT_EEEv: 41| 528| constexpr std::span next() { 42| 528| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 528| do { \ | | 52| 528| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 528| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 528] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 528| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 528] | | ------------------ ------------------ 43| | 44| 528| auto result = m_buffer.first(); 45| 528| m_buffer = m_buffer.subspan(bytes); 46| 528| return result; 47| 528| } _ZN5Botan13BufferStuffer4nextILm64EEENSt3__14spanIhXT_EEEv: 41| 276| constexpr std::span next() { 42| 276| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 276| do { \ | | 52| 276| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 276| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 276] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 276| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 276] | | ------------------ ------------------ 43| | 44| 276| auto result = m_buffer.first(); 45| 276| m_buffer = m_buffer.subspan(bytes); 46| 276| return result; 47| 276| } _ZN5Botan13BufferStuffer4nextILm24EEENSt3__14spanIhXT_EEEv: 41| 390| constexpr std::span next() { 42| 390| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 390| do { \ | | 52| 390| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 390| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 390] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 390| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 390] | | ------------------ ------------------ 43| | 44| 390| auto result = m_buffer.first(); 45| 390| m_buffer = m_buffer.subspan(bytes); 46| 390| return result; 47| 390| } _ZN5Botan13BufferStuffer4nextILm28EEENSt3__14spanIhXT_EEEv: 41| 264| constexpr std::span next() { 42| 264| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 264| do { \ | | 52| 264| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 264| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 264] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 264| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 264] | | ------------------ ------------------ 43| | 44| 264| auto result = m_buffer.first(); 45| 264| m_buffer = m_buffer.subspan(bytes); 46| 264| return result; 47| 264| } _ZN5Botan13BufferStuffer4nextILm66EEENSt3__14spanIhXT_EEEv: 41| 230| constexpr std::span next() { 42| 230| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 230| do { \ | | 52| 230| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 230| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 230] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 230| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 230] | | ------------------ ------------------ 43| | 44| 230| auto result = m_buffer.first(); 45| 230| m_buffer = m_buffer.subspan(bytes); 46| 230| return result; 47| 230| } base64.cpp:_ZN5Botan11base_decodeINS_12_GLOBAL__N_16Base64EEEmRKT_PhPKcmRmbb: 124| 114| bool ignore_ws = true) { 125| | // TODO(Botan4) Check if we can use just base. or Base:: here instead 126| 114| constexpr size_t decoding_bytes_in = std::remove_reference_t::decoding_bytes_in(); 127| 114| constexpr size_t decoding_bytes_out = std::remove_reference_t::decoding_bytes_out(); 128| | 129| 114| uint8_t* out_ptr = output; 130| 114| std::array decode_buf{}; 131| 114| size_t decode_buf_pos = 0; 132| 114| size_t final_truncate = 0; 133| | 134| 114| clear_mem(output, base.decode_max_output(input_length)); 135| | 136| 45.8k| for(size_t i = 0; i != input_length; ++i) { ------------------ | Branch (136:22): [True: 45.7k, False: 114] ------------------ 137| 45.7k| const uint8_t bin = base.lookup_binary_value(input[i]); 138| | 139| | // This call might throw Invalid_Argument 140| 45.7k| if(base.check_bad_char(bin, input[i], ignore_ws)) { ------------------ | Branch (140:10): [True: 7.62k, False: 38.1k] ------------------ 141| 7.62k| decode_buf[decode_buf_pos] = bin; 142| 7.62k| ++decode_buf_pos; 143| 7.62k| } 144| | 145| | /* 146| | * If we're at the end of the input, pad with 0s and truncate 147| | */ 148| 45.7k| if(final_inputs && (i == input_length - 1)) { ------------------ | Branch (148:10): [True: 45.7k, False: 23] | Branch (148:26): [True: 75, False: 45.6k] ------------------ 149| 75| if(decode_buf_pos) { ------------------ | Branch (149:13): [True: 40, False: 35] ------------------ 150| 122| for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j) { ------------------ | Branch (150:44): [True: 82, False: 40] ------------------ 151| 82| decode_buf[j] = 0; 152| 82| } 153| | 154| 40| final_truncate = decoding_bytes_in - decode_buf_pos; 155| 40| decode_buf_pos = decoding_bytes_in; 156| 40| } 157| 75| } 158| | 159| 45.7k| if(decode_buf_pos == decoding_bytes_in) { ------------------ | Branch (159:10): [True: 1.92k, False: 43.8k] ------------------ 160| 1.92k| base.decode(out_ptr, decode_buf.data()); 161| | 162| 1.92k| out_ptr += decoding_bytes_out; 163| 1.92k| decode_buf_pos = 0; 164| 1.92k| input_consumed = i + 1; 165| 1.92k| } 166| 45.7k| } 167| | 168| 4.55k| while(input_consumed < input_length && base.lookup_binary_value(input[input_consumed]) == 0x80) { ------------------ | Branch (168:10): [True: 4.45k, False: 96] | Branch (168:43): [True: 4.44k, False: 18] ------------------ 169| 4.44k| ++input_consumed; 170| 4.44k| } 171| | 172| 114| const size_t written = (out_ptr - output) - base.bytes_to_remove(final_truncate); 173| | 174| 114| return written; 175| 114|} base64.cpp:_ZN5Botan16base_decode_fullINS_12_GLOBAL__N_16Base64EEEmRKT_PhPKcmb: 178| 114|size_t base_decode_full(const Base& base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws) { 179| 114| size_t consumed = 0; 180| 114| const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws); 181| | 182| 114| if(consumed != input_length) { ------------------ | Branch (182:7): [True: 18, False: 96] ------------------ 183| 18| throw Invalid_Argument(base.name() + " decoding failed, input did not have full bytes"); 184| 18| } 185| | 186| 96| return written; 187| 114|} base64.cpp:_ZN5Botan18base_decode_to_vecINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_12_GLOBAL__N_16Base64EEET_RKT0_PKcmb: 190| 114|Vector base_decode_to_vec(const Base& base, const char input[], size_t input_length, bool ignore_ws) { 191| 114| const size_t output_length = base.decode_max_output(input_length); 192| 114| Vector bin(output_length); 193| | 194| 114| const size_t written = base_decode_full(base, bin.data(), input, input_length, ignore_ws); 195| | 196| 114| bin.resize(written); 197| 114| return bin; 198| 114|} _ZN5Botan6concatINS_6detail10AutoDetectETpTkNS_6ranges14spanable_rangeEJNSt3__16vectorIhNS4_9allocatorIhEEEERNS_6StrongIS8_NS_13KyberSeedRho_EJEEEEEEDaDpOT0_Q10all_same_vIDpNS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRSD_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISM_EESN_E4type10value_typeEE: 92| 29|{ 93| 29| if constexpr(std::same_as) { 94| | // Try to auto-detect a reasonable output type given the input ranges 95| 29| static_assert(sizeof...(Rs) > 0, "Cannot auto-detect the output type if not a single input range is provided."); 96| 29| using candidate_result_t = std::remove_cvref_t>>; 97| 29| using result_range_value_t = std::remove_cvref_t>; 98| | 99| | if constexpr((ranges::statically_spanable_range && ...)) { 100| | // If all input ranges have a static extent, we can calculate the total size at compile time 101| | // and therefore can use a statically sized output container. This is constexpr. 102| | constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0); 103| | using out_array_t = std::array; 104| | return detail::concatenate(std::forward(ranges)...); 105| 29| } else { 106| | // If at least one input range has a dynamic extent, we must use a dynamically allocated output container. 107| | // We assume that the user wants to use the first input range's container type as output type. 108| 29| static_assert( 109| 29| concepts::reservable_container, 110| 29| "First input range has static extent, but a dynamically allocated output range is required. Please explicitly specify a dynamically allocatable output type."); 111| 29| return detail::concatenate(std::forward(ranges)...); 112| 29| } 113| | } else { 114| | // The caller has explicitly specified the output type 115| | return detail::concatenate(std::forward(ranges)...); 116| | } 117| 29|} _ZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_E: 33| 29|{ 34| 29| OutR result{}; 35| | 36| | // Prepare and validate the output range and construct a lambda that does the 37| | // actual filling of the result buffer. 38| | // (if no input ranges are given, GCC claims that fill_fn is unused) 39| 29| [[maybe_unused]] auto fill_fn = [&] { 40| 29| if constexpr(concepts::reservable_container) { 41| | // dynamically allocate the correct result byte length 42| 29| const size_t total_size = (ranges.size() + ... + 0); 43| 29| result.reserve(total_size); 44| | 45| | // fill the result buffer using a back-inserter 46| 29| return [&result](auto&& range) { 47| 29| std::copy( 48| 29| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 29| }; 50| 29| } else { 51| 29| if constexpr((ranges::statically_spanable_range && ... && true)) { 52| | // all input ranges have a static extent, so check the total size at compile time 53| | // (work around an issue in MSVC that warns `total_size` is unused) 54| 29| [[maybe_unused]] constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0); 55| 29| static_assert(result.size() == total_size, "size of result buffer does not match the sum of input buffers"); 56| 29| } else { 57| | // at least one input range has a dynamic extent, so check the total size at runtime 58| 29| const size_t total_size = (ranges.size() + ... + 0); 59| 29| BOTAN_ARG_CHECK(result.size() == total_size, 60| 29| "result buffer has static extent that does not match the sum of input buffers"); 61| 29| } 62| | 63| | // fill the result buffer and hold the current output-iterator position 64| 29| return [itr = std::ranges::begin(result)](auto&& range) mutable { 65| 29| std::copy(std::ranges::begin(range), std::ranges::end(range), itr); 66| 29| std::advance(itr, std::ranges::size(range)); 67| 29| }; 68| 29| } 69| 29| }(); 70| | 71| | // perform the actual concatenation 72| 29| (fill_fn(std::forward(ranges)), ...); 73| | 74| 29| return result; 75| 29|} _ZZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_EENKUlvE_clEv: 39| 29| [[maybe_unused]] auto fill_fn = [&] { 40| 29| if constexpr(concepts::reservable_container) { 41| | // dynamically allocate the correct result byte length 42| 29| const size_t total_size = (ranges.size() + ... + 0); 43| 29| result.reserve(total_size); 44| | 45| | // fill the result buffer using a back-inserter 46| 29| return [&result](auto&& range) { 47| 29| std::copy( 48| 29| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 29| }; 50| | } else { 51| | if constexpr((ranges::statically_spanable_range && ... && true)) { 52| | // all input ranges have a static extent, so check the total size at compile time 53| | // (work around an issue in MSVC that warns `total_size` is unused) 54| | [[maybe_unused]] constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0); 55| | static_assert(result.size() == total_size, "size of result buffer does not match the sum of input buffers"); 56| | } else { 57| | // at least one input range has a dynamic extent, so check the total size at runtime 58| | const size_t total_size = (ranges.size() + ... + 0); 59| | BOTAN_ARG_CHECK(result.size() == total_size, 60| | "result buffer has static extent that does not match the sum of input buffers"); 61| | } 62| | 63| | // fill the result buffer and hold the current output-iterator position 64| | return [itr = std::ranges::begin(result)](auto&& range) mutable { 65| | std::copy(std::ranges::begin(range), std::ranges::end(range), itr); 66| | std::advance(itr, std::ranges::size(range)); 67| | }; 68| | } 69| 29| }(); _ZZZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_EENKUlvE_clEvENKUlOSC_E_clIS7_EEDaSH_: 46| 29| return [&result](auto&& range) { 47| 29| std::copy( 48| 29| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 29| }; _ZZZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_EENKUlvE_clEvENKUlOSC_E_clISB_EEDaSH_: 46| 29| return [&result](auto&& range) { 47| 29| std::copy( 48| 29| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 29| }; _ZN5Botan5CPUID3hasENS_10CPUFeatureE: 94| 35.7k| static bool has(CPUID::Feature feat) { return state().has_bit(feat.as_u32()); } _ZN5Botan5CPUID5stateEv: 156| 35.7k| static CPUID_Data& state() { 157| 35.7k| static CPUID::CPUID_Data g_cpuid; 158| 35.7k| return g_cpuid; 159| 35.7k| } _ZNK5Botan5CPUID10CPUID_Data7has_bitEj: 144| 35.7k| bool has_bit(uint32_t bit) const { return (m_processor_features & bit) == bit; } _ZN5Botan5CPUID3hasENS_10CPUFeatureES1_: 99| 4| static bool has(CPUID::Feature feat1, CPUID::Feature feat2) { 100| 4| return state().has_bit(feat1.as_u32() | feat2.as_u32()); 101| 4| } _ZN5Botan5CPUID6is_setEjNS_10CPUFeatureE: 127| 4| static inline bool is_set(uint32_t allowed, CPUID::Feature bit) { 128| 4| const uint32_t feat_bit = bit.as_u32(); 129| 4| return ((allowed & feat_bit) == feat_bit); 130| 4| } cpuid_x86.cpp:_ZN5Botan5CPUID6if_setIZNS0_10CPUID_Data19detect_cpu_featuresEjE16x86_CPUID_1_bitsEEjmT_NS_10CPUFeatureEj: 117| 6| static inline uint32_t if_set(uint64_t cpuid, T flag, CPUID::Feature bit, uint32_t allowed) { 118| 6| const uint64_t flag64 = static_cast(flag); 119| 6| if((cpuid & flag64) == flag64) { ------------------ | Branch (119:13): [True: 6, False: 0] ------------------ 120| 6| return (bit.as_u32() & allowed); 121| 6| } else { 122| 0| return 0; 123| 0| } 124| 6| } cpuid_x86.cpp:_ZN5Botan5CPUID6if_setIZNS0_10CPUID_Data19detect_cpu_featuresEjE16x86_CPUID_7_bitsEEjmT_NS_10CPUFeatureEj: 117| 8| static inline uint32_t if_set(uint64_t cpuid, T flag, CPUID::Feature bit, uint32_t allowed) { 118| 8| const uint64_t flag64 = static_cast(flag); 119| 8| if((cpuid & flag64) == flag64) { ------------------ | Branch (119:13): [True: 5, False: 3] ------------------ 120| 5| return (bit.as_u32() & allowed); 121| 5| } else { 122| 3| return 0; 123| 3| } 124| 8| } cpuid_x86.cpp:_ZN5Botan5CPUID6if_setIZNS0_10CPUID_Data19detect_cpu_featuresEjE18x86_CPUID_7_1_bitsEEjmT_NS_10CPUFeatureEj: 117| 3| static inline uint32_t if_set(uint64_t cpuid, T flag, CPUID::Feature bit, uint32_t allowed) { 118| 3| const uint64_t flag64 = static_cast(flag); 119| 3| if((cpuid & flag64) == flag64) { ------------------ | Branch (119:13): [True: 0, False: 3] ------------------ 120| 0| return (bit.as_u32() & allowed); 121| 3| } else { 122| 3| return 0; 123| 3| } 124| 3| } _ZNK5Botan10CPUFeature6as_u32Ev: 53| 35.7k| uint32_t as_u32() const { return static_cast(m_bit); } _ZN5Botan10CPUFeatureC2ENS0_3BitE: 51| 35.7k| CPUFeature(Bit b) : m_bit(b) {} // NOLINT(*-explicit-conversions) _ZN5Botan2CT6Choice9from_maskEm: 303| 8.83M| constexpr static Choice from_mask(underlying_type v) { return Choice(v); } _ZN5Botan2CT6Choice2noEv: 307| 465| constexpr static Choice no() { return Choice(0); } _ZNK5Botan2CT6ChoicentEv: 309| 3.47M| constexpr Choice operator!() const { return Choice(~value()); } _ZNK5Botan2CT6ChoiceaaERKS1_: 311| 4.42M| constexpr Choice operator&&(const Choice& other) const { return Choice(value() & other.value()); } _ZNK5Botan2CT6ChoiceooERKS1_: 313| 747k| constexpr Choice operator||(const Choice& other) const { return Choice(value() | other.value()); } _ZNK5Botan2CT6Choice7as_boolEv: 329| 3.48M| constexpr bool as_bool() const { return m_value != 0; } _ZNK5Botan2CT6Choice5valueEv: 332| 17.3M| constexpr underlying_type value() const { return value_barrier(m_value); } _ZN5Botan2CT6ChoiceC2Em: 341| 19.9M| constexpr explicit Choice(underlying_type v) : m_value(CT::value_barrier(v)) {} _ZN5Botan2CT4MaskImE7is_zeroEm: 437| 110M| static constexpr Mask is_zero(T x) { return Mask(ct_is_zero(value_barrier(x))); } _ZNK5Botan2CT4MaskImE5valueEv: 630| 299M| constexpr T value() const { return value_barrier(m_mask); } _ZNK5Botan2CT4MaskImEcoEv: 533| 48.5M| constexpr Mask operator~() const { return Mask(~value()); } _ZN5Botan2CT4MaskImE6expandEm: 392| 48.2M| static constexpr Mask expand(T v) { return ~Mask::is_zero(value_barrier(v)); } _ZN5Botan2CT6poisonImEEvPKT_m: 56| 2.78M|constexpr inline void poison(const T* p, size_t n) { 57| |#if defined(BOTAN_HAS_VALGRIND) 58| | if(!std::is_constant_evaluated()) { 59| | VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T)); 60| | } 61| |#endif 62| | 63| 2.78M| BOTAN_UNUSED(p, n); ------------------ | | 144| 2.78M|#define BOTAN_UNUSED Botan::ignore_params ------------------ 64| 2.78M|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt17custom_poisonableISC_EEEvRKSC_: 121| 23.5k|constexpr void poison(const R& r) { 122| 23.5k| const std::span s{r}; 123| 23.5k| poison(s.data(), s.size()); 124| 23.5k|} _ZN5Botan2CT8unpoisonImEEvPKT_m: 67| 46.0M|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 46.0M| BOTAN_UNUSED(p, n); ------------------ | | 144| 46.0M|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 46.0M|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt19custom_unpoisonableISC_EEEvRKSC_: 128| 8.25M|constexpr void unpoison(const R& r) { 129| 8.25M| const std::span s{r}; 130| 8.25M| unpoison(s.data(), s.size()); 131| 8.25M|} _ZNK5Botan2CT4MaskImE6selectEmm: 548| 81.0M| constexpr T select(T x, T y) const { return choose(value(), x, y); } _ZNK5Botan2CT4MaskImE16conditional_swapImEEvRT_S5_QlestTL0__stS4_: 587| 6.28k| { 588| 6.28k| auto cnd = Mask(*this); 589| 6.28k| U t0 = cnd.select(y, x); 590| 6.28k| U t1 = cnd.select(x, y); 591| 6.28k| x = t0; 592| 6.28k| y = t1; 593| 6.28k| } _ZN5Botan2CT9all_zerosImEENS0_4MaskIT_EEPKS3_m: 785| 6.73M|constexpr inline CT::Mask all_zeros(const T elem[], size_t len) { 786| 6.73M| T sum = 0; 787| 54.7M| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (787:22): [True: 47.9M, False: 6.73M] ------------------ 788| 47.9M| sum |= elem[i]; 789| 47.9M| } 790| 6.73M| return CT::Mask::is_zero(sum); 791| 6.73M|} _ZN5Botan2CT4MaskImEC2Em: 637| 216M| constexpr explicit Mask(T m) : m_mask(m) {} _ZNK5Botan2CT4MaskImE7as_boolEv: 614| 736k| constexpr bool as_bool() const { return unpoisoned_value() != 0; } _ZNK5Botan2CT4MaskImE16unpoisoned_valueEv: 598| 9.57M| constexpr T unpoisoned_value() const { 599| 9.57M| T r = value(); 600| 9.57M| CT::unpoison(r); 601| 9.57M| return r; 602| 9.57M| } _ZN5Botan2CT8unpoisonITkNSt3__18integralEmEEvRKT_: 112| 26.5M|constexpr void unpoison(const T& p) { 113| 26.5M| unpoison(&p, 1); 114| 26.5M|} _ZN5Botan2CTanENS0_4MaskImEES2_: 518| 284k| friend Mask operator&(Mask x, Mask y) { return Mask(x.value() & y.value()); } _ZN5Botan2CT4MaskImE8is_equalEmm: 442| 46.7M| static constexpr Mask is_equal(T x, T y) { 443| 46.7M| const T diff = value_barrier(x) ^ value_barrier(y); 444| 46.7M| return Mask::is_zero(diff); 445| 46.7M| } _ZNK5Botan2CT4MaskImE13if_set_returnEm: 538| 39.3M| constexpr T if_set_return(T x) const { return value() & x; } _ZN5Botan2CT4MaskImE5is_ltEmm: 450| 39.4M| static constexpr Mask is_lt(T x, T y) { 451| 39.4M| T u = x ^ ((x ^ y) | ((x - y) ^ x)); 452| 39.4M| return Mask::expand_top_bit(u); 453| 39.4M| } _ZN5Botan2CT4MaskImE14expand_top_bitEm: 415| 39.8M| static constexpr Mask expand_top_bit(T v) { return Mask(ct_expand_top_bit(v)); } _ZN5Botan2CT20conditional_copy_memImEENS0_4MaskIT_EES3_PS3_PKS3_S7_m: 738| 2.79M|constexpr inline Mask conditional_copy_mem(T cnd, T* dest, const T* if_set, const T* if_unset, size_t elems) { 739| 2.79M| const auto mask = CT::Mask::expand(cnd); 740| 2.79M| return CT::conditional_copy_mem(mask, dest, if_set, if_unset, elems); 741| 2.79M|} _ZN5Botan2CT20conditional_copy_memImEENS0_4MaskIT_EES4_PS3_PKS3_S7_m: 732| 2.79M|constexpr inline Mask conditional_copy_mem(Mask mask, T* dest, const T* if_set, const T* if_unset, size_t elems) { 733| 2.79M| mask.select_n(dest, if_set, if_unset, elems); 734| 2.79M| return mask; 735| 2.79M|} _ZNK5Botan2CT4MaskImE8select_nEPmPKmS5_m: 565| 44.1M| constexpr void select_n(T output[], const T x[], const T y[], size_t len) const { 566| 44.1M| const T mask = value(); 567| 307M| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (567:28): [True: 263M, False: 44.1M] ------------------ 568| 263M| output[i] = choose(mask, x[i], y[i]); 569| 263M| } 570| 44.1M| } _ZNK5Botan2CT4MaskImE11select_maskES2_S2_: 559| 16.9M| Mask select_mask(Mask x, Mask y) const { return Mask(select(x.value(), y.value())); } _ZN5Botan2CT4MaskImEoRES2_: 510| 464k| Mask& operator|=(Mask o) { 511| 464k| m_mask |= o.value(); 512| 464k| return (*this); 513| 464k| } _ZN5Botan2CT4MaskImEaNES2_: 494| 2.41M| Mask& operator&=(Mask o) { 495| 2.41M| m_mask &= o.value(); 496| 2.41M| return (*this); 497| 2.41M| } _ZN5Botan2CT4MaskImE11expand_boolEb: 397| 583k| static constexpr Mask expand_bool(bool v) { return Mask::expand(static_cast(v)); } _ZN5Botan2CT4MaskIhE11expand_boolEb: 397| 612k| static constexpr Mask expand_bool(bool v) { return Mask::expand(static_cast(v)); } _ZN5Botan2CT4MaskIhE6expandEh: 392| 612k| static constexpr Mask expand(T v) { return ~Mask::is_zero(value_barrier(v)); } _ZN5Botan2CT4MaskIhE7is_zeroEh: 437| 612k| static constexpr Mask is_zero(T x) { return Mask(ct_is_zero(value_barrier(x))); } _ZN5Botan2CT4MaskIhEC2Eh: 637| 1.22M| constexpr explicit Mask(T m) : m_mask(m) {} _ZNK5Botan2CT4MaskIhEcoEv: 533| 612k| constexpr Mask operator~() const { return Mask(~value()); } _ZNK5Botan2CT4MaskIhE5valueEv: 630| 1.22M| constexpr T value() const { return value_barrier(m_mask); } _ZNK5Botan2CT4MaskIhE6selectEhh: 548| 612k| constexpr T select(T x, T y) const { return choose(value(), x, y); } _ZNK5Botan2CT4MaskImE9as_choiceEv: 619| 8.83M| constexpr CT::Choice as_choice() const { 620| 8.83M| if constexpr(sizeof(T) >= sizeof(Choice::underlying_type)) { 621| 8.83M| return CT::Choice::from_mask(static_cast(unpoisoned_value())); 622| | } else { 623| | return CT::Choice::from_int(unpoisoned_value()); 624| | } 625| 8.83M| } _ZN5Botan2CT4MaskImE6is_gteEmm: 468| 359k| static constexpr Mask is_gte(T x, T y) { return ~Mask::is_lt(x, y); } _ZN5Botan2CTorENS0_4MaskImEES2_: 528| 359k| friend Mask operator|(Mask x, Mask y) { return Mask(x.value() | y.value()); } _ZN5Botan2CTeoENS0_4MaskImEES2_: 523| 224| friend Mask operator^(Mask x, Mask y) { return Mask(x.value() ^ y.value()); } _ZN5Botan2CT6Choice8from_intIjQaasr3stdE17unsigned_integralIT_Entsr3stdE7same_asIbS3_EEES1_S3_: 268| 2.46M| constexpr static Choice from_int(T v) { 269| 2.46M| if constexpr(sizeof(T) <= sizeof(underlying_type)) { 270| 2.46M| return !Choice(ct_is_zero(v)); 271| | } else { 272| | // Mask of T that is either |0| or |1| 273| | const T v_is_0 = ct_is_zero(value_barrier(v)); 274| | 275| | // We want the mask to be set if v != 0 so we must check that 276| | // v_is_0 is itself zero. 277| | // 278| | // Also sizeof(T) may not equal sizeof(underlying_type) so we must 279| | // use ct_is_zero. It's ok to either truncate or 280| | // zero extend v_is_0 to 32 bits since we know it is |0| or |1| 281| | // so even just the low bit is sufficient. 282| | return Choice(ct_is_zero(static_cast(v_is_0))); 283| | } 284| 2.46M| } _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__14spanIKmLm18446744073709551615EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEnt17custom_poisonableISB_EEEvRKSB_: 121| 2.75M|constexpr void poison(const R& r) { 122| 2.75M| const std::span s{r}; 123| 2.75M| poison(s.data(), s.size()); 124| 2.75M|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIKmLm18446744073709551615EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEnt19custom_unpoisonableISB_EEEvRKSB_: 128| 2.75M|constexpr void unpoison(const R& r) { 129| 2.75M| const std::span s{r}; 130| 2.75M| unpoison(s.data(), s.size()); 131| 2.75M|} _ZN5Botan2CT4MaskImE15if_set_zero_outEPmm: 575| 3.54M| constexpr void if_set_zero_out(T buf[], size_t elems) { 576| 35.4M| for(size_t i = 0; i != elems; ++i) { ------------------ | Branch (576:28): [True: 31.8M, False: 3.54M] ------------------ 577| 31.8M| buf[i] = this->if_not_set_return(buf[i]); 578| 31.8M| } 579| 3.54M| } _ZNK5Botan2CT4MaskImE17if_not_set_returnEm: 543| 32.2M| constexpr T if_not_set_return(T x) const { return ~value() & x; } _ZN5Botan2CT22conditional_assign_memImEENS0_4MaskIT_EES3_PS3_PKS3_m: 749| 33.1M|constexpr inline Mask conditional_assign_mem(T cnd, T* dest, const T* src, size_t elems) { 750| 33.1M| const auto mask = CT::Mask::expand(cnd); 751| 33.1M| mask.select_n(dest, src, dest, elems); 752| 33.1M| return mask; 753| 33.1M|} _ZN5Botan2CT4MaskImE7clearedEv: 387| 44.3k| static constexpr Mask cleared() { return Mask(0); } _ZN5Botan2CT16driveby_unpoisonITkNS0_12unpoisonableEmEEDcOT_Qsr3stdE21is_rvalue_reference_vIDtfp_EE: 245| 1.35k|{ 246| 1.35k| unpoison(v); 247| 1.35k| return std::forward(v); 248| 1.35k|} _ZNK5Botan2CT6Choice12into_bitmaskImQaasr3stdE17unsigned_integralIT_Entsr3stdE7same_asIbS3_EEES3_v: 291| 3.50M| constexpr T into_bitmask() const { 292| 3.50M| if constexpr(sizeof(T) <= sizeof(underlying_type)) { 293| | // The inner mask is already |0| or |1| so just truncate 294| 3.50M| return static_cast(value()); 295| | } else { 296| | return ~ct_is_zero(value()); 297| | } 298| 3.50M| } _ZN5Botan2CT6poisonIhEEvPKT_m: 56| 1.35k|constexpr inline void poison(const T* p, size_t n) { 57| |#if defined(BOTAN_HAS_VALGRIND) 58| | if(!std::is_constant_evaluated()) { 59| | VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T)); 60| | } 61| |#endif 62| | 63| 1.35k| BOTAN_UNUSED(p, n); ------------------ | | 144| 1.35k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 64| 1.35k|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 114|constexpr void poison(const T& x) { 139| 114| x._const_time_poison(); 140| 114|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 114|constexpr void poison_all(const Ts&... ts) { 202| 114| (poison(ts), ...); 203| 114|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 138| 342|constexpr void poison(const T& x) { 139| 342| x._const_time_poison(); 140| 342|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm4EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 1.61k|constexpr void poison(const R& r) { 122| 1.61k| const std::span s{r}; 123| 1.61k| poison(s.data(), s.size()); 124| 1.61k|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 114|constexpr void unpoison(const T& x) { 144| 114| x._const_time_unpoison(); 145| 114|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 114|constexpr void unpoison_all(const Ts&... ts) { 208| 114| (unpoison(ts), ...); 209| 114|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 143| 342|constexpr void unpoison(const T& x) { 144| 342| x._const_time_unpoison(); 145| 342|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm4EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1.61k|constexpr void unpoison(const R& r) { 129| 1.61k| const std::span s{r}; 130| 1.61k| unpoison(s.data(), s.size()); 131| 1.61k|} _ZN5Botan2CT8unpoisonIhEEvPKT_m: 67| 1.54k|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 1.54k| BOTAN_UNUSED(p, n); ------------------ | | 144| 1.54k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 1.54k|} _ZN5Botan2CT8is_equalImEENS0_4MaskIT_EEPKS3_S6_m: 798| 1.77k|constexpr inline CT::Mask is_equal(const T x[], const T y[], size_t len) { 799| 1.77k| if(std::is_constant_evaluated()) { ------------------ | Branch (799:7): [Folded, False: 1.77k] ------------------ 800| 0| T difference = 0; 801| | 802| 0| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (802:25): [True: 0, False: 0] ------------------ 803| 0| difference = difference | (x[i] ^ y[i]); 804| 0| } 805| | 806| 0| return CT::Mask::is_zero(difference); 807| 1.77k| } else { 808| 1.77k| volatile T difference = 0; 809| | 810| 10.7k| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (810:25): [True: 8.93k, False: 1.77k] ------------------ 811| 8.93k| difference = difference | (x[i] ^ y[i]); 812| 8.93k| } 813| | 814| 1.77k| return CT::Mask::is_zero(difference); 815| 1.77k| } 816| 1.77k|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 137|constexpr void poison(const T& x) { 139| 137| x._const_time_poison(); 140| 137|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 137|constexpr void poison_all(const Ts&... ts) { 202| 137| (poison(ts), ...); 203| 137|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 138| 411|constexpr void poison(const T& x) { 139| 411| x._const_time_poison(); 140| 411|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm6EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 792|constexpr void poison(const R& r) { 122| 792| const std::span s{r}; 123| 792| poison(s.data(), s.size()); 124| 792|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 137|constexpr void unpoison(const T& x) { 144| 137| x._const_time_unpoison(); 145| 137|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 137|constexpr void unpoison_all(const Ts&... ts) { 208| 137| (unpoison(ts), ...); 209| 137|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 143| 411|constexpr void unpoison(const T& x) { 144| 411| x._const_time_unpoison(); 145| 411|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm6EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 792|constexpr void unpoison(const R& r) { 129| 792| const std::span s{r}; 130| 792| unpoison(s.data(), s.size()); 131| 792|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 138|constexpr void poison(const T& x) { 139| 138| x._const_time_poison(); 140| 138|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 138|constexpr void poison_all(const Ts&... ts) { 202| 138| (poison(ts), ...); 203| 138|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 138| 414|constexpr void poison(const T& x) { 139| 414| x._const_time_poison(); 140| 414|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm8EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 414|constexpr void poison(const R& r) { 122| 414| const std::span s{r}; 123| 414| poison(s.data(), s.size()); 124| 414|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 138|constexpr void unpoison(const T& x) { 144| 138| x._const_time_unpoison(); 145| 138|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 138|constexpr void unpoison_all(const Ts&... ts) { 208| 138| (unpoison(ts), ...); 209| 138|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 143| 414|constexpr void unpoison(const T& x) { 144| 414| x._const_time_unpoison(); 145| 414|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm8EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 414|constexpr void unpoison(const R& r) { 129| 414| const std::span s{r}; 130| 414| unpoison(s.data(), s.size()); 131| 414|} _ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6PCurve22GenericProjectivePointEEEvRKT_: 138| 315|constexpr void poison(const T& x) { 139| 315| x._const_time_poison(); 140| 315|} pcurves_generic.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6PCurve12_GLOBAL__N_112GenericFieldES4_S4_EQgtsZT_Li0EEEvDpRKT_: 201| 315|constexpr void poison_all(const Ts&... ts) { 202| 315| (poison(ts), ...); 203| 315|} pcurves_generic.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6PCurve12_GLOBAL__N_112GenericFieldEEEvRKT_: 138| 945|constexpr void poison(const T& x) { 139| 945| x._const_time_poison(); 140| 945|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm9EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 1.28k|constexpr void poison(const R& r) { 122| 1.28k| const std::span s{r}; 123| 1.28k| poison(s.data(), s.size()); 124| 1.28k|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6PCurve22GenericProjectivePointEEEvRKT_: 143| 315|constexpr void unpoison(const T& x) { 144| 315| x._const_time_unpoison(); 145| 315|} pcurves_generic.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6PCurve12_GLOBAL__N_112GenericFieldES4_S4_EQgtsZT_Li0EEEvDpRKT_: 207| 315|constexpr void unpoison_all(const Ts&... ts) { 208| 315| (unpoison(ts), ...); 209| 315|} pcurves_generic.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6PCurve12_GLOBAL__N_112GenericFieldEEEvRKT_: 143| 945|constexpr void unpoison(const T& x) { 144| 945| x._const_time_unpoison(); 145| 945|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm9EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1.28k|constexpr void unpoison(const R& r) { 129| 1.28k| const std::span s{r}; 130| 1.28k| unpoison(s.data(), s.size()); 131| 1.28k|} pcurves_secp192r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 195|constexpr void poison(const T& x) { 139| 195| x._const_time_poison(); 140| 195|} pcurves_secp192r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 195|constexpr void poison_all(const Ts&... ts) { 202| 195| (poison(ts), ...); 203| 195|} pcurves_secp192r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 585|constexpr void poison(const T& x) { 139| 585| x._const_time_poison(); 140| 585|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm3EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 585|constexpr void poison(const R& r) { 122| 585| const std::span s{r}; 123| 585| poison(s.data(), s.size()); 124| 585|} pcurves_secp192r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 195|constexpr void unpoison(const T& x) { 144| 195| x._const_time_unpoison(); 145| 195|} pcurves_secp192r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 195|constexpr void unpoison_all(const Ts&... ts) { 208| 195| (unpoison(ts), ...); 209| 195|} pcurves_secp192r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 585|constexpr void unpoison(const T& x) { 144| 585| x._const_time_unpoison(); 145| 585|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm3EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 585|constexpr void unpoison(const R& r) { 129| 585| const std::span s{r}; 130| 585| unpoison(s.data(), s.size()); 131| 585|} pcurves_secp224r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 131|constexpr void poison(const T& x) { 139| 131| x._const_time_poison(); 140| 131|} pcurves_secp224r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 131|constexpr void poison_all(const Ts&... ts) { 202| 131| (poison(ts), ...); 203| 131|} pcurves_secp224r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 393|constexpr void poison(const T& x) { 139| 393| x._const_time_poison(); 140| 393|} pcurves_secp224r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 131|constexpr void unpoison(const T& x) { 144| 131| x._const_time_unpoison(); 145| 131|} pcurves_secp224r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 131|constexpr void unpoison_all(const Ts&... ts) { 208| 131| (unpoison(ts), ...); 209| 131|} pcurves_secp224r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 393|constexpr void unpoison(const T& x) { 144| 393| x._const_time_unpoison(); 145| 393|} pcurves_secp256k1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 134|constexpr void poison(const T& x) { 139| 134| x._const_time_poison(); 140| 134|} pcurves_secp256k1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 134|constexpr void poison_all(const Ts&... ts) { 202| 134| (poison(ts), ...); 203| 134|} pcurves_secp256k1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 402|constexpr void poison(const T& x) { 139| 402| x._const_time_poison(); 140| 402|} pcurves_secp256k1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 134|constexpr void unpoison(const T& x) { 144| 134| x._const_time_unpoison(); 145| 134|} pcurves_secp256k1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 134|constexpr void unpoison_all(const Ts&... ts) { 208| 134| (unpoison(ts), ...); 209| 134|} pcurves_secp256k1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 402|constexpr void unpoison(const T& x) { 144| 402| x._const_time_unpoison(); 145| 402|} pcurves_secp256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS5_9secp256r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 159|constexpr void poison(const T& x) { 139| 159| x._const_time_poison(); 140| 159|} pcurves_secp256r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 159|constexpr void poison_all(const Ts&... ts) { 202| 159| (poison(ts), ...); 203| 159|} pcurves_secp256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 138| 477|constexpr void poison(const T& x) { 139| 477| x._const_time_poison(); 140| 477|} pcurves_secp256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS5_9secp256r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 159|constexpr void unpoison(const T& x) { 144| 159| x._const_time_unpoison(); 145| 159|} pcurves_secp256r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 159|constexpr void unpoison_all(const Ts&... ts) { 208| 159| (unpoison(ts), ...); 209| 159|} pcurves_secp256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 143| 477|constexpr void unpoison(const T& x) { 144| 477| x._const_time_unpoison(); 145| 477|} pcurves_secp384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS5_9secp384r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 127|constexpr void poison(const T& x) { 139| 127| x._const_time_poison(); 140| 127|} pcurves_secp384r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 127|constexpr void poison_all(const Ts&... ts) { 202| 127| (poison(ts), ...); 203| 127|} pcurves_secp384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 138| 381|constexpr void poison(const T& x) { 139| 381| x._const_time_poison(); 140| 381|} pcurves_secp384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS5_9secp384r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 127|constexpr void unpoison(const T& x) { 144| 127| x._const_time_unpoison(); 145| 127|} pcurves_secp384r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 127|constexpr void unpoison_all(const Ts&... ts) { 208| 127| (unpoison(ts), ...); 209| 127|} pcurves_secp384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 143| 381|constexpr void unpoison(const T& x) { 144| 381| x._const_time_unpoison(); 145| 381|} pcurves_secp521r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 114|constexpr void poison(const T& x) { 139| 114| x._const_time_poison(); 140| 114|} pcurves_secp521r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 114|constexpr void poison_all(const Ts&... ts) { 202| 114| (poison(ts), ...); 203| 114|} pcurves_secp521r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 342|constexpr void poison(const T& x) { 139| 342| x._const_time_poison(); 140| 342|} pcurves_secp521r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 114|constexpr void unpoison(const T& x) { 144| 114| x._const_time_unpoison(); 145| 114|} pcurves_secp521r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 114|constexpr void unpoison_all(const Ts&... ts) { 208| 114| (unpoison(ts), ...); 209| 114|} pcurves_secp521r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 342|constexpr void unpoison(const T& x) { 144| 342| x._const_time_unpoison(); 145| 342|} _ZN5Botan2CT12poison_rangeITkNSt3__16ranges5rangeENS2_6vectorINS_14Montgomery_IntENS2_9allocatorIS5_EEEEQ10poisonableINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEEEvRKSC_: 181| 1.47k|constexpr void poison_range(const R& r) { 182| 23.5k| for(const auto& v : r) { ------------------ | Branch (182:22): [True: 23.5k, False: 1.47k] ------------------ 183| 23.5k| poison(v); 184| 23.5k| } 185| 1.47k|} _ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_14Montgomery_IntEEEvRKT_: 138| 23.5k|constexpr void poison(const T& x) { 139| 23.5k| x._const_time_poison(); 140| 23.5k|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_14Montgomery_IntEEEvRKT_: 143| 3.29k|constexpr void unpoison(const T& x) { 144| 3.29k| x._const_time_unpoison(); 145| 3.29k|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS_16secure_allocatorIhEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt19custom_unpoisonableISC_EEEvRKSC_: 128| 1|constexpr void unpoison(const R& r) { 129| 1| const std::span s{r}; 130| 1| unpoison(s.data(), s.size()); 131| 1|} _ZNK5Botan2CT4MaskIjE5valueEv: 630| 123k| constexpr T value() const { return value_barrier(m_mask); } _ZNK5Botan2CT4MaskIjE13if_set_returnEj: 538| 121k| constexpr T if_set_return(T x) const { return value() & x; } _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS_16secure_allocatorIhEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt17custom_poisonableISC_EEEvRKSC_: 121| 1|constexpr void poison(const R& r) { 122| 1| const std::span s{r}; 123| 1| poison(s.data(), s.size()); 124| 1|} _ZN5Botan2CT8unpoisonITkNSt3__18integralEbEEvRKT_: 112| 327k|constexpr void unpoison(const T& p) { 113| 327k| unpoison(&p, 1); 114| 327k|} _ZN5Botan2CT8unpoisonIbEEvPKT_m: 67| 327k|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 327k| BOTAN_UNUSED(p, n); ------------------ | | 144| 327k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 327k|} _ZN5Botan2CT4MaskIjEC2Ej: 637| 123k| constexpr explicit Mask(T m) : m_mask(m) {} _ZN5Botan2CT4MaskIjE8is_equalEjj: 442| 1.15k| static constexpr Mask is_equal(T x, T y) { 443| 1.15k| const T diff = value_barrier(x) ^ value_barrier(y); 444| 1.15k| return Mask::is_zero(diff); 445| 1.15k| } _ZN5Botan2CT4MaskIjE7is_zeroEj: 437| 1.15k| static constexpr Mask is_zero(T x) { return Mask(ct_is_zero(value_barrier(x))); } _ZN5Botan2CT16driveby_unpoisonITkNS0_12unpoisonableEbEEDcOT_Qsr3stdE21is_rvalue_reference_vIDtfp_EE: 245| 327k|{ 246| 327k| unpoison(v); 247| 327k| return std::forward(v); 248| 327k|} _ZN5Botan2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS7_EEEDaDpRKS7_: 222| 1|[[nodiscard]] constexpr auto scoped_poison(const Ts&... xs) { 223| 1| auto scope = scoped_cleanup([&] { unpoison_all(xs...); }); 224| 1| poison_all(xs...); 225| 1| return scope; 226| 1|} _ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQgtsZT_Li0EEEvDpRKT_: 201| 1|constexpr void poison_all(const Ts&... ts) { 202| 1| (poison(ts), ...); 203| 1|} _ZZN5Botan2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS7_EEEDaDpRKS7_ENKUlvE_clEv: 223| 1| auto scope = scoped_cleanup([&] { unpoison_all(xs...); }); _ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQgtsZT_Li0EEEvDpRKT_: 207| 1|constexpr void unpoison_all(const Ts&... ts) { 208| 1| (unpoison(ts), ...); 209| 1|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayIhLm56EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1|constexpr void unpoison(const R& r) { 129| 1| const std::span s{r}; 130| 1| unpoison(s.data(), s.size()); 131| 1|} _ZN5Botan2CT4MaskImEeOES2_: 502| 448| Mask& operator^=(Mask o) { 503| 448| m_mask ^= o.value(); 504| 448| return (*this); 505| 448| } _ZN5Botan2CT4MaskIjE14expand_top_bitEj: 415| 121k| static constexpr Mask expand_top_bit(T v) { return Mask(ct_expand_top_bit(v)); } _ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS2_6DomainE0EEEEEvRKT_: 138| 888|constexpr void poison(const T& x) { 139| 888| x._const_time_poison(); 140| 888|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__14spanIiLm256EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 888|constexpr void poison(const R& r) { 122| 888| const std::span s{r}; 123| 888| poison(s.data(), s.size()); 124| 888|} _ZN5Botan2CT6poisonIiEEvPKT_m: 56| 888|constexpr inline void poison(const T* p, size_t n) { 57| |#if defined(BOTAN_HAS_VALGRIND) 58| | if(!std::is_constant_evaluated()) { 59| | VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T)); 60| | } 61| |#endif 62| | 63| 888| BOTAN_UNUSED(p, n); ------------------ | | 144| 888|#define BOTAN_UNUSED Botan::ignore_params ------------------ 64| 888|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt17custom_poisonableISF_EEEvRKSF_: 121| 76|constexpr void poison(const R& r) { 122| 76| const std::span s{r}; 123| 76| poison(s.data(), s.size()); 124| 76|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS2_6DomainE0EEEEEvRKT_: 143| 304|constexpr void unpoison(const T& x) { 144| 304| x._const_time_unpoison(); 145| 304|} _ZN5Botan2CT14unpoison_rangeITkNSt3__16ranges5rangeENS2_6vectorINS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEENS2_9allocatorIS9_EEEEQ12unpoisonableINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvRKSG_: 189| 304|constexpr void unpoison_range(const R& r) { 190| 1.84k| for(const auto& v : r) { ------------------ | Branch (190:22): [True: 1.84k, False: 304] ------------------ 191| 1.84k| unpoison(v); 192| 1.84k| } 193| 304|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS2_6DomainE0EEEEEvRKT_: 143| 1.84k|constexpr void unpoison(const T& x) { 144| 1.84k| x._const_time_unpoison(); 145| 1.84k|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIiLm256EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1.84k|constexpr void unpoison(const R& r) { 129| 1.84k| const std::span s{r}; 130| 1.84k| unpoison(s.data(), s.size()); 131| 1.84k|} _ZN5Botan2CT8unpoisonIiEEvPKT_m: 67| 1.84k|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 1.84k| BOTAN_UNUSED(p, n); ------------------ | | 144| 1.84k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 1.84k|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_28Dilithium_PrivateKeyInternalEEEvRKT_: 143| 76|constexpr void unpoison(const T& x) { 144| 76| x._const_time_unpoison(); 145| 76|} _ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15DilithiumSeedK_EJEEENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSA_6DomainE0EEESE_SE_EQgtsZT_Li0EEEvDpRKT_: 207| 76|constexpr void unpoison_all(const Ts&... ts) { 208| 76| (unpoison(ts), ...); 209| 76|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15DilithiumSeedK_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 76|constexpr void unpoison(const R& r) { 129| 76| const std::span s{r}; 130| 76| unpoison(s.data(), s.size()); 131| 76|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 76|constexpr void unpoison(const R& r) { 129| 76| const std::span s{r}; 130| 76| unpoison(s.data(), s.size()); 131| 76|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 76|constexpr void unpoison(const R& r) { 129| 76| const std::span s{r}; 130| 76| unpoison(s.data(), s.size()); 131| 76|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIhLm32EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 2|constexpr void unpoison(const R& r) { 129| 2| const std::span s{r}; 130| 2| unpoison(s.data(), s.size()); 131| 2|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt17custom_poisonableISF_EEEvRKSF_: 121| 29|constexpr void poison(const R& r) { 122| 29| const std::span s{r}; 123| 29| poison(s.data(), s.size()); 124| 29|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 29|constexpr void unpoison(const R& r) { 129| 29| const std::span s{r}; 130| 29| unpoison(s.data(), s.size()); 131| 29|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS2_6DomainE1EEEEEvRKT_: 143| 58|constexpr void unpoison(const T& x) { 144| 58| x._const_time_unpoison(); 145| 58|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEEEEvRKT_: 143| 192|constexpr void unpoison(const T& x) { 144| 192| x._const_time_unpoison(); 145| 192|} _ZN5Botan2CT14unpoison_rangeITkNSt3__16ranges5rangeENS2_6vectorINS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS5_6DomainE1EEENS2_9allocatorIS9_EEEEQ12unpoisonableINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvRKSG_: 189| 58|constexpr void unpoison_range(const R& r) { 190| 192| for(const auto& v : r) { ------------------ | Branch (190:22): [True: 192, False: 58] ------------------ 191| 192| unpoison(v); 192| 192| } 193| 58|} _ZN5Botan2CT8unpoisonIsEEvPKT_m: 67| 192|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 192| BOTAN_UNUSED(p, n); ------------------ | | 144| 192|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 192|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIsLm256EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 192|constexpr void unpoison(const R& r) { 129| 192| const std::span s{r}; 130| 192| unpoison(s.data(), s.size()); 131| 192|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_13KyberSeedRho_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 29|constexpr void unpoison(const R& r) { 129| 29| const std::span s{r}; 130| 29| unpoison(s.data(), s.size()); 131| 29|} _ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNSA_6DomainE1EEESE_EQgtsZT_Li0EEEvDpRKT_: 207| 29|constexpr void unpoison_all(const Ts&... ts) { 208| 29| (unpoison(ts), ...); 209| 29|} _ZN5Botan2CT4MaskImE10expand_bitEmm: 421| 256| static constexpr Mask expand_bit(T v, size_t bit) { 422| 256| return CT::Mask::expand_top_bit(v << (sizeof(v) * 8 - 1 - bit)); 423| 256| } _ZN5Botan9Gf448Elem4zeroEv: 59| 1| static Gf448Elem zero() { return Gf448Elem(0); } _ZN5Botan9Gf448Elem3oneEv: 64| 2| static Gf448Elem one() { return Gf448Elem(1); } _ZN5Botan9Gf448Elem5wordsEv: 120| 2.24k| std::span words() { return m_x; } _ZNK5Botan9Gf448Elem5wordsEv: 128| 2.24k| std::span words() const { return m_x; } _ZNK5Botan18DilithiumConstants4modeEv: 162| 155| DilithiumMode mode() const { return m_mode; } _ZNK5Botan18DilithiumConstants16public_key_bytesEv: 152| 76| size_t public_key_bytes() const { return m_public_key_bytes; } _ZNK5Botan18DilithiumConstants20symmetric_primitivesEv: 167| 3.72k| Dilithium_Symmetric_Primitives_Base& symmetric_primitives() const { return *m_symmetric_primitives; } _ZN5Botan18DilithiumConstantsC2EOS0_: 96| 386| DilithiumConstants(DilithiumConstants&& other) = default; _ZNK5Botan18DilithiumConstants9is_ml_dsaEv: 104| 310| bool is_ml_dsa() const { return m_mode.is_ml_dsa(); } _ZNK5Botan18DilithiumConstants1kEv: 123| 859| uint8_t k() const { return m_k; } _ZNK5Botan18DilithiumConstants1lEv: 126| 3.46k| uint8_t l() const { return m_l; } _ZNK5Botan18DilithiumConstants13keypair_codecEv: 169| 79| Dilithium_Keypair_Codec& keypair_codec() const { return *m_keypair_codec; } _ZN5Botan18DilithiumConstantsC2ERKS0_: 94| 76| DilithiumConstants(const DilithiumConstants& other) : DilithiumConstants(other.m_mode) {} _ZNK5Botan18DilithiumConstants9is_modernEv: 100| 155| bool is_modern() const { return m_mode.is_modern(); } _ZNK5Botan18DilithiumConstants6is_aesEv: 102| 155| bool is_aes() const { return m_mode.is_aes(); } _ZNK5Botan18DilithiumConstants3etaEv: 129| 888| DilithiumEta eta() const { return m_eta; } _ZNK5Botan18DilithiumConstants21public_key_hash_bytesEv: 138| 155| size_t public_key_hash_bytes() const { return m_public_key_hash_bytes; } _ZNK5Botan18DilithiumConstants26commitment_hash_full_bytesEv: 141| 155| size_t commitment_hash_full_bytes() const { return m_commitment_hash_full_bytes; } _ZN5Botan27Dilithium_PublicKeyInternalC2ENS_18DilithiumConstantsENS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSA_6DomainE0EEE: 42| 76| m_mode(std::move(mode)), 43| 76| m_rho(std::move(rho)), 44| 76| m_t1(std::move(t1)), 45| 76| m_tr(m_mode.symmetric_primitives().H(raw_pk())) { 46| 76| BOTAN_ASSERT_NOMSG(!m_rho.empty()); ------------------ | | 77| 76| do { \ | | 78| 76| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 76| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 76] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 76| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 76] | | ------------------ ------------------ 47| 76| BOTAN_ASSERT_NOMSG(m_t1.size() > 0); ------------------ | | 77| 76| do { \ | | 78| 76| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 76| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 76] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 76| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 76] | | ------------------ ------------------ 48| 76| } _ZNK5Botan27Dilithium_PublicKeyInternal6raw_pkEv: 51| 76| DilithiumSerializedPublicKey raw_pk() const { return Dilithium_Algos::encode_public_key(m_rho, m_t1, m_mode); } _ZNK5Botan28Dilithium_PrivateKeyInternal20_const_time_unpoisonEv: 104| 76| void _const_time_unpoison() const { 105| 76| CT::unpoison_all(m_signing_seed, m_s1, m_s2, m_t0); 106| 76| if(m_seed.has_value()) { ------------------ | Branch (106:13): [True: 76, False: 0] ------------------ 107| 76| CT::unpoison(m_seed.value()); 108| 76| } 109| 76| } _ZN5Botan28Dilithium_PrivateKeyInternalC2ENS_18DilithiumConstantsENSt3__18optionalINS_6StrongINS2_6vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEEENS4_IS8_NS_15DilithiumSeedK_EJEEENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSE_6DomainE0EEESI_SI_: 76| 76| m_mode(std::move(mode)), 77| 76| m_seed(std::move(seed)), 78| 76| m_signing_seed(std::move(signing_seed)), 79| 76| m_t0(std::move(t0)), 80| 76| m_s1(std::move(s1)), 81| 76| m_s2(std::move(s2)) {} _ZN5Botan23Dilithium_Keypair_CodecD2Ev: 27| 155| virtual ~Dilithium_Keypair_Codec() = default; _ZN5Botan19DilithiumPolyTraits3nttENSt3__14spanIiLm256EEE: 50| 412| static constexpr void ntt(std::span coeffs) { 51| 412| size_t j = 0; 52| 412| size_t k = 0; 53| | 54| 3.70k| for(size_t len = N / 2; len > 0; len >>= 1) { ------------------ | Branch (54:34): [True: 3.29k, False: 412] ------------------ 55| 108k| for(size_t start = 0; start < N; start = j + len) { ------------------ | Branch (55:35): [True: 105k, False: 3.29k] ------------------ 56| 105k| const T zeta = zetas[++k]; 57| 526k| for(j = start; j < start + len; ++j) { ------------------ | Branch (57:31): [True: 421k, False: 105k] ------------------ 58| | // Zetas contain the montgomery parameter 2^32 mod q 59| 421k| const T t = fqmul(zeta, coeffs[j + len]); 60| 421k| coeffs[j + len] = coeffs[j] - t; 61| 421k| coeffs[j] = coeffs[j] + t; 62| 421k| } 63| 105k| } 64| 3.29k| } 65| 412| } _ZN5Botan19DilithiumPolyTraits29montgomery_reduce_coefficientEl: 26| 1.71M| static constexpr T montgomery_reduce_coefficient(T2 a) { 27| 1.71M| const T2 t = static_cast(static_cast(static_cast(a)) * Q_inverse); 28| 1.71M| return static_cast((a - static_cast(t) * Q) >> (sizeof(T) * 8)); 29| 1.71M| } _ZN5Botan19DilithiumPolyTraits25poly_pointwise_montgomeryENSt3__14spanIiLm256EEENS2_IKiLm256EEES5_: 107| 2.68k| std::span rhs) { 108| 689k| for(size_t i = 0; i < N; ++i) { ------------------ | Branch (108:28): [True: 687k, False: 2.68k] ------------------ 109| 687k| result[i] = fqmul(lhs[i], rhs[i]); 110| 687k| } 111| 2.68k| } _ZN5Botan19DilithiumPolyTraits26barrett_reduce_coefficientEi: 31| 243k| static constexpr T barrett_reduce_coefficient(T a) { 32| | // 2**22 is roughly Q/2 and 2**23 is roughly Q 33| 243k| const T t = (a + (1 << 22)) >> 23; 34| 243k| a = a - t * Q; 35| 243k| return a; 36| 243k| } _ZN5Botan19DilithiumPolyTraits11inverse_nttENSt3__14spanIiLm256EEE: 78| 476| static constexpr void inverse_ntt(std::span coeffs) { 79| 476| size_t j = 0; 80| 476| size_t k = N; 81| 4.28k| for(size_t len = 1; len < N; len <<= 1) { ------------------ | Branch (81:30): [True: 3.80k, False: 476] ------------------ 82| 125k| for(size_t start = 0; start < N; start = j + len) { ------------------ | Branch (82:35): [True: 121k, False: 3.80k] ------------------ 83| 121k| const T zeta = -zetas[--k]; 84| 608k| for(j = start; j < start + len; ++j) { ------------------ | Branch (84:31): [True: 487k, False: 121k] ------------------ 85| 487k| const T t = coeffs[j]; 86| 487k| coeffs[j] = t + coeffs[j + len]; 87| 487k| coeffs[j + len] = t - coeffs[j + len]; 88| | // Zetas contain the montgomery parameter 2^32 mod q 89| 487k| coeffs[j + len] = fqmul(zeta, coeffs[j + len]); 90| 487k| } 91| 121k| } 92| 3.80k| } 93| | 94| 121k| for(auto& coeff : coeffs) { ------------------ | Branch (94:26): [True: 121k, False: 476] ------------------ 95| 121k| coeff = fqmul(coeff, F_WITH_MONTY_SQUARED); 96| 121k| } 97| 476| } _ZNK5Botan17DilithiumShakeXOF6XOF128ENSt3__14spanIKhLm18446744073709551615EEEt: 27| 2.68k| std::unique_ptr XOF128(std::span seed, uint16_t nonce) const override { 28| 2.68k| return createXOF("SHAKE-128", seed, nonce); 29| 2.68k| } _ZNK5Botan17DilithiumShakeXOF6XOF256ENSt3__14spanIKhLm18446744073709551615EEEt: 31| 888| std::unique_ptr XOF256(std::span seed, uint16_t nonce) const override { 32| 888| return createXOF("SHAKE-256", seed, nonce); 33| 888| } _ZN5Botan17DilithiumShakeXOFC2Ev: 18| 155| DilithiumShakeXOF() = default; _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEEE: 120| 76| DilithiumHashedPublicKey H(StrongSpan pk) const { 121| 76| return H_256(m_public_key_hash_bytes, pk); 122| 76| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base5H_256ITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_25DilithiumHashedPublicKey_EJEEETpTkNS_6ranges14spanable_rangeEJNS_10StrongSpanIKNS3_IS8_NS_29DilithiumSerializedPublicKey_EJEEEEEEEET_mDpRKT0_: 178| 76| OutT H_256(size_t outbytes, const InTs&... ins) const { 179| 76| auto xof = XOF::create_or_throw("SHAKE-256"); 180| 76| (xof->update(ins), ...); 181| 76| return xof->output(outbytes); 182| 76| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEEE: 125| 76| StrongSpan seed) const { 126| 76| auto xof = XOF::create_or_throw("SHAKE-256"); 127| 76| xof->update(seed); 128| 76| if(auto domsep = seed_expansion_domain_separator()) { ------------------ | Branch (128:18): [True: 76, False: 0] ------------------ 129| 76| xof->update(domsep.value()); 130| 76| } 131| | 132| | // Note: The order of invocations in an initializer list is not 133| | // guaranteed by the C++ standard. Hence, we have to store the 134| | // results in variables to ensure the correct order of execution. 135| 76| auto rho = xof->output(DilithiumConstants::SEED_RHO_BYTES); 136| 76| auto rhoprime = xof->output(DilithiumConstants::SEED_RHOPRIME_BYTES); 137| 76| auto k = xof->output(DilithiumConstants::SEED_SIGNING_KEY_BYTES); 138| | 139| 76| return {std::move(rho), std::move(rhoprime), std::move(k)}; 140| 76| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEEt: 153| 2.68k| std::unique_ptr H(StrongSpan seed, uint16_t nonce) const { 154| 2.68k| return m_xof_adapter->XOF128(seed, nonce); 155| 2.68k| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEEt: 157| 888| std::unique_ptr H(StrongSpan seed, uint16_t nonce) const { 158| 888| return m_xof_adapter->XOF256(seed, nonce); 159| 888| } _ZN5Botan12DilithiumXOFD2Ev: 86| 155| virtual ~DilithiumXOF() = default; _ZN5Botan35Dilithium_Symmetric_Primitives_BaseD2Ev: 103| 155| virtual ~Dilithium_Symmetric_Primitives_Base() = default; _ZNK5Botan13DL_PrivateKey5groupEv: 67| 44| const DL_Group& group() const { return m_group; } _ZN5Botan11carry_shiftEom: 139| 14.1k|inline uint64_t carry_shift(const uint128_t a, size_t shift) { 140| 14.1k| return static_cast(a >> shift); 141| 14.1k|} _ZN5Botan13combine_lowerEomom: 143| 4|inline uint64_t combine_lower(const uint128_t a, size_t s1, const uint128_t b, size_t s2) { 144| 4| return static_cast((a >> s1) | (b << s2)); 145| 4|} _ZNK5Botan17EC_Scalar_Data_BN5valueEv: 52| 1.17k| const BigInt& value() const { return m_v; } _ZN5Botan17EC_Scalar_Data_BNC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_6BigIntE: 18| 1.10k| m_group(std::move(group)), m_v(std::move(v)) {} _ZNK5Botan22EC_AffinePoint_Data_BN15to_legacy_pointEv: 85| 64| EC_Point to_legacy_point() const override { return m_pt; } _ZNK5Botan13EC_Group_Data7p_bytesEv: 205| 212| size_t p_bytes() const { return (m_p_bits + 7) / 8; } _ZNK5Botan13EC_Group_Data11order_bytesEv: 209| 9.60k| size_t order_bytes() const { return m_order_bytes; } _ZNK5Botan13EC_Group_Data1pEv: 169| 502k| const BigInt& p() const { return m_p; } _ZNK5Botan13EC_Group_Data1aEv: 171| 667| const BigInt& a() const { return m_a; } _ZNK5Botan13EC_Group_Data1bEv: 173| 663| const BigInt& b() const { return m_b; } _ZNK5Botan13EC_Group_Data5orderEv: 175| 170| const BigInt& order() const { return m_order; } _ZNK5Botan13EC_Group_Data8cofactorEv: 177| 170| const BigInt& cofactor() const { return m_cofactor; } _ZNK5Botan13EC_Group_Data3oidEv: 165| 4.04k| const OID& oid() const { return m_oid; } _ZNK5Botan13EC_Group_Data5curveEv: 180| 1.56k| const CurveGFp& curve() const { return m_curve; } _ZNK5Botan13EC_Group_Data5montyEv: 184| 9.47M| const Montgomery_Params& monty() const { return m_monty; } _ZNK5Botan13EC_Group_Data7monty_aEv: 186| 66| const BigInt& monty_a() const { return m_a_r; } _ZNK5Botan13EC_Group_Data7monty_bEv: 188| 66| const BigInt& monty_b() const { return m_b_r; } _ZNK5Botan13EC_Group_Data7p_wordsEv: 201| 778k| size_t p_words() const { return m_p_words; } _ZNK5Botan13EC_Group_Data12a_is_minus_3Ev: 211| 39.2k| bool a_is_minus_3() const { return m_a_is_minus_3; } _ZNK5Botan13EC_Group_Data9a_is_zeroEv: 213| 209k| bool a_is_zero() const { return m_a_is_zero; } _ZNK5Botan13EC_Group_Data6pcurveEv: 282| 8.58k| const PCurve::PrimeOrderCurve& pcurve() const { 283| 8.58k| BOTAN_ASSERT_NONNULL(m_pcurve); ------------------ | | 116| 8.58k| do { \ | | 117| 8.58k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 8.58k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 8.58k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 8.58k] | | ------------------ ------------------ 284| 8.58k| return *m_pcurve; 285| 8.58k| } _ZN5Botan19EC_AffinePoint_DataD2Ev: 73| 1.63k| virtual ~EC_AffinePoint_Data() = default; _ZN5Botan14EC_Scalar_DataD2Ev: 38| 4.99k| virtual ~EC_Scalar_Data() = default; _ZNK5Botan17EC_Scalar_Data_PC5valueEv: 53| 3.50k| const auto& value() const { return m_v; } _ZN5Botan17EC_Scalar_Data_PCC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_6PCurve15PrimeOrderCurve6ScalarE: 19| 3.88k| m_group(std::move(group)), m_v(std::move(v)) {} _ZNK5Botan17EC_PublicKey_Data5groupEv: 31| 1.63k| const EC_Group& group() const { return m_group; } _ZN5Botan17EC_PublicKey_DataC2ERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 29| 871| EC_PublicKey_Data(group, EC_AffinePoint(group, bytes)) {} _ZN5Botan20Ed25519_FieldElementC2Ev: 33| 2.93k| constexpr Ed25519_FieldElement() : m_fe{} {} _ZN5Botan20Ed25519_FieldElement4zeroEv: 35| 132| constexpr static Ed25519_FieldElement zero() { return Ed25519_FieldElement(); } _ZN5Botan20Ed25519_FieldElement3oneEv: 37| 260| constexpr static Ed25519_FieldElement one() { 38| 260| auto o = Ed25519_FieldElement(); 39| 260| o.m_fe[0] = 1; 40| 260| return o; 41| 260| } _ZN5BotanmlERKNS_20Ed25519_FieldElementES2_: 148| 948|inline Ed25519_FieldElement operator*(const Ed25519_FieldElement& x, const Ed25519_FieldElement& y) { 149| 948| return Ed25519_FieldElement::mul(x, y); 150| 948|} _ZN5BotanplERKNS_20Ed25519_FieldElementES2_: 140| 528|inline Ed25519_FieldElement operator+(const Ed25519_FieldElement& x, const Ed25519_FieldElement& y) { 141| 528| return Ed25519_FieldElement::add(x, y); 142| 528|} _ZN5Botan20Ed25519_FieldElement3addERKS0_S2_: 94| 528| static Ed25519_FieldElement add(const Ed25519_FieldElement& a, const Ed25519_FieldElement& b) { 95| 528| Ed25519_FieldElement z; 96| 5.80k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (96:28): [True: 5.28k, False: 528] ------------------ 97| 5.28k| z.m_fe[i] = a.m_fe[i] + b.m_fe[i]; 98| 5.28k| } 99| 528| return z; 100| 528| } _ZN5BotanmiERKNS_20Ed25519_FieldElementES2_: 144| 408|inline Ed25519_FieldElement operator-(const Ed25519_FieldElement& x, const Ed25519_FieldElement& y) { 145| 408| return Ed25519_FieldElement::sub(x, y); 146| 408|} _ZN5Botan20Ed25519_FieldElement3subERKS0_S2_: 102| 408| static Ed25519_FieldElement sub(const Ed25519_FieldElement& a, const Ed25519_FieldElement& b) { 103| 408| Ed25519_FieldElement z; 104| 4.48k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (104:28): [True: 4.08k, False: 408] ------------------ 105| 4.08k| z.m_fe[i] = a.m_fe[i] - b.m_fe[i]; 106| 4.08k| } 107| 408| return z; 108| 408| } _ZN5Botan20Ed25519_FieldElementixEm: 134| 53.7k| int32_t& operator[](size_t i) { return m_fe[i]; } _ZNK5Botan20Ed25519_FieldElementixEm: 132| 30.7k| int32_t operator[](size_t i) const { return m_fe[i]; } _ZN5BotanngERKNS_20Ed25519_FieldElementE: 152| 128|inline Ed25519_FieldElement operator-(const Ed25519_FieldElement& x) { 153| 128| return Ed25519_FieldElement::negate(x); 154| 128|} _ZN5Botan20Ed25519_FieldElement6negateERKS0_: 110| 128| static Ed25519_FieldElement negate(const Ed25519_FieldElement& a) { 111| 128| Ed25519_FieldElement z; 112| 1.40k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (112:28): [True: 1.28k, False: 128] ------------------ 113| 1.28k| z.m_fe[i] = -a.m_fe[i]; 114| 1.28k| } 115| 128| return z; 116| 128| } _ZNK5Botan20Ed25519_FieldElement3sqrEv: 122| 28| Ed25519_FieldElement sqr() const { return sqr_iter(1); } _ZNK5Botan20Ed25519_FieldElement11is_negativeEv: 87| 2| bool is_negative() const { 88| | // TODO could avoid most of the serialize computation here 89| 2| std::array s = {}; 90| 2| this->serialize_to(s); 91| 2| return (s[0] & 0x01) == 0x01; 92| 2| } _ZN5Botan20Ed25519_FieldElementC2Ellllllllll: 60| 1.00k| int64_t h9) { 61| 1.00k| m_fe[0] = static_cast(h0); 62| 1.00k| m_fe[1] = static_cast(h1); 63| 1.00k| m_fe[2] = static_cast(h2); 64| 1.00k| m_fe[3] = static_cast(h3); 65| 1.00k| m_fe[4] = static_cast(h4); 66| 1.00k| m_fe[5] = static_cast(h5); 67| 1.00k| m_fe[6] = static_cast(h6); 68| 1.00k| m_fe[7] = static_cast(h7); 69| 1.00k| m_fe[8] = static_cast(h8); 70| 1.00k| m_fe[9] = static_cast(h9); 71| 1.00k| } _ZN5Botan5carryILm26ELl1EEEvRlS1_QaagtT_Li0EltT_Li64E: 29| 10.4k|{ 30| 10.4k| const int64_t X1 = (static_cast(1) << S); 31| 10.4k| const int64_t X2 = (static_cast(1) << (S - 1)); 32| 10.4k| const int64_t c = (h0 + X2) >> S; 33| 10.4k| h1 += c * MUL; 34| 10.4k| h0 -= c * X1; 35| 10.4k|} _ZN5Botan5carryILm25ELl1EEEvRlS1_QaagtT_Li0EltT_Li64E: 29| 5.95k|{ 30| 5.95k| const int64_t X1 = (static_cast(1) << S); 31| 5.95k| const int64_t X2 = (static_cast(1) << (S - 1)); 32| 5.95k| const int64_t c = (h0 + X2) >> S; 33| 5.95k| h1 += c * MUL; 34| 5.95k| h0 -= c * X1; 35| 5.95k|} _ZN5Botan5carryILm25ELl19EEEvRlS1_QaagtT_Li0EltT_Li64E: 29| 1.48k|{ 30| 1.48k| const int64_t X1 = (static_cast(1) << S); 31| 1.48k| const int64_t X2 = (static_cast(1) << (S - 1)); 32| 1.48k| const int64_t c = (h0 + X2) >> S; 33| 1.48k| h1 += c * MUL; 34| 1.48k| h0 -= c * X1; 35| 1.48k|} _ZN5Botan6carry0ILm26EEEvRiS1_QaagtT_Li0EltT_Li32E: 50| 20|{ 51| 20| const int32_t X1 = (static_cast(1) << S); 52| 20| const int32_t c = h0 >> S; 53| 20| h1 += c; 54| 20| h0 -= c * X1; 55| 20|} _ZN5Botan6carry0ILm25EEEvRiS1_QaagtT_Li0EltT_Li32E: 50| 16|{ 51| 16| const int32_t X1 = (static_cast(1) << S); 52| 16| const int32_t c = h0 >> S; 53| 16| h1 += c; 54| 16| h0 -= c * X1; 55| 16|} _ZN5Botan3fmtIJNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEEEES7_NS1_17basic_string_viewIcS4_EEDpRKT_: 53| 432|std::string fmt(std::string_view format, const T&... args) { 54| 432| std::ostringstream oss; 55| 432| oss.imbue(std::locale::classic()); 56| 432| fmt_detail::do_fmt(oss, format, args...); 57| 432| return oss.str(); 58| 432|} _ZN5Botan10fmt_detail6do_fmtINSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEEJEEEvRNS2_19basic_ostringstreamIcS5_S7_EENS2_17basic_string_viewIcS5_EERKT_DpRKT0_: 25| 432|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 432| size_t i = 0; 27| | 28| 7.57k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 7.57k, False: 0] ------------------ 29| 7.57k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 432, False: 7.14k] | Branch (29:30): [True: 432, False: 0] | Branch (29:59): [True: 432, False: 0] ------------------ 30| 432| oss << val; 31| 432| return do_fmt(oss, format.substr(i + 2), rest...); 32| 7.14k| } else { 33| 7.14k| oss << format[i]; 34| 7.14k| } 35| | 36| 7.14k| i += 1; 37| 7.14k| } 38| 432|} _ZN5Botan10fmt_detail6do_fmtERNSt3__119basic_ostringstreamIcNS1_11char_traitsIcEENS1_9allocatorIcEEEENS1_17basic_string_viewIcS4_EE: 20| 12.6k|inline void do_fmt(std::ostringstream& oss, std::string_view format) { 21| 12.6k| oss << format; 22| 12.6k|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEEEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 7.56k|std::string fmt(std::string_view format, const T&... args) { 54| 7.56k| std::ostringstream oss; 55| 7.56k| oss.imbue(std::locale::classic()); 56| 7.56k| fmt_detail::do_fmt(oss, format, args...); 57| 7.56k| return oss.str(); 58| 7.56k|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJEEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 9.42k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 9.42k| size_t i = 0; 27| | 28| 95.4k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 95.4k, False: 0] ------------------ 29| 95.4k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 9.42k, False: 85.9k] | Branch (29:30): [True: 9.42k, False: 0] | Branch (29:59): [True: 9.42k, False: 0] ------------------ 30| 9.42k| oss << val; 31| 9.42k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 85.9k| } else { 33| 85.9k| oss << format[i]; 34| 85.9k| } 35| | 36| 85.9k| i += 1; 37| 85.9k| } 38| 9.42k|} _ZN5Botan3fmtIJNS_3OIDEEEENSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_17basic_string_viewIcS5_EEDpRKT_: 53| 1.78k|std::string fmt(std::string_view format, const T&... args) { 54| 1.78k| std::ostringstream oss; 55| 1.78k| oss.imbue(std::locale::classic()); 56| 1.78k| fmt_detail::do_fmt(oss, format, args...); 57| 1.78k| return oss.str(); 58| 1.78k|} _ZN5Botan10fmt_detail6do_fmtINS_3OIDEJEEEvRNSt3__119basic_ostringstreamIcNS3_11char_traitsIcEENS3_9allocatorIcEEEENS3_17basic_string_viewIcS6_EERKT_DpRKT0_: 25| 1.78k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 1.78k| size_t i = 0; 27| | 28| 41.1k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 41.1k, False: 0] ------------------ 29| 41.1k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 1.78k, False: 39.3k] | Branch (29:30): [True: 1.78k, False: 0] | Branch (29:59): [True: 1.78k, False: 0] ------------------ 30| 1.78k| oss << val; 31| 1.78k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 39.3k| } else { 33| 39.3k| oss << format[i]; 34| 39.3k| } 35| | 36| 39.3k| i += 1; 37| 39.3k| } 38| 1.78k|} _ZN5Botan3fmtIJPKcS2_S2_EEENSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEENS3_17basic_string_viewIcS6_EEDpRKT_: 53| 51|std::string fmt(std::string_view format, const T&... args) { 54| 51| std::ostringstream oss; 55| 51| oss.imbue(std::locale::classic()); 56| 51| fmt_detail::do_fmt(oss, format, args...); 57| 51| return oss.str(); 58| 51|} _ZN5Botan10fmt_detail6do_fmtIPKcJS3_S3_EEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 51|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 51| size_t i = 0; 27| | 28| 51| while(i < format.size()) { ------------------ | Branch (28:10): [True: 51, False: 0] ------------------ 29| 51| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 51, False: 0] | Branch (29:30): [True: 51, False: 0] | Branch (29:59): [True: 51, False: 0] ------------------ 30| 51| oss << val; 31| 51| return do_fmt(oss, format.substr(i + 2), rest...); 32| 51| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 51|} _ZN5Botan10fmt_detail6do_fmtIPKcJS3_EEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 51|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 51| size_t i = 0; 27| | 28| 255| while(i < format.size()) { ------------------ | Branch (28:10): [True: 255, False: 0] ------------------ 29| 255| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 51, False: 204] | Branch (29:30): [True: 51, False: 0] | Branch (29:59): [True: 51, False: 0] ------------------ 30| 51| oss << val; 31| 51| return do_fmt(oss, format.substr(i + 2), rest...); 32| 204| } else { 33| 204| oss << format[i]; 34| 204| } 35| | 36| 204| i += 1; 37| 204| } 38| 51|} _ZN5Botan10fmt_detail6do_fmtIPKcJEEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 985|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 985| size_t i = 0; 27| | 28| 13.1k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 13.1k, False: 0] ------------------ 29| 13.1k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 985, False: 12.1k] | Branch (29:30): [True: 985, False: 0] | Branch (29:59): [True: 985, False: 0] ------------------ 30| 985| oss << val; 31| 985| return do_fmt(oss, format.substr(i + 2), rest...); 32| 12.1k| } else { 33| 12.1k| oss << format[i]; 34| 12.1k| } 35| | 36| 12.1k| i += 1; 37| 12.1k| } 38| 985|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJS6_EEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 1.85k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 1.85k| size_t i = 0; 27| | 28| 1.85k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 1.85k, False: 0] ------------------ 29| 1.85k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 1.85k, False: 0] | Branch (29:30): [True: 1.85k, False: 0] | Branch (29:59): [True: 1.85k, False: 0] ------------------ 30| 1.85k| oss << val; 31| 1.85k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 1.85k| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 1.85k|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEPKcEEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 927|std::string fmt(std::string_view format, const T&... args) { 54| 927| std::ostringstream oss; 55| 927| oss.imbue(std::locale::classic()); 56| 927| fmt_detail::do_fmt(oss, format, args...); 57| 927| return oss.str(); 58| 927|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJPKcEEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 927|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 927| size_t i = 0; 27| | 28| 927| while(i < format.size()) { ------------------ | Branch (28:10): [True: 927, False: 0] ------------------ 29| 927| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 927, False: 0] | Branch (29:30): [True: 927, False: 0] | Branch (29:59): [True: 927, False: 0] ------------------ 30| 927| oss << val; 31| 927| return do_fmt(oss, format.substr(i + 2), rest...); 32| 927| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 927|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_EEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 1.85k|std::string fmt(std::string_view format, const T&... args) { 54| 1.85k| std::ostringstream oss; 55| 1.85k| oss.imbue(std::locale::classic()); 56| 1.85k| fmt_detail::do_fmt(oss, format, args...); 57| 1.85k| return oss.str(); 58| 1.85k|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEjEEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 9|std::string fmt(std::string_view format, const T&... args) { 54| 9| std::ostringstream oss; 55| 9| oss.imbue(std::locale::classic()); 56| 9| fmt_detail::do_fmt(oss, format, args...); 57| 9| return oss.str(); 58| 9|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJjEEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 9|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 9| size_t i = 0; 27| | 28| 9| while(i < format.size()) { ------------------ | Branch (28:10): [True: 9, False: 0] ------------------ 29| 9| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 9, False: 0] | Branch (29:30): [True: 9, False: 0] | Branch (29:59): [True: 9, False: 0] ------------------ 30| 9| oss << val; 31| 9| return do_fmt(oss, format.substr(i + 2), rest...); 32| 9| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 9|} _ZN5Botan10fmt_detail6do_fmtIjJEEEvRNSt3__119basic_ostringstreamIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_17basic_string_viewIcS5_EERKT_DpRKT0_: 25| 9|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 9| size_t i = 0; 27| | 28| 27| while(i < format.size()) { ------------------ | Branch (28:10): [True: 27, False: 0] ------------------ 29| 27| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 9, False: 18] | Branch (29:30): [True: 9, False: 0] | Branch (29:59): [True: 9, False: 0] ------------------ 30| 9| oss << val; 31| 9| return do_fmt(oss, format.substr(i + 2), rest...); 32| 18| } else { 33| 18| oss << format[i]; 34| 18| } 35| | 36| 18| i += 1; 37| 18| } 38| 9|} _ZN5Botan3fmtIJmPKcEEENSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEENS3_17basic_string_viewIcS6_EEDpRKT_: 53| 7|std::string fmt(std::string_view format, const T&... args) { 54| 7| std::ostringstream oss; 55| 7| oss.imbue(std::locale::classic()); 56| 7| fmt_detail::do_fmt(oss, format, args...); 57| 7| return oss.str(); 58| 7|} _ZN5Botan10fmt_detail6do_fmtImJPKcEEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 7|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 7| size_t i = 0; 27| | 28| 98| while(i < format.size()) { ------------------ | Branch (28:10): [True: 98, False: 0] ------------------ 29| 98| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 7, False: 91] | Branch (29:30): [True: 7, False: 0] | Branch (29:59): [True: 7, False: 0] ------------------ 30| 7| oss << val; 31| 7| return do_fmt(oss, format.substr(i + 2), rest...); 32| 91| } else { 33| 91| oss << format[i]; 34| 91| } 35| | 36| 91| i += 1; 37| 91| } 38| 7|} _ZN5Botan11checked_mulITkNSt3__117unsigned_integralEmEENS1_8optionalIT_EES3_S3_: 46| 16.7M|constexpr inline std::optional checked_mul(T a, T b) { 47| | // Multiplication by 1U is a hack to work around C's insane 48| | // integer promotion rules. 49| | // https://stackoverflow.com/questions/24795651 50| 16.7M| const T r = (1U * a) * b; 51| | // If a == 0 then the multiply certainly did not overflow 52| | // Otherwise r / a == b unless overflow occurred 53| 16.7M| if(a != 0 && r / a != b) { ------------------ | Branch (53:7): [True: 16.7M, False: 0] | Branch (53:17): [True: 0, False: 16.7M] ------------------ 54| 0| return {}; 55| 0| } 56| 16.7M| return r; 57| 16.7M|} _ZN5Botan11checked_addITkNSt3__117unsigned_integralEjEENS1_8optionalIT_EES3_S3_: 19| 2.60k|constexpr inline std::optional checked_add(T a, T b) { 20| 2.60k| const T r = a + b; 21| 2.60k| if(r < a || r < b) { ------------------ | Branch (21:7): [True: 0, False: 2.60k] | Branch (21:16): [True: 0, False: 2.60k] ------------------ 22| 0| return {}; 23| 0| } 24| 2.60k| return r; 25| 2.60k|} _ZN5Botan13swar_in_rangeITkNSt3__117unsigned_integralEmEET_S2_S2_S2_: 114| 1.16M|constexpr T swar_in_range(T v, T lower, T upper) { 115| | // The constant 0x808080... as a T 116| 1.16M| constexpr T hi1 = (static_cast(-1) / 255) << 7; 117| | // The constant 0x7F7F7F... as a T 118| 1.16M| constexpr T lo7 = ~hi1; 119| | 120| 1.16M| const T sub = ((v | hi1) - (lower & lo7)) ^ ((v ^ (~lower)) & hi1); 121| 1.16M| const T a_lo = sub & lo7; 122| 1.16M| const T a_hi = sub & hi1; 123| 1.16M| return (lo7 - a_lo + upper) & hi1 & ~a_hi; 124| 1.16M|} _ZN5Botan23index_of_first_set_byteITkNSt3__117unsigned_integralEmEEmT_: 130| 1.11M|constexpr size_t index_of_first_set_byte(T v) { 131| | // The constant 0x010101... as a T 132| 1.11M| constexpr T lo1 = (static_cast(-1) / 255); 133| | // The constant 0x808080... as a T 134| 1.11M| constexpr T hi1 = lo1 << 7; 135| | // How many bits to shift in order to get the top byte 136| 1.11M| constexpr size_t bits = (sizeof(T) * 8) - 8; 137| | 138| 1.11M| return static_cast((((((v & hi1) - 1) & lo1) * lo1) >> bits) - 1); 139| 1.11M|} _ZN5Botan13KeccakPadding4sha3Ev: 24| 58| static constexpr KeccakPadding sha3() { return {.padding = 0b10 /* little-endian */, .bit_len = 2}; } _ZN5Botan13KeccakPadding5shakeEv: 27| 3.78k| static constexpr KeccakPadding shake() { return {.padding = 0b1111, .bit_len = 4}; } _ZN5Botan18Keccak_PermutationC2ENS0_6ConfigE: 69| 3.84k| Sponge({.bit_rate = state_bits() - config.capacity_bits, .initial_state = {}}), m_padding(config.padding) {} _ZN5Botan24Keccak_Permutation_roundEPmPKmm: 15| 428k|BOTAN_FORCE_INLINE void Keccak_Permutation_round(uint64_t T[25], const uint64_t A[25], uint64_t RC) { 16| 428k| const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20]; 17| 428k| const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21]; 18| 428k| const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22]; 19| 428k| const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23]; 20| 428k| const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24]; 21| | 22| 428k| const uint64_t D0 = rotl<1>(C0) ^ C3; 23| 428k| const uint64_t D1 = rotl<1>(C1) ^ C4; 24| 428k| const uint64_t D2 = rotl<1>(C2) ^ C0; 25| 428k| const uint64_t D3 = rotl<1>(C3) ^ C1; 26| 428k| const uint64_t D4 = rotl<1>(C4) ^ C2; 27| | 28| 428k| const uint64_t B00 = A[0] ^ D1; 29| 428k| const uint64_t B01 = rotl<44>(A[6] ^ D2); 30| 428k| const uint64_t B02 = rotl<43>(A[12] ^ D3); 31| 428k| const uint64_t B03 = rotl<21>(A[18] ^ D4); 32| 428k| const uint64_t B04 = rotl<14>(A[24] ^ D0); 33| 428k| T[0] = B00 ^ (~B01 & B02) ^ RC; 34| 428k| T[1] = B01 ^ (~B02 & B03); 35| 428k| T[2] = B02 ^ (~B03 & B04); 36| 428k| T[3] = B03 ^ (~B04 & B00); 37| 428k| T[4] = B04 ^ (~B00 & B01); 38| | 39| 428k| const uint64_t B05 = rotl<28>(A[3] ^ D4); 40| 428k| const uint64_t B06 = rotl<20>(A[9] ^ D0); 41| 428k| const uint64_t B07 = rotl<3>(A[10] ^ D1); 42| 428k| const uint64_t B08 = rotl<45>(A[16] ^ D2); 43| 428k| const uint64_t B09 = rotl<61>(A[22] ^ D3); 44| 428k| T[5] = B05 ^ (~B06 & B07); 45| 428k| T[6] = B06 ^ (~B07 & B08); 46| 428k| T[7] = B07 ^ (~B08 & B09); 47| 428k| T[8] = B08 ^ (~B09 & B05); 48| 428k| T[9] = B09 ^ (~B05 & B06); 49| | 50| 428k| const uint64_t B10 = rotl<1>(A[1] ^ D2); 51| 428k| const uint64_t B11 = rotl<6>(A[7] ^ D3); 52| 428k| const uint64_t B12 = rotl<25>(A[13] ^ D4); 53| 428k| const uint64_t B13 = rotl<8>(A[19] ^ D0); 54| 428k| const uint64_t B14 = rotl<18>(A[20] ^ D1); 55| 428k| T[10] = B10 ^ (~B11 & B12); 56| 428k| T[11] = B11 ^ (~B12 & B13); 57| 428k| T[12] = B12 ^ (~B13 & B14); 58| 428k| T[13] = B13 ^ (~B14 & B10); 59| 428k| T[14] = B14 ^ (~B10 & B11); 60| | 61| 428k| const uint64_t B15 = rotl<27>(A[4] ^ D0); 62| 428k| const uint64_t B16 = rotl<36>(A[5] ^ D1); 63| 428k| const uint64_t B17 = rotl<10>(A[11] ^ D2); 64| 428k| const uint64_t B18 = rotl<15>(A[17] ^ D3); 65| 428k| const uint64_t B19 = rotl<56>(A[23] ^ D4); 66| 428k| T[15] = B15 ^ (~B16 & B17); 67| 428k| T[16] = B16 ^ (~B17 & B18); 68| 428k| T[17] = B17 ^ (~B18 & B19); 69| 428k| T[18] = B18 ^ (~B19 & B15); 70| 428k| T[19] = B19 ^ (~B15 & B16); 71| | 72| 428k| const uint64_t B20 = rotl<62>(A[2] ^ D3); 73| 428k| const uint64_t B21 = rotl<55>(A[8] ^ D4); 74| 428k| const uint64_t B22 = rotl<39>(A[14] ^ D0); 75| 428k| const uint64_t B23 = rotl<41>(A[15] ^ D1); 76| 428k| const uint64_t B24 = rotl<2>(A[21] ^ D2); 77| 428k| T[20] = B20 ^ (~B21 & B22); 78| 428k| T[21] = B21 ^ (~B22 & B23); 79| 428k| T[22] = B22 ^ (~B23 & B24); 80| 428k| T[23] = B23 ^ (~B24 & B20); 81| 428k| T[24] = B24 ^ (~B20 & B21); 82| 428k|} _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEEC2ENS_10StrongSpanIKS9_EERKNS_14KyberConstantsE: 65| 29| m_seed(seed), m_mode(mode), m_nonce(0) {} _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE33sample_polynomial_vector_cbd_eta1Ev: 67| 58| KyberPolyVec sample_polynomial_vector_cbd_eta1() { 68| 58| KyberPolyVec vec(m_mode.k()); 69| 192| for(auto& poly : vec) { ------------------ | Branch (69:25): [True: 192, False: 58] ------------------ 70| 192| sample_poly_cbd(poly, m_mode.eta1()); 71| 192| } 72| 58| return vec; 73| 58| } _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE15sample_poly_cbdERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNSB_6DomainE0EEENS_14KyberConstants8KyberEtaE: 101| 192| void sample_poly_cbd(KyberPoly& poly, KyberConstants::KyberEta eta) { 102| 192| const auto randomness = [&] { 103| 192| switch(eta) { 104| 192| case KyberConstants::KyberEta::_2: 105| 192| return prf(2 * poly.size() / 4); 106| 192| case KyberConstants::KyberEta::_3: 107| 192| return prf(3 * poly.size() / 4); 108| 192| } 109| | 110| 192| BOTAN_ASSERT_UNREACHABLE(); 111| 192| }(); 112| | 113| 192| sample_polynomial_from_cbd(poly, eta, randomness); 114| 192| } _ZZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE15sample_poly_cbdERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNSB_6DomainE0EEENS_14KyberConstants8KyberEtaEENKUlvE_clEv: 102| 192| const auto randomness = [&] { 103| 192| switch(eta) { ------------------ | Branch (103:20): [True: 192, False: 0] ------------------ 104| 176| case KyberConstants::KyberEta::_2: ------------------ | Branch (104:16): [True: 176, False: 16] ------------------ 105| 176| return prf(2 * poly.size() / 4); 106| 16| case KyberConstants::KyberEta::_3: ------------------ | Branch (106:16): [True: 16, False: 176] ------------------ 107| 16| return prf(3 * poly.size() / 4); 108| 192| } 109| | 110| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 111| 0| }(); _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE3prfEm: 94| 192| KyberSamplingRandomness prf(size_t bytes) { 95| 192| const auto& sym = m_mode.symmetric_primitives(); 96| 192| auto seed_span = m_seed.get(); 97| 192| sym.setup_PRF(m_prf_xof, seed_span, m_nonce++); 98| 192| return m_prf_xof->output(bytes); 99| 192| } _ZN5Botan11Kyber_Algos24encode_polynomial_vectorITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS3_9allocatorIhEEEEEET_RKNS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS9_6DomainE1EEERKNS_14KyberConstantsE: 48| 29|T encode_polynomial_vector(const KyberPolyVecNTT& vec, const KyberConstants& mode) { 49| 29| T r(mode.polynomial_vector_bytes()); 50| 29| encode_polynomial_vector(r, vec); 51| 29| return r; 52| 29|} _ZNK5Botan14KyberConstants4modeEv: 73| 45| KyberMode mode() const { return m_mode; } _ZNK5Botan14KyberConstants1kEv: 81| 830| uint8_t k() const { return m_k; } _ZNK5Botan14KyberConstants23polynomial_vector_bytesEv: 99| 95| size_t polynomial_vector_bytes() const { return m_polynomial_vector_bytes; } _ZNK5Botan14KyberConstants22seed_private_key_bytesEv: 121| 37| size_t seed_private_key_bytes() const { return m_seed_private_key_bytes; } _ZN5Botan14KyberConstantsC2EOS0_: 69| 145| KyberConstants(KyberConstants&& other) = default; _ZNK5Botan14KyberConstants26expanded_private_key_bytesEv: 118| 8| size_t expanded_private_key_bytes() const { return m_expanded_private_key_bytes; } _ZN5Botan14KyberConstantsC2ERKS0_: 67| 29| KyberConstants(const KyberConstants& other) : KyberConstants(other.m_mode) {} _ZNK5Botan14KyberConstants4eta1Ev: 83| 192| KyberEta eta1() const { return m_eta1; } _ZNK5Botan14KyberConstants3d_uEv: 87| 66| KyberDu d_u() const { return m_du; } _ZNK5Botan14KyberConstants3d_vEv: 89| 66| KyberDv d_v() const { return m_dv; } _ZNK5Botan14KyberConstants16public_key_bytesEv: 114| 66| size_t public_key_bytes() const { return polynomial_vector_bytes() + SEED_BYTES; } _ZNK5Botan14KyberConstants20symmetric_primitivesEv: 125| 279| Kyber_Symmetric_Primitives& symmetric_primitives() const { return *m_symmetric_primitives; } _ZN5Botan11Kyber_Algos8load_le3ENSt3__14spanIKhLm3EEE: 24| 53.7k|inline uint32_t load_le3(std::span in) { 25| 53.7k| return Botan::load_le(std::array{in[0], in[1], in[2], 0}); 26| 53.7k|} _ZN5Botan19Kyber_Keypair_CodecD2Ev: 24| 29| virtual ~Kyber_Keypair_Codec() = default; _ZN5Botan24Kyber_PrivateKeyInternalC2ENS_14KyberConstantsENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS2_6DomainE1EEENS_19KyberPrivateKeySeedE: 86| 29| m_mode(std::move(mode)), m_s(std::move(s)), m_seed(std::move(seed)) {} _ZN5Botan15KyberPolyTraits29montgomery_reduce_coefficientEi: 29| 409k| constexpr static T montgomery_reduce_coefficient(T2 a) { 30| 409k| const T u = static_cast(static_cast(a) * Q_inverse); 31| 409k| auto t = static_cast(u) * Q; 32| 409k| t = a - t; 33| 409k| t >>= sizeof(T) * 8; 34| 409k| return static_cast(t); 35| 409k| } _ZN5Botan15KyberPolyTraits26barrett_reduce_coefficientEs: 37| 98.3k| constexpr static T barrett_reduce_coefficient(T a) { 38| 98.3k| constexpr T2 v = ((1U << 26) + Q / 2) / Q; 39| 98.3k| const T t = static_cast(((v * a) >> 26) * Q); 40| 98.3k| return static_cast(a - t); 41| 98.3k| } _ZN5Botan15KyberPolyTraits3nttENSt3__14spanIsLm256EEE: 51| 192| constexpr static void ntt(std::span p) { 52| 1.53k| for(size_t len = N / 2, i = 0; len >= 2; len /= 2) { ------------------ | Branch (52:41): [True: 1.34k, False: 192] ------------------ 53| 25.7k| for(size_t start = 0, j = 0; start < N; start = j + len) { ------------------ | Branch (53:42): [True: 24.3k, False: 1.34k] ------------------ 54| 24.3k| const auto zeta = zetas[++i]; 55| 196k| for(j = start; j < start + len; ++j) { ------------------ | Branch (55:31): [True: 172k, False: 24.3k] ------------------ 56| 172k| const auto t = fqmul(zeta, p[j + len]); 57| 172k| p[j + len] = static_cast(p[j] - t); 58| 172k| p[j] = static_cast(p[j] + t); 59| 172k| } 60| 24.3k| } 61| 1.34k| } 62| | 63| 192| barrett_reduce(p); 64| 192| } _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_E_clIS3_EEDaS6_: 111| 21.5k| auto Tq_elem_count = [](auto p) { return p.size() / 2; }; _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_mE_clIS3_EEDaS6_m: 113| 42.4k| auto Tq_elem = [](auto p, size_t i) { 114| | if constexpr(std::is_const_v) { 115| | return std::array{p[2 * i], p[2 * i + 1]}; 116| 42.4k| } else { 117| 42.4k| return std::tuple{p[2 * i], p[2 * i + 1]}; 118| 42.4k| } 119| 42.4k| }; _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_mE_clIS5_EEDaS6_m: 113| 84.9k| auto Tq_elem = [](auto p, size_t i) { 114| 84.9k| if constexpr(std::is_const_v) { 115| 84.9k| return std::array{p[2 * i], p[2 * i + 1]}; 116| | } else { 117| | return std::tuple{p[2 * i], p[2 * i + 1]}; 118| | } 119| 84.9k| }; _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_T0_sE_clINS1_5arrayIsLm2EEESB_EENS1_5tupleIJssEEES6_S7_s: 106| 42.4k| auto basemul = [](const auto a, const auto b, const T zeta) -> std::tuple { 107| 42.4k| return {static_cast(fqmul(a[0], b[0]) + fqmul(fqmul(a[1], b[1]), zeta)), 108| 42.4k| static_cast(fqmul(a[0], b[1]) + fqmul(a[1], b[0]))}; 109| 42.4k| }; _ZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_: 102| 332| std::span rhs) { 103| | /** 104| | * NIST FIPS 203, Algorithm 12 (BaseCaseMultiply) 105| | */ 106| 332| auto basemul = [](const auto a, const auto b, const T zeta) -> std::tuple { 107| 332| return {static_cast(fqmul(a[0], b[0]) + fqmul(fqmul(a[1], b[1]), zeta)), 108| 332| static_cast(fqmul(a[0], b[1]) + fqmul(a[1], b[0]))}; 109| 332| }; 110| | 111| 332| auto Tq_elem_count = [](auto p) { return p.size() / 2; }; 112| | 113| 332| auto Tq_elem = [](auto p, size_t i) { 114| 332| if constexpr(std::is_const_v) { 115| 332| return std::array{p[2 * i], p[2 * i + 1]}; 116| 332| } else { 117| 332| return std::tuple{p[2 * i], p[2 * i + 1]}; 118| 332| } 119| 332| }; 120| | 121| 21.5k| for(size_t i = 0; i < Tq_elem_count(result) / 2; ++i) { ------------------ | Branch (121:28): [True: 21.2k, False: 332] ------------------ 122| 21.2k| const T zeta = zetas[64 + i]; 123| 21.2k| const T nzeta = static_cast(-zeta); 124| 21.2k| Tq_elem(result, 2 * i) = basemul(Tq_elem(lhs, 2 * i), Tq_elem(rhs, 2 * i), zeta); 125| 21.2k| Tq_elem(result, 2 * i + 1) = basemul(Tq_elem(lhs, 2 * i + 1), Tq_elem(rhs, 2 * i + 1), nzeta); 126| 21.2k| } 127| 332| } _ZNK5Botan26Kyber_Symmetric_Primitives1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEEE: 40| 29| KyberHashedPublicKey H(StrongSpan pk) const { 41| 29| return create_H()->process(pk); 42| 29| } _ZNK5Botan26Kyber_Symmetric_Primitives1GENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEEERKNS_14KyberConstantsE: 45| 29| const KyberConstants& mode) const { 46| 29| if(auto domsep = seed_expansion_domain_separator(mode)) { ------------------ | Branch (46:18): [True: 29, False: 0] ------------------ 47| 29| return G_split(seed, *domsep); 48| 29| } else { 49| 0| return G_split(seed); 50| 0| } 51| 29| } _ZNK5Botan26Kyber_Symmetric_Primitives9setup_XOFERNSt3__110unique_ptrINS_3XOFENS1_14default_deleteIS3_EEEENS_10StrongSpanIKNS_6StrongINS1_6vectorIhNS1_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEENS1_5tupleIJhhEEE: 86| 332| std::tuple matrix_position) const { 87| 332| if(!xof) { ------------------ | Branch (87:13): [True: 29, False: 303] ------------------ 88| 29| xof = create_XOF(seed, matrix_position); 89| 303| } else { 90| 303| init_XOF(*xof, seed, matrix_position); 91| 303| } 92| 332| } _ZNK5Botan26Kyber_Symmetric_Primitives9setup_PRFERNSt3__110unique_ptrINS_3XOFENS1_14default_deleteIS3_EEEENS1_4spanIKhLm18446744073709551615EEEh: 95| 192| void setup_PRF(std::unique_ptr& xof, std::span seed, uint8_t nonce) const { 96| 192| if(!xof) { ------------------ | Branch (96:13): [True: 29, False: 163] ------------------ 97| 29| xof = create_PRF(seed, nonce); 98| 163| } else { 99| 163| init_PRF(*xof, seed, nonce); 100| 163| } 101| 192| } _ZNK5Botan26Kyber_Symmetric_Primitives7G_splitITkNS_8concepts22contiguous_strong_typeENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_13KyberSeedRho_EJEEETkNS2_22contiguous_strong_typeENS3_INS5_IhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEETpTkNS_6ranges16contiguous_rangeEJNS_10StrongSpanIKNS3_ISD_NS_20KyberSeedRandomness_EJEEEEENS4_5arrayIhLm1EEEEEENS4_4pairIT_T0_EEDpRKT1_: 107| 29| std::pair G_split(const InputTs&... inputs) const { 108| 29| auto g = create_G(); 109| 29| (g->update(inputs), ...); 110| 29| const auto s = g->final(); 111| | 112| 29| BufferSlicer bs(s); 113| 29| std::pair result; 114| 29| result.first = bs.copy(KyberConstants::SEED_BYTES); 115| 29| result.second = bs.copy(KyberConstants::SEED_BYTES); 116| 29| BOTAN_ASSERT_NOMSG(bs.empty()); ------------------ | | 77| 29| do { \ | | 78| 29| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 29| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 29] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 29| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 29] | | ------------------ ------------------ 117| 29| return result; 118| 29| } _ZN5Botan26Kyber_Symmetric_PrimitivesD2Ev: 30| 66| virtual ~Kyber_Symmetric_Primitives() = default; _ZN5Botan11make_uint16Ehh: 92| 332|inline constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1) { 93| 332| return static_cast((static_cast(i0) << 8) | i1); 94| 332|} _ZN5Botan11make_uint32Ehhhh: 104| 687k|inline constexpr uint32_t make_uint32(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3) { 105| 687k| return ((static_cast(i0) << 24) | (static_cast(i1) << 16) | (static_cast(i2) << 8) | 106| 687k| (static_cast(i3))); 107| 687k|} _ZN5Botan12get_byte_varImEEhmT_: 69| 43.1k|inline constexpr uint8_t get_byte_var(size_t byte_num, T input) { 70| 43.1k| return static_cast(input >> (((~byte_num) & (sizeof(T) - 1)) << 3)); 71| 43.1k|} _ZN5Botan8store_beINS_6detail10AutoDetectEJRKmPhEEEDaDpOT0_: 745| 4.25k|inline constexpr auto store_be(ParamTs&&... params) { 746| 4.25k| return detail::store_any(std::forward(params)...); 747| 4.25k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS0_20unsigned_integralishEmQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asIT1_S5_EEEvS6_Ph: 711| 4.25k|inline constexpr void store_any(T in, uint8_t out[]) { 712| | // asserts that *out points to enough bytes to write into 713| 4.25k| store_any(in, std::span(out, sizeof(T))); 714| 4.25k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS0_20unsigned_integralishEmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEEQsr3stdE7same_asIS4_T0_EEEvT1_OT2_: 646| 4.25k|inline constexpr void store_any(T in, OutR&& out_range) { 647| 4.25k| store_any(in, std::forward(out_range)); 648| 4.25k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 44.0k|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 44.0k| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 44.0k| using InT = decltype(in); 528| 44.0k| ranges::assert_exact_byte_length(out_range); 529| 44.0k| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 44.0k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 44.0k] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 44.0k| } else { 537| | if constexpr(sizeof(InT) == 1) { 538| | out[0] = static_cast(in); 539| | } else if constexpr(endianness == std::endian::native) { 540| | typecast_copy(out, in); 541| 44.0k| } else { 542| 44.0k| static_assert(opposite(endianness) == std::endian::native); 543| 44.0k| typecast_copy(out, reverse_bytes(in)); 544| 44.0k| } 545| 44.0k| } 546| 44.0k|} _ZN5Botan6detail26unwrap_strong_type_or_enumITkNS0_20unsigned_integralishEmEEDaT_: 190| 44.1k|constexpr auto unwrap_strong_type_or_enum(InT t) { 191| | if constexpr(std::is_enum_v) { 192| | // TODO: C++23: use std::to_underlying(in) instead 193| | return static_cast>(t); 194| 44.1k| } else { 195| 44.1k| return Botan::unwrap_strong_type(t); 196| 44.1k| } 197| 44.1k|} _ZN5Botan7load_beImJNSt3__14spanIKhLm8EEEEEEDaDpOT0_: 504| 125k|inline constexpr auto load_be(ParamTs&&... params) { 505| 125k| return detail::load_any(std::forward(params)...); 506| 125k|} _ZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 137k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 137k| using OutT = detail::wrapped_type; 280| 137k| ranges::assert_exact_byte_length(in_range); 281| | 282| 137k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 137k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 137k| return fallback_load_any(std::forward(in_range)); 288| 137k| } else { 289| 137k| const std::span in{in_range}; 290| 137k| if constexpr(sizeof(OutT) == 1) { 291| 137k| return static_cast(in[0]); 292| 137k| } else if constexpr(endianness == std::endian::native) { 293| 137k| return typecast_copy(in); 294| 137k| } else { 295| 137k| static_assert(opposite(endianness) == std::endian::native); 296| 137k| return reverse_bytes(typecast_copy(in)); 297| 137k| } 298| 137k| } 299| 137k| }()); 300| 137k|} _ZN5Botan6detail24wrap_strong_type_or_enumITkNS0_20unsigned_integralishEmTkNSt3__117unsigned_integralEmEEDaT0_: 200| 212k|constexpr auto wrap_strong_type_or_enum(T t) { 201| | if constexpr(std::is_enum_v) { 202| | return static_cast(t); 203| 212k| } else { 204| 212k| return Botan::wrap_strong_type(t); 205| 212k| } 206| 212k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 137k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 137k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 137k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 137k| } else { 289| 137k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| | } else if constexpr(endianness == std::endian::native) { 293| | return typecast_copy(in); 294| 137k| } else { 295| 137k| static_assert(opposite(endianness) == std::endian::native); 296| 137k| return reverse_bytes(typecast_copy(in)); 297| 137k| } 298| 137k| } 299| 137k| }()); _ZN5Botan7load_beImJRNSt3__15arrayIhLm8EEEEEEDaDpOT0_: 504| 26.8k|inline constexpr auto load_be(ParamTs&&... params) { 505| 26.8k| return detail::load_any(std::forward(params)...); 506| 26.8k|} _ZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 26.8k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 26.8k| using OutT = detail::wrapped_type; 280| 26.8k| ranges::assert_exact_byte_length(in_range); 281| | 282| 26.8k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 26.8k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 26.8k| return fallback_load_any(std::forward(in_range)); 288| 26.8k| } else { 289| 26.8k| const std::span in{in_range}; 290| 26.8k| if constexpr(sizeof(OutT) == 1) { 291| 26.8k| return static_cast(in[0]); 292| 26.8k| } else if constexpr(endianness == std::endian::native) { 293| 26.8k| return typecast_copy(in); 294| 26.8k| } else { 295| 26.8k| static_assert(opposite(endianness) == std::endian::native); 296| 26.8k| return reverse_bytes(typecast_copy(in)); 297| 26.8k| } 298| 26.8k| } 299| 26.8k| }()); 300| 26.8k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 26.8k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 26.8k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 26.8k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 26.8k| } else { 289| 26.8k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| | } else if constexpr(endianness == std::endian::native) { 293| | return typecast_copy(in); 294| 26.8k| } else { 295| 26.8k| static_assert(opposite(endianness) == std::endian::native); 296| 26.8k| return reverse_bytes(typecast_copy(in)); 297| 26.8k| } 298| 26.8k| } 299| 26.8k| }()); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEETpTkNS0_20unsigned_integralishEJmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 39.8k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 39.8k| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 39.8k| auto store_one = [off = 0](auto o, T i) mutable { 585| 39.8k| store_any(i, o.subspan(off).template first()); 586| 39.8k| off += sizeof(T); 587| 39.8k| }; 588| | 589| 39.8k| (store_one(std::span{out}, ins), ...); 590| 39.8k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEETpTkNS0_20unsigned_integralishEJmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clImS7_EEDaS9_SE_: 584| 39.8k| auto store_one = [off = 0](auto o, T i) mutable { 585| 39.8k| store_any(i, o.subspan(off).template first()); 586| 39.8k| off += sizeof(T); 587| 39.8k| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm32EEERNS3_5arrayImLm4EEEEEEDaDpOT0_: 745| 1.70k|inline constexpr auto store_be(ParamTs&&... params) { 746| 1.70k| return detail::store_any(std::forward(params)...); 747| 1.70k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm32EEETkNS5_14spanable_rangeENS2_5arrayImLm4EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 1.70k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1.70k| ranges::assert_equal_byte_lengths(out, in); 605| 1.70k| using element_type = std::ranges::range_value_t; 606| | 607| 1.70k| auto store_elementwise = [&] { 608| 1.70k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.70k| std::span out_s(out); 610| 1.70k| for(auto in_elem : in) { 611| 1.70k| store_any(out_s.template first(), in_elem); 612| 1.70k| out_s = out_s.subspan(bytes_per_element); 613| 1.70k| } 614| 1.70k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1.70k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1.70k] ------------------ 620| 0| store_elementwise(); 621| 1.70k| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 1.70k| } else { 625| 1.70k| store_elementwise(); 626| 1.70k| } 627| 1.70k| } 628| 1.70k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm32EEETkNS5_14spanable_rangeENS2_5arrayImLm4EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 1.70k| auto store_elementwise = [&] { 608| 1.70k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.70k| std::span out_s(out); 610| 6.80k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 6.80k, False: 1.70k] ------------------ 611| 6.80k| store_any(out_s.template first(), in_elem); 612| 6.80k| out_s = out_s.subspan(bytes_per_element); 613| 6.80k| } 614| 1.70k| }; _ZN5Botan7load_beImJPKhmEEEDaDpOT0_: 504| 11.8k|inline constexpr auto load_be(ParamTs&&... params) { 505| 11.8k| return detail::load_any(std::forward(params)...); 506| 11.8k|} _ZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmEET0_PKhm: 454| 11.8k|inline constexpr OutT load_any(const uint8_t in[], size_t off) { 455| | // asserts that *in points to enough bytes to read at offset off 456| 11.8k| constexpr size_t out_size = sizeof(OutT); 457| 11.8k| return load_any(std::span(in + off * out_size, out_size)); 458| 11.8k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 44.4k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 44.4k| using OutT = detail::wrapped_type; 280| 44.4k| ranges::assert_exact_byte_length(in_range); 281| | 282| 44.4k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 44.4k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 44.4k| return fallback_load_any(std::forward(in_range)); 288| 44.4k| } else { 289| 44.4k| const std::span in{in_range}; 290| 44.4k| if constexpr(sizeof(OutT) == 1) { 291| 44.4k| return static_cast(in[0]); 292| 44.4k| } else if constexpr(endianness == std::endian::native) { 293| 44.4k| return typecast_copy(in); 294| 44.4k| } else { 295| 44.4k| static_assert(opposite(endianness) == std::endian::native); 296| 44.4k| return reverse_bytes(typecast_copy(in)); 297| 44.4k| } 298| 44.4k| } 299| 44.4k| }()); 300| 44.4k|} _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm48EEERNS3_5arrayImLm6EEEEEEDaDpOT0_: 745| 1.08k|inline constexpr auto store_be(ParamTs&&... params) { 746| 1.08k| return detail::store_any(std::forward(params)...); 747| 1.08k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm48EEETkNS5_14spanable_rangeENS2_5arrayImLm6EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 1.08k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1.08k| ranges::assert_equal_byte_lengths(out, in); 605| 1.08k| using element_type = std::ranges::range_value_t; 606| | 607| 1.08k| auto store_elementwise = [&] { 608| 1.08k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.08k| std::span out_s(out); 610| 1.08k| for(auto in_elem : in) { 611| 1.08k| store_any(out_s.template first(), in_elem); 612| 1.08k| out_s = out_s.subspan(bytes_per_element); 613| 1.08k| } 614| 1.08k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1.08k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1.08k] ------------------ 620| 0| store_elementwise(); 621| 1.08k| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 1.08k| } else { 625| 1.08k| store_elementwise(); 626| 1.08k| } 627| 1.08k| } 628| 1.08k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm48EEETkNS5_14spanable_rangeENS2_5arrayImLm6EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 1.08k| auto store_elementwise = [&] { 608| 1.08k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.08k| std::span out_s(out); 610| 6.53k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 6.53k, False: 1.08k] ------------------ 611| 6.53k| store_any(out_s.template first(), in_elem); 612| 6.53k| out_s = out_s.subspan(bytes_per_element); 613| 6.53k| } 614| 1.08k| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm64EEERNS3_5arrayImLm8EEEEEEDaDpOT0_: 745| 556|inline constexpr auto store_be(ParamTs&&... params) { 746| 556| return detail::store_any(std::forward(params)...); 747| 556|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm64EEETkNS5_14spanable_rangeENS2_5arrayImLm8EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 556|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 556| ranges::assert_equal_byte_lengths(out, in); 605| 556| using element_type = std::ranges::range_value_t; 606| | 607| 556| auto store_elementwise = [&] { 608| 556| constexpr size_t bytes_per_element = sizeof(element_type); 609| 556| std::span out_s(out); 610| 556| for(auto in_elem : in) { 611| 556| store_any(out_s.template first(), in_elem); 612| 556| out_s = out_s.subspan(bytes_per_element); 613| 556| } 614| 556| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 556| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 556] ------------------ 620| 0| store_elementwise(); 621| 556| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 556| } else { 625| 556| store_elementwise(); 626| 556| } 627| 556| } 628| 556|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm64EEETkNS5_14spanable_rangeENS2_5arrayImLm8EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 556| auto store_elementwise = [&] { 608| 556| constexpr size_t bytes_per_element = sizeof(element_type); 609| 556| std::span out_s(out); 610| 4.44k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 4.44k, False: 556] ------------------ 611| 4.44k| store_any(out_s.template first(), in_elem); 612| 4.44k| out_s = out_s.subspan(bytes_per_element); 613| 4.44k| } 614| 556| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__15arrayImLm9EEEEEEDaDpOT0_: 745| 1.92k|inline constexpr auto store_be(ParamTs&&... params) { 746| 1.92k| return detail::store_any(std::forward(params)...); 747| 1.92k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm9EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_: 663| 1.92k|inline constexpr auto store_any(InR&& in_range) { 664| 1.92k| auto out = []([[maybe_unused]] const auto& in) { 665| 1.92k| if constexpr(std::same_as) { 666| 1.92k| if constexpr(ranges::statically_spanable_range) { 667| 1.92k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 1.92k| return std::array(); 669| 1.92k| } else { 670| 1.92k| static_assert( 671| 1.92k| !std::same_as, 672| 1.92k| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 1.92k| } 674| 1.92k| } else if constexpr(concepts::resizable_byte_buffer) { 675| 1.92k| return OutR(std::span{in}.size_bytes()); 676| 1.92k| } else { 677| 1.92k| return OutR{}; 678| 1.92k| } 679| 1.92k| }(in_range); 680| | 681| 1.92k| store_any>(out, std::forward(in_range)); 682| 1.92k| return out; 683| 1.92k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm9EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSE_: 664| 1.92k| auto out = []([[maybe_unused]] const auto& in) { 665| 1.92k| if constexpr(std::same_as) { 666| 1.92k| if constexpr(ranges::statically_spanable_range) { 667| 1.92k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 1.92k| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 1.92k| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm72EEETkNS4_14spanable_rangeENS6_ImLm9EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 1.92k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1.92k| ranges::assert_equal_byte_lengths(out, in); 605| 1.92k| using element_type = std::ranges::range_value_t; 606| | 607| 1.92k| auto store_elementwise = [&] { 608| 1.92k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.92k| std::span out_s(out); 610| 1.92k| for(auto in_elem : in) { 611| 1.92k| store_any(out_s.template first(), in_elem); 612| 1.92k| out_s = out_s.subspan(bytes_per_element); 613| 1.92k| } 614| 1.92k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1.92k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1.92k] ------------------ 620| 0| store_elementwise(); 621| 1.92k| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 1.92k| } else { 625| 1.92k| store_elementwise(); 626| 1.92k| } 627| 1.92k| } 628| 1.92k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm72EEETkNS4_14spanable_rangeENS6_ImLm9EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 1.92k| auto store_elementwise = [&] { 608| 1.92k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.92k| std::span out_s(out); 610| 17.3k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 17.3k, False: 1.92k] ------------------ 611| 17.3k| store_any(out_s.template first(), in_elem); 612| 17.3k| out_s = out_s.subspan(bytes_per_element); 613| 17.3k| } 614| 1.92k| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm24EEERNS3_5arrayImLm3EEEEEEDaDpOT0_: 745| 780|inline constexpr auto store_be(ParamTs&&... params) { 746| 780| return detail::store_any(std::forward(params)...); 747| 780|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm24EEETkNS5_14spanable_rangeENS2_5arrayImLm3EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 780|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 780| ranges::assert_equal_byte_lengths(out, in); 605| 780| using element_type = std::ranges::range_value_t; 606| | 607| 780| auto store_elementwise = [&] { 608| 780| constexpr size_t bytes_per_element = sizeof(element_type); 609| 780| std::span out_s(out); 610| 780| for(auto in_elem : in) { 611| 780| store_any(out_s.template first(), in_elem); 612| 780| out_s = out_s.subspan(bytes_per_element); 613| 780| } 614| 780| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 780| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 780] ------------------ 620| 0| store_elementwise(); 621| 780| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 780| } else { 625| 780| store_elementwise(); 626| 780| } 627| 780| } 628| 780|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm24EEETkNS5_14spanable_rangeENS2_5arrayImLm3EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 780| auto store_elementwise = [&] { 608| 780| constexpr size_t bytes_per_element = sizeof(element_type); 609| 780| std::span out_s(out); 610| 2.34k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 2.34k, False: 780] ------------------ 611| 2.34k| store_any(out_s.template first(), in_elem); 612| 2.34k| out_s = out_s.subspan(bytes_per_element); 613| 2.34k| } 614| 780| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__15arrayImLm4EEEEEEDaDpOT0_: 745| 588|inline constexpr auto store_be(ParamTs&&... params) { 746| 588| return detail::store_any(std::forward(params)...); 747| 588|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm4EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_: 663| 588|inline constexpr auto store_any(InR&& in_range) { 664| 588| auto out = []([[maybe_unused]] const auto& in) { 665| 588| if constexpr(std::same_as) { 666| 588| if constexpr(ranges::statically_spanable_range) { 667| 588| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 588| return std::array(); 669| 588| } else { 670| 588| static_assert( 671| 588| !std::same_as, 672| 588| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 588| } 674| 588| } else if constexpr(concepts::resizable_byte_buffer) { 675| 588| return OutR(std::span{in}.size_bytes()); 676| 588| } else { 677| 588| return OutR{}; 678| 588| } 679| 588| }(in_range); 680| | 681| 588| store_any>(out, std::forward(in_range)); 682| 588| return out; 683| 588|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm4EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSE_: 664| 588| auto out = []([[maybe_unused]] const auto& in) { 665| 588| if constexpr(std::same_as) { 666| 588| if constexpr(ranges::statically_spanable_range) { 667| 588| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 588| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 588| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm32EEETkNS4_14spanable_rangeENS6_ImLm4EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 588|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 588| ranges::assert_equal_byte_lengths(out, in); 605| 588| using element_type = std::ranges::range_value_t; 606| | 607| 588| auto store_elementwise = [&] { 608| 588| constexpr size_t bytes_per_element = sizeof(element_type); 609| 588| std::span out_s(out); 610| 588| for(auto in_elem : in) { 611| 588| store_any(out_s.template first(), in_elem); 612| 588| out_s = out_s.subspan(bytes_per_element); 613| 588| } 614| 588| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 588| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 588] ------------------ 620| 0| store_elementwise(); 621| 588| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 588| } else { 625| 588| store_elementwise(); 626| 588| } 627| 588| } 628| 588|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm32EEETkNS4_14spanable_rangeENS6_ImLm4EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 588| auto store_elementwise = [&] { 608| 588| constexpr size_t bytes_per_element = sizeof(element_type); 609| 588| std::span out_s(out); 610| 2.35k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 2.35k, False: 588] ------------------ 611| 2.35k| store_any(out_s.template first(), in_elem); 612| 2.35k| out_s = out_s.subspan(bytes_per_element); 613| 2.35k| } 614| 588| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRKhEEEDaDpOT0_: 745| 192|inline constexpr auto store_be(ParamTs&&... params) { 746| 192| return detail::store_any(std::forward(params)...); 747| 192|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJhEQ10all_same_vIDpT1_EEEDaS6_: 696| 192|inline constexpr auto store_any(Ts... ins) { 697| 192| return store_any(std::array{ins...}); 698| 192|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayIhLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 192|inline constexpr auto store_any(InR&& in_range) { 664| 192| auto out = []([[maybe_unused]] const auto& in) { 665| 192| if constexpr(std::same_as) { 666| 192| if constexpr(ranges::statically_spanable_range) { 667| 192| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 192| return std::array(); 669| 192| } else { 670| 192| static_assert( 671| 192| !std::same_as, 672| 192| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 192| } 674| 192| } else if constexpr(concepts::resizable_byte_buffer) { 675| 192| return OutR(std::span{in}.size_bytes()); 676| 192| } else { 677| 192| return OutR{}; 678| 192| } 679| 192| }(in_range); 680| | 681| 192| store_any>(out, std::forward(in_range)); 682| 192| return out; 683| 192|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayIhLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 192| auto out = []([[maybe_unused]] const auto& in) { 665| 192| if constexpr(std::same_as) { 666| 192| if constexpr(ranges::statically_spanable_range) { 667| 192| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 192| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 192| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm1EEETkNS4_14spanable_rangeES7_Qoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISA_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEEEvOT1_RKSF_: 603| 192|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 192| ranges::assert_equal_byte_lengths(out, in); 605| 192| using element_type = std::ranges::range_value_t; 606| | 607| 192| auto store_elementwise = [&] { 608| 192| constexpr size_t bytes_per_element = sizeof(element_type); 609| 192| std::span out_s(out); 610| 192| for(auto in_elem : in) { 611| 192| store_any(out_s.template first(), in_elem); 612| 192| out_s = out_s.subspan(bytes_per_element); 613| 192| } 614| 192| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 192| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 192] ------------------ 620| 0| store_elementwise(); 621| 192| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 192| } else { 625| 192| store_elementwise(); 626| 192| } 627| 192| } 628| 192|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm1EEETkNS4_14spanable_rangeES7_Qoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISA_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEEEvOT1_RKSF_ENKUlvE_clEv: 607| 192| auto store_elementwise = [&] { 608| 192| constexpr size_t bytes_per_element = sizeof(element_type); 609| 192| std::span out_s(out); 610| 192| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 192, False: 192] ------------------ 611| 192| store_any(out_s.template first(), in_elem); 612| 192| out_s = out_s.subspan(bytes_per_element); 613| 192| } 614| 192| }; _ZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm1EEETpTkNS0_20unsigned_integralishEJhEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 192|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 192| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 192| auto store_one = [off = 0](auto o, T i) mutable { 585| 192| store_any(i, o.subspan(off).template first()); 586| 192| off += sizeof(T); 587| 192| }; 588| | 589| 192| (store_one(std::span{out}, ins), ...); 590| 192|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm1EEETpTkNS0_20unsigned_integralishEJhEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clIhS7_EEDaS9_SE_: 584| 192| auto store_one = [off = 0](auto o, T i) mutable { 585| 192| store_any(i, o.subspan(off).template first()); 586| 192| off += sizeof(T); 587| 192| }; _ZN5Botan6detail9store_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEhTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm1EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 192|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 192| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 192| using InT = decltype(in); 528| 192| ranges::assert_exact_byte_length(out_range); 529| 192| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 192| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 192] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 192| } else { 537| 192| if constexpr(sizeof(InT) == 1) { 538| 192| out[0] = static_cast(in); 539| | } else if constexpr(endianness == std::endian::native) { 540| | typecast_copy(out, in); 541| | } else { 542| | static_assert(opposite(endianness) == std::endian::native); 543| | typecast_copy(out, reverse_bytes(in)); 544| | } 545| 192| } 546| 192|} _ZN5Botan6detail26unwrap_strong_type_or_enumITkNS0_20unsigned_integralishEhEEDaT_: 190| 192|constexpr auto unwrap_strong_type_or_enum(InT t) { 191| | if constexpr(std::is_enum_v) { 192| | // TODO: C++23: use std::to_underlying(in) instead 193| | return static_cast>(t); 194| 192| } else { 195| 192| return Botan::unwrap_strong_type(t); 196| 192| } 197| 192|} _ZN5Botan6detail24wrap_strong_type_or_enumITkNS0_20unsigned_integralishEjTkNSt3__117unsigned_integralEjEEDaT0_: 200| 59.3k|constexpr auto wrap_strong_type_or_enum(T t) { 201| | if constexpr(std::is_enum_v) { 202| | return static_cast(t); 203| 59.3k| } else { 204| 59.3k| return Botan::wrap_strong_type(t); 205| 59.3k| } 206| 59.3k|} _ZN5Botan6detail24wrap_strong_type_or_enumITkNS0_20unsigned_integralishEtTkNSt3__117unsigned_integralEtEEDaT0_: 200| 2.68k|constexpr auto wrap_strong_type_or_enum(T t) { 201| | if constexpr(std::is_enum_v) { 202| | return static_cast(t); 203| 2.68k| } else { 204| 2.68k| return Botan::wrap_strong_type(t); 205| 2.68k| } 206| 2.68k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEtTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm2EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 332|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 332| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 332| using InT = decltype(in); 528| 332| ranges::assert_exact_byte_length(out_range); 529| 332| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 332| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 332] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 332| } else { 537| | if constexpr(sizeof(InT) == 1) { 538| | out[0] = static_cast(in); 539| | } else if constexpr(endianness == std::endian::native) { 540| | typecast_copy(out, in); 541| 332| } else { 542| 332| static_assert(opposite(endianness) == std::endian::native); 543| 332| typecast_copy(out, reverse_bytes(in)); 544| 332| } 545| 332| } 546| 332|} _ZN5Botan6detail26unwrap_strong_type_or_enumITkNS0_20unsigned_integralishEtEEDaT_: 190| 332|constexpr auto unwrap_strong_type_or_enum(InT t) { 191| | if constexpr(std::is_enum_v) { 192| | // TODO: C++23: use std::to_underlying(in) instead 193| | return static_cast>(t); 194| 332| } else { 195| 332| return Botan::unwrap_strong_type(t); 196| 332| } 197| 332|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 4|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 4| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 4| using InT = decltype(in); 528| 4| ranges::assert_exact_byte_length(out_range); 529| 4| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 4| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 4] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 4| } else { 537| | if constexpr(sizeof(InT) == 1) { 538| | out[0] = static_cast(in); 539| 4| } else if constexpr(endianness == std::endian::native) { 540| 4| typecast_copy(out, in); 541| | } else { 542| | static_assert(opposite(endianness) == std::endian::native); 543| | typecast_copy(out, reverse_bytes(in)); 544| | } 545| 4| } 546| 4|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 5.63k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 5.63k| using OutT = detail::wrapped_type; 280| 5.63k| ranges::assert_exact_byte_length(in_range); 281| | 282| 5.63k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 5.63k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 5.63k| return fallback_load_any(std::forward(in_range)); 288| 5.63k| } else { 289| 5.63k| const std::span in{in_range}; 290| 5.63k| if constexpr(sizeof(OutT) == 1) { 291| 5.63k| return static_cast(in[0]); 292| 5.63k| } else if constexpr(endianness == std::endian::native) { 293| 5.63k| return typecast_copy(in); 294| 5.63k| } else { 295| 5.63k| static_assert(opposite(endianness) == std::endian::native); 296| 5.63k| return reverse_bytes(typecast_copy(in)); 297| 5.63k| } 298| 5.63k| } 299| 5.63k| }()); 300| 5.63k|} _ZN5Botan11copy_out_beITkNS_6ranges14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEEEvNS2_4spanIhLm18446744073709551615EEERKT_: 773| 2|inline void copy_out_be(std::span out, const InR& in) { 774| 2| using T = std::ranges::range_value_t; 775| 2| std::span in_s{in}; 776| 2| const auto remaining_bytes = detail::copy_out_any_word_aligned_portion(out, in_s); 777| | 778| | // copy remaining bytes as a partial word 779| 2| for(size_t i = 0; i < remaining_bytes; ++i) { ------------------ | Branch (779:22): [True: 0, False: 2] ------------------ 780| 0| out[i] = get_byte_var(i, in_s.front()); 781| 0| } 782| 2|} _ZN5Botan6detail33copy_out_any_word_aligned_portionILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmEEmRNS2_4spanIhLm18446744073709551615EEERNS4_IKT0_Lm18446744073709551615EEE: 752| 2|inline size_t copy_out_any_word_aligned_portion(std::span& out, std::span& in) { 753| 2| const size_t full_words = out.size() / sizeof(T); 754| 2| const size_t full_word_bytes = full_words * sizeof(T); 755| 2| const size_t remaining_bytes = out.size() - full_word_bytes; 756| 2| BOTAN_ASSERT_NOMSG(in.size_bytes() >= full_word_bytes + remaining_bytes); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 757| | 758| | // copy full words 759| 2| store_any(out.first(full_word_bytes), in.first(full_words)); 760| 2| out = out.subspan(full_word_bytes); 761| 2| in = in.subspan(full_words); 762| | 763| 2| return remaining_bytes; 764| 2|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm18446744073709551615EEETkNS4_14spanable_rangeENS6_IKmLm18446744073709551615EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 2|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 2| ranges::assert_equal_byte_lengths(out, in); 605| 2| using element_type = std::ranges::range_value_t; 606| | 607| 2| auto store_elementwise = [&] { 608| 2| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2| std::span out_s(out); 610| 2| for(auto in_elem : in) { 611| 2| store_any(out_s.template first(), in_elem); 612| 2| out_s = out_s.subspan(bytes_per_element); 613| 2| } 614| 2| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 2| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 2] ------------------ 620| 0| store_elementwise(); 621| 2| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 2| } else { 625| 2| store_elementwise(); 626| 2| } 627| 2| } 628| 2|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm18446744073709551615EEETkNS4_14spanable_rangeENS6_IKmLm18446744073709551615EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 2| auto store_elementwise = [&] { 608| 2| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2| std::span out_s(out); 610| 16| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 16, False: 2] ------------------ 611| 16| store_any(out_s.template first(), in_elem); 612| 16| out_s = out_s.subspan(bytes_per_element); 613| 16| } 614| 2| }; _ZN5Botan7load_leImJRPKhiEEEDaDpOT0_: 495| 1|inline constexpr auto load_le(ParamTs&&... params) { 496| 1| return detail::load_any(std::forward(params)...); 497| 1|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmEET0_PKhm: 454| 5|inline constexpr OutT load_any(const uint8_t in[], size_t off) { 455| | // asserts that *in points to enough bytes to read at offset off 456| 5| constexpr size_t out_size = sizeof(OutT); 457| 5| return load_any(std::span(in + off * out_size, out_size)); 458| 5|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 44.4k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 44.4k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 44.4k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 44.4k| } else { 289| 44.4k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 44.4k| } else if constexpr(endianness == std::endian::native) { 293| 44.4k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 44.4k| } 299| 44.4k| }()); _ZN5Botan7load_leImJPKhiEEEDaDpOT0_: 495| 4|inline constexpr auto load_le(ParamTs&&... params) { 496| 4| return detail::load_any(std::forward(params)...); 497| 4|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 5.63k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 5.63k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 5.63k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 5.63k| } else { 289| 5.63k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 5.63k| } else if constexpr(endianness == std::endian::native) { 293| 5.63k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 5.63k| } 299| 5.63k| }()); _ZN5Botan7load_leINS_6detail10AutoDetectEJRNSt3__15arrayIhLm8EEEEEEDaDpOT0_: 495| 4.20k|inline constexpr auto load_le(ParamTs&&... params) { 496| 4.20k| return detail::load_any(std::forward(params)...); 497| 4.20k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_: 397| 4.20k|inline constexpr auto load_any(InR&& in_range) { 398| 4.20k| auto out = []([[maybe_unused]] const auto& in) { 399| 4.20k| if constexpr(std::same_as) { 400| 4.20k| if constexpr(ranges::statically_spanable_range) { 401| 4.20k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 4.20k| using type = 405| 4.20k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 4.20k| static_assert( 412| 4.20k| !std::is_void_v, 413| 4.20k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 4.20k| return type{}; 416| 4.20k| } else { 417| 4.20k| static_assert( 418| 4.20k| !std::same_as, 419| 4.20k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 4.20k| } 421| 4.20k| } else if constexpr(concepts::resizable_container) { 422| 4.20k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 4.20k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 4.20k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 4.20k| "Input range is not word-aligned with the requested output range"); 426| 4.20k| return OutT(in_bytes / out_elem_bytes); 427| 4.20k| } else { 428| 4.20k| return OutT{}; 429| 4.20k| } 430| 4.20k| }(in_range); 431| | 432| 4.20k| using out_type = decltype(out); 433| 4.20k| if constexpr(unsigned_integralish) { 434| 4.20k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 4.20k| return out; 441| 4.20k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS8_EEDaSG_: 398| 4.20k| auto out = []([[maybe_unused]] const auto& in) { 399| 4.20k| if constexpr(std::same_as) { 400| 4.20k| if constexpr(ranges::statically_spanable_range) { 401| 4.20k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 4.20k| using type = 405| 4.20k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 4.20k| static_assert( 412| 4.20k| !std::is_void_v, 413| 4.20k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 4.20k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 4.20k| }(in_range); _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 4.20k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 4.20k| using OutT = detail::wrapped_type; 280| 4.20k| ranges::assert_exact_byte_length(in_range); 281| | 282| 4.20k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 4.20k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 4.20k| return fallback_load_any(std::forward(in_range)); 288| 4.20k| } else { 289| 4.20k| const std::span in{in_range}; 290| 4.20k| if constexpr(sizeof(OutT) == 1) { 291| 4.20k| return static_cast(in[0]); 292| 4.20k| } else if constexpr(endianness == std::endian::native) { 293| 4.20k| return typecast_copy(in); 294| 4.20k| } else { 295| 4.20k| static_assert(opposite(endianness) == std::endian::native); 296| 4.20k| return reverse_bytes(typecast_copy(in)); 297| 4.20k| } 298| 4.20k| } 299| 4.20k| }()); 300| 4.20k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 4.20k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 4.20k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 4.20k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 4.20k| } else { 289| 4.20k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 4.20k| } else if constexpr(endianness == std::endian::native) { 293| 4.20k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 4.20k| } 299| 4.20k| }()); _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__14spanIKhLm8EEEEEEDaDpOT0_: 495| 44.4k|inline constexpr auto load_le(ParamTs&&... params) { 496| 44.4k| return detail::load_any(std::forward(params)...); 497| 44.4k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_: 397| 44.4k|inline constexpr auto load_any(InR&& in_range) { 398| 44.4k| auto out = []([[maybe_unused]] const auto& in) { 399| 44.4k| if constexpr(std::same_as) { 400| 44.4k| if constexpr(ranges::statically_spanable_range) { 401| 44.4k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 44.4k| using type = 405| 44.4k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 44.4k| static_assert( 412| 44.4k| !std::is_void_v, 413| 44.4k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 44.4k| return type{}; 416| 44.4k| } else { 417| 44.4k| static_assert( 418| 44.4k| !std::same_as, 419| 44.4k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 44.4k| } 421| 44.4k| } else if constexpr(concepts::resizable_container) { 422| 44.4k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 44.4k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 44.4k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 44.4k| "Input range is not word-aligned with the requested output range"); 426| 44.4k| return OutT(in_bytes / out_elem_bytes); 427| 44.4k| } else { 428| 44.4k| return OutT{}; 429| 44.4k| } 430| 44.4k| }(in_range); 431| | 432| 44.4k| using out_type = decltype(out); 433| 44.4k| if constexpr(unsigned_integralish) { 434| 44.4k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 44.4k| return out; 441| 44.4k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS9_EEDaSG_: 398| 44.4k| auto out = []([[maybe_unused]] const auto& in) { 399| 44.4k| if constexpr(std::same_as) { 400| 44.4k| if constexpr(ranges::statically_spanable_range) { 401| 44.4k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 44.4k| using type = 405| 44.4k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 44.4k| static_assert( 412| 44.4k| !std::is_void_v, 413| 44.4k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 44.4k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 44.4k| }(in_range); _ZN5Botan8store_leINS_6detail10AutoDetectEJRmEEEDaDpOT0_: 736| 1.09M|inline constexpr auto store_le(ParamTs&&... params) { 737| 1.09M| return detail::store_any(std::forward(params)...); 738| 1.09M|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJmEQ10all_same_vIDpT1_EEEDaS6_: 696| 1.09M|inline constexpr auto store_any(Ts... ins) { 697| 1.09M| return store_any(std::array{ins...}); 698| 1.09M|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 1.09M|inline constexpr auto store_any(InR&& in_range) { 664| 1.09M| auto out = []([[maybe_unused]] const auto& in) { 665| 1.09M| if constexpr(std::same_as) { 666| 1.09M| if constexpr(ranges::statically_spanable_range) { 667| 1.09M| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 1.09M| return std::array(); 669| 1.09M| } else { 670| 1.09M| static_assert( 671| 1.09M| !std::same_as, 672| 1.09M| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 1.09M| } 674| 1.09M| } else if constexpr(concepts::resizable_byte_buffer) { 675| 1.09M| return OutR(std::span{in}.size_bytes()); 676| 1.09M| } else { 677| 1.09M| return OutR{}; 678| 1.09M| } 679| 1.09M| }(in_range); 680| | 681| 1.09M| store_any>(out, std::forward(in_range)); 682| 1.09M| return out; 683| 1.09M|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 1.09M| auto out = []([[maybe_unused]] const auto& in) { 665| 1.09M| if constexpr(std::same_as) { 666| 1.09M| if constexpr(ranges::statically_spanable_range) { 667| 1.09M| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 1.09M| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 1.09M| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE57005EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm8EEETkNS4_14spanable_rangeENS6_ImLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 1.13M|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1.13M| ranges::assert_equal_byte_lengths(out, in); 605| 1.13M| using element_type = std::ranges::range_value_t; 606| | 607| 1.13M| auto store_elementwise = [&] { 608| 1.13M| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.13M| std::span out_s(out); 610| 1.13M| for(auto in_elem : in) { 611| 1.13M| store_any(out_s.template first(), in_elem); 612| 1.13M| out_s = out_s.subspan(bytes_per_element); 613| 1.13M| } 614| 1.13M| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1.13M| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1.13M] ------------------ 620| 0| store_elementwise(); 621| 1.13M| } else { 622| 1.13M| if constexpr(endianness == std::endian::native && !custom_storable) { 623| 1.13M| typecast_copy(out, in); 624| | } else { 625| | store_elementwise(); 626| | } 627| 1.13M| } 628| 1.13M|} _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__14spanIKhLm4EEEEEEDaDpOT0_: 495| 5.63k|inline constexpr auto load_le(ParamTs&&... params) { 496| 5.63k| return detail::load_any(std::forward(params)...); 497| 5.63k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_: 397| 5.63k|inline constexpr auto load_any(InR&& in_range) { 398| 5.63k| auto out = []([[maybe_unused]] const auto& in) { 399| 5.63k| if constexpr(std::same_as) { 400| 5.63k| if constexpr(ranges::statically_spanable_range) { 401| 5.63k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 5.63k| using type = 405| 5.63k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 5.63k| static_assert( 412| 5.63k| !std::is_void_v, 413| 5.63k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 5.63k| return type{}; 416| 5.63k| } else { 417| 5.63k| static_assert( 418| 5.63k| !std::same_as, 419| 5.63k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 5.63k| } 421| 5.63k| } else if constexpr(concepts::resizable_container) { 422| 5.63k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 5.63k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 5.63k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 5.63k| "Input range is not word-aligned with the requested output range"); 426| 5.63k| return OutT(in_bytes / out_elem_bytes); 427| 5.63k| } else { 428| 5.63k| return OutT{}; 429| 5.63k| } 430| 5.63k| }(in_range); 431| | 432| 5.63k| using out_type = decltype(out); 433| 5.63k| if constexpr(unsigned_integralish) { 434| 5.63k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 5.63k| return out; 441| 5.63k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS9_EEDaSG_: 398| 5.63k| auto out = []([[maybe_unused]] const auto& in) { 399| 5.63k| if constexpr(std::same_as) { 400| 5.63k| if constexpr(ranges::statically_spanable_range) { 401| 5.63k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 5.63k| using type = 405| 5.63k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 5.63k| static_assert( 412| 5.63k| !std::is_void_v, 413| 5.63k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 5.63k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 5.63k| }(in_range); _ZN5Botan8store_leINS_6detail10AutoDetectEJRNSt3__15arrayImLm1EEEEEEDaDpOT0_: 736| 36.6k|inline constexpr auto store_le(ParamTs&&... params) { 737| 36.6k| return detail::store_any(std::forward(params)...); 738| 36.6k|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_: 663| 36.6k|inline constexpr auto store_any(InR&& in_range) { 664| 36.6k| auto out = []([[maybe_unused]] const auto& in) { 665| 36.6k| if constexpr(std::same_as) { 666| 36.6k| if constexpr(ranges::statically_spanable_range) { 667| 36.6k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 36.6k| return std::array(); 669| 36.6k| } else { 670| 36.6k| static_assert( 671| 36.6k| !std::same_as, 672| 36.6k| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 36.6k| } 674| 36.6k| } else if constexpr(concepts::resizable_byte_buffer) { 675| 36.6k| return OutR(std::span{in}.size_bytes()); 676| 36.6k| } else { 677| 36.6k| return OutR{}; 678| 36.6k| } 679| 36.6k| }(in_range); 680| | 681| 36.6k| store_any>(out, std::forward(in_range)); 682| 36.6k| return out; 683| 36.6k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSE_: 664| 36.6k| auto out = []([[maybe_unused]] const auto& in) { 665| 36.6k| if constexpr(std::same_as) { 666| 36.6k| if constexpr(ranges::statically_spanable_range) { 667| 36.6k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 36.6k| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 36.6k| }(in_range); _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__15arrayIhLm2EEEEEEDaDpOT0_: 495| 2.68k|inline constexpr auto load_le(ParamTs&&... params) { 496| 2.68k| return detail::load_any(std::forward(params)...); 497| 2.68k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_: 397| 2.68k|inline constexpr auto load_any(InR&& in_range) { 398| 2.68k| auto out = []([[maybe_unused]] const auto& in) { 399| 2.68k| if constexpr(std::same_as) { 400| 2.68k| if constexpr(ranges::statically_spanable_range) { 401| 2.68k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 2.68k| using type = 405| 2.68k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 2.68k| static_assert( 412| 2.68k| !std::is_void_v, 413| 2.68k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 2.68k| return type{}; 416| 2.68k| } else { 417| 2.68k| static_assert( 418| 2.68k| !std::same_as, 419| 2.68k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 2.68k| } 421| 2.68k| } else if constexpr(concepts::resizable_container) { 422| 2.68k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 2.68k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 2.68k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 2.68k| "Input range is not word-aligned with the requested output range"); 426| 2.68k| return OutT(in_bytes / out_elem_bytes); 427| 2.68k| } else { 428| 2.68k| return OutT{}; 429| 2.68k| } 430| 2.68k| }(in_range); 431| | 432| 2.68k| using out_type = decltype(out); 433| 2.68k| if constexpr(unsigned_integralish) { 434| 2.68k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 2.68k| return out; 441| 2.68k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS8_EEDaSF_: 398| 2.68k| auto out = []([[maybe_unused]] const auto& in) { 399| 2.68k| if constexpr(std::same_as) { 400| 2.68k| if constexpr(ranges::statically_spanable_range) { 401| 2.68k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 2.68k| using type = 405| 2.68k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 2.68k| static_assert( 412| 2.68k| !std::is_void_v, 413| 2.68k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 2.68k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 2.68k| }(in_range); _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEtTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_: 278| 2.68k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 2.68k| using OutT = detail::wrapped_type; 280| 2.68k| ranges::assert_exact_byte_length(in_range); 281| | 282| 2.68k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 2.68k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 2.68k| return fallback_load_any(std::forward(in_range)); 288| 2.68k| } else { 289| 2.68k| const std::span in{in_range}; 290| 2.68k| if constexpr(sizeof(OutT) == 1) { 291| 2.68k| return static_cast(in[0]); 292| 2.68k| } else if constexpr(endianness == std::endian::native) { 293| 2.68k| return typecast_copy(in); 294| 2.68k| } else { 295| 2.68k| static_assert(opposite(endianness) == std::endian::native); 296| 2.68k| return reverse_bytes(typecast_copy(in)); 297| 2.68k| } 298| 2.68k| } 299| 2.68k| }()); 300| 2.68k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEtTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_ENKUlvE_clEv: 282| 2.68k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 2.68k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 2.68k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 2.68k| } else { 289| 2.68k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 2.68k| } else if constexpr(endianness == std::endian::native) { 293| 2.68k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 2.68k| } 299| 2.68k| }()); _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 332| auto out = []([[maybe_unused]] const auto& in) { 665| 332| if constexpr(std::same_as) { 666| 332| if constexpr(ranges::statically_spanable_range) { 667| 332| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 332| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 332| }(in_range); _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm2EEETpTkNS0_20unsigned_integralishEJtEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clItS7_EEDaS9_SE_: 584| 332| auto store_one = [off = 0](auto o, T i) mutable { 585| 332| store_any(i, o.subspan(off).template first()); 586| 332| off += sizeof(T); 587| 332| }; _ZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm2EEETpTkNS0_20unsigned_integralishEJtEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 332|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 332| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 332| auto store_one = [off = 0](auto o, T i) mutable { 585| 332| store_any(i, o.subspan(off).template first()); 586| 332| off += sizeof(T); 587| 332| }; 588| | 589| 332| (store_one(std::span{out}, ins), ...); 590| 332|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm2EEETkNS4_14spanable_rangeENS6_ItLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 332|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 332| ranges::assert_equal_byte_lengths(out, in); 605| 332| using element_type = std::ranges::range_value_t; 606| | 607| 332| auto store_elementwise = [&] { 608| 332| constexpr size_t bytes_per_element = sizeof(element_type); 609| 332| std::span out_s(out); 610| 332| for(auto in_elem : in) { 611| 332| store_any(out_s.template first(), in_elem); 612| 332| out_s = out_s.subspan(bytes_per_element); 613| 332| } 614| 332| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 332| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 332] ------------------ 620| 0| store_elementwise(); 621| 332| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 332| } else { 625| 332| store_elementwise(); 626| 332| } 627| 332| } 628| 332|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 332|inline constexpr auto store_any(InR&& in_range) { 664| 332| auto out = []([[maybe_unused]] const auto& in) { 665| 332| if constexpr(std::same_as) { 666| 332| if constexpr(ranges::statically_spanable_range) { 667| 332| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 332| return std::array(); 669| 332| } else { 670| 332| static_assert( 671| 332| !std::same_as, 672| 332| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 332| } 674| 332| } else if constexpr(concepts::resizable_byte_buffer) { 675| 332| return OutR(std::span{in}.size_bytes()); 676| 332| } else { 677| 332| return OutR{}; 678| 332| } 679| 332| }(in_range); 680| | 681| 332| store_any>(out, std::forward(in_range)); 682| 332| return out; 683| 332|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJtEQ10all_same_vIDpT1_EEEDaS6_: 696| 332|inline constexpr auto store_any(Ts... ins) { 697| 332| return store_any(std::array{ins...}); 698| 332|} _ZN5Botan8store_beINS_6detail10AutoDetectEJtEEEDaDpOT0_: 745| 332|inline constexpr auto store_be(ParamTs&&... params) { 746| 332| return detail::store_any(std::forward(params)...); 747| 332|} _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__15arrayIhLm4EEEEEEDaDpOT0_: 495| 53.7k|inline constexpr auto load_le(ParamTs&&... params) { 496| 53.7k| return detail::load_any(std::forward(params)...); 497| 53.7k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_: 397| 53.7k|inline constexpr auto load_any(InR&& in_range) { 398| 53.7k| auto out = []([[maybe_unused]] const auto& in) { 399| 53.7k| if constexpr(std::same_as) { 400| 53.7k| if constexpr(ranges::statically_spanable_range) { 401| 53.7k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 53.7k| using type = 405| 53.7k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 53.7k| static_assert( 412| 53.7k| !std::is_void_v, 413| 53.7k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 53.7k| return type{}; 416| 53.7k| } else { 417| 53.7k| static_assert( 418| 53.7k| !std::same_as, 419| 53.7k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 53.7k| } 421| 53.7k| } else if constexpr(concepts::resizable_container) { 422| 53.7k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 53.7k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 53.7k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 53.7k| "Input range is not word-aligned with the requested output range"); 426| 53.7k| return OutT(in_bytes / out_elem_bytes); 427| 53.7k| } else { 428| 53.7k| return OutT{}; 429| 53.7k| } 430| 53.7k| }(in_range); 431| | 432| 53.7k| using out_type = decltype(out); 433| 53.7k| if constexpr(unsigned_integralish) { 434| 53.7k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 53.7k| return out; 441| 53.7k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS8_EEDaSF_: 398| 53.7k| auto out = []([[maybe_unused]] const auto& in) { 399| 53.7k| if constexpr(std::same_as) { 400| 53.7k| if constexpr(ranges::statically_spanable_range) { 401| 53.7k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 53.7k| using type = 405| 53.7k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 53.7k| static_assert( 412| 53.7k| !std::is_void_v, 413| 53.7k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 53.7k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 53.7k| }(in_range); _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_: 278| 53.7k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 53.7k| using OutT = detail::wrapped_type; 280| 53.7k| ranges::assert_exact_byte_length(in_range); 281| | 282| 53.7k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 53.7k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 53.7k| return fallback_load_any(std::forward(in_range)); 288| 53.7k| } else { 289| 53.7k| const std::span in{in_range}; 290| 53.7k| if constexpr(sizeof(OutT) == 1) { 291| 53.7k| return static_cast(in[0]); 292| 53.7k| } else if constexpr(endianness == std::endian::native) { 293| 53.7k| return typecast_copy(in); 294| 53.7k| } else { 295| 53.7k| static_assert(opposite(endianness) == std::endian::native); 296| 53.7k| return reverse_bytes(typecast_copy(in)); 297| 53.7k| } 298| 53.7k| } 299| 53.7k| }()); 300| 53.7k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_ENKUlvE_clEv: 282| 53.7k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 53.7k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 53.7k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 53.7k| } else { 289| 53.7k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 53.7k| } else if constexpr(endianness == std::endian::native) { 293| 53.7k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 53.7k| } 299| 53.7k| }()); _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm2EEETkNS4_14spanable_rangeENS6_ItLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 332| auto store_elementwise = [&] { 608| 332| constexpr size_t bytes_per_element = sizeof(element_type); 609| 332| std::span out_s(out); 610| 332| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 332, False: 332] ------------------ 611| 332| store_any(out_s.template first(), in_elem); 612| 332| out_s = out_s.subspan(bytes_per_element); 613| 332| } 614| 332| }; _ZN5Botan8store_leINS_6detail10AutoDetectEJRPhmmmmEEEDaDpOT0_: 736| 1|inline constexpr auto store_le(ParamTs&&... params) { 737| 1| return detail::store_any(std::forward(params)...); 738| 1|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS0_20unsigned_integralishEmTpTkNS0_20unsigned_integralishEJmmmEQaaoosr3stdE7same_asIS4_T0_Esr3stdE7same_asIT1_S5_E10all_same_vIS6_DpT2_EEEvPhS6_S8_: 723| 1|inline constexpr void store_any(uint8_t out[], T0 in0, Ts... ins) { 724| 1| constexpr auto bytes = sizeof(in0) + (sizeof(ins) + ... + 0); 725| | // asserts that *out points to the correct amount of memory 726| 1| store_any(std::span(out, bytes), in0, ins...); 727| 1|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm32EEETpTkNS0_20unsigned_integralishEJmmmmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 1|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 1| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 1| auto store_one = [off = 0](auto o, T i) mutable { 585| 1| store_any(i, o.subspan(off).template first()); 586| 1| off += sizeof(T); 587| 1| }; 588| | 589| 1| (store_one(std::span{out}, ins), ...); 590| 1|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm32EEETpTkNS0_20unsigned_integralishEJmmmmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clImS7_EEDaS9_SE_: 584| 4| auto store_one = [off = 0](auto o, T i) mutable { 585| 4| store_any(i, o.subspan(off).template first()); 586| 4| off += sizeof(T); 587| 4| }; _ZN5Botan7load_leINS_6detail10AutoDetectEJRNSt3__15arrayImLm7EEERNS3_4spanIKhLm56EEEEEEDaDpOT0_: 495| 2|inline constexpr auto load_le(ParamTs&&... params) { 496| 2| return detail::load_any(std::forward(params)...); 497| 2|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeERNS2_5arrayImLm7EEETkNS5_16contiguous_rangeIhEENS2_4spanIKhLm56EEEQaa20unsigned_integralishINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT1_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISR_SQ_EEEvOSH_RKT2_: 355| 2|inline constexpr void load_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 356| 2| ranges::assert_equal_byte_lengths(out, in); 357| 2| using element_type = std::ranges::range_value_t; 358| | 359| 2| auto load_elementwise = [&] { 360| 2| constexpr size_t bytes_per_element = sizeof(element_type); 361| 2| std::span in_s(in); 362| 2| for(auto& out_elem : out) { 363| 2| out_elem = load_any(in_s.template first()); 364| 2| in_s = in_s.subspan(bytes_per_element); 365| 2| } 366| 2| }; 367| | 368| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 369| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 370| | // in a `constexpr` context. 371| 2| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (371:7): [Folded, False: 2] ------------------ 372| 0| load_elementwise(); 373| 2| } else { 374| 2| if constexpr(endianness == std::endian::native && !custom_loadable) { 375| 2| typecast_copy(out, in); 376| | } else { 377| | load_elementwise(); 378| | } 379| 2| } 380| 2|} _ZN5Botan8store_leINS_6detail10AutoDetectEJRNSt3__14spanIhLm56EEENS3_5arrayImLm7EEEEEEDaDpOT0_: 736| 1|inline constexpr auto store_le(ParamTs&&... params) { 737| 1| return detail::store_any(std::forward(params)...); 738| 1|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm56EEETkNS5_14spanable_rangeENS2_5arrayImLm7EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 1|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1| ranges::assert_equal_byte_lengths(out, in); 605| 1| using element_type = std::ranges::range_value_t; 606| | 607| 1| auto store_elementwise = [&] { 608| 1| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1| std::span out_s(out); 610| 1| for(auto in_elem : in) { 611| 1| store_any(out_s.template first(), in_elem); 612| 1| out_s = out_s.subspan(bytes_per_element); 613| 1| } 614| 1| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1] ------------------ 620| 0| store_elementwise(); 621| 1| } else { 622| 1| if constexpr(endianness == std::endian::native && !custom_storable) { 623| 1| typecast_copy(out, in); 624| | } else { 625| | store_elementwise(); 626| | } 627| 1| } 628| 1|} _ZN5Botan8store_leINS_6detail10AutoDetectEJRtEEEDaDpOT0_: 736| 3.57k|inline constexpr auto store_le(ParamTs&&... params) { 737| 3.57k| return detail::store_any(std::forward(params)...); 738| 3.57k|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJtEQ10all_same_vIDpT1_EEEDaS6_: 696| 3.57k|inline constexpr auto store_any(Ts... ins) { 697| 3.57k| return store_any(std::array{ins...}); 698| 3.57k|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 3.57k|inline constexpr auto store_any(InR&& in_range) { 664| 3.57k| auto out = []([[maybe_unused]] const auto& in) { 665| 3.57k| if constexpr(std::same_as) { 666| 3.57k| if constexpr(ranges::statically_spanable_range) { 667| 3.57k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 3.57k| return std::array(); 669| 3.57k| } else { 670| 3.57k| static_assert( 671| 3.57k| !std::same_as, 672| 3.57k| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 3.57k| } 674| 3.57k| } else if constexpr(concepts::resizable_byte_buffer) { 675| 3.57k| return OutR(std::span{in}.size_bytes()); 676| 3.57k| } else { 677| 3.57k| return OutR{}; 678| 3.57k| } 679| 3.57k| }(in_range); 680| | 681| 3.57k| store_any>(out, std::forward(in_range)); 682| 3.57k| return out; 683| 3.57k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 3.57k| auto out = []([[maybe_unused]] const auto& in) { 665| 3.57k| if constexpr(std::same_as) { 666| 3.57k| if constexpr(ranges::statically_spanable_range) { 667| 3.57k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 3.57k| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 3.57k| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE57005EtTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm2EEETkNS4_14spanable_rangeENS6_ItLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 3.57k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 3.57k| ranges::assert_equal_byte_lengths(out, in); 605| 3.57k| using element_type = std::ranges::range_value_t; 606| | 607| 3.57k| auto store_elementwise = [&] { 608| 3.57k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 3.57k| std::span out_s(out); 610| 3.57k| for(auto in_elem : in) { 611| 3.57k| store_any(out_s.template first(), in_elem); 612| 3.57k| out_s = out_s.subspan(bytes_per_element); 613| 3.57k| } 614| 3.57k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 3.57k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 3.57k] ------------------ 620| 0| store_elementwise(); 621| 3.57k| } else { 622| 3.57k| if constexpr(endianness == std::endian::native && !custom_storable) { 623| 3.57k| typecast_copy(out, in); 624| | } else { 625| | store_elementwise(); 626| | } 627| 3.57k| } 628| 3.57k|} _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EEC2Ev: 42| 2| MerkleDamgard_Hash() { clear(); } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE5clearEv: 70| 4| void clear() { 71| 4| MD::init(m_digest); 72| 4| m_buffer.clear(); 73| 4| m_count = 0; 74| 4| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE6updateENSt3__14spanIKhLm18446744073709551615EEE: 44| 2| void update(std::span input) { 45| 2| BufferSlicer in(input); 46| | 47| 4| while(!in.empty()) { ------------------ | Branch (47:16): [True: 2, False: 2] ------------------ 48| 2| if(const auto one_block = m_buffer.handle_unaligned_data(in)) { ------------------ | Branch (48:27): [True: 0, False: 2] ------------------ 49| 0| MD::compress_n(m_digest, one_block.value(), 1); 50| 0| } 51| | 52| 2| if(m_buffer.in_alignment()) { ------------------ | Branch (52:16): [True: 0, False: 2] ------------------ 53| 0| const auto [aligned_data, full_blocks] = m_buffer.aligned_data_to_process(in); 54| 0| if(full_blocks > 0) { ------------------ | Branch (54:19): [True: 0, False: 0] ------------------ 55| 0| MD::compress_n(m_digest, aligned_data, full_blocks); 56| 0| } 57| 0| } 58| 2| } 59| | 60| 2| m_count += input.size(); 61| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE5finalENSt3__14spanIhLm18446744073709551615EEE: 63| 2| void final(std::span output) { 64| 2| append_padding_bit(); 65| 2| append_counter_and_finalize(); 66| 2| copy_output(output); 67| 2| clear(); 68| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE18append_padding_bitEv: 77| 2| void append_padding_bit() { 78| 2| BOTAN_ASSERT_NOMSG(!m_buffer.ready_to_consume()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 79| 2| if constexpr(MD::bit_endianness == MD_Endian::Big) { 80| 2| const uint8_t final_byte = 0x80; 81| 2| m_buffer.append({&final_byte, 1}); 82| | } else { 83| | const uint8_t final_byte = 0x01; 84| | m_buffer.append({&final_byte, 1}); 85| | } 86| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE27append_counter_and_finalizeEv: 88| 2| void append_counter_and_finalize() { 89| | // Compress the remaining data if the final data block does not provide 90| | // enough space for the counter bytes. 91| 2| if(m_buffer.elements_until_alignment() < MD::ctr_bytes) { ------------------ | Branch (91:13): [True: 0, False: 2] ------------------ 92| 0| m_buffer.fill_up_with_zeros(); 93| 0| MD::compress_n(m_digest, m_buffer.consume(), 1); 94| 0| } 95| | 96| | // Make sure that any remaining bytes in the very last block are zero. 97| 2| BOTAN_ASSERT_NOMSG(m_buffer.elements_until_alignment() >= MD::ctr_bytes); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 98| 2| m_buffer.fill_up_with_zeros(); 99| | 100| | // Replace a bunch of the right-most zero-padding with the counter bytes. 101| 2| const uint64_t bit_count = m_count * 8; 102| 2| auto last_bytes = m_buffer.directly_modify_last(sizeof(bit_count)); 103| 2| if constexpr(MD::byte_endianness == MD_Endian::Big) { 104| 2| store_be(bit_count, last_bytes.data()); 105| | } else { 106| | store_le(bit_count, last_bytes.data()); 107| | } 108| | 109| | // Compress the very last block. 110| 2| MD::compress_n(m_digest, m_buffer.consume(), 1); 111| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE11copy_outputENSt3__14spanIhLm18446744073709551615EEE: 113| 2| void copy_output(std::span output) { 114| 2| BOTAN_ASSERT_NOMSG(output.size() >= MD::output_bytes); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 115| | 116| 2| if constexpr(MD::byte_endianness == MD_Endian::Big) { 117| 2| copy_out_be(output.first(MD::output_bytes), m_digest); 118| | } else { 119| | copy_out_le(output.first(MD::output_bytes), m_digest); 120| | } 121| 2| } _ZN5Botan14zeroize_bufferITkNSt3__117unsigned_integralEmEEvPT_m: 37| 42.3M|inline void zeroize_buffer(T buf[], size_t n) { 38| 42.3M| if(n > 0) { ------------------ | Branch (38:7): [True: 40.4M, False: 1.89M] ------------------ 39| 40.4M| std::memset(buf, 0, sizeof(T) * n); 40| 40.4M| } 41| 42.3M|} _ZN5Botan21unchecked_copy_memoryITkNSt3__117unsigned_integralEmEEvPT_PKS2_m: 44| 4.88M|inline void unchecked_copy_memory(T* out, const T* in, size_t n) { 45| 4.88M| if(in != nullptr && out != nullptr && n > 0) { ------------------ | Branch (45:7): [True: 4.88M, False: 0] | Branch (45:24): [True: 4.88M, False: 0] | Branch (45:42): [True: 4.88M, False: 0] ------------------ 46| 4.88M| std::memmove(out, in, sizeof(T) * n); 47| 4.88M| } 48| 4.88M|} _ZN5Botan14zeroize_bufferITkNSt3__117unsigned_integralEhEEvPT_m: 37| 6|inline void zeroize_buffer(T buf[], size_t n) { 38| 6| if(n > 0) { ------------------ | Branch (38:7): [True: 6, False: 0] ------------------ 39| 6| std::memset(buf, 0, sizeof(T) * n); 40| 6| } 41| 6|} _ZN5Botan27ML_DSA_Symmetric_PrimitivesC2ERKNS_18DilithiumConstantsE: 65| 155| Dilithium_Symmetric_Primitives_Base(mode, std::make_unique()), 66| 155| m_seed_expansion_domain_separator({mode.k(), mode.l()}) {} _ZNK5Botan27ML_DSA_Symmetric_Primitives31seed_expansion_domain_separatorEv: 92| 76| std::optional> seed_expansion_domain_separator() const override { 93| 76| return m_seed_expansion_domain_separator; 94| 76| } _ZNK5Botan27ML_KEM_Symmetric_Primitives31seed_expansion_domain_separatorERKNS_14KyberConstantsE: 59| 29| std::optional> seed_expansion_domain_separator(const KyberConstants& mode) const override { 60| | // NIST FIPS 203, Algorithm 13 (K-PKE.KeyGen) 61| | // Byte 33 of the input to G is the module dimension k from {2,3,4}. 62| | // This is included to establish domain separation between the three 63| | // parameter sets 64| 29| return std::array{mode.k()}; 65| 29| } _ZNK5Botan27ML_KEM_Symmetric_Primitives8create_GEv: 67| 29| std::unique_ptr create_G() const override { return HashFunction::create_or_throw("SHA-3(512)"); } _ZNK5Botan27ML_KEM_Symmetric_Primitives8create_HEv: 69| 29| std::unique_ptr create_H() const override { return HashFunction::create_or_throw("SHA-3(256)"); } _ZNK5Botan27ML_KEM_Symmetric_Primitives10create_PRFENSt3__14spanIKhLm18446744073709551615EEEh: 79| 29| std::unique_ptr create_PRF(std::span seed, const uint8_t nonce) const override { 80| 29| auto xof = Botan::XOF::create_or_throw("SHAKE-256"); 81| 29| init_PRF(*xof, seed, nonce); 82| 29| return xof; 83| 29| } _ZNK5Botan27ML_KEM_Symmetric_Primitives8init_PRFERNS_3XOFENSt3__14spanIKhLm18446744073709551615EEEh: 85| 192| void init_PRF(Botan::XOF& xof, std::span seed, const uint8_t nonce) const override { 86| 192| xof.clear(); 87| 192| xof.update(seed); 88| 192| xof.update(store_be(nonce)); 89| 192| } _ZNK5Botan27ML_KEM_Symmetric_Primitives10create_XOFENSt3__14spanIKhLm18446744073709551615EEENS1_5tupleIJhhEEE: 92| 29| std::tuple matrix_position) const override { 93| 29| auto xof = Botan::XOF::create_or_throw("SHAKE-128"); 94| 29| init_XOF(*xof, seed, matrix_position); 95| 29| return xof; 96| 29| } _ZNK5Botan27ML_KEM_Symmetric_Primitives8init_XOFERNS_3XOFENSt3__14spanIKhLm18446744073709551615EEENS3_5tupleIJhhEEE: 100| 332| std::tuple matrix_position) const override { 101| 332| xof.clear(); 102| 332| xof.update(seed); 103| 332| xof.update(store_be(make_uint16(std::get<0>(matrix_position), std::get<1>(matrix_position)))); 104| 332| } _ZNK5Botan17Montgomery_Params1pEv: 41| 10.1M| const BigInt& p() const { return m_data->p(); } _ZNK5Botan17Montgomery_Params2R1Ev: 43| 9.55k| const BigInt& R1() const { return m_data->r1(); } _ZNK5Botan17Montgomery_Params2R2Ev: 45| 20.2k| const BigInt& R2() const { return m_data->r2(); } _ZNK5Botan17Montgomery_Params2R3Ev: 47| 1.11k| const BigInt& R3() const { return m_data->r3(); } _ZNK5Botan17Montgomery_Params6p_dashEv: 49| 10.1M| word p_dash() const { return m_data->p_dash(); } _ZNK5Botan17Montgomery_Params7p_wordsEv: 51| 11.3M| size_t p_words() const { return m_data->p_size(); } _ZNK5Botan17Montgomery_Params4Data1pEv: 76| 10.1M| const BigInt& p() const { return m_p; } _ZNK5Botan17Montgomery_Params4Data2r1Ev: 78| 9.55k| const BigInt& r1() const { return m_r1; } _ZNK5Botan17Montgomery_Params4Data2r2Ev: 80| 20.2k| const BigInt& r2() const { return m_r2; } _ZNK5Botan17Montgomery_Params4Data2r3Ev: 82| 1.11k| const BigInt& r3() const { return m_r3; } _ZNK5Botan17Montgomery_Params4Data6p_dashEv: 84| 10.1M| word p_dash() const { return m_p_dash; } _ZNK5Botan17Montgomery_Params4Data6p_sizeEv: 86| 11.3M| size_t p_size() const { return m_p_words; } _ZNK5Botan14Montgomery_Int4reprEv: 143| 1.72M| const secure_vector& repr() const { return m_v; } _ZNK5Botan14Montgomery_Int18_const_time_poisonEv: 159| 23.5k| void _const_time_poison() const { CT::poison(m_v); } _ZNK5Botan14Montgomery_Int20_const_time_unpoisonEv: 161| 3.29k| void _const_time_unpoison() const { CT::unpoison(m_v); } _ZNK5Botan14Montgomery_Int7_paramsEv: 163| 3.36k| const Montgomery_Params& _params() const { return m_params; } _ZN5Botan17monty_exp_vartimeERKNS_17Montgomery_ParamsERKNS_6BigIntES5_: 54| 1.89k|inline Montgomery_Int monty_exp_vartime(const Montgomery_Params& params_p, const BigInt& g, const BigInt& k) { 55| 1.89k| auto precomputed = monty_precompute(params_p, g, 4, false); 56| 1.89k| return monty_execute_vartime(*precomputed, k); 57| 1.89k|} _ZN5Botan10word8_add2ITkNS_8WordTypeEmEET_PS1_PKS1_S1_: 268| 471|inline constexpr auto word8_add2(W x[8], const W y[8], W carry) -> W { 269| 471|#if defined(BOTAN_MP_USE_X86_64_ASM) 270| 471| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (270:7): [True: 0, Folded] | Branch (270:36): [True: 0, Folded] ------------------ 271| 471| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq")) 272| 471| : [carry] "=r"(carry) 273| 471| : [x] "r"(x), [y] "r"(y), "0"(carry) 274| 471| : "cc", "memory"); 275| 471| return carry; 276| 471| } 277| 0|#endif 278| | 279| 0| x[0] = word_add(x[0], y[0], &carry); 280| 0| x[1] = word_add(x[1], y[1], &carry); 281| 0| x[2] = word_add(x[2], y[2], &carry); 282| 0| x[3] = word_add(x[3], y[3], &carry); 283| 0| x[4] = word_add(x[4], y[4], &carry); 284| 0| x[5] = word_add(x[5], y[5], &carry); 285| 0| x[6] = word_add(x[6], y[6], &carry); 286| 0| x[7] = word_add(x[7], y[7], &carry); 287| 0| return carry; 288| 471|} _ZN5Botan8word_addITkNS_8WordTypeEmEET_S1_S1_PS1_: 231| 62.4M|inline constexpr auto word_add(W x, W y, W* carry) -> W { 232| 62.4M|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_addc) 233| 62.4M| if(!std::is_constant_evaluated()) { ------------------ | Branch (233:7): [True: 62.4M, Folded] ------------------ 234| | if constexpr(std::same_as) { 235| | return __builtin_addc(x, y, *carry & 1, carry); 236| 62.4M| } else if constexpr(std::same_as) { 237| 62.4M| return __builtin_addcl(x, y, *carry & 1, carry); 238| | } else if constexpr(std::same_as) { 239| | return __builtin_addcll(x, y, *carry & 1, carry); 240| | } 241| 62.4M| } 242| 0|#endif 243| | 244| | if constexpr(WordInfo::dword_is_native && use_dword_for_word_add) { 245| | /* 246| | TODO(Botan4) this is largely a performance hack for GCCs that don't 247| | support __builtin_addc, if we increase the minimum supported version of 248| | GCC to GCC 14 then we can remove this and not worry about it 249| | */ 250| | const W cb = *carry & 1; 251| | const auto s = typename WordInfo::dword(x) + y + cb; 252| | *carry = static_cast(s >> WordInfo::bits); 253| | return static_cast(s); 254| 62.4M| } else { 255| 62.4M| const W cb = *carry & 1; 256| 62.4M| W z = x + y; 257| 62.4M| W c1 = (z < x); 258| 62.4M| z += cb; 259| 62.4M| *carry = c1 | (z < cb); 260| 62.4M| return z; 261| 62.4M| } 262| 62.4M|} _ZN5Botan10word8_sub2ITkNS_8WordTypeEmEET_PS1_PKS1_S1_: 345| 1.53M|inline constexpr auto word8_sub2(W x[8], const W y[8], W carry) -> W { 346| 1.53M|#if defined(BOTAN_MP_USE_X86_64_ASM) 347| 1.53M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (347:7): [True: 0, Folded] | Branch (347:36): [True: 0, Folded] ------------------ 348| 1.53M| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq")) 349| 1.53M| : [carry] "=r"(carry) 350| 1.53M| : [x] "r"(x), [y] "r"(y), "0"(carry) 351| 1.53M| : "cc", "memory"); 352| 1.53M| return carry; 353| 1.53M| } 354| 0|#endif 355| | 356| 0| x[0] = word_sub(x[0], y[0], &carry); 357| 0| x[1] = word_sub(x[1], y[1], &carry); 358| 0| x[2] = word_sub(x[2], y[2], &carry); 359| 0| x[3] = word_sub(x[3], y[3], &carry); 360| 0| x[4] = word_sub(x[4], y[4], &carry); 361| 0| x[5] = word_sub(x[5], y[5], &carry); 362| 0| x[6] = word_sub(x[6], y[6], &carry); 363| 0| x[7] = word_sub(x[7], y[7], &carry); 364| 0| return carry; 365| 1.53M|} _ZN5Botan8word_subITkNS_8WordTypeEmEET_S1_S1_PS1_: 320| 222M|inline constexpr auto word_sub(W x, W y, W* carry) -> W { 321| 222M|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_subc) 322| 222M| if(!std::is_constant_evaluated()) { ------------------ | Branch (322:7): [True: 222M, Folded] ------------------ 323| | if constexpr(std::same_as) { 324| | return __builtin_subc(x, y, *carry & 1, carry); 325| 222M| } else if constexpr(std::same_as) { 326| 222M| return __builtin_subcl(x, y, *carry & 1, carry); 327| | } else if constexpr(std::same_as) { 328| | return __builtin_subcll(x, y, *carry & 1, carry); 329| | } 330| 222M| } 331| 0|#endif 332| | 333| 0| const W cb = *carry & 1; 334| 222M| W t0 = x - y; 335| 222M| W c1 = (t0 > x); 336| 222M| W z = t0 - cb; 337| 222M| *carry = c1 | (z > t0); 338| 222M| return z; 339| 222M|} _ZN5Botan10word8_sub3ITkNS_8WordTypeEmEET_PS1_PKS1_S4_S1_: 371| 15.1M|inline constexpr auto word8_sub3(W z[8], const W x[8], const W y[8], W carry) -> W { 372| 15.1M|#if defined(BOTAN_MP_USE_X86_64_ASM) 373| 15.1M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (373:7): [True: 0, Folded] | Branch (373:36): [True: 0, Folded] ------------------ 374| 15.1M| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq")) 375| 15.1M| : [carry] "=r"(carry) 376| 15.1M| : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry) 377| 15.1M| : "cc", "memory"); 378| 15.1M| return carry; 379| 15.1M| } 380| 0|#endif 381| | 382| 0| z[0] = word_sub(x[0], y[0], &carry); 383| 0| z[1] = word_sub(x[1], y[1], &carry); 384| 0| z[2] = word_sub(x[2], y[2], &carry); 385| 0| z[3] = word_sub(x[3], y[3], &carry); 386| 0| z[4] = word_sub(x[4], y[4], &carry); 387| 0| z[5] = word_sub(x[5], y[5], &carry); 388| 0| z[6] = word_sub(x[6], y[6], &carry); 389| 0| z[7] = word_sub(x[7], y[7], &carry); 390| 0| return carry; 391| 15.1M|} _ZN5Botan10word8_add3ITkNS_8WordTypeEmEET_PS1_PKS1_S4_S1_: 294| 1.50M|inline constexpr auto word8_add3(W z[8], const W x[8], const W y[8], W carry) -> W { 295| 1.50M|#if defined(BOTAN_MP_USE_X86_64_ASM) 296| 1.50M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (296:7): [True: 0, Folded] | Branch (296:36): [True: 0, Folded] ------------------ 297| 1.50M| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq")) 298| 1.50M| : [carry] "=r"(carry) 299| 1.50M| : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry) 300| 1.50M| : "cc", "memory"); 301| 1.50M| return carry; 302| 1.50M| } 303| 0|#endif 304| | 305| 0| z[0] = word_add(x[0], y[0], &carry); 306| 0| z[1] = word_add(x[1], y[1], &carry); 307| 0| z[2] = word_add(x[2], y[2], &carry); 308| 0| z[3] = word_add(x[3], y[3], &carry); 309| 0| z[4] = word_add(x[4], y[4], &carry); 310| 0| z[5] = word_add(x[5], y[5], &carry); 311| 0| z[6] = word_add(x[6], y[6], &carry); 312| 0| z[7] = word_add(x[7], y[7], &carry); 313| 0| return carry; 314| 1.50M|} _ZN5Botan13word8_linmul3ITkNS_8WordTypeEmEET_PS1_PKS1_S1_S1_: 397| 33.8k|inline constexpr auto word8_linmul3(W z[8], const W x[8], W y, W carry) -> W { 398| 33.8k|#if defined(BOTAN_MP_USE_X86_64_ASM) 399| 33.8k| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (399:7): [True: 0, Folded] | Branch (399:36): [True: 0, Folded] ------------------ 400| 33.8k| asm(DO_8_TIMES(LINMUL_OP, "z") 401| 33.8k| : [carry] "=r"(carry) 402| 33.8k| : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry) 403| 33.8k| : "cc", "%rax", "%rdx", "memory"); 404| 33.8k| return carry; 405| 33.8k| } 406| 0|#endif 407| | 408| 0| z[0] = word_madd2(x[0], y, &carry); 409| 0| z[1] = word_madd2(x[1], y, &carry); 410| 0| z[2] = word_madd2(x[2], y, &carry); 411| 0| z[3] = word_madd2(x[3], y, &carry); 412| 0| z[4] = word_madd2(x[4], y, &carry); 413| 0| z[5] = word_madd2(x[5], y, &carry); 414| 0| z[6] = word_madd2(x[6], y, &carry); 415| 0| z[7] = word_madd2(x[7], y, &carry); 416| 0| return carry; 417| 33.8k|} _ZN5Botan10word_madd2ITkNS_8WordTypeEmEET_S1_S1_PS1_: 90| 9.04M|inline constexpr auto word_madd2(W a, W b, W* c) -> W { 91| 9.04M|#if defined(BOTAN_MP_USE_X86_64_ASM) 92| 9.04M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (92:7): [True: 0, Folded] | Branch (92:36): [True: 0, Folded] ------------------ 93| 9.04M| asm(R"( 94| 9.04M| mulq %[b] 95| 9.04M| addq %[c],%[a] 96| 9.04M| adcq $0,%[carry] 97| 9.04M| )" 98| 9.04M| : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*c) 99| 9.04M| : "0"(a), "1"(b), [c] "g"(*c) 100| 9.04M| : "cc"); 101| | 102| 9.04M| return a; 103| 9.04M| } 104| |#elif defined(BOTAN_MP_USE_AARCH64_ASM) 105| | if(std::same_as && !std::is_constant_evaluated()) { 106| | W lo = 0; 107| | W hi = 0; 108| | asm(R"( 109| | mul %[lo], %[a], %[b] 110| | umulh %[hi], %[a], %[b] 111| | adds %[lo], %[lo], %[c] 112| | adc %[hi], %[hi], xzr 113| | )" 114| | : [lo] "=&r"(lo), [hi] "=&r"(hi) 115| | : [a] "r"(a), [b] "r"(b), [c] "r"(*c) 116| | : "cc"); 117| | 118| | *c = hi; 119| | return lo; 120| | } 121| |#endif 122| | 123| 0| typedef typename WordInfo::dword dword; 124| 0| const dword s = dword(a) * b + *c; 125| 0| *c = static_cast(s >> WordInfo::bits); 126| 0| return static_cast(s); 127| 9.04M|} _ZN5Botan11word8_madd3ITkNS_8WordTypeEmEET_PS1_PKS1_S1_S1_: 423| 27.4M|inline constexpr auto word8_madd3(W z[8], const W x[8], W y, W carry) -> W { 424| 27.4M|#if defined(BOTAN_MP_USE_X86_64_ASM) 425| 27.4M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (425:7): [True: 0, Folded] | Branch (425:36): [True: 0, Folded] ------------------ 426| 27.4M| asm(DO_8_TIMES(MULADD_OP, "") 427| 27.4M| : [carry] "=r"(carry) 428| 27.4M| : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry) 429| 27.4M| : "cc", "%rax", "%rdx", "memory"); 430| 27.4M| return carry; 431| 27.4M| } 432| 0|#endif 433| | 434| 0| z[0] = word_madd3(x[0], y, z[0], &carry); 435| 0| z[1] = word_madd3(x[1], y, z[1], &carry); 436| 0| z[2] = word_madd3(x[2], y, z[2], &carry); 437| 0| z[3] = word_madd3(x[3], y, z[3], &carry); 438| 0| z[4] = word_madd3(x[4], y, z[4], &carry); 439| 0| z[5] = word_madd3(x[5], y, z[5], &carry); 440| 0| z[6] = word_madd3(x[6], y, z[6], &carry); 441| 0| z[7] = word_madd3(x[7], y, z[7], &carry); 442| 0| return carry; 443| 27.4M|} _ZN5Botan10word_madd3ITkNS_8WordTypeEmEET_S1_S1_S1_PS1_: 133| 141M|inline constexpr auto word_madd3(W a, W b, W c, W* d) -> W { 134| 141M|#if defined(BOTAN_MP_USE_X86_64_ASM) 135| 141M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (135:7): [True: 0, Folded] | Branch (135:36): [True: 0, Folded] ------------------ 136| 141M| asm(R"( 137| 141M| mulq %[b] 138| 141M| 139| 141M| addq %[c],%[a] 140| 141M| adcq $0,%[carry] 141| 141M| 142| 141M| addq %[d],%[a] 143| 141M| adcq $0,%[carry] 144| 141M| )" 145| 141M| : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*d) 146| 141M| : "0"(a), "1"(b), [c] "g"(c), [d] "g"(*d) 147| 141M| : "cc"); 148| | 149| 141M| return a; 150| 141M| } 151| |#elif defined(BOTAN_MP_USE_AARCH64_ASM) 152| | if(std::same_as && !std::is_constant_evaluated()) { 153| | W lo = 0; 154| | W hi = 0; 155| | asm(R"( 156| | mul %[lo], %[a], %[b] 157| | umulh %[hi], %[a], %[b] 158| | adds %[lo], %[lo], %[c] 159| | adc %[hi], %[hi], xzr 160| | adds %[lo], %[lo], %[d] 161| | adc %[hi], %[hi], xzr 162| | )" 163| | : [lo] "=&r"(lo), [hi] "=&r"(hi) 164| | : [a] "r"(a), [b] "r"(b), [c] "r"(c), [d] "r"(*d) 165| | : "cc"); 166| | 167| | *d = hi; 168| | return lo; 169| | } 170| |#endif 171| | 172| 0| typedef typename WordInfo::dword dword; 173| 0| const dword s = dword(a) * b + c + *d; 174| 0| *d = static_cast(s >> WordInfo::bits); 175| 0| return static_cast(s); 176| 141M|} _ZN5Botan5word3ImE3mulEmm: 460| 1.31G| inline constexpr void mul(W x, W y) { m_w += static_cast(x) * y; } _ZN5Botan5word3ImE7extractEv: 466| 413M| inline constexpr W extract() { 467| 413M| W r = static_cast(m_w); 468| 413M| m_w >>= WordInfo::bits; 469| 413M| return r; 470| 413M| } _ZN5Botan5word3ImE3addEm: 464| 244M| inline constexpr void add(W x) { m_w += x; } _ZN5Botan5word3ImE10monty_stepEmm: 472| 122M| inline constexpr W monty_step(W p0, W p_dash) { 473| 122M| const W w0 = static_cast(m_w); 474| 122M| const W r = w0 * p_dash; 475| 122M| mul(r, p0); 476| 122M| m_w >>= WordInfo::bits; 477| 122M| return r; 478| 122M| } _ZN5Botan5word3ImEC2Ev: 458| 50.0M| constexpr word3() : m_w(0) {} _ZN5Botan5word3ImE6mul_x2Emm: 462| 95.1M| inline constexpr void mul_x2(W x, W y) { m_w += static_cast(x) * y * 2; } _ZN5Botan11bigint_add2ITkNS_8WordTypeEmEET_PS1_mPKS1_m: 94| 132k|inline constexpr auto bigint_add2(W x[], size_t x_size, const W y[], size_t y_size) -> W { 95| 132k| W carry = 0; 96| | 97| 132k| BOTAN_ASSERT(x_size >= y_size, "Expected sizes"); ------------------ | | 64| 132k| do { \ | | 65| 132k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 132k| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 132k] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 132k| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 132k] | | ------------------ ------------------ 98| | 99| 132k| const size_t blocks = y_size - (y_size % 8); 100| | 101| 132k| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (101:22): [True: 471, False: 132k] ------------------ 102| 471| carry = word8_add2(x + i, y + i, carry); 103| 471| } 104| | 105| 397k| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (105:27): [True: 264k, False: 132k] ------------------ 106| 264k| x[i] = word_add(x[i], y[i], &carry); 107| 264k| } 108| | 109| 403k| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (109:27): [True: 271k, False: 132k] ------------------ 110| 271k| x[i] = word_add(x[i], static_cast(0), &carry); 111| 271k| } 112| | 113| 132k| return carry; 114| 132k|} _ZN5Botan10bigint_cmpITkNS_8WordTypeEmEEiPKT_mS3_m: 439| 2.89M|inline constexpr int32_t bigint_cmp(const W x[], size_t x_size, const W y[], size_t y_size) { 440| 2.89M| static_assert(sizeof(W) >= sizeof(uint32_t), "Size assumption"); 441| | 442| 2.89M| const W LT = static_cast(-1); 443| 2.89M| const W EQ = 0; 444| 2.89M| const W GT = 1; 445| | 446| 2.89M| const size_t common_elems = std::min(x_size, y_size); 447| | 448| 2.89M| W result = EQ; // until found otherwise 449| | 450| 24.9M| for(size_t i = 0; i != common_elems; i++) { ------------------ | Branch (450:22): [True: 22.0M, False: 2.89M] ------------------ 451| 22.0M| const auto is_eq = CT::Mask::is_equal(x[i], y[i]); 452| 22.0M| const auto is_lt = CT::Mask::is_lt(x[i], y[i]); 453| | 454| 22.0M| result = is_eq.select(result, is_lt.select(LT, GT)); 455| 22.0M| } 456| | 457| 2.89M| if(x_size < y_size) { ------------------ | Branch (457:7): [True: 4.24k, False: 2.89M] ------------------ 458| 4.24k| W mask = 0; 459| 18.6k| for(size_t i = x_size; i != y_size; i++) { ------------------ | Branch (459:30): [True: 14.4k, False: 4.24k] ------------------ 460| 14.4k| mask |= y[i]; 461| 14.4k| } 462| | 463| | // If any bits were set in high part of y, then x < y 464| 4.24k| result = CT::Mask::is_zero(mask).select(result, LT); 465| 2.89M| } else if(y_size < x_size) { ------------------ | Branch (465:14): [True: 16.0k, False: 2.87M] ------------------ 466| 16.0k| W mask = 0; 467| 56.8k| for(size_t i = y_size; i != x_size; i++) { ------------------ | Branch (467:30): [True: 40.7k, False: 16.0k] ------------------ 468| 40.7k| mask |= x[i]; 469| 40.7k| } 470| | 471| | // If any bits were set in high part of x, then x > y 472| 16.0k| result = CT::Mask::is_zero(mask).select(result, GT); 473| 16.0k| } 474| | 475| 2.89M| CT::unpoison(result); 476| 2.89M| BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ); ------------------ | | 130| 2.89M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.89M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.89M] | | ------------------ ------------------ 477| 2.89M| return static_cast(result); 478| 2.89M|} _ZN5Botan11bigint_sub2ITkNS_8WordTypeEmEET_PS1_mPKS1_m: 148| 2.82M|inline constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W { 149| 2.82M| W borrow = 0; 150| | 151| 2.82M| BOTAN_ASSERT(x_size >= y_size, "Expected sizes"); ------------------ | | 64| 2.82M| do { \ | | 65| 2.82M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 2.82M| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 2.82M] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 2.82M| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 2.82M] | | ------------------ ------------------ 152| | 153| 2.82M| const size_t blocks = y_size - (y_size % 8); 154| | 155| 4.35M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (155:22): [True: 1.53M, False: 2.82M] ------------------ 156| 1.53M| borrow = word8_sub2(x + i, y + i, borrow); 157| 1.53M| } 158| | 159| 15.2M| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (159:27): [True: 12.4M, False: 2.82M] ------------------ 160| 12.4M| x[i] = word_sub(x[i], y[i], &borrow); 161| 12.4M| } 162| | 163| 2.83M| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (163:27): [True: 9.24k, False: 2.82M] ------------------ 164| 9.24k| x[i] = word_sub(x[i], static_cast(0), &borrow); 165| 9.24k| } 166| | 167| 2.82M| return borrow; 168| 2.82M|} _ZN5Botan15bigint_sub2_revITkNS_8WordTypeEmEEvPT_PKS1_m: 174| 2.31k|inline constexpr void bigint_sub2_rev(W x[], const W y[], size_t y_size) { 175| 2.31k| W borrow = 0; 176| | 177| 13.0k| for(size_t i = 0; i != y_size; ++i) { ------------------ | Branch (177:22): [True: 10.7k, False: 2.31k] ------------------ 178| 10.7k| x[i] = word_sub(y[i], x[i], &borrow); 179| 10.7k| } 180| | 181| 2.31k| BOTAN_ASSERT(borrow == 0, "y must be greater than x"); ------------------ | | 64| 2.31k| do { \ | | 65| 2.31k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 2.31k| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 2.31k] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 2.31k| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 2.31k] | | ------------------ ------------------ 182| 2.31k|} _ZN5Botan11bigint_sub3ITkNS_8WordTypeEmEET_PS1_PKS1_mS4_m: 192| 14.5M|inline constexpr auto bigint_sub3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W { 193| 14.5M| W borrow = 0; 194| | 195| 14.5M| BOTAN_ASSERT(x_size >= y_size, "Expected sizes"); ------------------ | | 64| 14.5M| do { \ | | 65| 14.5M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 14.5M| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 14.5M] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 14.5M| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 14.5M] | | ------------------ ------------------ 196| | 197| 14.5M| const size_t blocks = y_size - (y_size % 8); 198| | 199| 21.5M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (199:22): [True: 6.99M, False: 14.5M] ------------------ 200| 6.99M| borrow = word8_sub3(z + i, x + i, y + i, borrow); 201| 6.99M| } 202| | 203| 52.3M| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (203:27): [True: 37.8M, False: 14.5M] ------------------ 204| 37.8M| z[i] = word_sub(x[i], y[i], &borrow); 205| 37.8M| } 206| | 207| 23.5M| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (207:27): [True: 9.08M, False: 14.5M] ------------------ 208| 9.08M| z[i] = word_sub(x[i], static_cast(0), &borrow); 209| 9.08M| } 210| | 211| 14.5M| return borrow; 212| 14.5M|} _ZN5Botan11bigint_add3ITkNS_8WordTypeEmEET_PS1_PKS1_mS4_m: 120| 5.59M|inline constexpr auto bigint_add3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W { 121| 5.59M| if(x_size < y_size) { ------------------ | Branch (121:7): [True: 16.5k, False: 5.58M] ------------------ 122| 16.5k| return bigint_add3(z, y, y_size, x, x_size); 123| 16.5k| } 124| | 125| 5.58M| W carry = 0; 126| | 127| 5.58M| const size_t blocks = y_size - (y_size % 8); 128| | 129| 7.08M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (129:22): [True: 1.50M, False: 5.58M] ------------------ 130| 1.50M| carry = word8_add3(z + i, x + i, y + i, carry); 131| 1.50M| } 132| | 133| 23.2M| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (133:27): [True: 17.6M, False: 5.58M] ------------------ 134| 17.6M| z[i] = word_add(x[i], y[i], &carry); 135| 17.6M| } 136| | 137| 5.68M| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (137:27): [True: 100k, False: 5.58M] ------------------ 138| 100k| z[i] = word_add(x[i], static_cast(0), &carry); 139| 100k| } 140| | 141| 5.58M| return carry; 142| 5.59M|} _ZN5Botan14bigint_cnd_addITkNS_8WordTypeEmEET_S1_PS1_PKS1_m: 45| 3.77M|inline constexpr W bigint_cnd_add(W cnd, W x[], const W y[], size_t size) { 46| 3.77M| const auto mask = CT::Mask::expand(cnd).value(); 47| | 48| 3.77M| W carry = 0; 49| | 50| 20.7M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (50:22): [True: 16.9M, False: 3.77M] ------------------ 51| 16.9M| x[i] = word_add(x[i], y[i] & mask, &carry); 52| 16.9M| } 53| | 54| 3.77M| return (mask & carry); 55| 3.77M|} _ZN5Botan14bigint_linmul3ITkNS_8WordTypeEmEEvPT_PKS1_mS1_: 416| 68.7k|inline constexpr void bigint_linmul3(W z[], const W x[], size_t x_size, W y) { 417| 68.7k| const size_t blocks = x_size - (x_size % 8); 418| | 419| 68.7k| W carry = 0; 420| | 421| 102k| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (421:22): [True: 33.8k, False: 68.7k] ------------------ 422| 33.8k| carry = word8_linmul3(z + i, x + i, y, carry); 423| 33.8k| } 424| | 425| 311k| for(size_t i = blocks; i != x_size; ++i) { ------------------ | Branch (425:27): [True: 242k, False: 68.7k] ------------------ 426| 242k| z[i] = word_madd2(x[i], y, &carry); 427| 242k| } 428| | 429| 68.7k| z[x_size] = carry; 430| 68.7k|} _ZN5Botan14bigint_linmul2ITkNS_8WordTypeEmEET_PS1_mS1_: 405| 839k|[[nodiscard]] inline constexpr auto bigint_linmul2(W x[], size_t x_size, W y) -> W { 406| 839k| W carry = 0; 407| | 408| 9.27M| for(size_t i = 0; i != x_size; ++i) { ------------------ | Branch (408:22): [True: 8.43M, False: 839k] ------------------ 409| 8.43M| x[i] = word_madd2(x[i], y, &carry); 410| 8.43M| } 411| | 412| 839k| return carry; 413| 839k|} _ZN5Botan14divide_precompImEC2Em: 574| 51.6k| explicit constexpr divide_precomp(W divisor) : m_divisor(divisor) { 575| 51.6k| BOTAN_ARG_CHECK(m_divisor != 0, "Division by zero"); ------------------ | | 35| 51.6k| do { \ | | 36| 51.6k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 51.6k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 51.6k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 51.6k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 51.6k] | | ------------------ ------------------ 576| 51.6k| } _ZNK5Botan14divide_precompImE16vartime_mod_2to1Emm: 644| 29.6k| inline constexpr W vartime_mod_2to1(W n1, W n0) const { 645| 29.6k| BOTAN_ASSERT_NOMSG(n1 < m_divisor); ------------------ | | 77| 29.6k| do { \ | | 78| 29.6k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 29.6k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 29.6k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 29.6k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 29.6k] | | ------------------ ------------------ 646| 29.6k| W q = this->vartime_div_2to1(n1, n0); 647| 29.6k| W carry = 0; 648| 29.6k| q = word_madd2(q, m_divisor, &carry); 649| 29.6k| return (n0 - q); 650| 29.6k| } _ZNK5Botan14divide_precompImE16vartime_div_2to1Emm: 581| 120k| inline constexpr W vartime_div_2to1(W n1, W n0) const { 582| 120k| BOTAN_ASSERT_NOMSG(n1 < m_divisor); ------------------ | | 77| 120k| do { \ | | 78| 120k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 120k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 120k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 120k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 120k] | | ------------------ ------------------ 583| | 584| 120k| if(m_divisor == WordInfo::max) { ------------------ | Branch (584:13): [True: 40.9k, False: 79.4k] ------------------ 585| 40.9k| return vartime_div_2to1_max_d(n1, n0); 586| 40.9k| } 587| | 588| 79.4k| if(m_divisor == WordInfo::top_bit) { ------------------ | Branch (588:13): [True: 3.02k, False: 76.4k] ------------------ 589| | // Simply a shift by N-1 bits 590| 3.02k| return (n1 << 1) | (n0 >> (WordInfo::bits - 1)); 591| 3.02k| } 592| | 593| 76.4k| if(!std::is_constant_evaluated()) { ------------------ | Branch (593:13): [True: 76.4k, Folded] ------------------ 594| 76.4k|#if defined(BOTAN_MP_USE_X86_64_ASM) 595| 76.4k| if constexpr(std::same_as) { 596| 76.4k| W quotient = 0; 597| 76.4k| W remainder = 0; 598| | // NOLINTNEXTLINE(*-no-assembler) 599| 76.4k| asm("divq %[v]" : "=a"(quotient), "=d"(remainder) : [v] "r"(m_divisor), "a"(n0), "d"(n1) : "cc"); 600| 76.4k| return quotient; 601| 76.4k| } 602| 0|#endif 603| | 604| 0|#if !defined(BOTAN_BUILD_COMPILER_IS_CLANGCL) 605| | 606| | /* clang-cl has a bug where on encountering a 128/64 division it emits 607| | * a call to __udivti3() but then fails to link the relevant builtin into 608| | * the binary, causing a link failure. Work around this by simply omitting 609| | * such code for clang-cl 610| | * 611| | * See https://github.com/llvm/llvm-project/issues/25679 612| | */ 613| 76.4k| if constexpr(WordInfo::dword_is_native) { 614| 76.4k| typename WordInfo::dword n = n1; 615| 76.4k| n <<= WordInfo::bits; 616| 76.4k| n |= n0; 617| 76.4k| return static_cast(n / m_divisor); 618| 76.4k| } 619| 76.4k|#endif 620| 76.4k| } 621| | 622| 0| W high = n1; 623| 76.4k| W quotient = 0; 624| | 625| 76.4k| for(size_t i = 0; i != WordInfo::bits; ++i) { ------------------ | Branch (625:28): [True: 0, False: 76.4k] ------------------ 626| 0| const W high_top_bit = high >> (WordInfo::bits - 1); 627| | 628| 0| high <<= 1; 629| 0| high |= (n0 >> (WordInfo::bits - 1 - i)) & 1; 630| 0| quotient <<= 1; 631| | 632| 0| if(high_top_bit || high >= m_divisor) { ------------------ | Branch (632:16): [True: 0, False: 0] | Branch (632:32): [True: 0, False: 0] ------------------ 633| 0| high -= m_divisor; 634| 0| quotient |= 1; 635| 0| } 636| 0| } 637| | 638| 76.4k| return quotient; 639| 79.4k| } _ZN5Botan14divide_precompImE22vartime_div_2to1_max_dEmm: 657| 40.9k| static inline constexpr W vartime_div_2to1_max_d(W n1, W n0) { 658| | /* 659| | Use k to refer to WordInfo::bits 660| | 661| | We are dividing n = (n1 * 2^k) + n0 by 2^k - 1 662| | 663| | Recall that 2^k = 1 (mod 2^k - 1) 664| | 665| | Rewrite n = n1*2^k + n0 as n1*(2^k - 1) + n1 + n0 666| | 667| | The result of dividing n by (2^k - 1) will be equal to 668| | (n1*(2^k-1) + n1 + n0) / (2^k-1) = 669| | n1 + ((n1 + n0) / (2^k-1) 670| | 671| | Use c to refer to ((n1 + n0) / (2^k-1)) 672| | 673| | If (n1 + n0) < (2^k - 1) then c is 0 674| | If (n1 + n0) >= (2^k - 1) then c is 1 675| | 676| | Since n1 < 2^k - 1 [*] and n0 <= 2^k - 1 it is impossible for (n1 + n0) / (2^k -1) 677| | to be greater than 1. 678| | 679| | [*] We require n1 be strictly less than the divisor to ensure that the 680| | output fits in a single word; this is checked at the start of vartime_div_2to1. 681| | */ 682| | 683| 40.9k| const W s = n0 + n1; 684| | // did n0 + n1 overflow? or does (n0 + n1) == 2^k - 1? if either, c == 1 685| 40.9k| if(s < n0 || s == WordInfo::max) { ------------------ | Branch (685:13): [True: 6.49k, False: 34.4k] | Branch (685:23): [True: 29, False: 34.4k] ------------------ 686| 6.52k| n1 += 1; 687| 6.52k| } 688| | 689| 40.9k| return n1; 690| 40.9k| } _ZN5Botan11bigint_shl1ITkNS_8WordTypeEmEEvPT_mmm: 309| 336k|inline constexpr void bigint_shl1(W x[], size_t x_size, size_t x_words, size_t shift) { 310| 336k| const size_t word_shift = shift / WordInfo::bits; 311| 336k| const size_t bit_shift = shift % WordInfo::bits; 312| | 313| 336k| BOTAN_ASSERT_NOMSG(word_shift <= x_size); ------------------ | | 77| 336k| do { \ | | 78| 336k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 336k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 336k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 336k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 336k] | | ------------------ ------------------ 314| 336k| BOTAN_ASSERT_NOMSG(x_words <= x_size - word_shift); ------------------ | | 77| 336k| do { \ | | 78| 336k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 336k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 336k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 336k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 336k] | | ------------------ ------------------ 315| | 316| 336k| unchecked_copy_memory(x + word_shift, x, x_words); 317| 336k| zeroize_buffer(x, word_shift); 318| | 319| 336k| const auto carry_mask = CT::Mask::expand(bit_shift); 320| 336k| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 321| | 322| 336k| W carry = 0; 323| 3.34M| for(size_t i = word_shift; i != x_size; ++i) { ------------------ | Branch (323:31): [True: 3.00M, False: 336k] ------------------ 324| 3.00M| const W w = x[i]; 325| 3.00M| x[i] = (w << bit_shift) | carry; 326| 3.00M| carry = carry_mask.if_set_return(w >> carry_shift); 327| 3.00M| } 328| 336k|} _ZN5Botan11bigint_shr1ITkNS_8WordTypeEmEEvPT_mm: 331| 1.64M|inline constexpr void bigint_shr1(W x[], size_t x_size, size_t shift) { 332| 1.64M| const size_t word_shift = shift / WordInfo::bits; 333| 1.64M| const size_t bit_shift = shift % WordInfo::bits; 334| | 335| 1.64M| const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0; ------------------ | Branch (335:23): [True: 1.64M, False: 0] ------------------ 336| | 337| 1.64M| if(top > 0) { ------------------ | Branch (337:7): [True: 1.64M, False: 0] ------------------ 338| 1.64M| unchecked_copy_memory(x, x + word_shift, top); 339| 1.64M| } 340| 1.64M| zeroize_buffer(x + top, std::min(word_shift, x_size)); 341| | 342| 1.64M| const auto carry_mask = CT::Mask::expand(bit_shift); 343| 1.64M| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 344| | 345| 1.64M| W carry = 0; 346| | 347| 24.4M| for(size_t i = 0; i != top; ++i) { ------------------ | Branch (347:22): [True: 22.7M, False: 1.64M] ------------------ 348| 22.7M| const W w = x[top - i - 1]; 349| 22.7M| x[top - i - 1] = (w >> bit_shift) | carry; 350| 22.7M| carry = carry_mask.if_set_return(w << carry_shift); 351| 22.7M| } 352| 1.64M|} _ZN5Botan17bigint_monty_redcEPmPKmS2_mmS0_m: 924| 24.4M| word r[], const word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size) { 925| 24.4M| const size_t z_size = 2 * p_size; 926| | 927| 24.4M| BOTAN_ARG_CHECK(ws_size >= p_size, "Montgomery reduction workspace too small"); ------------------ | | 35| 24.4M| do { \ | | 36| 24.4M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 24.4M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 24.4M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 24.4M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 24.4M] | | ------------------ ------------------ 928| | 929| 24.4M| if(p_size == 4) { ------------------ | Branch (929:7): [True: 15.0M, False: 9.38M] ------------------ 930| 15.0M| bigint_monty_redc_4(r, z, p, p_dash, ws); 931| 15.0M| } else if(p_size == 6) { ------------------ | Branch (931:14): [True: 11.0k, False: 9.37M] ------------------ 932| 11.0k| bigint_monty_redc_6(r, z, p, p_dash, ws); 933| 9.37M| } else if(p_size == 8) { ------------------ | Branch (933:14): [True: 856, False: 9.36M] ------------------ 934| 856| bigint_monty_redc_8(r, z, p, p_dash, ws); 935| 9.36M| } else if(p_size == 12) { ------------------ | Branch (935:14): [True: 0, False: 9.36M] ------------------ 936| 0| bigint_monty_redc_12(r, z, p, p_dash, ws); 937| 9.36M| } else if(p_size == 16) { ------------------ | Branch (937:14): [True: 0, False: 9.36M] ------------------ 938| 0| bigint_monty_redc_16(r, z, p, p_dash, ws); 939| 9.36M| } else if(p_size == 24) { ------------------ | Branch (939:14): [True: 0, False: 9.36M] ------------------ 940| 0| bigint_monty_redc_24(r, z, p, p_dash, ws); 941| 9.36M| } else if(p_size == 32) { ------------------ | Branch (941:14): [True: 0, False: 9.36M] ------------------ 942| 0| bigint_monty_redc_32(r, z, p, p_dash, ws); 943| 9.36M| } else { 944| 9.36M| bigint_monty_redc_generic(r, z, z_size, p, p_size, p_dash, ws); 945| 9.36M| } 946| 24.4M|} _ZN5Botan25bigint_monty_redc_inplaceEPmPKmmmS0_m: 948| 10.1M|inline void bigint_monty_redc_inplace(word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size) { 949| 10.1M| bigint_monty_redc(z, z, p, p_size, p_dash, ws, ws_size); 950| 10.1M| zeroize_buffer(z + p_size, p_size); 951| 10.1M|} _ZN5Botan11bigint_shl2ITkNS_8WordTypeEmEEvPT_mPKS1_mm: 355| 37.9k|inline constexpr void bigint_shl2(W y[], size_t y_size, const W x[], size_t x_size, size_t shift) { 356| 37.9k| const size_t word_shift = shift / WordInfo::bits; 357| 37.9k| const size_t bit_shift = shift % WordInfo::bits; 358| | 359| 37.9k| BOTAN_ASSERT_NOMSG(word_shift <= y_size); ------------------ | | 77| 37.9k| do { \ | | 78| 37.9k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 37.9k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 37.9k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 37.9k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 37.9k] | | ------------------ ------------------ 360| 37.9k| BOTAN_ASSERT_NOMSG(x_size < y_size - word_shift); ------------------ | | 77| 37.9k| do { \ | | 78| 37.9k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 37.9k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 37.9k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 37.9k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 37.9k] | | ------------------ ------------------ 361| | 362| 37.9k| unchecked_copy_memory(y + word_shift, x, x_size); 363| 37.9k| zeroize_buffer(y, word_shift); 364| 37.9k| zeroize_buffer(y + word_shift + x_size, y_size - word_shift - x_size); 365| | 366| 37.9k| const auto carry_mask = CT::Mask::expand(bit_shift); 367| 37.9k| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 368| | 369| 37.9k| W carry = 0; 370| 226k| for(size_t i = word_shift; i != x_size + word_shift + 1; ++i) { ------------------ | Branch (370:31): [True: 188k, False: 37.9k] ------------------ 371| 188k| const W w = y[i]; 372| 188k| y[i] = (w << bit_shift) | carry; 373| 188k| carry = carry_mask.if_set_return(w >> carry_shift); 374| 188k| } 375| 37.9k|} _ZN5Botan11bigint_shr2ITkNS_8WordTypeEmEEvPT_mPKS1_mm: 378| 1.60k|inline constexpr void bigint_shr2(W y[], size_t y_size, const W x[], size_t x_size, size_t shift) { 379| 1.60k| const size_t word_shift = shift / WordInfo::bits; 380| 1.60k| const size_t bit_shift = shift % WordInfo::bits; 381| 1.60k| const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift); ------------------ | Branch (381:28): [True: 0, False: 1.60k] ------------------ 382| | 383| 1.60k| BOTAN_ASSERT_NOMSG(new_size <= y_size); ------------------ | | 77| 1.60k| do { \ | | 78| 1.60k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.60k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.60k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.60k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.60k] | | ------------------ ------------------ 384| | 385| 1.60k| if(new_size > 0) { ------------------ | Branch (385:7): [True: 1.60k, False: 0] ------------------ 386| 1.60k| unchecked_copy_memory(y, x + word_shift, new_size); 387| 1.60k| } 388| 1.60k| zeroize_buffer(y + new_size, y_size - new_size); 389| | 390| 1.60k| const auto carry_mask = CT::Mask::expand(bit_shift); 391| 1.60k| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 392| | 393| 1.60k| W carry = 0; 394| 9.87k| for(size_t i = new_size; i > 0; --i) { ------------------ | Branch (394:29): [True: 8.26k, False: 1.60k] ------------------ 395| 8.26k| W w = y[i - 1]; 396| 8.26k| y[i - 1] = (w >> bit_shift) | carry; 397| 8.26k| carry = carry_mask.if_set_return(w << carry_shift); 398| 8.26k| } 399| 1.60k|} _ZN5Botan15bigint_ct_is_eqITkNS_8WordTypeEmEENS_2CT4MaskIT_EEPKS3_mS6_m: 519| 29.8k|inline constexpr auto bigint_ct_is_eq(const W x[], size_t x_size, const W y[], size_t y_size) -> CT::Mask { 520| 29.8k| const size_t common_elems = std::min(x_size, y_size); 521| | 522| 29.8k| W diff = 0; 523| | 524| 311k| for(size_t i = 0; i != common_elems; i++) { ------------------ | Branch (524:22): [True: 281k, False: 29.8k] ------------------ 525| 281k| diff |= (x[i] ^ y[i]); 526| 281k| } 527| | 528| | // If any bits were set in high part of x/y, then they are not equal 529| 29.8k| if(x_size < y_size) { ------------------ | Branch (529:7): [True: 253, False: 29.5k] ------------------ 530| 1.78k| for(size_t i = x_size; i != y_size; i++) { ------------------ | Branch (530:30): [True: 1.53k, False: 253] ------------------ 531| 1.53k| diff |= y[i]; 532| 1.53k| } 533| 29.5k| } else if(y_size < x_size) { ------------------ | Branch (533:14): [True: 21.1k, False: 8.39k] ------------------ 534| 120k| for(size_t i = y_size; i != x_size; i++) { ------------------ | Branch (534:30): [True: 99.6k, False: 21.1k] ------------------ 535| 99.6k| diff |= x[i]; 536| 99.6k| } 537| 21.1k| } 538| | 539| 29.8k| return CT::Mask::is_zero(diff); 540| 29.8k|} _ZN5Botan15bigint_ct_is_ltITkNS_8WordTypeEmEENS_2CT4MaskIT_EEPKS3_mS6_mb: 487| 2.52M| -> CT::Mask { 488| 2.52M| const size_t common_elems = std::min(x_size, y_size); 489| | 490| 2.52M| auto is_lt = CT::Mask::expand(lt_or_equal); 491| | 492| 19.5M| for(size_t i = 0; i != common_elems; i++) { ------------------ | Branch (492:22): [True: 16.9M, False: 2.52M] ------------------ 493| 16.9M| const auto eq = CT::Mask::is_equal(x[i], y[i]); 494| 16.9M| const auto lt = CT::Mask::is_lt(x[i], y[i]); 495| 16.9M| is_lt = eq.select_mask(is_lt, lt); 496| 16.9M| } 497| | 498| 2.52M| if(x_size < y_size) { ------------------ | Branch (498:7): [True: 73.3k, False: 2.45M] ------------------ 499| 73.3k| W mask = 0; 500| 193k| for(size_t i = x_size; i != y_size; i++) { ------------------ | Branch (500:30): [True: 120k, False: 73.3k] ------------------ 501| 120k| mask |= y[i]; 502| 120k| } 503| | // If any bits were set in high part of y, then is_lt should be forced true 504| 73.3k| is_lt |= CT::Mask::expand(mask); 505| 2.45M| } else if(y_size < x_size) { ------------------ | Branch (505:14): [True: 2.41M, False: 38.1k] ------------------ 506| 2.41M| W mask = 0; 507| 28.4M| for(size_t i = y_size; i != x_size; i++) { ------------------ | Branch (507:30): [True: 26.0M, False: 2.41M] ------------------ 508| 26.0M| mask |= x[i]; 509| 26.0M| } 510| | 511| | // If any bits were set in high part of x, then is_lt should be false 512| 2.41M| is_lt &= CT::Mask::is_zero(mask); 513| 2.41M| } 514| | 515| 2.52M| return is_lt; 516| 2.52M|} _ZN5Botan15bigint_cnd_swapITkNS_8WordTypeEmEEvT_PS1_S2_m: 29| 582k|inline constexpr void bigint_cnd_swap(W cnd, W x[], W y[], size_t size) { 30| 582k| const auto mask = CT::Mask::expand(cnd); 31| | 32| 3.63M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (32:22): [True: 3.04M, False: 582k] ------------------ 33| 3.04M| const W a = x[i]; 34| 3.04M| const W b = y[i]; 35| 3.04M| x[i] = mask.select(b, a); 36| 3.04M| y[i] = mask.select(a, b); 37| 3.04M| } 38| 582k|} _ZN5Botan14bigint_sub_absITkNS_8WordTypeEmEENS_2CT4MaskIT_EEPS3_PKS3_S7_mS5_: 279| 2.75M|inline constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask { 280| | // Subtract in both direction then conditional copy out the result 281| | 282| 2.75M| W* ws0 = ws; 283| 2.75M| W* ws1 = ws + N; 284| | 285| 2.75M| W borrow0 = 0; 286| 2.75M| W borrow1 = 0; 287| | 288| 2.75M| const size_t blocks = N - (N % 8); 289| | 290| 4.20M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (290:22): [True: 1.44M, False: 2.75M] ------------------ 291| 1.44M| borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0); 292| 1.44M| borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1); 293| 1.44M| } 294| | 295| 12.4M| for(size_t i = blocks; i != N; ++i) { ------------------ | Branch (295:27): [True: 9.67M, False: 2.75M] ------------------ 296| 9.67M| ws0[i] = word_sub(x[i], y[i], &borrow0); 297| 9.67M| ws1[i] = word_sub(y[i], x[i], &borrow1); 298| 9.67M| } 299| | 300| 2.75M| return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N); 301| 2.75M|} _ZN5Botan14bigint_cnd_subITkNS_8WordTypeEmEET_S1_PS1_PKS1_m: 62| 610k|inline constexpr auto bigint_cnd_sub(W cnd, W x[], const W y[], size_t size) -> W { 63| 610k| const auto mask = CT::Mask::expand(cnd).value(); 64| | 65| 610k| W carry = 0; 66| | 67| 3.31M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (67:22): [True: 2.70M, False: 610k] ------------------ 68| 2.70M| x[i] = word_sub(x[i], y[i] & mask, &carry); 69| 2.70M| } 70| | 71| 610k| return (mask & carry); 72| 610k|} _ZN5Botan14bigint_cnd_absITkNS_8WordTypeEmEEvT_PS1_m: 80| 305k|inline constexpr void bigint_cnd_abs(W cnd, W x[], size_t size) { 81| 305k| const auto mask = CT::Mask::expand(cnd); 82| | 83| 305k| W carry = mask.if_set_return(1); 84| 1.65M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (84:22): [True: 1.35M, False: 305k] ------------------ 85| 1.35M| const W z = word_add(~x[i], static_cast(0), &carry); 86| 1.35M| x[i] = mask.select(z, x[i]); 87| 1.35M| } 88| 305k|} _ZN5Botan13monty_inverseITkNS_8WordTypeEmEET_S1_: 703| 5.36k|inline constexpr auto monty_inverse(W a) -> W { 704| 5.36k| BOTAN_ARG_CHECK(a % 2 == 1, "Cannot compute Montgomery inverse of an even integer"); ------------------ | | 35| 5.36k| do { \ | | 36| 5.36k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 5.36k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 5.36k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 5.36k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 5.36k] | | ------------------ ------------------ 705| | 706| | // Newton's Method, following https://lemire.me/blog/2017/09/18/computing-the-inverse-of-odd-integers/ 707| | 708| 5.36k| constexpr size_t iter = WordInfo::bits == 64 ? 4 : 3; ------------------ | Branch (708:28): [True: 0, Folded] ------------------ 709| | 710| | // Initial guess provides 5 bits of accuracy 711| 5.36k| W r = (3 * a) ^ 2; 712| | 713| | // Each iteration doubles the accuracy 714| 26.8k| for(size_t i = 0; i != iter; ++i) { ------------------ | Branch (714:22): [True: 21.4k, False: 5.36k] ------------------ 715| 21.4k| r = r * (2 - r * a); 716| 21.4k| } 717| | 718| | // Now invert in addition space 719| 5.36k| r = (WordInfo::max - r) + 1; 720| | 721| 5.36k| return r; 722| 5.36k|} _ZN5Botan22bigint_monty_maybe_subITkNS_8WordTypeEmEEvmPT_S1_PKS1_S4_: 225| 14.0M|inline constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], const W p[]) { 226| 14.0M| W borrow = 0; 227| | 228| 14.0M| const size_t blocks = N - (N % 8); 229| | 230| 19.2M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (230:22): [True: 5.21M, False: 14.0M] ------------------ 231| 5.21M| borrow = word8_sub3(z + i, x + i, p + i, borrow); 232| 5.21M| } 233| | 234| 53.6M| for(size_t i = blocks; i != N; ++i) { ------------------ | Branch (234:27): [True: 39.6M, False: 14.0M] ------------------ 235| 39.6M| z[i] = word_sub(x[i], p[i], &borrow); 236| 39.6M| } 237| | 238| 14.0M| borrow = (x0 - borrow) > x0; 239| | 240| 14.0M| CT::conditional_assign_mem(borrow, z, x, N); 241| 14.0M|} _ZN5Botan9comba_sqrILm4ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 233k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 233k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 233k, Folded] ------------------ 856| 233k| if constexpr(std::same_as && N == 4) { 857| 233k| return bigint_comba_sqr4(z, x); 858| 233k| } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 233k| } 875| | 876| 0| word3 accum; 877| | 878| 233k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 233k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 233k|} _ZN5Botan22bigint_monty_maybe_subILm4ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 15.2M|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 15.2M| W borrow = 0; 256| | 257| 76.2M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 60.9M, False: 15.2M] ------------------ 258| 60.9M| z[i] = word_sub(x[i], y[i], &borrow); 259| 60.9M| } 260| | 261| 15.2M| borrow = (x0 - borrow) > x0; 262| | 263| 15.2M| CT::conditional_assign_mem(borrow, z, x, N); 264| 15.2M|} _ZN5Botan9comba_mulILm4ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 273k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 273k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 273k, Folded] ------------------ 820| 273k| if constexpr(std::same_as && N == 4) { 821| 273k| return bigint_comba_mul4(z, x, y); 822| 273k| } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 273k| } 839| | 840| 0| word3 accum; 841| | 842| 273k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 273k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 273k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm4EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 25.8k|inline constexpr W shift_left(std::array& x) { 726| 25.8k| static_assert(N >= 1, "Invalid input size"); 727| 25.8k| static_assert(S > 0, "Zero shift not supported"); 728| 25.8k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 25.8k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 103k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 77.5k, False: 25.8k] ------------------ 733| 77.5k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 77.5k| } 735| 25.8k| x[0] <<= S; 736| | 737| 25.8k| return carry; 738| 25.8k|} _ZN5Botan16read_window_bitsILm4EmLm4EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 7.29k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 7.29k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 7.29k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 7.29k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 7.29k| const auto bit_shift = offset % W_bits; 1078| 7.29k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 7.29k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 7.29k, False: 0] | Branch (1080:74): [True: 0, False: 0] ------------------ 1081| | 1082| 7.29k| const auto w0 = words[word_offset]; 1083| | 1084| 7.29k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 7.29k, False: 0] ------------------ 1085| 7.29k| return (w0 >> bit_shift) & WindowMask; 1086| 7.29k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 0| const auto w1 = words[word_offset - 1]; 1089| 0| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 0| return combined & WindowMask; 1091| 0| } 1092| 7.29k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm4EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 2.86k|inline constexpr W shift_right(std::array& x) { 742| 2.86k| static_assert(N >= 1, "Invalid input size"); 743| 2.86k| static_assert(S > 0, "Zero shift not supported"); 744| 2.86k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 2.86k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 11.4k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 8.59k, False: 2.86k] ------------------ 749| 8.59k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 8.59k| } 751| 2.86k| x[N - 1] >>= S; 752| | 753| 2.86k| return carry; 754| 2.86k|} _ZN5Botan16read_window_bitsILm7EhLm18446744073709551615EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 80.2k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 80.2k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 80.2k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 80.2k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 80.2k| const auto bit_shift = offset % W_bits; 1078| 80.2k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 80.2k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 20.9k, False: 59.3k] | Branch (1080:74): [True: 1.30k, False: 58.0k] ------------------ 1081| | 1082| 80.2k| const auto w0 = words[word_offset]; 1083| | 1084| 80.2k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 22.2k, False: 58.0k] ------------------ 1085| 22.2k| return (w0 >> bit_shift) & WindowMask; 1086| 58.0k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 58.0k| const auto w1 = words[word_offset - 1]; 1089| 58.0k| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 58.0k| return combined & WindowMask; 1091| 58.0k| } 1092| 80.2k|} _ZN5Botan9comba_sqrILm6ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 180k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 180k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 180k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| 180k| if constexpr(std::same_as && N == 6) { 860| 180k| return bigint_comba_sqr6(z, x); 861| 180k| } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 180k| } 875| | 876| 0| word3 accum; 877| | 878| 180k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 180k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 180k|} _ZN5Botan22bigint_monty_maybe_subILm6ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 267k|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 267k| W borrow = 0; 256| | 257| 1.86M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 1.60M, False: 267k] ------------------ 258| 1.60M| z[i] = word_sub(x[i], y[i], &borrow); 259| 1.60M| } 260| | 261| 267k| borrow = (x0 - borrow) > x0; 262| | 263| 267k| CT::conditional_assign_mem(borrow, z, x, N); 264| 267k|} _ZN5Botan9comba_mulILm6ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 214k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 214k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 214k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| 214k| if constexpr(std::same_as && N == 6) { 824| 214k| return bigint_comba_mul6(z, x, y); 825| 214k| } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 214k| } 839| | 840| 0| word3 accum; 841| | 842| 214k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 214k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 214k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm6EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 19.8k|inline constexpr W shift_left(std::array& x) { 726| 19.8k| static_assert(N >= 1, "Invalid input size"); 727| 19.8k| static_assert(S > 0, "Zero shift not supported"); 728| 19.8k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 19.8k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 119k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 99.2k, False: 19.8k] ------------------ 733| 99.2k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 99.2k| } 735| 19.8k| x[0] <<= S; 736| | 737| 19.8k| return carry; 738| 19.8k|} _ZN5Botan16read_window_bitsILm5EmLm6EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 10.5k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 10.5k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 10.5k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 10.5k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 10.5k| const auto bit_shift = offset % W_bits; 1078| 10.5k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 10.5k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 9.86k, False: 685] | Branch (1080:74): [True: 137, False: 548] ------------------ 1081| | 1082| 10.5k| const auto w0 = words[word_offset]; 1083| | 1084| 10.5k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 10.0k, False: 548] ------------------ 1085| 10.0k| return (w0 >> bit_shift) & WindowMask; 1086| 10.0k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 548| const auto w1 = words[word_offset - 1]; 1089| 548| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 548| return combined & WindowMask; 1091| 548| } 1092| 10.5k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm6EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 2.21k|inline constexpr W shift_right(std::array& x) { 742| 2.21k| static_assert(N >= 1, "Invalid input size"); 743| 2.21k| static_assert(S > 0, "Zero shift not supported"); 744| 2.21k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 2.21k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 13.2k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 11.0k, False: 2.21k] ------------------ 749| 11.0k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 11.0k| } 751| 2.21k| x[N - 1] >>= S; 752| | 753| 2.21k| return carry; 754| 2.21k|} _ZN5Botan9comba_sqrILm8ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 126k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 126k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 126k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| 126k| if constexpr(std::same_as && N == 8) { 866| 126k| return bigint_comba_sqr8(z, x); 867| 126k| } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 126k| } 875| | 876| 0| word3 accum; 877| | 878| 126k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 126k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 126k|} _ZN5Botan22bigint_monty_maybe_subILm8ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 311k|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 311k| W borrow = 0; 256| | 257| 2.80M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 2.49M, False: 311k] ------------------ 258| 2.49M| z[i] = word_sub(x[i], y[i], &borrow); 259| 2.49M| } 260| | 261| 311k| borrow = (x0 - borrow) > x0; 262| | 263| 311k| CT::conditional_assign_mem(borrow, z, x, N); 264| 311k|} _ZN5Botan9comba_mulILm8ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 153k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 153k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 153k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| 153k| if constexpr(std::same_as && N == 8) { 830| 153k| return bigint_comba_mul8(z, x, y); 831| 153k| } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 153k| } 839| | 840| 0| word3 accum; 841| | 842| 153k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 153k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 153k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm8EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 13.1k|inline constexpr W shift_left(std::array& x) { 726| 13.1k| static_assert(N >= 1, "Invalid input size"); 727| 13.1k| static_assert(S > 0, "Zero shift not supported"); 728| 13.1k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 13.1k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 105k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 92.3k, False: 13.1k] ------------------ 733| 92.3k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 92.3k| } 735| 13.1k| x[0] <<= S; 736| | 737| 13.1k| return carry; 738| 13.1k|} _ZN5Botan16read_window_bitsILm5EmLm8EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 14.2k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 14.2k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 14.2k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 14.2k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 14.2k| const auto bit_shift = offset % W_bits; 1078| 14.2k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 14.2k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 13.2k, False: 966] | Branch (1080:74): [True: 138, False: 828] ------------------ 1081| | 1082| 14.2k| const auto w0 = words[word_offset]; 1083| | 1084| 14.2k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 13.3k, False: 828] ------------------ 1085| 13.3k| return (w0 >> bit_shift) & WindowMask; 1086| 13.3k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 828| const auto w1 = words[word_offset - 1]; 1089| 828| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 828| return combined & WindowMask; 1091| 828| } 1092| 14.2k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm8EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 1.42k|inline constexpr W shift_right(std::array& x) { 742| 1.42k| static_assert(N >= 1, "Invalid input size"); 743| 1.42k| static_assert(S > 0, "Zero shift not supported"); 744| 1.42k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 1.42k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 11.4k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 9.98k, False: 1.42k] ------------------ 749| 9.98k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 9.98k| } 751| 1.42k| x[N - 1] >>= S; 752| | 753| 1.42k| return carry; 754| 1.42k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm9EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 3.10M|inline constexpr W shift_left(std::array& x) { 726| 3.10M| static_assert(N >= 1, "Invalid input size"); 727| 3.10M| static_assert(S > 0, "Zero shift not supported"); 728| 3.10M| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 3.10M| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 27.9M| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 24.8M, False: 3.10M] ------------------ 733| 24.8M| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 24.8M| } 735| 3.10M| x[0] <<= S; 736| | 737| 3.10M| return carry; 738| 3.10M|} _ZN5Botan22bigint_monty_maybe_subILm9ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 3.12M|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 3.12M| W borrow = 0; 256| | 257| 31.2M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 28.1M, False: 3.12M] ------------------ 258| 28.1M| z[i] = word_sub(x[i], y[i], &borrow); 259| 28.1M| } 260| | 261| 3.12M| borrow = (x0 - borrow) > x0; 262| | 263| 3.12M| CT::conditional_assign_mem(borrow, z, x, N); 264| 3.12M|} _ZN5Botan16read_window_bitsILm4EmLm18446744073709551615EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 48.4k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 48.4k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 48.4k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 48.4k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 48.4k| const auto bit_shift = offset % W_bits; 1078| 48.4k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 48.4k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 48.4k, False: 0] | Branch (1080:74): [True: 0, False: 0] ------------------ 1081| | 1082| 48.4k| const auto w0 = words[word_offset]; 1083| | 1084| 48.4k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 48.4k, False: 0] ------------------ 1085| 48.4k| return (w0 >> bit_shift) & WindowMask; 1086| 48.4k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 0| const auto w1 = words[word_offset - 1]; 1089| 0| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 0| return combined & WindowMask; 1091| 0| } 1092| 48.4k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm9EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 1.48k|inline constexpr W shift_right(std::array& x) { 742| 1.48k| static_assert(N >= 1, "Invalid input size"); 743| 1.48k| static_assert(S > 0, "Zero shift not supported"); 744| 1.48k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 1.48k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 13.3k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 11.8k, False: 1.48k] ------------------ 749| 11.8k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 11.8k| } 751| 1.48k| x[N - 1] >>= S; 752| | 753| 1.48k| return carry; 754| 1.48k|} _ZN5Botan9comba_sqrILm3ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 62.4k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 62.4k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 62.4k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 62.4k| } 875| | 876| 62.4k| word3 accum; 877| | 878| 437k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 374k, False: 62.4k] ------------------ 879| 374k| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 124k, False: 249k] ------------------ 880| 374k| const size_t end = std::min(N, i + 1); 881| | 882| 937k| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 562k, False: 374k] ------------------ 883| 562k| accum.mul(x[j], x[i - j]); 884| 562k| } 885| 374k| z[i] = accum.extract(); 886| 374k| } 887| 62.4k|} _ZN5Botan9comba_mulILm3ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 69.3k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 69.3k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 69.3k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 69.3k| } 839| | 840| 69.3k| word3 accum; 841| | 842| 485k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 415k, False: 69.3k] ------------------ 843| 415k| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 138k, False: 277k] ------------------ 844| 415k| const size_t end = std::min(N, i + 1); 845| | 846| 1.03M| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 623k, False: 415k] ------------------ 847| 623k| accum.mul(x[j], y[i - j]); 848| 623k| } 849| 415k| z[i] = accum.extract(); 850| 415k| } 851| 69.3k|} _ZN5Botan22bigint_monty_maybe_subILm3ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 14.2k|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 14.2k| W borrow = 0; 256| | 257| 56.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 42.6k, False: 14.2k] ------------------ 258| 42.6k| z[i] = word_sub(x[i], y[i], &borrow); 259| 42.6k| } 260| | 261| 14.2k| borrow = (x0 - borrow) > x0; 262| | 263| 14.2k| CT::conditional_assign_mem(borrow, z, x, N); 264| 14.2k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm3EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 5.03k|inline constexpr W shift_left(std::array& x) { 726| 5.03k| static_assert(N >= 1, "Invalid input size"); 727| 5.03k| static_assert(S > 0, "Zero shift not supported"); 728| 5.03k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 5.03k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 15.0k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 10.0k, False: 5.03k] ------------------ 733| 10.0k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 10.0k| } 735| 5.03k| x[0] <<= S; 736| | 737| 5.03k| return carry; 738| 5.03k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm3EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 514|inline constexpr W shift_right(std::array& x) { 742| 514| static_assert(N >= 1, "Invalid input size"); 743| 514| static_assert(S > 0, "Zero shift not supported"); 744| 514| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 514| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 1.54k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 1.02k, False: 514] ------------------ 749| 1.02k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 1.02k| } 751| 514| x[N - 1] >>= S; 752| | 753| 514| return carry; 754| 514|} _ZN5Botan10shift_leftILm32ETkNS_8WordTypeEmLm4EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 307|inline constexpr W shift_left(std::array& x) { 726| 307| static_assert(N >= 1, "Invalid input size"); 727| 307| static_assert(S > 0, "Zero shift not supported"); 728| 307| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 307| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 1.22k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 921, False: 307] ------------------ 733| 921| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 921| } 735| 307| x[0] <<= S; 736| | 737| 307| return carry; 738| 307|} _ZN5Botan13redc_crandallITkNS_8WordTypeEmLm4ETnT_Lm4294968273EEENSt3__15arrayIS1_XT0_EEENS2_4spanIKS1_XmlLi2ET0_EEE: 992| 127k|constexpr std::array redc_crandall(std::span z) { 993| 127k| static_assert(N >= 2); 994| | 995| 127k| std::array hi = {}; 996| | 997| | // hi = hi * c + lo 998| | 999| 127k| W carry = 0; 1000| 637k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (1000:22): [True: 509k, False: 127k] ------------------ 1001| 509k| hi[i] = word_madd3(z[i + N], C, z[i], &carry); 1002| 509k| } 1003| | 1004| | // hi += carry * C 1005| 127k| word carry_c[2] = {0}; 1006| 127k| carry_c[0] = word_madd2(carry, C, &carry_c[1]); 1007| | 1008| 127k| carry = bigint_add2(hi.data(), N, carry_c, 2); 1009| | 1010| 127k| constexpr W P0 = WordInfo::max - (C - 1); 1011| | 1012| 127k| std::array r = {}; 1013| | 1014| 127k| W borrow = 0; 1015| | 1016| | /* 1017| | * For undetermined reasons, on GCC (only) removing this asm block causes 1018| | * massive (up to 20%) performance regressions in secp256k1. 1019| | * 1020| | * The generated code without the asm seems quite reasonable, and timing 1021| | * repeated calls to redc_crandall with the cycle counter show that GCC 1022| | * computes it in about the same number of cycles with or without the asm. 1023| | * 1024| | * So the cause of the regression is unclear. But it is reproducible across 1025| | * machines and GCC versions. 1026| | */ 1027| |#if defined(BOTAN_MP_USE_X86_64_ASM) && defined(__GNUC__) && !defined(__clang__) 1028| | if constexpr(N == 4 && std::same_as) { 1029| | if(!std::is_constant_evaluated()) { 1030| | asm volatile(R"( 1031| | movq 0(%[x]), %[borrow] 1032| | subq %[p0], %[borrow] 1033| | movq %[borrow], 0(%[r]) 1034| | movq 8(%[x]), %[borrow] 1035| | sbbq $-1, %[borrow] 1036| | movq %[borrow], 8(%[r]) 1037| | movq 16(%[x]), %[borrow] 1038| | sbbq $-1, %[borrow] 1039| | movq %[borrow], 16(%[r]) 1040| | movq 24(%[x]), %[borrow] 1041| | sbbq $-1, %[borrow] 1042| | movq %[borrow], 24(%[r]) 1043| | sbbq %[borrow],%[borrow] 1044| | negq %[borrow] 1045| | )" 1046| | : [borrow] "=r"(borrow) 1047| | : [x] "r"(hi.data()), [p0] "r"(P0), [r] "r"(r.data()), "0"(borrow) 1048| | : "cc", "memory"); 1049| | 1050| | borrow = (carry - borrow) > carry; 1051| | CT::conditional_assign_mem(borrow, r.data(), hi.data(), N); 1052| | return r; 1053| | } 1054| | } 1055| |#endif 1056| | 1057| 127k| r[0] = word_sub(hi[0], P0, &borrow); 1058| 509k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (1058:22): [True: 382k, False: 127k] ------------------ 1059| 382k| r[i] = word_sub(hi[i], WordInfo::max, &borrow); 1060| 382k| } 1061| | 1062| 127k| borrow = (carry - borrow) > carry; 1063| | 1064| 127k| CT::conditional_assign_mem(borrow, r.data(), hi.data(), N); 1065| | 1066| 127k| return r; 1067| 127k|} _ZN5Botan9comba_sqrILm9ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 104k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 104k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 104k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| 104k| if constexpr(std::same_as && N == 9) { 869| 104k| return bigint_comba_sqr9(z, x); 870| 104k| } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 104k| } 875| | 876| 0| word3 accum; 877| | 878| 104k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 104k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 104k|} _ZN5Botan9comba_mulILm9ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 123k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 123k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 123k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| 123k| if constexpr(std::same_as && N == 9) { 833| 123k| return bigint_comba_mul9(z, x, y); 834| 123k| } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 123k| } 839| | 840| 0| word3 accum; 841| | 842| 123k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 123k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 123k|} _ZN5Botan10shift_leftILm16ETkNS_8WordTypeEmLm9EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 338|inline constexpr W shift_left(std::array& x) { 726| 338| static_assert(N >= 1, "Invalid input size"); 727| 338| static_assert(S > 0, "Zero shift not supported"); 728| 338| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 338| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 3.04k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 2.70k, False: 338] ------------------ 733| 2.70k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 2.70k| } 735| 338| x[0] <<= S; 736| | 737| 338| return carry; 738| 338|} _ZN5Botan9comba_mulILm7ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 2.25k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 2.25k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 2.25k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| 2.25k| if constexpr(std::same_as && N == 7) { 827| 2.25k| return bigint_comba_mul7(z, x, y); 828| 2.25k| } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 2.25k| } 839| | 840| 0| word3 accum; 841| | 842| 2.25k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 2.25k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 2.25k|} _ZN5Botan9comba_sqrILm7ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 2.23k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 2.23k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 2.23k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| 2.23k| if constexpr(std::same_as && N == 7) { 863| 2.23k| return bigint_comba_sqr7(z, x); 864| 2.23k| } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 2.23k| } 875| | 876| 0| word3 accum; 877| | 878| 2.23k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 2.23k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 2.23k|} _ZN5Botan6PCurve15PrimeOrderCurve6ScalarD2Ev: 72| 11.6k| ~Scalar() = default; _ZN5Botan6PCurve15PrimeOrderCurve11AffinePointD2Ev: 100| 5.16k| ~AffinePoint() = default; _ZN5Botan6PCurve15PrimeOrderCurve15ProjectivePointD2Ev: 134| 1.56k| ~ProjectivePoint() = default; _ZN5Botan6PCurve15PrimeOrderCurve6ScalarC2EOS2_: 69| 5.83k| Scalar(Scalar&& other) = default; _ZN5Botan6PCurve15PrimeOrderCurve6ScalarC2ERKS2_: 68| 3.88k| Scalar(const Scalar& other) = default; _ZN5Botan6PCurve15PrimeOrderCurve11AffinePointC2EOS2_: 97| 3.13k| AffinePoint(AffinePoint&& other) = default; _ZNK5Botan6PCurve15PrimeOrderCurve6Scalar6_curveEv: 76| 5.45k| const auto& _curve() const { return m_curve; } _ZNK5Botan6PCurve15PrimeOrderCurve6Scalar6_valueEv: 78| 5.45k| const auto& _value() const { return m_value; } _ZN5Botan6PCurve15PrimeOrderCurve6Scalar7_createENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEE: 80| 1.94k| static Scalar _create(CurvePtr curve, StorageUnit v) { return Scalar(std::move(curve), v); } _ZN5Botan6PCurve15PrimeOrderCurve6ScalarC2ENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEE: 83| 1.94k| Scalar(CurvePtr curve, StorageUnit v) : m_curve(std::move(curve)), m_value(v) {} _ZNK5Botan6PCurve15PrimeOrderCurve11AffinePoint6_curveEv: 104| 3.59k| const auto& _curve() const { return m_curve; } _ZNK5Botan6PCurve15PrimeOrderCurve11AffinePoint2_xEv: 106| 3.59k| const auto& _x() const { return m_x; } _ZNK5Botan6PCurve15PrimeOrderCurve11AffinePoint2_yEv: 108| 3.59k| const auto& _y() const { return m_y; } _ZN5Botan6PCurve15PrimeOrderCurve11AffinePoint7_createENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_: 110| 2.02k| static AffinePoint _create(CurvePtr curve, StorageUnit x, StorageUnit y) { 111| 2.02k| return AffinePoint(std::move(curve), x, y); 112| 2.02k| } _ZN5Botan6PCurve15PrimeOrderCurve11AffinePointC2ENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_: 115| 2.02k| AffinePoint(CurvePtr curve, StorageUnit x, StorageUnit y) : m_curve(std::move(curve)), m_x(x), m_y(y) {} _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint6_curveEv: 136| 1.56k| const auto& _curve() const { return m_curve; } _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint2_xEv: 138| 1.56k| const auto& _x() const { return m_x; } _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint2_yEv: 140| 1.56k| const auto& _y() const { return m_y; } _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint2_zEv: 142| 1.56k| const auto& _z() const { return m_z; } _ZN5Botan6PCurve15PrimeOrderCurve15ProjectivePoint7_createENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_S8_: 144| 1.56k| static ProjectivePoint _create(CurvePtr curve, StorageUnit x, StorageUnit y, StorageUnit z) { 145| 1.56k| return ProjectivePoint(std::move(curve), x, y, z); 146| 1.56k| } _ZN5Botan6PCurve15PrimeOrderCurve15ProjectivePointC2ENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_S8_: 150| 1.56k| m_curve(std::move(curve)), m_x(x), m_y(y), m_z(z) {} _ZN5Botan6PCurve15PrimeOrderCurveD2Ev: 163| 465| virtual ~PrimeOrderCurve() = default; pcurves_brainpool256r1.cpp:_ZN5Botan11dbl_genericINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_RKT0_: 397| 833|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 833| const auto z2 = pt.z().square(); 400| 833| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 833| const auto y2 = pt.y().square(); 404| 833| const auto s = pt.x().mul4() * y2; 405| 833| const auto nx = m.square() - s.mul2(); 406| 833| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 833| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 833| return ProjectivePoint(nx, ny, nz); 410| 833|} pcurves_brainpool256r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 735|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 735| const auto a_is_identity = a.is_identity(); 189| 735| const auto b_is_identity = b.is_identity(); 190| | 191| 735| const auto Z1Z1 = a.z().square(); 192| 735| const auto Z2Z2 = b.z().square(); 193| 735| const auto U1 = a.x() * Z2Z2; 194| 735| const auto U2 = b.x() * Z1Z1; 195| 735| const auto S1 = a.y() * b.z() * Z2Z2; 196| 735| const auto S2 = b.y() * a.z() * Z1Z1; 197| 735| const auto H = U2 - U1; 198| 735| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 735| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 735] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 735| const auto HH = H.square(); 215| 735| const auto HHH = H * HH; 216| 735| const auto V = U1 * HH; 217| 735| const auto t2 = r.square(); 218| 735| const auto t3 = V + V; 219| 735| const auto t4 = t2 - HHH; 220| 735| auto X3 = t4 - t3; 221| 735| const auto t5 = V - X3; 222| 735| const auto t6 = S1 * HHH; 223| 735| const auto t7 = r * t5; 224| 735| auto Y3 = t7 - t6; 225| 735| const auto t8 = b.z() * H; 226| 735| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 735| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 735| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 735| return ProjectivePoint(X3, Y3, Z3); 235| 735|} pcurves_brainpool256r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.56k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.56k, False: 1] ------------------ 117| 1.56k| any_identity = any_identity || pt.is_identity(); 118| 1.56k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.56k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.56k, False: 1] ------------------ 146| 1.56k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.56k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.56k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.56k, False: 1] ------------------ 158| 1.56k| const auto& p = projective[i]; 159| | 160| 1.56k| const auto z_inv = s_inv * c[i - 1]; 161| 1.56k| const auto z2_inv = z_inv.square(); 162| 1.56k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.56k| s_inv = s_inv * p.z(); 165| | 166| 1.56k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.56k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_brainpool256r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveEEEDaRKNT_15ProjectivePointE: 76| 114|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 114| } else { 85| 114| const auto z_inv = invert_field_element(pt.z()); 86| 114| const auto z2_inv = z_inv.square(); 87| 114| const auto z3_inv = z_inv * z2_inv; 88| 114| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 114| } 90| 114|} pcurves_brainpool256r1.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveEEEDaRKNT_12FieldElementE: 35| 114|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 114| } else { 39| 114| return fe.invert(); 40| 114| } 41| 114|} pcurves_brainpool256r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_brainpool256r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 4.78k| const FieldElement& one) { 297| 4.78k| const auto a_is_identity = a.is_identity(); 298| 4.78k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 4.78k| auto by = b.y(); 307| 4.78k| by.conditional_assign(sub, by.negate()); 308| | 309| 4.78k| const auto Z1Z1 = a.z().square(); 310| 4.78k| const auto U2 = b.x() * Z1Z1; 311| 4.78k| const auto S2 = by * a.z() * Z1Z1; 312| 4.78k| const auto H = U2 - a.x(); 313| 4.78k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 4.78k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 4.78k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 4.78k| const auto HH = H.square(); 330| 4.78k| const auto HHH = H * HH; 331| 4.78k| const auto V = a.x() * HH; 332| 4.78k| const auto t2 = r.square(); 333| 4.78k| const auto t3 = V + V; 334| 4.78k| const auto t4 = t2 - HHH; 335| 4.78k| auto X3 = t4 - t3; 336| 4.78k| const auto t5 = V - X3; 337| 4.78k| const auto t6 = a.y() * HHH; 338| 4.78k| const auto t7 = r * t5; 339| 4.78k| auto Y3 = t7 - t6; 340| 4.78k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 4.78k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 4.78k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 4.78k| return ProjectivePoint(X3, Y3, Z3); 349| 4.78k|} pcurves_brainpool384r1.cpp:_ZN5Botan11dbl_genericINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_RKT0_: 397| 1.24k|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 1.24k| const auto z2 = pt.z().square(); 400| 1.24k| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 1.24k| const auto y2 = pt.y().square(); 404| 1.24k| const auto s = pt.x().mul4() * y2; 405| 1.24k| const auto nx = m.square() - s.mul2(); 406| 1.24k| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 1.24k| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 1.24k| return ProjectivePoint(nx, ny, nz); 410| 1.24k|} pcurves_brainpool384r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.09k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.09k| const auto a_is_identity = a.is_identity(); 189| 1.09k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.09k| const auto Z1Z1 = a.z().square(); 192| 1.09k| const auto Z2Z2 = b.z().square(); 193| 1.09k| const auto U1 = a.x() * Z2Z2; 194| 1.09k| const auto U2 = b.x() * Z1Z1; 195| 1.09k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.09k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.09k| const auto H = U2 - U1; 198| 1.09k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.09k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.09k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.09k| const auto HH = H.square(); 215| 1.09k| const auto HHH = H * HH; 216| 1.09k| const auto V = U1 * HH; 217| 1.09k| const auto t2 = r.square(); 218| 1.09k| const auto t3 = V + V; 219| 1.09k| const auto t4 = t2 - HHH; 220| 1.09k| auto X3 = t4 - t3; 221| 1.09k| const auto t5 = V - X3; 222| 1.09k| const auto t6 = S1 * HHH; 223| 1.09k| const auto t7 = r * t5; 224| 1.09k| auto Y3 = t7 - t6; 225| 1.09k| const auto t8 = b.z() * H; 226| 1.09k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.09k| return ProjectivePoint(X3, Y3, Z3); 235| 1.09k|} pcurves_brainpool384r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 2.33k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 2.33k, False: 1] ------------------ 117| 2.33k| any_identity = any_identity || pt.is_identity(); 118| 2.33k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 2.33k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 2.33k, False: 1] ------------------ 146| 2.33k| c.push_back(c[i - 1] * projective[i].z()); 147| 2.33k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 2.33k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 2.33k, False: 1] ------------------ 158| 2.33k| const auto& p = projective[i]; 159| | 160| 2.33k| const auto z_inv = s_inv * c[i - 1]; 161| 2.33k| const auto z2_inv = z_inv.square(); 162| 2.33k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 2.33k| s_inv = s_inv * p.z(); 165| | 166| 2.33k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 2.33k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_brainpool384r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveEEEDaRKNT_15ProjectivePointE: 76| 137|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 137| } else { 85| 137| const auto z_inv = invert_field_element(pt.z()); 86| 137| const auto z2_inv = z_inv.square(); 87| 137| const auto z3_inv = z_inv * z2_inv; 88| 137| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 137| } 90| 137|} pcurves_brainpool384r1.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveEEEDaRKNT_12FieldElementE: 35| 137|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 137| } else { 39| 137| return fe.invert(); 40| 137| } 41| 137|} pcurves_brainpool384r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_brainpool384r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 8.76k| const FieldElement& one) { 297| 8.76k| const auto a_is_identity = a.is_identity(); 298| 8.76k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 8.76k| auto by = b.y(); 307| 8.76k| by.conditional_assign(sub, by.negate()); 308| | 309| 8.76k| const auto Z1Z1 = a.z().square(); 310| 8.76k| const auto U2 = b.x() * Z1Z1; 311| 8.76k| const auto S2 = by * a.z() * Z1Z1; 312| 8.76k| const auto H = U2 - a.x(); 313| 8.76k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 8.76k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 8.76k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 8.76k| const auto HH = H.square(); 330| 8.76k| const auto HHH = H * HH; 331| 8.76k| const auto V = a.x() * HH; 332| 8.76k| const auto t2 = r.square(); 333| 8.76k| const auto t3 = V + V; 334| 8.76k| const auto t4 = t2 - HHH; 335| 8.76k| auto X3 = t4 - t3; 336| 8.76k| const auto t5 = V - X3; 337| 8.76k| const auto t6 = a.y() * HHH; 338| 8.76k| const auto t7 = r * t5; 339| 8.76k| auto Y3 = t7 - t6; 340| 8.76k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 8.76k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 8.76k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 8.76k| return ProjectivePoint(X3, Y3, Z3); 349| 8.76k|} pcurves_brainpool512r1.cpp:_ZN5Botan11dbl_genericINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_RKT0_: 397| 1.64k|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 1.64k| const auto z2 = pt.z().square(); 400| 1.64k| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 1.64k| const auto y2 = pt.y().square(); 404| 1.64k| const auto s = pt.x().mul4() * y2; 405| 1.64k| const auto nx = m.square() - s.mul2(); 406| 1.64k| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 1.64k| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 1.64k| return ProjectivePoint(nx, ny, nz); 410| 1.64k|} pcurves_brainpool512r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.45k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.45k| const auto a_is_identity = a.is_identity(); 189| 1.45k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.45k| const auto Z1Z1 = a.z().square(); 192| 1.45k| const auto Z2Z2 = b.z().square(); 193| 1.45k| const auto U1 = a.x() * Z2Z2; 194| 1.45k| const auto U2 = b.x() * Z1Z1; 195| 1.45k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.45k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.45k| const auto H = U2 - U1; 198| 1.45k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.45k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.45k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.45k| const auto HH = H.square(); 215| 1.45k| const auto HHH = H * HH; 216| 1.45k| const auto V = U1 * HH; 217| 1.45k| const auto t2 = r.square(); 218| 1.45k| const auto t3 = V + V; 219| 1.45k| const auto t4 = t2 - HHH; 220| 1.45k| auto X3 = t4 - t3; 221| 1.45k| const auto t5 = V - X3; 222| 1.45k| const auto t6 = S1 * HHH; 223| 1.45k| const auto t7 = r * t5; 224| 1.45k| auto Y3 = t7 - t6; 225| 1.45k| const auto t8 = b.z() * H; 226| 1.45k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.45k| return ProjectivePoint(X3, Y3, Z3); 235| 1.45k|} pcurves_brainpool512r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 3.10k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 3.10k, False: 1] ------------------ 117| 3.10k| any_identity = any_identity || pt.is_identity(); 118| 3.10k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 3.10k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 3.10k, False: 1] ------------------ 146| 3.10k| c.push_back(c[i - 1] * projective[i].z()); 147| 3.10k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 3.10k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 3.10k, False: 1] ------------------ 158| 3.10k| const auto& p = projective[i]; 159| | 160| 3.10k| const auto z_inv = s_inv * c[i - 1]; 161| 3.10k| const auto z2_inv = z_inv.square(); 162| 3.10k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 3.10k| s_inv = s_inv * p.z(); 165| | 166| 3.10k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 3.10k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_brainpool512r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveEEEDaRKNT_15ProjectivePointE: 76| 138|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 138| } else { 85| 138| const auto z_inv = invert_field_element(pt.z()); 86| 138| const auto z2_inv = z_inv.square(); 87| 138| const auto z3_inv = z_inv * z2_inv; 88| 138| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 138| } 90| 138|} pcurves_brainpool512r1.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveEEEDaRKNT_12FieldElementE: 35| 138|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 138| } else { 39| 138| return fe.invert(); 40| 138| } 41| 138|} pcurves_brainpool512r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_brainpool512r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 11.7k| const FieldElement& one) { 297| 11.7k| const auto a_is_identity = a.is_identity(); 298| 11.7k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 11.7k| auto by = b.y(); 307| 11.7k| by.conditional_assign(sub, by.negate()); 308| | 309| 11.7k| const auto Z1Z1 = a.z().square(); 310| 11.7k| const auto U2 = b.x() * Z1Z1; 311| 11.7k| const auto S2 = by * a.z() * Z1Z1; 312| 11.7k| const auto H = U2 - a.x(); 313| 11.7k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 11.7k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 11.7k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 11.7k| const auto HH = H.square(); 330| 11.7k| const auto HHH = H * HH; 331| 11.7k| const auto V = a.x() * HH; 332| 11.7k| const auto t2 = r.square(); 333| 11.7k| const auto t3 = V + V; 334| 11.7k| const auto t4 = t2 - HHH; 335| 11.7k| auto X3 = t4 - t3; 336| 11.7k| const auto t5 = V - X3; 337| 11.7k| const auto t6 = a.y() * HHH; 338| 11.7k| const auto t7 = r * t5; 339| 11.7k| auto Y3 = t7 - t6; 340| 11.7k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 11.7k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 11.7k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 11.7k| return ProjectivePoint(X3, Y3, Z3); 349| 11.7k|} pcurves_generic.cpp:_ZN5Botan22point_add_or_sub_mixedINS_6PCurve22GenericProjectivePointENS1_18GenericAffinePointENS1_12_GLOBAL__N_112GenericFieldEEET_RKS6_RKT0_NS_2CT6ChoiceERKT1_: 296| 12.0k| const FieldElement& one) { 297| 12.0k| const auto a_is_identity = a.is_identity(); 298| 12.0k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 12.0k| auto by = b.y(); 307| 12.0k| by.conditional_assign(sub, by.negate()); 308| | 309| 12.0k| const auto Z1Z1 = a.z().square(); 310| 12.0k| const auto U2 = b.x() * Z1Z1; 311| 12.0k| const auto S2 = by * a.z() * Z1Z1; 312| 12.0k| const auto H = U2 - a.x(); 313| 12.0k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 12.0k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 12.0k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 12.0k| const auto HH = H.square(); 330| 12.0k| const auto HHH = H * HH; 331| 12.0k| const auto V = a.x() * HH; 332| 12.0k| const auto t2 = r.square(); 333| 12.0k| const auto t3 = V + V; 334| 12.0k| const auto t4 = t2 - HHH; 335| 12.0k| auto X3 = t4 - t3; 336| 12.0k| const auto t5 = V - X3; 337| 12.0k| const auto t6 = a.y() * HHH; 338| 12.0k| const auto t7 = r * t5; 339| 12.0k| auto Y3 = t7 - t6; 340| 12.0k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 12.0k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 12.0k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 12.0k| return ProjectivePoint(X3, Y3, Z3); 349| 12.0k|} _ZN5Botan13dbl_a_minus_3INS_6PCurve22GenericProjectivePointEEET_RKS3_: 362| 250k|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 250k| const auto z2 = pt.z().square(); 368| 250k| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 250k| const auto y2 = pt.y().square(); 372| 250k| const auto s = pt.x().mul4() * y2; 373| 250k| const auto nx = m.square() - s.mul2(); 374| 250k| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 250k| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 250k| return ProjectivePoint(nx, ny, nz); 378| 250k|} _ZN5Botan10dbl_a_zeroINS_6PCurve22GenericProjectivePointEEET_RKS3_: 381| 2.51k|inline constexpr ProjectivePoint dbl_a_zero(const ProjectivePoint& pt) { 382| | // If a == 0 then 3*x^2 + a*z^4 == 3*x^2 383| | // Cost: 1S + 1*3 384| 2.51k| const auto m = pt.x().square().mul3(); 385| | 386| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 387| 2.51k| const auto y2 = pt.y().square(); 388| 2.51k| const auto s = pt.x().mul4() * y2; 389| 2.51k| const auto nx = m.square() - s.mul2(); 390| 2.51k| const auto ny = m * (s - nx) - y2.square().mul8(); 391| 2.51k| const auto nz = pt.y().mul2() * pt.z(); 392| | 393| 2.51k| return ProjectivePoint(nx, ny, nz); 394| 2.51k|} pcurves_generic.cpp:_ZN5Botan11dbl_genericINS_6PCurve22GenericProjectivePointENS1_12_GLOBAL__N_112GenericFieldEEET_RKS5_RKT0_: 397| 133k|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 133k| const auto z2 = pt.z().square(); 400| 133k| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 133k| const auto y2 = pt.y().square(); 404| 133k| const auto s = pt.x().mul4() * y2; 405| 133k| const auto nx = m.square() - s.mul2(); 406| 133k| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 133k| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 133k| return ProjectivePoint(nx, ny, nz); 410| 133k|} pcurves_generic.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_112GenericCurveEEEDaRKNT_12FieldElementE: 35| 315|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 315| } else { 39| 315| return fe.invert(); 40| 315| } 41| 315|} pcurves_generic.cpp:_ZN5Botan9point_addINS_6PCurve22GenericProjectivePointENS1_12_GLOBAL__N_112GenericFieldEEET_RKS5_S7_: 187| 341k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 341k| const auto a_is_identity = a.is_identity(); 189| 341k| const auto b_is_identity = b.is_identity(); 190| | 191| 341k| const auto Z1Z1 = a.z().square(); 192| 341k| const auto Z2Z2 = b.z().square(); 193| 341k| const auto U1 = a.x() * Z2Z2; 194| 341k| const auto U2 = b.x() * Z1Z1; 195| 341k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 341k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 341k| const auto H = U2 - U1; 198| 341k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 341k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 341k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 341k| const auto HH = H.square(); 215| 341k| const auto HHH = H * HH; 216| 341k| const auto V = U1 * HH; 217| 341k| const auto t2 = r.square(); 218| 341k| const auto t3 = V + V; 219| 341k| const auto t4 = t2 - HHH; 220| 341k| auto X3 = t4 - t3; 221| 341k| const auto t5 = V - X3; 222| 341k| const auto t6 = S1 * HHH; 223| 341k| const auto t7 = r * t5; 224| 341k| auto Y3 = t7 - t6; 225| 341k| const auto t8 = b.z() * H; 226| 341k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 341k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 341k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 341k| return ProjectivePoint(X3, Y3, Z3); 235| 341k|} pcurves_generic.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_112GenericCurveEEEDaRKNT_15ProjectivePointE: 76| 315|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 315| } else { 85| 315| const auto z_inv = invert_field_element(pt.z()); 86| 315| const auto z2_inv = z_inv.square(); 87| 315| const auto z3_inv = z_inv * z2_inv; 88| 315| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 315| } 90| 315|} pcurves_generic.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_112GenericCurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 456|auto to_affine_batch(std::span projective) { 108| 456| using AffinePoint = typename C::AffinePoint; 109| | 110| 456| const size_t N = projective.size(); 111| 456| std::vector affine; 112| 456| affine.reserve(N); 113| | 114| 456| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 727k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 727k, False: 456] ------------------ 117| 727k| any_identity = any_identity || pt.is_identity(); 118| 727k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 456| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 456] | Branch (126:17): [True: 0, False: 456] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 456| } else { 134| 456| std::vector c; 135| 456| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 456| c.push_back(projective[0].z()); 145| 727k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 727k, False: 456] ------------------ 146| 727k| c.push_back(c[i - 1] * projective[i].z()); 147| 727k| } 148| | 149| 456| auto s_inv = [&]() { 150| 456| if constexpr(VariableTime) { 151| 456| return c[N - 1].invert_vartime(); 152| 456| } else { 153| 456| return invert_field_element(c[N - 1]); 154| 456| } 155| 456| }(); 156| | 157| 727k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 727k, False: 456] ------------------ 158| 727k| const auto& p = projective[i]; 159| | 160| 727k| const auto z_inv = s_inv * c[i - 1]; 161| 727k| const auto z2_inv = z_inv.square(); 162| 727k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 727k| s_inv = s_inv * p.z(); 165| | 166| 727k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 727k| } 168| | 169| 456| const auto z2_inv = s_inv.square(); 170| 456| const auto z3_inv = s_inv * z2_inv; 171| 456| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 456| std::reverse(affine.begin(), affine.end()); 173| 456| return affine; 174| 456| } 175| | 176| 0| return affine; 177| 456|} pcurves_generic.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_112GenericCurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 456| auto s_inv = [&]() { 150| 456| if constexpr(VariableTime) { 151| 456| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 456| }(); pcurves_secp192r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 629|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 629| const auto z2 = pt.z().square(); 368| 629| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 629| const auto y2 = pt.y().square(); 372| 629| const auto s = pt.x().mul4() * y2; 373| 629| const auto nx = m.square() - s.mul2(); 374| 629| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 629| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 629| return ProjectivePoint(nx, ny, nz); 378| 629|} pcurves_secp192r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 555|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 555| const auto a_is_identity = a.is_identity(); 189| 555| const auto b_is_identity = b.is_identity(); 190| | 191| 555| const auto Z1Z1 = a.z().square(); 192| 555| const auto Z2Z2 = b.z().square(); 193| 555| const auto U1 = a.x() * Z2Z2; 194| 555| const auto U2 = b.x() * Z1Z1; 195| 555| const auto S1 = a.y() * b.z() * Z2Z2; 196| 555| const auto S2 = b.y() * a.z() * Z1Z1; 197| 555| const auto H = U2 - U1; 198| 555| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 555| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 555] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 555| const auto HH = H.square(); 215| 555| const auto HHH = H * HH; 216| 555| const auto V = U1 * HH; 217| 555| const auto t2 = r.square(); 218| 555| const auto t3 = V + V; 219| 555| const auto t4 = t2 - HHH; 220| 555| auto X3 = t4 - t3; 221| 555| const auto t5 = V - X3; 222| 555| const auto t6 = S1 * HHH; 223| 555| const auto t7 = r * t5; 224| 555| auto Y3 = t7 - t6; 225| 555| const auto t8 = b.z() * H; 226| 555| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 555| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 555| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 555| return ProjectivePoint(X3, Y3, Z3); 235| 555|} pcurves_secp192r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp192r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.18k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.18k, False: 1] ------------------ 117| 1.18k| any_identity = any_identity || pt.is_identity(); 118| 1.18k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.18k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.18k, False: 1] ------------------ 146| 1.18k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.18k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.18k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.18k, False: 1] ------------------ 158| 1.18k| const auto& p = projective[i]; 159| | 160| 1.18k| const auto z_inv = s_inv * c[i - 1]; 161| 1.18k| const auto z2_inv = z_inv.square(); 162| 1.18k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.18k| s_inv = s_inv * p.z(); 165| | 166| 1.18k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.18k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp192r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp192r15CurveEEEDaRKNT_15ProjectivePointE: 76| 195|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 195| if constexpr(curve_supports_fe_invert2) { 81| 195| const auto z2_inv = C::fe_invert2(pt.z()); 82| 195| const auto z3_inv = z2_inv.square() * pt.z(); 83| 195| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 195|} pcurves_secp192r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp192r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp192r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 6.24k| const FieldElement& one) { 297| 6.24k| const auto a_is_identity = a.is_identity(); 298| 6.24k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 6.24k| auto by = b.y(); 307| 6.24k| by.conditional_assign(sub, by.negate()); 308| | 309| 6.24k| const auto Z1Z1 = a.z().square(); 310| 6.24k| const auto U2 = b.x() * Z1Z1; 311| 6.24k| const auto S2 = by * a.z() * Z1Z1; 312| 6.24k| const auto H = U2 - a.x(); 313| 6.24k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 6.24k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 6.24k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 6.24k| const auto HH = H.square(); 330| 6.24k| const auto HHH = H * HH; 331| 6.24k| const auto V = a.x() * HH; 332| 6.24k| const auto t2 = r.square(); 333| 6.24k| const auto t3 = V + V; 334| 6.24k| const auto t4 = t2 - HHH; 335| 6.24k| auto X3 = t4 - t3; 336| 6.24k| const auto t5 = V - X3; 337| 6.24k| const auto t6 = a.y() * HHH; 338| 6.24k| const auto t7 = r * t5; 339| 6.24k| auto Y3 = t7 - t6; 340| 6.24k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 6.24k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 6.24k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 6.24k| return ProjectivePoint(X3, Y3, Z3); 349| 6.24k|} pcurves_secp224r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 731|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 731| const auto z2 = pt.z().square(); 368| 731| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 731| const auto y2 = pt.y().square(); 372| 731| const auto s = pt.x().mul4() * y2; 373| 731| const auto nx = m.square() - s.mul2(); 374| 731| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 731| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 731| return ProjectivePoint(nx, ny, nz); 378| 731|} pcurves_secp224r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 645|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 645| const auto a_is_identity = a.is_identity(); 189| 645| const auto b_is_identity = b.is_identity(); 190| | 191| 645| const auto Z1Z1 = a.z().square(); 192| 645| const auto Z2Z2 = b.z().square(); 193| 645| const auto U1 = a.x() * Z2Z2; 194| 645| const auto U2 = b.x() * Z1Z1; 195| 645| const auto S1 = a.y() * b.z() * Z2Z2; 196| 645| const auto S2 = b.y() * a.z() * Z1Z1; 197| 645| const auto H = U2 - U1; 198| 645| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 645| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 645] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 645| const auto HH = H.square(); 215| 645| const auto HHH = H * HH; 216| 645| const auto V = U1 * HH; 217| 645| const auto t2 = r.square(); 218| 645| const auto t3 = V + V; 219| 645| const auto t4 = t2 - HHH; 220| 645| auto X3 = t4 - t3; 221| 645| const auto t5 = V - X3; 222| 645| const auto t6 = S1 * HHH; 223| 645| const auto t7 = r * t5; 224| 645| auto Y3 = t7 - t6; 225| 645| const auto t8 = b.z() * H; 226| 645| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 645| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 645| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 645| return ProjectivePoint(X3, Y3, Z3); 235| 645|} pcurves_secp224r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp224r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.37k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.37k, False: 1] ------------------ 117| 1.37k| any_identity = any_identity || pt.is_identity(); 118| 1.37k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.37k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.37k, False: 1] ------------------ 146| 1.37k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.37k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.37k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.37k, False: 1] ------------------ 158| 1.37k| const auto& p = projective[i]; 159| | 160| 1.37k| const auto z_inv = s_inv * c[i - 1]; 161| 1.37k| const auto z2_inv = z_inv.square(); 162| 1.37k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.37k| s_inv = s_inv * p.z(); 165| | 166| 1.37k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.37k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp224r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp224r15CurveEEEDaRKNT_15ProjectivePointE: 76| 131|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 131| if constexpr(curve_supports_fe_invert2) { 81| 131| const auto z2_inv = C::fe_invert2(pt.z()); 82| 131| const auto z3_inv = z2_inv.square() * pt.z(); 83| 131| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 131|} pcurves_secp224r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp224r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp224r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 4.84k| const FieldElement& one) { 297| 4.84k| const auto a_is_identity = a.is_identity(); 298| 4.84k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 4.84k| auto by = b.y(); 307| 4.84k| by.conditional_assign(sub, by.negate()); 308| | 309| 4.84k| const auto Z1Z1 = a.z().square(); 310| 4.84k| const auto U2 = b.x() * Z1Z1; 311| 4.84k| const auto S2 = by * a.z() * Z1Z1; 312| 4.84k| const auto H = U2 - a.x(); 313| 4.84k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 4.84k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 4.84k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 4.84k| const auto HH = H.square(); 330| 4.84k| const auto HHH = H * HH; 331| 4.84k| const auto V = a.x() * HH; 332| 4.84k| const auto t2 = r.square(); 333| 4.84k| const auto t3 = V + V; 334| 4.84k| const auto t4 = t2 - HHH; 335| 4.84k| auto X3 = t4 - t3; 336| 4.84k| const auto t5 = V - X3; 337| 4.84k| const auto t6 = a.y() * HHH; 338| 4.84k| const auto t7 = r * t5; 339| 4.84k| auto Y3 = t7 - t6; 340| 4.84k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 4.84k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 4.84k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 4.84k| return ProjectivePoint(X3, Y3, Z3); 349| 4.84k|} pcurves_secp256k1.cpp:_ZN5Botan10dbl_a_zeroINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 381| 833|inline constexpr ProjectivePoint dbl_a_zero(const ProjectivePoint& pt) { 382| | // If a == 0 then 3*x^2 + a*z^4 == 3*x^2 383| | // Cost: 1S + 1*3 384| 833| const auto m = pt.x().square().mul3(); 385| | 386| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 387| 833| const auto y2 = pt.y().square(); 388| 833| const auto s = pt.x().mul4() * y2; 389| 833| const auto nx = m.square() - s.mul2(); 390| 833| const auto ny = m * (s - nx) - y2.square().mul8(); 391| 833| const auto nz = pt.y().mul2() * pt.z(); 392| | 393| 833| return ProjectivePoint(nx, ny, nz); 394| 833|} pcurves_secp256k1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 735|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 735| const auto a_is_identity = a.is_identity(); 189| 735| const auto b_is_identity = b.is_identity(); 190| | 191| 735| const auto Z1Z1 = a.z().square(); 192| 735| const auto Z2Z2 = b.z().square(); 193| 735| const auto U1 = a.x() * Z2Z2; 194| 735| const auto U2 = b.x() * Z1Z1; 195| 735| const auto S1 = a.y() * b.z() * Z2Z2; 196| 735| const auto S2 = b.y() * a.z() * Z1Z1; 197| 735| const auto H = U2 - U1; 198| 735| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 735| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 735] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 735| const auto HH = H.square(); 215| 735| const auto HHH = H * HH; 216| 735| const auto V = U1 * HH; 217| 735| const auto t2 = r.square(); 218| 735| const auto t3 = V + V; 219| 735| const auto t4 = t2 - HHH; 220| 735| auto X3 = t4 - t3; 221| 735| const auto t5 = V - X3; 222| 735| const auto t6 = S1 * HHH; 223| 735| const auto t7 = r * t5; 224| 735| auto Y3 = t7 - t6; 225| 735| const auto t8 = b.z() * H; 226| 735| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 735| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 735| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 735| return ProjectivePoint(X3, Y3, Z3); 235| 735|} pcurves_secp256k1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256k15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.56k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.56k, False: 1] ------------------ 117| 1.56k| any_identity = any_identity || pt.is_identity(); 118| 1.56k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.56k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.56k, False: 1] ------------------ 146| 1.56k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.56k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.56k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.56k, False: 1] ------------------ 158| 1.56k| const auto& p = projective[i]; 159| | 160| 1.56k| const auto z_inv = s_inv * c[i - 1]; 161| 1.56k| const auto z2_inv = z_inv.square(); 162| 1.56k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.56k| s_inv = s_inv * p.z(); 165| | 166| 1.56k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.56k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp256k1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp256k15CurveEEEDaRKNT_15ProjectivePointE: 76| 134|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 134| if constexpr(curve_supports_fe_invert2) { 81| 134| const auto z2_inv = C::fe_invert2(pt.z()); 82| 134| const auto z3_inv = z2_inv.square() * pt.z(); 83| 134| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 134|} pcurves_secp256k1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256k15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp256k1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 5.62k| const FieldElement& one) { 297| 5.62k| const auto a_is_identity = a.is_identity(); 298| 5.62k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 5.62k| auto by = b.y(); 307| 5.62k| by.conditional_assign(sub, by.negate()); 308| | 309| 5.62k| const auto Z1Z1 = a.z().square(); 310| 5.62k| const auto U2 = b.x() * Z1Z1; 311| 5.62k| const auto S2 = by * a.z() * Z1Z1; 312| 5.62k| const auto H = U2 - a.x(); 313| 5.62k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 5.62k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 5.62k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 5.62k| const auto HH = H.square(); 330| 5.62k| const auto HHH = H * HH; 331| 5.62k| const auto V = a.x() * HH; 332| 5.62k| const auto t2 = r.square(); 333| 5.62k| const auto t3 = V + V; 334| 5.62k| const auto t4 = t2 - HHH; 335| 5.62k| auto X3 = t4 - t3; 336| 5.62k| const auto t5 = V - X3; 337| 5.62k| const auto t6 = a.y() * HHH; 338| 5.62k| const auto t7 = r * t5; 339| 5.62k| auto Y3 = t7 - t6; 340| 5.62k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 5.62k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 5.62k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 5.62k| return ProjectivePoint(X3, Y3, Z3); 349| 5.62k|} pcurves_secp256r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 833|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 833| const auto z2 = pt.z().square(); 368| 833| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 833| const auto y2 = pt.y().square(); 372| 833| const auto s = pt.x().mul4() * y2; 373| 833| const auto nx = m.square() - s.mul2(); 374| 833| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 833| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 833| return ProjectivePoint(nx, ny, nz); 378| 833|} pcurves_secp256r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 735|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 735| const auto a_is_identity = a.is_identity(); 189| 735| const auto b_is_identity = b.is_identity(); 190| | 191| 735| const auto Z1Z1 = a.z().square(); 192| 735| const auto Z2Z2 = b.z().square(); 193| 735| const auto U1 = a.x() * Z2Z2; 194| 735| const auto U2 = b.x() * Z1Z1; 195| 735| const auto S1 = a.y() * b.z() * Z2Z2; 196| 735| const auto S2 = b.y() * a.z() * Z1Z1; 197| 735| const auto H = U2 - U1; 198| 735| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 735| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 735] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 735| const auto HH = H.square(); 215| 735| const auto HHH = H * HH; 216| 735| const auto V = U1 * HH; 217| 735| const auto t2 = r.square(); 218| 735| const auto t3 = V + V; 219| 735| const auto t4 = t2 - HHH; 220| 735| auto X3 = t4 - t3; 221| 735| const auto t5 = V - X3; 222| 735| const auto t6 = S1 * HHH; 223| 735| const auto t7 = r * t5; 224| 735| auto Y3 = t7 - t6; 225| 735| const auto t8 = b.z() * H; 226| 735| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 735| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 735| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 735| return ProjectivePoint(X3, Y3, Z3); 235| 735|} pcurves_secp256r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.56k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.56k, False: 1] ------------------ 117| 1.56k| any_identity = any_identity || pt.is_identity(); 118| 1.56k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.56k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.56k, False: 1] ------------------ 146| 1.56k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.56k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.56k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.56k, False: 1] ------------------ 158| 1.56k| const auto& p = projective[i]; 159| | 160| 1.56k| const auto z_inv = s_inv * c[i - 1]; 161| 1.56k| const auto z2_inv = z_inv.square(); 162| 1.56k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.56k| s_inv = s_inv * p.z(); 165| | 166| 1.56k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.56k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp256r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp256r15CurveEEEDaRKNT_15ProjectivePointE: 76| 159|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 159| if constexpr(curve_supports_fe_invert2) { 81| 159| const auto z2_inv = C::fe_invert2(pt.z()); 82| 159| const auto z3_inv = z2_inv.square() * pt.z(); 83| 159| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 159|} pcurves_secp256r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp256r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 6.67k| const FieldElement& one) { 297| 6.67k| const auto a_is_identity = a.is_identity(); 298| 6.67k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 6.67k| auto by = b.y(); 307| 6.67k| by.conditional_assign(sub, by.negate()); 308| | 309| 6.67k| const auto Z1Z1 = a.z().square(); 310| 6.67k| const auto U2 = b.x() * Z1Z1; 311| 6.67k| const auto S2 = by * a.z() * Z1Z1; 312| 6.67k| const auto H = U2 - a.x(); 313| 6.67k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 6.67k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 6.67k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 6.67k| const auto HH = H.square(); 330| 6.67k| const auto HHH = H * HH; 331| 6.67k| const auto V = a.x() * HH; 332| 6.67k| const auto t2 = r.square(); 333| 6.67k| const auto t3 = V + V; 334| 6.67k| const auto t4 = t2 - HHH; 335| 6.67k| auto X3 = t4 - t3; 336| 6.67k| const auto t5 = V - X3; 337| 6.67k| const auto t6 = a.y() * HHH; 338| 6.67k| const auto t7 = r * t5; 339| 6.67k| auto Y3 = t7 - t6; 340| 6.67k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 6.67k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 6.67k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 6.67k| return ProjectivePoint(X3, Y3, Z3); 349| 6.67k|} pcurves_secp384r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 1.24k|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 1.24k| const auto z2 = pt.z().square(); 368| 1.24k| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 1.24k| const auto y2 = pt.y().square(); 372| 1.24k| const auto s = pt.x().mul4() * y2; 373| 1.24k| const auto nx = m.square() - s.mul2(); 374| 1.24k| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 1.24k| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 1.24k| return ProjectivePoint(nx, ny, nz); 378| 1.24k|} pcurves_secp384r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.09k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.09k| const auto a_is_identity = a.is_identity(); 189| 1.09k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.09k| const auto Z1Z1 = a.z().square(); 192| 1.09k| const auto Z2Z2 = b.z().square(); 193| 1.09k| const auto U1 = a.x() * Z2Z2; 194| 1.09k| const auto U2 = b.x() * Z1Z1; 195| 1.09k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.09k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.09k| const auto H = U2 - U1; 198| 1.09k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.09k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.09k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.09k| const auto HH = H.square(); 215| 1.09k| const auto HHH = H * HH; 216| 1.09k| const auto V = U1 * HH; 217| 1.09k| const auto t2 = r.square(); 218| 1.09k| const auto t3 = V + V; 219| 1.09k| const auto t4 = t2 - HHH; 220| 1.09k| auto X3 = t4 - t3; 221| 1.09k| const auto t5 = V - X3; 222| 1.09k| const auto t6 = S1 * HHH; 223| 1.09k| const auto t7 = r * t5; 224| 1.09k| auto Y3 = t7 - t6; 225| 1.09k| const auto t8 = b.z() * H; 226| 1.09k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.09k| return ProjectivePoint(X3, Y3, Z3); 235| 1.09k|} pcurves_secp384r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 2.33k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 2.33k, False: 1] ------------------ 117| 2.33k| any_identity = any_identity || pt.is_identity(); 118| 2.33k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 2.33k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 2.33k, False: 1] ------------------ 146| 2.33k| c.push_back(c[i - 1] * projective[i].z()); 147| 2.33k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 2.33k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 2.33k, False: 1] ------------------ 158| 2.33k| const auto& p = projective[i]; 159| | 160| 2.33k| const auto z_inv = s_inv * c[i - 1]; 161| 2.33k| const auto z2_inv = z_inv.square(); 162| 2.33k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 2.33k| s_inv = s_inv * p.z(); 165| | 166| 2.33k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 2.33k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp384r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp384r15CurveEEEDaRKNT_15ProjectivePointE: 76| 127|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 127| if constexpr(curve_supports_fe_invert2) { 81| 127| const auto z2_inv = C::fe_invert2(pt.z()); 82| 127| const auto z3_inv = z2_inv.square() * pt.z(); 83| 127| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 127|} pcurves_secp384r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp384r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 8.12k| const FieldElement& one) { 297| 8.12k| const auto a_is_identity = a.is_identity(); 298| 8.12k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 8.12k| auto by = b.y(); 307| 8.12k| by.conditional_assign(sub, by.negate()); 308| | 309| 8.12k| const auto Z1Z1 = a.z().square(); 310| 8.12k| const auto U2 = b.x() * Z1Z1; 311| 8.12k| const auto S2 = by * a.z() * Z1Z1; 312| 8.12k| const auto H = U2 - a.x(); 313| 8.12k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 8.12k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 8.12k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 8.12k| const auto HH = H.square(); 330| 8.12k| const auto HHH = H * HH; 331| 8.12k| const auto V = a.x() * HH; 332| 8.12k| const auto t2 = r.square(); 333| 8.12k| const auto t3 = V + V; 334| 8.12k| const auto t4 = t2 - HHH; 335| 8.12k| auto X3 = t4 - t3; 336| 8.12k| const auto t5 = V - X3; 337| 8.12k| const auto t6 = a.y() * HHH; 338| 8.12k| const auto t7 = r * t5; 339| 8.12k| auto Y3 = t7 - t6; 340| 8.12k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 8.12k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 8.12k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 8.12k| return ProjectivePoint(X3, Y3, Z3); 349| 8.12k|} pcurves_secp521r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 1.64k|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 1.64k| const auto z2 = pt.z().square(); 368| 1.64k| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 1.64k| const auto y2 = pt.y().square(); 372| 1.64k| const auto s = pt.x().mul4() * y2; 373| 1.64k| const auto nx = m.square() - s.mul2(); 374| 1.64k| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 1.64k| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 1.64k| return ProjectivePoint(nx, ny, nz); 378| 1.64k|} pcurves_secp521r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.45k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.45k| const auto a_is_identity = a.is_identity(); 189| 1.45k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.45k| const auto Z1Z1 = a.z().square(); 192| 1.45k| const auto Z2Z2 = b.z().square(); 193| 1.45k| const auto U1 = a.x() * Z2Z2; 194| 1.45k| const auto U2 = b.x() * Z1Z1; 195| 1.45k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.45k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.45k| const auto H = U2 - U1; 198| 1.45k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.45k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.45k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.45k| const auto HH = H.square(); 215| 1.45k| const auto HHH = H * HH; 216| 1.45k| const auto V = U1 * HH; 217| 1.45k| const auto t2 = r.square(); 218| 1.45k| const auto t3 = V + V; 219| 1.45k| const auto t4 = t2 - HHH; 220| 1.45k| auto X3 = t4 - t3; 221| 1.45k| const auto t5 = V - X3; 222| 1.45k| const auto t6 = S1 * HHH; 223| 1.45k| const auto t7 = r * t5; 224| 1.45k| auto Y3 = t7 - t6; 225| 1.45k| const auto t8 = b.z() * H; 226| 1.45k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.45k| return ProjectivePoint(X3, Y3, Z3); 235| 1.45k|} pcurves_secp521r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp521r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 3.10k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 3.10k, False: 1] ------------------ 117| 3.10k| any_identity = any_identity || pt.is_identity(); 118| 3.10k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 3.10k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 3.10k, False: 1] ------------------ 146| 3.10k| c.push_back(c[i - 1] * projective[i].z()); 147| 3.10k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 3.10k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 3.10k, False: 1] ------------------ 158| 3.10k| const auto& p = projective[i]; 159| | 160| 3.10k| const auto z_inv = s_inv * c[i - 1]; 161| 3.10k| const auto z2_inv = z_inv.square(); 162| 3.10k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 3.10k| s_inv = s_inv * p.z(); 165| | 166| 3.10k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 3.10k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp521r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp521r15CurveEEEDaRKNT_15ProjectivePointE: 76| 114|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 114| if constexpr(curve_supports_fe_invert2) { 81| 114| const auto z2_inv = C::fe_invert2(pt.z()); 82| 114| const auto z3_inv = z2_inv.square() * pt.z(); 83| 114| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 114|} pcurves_secp521r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp521r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp521r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 9.80k| const FieldElement& one) { 297| 9.80k| const auto a_is_identity = a.is_identity(); 298| 9.80k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 9.80k| auto by = b.y(); 307| 9.80k| by.conditional_assign(sub, by.negate()); 308| | 309| 9.80k| const auto Z1Z1 = a.z().square(); 310| 9.80k| const auto U2 = b.x() * Z1Z1; 311| 9.80k| const auto S2 = by * a.z() * Z1Z1; 312| 9.80k| const auto H = U2 - a.x(); 313| 9.80k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 9.80k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 9.80k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 9.80k| const auto HH = H.square(); 330| 9.80k| const auto HHH = H * HH; 331| 9.80k| const auto V = a.x() * HH; 332| 9.80k| const auto t2 = r.square(); 333| 9.80k| const auto t3 = V + V; 334| 9.80k| const auto t4 = t2 - HHH; 335| 9.80k| auto X3 = t4 - t3; 336| 9.80k| const auto t5 = V - X3; 337| 9.80k| const auto t6 = a.y() * HHH; 338| 9.80k| const auto t7 = r * t5; 339| 9.80k| auto Y3 = t7 - t6; 340| 9.80k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 9.80k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 9.80k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 9.80k| return ProjectivePoint(X3, Y3, Z3); 349| 9.80k|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve7_paramsEv: 113| 75.9M| const GenericCurveParams& _params() const { return *m_params; } pcurves_brainpool256r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 115| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 115| auto x = pt.x(); 1027| 115| auto y = pt.y(); 1028| 115| auto z = FieldElement::one(); 1029| | 1030| 115| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 115| return ProjectiveCurvePoint(x, y, z); 1033| 115| } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE1xEv: 971| 172k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE1yEv: 976| 167k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE3oneEv: 200| 5.01k| static constexpr Self one() { return Self(Rep::one()); } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE3oneEv: 99| 5.01k| constexpr static std::array one() { return R1; } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 156k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 115| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 115| const W mask = cond.into_bitmask(); 412| | 413| 575| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 460, False: 115] ------------------ 414| 460| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 460| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 460| x.m_val[i] = nx; 417| 460| y.m_val[i] = ny; 418| 460| } 419| 115| } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE11is_identityEv: 928| 5.24k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE7is_zeroEv: 225| 29.3k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 6.69k| m_x(x), m_y(y), m_z(z) {} pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E3dblEv: 1121| 833| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| 833| } else { 1127| 833| return dbl_generic(*this, A); 1128| 833| } 1129| 833| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E1zEv: 1172| 38.1k| constexpr const FieldElement& z() const { return m_z; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE6squareEv: 426| 25.0k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 25.0k| std::array z; // NOLINT(*-member-init) 428| 25.0k| comba_sqr(z.data(), this->data()); 429| 25.0k| return Self(Rep::redc(z)); 430| 25.0k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4dataEv: 896| 195k| constexpr const W* data() const { return m_val.data(); } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 121k| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 121k| } else { 108| 121k| return monty_redc(z, P, P_dash); 109| 121k| } 110| 121k| } pcurves_brainpool256r1.cpp:_ZN5BotanplERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEESC_: 265| 7.59k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 7.59k| std::array t; // NOLINT(*-member-init) 267| | 268| 7.59k| W carry = 0; 269| 37.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 30.3k, False: 7.59k] ------------------ 270| 30.3k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 30.3k| } 272| | 273| 7.59k| std::array r; // NOLINT(*-member-init) 274| 7.59k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 7.59k| return Self(r); 276| 7.59k| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E1xEv: 1162| 20.9k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul3Ev: 335| 833| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_brainpool256r1.cpp:_ZN5BotanmlERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEESC_: 346| 61.1k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 61.1k| std::array z; // NOLINT(*-member-init) 348| 61.1k| comba_mul(z.data(), a.data(), b.data()); 349| 61.1k| return Self(Rep::redc(z)); 350| 61.1k| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E1yEv: 1167| 20.9k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul4Ev: 338| 833| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_brainpool256r1.cpp:_ZN5BotanmiERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEESC_: 281| 35.6k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 35.6k| std::array r; // NOLINT(*-member-init) 283| 35.6k| W carry = 0; 284| 178k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 142k, False: 35.6k] ------------------ 285| 142k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 142k| } 287| | 288| 35.6k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 35.6k| carry = 0; 291| | 292| 178k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 142k, False: 35.6k] ------------------ 293| 142k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 142k| } 295| | 296| 35.6k| return Self(r); 297| 35.6k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul2Ev: 325| 6.66k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 6.66k| std::array t = value(); 327| 6.66k| const W carry = shift_left<1>(t); 328| | 329| 6.66k| std::array r; // NOLINT(*-member-init) 330| 6.66k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 6.66k| return Self(r); 332| 6.66k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE5valueEv: 894| 6.66k| constexpr const std::array& value() const { return m_val; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul8Ev: 341| 833| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_brainpool256r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_EESE_: 1064| 735| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 735| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 7.82k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 11.1k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 11.1k| const W mask = cond.into_bitmask(); 397| | 398| 55.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 44.6k, False: 11.1k] ------------------ 399| 44.6k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 44.6k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 44.6k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 44.6k| } 403| 11.1k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE6invertEv: 538| 114| constexpr Self invert() const { return pow_vartime(Self::P_MINUS_2); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE11pow_vartimeERKNSt3__15arrayImLm4EEE: 477| 114| constexpr Self pow_vartime(const std::array& exp) const { 478| 114| constexpr size_t WindowBits = (Self::BITS <= 256) ? 4 : 5; ------------------ | Branch (478:40): [True: 0, Folded] ------------------ 479| 114| constexpr size_t WindowElements = (1 << WindowBits) - 1; 480| | 481| 114| constexpr size_t Windows = (Self::BITS + WindowBits - 1) / WindowBits; 482| | 483| | /* 484| | A simple fixed width window modular multiplication. 485| | 486| | TODO: investigate using sliding window here 487| | */ 488| | 489| 114| std::array tbl; 490| | 491| 114| tbl[0] = (*this); 492| | 493| 1.71k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (493:28): [True: 1.59k, False: 114] ------------------ 494| | // Conditional ok: table indexes are public here 495| 1.59k| if(i % 2 == 1) { ------------------ | Branch (495:16): [True: 798, False: 798] ------------------ 496| 798| tbl[i] = tbl[i / 2].square(); 497| 798| } else { 498| 798| tbl[i] = tbl[i - 1] * tbl[0]; 499| 798| } 500| 1.59k| } 501| | 502| 114| auto r = Self::one(); 503| | 504| 114| const size_t w0 = read_window_bits(std::span{exp}, (Windows - 1) * WindowBits); 505| | 506| | // Conditional ok: this function is variable time 507| 114| if(w0 > 0) { ------------------ | Branch (507:13): [True: 114, False: 0] ------------------ 508| 114| r = tbl[w0 - 1]; 509| 114| } 510| | 511| 7.29k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (511:28): [True: 7.18k, False: 114] ------------------ 512| 7.18k| r.square_n(WindowBits); 513| | 514| 7.18k| const size_t w = read_window_bits(std::span{exp}, (Windows - i - 1) * WindowBits); 515| | 516| | // Conditional ok: this function is variable time 517| 7.18k| if(w > 0) { ------------------ | Branch (517:16): [True: 6.72k, False: 456] ------------------ 518| 6.72k| r *= tbl[w - 1]; 519| 6.72k| } 520| 7.18k| } 521| | 522| 114| return r; 523| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEC2Ev: 180| 1.71k| constexpr IntMod() : m_val({}) {} pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE8square_nEm: 439| 7.18k| constexpr void square_n(size_t n) { 440| 7.18k| std::array z; // NOLINT(*-member-init) 441| 35.9k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 28.7k, False: 7.18k] ------------------ 442| 28.7k| comba_sqr(z.data(), this->data()); 443| 28.7k| m_val = Rep::redc(z); 444| 28.7k| } 445| 7.18k| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEmLERKSA_: 355| 6.72k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 6.72k| std::array z; // NOLINT(*-member-init) 357| 6.72k| comba_mul(z.data(), data(), other.data()); 358| 6.72k| m_val = Rep::redc(z); 359| 6.72k| return (*this); 360| 6.72k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 177| for(;;) { 618| | // Conditional ok: this function is variable time 619| 177| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 176] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 176| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 176| std::array r; // NOLINT(*-member-init) 640| 176| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 176| if(carry == 0) { ------------------ | Branch (643:16): [True: 94, False: 82] ------------------ 644| | // b > a 645| 94| b.m_val = r; 646| 94| x = nx; 647| 94| Self::_invert_vartime_div2_helper(b, x); 648| 94| } else { 649| | // We know this can't underflow because a > b 650| 82| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 82| a.m_val = r; 652| 82| y = nx; 653| 82| Self::_invert_vartime_div2_helper(a, y); 654| 82| } 655| 176| } 656| 1| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4zeroEv: 195| 9.80k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 229| constexpr static std::array from_rep(const std::array& z) { 138| 229| std::array ze = {}; 139| 229| copy_mem(std::span{ze}.template first(), z); 140| 229| return Self::redc(ze); 141| 229| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 178| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 178| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 553| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 375, False: 178] ------------------ 552| 375| shift_right<1>(a.m_val); 553| | 554| 375| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 375| if(borrow) { ------------------ | Branch (557:16): [True: 193, False: 182] ------------------ 558| 193| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 193| } 560| 375| } 561| 178| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE6negateEv: 452| 4.90k| constexpr Self negate() const { 453| 4.90k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 4.90k| std::array r; // NOLINT(*-member-init) 456| 4.90k| W carry = 0; 457| 24.5k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 19.6k, False: 4.90k] ------------------ 458| 19.6k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 19.6k| } 460| | 461| 4.90k| return Self(r); 462| 4.90k| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 1| constexpr static std::array to_rep(const std::array& x) { 116| 1| std::array z; // NOLINT(*-member-init) 117| 1| comba_mul(z.data(), x.data(), R2.data()); 118| 1| return Self::redc(z); 119| 1| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 6.81k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 570| std::array stash_value() const { 760| 570| static_assert(L >= N); 761| 570| std::array stash = {}; 762| 2.85k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 2.28k, False: 570] ------------------ 763| 2.28k| stash[i] = m_val[i]; 764| 2.28k| } 765| 570| return stash; 766| 570| } pcurves_brainpool256r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 114| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 114| const BlindedScalar scalar(s, rng); 1409| 114| return basemul_booth_exec(m_table, scalar, rng); 1410| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 114| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 114| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 114, Folded] | Branch (1308:33): [True: 0, False: 114] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 114| } else { 1344| | // No RNG available, skip blinding 1345| 114| m_bytes.resize(C::Scalar::BYTES); 1346| 114| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 114| m_bits = C::Scalar::BITS; 1348| 114| } 1349| | 1350| 114| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 237| constexpr static std::array from_rep(const std::array& z) { 138| 237| std::array ze = {}; 139| 237| copy_mem(std::span{ze}.template first(), z); 140| 237| return Self::redc(ze); 141| 237| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 361| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 361| } else { 108| 361| return monty_redc(z, P, P_dash); 109| 361| } 110| 361| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 237| constexpr void serialize_to(std::span bytes) const { 740| 237| auto v = Rep::from_rep(m_val); 741| 237| std::reverse(v.begin(), v.end()); 742| | 743| 237| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 237| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 237| } pcurves_brainpool256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EE4bitsEv: 1305| 114| size_t bits() const { return m_bits; } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 114| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 114| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 114| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E6negateEv: 1134| 114| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 114| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18_const_time_poisonEv: 889| 342| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_brainpool256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EE10get_windowEm: 1353| 4.90k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 4.90k| return read_window_bits(std::span{m_bytes}, offset); 1356| 4.90k| } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 4.78k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 4.78k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 4.78k| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 4.78k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 4.78k| const W mask = cond.into_bitmask(); 369| | 370| 23.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 19.1k, False: 4.78k] ------------------ 371| 19.1k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 19.1k| } 373| 4.78k| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 4.90k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 4.90k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 4.90k| const size_t idx1 = static_cast(idx - 1); 960| 161k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 156k, False: 4.90k] ------------------ 961| 156k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 156k| result.conditional_assign(found, pts[i]); 963| 156k| } 964| | 965| 4.90k| return result; 966| 4.90k| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE8identityERKSC_: 924| 4.90k| static constexpr Self identity(const Self& /*unused*/) { 925| 4.90k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 4.90k| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 156k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 156k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 156k| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 156k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 156k| const W mask = cond.into_bitmask(); 382| | 383| 784k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 627k, False: 156k] ------------------ 384| 627k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 627k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 627k| } 387| 156k| } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 456| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 456| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 456] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 456| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 114| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 342| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_brainpool256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EED2Ev: 1358| 114| ~BlindedScalarBits() { 1359| 114| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 114| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 360| static Self from_stash(const std::array& stash) { 775| 360| static_assert(L >= N); 776| 360| std::array val = {}; 777| 1.80k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 1.44k, False: 360] ------------------ 778| 1.44k| val[i] = stash[i]; 779| 1.44k| } 780| 360| return Self(val); 781| 360| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 484| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 228| constexpr void serialize_to(std::span bytes) const { 740| 228| auto v = Rep::from_rep(m_val); 741| 228| std::reverse(v.begin(), v.end()); 742| | 743| 228| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 228| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 228| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 123| std::array stash_value() const { 760| 123| static_assert(L >= N); 761| 123| std::array stash = {}; 762| 615| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 492, False: 123] ------------------ 763| 492| stash[i] = m_val[i]; 764| 492| } 765| 123| return stash; 766| 123| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 798| static Self from_stash(const std::array& stash) { 775| 798| static_assert(L >= N); 776| 798| std::array val = {}; 777| 3.99k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.19k, False: 798] ------------------ 778| 3.19k| val[i] = stash[i]; 779| 3.19k| } 780| 798| return Self(val); 781| 798| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE7is_zeroEv: 225| 247| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEeqERKSA_: 722| 114| constexpr CT::Choice operator==(const Self& other) const { 723| 114| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsENS_13MontgomeryRepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 114| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 124| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 124| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 124] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 124| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 124| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 124] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 124| return Self::from_words(words); 807| 124| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE10from_wordsILm4EEESA_NSt3__15arrayImXT_EEE: 211| 124| static constexpr Self from_words(std::array w) { 212| 124| if constexpr(L == N) { 213| 124| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 124| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 124| constexpr static std::array to_rep(const std::array& x) { 116| 124| std::array z; // NOLINT(*-member-init) 117| 124| comba_mul(z.data(), x.data(), R2.data()); 118| 124| return Self::redc(z); 119| 124| } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm65EEE: 941| 114| constexpr void serialize_to(std::span bytes) const { 942| 114| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 114| do { \ | | 52| 114| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 114| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 114] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 114| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 114] | | ------------------ ------------------ 943| 114| BufferStuffer pack(bytes); 944| 114| pack.append(0x04); 945| 114| x().serialize_to(pack.next()); 946| 114| y().serialize_to(pack.next()); 947| 114| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 114| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 114| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 114] | | ------------------ ------------------ 948| 114| } pcurves_brainpool384r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 138| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 138| auto x = pt.x(); 1027| 138| auto y = pt.y(); 1028| 138| auto z = FieldElement::one(); 1029| | 1030| 138| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 138| return ProjectiveCurvePoint(x, y, z); 1033| 138| } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE1xEv: 971| 312k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE1yEv: 976| 303k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE3oneEv: 200| 9.04k| static constexpr Self one() { return Self(Rep::one()); } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE3oneEv: 99| 9.04k| constexpr static std::array one() { return R1; } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 270k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 138| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 138| const W mask = cond.into_bitmask(); 412| | 413| 966| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 828, False: 138] ------------------ 414| 828| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 828| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 828| x.m_val[i] = nx; 417| 828| y.m_val[i] = ny; 418| 828| } 419| 138| } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE11is_identityEv: 928| 9.31k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE7is_zeroEv: 225| 51.6k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 11.5k| m_x(x), m_y(y), m_z(z) {} pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.24k| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| 1.24k| } else { 1127| 1.24k| return dbl_generic(*this, A); 1128| 1.24k| } 1129| 1.24k| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E1zEv: 1172| 64.8k| constexpr const FieldElement& z() const { return m_z; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE6squareEv: 426| 42.9k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 42.9k| std::array z; // NOLINT(*-member-init) 428| 42.9k| comba_sqr(z.data(), this->data()); 429| 42.9k| return Self(Rep::redc(z)); 430| 42.9k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4dataEv: 896| 334k| constexpr const W* data() const { return m_val.data(); } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE4redcERKNSt3__15arrayImLm12EEE: 104| 210k| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 210k| } else { 108| 210k| return monty_redc(z, P, P_dash); 109| 210k| } 110| 210k| } pcurves_brainpool384r1.cpp:_ZN5BotanplERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEESC_: 265| 12.8k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 12.8k| std::array t; // NOLINT(*-member-init) 267| | 268| 12.8k| W carry = 0; 269| 90.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 77.2k, False: 12.8k] ------------------ 270| 77.2k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 77.2k| } 272| | 273| 12.8k| std::array r; // NOLINT(*-member-init) 274| 12.8k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 12.8k| return Self(r); 276| 12.8k| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E1xEv: 1162| 36.0k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul3Ev: 335| 1.24k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_brainpool384r1.cpp:_ZN5BotanmlERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEESC_: 346| 104k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 104k| std::array z; // NOLINT(*-member-init) 348| 104k| comba_mul(z.data(), a.data(), b.data()); 349| 104k| return Self(Rep::redc(z)); 350| 104k| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E1yEv: 1167| 36.0k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul4Ev: 338| 1.24k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_brainpool384r1.cpp:_ZN5BotanmiERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEESC_: 281| 62.9k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 62.9k| std::array r; // NOLINT(*-member-init) 283| 62.9k| W carry = 0; 284| 440k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 377k, False: 62.9k] ------------------ 285| 377k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 377k| } 287| | 288| 62.9k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 62.9k| carry = 0; 291| | 292| 440k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 377k, False: 62.9k] ------------------ 293| 377k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 377k| } 295| | 296| 62.9k| return Self(r); 297| 62.9k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul2Ev: 325| 9.92k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 9.92k| std::array t = value(); 327| 9.92k| const W carry = shift_left<1>(t); 328| | 329| 9.92k| std::array r; // NOLINT(*-member-init) 330| 9.92k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 9.92k| return Self(r); 332| 9.92k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE5valueEv: 894| 9.92k| constexpr const std::array& value() const { return m_val; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul8Ev: 341| 1.24k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_brainpool384r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_EESE_: 1064| 1.09k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.09k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 13.2k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 19.8k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 19.8k| const W mask = cond.into_bitmask(); 397| | 398| 139k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 119k, False: 19.8k] ------------------ 399| 119k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 119k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 119k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 119k| } 403| 19.8k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE6invertEv: 538| 137| constexpr Self invert() const { return pow_vartime(Self::P_MINUS_2); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE11pow_vartimeERKNSt3__15arrayImLm6EEE: 477| 137| constexpr Self pow_vartime(const std::array& exp) const { 478| 137| constexpr size_t WindowBits = (Self::BITS <= 256) ? 4 : 5; ------------------ | Branch (478:40): [Folded, False: 137] ------------------ 479| 137| constexpr size_t WindowElements = (1 << WindowBits) - 1; 480| | 481| 137| constexpr size_t Windows = (Self::BITS + WindowBits - 1) / WindowBits; 482| | 483| | /* 484| | A simple fixed width window modular multiplication. 485| | 486| | TODO: investigate using sliding window here 487| | */ 488| | 489| 137| std::array tbl; 490| | 491| 137| tbl[0] = (*this); 492| | 493| 4.24k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (493:28): [True: 4.11k, False: 137] ------------------ 494| | // Conditional ok: table indexes are public here 495| 4.11k| if(i % 2 == 1) { ------------------ | Branch (495:16): [True: 2.05k, False: 2.05k] ------------------ 496| 2.05k| tbl[i] = tbl[i / 2].square(); 497| 2.05k| } else { 498| 2.05k| tbl[i] = tbl[i - 1] * tbl[0]; 499| 2.05k| } 500| 4.11k| } 501| | 502| 137| auto r = Self::one(); 503| | 504| 137| const size_t w0 = read_window_bits(std::span{exp}, (Windows - 1) * WindowBits); 505| | 506| | // Conditional ok: this function is variable time 507| 137| if(w0 > 0) { ------------------ | Branch (507:13): [True: 137, False: 0] ------------------ 508| 137| r = tbl[w0 - 1]; 509| 137| } 510| | 511| 10.5k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (511:28): [True: 10.4k, False: 137] ------------------ 512| 10.4k| r.square_n(WindowBits); 513| | 514| 10.4k| const size_t w = read_window_bits(std::span{exp}, (Windows - i - 1) * WindowBits); 515| | 516| | // Conditional ok: this function is variable time 517| 10.4k| if(w > 0) { ------------------ | Branch (517:16): [True: 10.0k, False: 411] ------------------ 518| 10.0k| r *= tbl[w - 1]; 519| 10.0k| } 520| 10.4k| } 521| | 522| 137| return r; 523| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEC2Ev: 180| 4.24k| constexpr IntMod() : m_val({}) {} pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE8square_nEm: 439| 10.4k| constexpr void square_n(size_t n) { 440| 10.4k| std::array z; // NOLINT(*-member-init) 441| 62.4k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 52.0k, False: 10.4k] ------------------ 442| 52.0k| comba_sqr(z.data(), this->data()); 443| 52.0k| m_val = Rep::redc(z); 444| 52.0k| } 445| 10.4k| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEmLERKSA_: 355| 10.0k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 10.0k| std::array z; // NOLINT(*-member-init) 357| 10.0k| comba_mul(z.data(), data(), other.data()); 358| 10.0k| m_val = Rep::redc(z); 359| 10.0k| return (*this); 360| 10.0k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 262| for(;;) { 618| | // Conditional ok: this function is variable time 619| 262| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 261] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 261| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 261| std::array r; // NOLINT(*-member-init) 640| 261| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 261| if(carry == 0) { ------------------ | Branch (643:16): [True: 128, False: 133] ------------------ 644| | // b > a 645| 128| b.m_val = r; 646| 128| x = nx; 647| 128| Self::_invert_vartime_div2_helper(b, x); 648| 133| } else { 649| | // We know this can't underflow because a > b 650| 133| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 133| a.m_val = r; 652| 133| y = nx; 653| 133| Self::_invert_vartime_div2_helper(a, y); 654| 133| } 655| 261| } 656| 1| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4zeroEv: 195| 17.8k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE8from_repERKNSt3__15arrayImLm6EEE: 137| 275| constexpr static std::array from_rep(const std::array& z) { 138| 275| std::array ze = {}; 139| 275| copy_mem(std::span{ze}.template first(), z); 140| 275| return Self::redc(ze); 141| 275| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 263| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 263| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 814| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 551, False: 263] ------------------ 552| 551| shift_right<1>(a.m_val); 553| | 554| 551| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 551| if(borrow) { ------------------ | Branch (557:16): [True: 291, False: 260] ------------------ 558| 291| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 291| } 560| 551| } 561| 263| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE6negateEv: 452| 8.90k| constexpr Self negate() const { 453| 8.90k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 8.90k| std::array r; // NOLINT(*-member-init) 456| 8.90k| W carry = 0; 457| 62.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 53.4k, False: 8.90k] ------------------ 458| 53.4k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 53.4k| } 460| | 461| 8.90k| return Self(r); 462| 8.90k| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE6to_repERKNSt3__15arrayImLm6EEE: 115| 1| constexpr static std::array to_rep(const std::array& x) { 116| 1| std::array z; // NOLINT(*-member-init) 117| 1| comba_mul(z.data(), x.data(), R2.data()); 118| 1| return Self::redc(z); 119| 1| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 11.6k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 685| std::array stash_value() const { 760| 685| static_assert(L >= N); 761| 685| std::array stash = {}; 762| 4.79k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 4.11k, False: 685] ------------------ 763| 4.11k| stash[i] = m_val[i]; 764| 4.11k| } 765| 685| return stash; 766| 685| } pcurves_brainpool384r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 137| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 137| const BlindedScalar scalar(s, rng); 1409| 137| return basemul_booth_exec(m_table, scalar, rng); 1410| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 137| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 137| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 137, Folded] | Branch (1308:33): [True: 0, False: 137] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 137| } else { 1344| | // No RNG available, skip blinding 1345| 137| m_bytes.resize(C::Scalar::BYTES); 1346| 137| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 137| m_bits = C::Scalar::BITS; 1348| 137| } 1349| | 1350| 137| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E12ScalarParamsEE8from_repERKNSt3__15arrayImLm6EEE: 137| 292| constexpr static std::array from_rep(const std::array& z) { 138| 292| std::array ze = {}; 139| 292| copy_mem(std::span{ze}.template first(), z); 140| 292| return Self::redc(ze); 141| 292| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E12ScalarParamsEE4redcERKNSt3__15arrayImLm12EEE: 104| 448| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 448| } else { 108| 448| return monty_redc(z, P, P_dash); 109| 448| } 110| 448| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 292| constexpr void serialize_to(std::span bytes) const { 740| 292| auto v = Rep::from_rep(m_val); 741| 292| std::reverse(v.begin(), v.end()); 742| | 743| 292| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 292| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 292| } pcurves_brainpool384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EE4bitsEv: 1305| 137| size_t bits() const { return m_bits; } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 137| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 137| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 137| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E6negateEv: 1134| 137| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 137| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18_const_time_poisonEv: 889| 411| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_brainpool384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EE10get_windowEm: 1353| 8.90k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 8.90k| return read_window_bits(std::span{m_bytes}, offset); 1356| 8.90k| } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 8.76k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 8.76k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 8.76k| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 8.76k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 8.76k| const W mask = cond.into_bitmask(); 369| | 370| 61.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 52.6k, False: 8.76k] ------------------ 371| 52.6k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 52.6k| } 373| 8.76k| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 8.90k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 8.90k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 8.90k| const size_t idx1 = static_cast(idx - 1); 960| 293k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 284k, False: 8.90k] ------------------ 961| 284k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 284k| result.conditional_assign(found, pts[i]); 963| 284k| } 964| | 965| 8.90k| return result; 966| 8.90k| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE8identityERKSC_: 924| 8.90k| static constexpr Self identity(const Self& /*unused*/) { 925| 8.90k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 8.90k| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 284k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 284k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 284k| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 284k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 284k| const W mask = cond.into_bitmask(); 382| | 383| 1.99M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 1.70M, False: 284k] ------------------ 384| 1.70M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 1.70M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 1.70M| } 387| 284k| } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 548| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 548| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 548] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 548| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 137| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 411| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_brainpool384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EED2Ev: 1358| 137| ~BlindedScalarBits() { 1359| 137| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 137| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 447| static Self from_stash(const std::array& stash) { 775| 447| static_assert(L >= N); 776| 447| std::array val = {}; 777| 3.12k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.68k, False: 447] ------------------ 778| 2.68k| val[i] = stash[i]; 779| 2.68k| } 780| 447| return Self(val); 781| 447| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 603| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 274| constexpr void serialize_to(std::span bytes) const { 740| 274| auto v = Rep::from_rep(m_val); 741| 274| std::reverse(v.begin(), v.end()); 742| | 743| 274| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 274| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 274| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 155| std::array stash_value() const { 760| 155| static_assert(L >= N); 761| 155| std::array stash = {}; 762| 1.08k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 930, False: 155] ------------------ 763| 930| stash[i] = m_val[i]; 764| 930| } 765| 155| return stash; 766| 155| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 959| static Self from_stash(const std::array& stash) { 775| 959| static_assert(L >= N); 776| 959| std::array val = {}; 777| 6.71k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 5.75k, False: 959] ------------------ 778| 5.75k| val[i] = stash[i]; 779| 5.75k| } 780| 959| return Self(val); 781| 959| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE7is_zeroEv: 225| 311| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEeqERKSA_: 722| 137| constexpr CT::Choice operator==(const Self& other) const { 723| 137| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsENS_13MontgomeryRepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 137| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 156| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 156| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 156] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 156| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 156| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 156] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 156| return Self::from_words(words); 807| 156| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE10from_wordsILm6EEESA_NSt3__15arrayImXT_EEE: 211| 156| static constexpr Self from_words(std::array w) { 212| 156| if constexpr(L == N) { 213| 156| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 156| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E12ScalarParamsEE6to_repERKNSt3__15arrayImLm6EEE: 115| 156| constexpr static std::array to_rep(const std::array& x) { 116| 156| std::array z; // NOLINT(*-member-init) 117| 156| comba_mul(z.data(), x.data(), R2.data()); 118| 156| return Self::redc(z); 119| 156| } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm97EEE: 941| 137| constexpr void serialize_to(std::span bytes) const { 942| 137| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 137| do { \ | | 52| 137| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 137| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 137] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 137| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 137] | | ------------------ ------------------ 943| 137| BufferStuffer pack(bytes); 944| 137| pack.append(0x04); 945| 137| x().serialize_to(pack.next()); 946| 137| y().serialize_to(pack.next()); 947| 137| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 137| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 137| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 137] | | ------------------ ------------------ 948| 137| } pcurves_brainpool512r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 139| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 139| auto x = pt.x(); 1027| 139| auto y = pt.y(); 1028| 139| auto z = FieldElement::one(); 1029| | 1030| 139| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 139| return ProjectiveCurvePoint(x, y, z); 1033| 139| } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE1xEv: 971| 416k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE1yEv: 976| 404k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE3oneEv: 200| 12.0k| static constexpr Self one() { return Self(Rep::one()); } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE3oneEv: 99| 12.0k| constexpr static std::array one() { return R1; } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEC2ENSt3__15arrayImLm8EEE: 898| 358k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 139| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 139| const W mask = cond.into_bitmask(); 412| | 413| 1.25k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 1.11k, False: 139] ------------------ 414| 1.11k| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 1.11k| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 1.11k| x.m_val[i] = nx; 417| 1.11k| y.m_val[i] = ny; 418| 1.11k| } 419| 139| } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE11is_identityEv: 928| 12.2k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE7is_zeroEv: 225| 68.6k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 15.2k| m_x(x), m_y(y), m_z(z) {} pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.64k| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| 1.64k| } else { 1127| 1.64k| return dbl_generic(*this, A); 1128| 1.64k| } 1129| 1.64k| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E1zEv: 1172| 86.3k| constexpr const FieldElement& z() const { return m_z; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE6squareEv: 426| 56.4k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 56.4k| std::array z; // NOLINT(*-member-init) 428| 56.4k| comba_sqr(z.data(), this->data()); 429| 56.4k| return Self(Rep::redc(z)); 430| 56.4k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4dataEv: 896| 446k| constexpr const W* data() const { return m_val.data(); } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE4redcERKNSt3__15arrayImLm16EEE: 104| 280k| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 280k| } else { 108| 280k| return monty_redc(z, P, P_dash); 109| 280k| } 110| 280k| } pcurves_brainpool512r1.cpp:_ZN5BotanplERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEESC_: 265| 17.1k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 17.1k| std::array t; // NOLINT(*-member-init) 267| | 268| 17.1k| W carry = 0; 269| 154k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 136k, False: 17.1k] ------------------ 270| 136k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 136k| } 272| | 273| 17.1k| std::array r; // NOLINT(*-member-init) 274| 17.1k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 17.1k| return Self(r); 276| 17.1k| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E1xEv: 1162| 47.9k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul3Ev: 335| 1.64k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_brainpool512r1.cpp:_ZN5BotanmlERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEESC_: 346| 139k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 139k| std::array z; // NOLINT(*-member-init) 348| 139k| comba_mul(z.data(), a.data(), b.data()); 349| 139k| return Self(Rep::redc(z)); 350| 139k| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E1yEv: 1167| 47.9k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul4Ev: 338| 1.64k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_brainpool512r1.cpp:_ZN5BotanmiERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEESC_: 281| 84.0k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 84.0k| std::array r; // NOLINT(*-member-init) 283| 84.0k| W carry = 0; 284| 756k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 672k, False: 84.0k] ------------------ 285| 672k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 672k| } 287| | 288| 84.0k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 84.0k| carry = 0; 291| | 292| 756k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 672k, False: 84.0k] ------------------ 293| 672k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 672k| } 295| | 296| 84.0k| return Self(r); 297| 84.0k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul2Ev: 325| 13.1k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 13.1k| std::array t = value(); 327| 13.1k| const W carry = shift_left<1>(t); 328| | 329| 13.1k| std::array r; // NOLINT(*-member-init) 330| 13.1k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 13.1k| return Self(r); 332| 13.1k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE5valueEv: 894| 13.1k| constexpr const std::array& value() const { return m_val; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul8Ev: 341| 1.64k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_brainpool512r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_EESE_: 1064| 1.45k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.45k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 17.7k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 26.5k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 26.5k| const W mask = cond.into_bitmask(); 397| | 398| 238k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 212k, False: 26.5k] ------------------ 399| 212k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 212k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 212k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 212k| } 403| 26.5k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE6invertEv: 538| 138| constexpr Self invert() const { return pow_vartime(Self::P_MINUS_2); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE11pow_vartimeERKNSt3__15arrayImLm8EEE: 477| 138| constexpr Self pow_vartime(const std::array& exp) const { 478| 138| constexpr size_t WindowBits = (Self::BITS <= 256) ? 4 : 5; ------------------ | Branch (478:40): [Folded, False: 138] ------------------ 479| 138| constexpr size_t WindowElements = (1 << WindowBits) - 1; 480| | 481| 138| constexpr size_t Windows = (Self::BITS + WindowBits - 1) / WindowBits; 482| | 483| | /* 484| | A simple fixed width window modular multiplication. 485| | 486| | TODO: investigate using sliding window here 487| | */ 488| | 489| 138| std::array tbl; 490| | 491| 138| tbl[0] = (*this); 492| | 493| 4.27k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (493:28): [True: 4.14k, False: 138] ------------------ 494| | // Conditional ok: table indexes are public here 495| 4.14k| if(i % 2 == 1) { ------------------ | Branch (495:16): [True: 2.07k, False: 2.07k] ------------------ 496| 2.07k| tbl[i] = tbl[i / 2].square(); 497| 2.07k| } else { 498| 2.07k| tbl[i] = tbl[i - 1] * tbl[0]; 499| 2.07k| } 500| 4.14k| } 501| | 502| 138| auto r = Self::one(); 503| | 504| 138| const size_t w0 = read_window_bits(std::span{exp}, (Windows - 1) * WindowBits); 505| | 506| | // Conditional ok: this function is variable time 507| 138| if(w0 > 0) { ------------------ | Branch (507:13): [True: 138, False: 0] ------------------ 508| 138| r = tbl[w0 - 1]; 509| 138| } 510| | 511| 14.2k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (511:28): [True: 14.0k, False: 138] ------------------ 512| 14.0k| r.square_n(WindowBits); 513| | 514| 14.0k| const size_t w = read_window_bits(std::span{exp}, (Windows - i - 1) * WindowBits); 515| | 516| | // Conditional ok: this function is variable time 517| 14.0k| if(w > 0) { ------------------ | Branch (517:16): [True: 13.8k, False: 276] ------------------ 518| 13.8k| r *= tbl[w - 1]; 519| 13.8k| } 520| 14.0k| } 521| | 522| 138| return r; 523| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEC2Ev: 180| 4.27k| constexpr IntMod() : m_val({}) {} pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE8square_nEm: 439| 14.0k| constexpr void square_n(size_t n) { 440| 14.0k| std::array z; // NOLINT(*-member-init) 441| 84.4k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 70.3k, False: 14.0k] ------------------ 442| 70.3k| comba_sqr(z.data(), this->data()); 443| 70.3k| m_val = Rep::redc(z); 444| 70.3k| } 445| 14.0k| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEmLERKSA_: 355| 13.8k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 13.8k| std::array z; // NOLINT(*-member-init) 357| 13.8k| comba_mul(z.data(), data(), other.data()); 358| 13.8k| m_val = Rep::redc(z); 359| 13.8k| return (*this); 360| 13.8k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 366| for(;;) { 618| | // Conditional ok: this function is variable time 619| 366| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 365] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 365| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 365| std::array r; // NOLINT(*-member-init) 640| 365| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 365| if(carry == 0) { ------------------ | Branch (643:16): [True: 175, False: 190] ------------------ 644| | // b > a 645| 175| b.m_val = r; 646| 175| x = nx; 647| 175| Self::_invert_vartime_div2_helper(b, x); 648| 190| } else { 649| | // We know this can't underflow because a > b 650| 190| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 190| a.m_val = r; 652| 190| y = nx; 653| 190| Self::_invert_vartime_div2_helper(a, y); 654| 190| } 655| 365| } 656| 1| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4zeroEv: 195| 23.7k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE8from_repERKNSt3__15arrayImLm8EEE: 137| 277| constexpr static std::array from_rep(const std::array& z) { 138| 277| std::array ze = {}; 139| 277| copy_mem(std::span{ze}.template first(), z); 140| 277| return Self::redc(ze); 141| 277| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 367| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 367| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 1.08k| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 713, False: 367] ------------------ 552| 713| shift_right<1>(a.m_val); 553| | 554| 713| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 713| if(borrow) { ------------------ | Branch (557:16): [True: 362, False: 351] ------------------ 558| 362| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 362| } 560| 713| } 561| 367| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE6negateEv: 452| 11.8k| constexpr Self negate() const { 453| 11.8k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 11.8k| std::array r; // NOLINT(*-member-init) 456| 11.8k| W carry = 0; 457| 106k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 94.9k, False: 11.8k] ------------------ 458| 94.9k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 94.9k| } 460| | 461| 11.8k| return Self(r); 462| 11.8k| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE6to_repERKNSt3__15arrayImLm8EEE: 115| 1| constexpr static std::array to_rep(const std::array& x) { 116| 1| std::array z; // NOLINT(*-member-init) 117| 1| comba_mul(z.data(), x.data(), R2.data()); 118| 1| return Self::redc(z); 119| 1| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 15.3k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 690| std::array stash_value() const { 760| 690| static_assert(L >= N); 761| 690| std::array stash = {}; 762| 6.21k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 5.52k, False: 690] ------------------ 763| 5.52k| stash[i] = m_val[i]; 764| 5.52k| } 765| 690| return stash; 766| 690| } pcurves_brainpool512r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 138| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 138| const BlindedScalar scalar(s, rng); 1409| 138| return basemul_booth_exec(m_table, scalar, rng); 1410| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 138| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 138| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 138, Folded] | Branch (1308:33): [True: 0, False: 138] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| | if constexpr(ExcessBits > 0) { 1323| | constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| | mask[MaskWords - 1] &= ExcessMask; 1325| | } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 138| } else { 1344| | // No RNG available, skip blinding 1345| 138| m_bytes.resize(C::Scalar::BYTES); 1346| 138| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 138| m_bits = C::Scalar::BITS; 1348| 138| } 1349| | 1350| 138| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E12ScalarParamsEE8from_repERKNSt3__15arrayImLm8EEE: 137| 280| constexpr static std::array from_rep(const std::array& z) { 138| 280| std::array ze = {}; 139| 280| copy_mem(std::span{ze}.template first(), z); 140| 280| return Self::redc(ze); 141| 280| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E12ScalarParamsEE4redcERKNSt3__15arrayImLm16EEE: 104| 424| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 424| } else { 108| 424| return monty_redc(z, P, P_dash); 109| 424| } 110| 424| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm64EEE: 739| 280| constexpr void serialize_to(std::span bytes) const { 740| 280| auto v = Rep::from_rep(m_val); 741| 280| std::reverse(v.begin(), v.end()); 742| | 743| 280| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 280| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 280| } pcurves_brainpool512r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EE4bitsEv: 1305| 138| size_t bits() const { return m_bits; } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 138| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 138| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 138| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E6negateEv: 1134| 138| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 138| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18_const_time_poisonEv: 889| 414| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_brainpool512r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EE10get_windowEm: 1353| 11.8k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 11.8k| return read_window_bits(std::span{m_bytes}, offset); 1356| 11.8k| } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 11.7k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 11.7k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 11.7k| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 11.7k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 11.7k| const W mask = cond.into_bitmask(); 369| | 370| 105k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 93.8k, False: 11.7k] ------------------ 371| 93.8k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 93.8k| } 373| 11.7k| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 11.8k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 11.8k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 11.8k| const size_t idx1 = static_cast(idx - 1); 960| 391k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 379k, False: 11.8k] ------------------ 961| 379k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 379k| result.conditional_assign(found, pts[i]); 963| 379k| } 964| | 965| 11.8k| return result; 966| 11.8k| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE8identityERKSC_: 924| 11.8k| static constexpr Self identity(const Self& /*unused*/) { 925| 11.8k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 11.8k| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 379k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 379k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 379k| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 379k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 379k| const W mask = cond.into_bitmask(); 382| | 383| 3.41M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 3.03M, False: 379k] ------------------ 384| 3.03M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 3.03M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 3.03M| } 387| 379k| } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 552| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 552| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 552] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 552| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 138| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 414| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_brainpool512r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EED2Ev: 1358| 138| ~BlindedScalarBits() { 1359| 138| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 138| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 422| static Self from_stash(const std::array& stash) { 775| 422| static_assert(L >= N); 776| 422| std::array val = {}; 777| 3.79k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.37k, False: 422] ------------------ 778| 3.37k| val[i] = stash[i]; 779| 3.37k| } 780| 422| return Self(val); 781| 422| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEEC2ENSt3__15arrayImLm8EEE: 898| 566| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm64EEE: 739| 276| constexpr void serialize_to(std::span bytes) const { 740| 276| auto v = Rep::from_rep(m_val); 741| 276| std::reverse(v.begin(), v.end()); 742| | 743| 276| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 276| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 276| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 142| std::array stash_value() const { 760| 142| static_assert(L >= N); 761| 142| std::array stash = {}; 762| 1.27k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 1.13k, False: 142] ------------------ 763| 1.13k| stash[i] = m_val[i]; 764| 1.13k| } 765| 142| return stash; 766| 142| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 966| static Self from_stash(const std::array& stash) { 775| 966| static_assert(L >= N); 776| 966| std::array val = {}; 777| 8.69k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 7.72k, False: 966] ------------------ 778| 7.72k| val[i] = stash[i]; 779| 7.72k| } 780| 966| return Self(val); 781| 966| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE7is_zeroEv: 225| 286| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEeqERKSA_: 722| 138| constexpr CT::Choice operator==(const Self& other) const { 723| 138| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsENS_13MontgomeryRepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 138| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 144| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 144| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 144] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 144| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 144| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 144] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 144| return Self::from_words(words); 807| 144| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE10from_wordsILm8EEESA_NSt3__15arrayImXT_EEE: 211| 144| static constexpr Self from_words(std::array w) { 212| 144| if constexpr(L == N) { 213| 144| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 144| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E12ScalarParamsEE6to_repERKNSt3__15arrayImLm8EEE: 115| 144| constexpr static std::array to_rep(const std::array& x) { 116| 144| std::array z; // NOLINT(*-member-init) 117| 144| comba_mul(z.data(), x.data(), R2.data()); 118| 144| return Self::redc(z); 119| 144| } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm129EEE: 941| 138| constexpr void serialize_to(std::span bytes) const { 942| 138| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 138| do { \ | | 52| 138| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 138| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 138] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 138| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 138] | | ------------------ ------------------ 943| 138| BufferStuffer pack(bytes); 944| 138| pack.append(0x04); 945| 138| x().serialize_to(pack.next()); 946| 138| y().serialize_to(pack.next()); 947| 138| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 138| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 138| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 138] | | ------------------ ------------------ 948| 138| } pcurves_secp192r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_12Secp192r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 196| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 196| auto x = pt.x(); 1027| 196| auto y = pt.y(); 1028| 196| auto z = FieldElement::one(); 1029| | 1030| 196| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 196| return ProjectiveCurvePoint(x, y, z); 1033| 196| } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 226k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 219k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 6.43k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm3EEE: 898| 176k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 196| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 196| const W mask = cond.into_bitmask(); 412| | 413| 784| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 588, False: 196] ------------------ 414| 588| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 588| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 588| x.m_val[i] = nx; 417| 588| y.m_val[i] = ny; 418| 588| } 419| 196| } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 7.02k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 36.1k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 8.01k| m_x(x), m_y(y), m_z(z) {} pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 629| constexpr Self dbl() const { 1122| 629| if constexpr(Self::A_is_minus_3) { 1123| 629| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 629| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 42.5k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 26.0k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 26.0k| std::array z; // NOLINT(*-member-init) 428| 26.0k| comba_sqr(z.data(), this->data()); 429| 26.0k| return Self(Rep::redc(z)); 430| 26.0k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 207k| constexpr const W* data() const { return m_val.data(); } pcurves_secp192r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 66.9k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 66.9k| std::array z; // NOLINT(*-member-init) 348| 66.9k| comba_mul(z.data(), a.data(), b.data()); 349| 66.9k| return Self(Rep::redc(z)); 350| 66.9k| } pcurves_secp192r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 43.2k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 43.2k| std::array r; // NOLINT(*-member-init) 283| 43.2k| W carry = 0; 284| 173k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 129k, False: 43.2k] ------------------ 285| 129k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 129k| } 287| | 288| 43.2k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 43.2k| carry = 0; 291| | 292| 173k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 129k, False: 43.2k] ------------------ 293| 129k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 129k| } 295| | 296| 43.2k| return Self(r); 297| 43.2k| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 24.7k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 629| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp192r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 8.58k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 8.58k| std::array t; // NOLINT(*-member-init) 267| | 268| 8.58k| W carry = 0; 269| 34.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 25.7k, False: 8.58k] ------------------ 270| 25.7k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 25.7k| } 272| | 273| 8.58k| std::array r; // NOLINT(*-member-init) 274| 8.58k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 8.58k| return Self(r); 276| 8.58k| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 24.1k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 629| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 5.03k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 5.03k| std::array t = value(); 327| 5.03k| const W carry = shift_left<1>(t); 328| | 329| 5.03k| std::array r; // NOLINT(*-member-init) 330| 5.03k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 5.03k| return Self(r); 332| 5.03k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 5.03k| constexpr const std::array& value() const { return m_val; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 629| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp192r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 555| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 555| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 8.53k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 13.7k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 13.7k| const W mask = cond.into_bitmask(); 397| | 398| 55.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 41.3k, False: 13.7k] ------------------ 399| 41.3k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 41.3k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 41.3k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 41.3k| } 403| 13.7k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 2.14k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 2.14k| std::array z; // NOLINT(*-member-init) 357| 2.14k| comba_mul(z.data(), data(), other.data()); 358| 2.14k| m_val = Rep::redc(z); 359| 2.14k| return (*this); 360| 2.14k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.75k| constexpr void square_n(size_t n) { 440| 1.75k| std::array z; // NOLINT(*-member-init) 441| 38.2k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 36.4k, False: 1.75k] ------------------ 442| 36.4k| comba_sqr(z.data(), this->data()); 443| 36.4k| m_val = Rep::redc(z); 444| 36.4k| } 445| 1.75k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 144| for(;;) { 618| | // Conditional ok: this function is variable time 619| 144| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 143] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 143| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 143| std::array r; // NOLINT(*-member-init) 640| 143| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 143| if(carry == 0) { ------------------ | Branch (643:16): [True: 74, False: 69] ------------------ 644| | // b > a 645| 74| b.m_val = r; 646| 74| x = nx; 647| 74| Self::_invert_vartime_div2_helper(b, x); 648| 74| } else { 649| | // We know this can't underflow because a > b 650| 69| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 69| a.m_val = r; 652| 69| y = nx; 653| 69| Self::_invert_vartime_div2_helper(a, y); 654| 69| } 655| 143| } 656| 1| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 12.8k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 145| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 145| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 402| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 257, False: 145] ------------------ 552| 257| shift_right<1>(a.m_val); 553| | 554| 257| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 257| if(borrow) { ------------------ | Branch (557:16): [True: 110, False: 147] ------------------ 558| 110| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 110| } 560| 257| } 561| 145| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 6.43k| constexpr Self negate() const { 453| 6.43k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 6.43k| std::array r; // NOLINT(*-member-init) 456| 6.43k| W carry = 0; 457| 25.7k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 19.3k, False: 6.43k] ------------------ 458| 19.3k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 19.3k| } 460| | 461| 6.43k| return Self(r); 462| 6.43k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 8.20k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 975| std::array stash_value() const { 760| 975| static_assert(L >= N); 761| 975| std::array stash = {}; 762| 3.90k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 2.92k, False: 975] ------------------ 763| 2.92k| stash[i] = m_val[i]; 764| 2.92k| } 765| 975| return stash; 766| 975| } pcurves_secp192r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp192r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 195| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 195| const BlindedScalar scalar(s, rng); 1409| 195| return basemul_booth_exec(m_table, scalar, rng); 1410| 195| } pcurves_secp192r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp192r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 195| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 195| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 195, Folded] | Branch (1308:33): [True: 0, False: 195] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 195| } else { 1344| | // No RNG available, skip blinding 1345| 195| m_bytes.resize(C::Scalar::BYTES); 1346| 195| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 195| m_bits = C::Scalar::BITS; 1348| 195| } 1349| | 1350| 195| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 195| } pcurves_secp192r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS4_12Secp192r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm3EEE: 137| 390| constexpr static std::array from_rep(const std::array& z) { 138| 390| std::array ze = {}; 139| 390| copy_mem(std::span{ze}.template first(), z); 140| 390| return Self::redc(ze); 141| 390| } pcurves_secp192r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS4_12Secp192r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm6EEE: 104| 586| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 586| } else { 108| 586| return monty_redc(z, P, P_dash); 109| 586| } 110| 586| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm24EEE: 739| 390| constexpr void serialize_to(std::span bytes) const { 740| 390| auto v = Rep::from_rep(m_val); 741| 390| std::reverse(v.begin(), v.end()); 742| | 743| 390| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 390| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 390| } pcurves_secp192r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EE4bitsEv: 1305| 195| size_t bits() const { return m_bits; } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 195| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 195| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 195| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 195| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 195| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 585| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp192r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EE10get_windowEm: 1353| 6.43k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 6.43k| return read_window_bits(std::span{m_bytes}, offset); 1356| 6.43k| } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 6.24k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 6.24k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 6.24k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 6.24k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 6.24k| const W mask = cond.into_bitmask(); 369| | 370| 24.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 18.7k, False: 6.24k] ------------------ 371| 18.7k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 18.7k| } 373| 6.24k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 6.43k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 6.43k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 6.43k| const size_t idx1 = static_cast(idx - 1); 960| 212k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 205k, False: 6.43k] ------------------ 961| 205k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 205k| result.conditional_assign(found, pts[i]); 963| 205k| } 964| | 965| 6.43k| return result; 966| 6.43k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 6.43k| static constexpr Self identity(const Self& /*unused*/) { 925| 6.43k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 6.43k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 205k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 205k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 205k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 205k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 205k| const W mask = cond.into_bitmask(); 382| | 383| 823k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 617k, False: 205k] ------------------ 384| 617k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 617k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 617k| } 387| 205k| } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 780| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 780| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 780] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 780| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 195| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 585| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp192r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EED2Ev: 1358| 195| ~BlindedScalarBits() { 1359| 195| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 195| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 195| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 585| static Self from_stash(const std::array& stash) { 775| 585| static_assert(L >= N); 776| 585| std::array val = {}; 777| 2.34k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 1.75k, False: 585] ------------------ 778| 1.75k| val[i] = stash[i]; 779| 1.75k| } 780| 585| return Self(val); 781| 585| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm3EEE: 898| 781| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm24EEE: 739| 390| constexpr void serialize_to(std::span bytes) const { 740| 390| auto v = Rep::from_rep(m_val); 741| 390| std::reverse(v.begin(), v.end()); 742| | 743| 390| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 390| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 390| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 195| std::array stash_value() const { 760| 195| static_assert(L >= N); 761| 195| std::array stash = {}; 762| 780| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 585, False: 195] ------------------ 763| 585| stash[i] = m_val[i]; 764| 585| } 765| 195| return stash; 766| 195| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.36k| static Self from_stash(const std::array& stash) { 775| 1.36k| static_assert(L >= N); 776| 1.36k| std::array val = {}; 777| 5.46k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 4.09k, False: 1.36k] ------------------ 778| 4.09k| val[i] = stash[i]; 779| 4.09k| } 780| 1.36k| return Self(val); 781| 1.36k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 391| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 195| constexpr CT::Choice operator==(const Self& other) const { 723| 195| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 195| } pcurves_secp192r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS3_12Secp192r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 195| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 196| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 196| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 196] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 196| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 196| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 196] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 196| return Self::from_words(words); 807| 196| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE10from_wordsILm3EEESB_NSt3__15arrayImXT_EEE: 211| 196| static constexpr Self from_words(std::array w) { 212| 196| if constexpr(L == N) { 213| 196| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 196| } pcurves_secp192r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS4_12Secp192r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm3EEE: 115| 196| constexpr static std::array to_rep(const std::array& x) { 116| 196| std::array z; // NOLINT(*-member-init) 117| 196| comba_mul(z.data(), x.data(), R2.data()); 118| 196| return Self::redc(z); 119| 196| } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm49EEE: 941| 195| constexpr void serialize_to(std::span bytes) const { 942| 195| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 195| do { \ | | 52| 195| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 195| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 195] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 195| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 195] | | ------------------ ------------------ 943| 195| BufferStuffer pack(bytes); 944| 195| pack.append(0x04); 945| 195| x().serialize_to(pack.next()); 946| 195| y().serialize_to(pack.next()); 947| 195| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 195| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 195| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 195] | | ------------------ ------------------ 948| 195| } pcurves_secp224r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_12Secp224r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 132| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 132| auto x = pt.x(); 1027| 132| auto y = pt.y(); 1028| 132| auto z = FieldElement::one(); 1029| | 1030| 132| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 132| return ProjectiveCurvePoint(x, y, z); 1033| 132| } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 174k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 170k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 4.97k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 150k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 132| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 132| const W mask = cond.into_bitmask(); 412| | 413| 660| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 528, False: 132] ------------------ 414| 528| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 528| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 528| x.m_val[i] = nx; 417| 528| y.m_val[i] = ny; 418| 528| } 419| 132| } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 5.37k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 29.2k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 6.61k| m_x(x), m_y(y), m_z(z) {} pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 731| constexpr Self dbl() const { 1122| 731| if constexpr(Self::A_is_minus_3) { 1123| 731| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 731| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 36.9k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 22.5k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 22.5k| std::array z; // NOLINT(*-member-init) 428| 22.5k| comba_sqr(z.data(), this->data()); 429| 22.5k| return Self(Rep::redc(z)); 430| 22.5k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 176k| constexpr const W* data() const { return m_val.data(); } pcurves_secp224r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 58.2k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 58.2k| std::array z; // NOLINT(*-member-init) 348| 58.2k| comba_mul(z.data(), a.data(), b.data()); 349| 58.2k| return Self(Rep::redc(z)); 350| 58.2k| } pcurves_secp224r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 35.8k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 35.8k| std::array r; // NOLINT(*-member-init) 283| 35.8k| W carry = 0; 284| 179k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 143k, False: 35.8k] ------------------ 285| 143k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 143k| } 287| | 288| 35.8k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 35.8k| carry = 0; 291| | 292| 179k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 143k, False: 35.8k] ------------------ 293| 143k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 143k| } 295| | 296| 35.8k| return Self(r); 297| 35.8k| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 21.2k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 731| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp224r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 7.47k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 7.47k| std::array t; // NOLINT(*-member-init) 267| | 268| 7.47k| W carry = 0; 269| 37.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 29.8k, False: 7.47k] ------------------ 270| 29.8k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 29.8k| } 272| | 273| 7.47k| std::array r; // NOLINT(*-member-init) 274| 7.47k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 7.47k| return Self(r); 276| 7.47k| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 20.4k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 731| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 5.84k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 5.84k| std::array t = value(); 327| 5.84k| const W carry = shift_left<1>(t); 328| | 329| 5.84k| std::array r; // NOLINT(*-member-init) 330| 5.84k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 5.84k| return Self(r); 332| 5.84k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 5.84k| constexpr const std::array& value() const { return m_val; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 731| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp224r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 645| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 645| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 7.51k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 11.1k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 11.1k| const W mask = cond.into_bitmask(); 397| | 398| 55.5k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 44.4k, False: 11.1k] ------------------ 399| 44.4k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 44.4k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 44.4k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 44.4k| } 403| 11.1k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 1.57k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.57k| std::array z; // NOLINT(*-member-init) 357| 1.57k| comba_mul(z.data(), data(), other.data()); 358| 1.57k| m_val = Rep::redc(z); 359| 1.57k| return (*this); 360| 1.57k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.04k| constexpr void square_n(size_t n) { 440| 1.04k| std::array z; // NOLINT(*-member-init) 441| 29.6k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 28.5k, False: 1.04k] ------------------ 442| 28.5k| comba_sqr(z.data(), this->data()); 443| 28.5k| m_val = Rep::redc(z); 444| 28.5k| } 445| 1.04k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 153| for(;;) { 618| | // Conditional ok: this function is variable time 619| 153| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 152] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 152| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 152| std::array r; // NOLINT(*-member-init) 640| 152| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 152| if(carry == 0) { ------------------ | Branch (643:16): [True: 81, False: 71] ------------------ 644| | // b > a 645| 81| b.m_val = r; 646| 81| x = nx; 647| 81| Self::_invert_vartime_div2_helper(b, x); 648| 81| } else { 649| | // We know this can't underflow because a > b 650| 71| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 71| a.m_val = r; 652| 71| y = nx; 653| 71| Self::_invert_vartime_div2_helper(a, y); 654| 71| } 655| 152| } 656| 1| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 9.95k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 154| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 154| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 479| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 325, False: 154] ------------------ 552| 325| shift_right<1>(a.m_val); 553| | 554| 325| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 325| if(borrow) { ------------------ | Branch (557:16): [True: 200, False: 125] ------------------ 558| 200| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 200| } 560| 325| } 561| 154| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 4.98k| constexpr Self negate() const { 453| 4.98k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 4.98k| std::array r; // NOLINT(*-member-init) 456| 4.98k| W carry = 0; 457| 24.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 19.9k, False: 4.98k] ------------------ 458| 19.9k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 19.9k| } 460| | 461| 4.98k| return Self(r); 462| 4.98k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 6.75k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 657| std::array stash_value() const { 760| 657| static_assert(L >= N); 761| 657| std::array stash = {}; 762| 3.28k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 2.62k, False: 657] ------------------ 763| 2.62k| stash[i] = m_val[i]; 764| 2.62k| } 765| 657| return stash; 766| 657| } pcurves_secp224r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp224r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 131| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 131| const BlindedScalar scalar(s, rng); 1409| 131| return basemul_booth_exec(m_table, scalar, rng); 1410| 131| } pcurves_secp224r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp224r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 131| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 131| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 131, Folded] | Branch (1308:33): [True: 0, False: 131] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 131| } else { 1344| | // No RNG available, skip blinding 1345| 131| m_bytes.resize(C::Scalar::BYTES); 1346| 131| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 131| m_bits = C::Scalar::BITS; 1348| 131| } 1349| | 1350| 131| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 131| } pcurves_secp224r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS4_12Secp224r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 324| constexpr static std::array from_rep(const std::array& z) { 138| 324| std::array ze = {}; 139| 324| copy_mem(std::span{ze}.template first(), z); 140| 324| return Self::redc(ze); 141| 324| } pcurves_secp224r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS4_12Secp224r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 518| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 518| } else { 108| 518| return monty_redc(z, P, P_dash); 109| 518| } 110| 518| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm28EEE: 739| 324| constexpr void serialize_to(std::span bytes) const { 740| 324| auto v = Rep::from_rep(m_val); 741| 324| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 324| } else { 746| | // Remove leading zero bytes 747| 324| const auto padded_bytes = store_be(v); 748| 324| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 324| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 324| } 751| 324| } pcurves_secp224r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EE4bitsEv: 1305| 131| size_t bits() const { return m_bits; } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 131| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 131| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 131| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 131| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 131| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 393| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp224r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EE10get_windowEm: 1353| 4.97k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 4.97k| return read_window_bits(std::span{m_bytes}, offset); 1356| 4.97k| } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 4.84k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 4.84k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 4.84k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 4.84k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 4.84k| const W mask = cond.into_bitmask(); 369| | 370| 24.2k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 19.3k, False: 4.84k] ------------------ 371| 19.3k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 19.3k| } 373| 4.84k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 4.97k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 4.97k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 4.97k| const size_t idx1 = static_cast(idx - 1); 960| 164k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 159k, False: 4.97k] ------------------ 961| 159k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 159k| result.conditional_assign(found, pts[i]); 963| 159k| } 964| | 965| 4.97k| return result; 966| 4.97k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 4.97k| static constexpr Self identity(const Self& /*unused*/) { 925| 4.97k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 4.97k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 159k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 159k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 159k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 159k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 159k| const W mask = cond.into_bitmask(); 382| | 383| 796k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 637k, False: 159k] ------------------ 384| 637k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 637k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 637k| } 387| 159k| } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 524| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 524| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 524] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 524| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 112| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 112| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 112] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 112| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 112| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 4, False: 108] ------------------ 802| 4| return {}; 803| 4| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 108| return Self::from_words(words); 807| 112| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_wordsILm4EEESA_NSt3__15arrayImXT_EEE: 211| 108| static constexpr Self from_words(std::array w) { 212| 108| if constexpr(L == N) { 213| 108| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 108| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 131| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 393| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp224r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EED2Ev: 1358| 131| ~BlindedScalarBits() { 1359| 131| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 131| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 131| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 517| static Self from_stash(const std::array& stash) { 775| 517| static_assert(L >= N); 776| 517| std::array val = {}; 777| 2.58k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.06k, False: 517] ------------------ 778| 2.06k| val[i] = stash[i]; 779| 2.06k| } 780| 517| return Self(val); 781| 517| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 711| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm28EEE: 739| 264| constexpr void serialize_to(std::span bytes) const { 740| 264| auto v = Rep::from_rep(m_val); 741| 264| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 264| } else { 746| | // Remove leading zero bytes 747| 264| const auto padded_bytes = store_be(v); 748| 264| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 264| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 264| } 751| 264| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 193| std::array stash_value() const { 760| 193| static_assert(L >= N); 761| 193| std::array stash = {}; 762| 965| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 772, False: 193] ------------------ 763| 772| stash[i] = m_val[i]; 764| 772| } 765| 193| return stash; 766| 193| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 921| static Self from_stash(const std::array& stash) { 775| 921| static_assert(L >= N); 776| 921| std::array val = {}; 777| 4.60k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.68k, False: 921] ------------------ 778| 3.68k| val[i] = stash[i]; 779| 3.68k| } 780| 921| return Self(val); 781| 921| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 387| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 184| constexpr CT::Choice operator==(const Self& other) const { 723| 184| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 184| } pcurves_secp224r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS3_12Secp224r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 184| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 195| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 195| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 195] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 195| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 195| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 1, False: 194] ------------------ 802| 1| return {}; 803| 1| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 194| return Self::from_words(words); 807| 195| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE10from_wordsILm4EEESB_NSt3__15arrayImXT_EEE: 211| 194| static constexpr Self from_words(std::array w) { 212| 194| if constexpr(L == N) { 213| 194| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 194| } pcurves_secp224r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS4_12Secp224r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 194| constexpr static std::array to_rep(const std::array& x) { 116| 194| std::array z; // NOLINT(*-member-init) 117| 194| comba_mul(z.data(), x.data(), R2.data()); 118| 194| return Self::redc(z); 119| 194| } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm57EEE: 941| 132| constexpr void serialize_to(std::span bytes) const { 942| 132| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 132| do { \ | | 52| 132| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 132| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 132] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 132| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 132] | | ------------------ ------------------ 943| 132| BufferStuffer pack(bytes); 944| 132| pack.append(0x04); 945| 132| x().serialize_to(pack.next()); 946| 132| y().serialize_to(pack.next()); 947| 132| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 132| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 132| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 132] | | ------------------ ------------------ 948| 132| } pcurves_secp256k1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_12Secp256k1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 135| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 135| auto x = pt.x(); 1027| 135| auto y = pt.y(); 1028| 135| auto z = FieldElement::one(); 1029| | 1030| 135| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 135| return ProjectiveCurvePoint(x, y, z); 1033| 135| } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 202k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 196k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 5.76k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 170k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 135| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 135| const W mask = cond.into_bitmask(); 412| | 413| 675| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 540, False: 135] ------------------ 414| 540| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 540| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 540| x.m_val[i] = nx; 417| 540| y.m_val[i] = ny; 418| 540| } 419| 135| } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 6.16k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 33.7k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 7.59k| m_x(x), m_y(y), m_z(z) {} pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 833| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| 833| } else if constexpr(Self::A_is_zero) { 1125| 833| return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 833| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 23.5k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 25.3k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 25.3k| std::array z; // NOLINT(*-member-init) 428| 25.3k| comba_sqr(z.data(), this->data()); 429| 25.3k| return Self(Rep::redc(z)); 430| 25.3k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 202k| constexpr const W* data() const { return m_val.data(); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 833| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp256k1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 7.63k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 7.63k| std::array t; // NOLINT(*-member-init) 267| | 268| 7.63k| W carry = 0; 269| 38.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 30.5k, False: 7.63k] ------------------ 270| 30.5k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 30.5k| } 272| | 273| 7.63k| std::array r; // NOLINT(*-member-init) 274| 7.63k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 7.63k| return Self(r); 276| 7.63k| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 23.5k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256k1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 66.4k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 66.4k| std::array z; // NOLINT(*-member-init) 348| 66.4k| comba_mul(z.data(), a.data(), b.data()); 349| 66.4k| return Self(Rep::redc(z)); 350| 66.4k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 833| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp256k1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 40.6k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 40.6k| std::array r; // NOLINT(*-member-init) 283| 40.6k| W carry = 0; 284| 203k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 162k, False: 40.6k] ------------------ 285| 162k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 162k| } 287| | 288| 40.6k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 40.6k| carry = 0; 291| | 292| 203k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 162k, False: 40.6k] ------------------ 293| 162k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 162k| } 295| | 296| 40.6k| return Self(r); 297| 40.6k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 6.66k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 6.66k| std::array t = value(); 327| 6.66k| const W carry = shift_left<1>(t); 328| | 329| 6.66k| std::array r; // NOLINT(*-member-init) 330| 6.66k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 6.66k| return Self(r); 332| 6.66k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 6.66k| constexpr const std::array& value() const { return m_val; } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 833| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 41.6k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp256k1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 735| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 735| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 8.66k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 12.8k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 12.8k| const W mask = cond.into_bitmask(); 397| | 398| 64.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 51.4k, False: 12.8k] ------------------ 399| 51.4k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 51.4k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 51.4k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 51.4k| } 403| 12.8k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 1.74k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.74k| std::array z; // NOLINT(*-member-init) 357| 1.74k| comba_mul(z.data(), data(), other.data()); 358| 1.74k| m_val = Rep::redc(z); 359| 1.74k| return (*this); 360| 1.74k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.74k| constexpr void square_n(size_t n) { 440| 1.74k| std::array z; // NOLINT(*-member-init) 441| 35.6k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 33.9k, False: 1.74k] ------------------ 442| 33.9k| comba_sqr(z.data(), this->data()); 443| 33.9k| m_val = Rep::redc(z); 444| 33.9k| } 445| 1.74k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 176| for(;;) { 618| | // Conditional ok: this function is variable time 619| 176| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 175] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 175| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 175| std::array r; // NOLINT(*-member-init) 640| 175| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 175| if(carry == 0) { ------------------ | Branch (643:16): [True: 105, False: 70] ------------------ 644| | // b > a 645| 105| b.m_val = r; 646| 105| x = nx; 647| 105| Self::_invert_vartime_div2_helper(b, x); 648| 105| } else { 649| | // We know this can't underflow because a > b 650| 70| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 70| a.m_val = r; 652| 70| y = nx; 653| 70| Self::_invert_vartime_div2_helper(a, y); 654| 70| } 655| 175| } 656| 1| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 11.5k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 177| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 177| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 541| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 364, False: 177] ------------------ 552| 364| shift_right<1>(a.m_val); 553| | 554| 364| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 364| if(borrow) { ------------------ | Branch (557:16): [True: 186, False: 178] ------------------ 558| 186| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 186| } 560| 364| } 561| 177| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 5.76k| constexpr Self negate() const { 453| 5.76k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 5.76k| std::array r; // NOLINT(*-member-init) 456| 5.76k| W carry = 0; 457| 28.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 23.0k, False: 5.76k] ------------------ 458| 23.0k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 23.0k| } 460| | 461| 5.76k| return Self(r); 462| 5.76k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 7.73k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 670| std::array stash_value() const { 760| 670| static_assert(L >= N); 761| 670| std::array stash = {}; 762| 3.35k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 2.68k, False: 670] ------------------ 763| 2.68k| stash[i] = m_val[i]; 764| 2.68k| } 765| 670| return stash; 766| 670| } pcurves_secp256k1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp256k1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 134| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 134| const BlindedScalar scalar(s, rng); 1409| 134| return basemul_booth_exec(m_table, scalar, rng); 1410| 134| } pcurves_secp256k1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp256k1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 134| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 134| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 134, Folded] | Branch (1308:33): [True: 0, False: 134] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 134| } else { 1344| | // No RNG available, skip blinding 1345| 134| m_bytes.resize(C::Scalar::BYTES); 1346| 134| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 134| m_bits = C::Scalar::BITS; 1348| 134| } 1349| | 1350| 134| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 134| } pcurves_secp256k1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS4_12Secp256k1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 288| constexpr static std::array from_rep(const std::array& z) { 138| 288| std::array ze = {}; 139| 288| copy_mem(std::span{ze}.template first(), z); 140| 288| return Self::redc(ze); 141| 288| } pcurves_secp256k1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS4_12Secp256k1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 443| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 443| } else { 108| 443| return monty_redc(z, P, P_dash); 109| 443| } 110| 443| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 288| constexpr void serialize_to(std::span bytes) const { 740| 288| auto v = Rep::from_rep(m_val); 741| 288| std::reverse(v.begin(), v.end()); 742| | 743| 288| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 288| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 288| } pcurves_secp256k1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EE4bitsEv: 1305| 134| size_t bits() const { return m_bits; } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 134| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 134| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 134| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 134| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 134| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 402| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp256k1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EE10get_windowEm: 1353| 5.76k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 5.76k| return read_window_bits(std::span{m_bytes}, offset); 1356| 5.76k| } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 5.62k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 5.62k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 5.62k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 5.62k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 5.62k| const W mask = cond.into_bitmask(); 369| | 370| 28.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 22.5k, False: 5.62k] ------------------ 371| 22.5k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 22.5k| } 373| 5.62k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 5.76k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 5.76k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 5.76k| const size_t idx1 = static_cast(idx - 1); 960| 190k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 184k, False: 5.76k] ------------------ 961| 184k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 184k| result.conditional_assign(found, pts[i]); 963| 184k| } 964| | 965| 5.76k| return result; 966| 5.76k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 5.76k| static constexpr Self identity(const Self& /*unused*/) { 925| 5.76k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 5.76k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 184k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 184k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 184k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 184k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 184k| const W mask = cond.into_bitmask(); 382| | 383| 921k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 737k, False: 184k] ------------------ 384| 737k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 737k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 737k| } 387| 184k| } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 536| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 536| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 536] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 536| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 134| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 402| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp256k1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EED2Ev: 1358| 134| ~BlindedScalarBits() { 1359| 134| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 134| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 134| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 442| static Self from_stash(const std::array& stash) { 775| 442| static_assert(L >= N); 776| 442| std::array val = {}; 777| 2.21k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 1.76k, False: 442] ------------------ 778| 1.76k| val[i] = stash[i]; 779| 1.76k| } 780| 442| return Self(val); 781| 442| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 597| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 268| constexpr void serialize_to(std::span bytes) const { 740| 268| auto v = Rep::from_rep(m_val); 741| 268| std::reverse(v.begin(), v.end()); 742| | 743| 268| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 268| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 268| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 154| std::array stash_value() const { 760| 154| static_assert(L >= N); 761| 154| std::array stash = {}; 762| 770| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 616, False: 154] ------------------ 763| 616| stash[i] = m_val[i]; 764| 616| } 765| 154| return stash; 766| 154| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 938| static Self from_stash(const std::array& stash) { 775| 938| static_assert(L >= N); 776| 938| std::array val = {}; 777| 4.69k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.75k, False: 938] ------------------ 778| 3.75k| val[i] = stash[i]; 779| 3.75k| } 780| 938| return Self(val); 781| 938| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 309| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 134| constexpr CT::Choice operator==(const Self& other) const { 723| 134| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 134| } pcurves_secp256k1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS3_12Secp256k1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 134| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 155| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 155| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 155] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 155| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 155| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 155] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 155| return Self::from_words(words); 807| 155| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE10from_wordsILm4EEESB_NSt3__15arrayImXT_EEE: 211| 155| static constexpr Self from_words(std::array w) { 212| 155| if constexpr(L == N) { 213| 155| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 155| } pcurves_secp256k1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS4_12Secp256k1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 155| constexpr static std::array to_rep(const std::array& x) { 116| 155| std::array z; // NOLINT(*-member-init) 117| 155| comba_mul(z.data(), x.data(), R2.data()); 118| 155| return Self::redc(z); 119| 155| } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm65EEE: 941| 134| constexpr void serialize_to(std::span bytes) const { 942| 134| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 134| do { \ | | 52| 134| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 134| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 134] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 134| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 134] | | ------------------ ------------------ 943| 134| BufferStuffer pack(bytes); 944| 134| pack.append(0x04); 945| 134| x().serialize_to(pack.next()); 946| 134| y().serialize_to(pack.next()); 947| 134| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 134| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 134| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 134] | | ------------------ ------------------ 948| 134| } pcurves_secp256r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS2_12Secp256r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 160| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 160| auto x = pt.x(); 1027| 160| auto y = pt.y(); 1028| 160| auto z = FieldElement::one(); 1029| | 1030| 160| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 160| return ProjectiveCurvePoint(x, y, z); 1033| 160| } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE1xEv: 971| 240k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE1yEv: 976| 233k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE3oneEv: 200| 6.83k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 196k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 160| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 160| const W mask = cond.into_bitmask(); 412| | 413| 800| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 640, False: 160] ------------------ 414| 640| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 640| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 640| x.m_val[i] = nx; 417| 640| y.m_val[i] = ny; 418| 640| } 419| 160| } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE11is_identityEv: 928| 7.31k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE7is_zeroEv: 225| 39.1k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 8.72k| m_x(x), m_y(y), m_z(z) {} pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E3dblEv: 1121| 833| constexpr Self dbl() const { 1122| 833| if constexpr(Self::A_is_minus_3) { 1123| 833| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 833| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E1zEv: 1172| 47.9k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE6squareEv: 426| 28.8k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 28.8k| std::array z; // NOLINT(*-member-init) 428| 28.8k| comba_sqr(z.data(), this->data()); 429| 28.8k| return Self(Rep::redc(z)); 430| 28.8k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4dataEv: 896| 231k| constexpr const W* data() const { return m_val.data(); } pcurves_secp256r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEESC_: 346| 75.6k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 75.6k| std::array z; // NOLINT(*-member-init) 348| 75.6k| comba_mul(z.data(), a.data(), b.data()); 349| 75.6k| return Self(Rep::redc(z)); 350| 75.6k| } pcurves_secp256r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEESC_: 281| 47.8k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 47.8k| std::array r; // NOLINT(*-member-init) 283| 47.8k| W carry = 0; 284| 239k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 191k, False: 47.8k] ------------------ 285| 191k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 191k| } 287| | 288| 47.8k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 47.8k| carry = 0; 291| | 292| 239k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 191k, False: 47.8k] ------------------ 293| 191k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 191k| } 295| | 296| 47.8k| return Self(r); 297| 47.8k| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E1xEv: 1162| 27.6k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul3Ev: 335| 833| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp256r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEESC_: 265| 9.57k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 9.57k| std::array t; // NOLINT(*-member-init) 267| | 268| 9.57k| W carry = 0; 269| 47.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 38.2k, False: 9.57k] ------------------ 270| 38.2k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 38.2k| } 272| | 273| 9.57k| std::array r; // NOLINT(*-member-init) 274| 9.57k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 9.57k| return Self(r); 276| 9.57k| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E1yEv: 1167| 26.8k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul4Ev: 338| 833| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul2Ev: 325| 6.66k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 6.66k| std::array t = value(); 327| 6.66k| const W carry = shift_left<1>(t); 328| | 329| 6.66k| std::array r; // NOLINT(*-member-init) 330| 6.66k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 6.66k| return Self(r); 332| 6.66k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE5valueEv: 894| 6.66k| constexpr const std::array& value() const { return m_val; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul8Ev: 341| 833| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp256r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_EESE_: 1064| 735| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 735| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 9.71k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 14.9k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 14.9k| const W mask = cond.into_bitmask(); 397| | 398| 74.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 59.9k, False: 14.9k] ------------------ 399| 59.9k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 59.9k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 59.9k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 59.9k| } 403| 14.9k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEmLERKSA_: 355| 1.74k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.74k| std::array z; // NOLINT(*-member-init) 357| 1.74k| comba_mul(z.data(), data(), other.data()); 358| 1.74k| m_val = Rep::redc(z); 359| 1.74k| return (*this); 360| 1.74k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE8square_nEm: 439| 1.43k| constexpr void square_n(size_t n) { 440| 1.43k| std::array z; // NOLINT(*-member-init) 441| 41.4k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 40.0k, False: 1.43k] ------------------ 442| 40.0k| comba_sqr(z.data(), this->data()); 443| 40.0k| m_val = Rep::redc(z); 444| 40.0k| } 445| 1.43k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 176| for(;;) { 618| | // Conditional ok: this function is variable time 619| 176| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 175] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 175| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 175| std::array r; // NOLINT(*-member-init) 640| 175| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 175| if(carry == 0) { ------------------ | Branch (643:16): [True: 85, False: 90] ------------------ 644| | // b > a 645| 85| b.m_val = r; 646| 85| x = nx; 647| 85| Self::_invert_vartime_div2_helper(b, x); 648| 90| } else { 649| | // We know this can't underflow because a > b 650| 90| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 90| a.m_val = r; 652| 90| y = nx; 653| 90| Self::_invert_vartime_div2_helper(a, y); 654| 90| } 655| 175| } 656| 1| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4zeroEv: 195| 13.6k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 177| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 177| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 545| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 368, False: 177] ------------------ 552| 368| shift_right<1>(a.m_val); 553| | 554| 368| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 368| if(borrow) { ------------------ | Branch (557:16): [True: 129, False: 239] ------------------ 558| 129| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 129| } 560| 368| } 561| 177| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE6negateEv: 452| 6.83k| constexpr Self negate() const { 453| 6.83k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 6.83k| std::array r; // NOLINT(*-member-init) 456| 6.83k| W carry = 0; 457| 34.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 27.3k, False: 6.83k] ------------------ 458| 27.3k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 27.3k| } 460| | 461| 6.83k| return Self(r); 462| 6.83k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 8.88k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 795| std::array stash_value() const { 760| 795| static_assert(L >= N); 761| 795| std::array stash = {}; 762| 3.97k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 3.18k, False: 795] ------------------ 763| 3.18k| stash[i] = m_val[i]; 764| 3.18k| } 765| 795| return stash; 766| 795| } pcurves_secp256r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp256r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 159| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 159| const BlindedScalar scalar(s, rng); 1409| 159| return basemul_booth_exec(m_table, scalar, rng); 1410| 159| } pcurves_secp256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp256r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 159| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 159| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 159, Folded] | Branch (1308:33): [True: 0, False: 159] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 159| } else { 1344| | // No RNG available, skip blinding 1345| 159| m_bytes.resize(C::Scalar::BYTES); 1346| 159| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 159| m_bits = C::Scalar::BITS; 1348| 159| } 1349| | 1350| 159| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 159| } pcurves_secp256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS3_12Secp256r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 363| constexpr static std::array from_rep(const std::array& z) { 138| 363| std::array ze = {}; 139| 363| copy_mem(std::span{ze}.template first(), z); 140| 363| return Self::redc(ze); 141| 363| } pcurves_secp256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS3_12Secp256r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 568| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 568| } else { 108| 568| return monty_redc(z, P, P_dash); 109| 568| } 110| 568| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 363| constexpr void serialize_to(std::span bytes) const { 740| 363| auto v = Rep::from_rep(m_val); 741| 363| std::reverse(v.begin(), v.end()); 742| | 743| 363| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 363| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 363| } pcurves_secp256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EE4bitsEv: 1305| 159| size_t bits() const { return m_bits; } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 159| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 159| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 159| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E6negateEv: 1134| 159| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 159| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18_const_time_poisonEv: 889| 477| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EE10get_windowEm: 1353| 6.83k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 6.83k| return read_window_bits(std::span{m_bytes}, offset); 1356| 6.83k| } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 6.67k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 6.67k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 6.67k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 6.67k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 6.67k| const W mask = cond.into_bitmask(); 369| | 370| 33.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 26.7k, False: 6.67k] ------------------ 371| 26.7k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 26.7k| } 373| 6.67k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 6.83k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 6.83k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 6.83k| const size_t idx1 = static_cast(idx - 1); 960| 225k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 218k, False: 6.83k] ------------------ 961| 218k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 218k| result.conditional_assign(found, pts[i]); 963| 218k| } 964| | 965| 6.83k| return result; 966| 6.83k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE8identityERKSC_: 924| 6.83k| static constexpr Self identity(const Self& /*unused*/) { 925| 6.83k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 6.83k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 218k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 218k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 218k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 218k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 218k| const W mask = cond.into_bitmask(); 382| | 383| 1.09M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 875k, False: 218k] ------------------ 384| 875k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 875k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 875k| } 387| 218k| } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 636| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 636| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 636] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 636| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 159| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 477| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EED2Ev: 1358| 159| ~BlindedScalarBits() { 1359| 159| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 159| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 159| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 567| static Self from_stash(const std::array& stash) { 775| 567| static_assert(L >= N); 776| 567| std::array val = {}; 777| 2.83k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.26k, False: 567] ------------------ 778| 2.26k| val[i] = stash[i]; 779| 2.26k| } 780| 567| return Self(val); 781| 567| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 772| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 318| constexpr void serialize_to(std::span bytes) const { 740| 318| auto v = Rep::from_rep(m_val); 741| 318| std::reverse(v.begin(), v.end()); 742| | 743| 318| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 318| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 318| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 204| std::array stash_value() const { 760| 204| static_assert(L >= N); 761| 204| std::array stash = {}; 762| 1.02k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 816, False: 204] ------------------ 763| 816| stash[i] = m_val[i]; 764| 816| } 765| 204| return stash; 766| 204| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.11k| static Self from_stash(const std::array& stash) { 775| 1.11k| static_assert(L >= N); 776| 1.11k| std::array val = {}; 777| 5.56k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 4.45k, False: 1.11k] ------------------ 778| 4.45k| val[i] = stash[i]; 779| 4.45k| } 780| 1.11k| return Self(val); 781| 1.11k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 409| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEeqERKSA_: 722| 159| constexpr CT::Choice operator==(const Self& other) const { 723| 159| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 159| } pcurves_secp256r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS2_12Secp256r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 159| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 205| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 205| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 205] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 205| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 205| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 205] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 205| return Self::from_words(words); 807| 205| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE10from_wordsILm4EEESB_NSt3__15arrayImXT_EEE: 211| 205| static constexpr Self from_words(std::array w) { 212| 205| if constexpr(L == N) { 213| 205| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 205| } pcurves_secp256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS3_12Secp256r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 205| constexpr static std::array to_rep(const std::array& x) { 116| 205| std::array z; // NOLINT(*-member-init) 117| 205| comba_mul(z.data(), x.data(), R2.data()); 118| 205| return Self::redc(z); 119| 205| } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm65EEE: 941| 159| constexpr void serialize_to(std::span bytes) const { 942| 159| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 159| do { \ | | 52| 159| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 159| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 159] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 159| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 159] | | ------------------ ------------------ 943| 159| BufferStuffer pack(bytes); 944| 159| pack.append(0x04); 945| 159| x().serialize_to(pack.next()); 946| 159| y().serialize_to(pack.next()); 947| 159| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 159| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 159| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 159] | | ------------------ ------------------ 948| 159| } pcurves_secp384r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS2_12Secp384r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 128| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 128| auto x = pt.x(); 1027| 128| auto y = pt.y(); 1028| 128| auto z = FieldElement::one(); 1029| | 1030| 128| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 128| return ProjectiveCurvePoint(x, y, z); 1033| 128| } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE1xEv: 971| 289k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE1yEv: 976| 281k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE3oneEv: 200| 8.25k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 250k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 128| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 128| const W mask = cond.into_bitmask(); 412| | 413| 896| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 768, False: 128] ------------------ 414| 768| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 768| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 768| x.m_val[i] = nx; 417| 768| y.m_val[i] = ny; 418| 768| } 419| 128| } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE11is_identityEv: 928| 8.63k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE7is_zeroEv: 225| 48.3k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 10.8k| m_x(x), m_y(y), m_z(z) {} pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.24k| constexpr Self dbl() const { 1122| 1.24k| if constexpr(Self::A_is_minus_3) { 1123| 1.24k| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 1.24k| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E1zEv: 1172| 61.7k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE6squareEv: 426| 36.6k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 36.6k| std::array z; // NOLINT(*-member-init) 428| 36.6k| comba_sqr(z.data(), this->data()); 429| 36.6k| return Self(Rep::redc(z)); 430| 36.6k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4dataEv: 896| 292k| constexpr const W* data() const { return m_val.data(); } pcurves_secp384r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEESC_: 346| 97.6k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 97.6k| std::array z; // NOLINT(*-member-init) 348| 97.6k| comba_mul(z.data(), a.data(), b.data()); 349| 97.6k| return Self(Rep::redc(z)); 350| 97.6k| } pcurves_secp384r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEESC_: 281| 60.3k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 60.3k| std::array r; // NOLINT(*-member-init) 283| 60.3k| W carry = 0; 284| 422k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 361k, False: 60.3k] ------------------ 285| 361k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 361k| } 287| | 288| 60.3k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 60.3k| carry = 0; 291| | 292| 422k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 361k, False: 60.3k] ------------------ 293| 361k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 361k| } 295| | 296| 60.3k| return Self(r); 297| 60.3k| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E1xEv: 1162| 35.3k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul3Ev: 335| 1.24k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp384r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEESC_: 265| 12.2k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 12.2k| std::array t; // NOLINT(*-member-init) 267| | 268| 12.2k| W carry = 0; 269| 85.4k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 73.2k, False: 12.2k] ------------------ 270| 73.2k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 73.2k| } 272| | 273| 12.2k| std::array r; // NOLINT(*-member-init) 274| 12.2k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 12.2k| return Self(r); 276| 12.2k| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E1yEv: 1167| 34.0k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul4Ev: 338| 1.24k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul2Ev: 325| 9.92k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 9.92k| std::array t = value(); 327| 9.92k| const W carry = shift_left<1>(t); 328| | 329| 9.92k| std::array r; // NOLINT(*-member-init) 330| 9.92k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 9.92k| return Self(r); 332| 9.92k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE5valueEv: 894| 9.92k| constexpr const std::array& value() const { return m_val; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul8Ev: 341| 1.24k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp384r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_EESE_: 1064| 1.09k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.09k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 12.6k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 18.5k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 18.5k| const W mask = cond.into_bitmask(); 397| | 398| 130k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 111k, False: 18.5k] ------------------ 399| 111k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 111k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 111k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 111k| } 403| 18.5k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEmLERKSA_: 355| 1.65k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.65k| std::array z; // NOLINT(*-member-init) 357| 1.65k| comba_mul(z.data(), data(), other.data()); 358| 1.65k| m_val = Rep::redc(z); 359| 1.65k| return (*this); 360| 1.65k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE8square_nEm: 439| 1.52k| constexpr void square_n(size_t n) { 440| 1.52k| std::array z; // NOLINT(*-member-init) 441| 49.9k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 48.3k, False: 1.52k] ------------------ 442| 48.3k| comba_sqr(z.data(), this->data()); 443| 48.3k| m_val = Rep::redc(z); 444| 48.3k| } 445| 1.52k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 252| for(;;) { 618| | // Conditional ok: this function is variable time 619| 252| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 251] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 251| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 251| std::array r; // NOLINT(*-member-init) 640| 251| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 251| if(carry == 0) { ------------------ | Branch (643:16): [True: 118, False: 133] ------------------ 644| | // b > a 645| 118| b.m_val = r; 646| 118| x = nx; 647| 118| Self::_invert_vartime_div2_helper(b, x); 648| 133| } else { 649| | // We know this can't underflow because a > b 650| 133| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 133| a.m_val = r; 652| 133| y = nx; 653| 133| Self::_invert_vartime_div2_helper(a, y); 654| 133| } 655| 251| } 656| 1| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4zeroEv: 195| 16.5k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 253| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 253| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 809| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 556, False: 253] ------------------ 552| 556| shift_right<1>(a.m_val); 553| | 554| 556| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 556| if(borrow) { ------------------ | Branch (557:16): [True: 248, False: 308] ------------------ 558| 248| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 248| } 560| 556| } 561| 253| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE6negateEv: 452| 8.25k| constexpr Self negate() const { 453| 8.25k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 8.25k| std::array r; // NOLINT(*-member-init) 456| 8.25k| W carry = 0; 457| 57.7k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 49.5k, False: 8.25k] ------------------ 458| 49.5k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 49.5k| } 460| | 461| 8.25k| return Self(r); 462| 8.25k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 10.9k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 635| std::array stash_value() const { 760| 635| static_assert(L >= N); 761| 635| std::array stash = {}; 762| 4.44k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 3.81k, False: 635] ------------------ 763| 3.81k| stash[i] = m_val[i]; 764| 3.81k| } 765| 635| return stash; 766| 635| } pcurves_secp384r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp384r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 127| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 127| const BlindedScalar scalar(s, rng); 1409| 127| return basemul_booth_exec(m_table, scalar, rng); 1410| 127| } pcurves_secp384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp384r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 127| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 127| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 127, Folded] | Branch (1308:33): [True: 0, False: 127] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 127| } else { 1344| | // No RNG available, skip blinding 1345| 127| m_bytes.resize(C::Scalar::BYTES); 1346| 127| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 127| m_bits = C::Scalar::BITS; 1348| 127| } 1349| | 1350| 127| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 127| } pcurves_secp384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS3_12Secp384r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm6EEE: 137| 269| constexpr static std::array from_rep(const std::array& z) { 138| 269| std::array ze = {}; 139| 269| copy_mem(std::span{ze}.template first(), z); 140| 269| return Self::redc(ze); 141| 269| } pcurves_secp384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS3_12Secp384r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm12EEE: 104| 412| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 412| } else { 108| 412| return monty_redc(z, P, P_dash); 109| 412| } 110| 412| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 269| constexpr void serialize_to(std::span bytes) const { 740| 269| auto v = Rep::from_rep(m_val); 741| 269| std::reverse(v.begin(), v.end()); 742| | 743| 269| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 269| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 269| } pcurves_secp384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EE4bitsEv: 1305| 127| size_t bits() const { return m_bits; } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 127| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 127| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 127| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E6negateEv: 1134| 127| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 127| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18_const_time_poisonEv: 889| 381| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EE10get_windowEm: 1353| 8.25k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 8.25k| return read_window_bits(std::span{m_bytes}, offset); 1356| 8.25k| } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 8.12k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 8.12k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 8.12k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 8.12k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 8.12k| const W mask = cond.into_bitmask(); 369| | 370| 56.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 48.7k, False: 8.12k] ------------------ 371| 48.7k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 48.7k| } 373| 8.12k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 8.25k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 8.25k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 8.25k| const size_t idx1 = static_cast(idx - 1); 960| 272k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 264k, False: 8.25k] ------------------ 961| 264k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 264k| result.conditional_assign(found, pts[i]); 963| 264k| } 964| | 965| 8.25k| return result; 966| 8.25k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE8identityERKSC_: 924| 8.25k| static constexpr Self identity(const Self& /*unused*/) { 925| 8.25k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 8.25k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 264k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 264k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 264k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 264k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 264k| const W mask = cond.into_bitmask(); 382| | 383| 1.84M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 1.58M, False: 264k] ------------------ 384| 1.58M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 1.58M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 1.58M| } 387| 264k| } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 508| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 508| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 508] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 508| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 127| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 381| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EED2Ev: 1358| 127| ~BlindedScalarBits() { 1359| 127| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 127| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 127| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 411| static Self from_stash(const std::array& stash) { 775| 411| static_assert(L >= N); 776| 411| std::array val = {}; 777| 2.87k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.46k, False: 411] ------------------ 778| 2.46k| val[i] = stash[i]; 779| 2.46k| } 780| 411| return Self(val); 781| 411| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 554| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 254| constexpr void serialize_to(std::span bytes) const { 740| 254| auto v = Rep::from_rep(m_val); 741| 254| std::reverse(v.begin(), v.end()); 742| | 743| 254| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 254| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 254| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 142| std::array stash_value() const { 760| 142| static_assert(L >= N); 761| 142| std::array stash = {}; 762| 994| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 852, False: 142] ------------------ 763| 852| stash[i] = m_val[i]; 764| 852| } 765| 142| return stash; 766| 142| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 889| static Self from_stash(const std::array& stash) { 775| 889| static_assert(L >= N); 776| 889| std::array val = {}; 777| 6.22k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 5.33k, False: 889] ------------------ 778| 5.33k| val[i] = stash[i]; 779| 5.33k| } 780| 889| return Self(val); 781| 889| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 285| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEeqERKSA_: 722| 127| constexpr CT::Choice operator==(const Self& other) const { 723| 127| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 127| } pcurves_secp384r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS2_12Secp384r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 127| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 143| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 143| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 143] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 143| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 143| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 143] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 143| return Self::from_words(words); 807| 143| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE10from_wordsILm6EEESB_NSt3__15arrayImXT_EEE: 211| 143| static constexpr Self from_words(std::array w) { 212| 143| if constexpr(L == N) { 213| 143| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 143| } pcurves_secp384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS3_12Secp384r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm6EEE: 115| 143| constexpr static std::array to_rep(const std::array& x) { 116| 143| std::array z; // NOLINT(*-member-init) 117| 143| comba_mul(z.data(), x.data(), R2.data()); 118| 143| return Self::redc(z); 119| 143| } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm97EEE: 941| 127| constexpr void serialize_to(std::span bytes) const { 942| 127| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 127| do { \ | | 52| 127| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 127| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 127] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 127| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 127] | | ------------------ ------------------ 943| 127| BufferStuffer pack(bytes); 944| 127| pack.append(0x04); 945| 127| x().serialize_to(pack.next()); 946| 127| y().serialize_to(pack.next()); 947| 127| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 127| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 127| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 127] | | ------------------ ------------------ 948| 127| } pcurves_secp521r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_7P521RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 115| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 115| auto x = pt.x(); 1027| 115| auto y = pt.y(); 1028| 115| auto z = FieldElement::one(); 1029| | 1030| 115| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 115| return ProjectiveCurvePoint(x, y, z); 1033| 115| } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 347k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 337k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 9.91k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm9EEE: 898| 310k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 115| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 115| const W mask = cond.into_bitmask(); 412| | 413| 1.15k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 1.03k, False: 115] ------------------ 414| 1.03k| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 1.03k| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 1.03k| x.m_val[i] = nx; 417| 1.03k| y.m_val[i] = ny; 418| 1.03k| } 419| 115| } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 10.2k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 58.8k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 13.2k| m_x(x), m_y(y), m_z(z) {} pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.64k| constexpr Self dbl() const { 1122| 1.64k| if constexpr(Self::A_is_minus_3) { 1123| 1.64k| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 1.64k| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 76.7k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 45.6k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 45.6k| std::array z; // NOLINT(*-member-init) 428| 45.6k| comba_sqr(z.data(), this->data()); 429| 45.6k| return Self(Rep::redc(z)); 430| 45.6k| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 361k| constexpr const W* data() const { return m_val.data(); } pcurves_secp521r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 121k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 121k| std::array z; // NOLINT(*-member-init) 348| 121k| comba_mul(z.data(), a.data(), b.data()); 349| 121k| return Self(Rep::redc(z)); 350| 121k| } pcurves_secp521r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 74.1k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 74.1k| std::array r; // NOLINT(*-member-init) 283| 74.1k| W carry = 0; 284| 741k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 667k, False: 74.1k] ------------------ 285| 667k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 667k| } 287| | 288| 74.1k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 74.1k| carry = 0; 291| | 292| 741k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 667k, False: 74.1k] ------------------ 293| 667k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 667k| } 295| | 296| 74.1k| return Self(r); 297| 74.1k| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 43.7k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 1.64k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp521r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 15.2k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 15.2k| std::array t; // NOLINT(*-member-init) 267| | 268| 15.2k| W carry = 0; 269| 152k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 137k, False: 15.2k] ------------------ 270| 137k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 137k| } 272| | 273| 15.2k| std::array r; // NOLINT(*-member-init) 274| 15.2k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 15.2k| return Self(r); 276| 15.2k| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 42.0k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 1.64k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 13.1k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 13.1k| std::array t = value(); 327| 13.1k| const W carry = shift_left<1>(t); 328| | 329| 13.1k| std::array r; // NOLINT(*-member-init) 330| 13.1k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 13.1k| return Self(r); 332| 13.1k| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 13.1k| constexpr const std::array& value() const { return m_val; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 1.64k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp521r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 1.45k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.45k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 15.8k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 22.6k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 22.6k| const W mask = cond.into_bitmask(); 397| | 398| 226k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 203k, False: 22.6k] ------------------ 399| 203k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 203k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 203k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 203k| } 403| 22.6k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 1.36k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.36k| std::array z; // NOLINT(*-member-init) 357| 1.36k| comba_mul(z.data(), data(), other.data()); 358| 1.36k| m_val = Rep::redc(z); 359| 1.36k| return (*this); 360| 1.36k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.25k| constexpr void square_n(size_t n) { 440| 1.25k| std::array z; // NOLINT(*-member-init) 441| 60.3k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 59.0k, False: 1.25k] ------------------ 442| 59.0k| comba_sqr(z.data(), this->data()); 443| 59.0k| m_val = Rep::redc(z); 444| 59.0k| } 445| 1.25k| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 350| for(;;) { 618| | // Conditional ok: this function is variable time 619| 350| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 349] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 349| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 349| std::array r; // NOLINT(*-member-init) 640| 349| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 349| if(carry == 0) { ------------------ | Branch (643:16): [True: 170, False: 179] ------------------ 644| | // b > a 645| 170| b.m_val = r; 646| 170| x = nx; 647| 170| Self::_invert_vartime_div2_helper(b, x); 648| 179| } else { 649| | // We know this can't underflow because a > b 650| 179| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 179| a.m_val = r; 652| 179| y = nx; 653| 179| Self::_invert_vartime_div2_helper(a, y); 654| 179| } 655| 349| } 656| 1| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 19.8k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 351| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 351| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 1.09k| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 742, False: 351] ------------------ 552| 742| shift_right<1>(a.m_val); 553| | 554| 742| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 742| if(borrow) { ------------------ | Branch (557:16): [True: 109, False: 633] ------------------ 558| 109| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 109| } 560| 742| } 561| 351| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 9.92k| constexpr Self negate() const { 453| 9.92k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 9.92k| std::array r; // NOLINT(*-member-init) 456| 9.92k| W carry = 0; 457| 99.2k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 89.2k, False: 9.92k] ------------------ 458| 89.2k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 89.2k| } 460| | 461| 9.92k| return Self(r); 462| 9.92k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 13.3k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 572| std::array stash_value() const { 760| 572| static_assert(L >= N); 761| 572| std::array stash = {}; 762| 5.72k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 5.14k, False: 572] ------------------ 763| 5.14k| stash[i] = m_val[i]; 764| 5.14k| } 765| 572| return stash; 766| 572| } pcurves_secp521r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_7P521RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 114| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 114| const BlindedScalar scalar(s, rng); 1409| 114| return basemul_booth_exec(m_table, scalar, rng); 1410| 114| } pcurves_secp521r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_7P521RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 114| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 114| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 114, Folded] | Branch (1308:33): [True: 0, False: 114] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 114| } else { 1344| | // No RNG available, skip blinding 1345| 114| m_bytes.resize(C::Scalar::BYTES); 1346| 114| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 114| m_bits = C::Scalar::BITS; 1348| 114| } 1349| | 1350| 114| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 114| } pcurves_secp521r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS4_7P521RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm9EEE: 137| 314| constexpr static std::array from_rep(const std::array& z) { 138| 314| std::array ze = {}; 139| 314| copy_mem(std::span{ze}.template first(), z); 140| 314| return Self::redc(ze); 141| 314| } pcurves_secp521r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS4_7P521RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm18EEE: 104| 515| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 515| } else { 108| 515| return monty_redc(z, P, P_dash); 109| 515| } 110| 515| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm66EEE: 739| 314| constexpr void serialize_to(std::span bytes) const { 740| 314| auto v = Rep::from_rep(m_val); 741| 314| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 314| } else { 746| | // Remove leading zero bytes 747| 314| const auto padded_bytes = store_be(v); 748| 314| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 314| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 314| } 751| 314| } pcurves_secp521r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EE4bitsEv: 1305| 114| size_t bits() const { return m_bits; } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 114| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 114| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 114| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 114| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 114| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 342| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp521r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EE10get_windowEm: 1353| 9.91k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 9.91k| return read_window_bits(std::span{m_bytes}, offset); 1356| 9.91k| } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 9.80k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 9.80k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 9.80k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 9.80k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 9.80k| const W mask = cond.into_bitmask(); 369| | 370| 98.0k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 88.2k, False: 9.80k] ------------------ 371| 88.2k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 88.2k| } 373| 9.80k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 9.91k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 9.91k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 9.91k| const size_t idx1 = static_cast(idx - 1); 960| 327k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 317k, False: 9.91k] ------------------ 961| 317k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 317k| result.conditional_assign(found, pts[i]); 963| 317k| } 964| | 965| 9.91k| return result; 966| 9.91k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 9.91k| static constexpr Self identity(const Self& /*unused*/) { 925| 9.91k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 9.91k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 317k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 317k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 317k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 317k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 317k| const W mask = cond.into_bitmask(); 382| | 383| 3.17M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 2.85M, False: 317k] ------------------ 384| 2.85M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 2.85M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 2.85M| } 387| 317k| } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 456| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 456| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 456] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 456| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 136| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 136| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 136] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 136| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 136| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 8, False: 128] ------------------ 802| 8| return {}; 803| 8| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 128| return Self::from_words(words); 807| 136| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_wordsILm9EEESA_NSt3__15arrayImXT_EEE: 211| 128| static constexpr Self from_words(std::array w) { 212| 128| if constexpr(L == N) { 213| 128| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 128| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 114| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 342| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp521r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EED2Ev: 1358| 114| ~BlindedScalarBits() { 1359| 114| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 114| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 114| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 514| static Self from_stash(const std::array& stash) { 775| 514| static_assert(L >= N); 776| 514| std::array val = {}; 777| 5.14k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 4.62k, False: 514] ------------------ 778| 4.62k| val[i] = stash[i]; 779| 4.62k| } 780| 514| return Self(val); 781| 514| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm9EEE: 898| 715| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm66EEE: 739| 230| constexpr void serialize_to(std::span bytes) const { 740| 230| auto v = Rep::from_rep(m_val); 741| 230| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 230| } else { 746| | // Remove leading zero bytes 747| 230| const auto padded_bytes = store_be(v); 748| 230| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 230| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 230| } 751| 230| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 200| std::array stash_value() const { 760| 200| static_assert(L >= N); 761| 200| std::array stash = {}; 762| 2.00k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 1.80k, False: 200] ------------------ 763| 1.80k| stash[i] = m_val[i]; 764| 1.80k| } 765| 200| return stash; 766| 200| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 802| static Self from_stash(const std::array& stash) { 775| 802| static_assert(L >= N); 776| 802| std::array val = {}; 777| 8.02k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 7.21k, False: 802] ------------------ 778| 7.21k| val[i] = stash[i]; 779| 7.21k| } 780| 802| return Self(val); 781| 802| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE7is_zeroEv: 225| 401| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 176| constexpr CT::Choice operator==(const Self& other) const { 723| 176| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 176| } pcurves_secp521r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS3_7P521RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 176| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 202| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 202| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 202] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 202| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 202| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 1, False: 201] ------------------ 802| 1| return {}; 803| 1| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 201| return Self::from_words(words); 807| 202| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE10from_wordsILm9EEESB_NSt3__15arrayImXT_EEE: 211| 201| static constexpr Self from_words(std::array w) { 212| 201| if constexpr(L == N) { 213| 201| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 201| } pcurves_secp521r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS4_7P521RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm9EEE: 115| 201| constexpr static std::array to_rep(const std::array& x) { 116| 201| std::array z; // NOLINT(*-member-init) 117| 201| comba_mul(z.data(), x.data(), R2.data()); 118| 201| return Self::redc(z); 119| 201| } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm133EEE: 941| 115| constexpr void serialize_to(std::span bytes) const { 942| 115| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 115| do { \ | | 52| 115| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 115| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 115] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 115| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 115] | | ------------------ ------------------ 943| 115| BufferStuffer pack(bytes); 944| 115| pack.append(0x04); 945| 115| x().serialize_to(pack.next()); 946| 115| y().serialize_to(pack.next()); 947| 115| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 115| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 115| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 115] | | ------------------ ------------------ 948| 115| } pcurves_brainpool256r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 50| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 49, False: 1] ------------------ 270| 49| table.push_back(accum); 271| | 272| 1.56k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.51k, False: 49] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.51k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 784, False: 735] ------------------ 275| 784| table.emplace_back(table[i + j / 2].dbl()); 276| 784| } else { 277| 735| table.emplace_back(table[i + j - 1] + table[i]); 278| 735| } 279| 1.51k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 49| accum = table[i + WindowElements - 1].dbl(); 284| 49| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_brainpool256r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 114| RandomNumberGenerator& rng) { 309| 114| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 114| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 114| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 114| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 114| const size_t raw = w_bits << 1; 317| 114| const auto [tidx, tneg] = booth_recode(raw); 318| 114| const auto tbl_0 = table.first(WindowElements); 319| | 320| 114| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 114| pt.conditional_assign(tneg, pt.negate()); 322| 114| CT::poison(pt); 323| 114| pt.randomize_rep(rng); 324| 114| return pt; 325| 114| }(); 326| | 327| 4.90k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 4.78k, False: 114] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 4.78k| const size_t bit_pos = WindowBits * i - 1; 330| 4.78k| const size_t raw = scalar.get_window(bit_pos); 331| 4.78k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 4.78k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 4.78k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 4.78k| if(i <= 3) { ------------------ | Branch (338:10): [True: 342, False: 4.44k] ------------------ 339| 342| accum.randomize_rep(rng); 340| 342| } 341| 4.78k| } 342| | 343| 114| CT::unpoison(accum); 344| 114| return accum; 345| 114|} pcurves_brainpool256r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 114| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 114| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 114| const size_t raw = w_bits << 1; 317| 114| const auto [tidx, tneg] = booth_recode(raw); 318| 114| const auto tbl_0 = table.first(WindowElements); 319| | 320| 114| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 114| pt.conditional_assign(tneg, pt.negate()); 322| 114| CT::poison(pt); 323| 114| pt.randomize_rep(rng); 324| 114| return pt; 325| 114| }(); _ZN5Botan12booth_recodeILm6ETkNSt3__117unsigned_integralEmEENS1_4pairImNS_2CT6ChoiceEEET0_: 294| 80.2k|constexpr std::pair booth_recode(T x) { 295| 80.2k| static_assert(WindowBits >= 1 && WindowBits <= 8); 296| | 297| 80.2k| auto s_mask = CT::Mask::expand(x >> WindowBits); 298| 80.2k| const T neg_x = (1 << (WindowBits + 1)) - x - 1; 299| 80.2k| T d = s_mask.select(neg_x, x); 300| 80.2k| d = (d >> 1) + (d & 1); 301| | 302| 80.2k| return std::make_pair(static_cast(d), s_mask.as_choice()); 303| 80.2k|} _ZN5Botan20scalar_blinding_bitsEm: 41| 771|constexpr size_t scalar_blinding_bits(size_t scalar_bits) { 42| | // For blinding use 1/8 the order length for most curves; for P-521 we round down a bit 43| | // so the masked scalar fits exactly in 9 or 18 words. 44| | 45| 771| if(scalar_bits == 521) { ------------------ | Branch (45:7): [True: 51, False: 720] ------------------ 46| 51| return 55; 47| 720| } else { 48| 720| return scalar_bits / 8; 49| 720| } 50| 771|} pcurves_brainpool384r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 74| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 73, False: 1] ------------------ 270| 73| table.push_back(accum); 271| | 272| 2.33k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 2.26k, False: 73] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 2.26k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.16k, False: 1.09k] ------------------ 275| 1.16k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.16k| } else { 277| 1.09k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.09k| } 279| 2.26k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 73| accum = table[i + WindowElements - 1].dbl(); 284| 73| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_brainpool384r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 137| RandomNumberGenerator& rng) { 309| 137| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 137| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 137| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 137| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 137| const size_t raw = w_bits << 1; 317| 137| const auto [tidx, tneg] = booth_recode(raw); 318| 137| const auto tbl_0 = table.first(WindowElements); 319| | 320| 137| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 137| pt.conditional_assign(tneg, pt.negate()); 322| 137| CT::poison(pt); 323| 137| pt.randomize_rep(rng); 324| 137| return pt; 325| 137| }(); 326| | 327| 8.90k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 8.76k, False: 137] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 8.76k| const size_t bit_pos = WindowBits * i - 1; 330| 8.76k| const size_t raw = scalar.get_window(bit_pos); 331| 8.76k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 8.76k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 8.76k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 8.76k| if(i <= 3) { ------------------ | Branch (338:10): [True: 411, False: 8.35k] ------------------ 339| 411| accum.randomize_rep(rng); 340| 411| } 341| 8.76k| } 342| | 343| 137| CT::unpoison(accum); 344| 137| return accum; 345| 137|} pcurves_brainpool384r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 137| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 137| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 137| const size_t raw = w_bits << 1; 317| 137| const auto [tidx, tneg] = booth_recode(raw); 318| 137| const auto tbl_0 = table.first(WindowElements); 319| | 320| 137| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 137| pt.conditional_assign(tneg, pt.negate()); 322| 137| CT::poison(pt); 323| 137| pt.randomize_rep(rng); 324| 137| return pt; 325| 137| }(); pcurves_brainpool512r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 98| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 97, False: 1] ------------------ 270| 97| table.push_back(accum); 271| | 272| 3.10k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 3.00k, False: 97] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 3.00k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.55k, False: 1.45k] ------------------ 275| 1.55k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.55k| } else { 277| 1.45k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.45k| } 279| 3.00k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 97| accum = table[i + WindowElements - 1].dbl(); 284| 97| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_brainpool512r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 138| RandomNumberGenerator& rng) { 309| 138| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 138| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 138| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 138| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 138| const size_t raw = w_bits << 1; 317| 138| const auto [tidx, tneg] = booth_recode(raw); 318| 138| const auto tbl_0 = table.first(WindowElements); 319| | 320| 138| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 138| pt.conditional_assign(tneg, pt.negate()); 322| 138| CT::poison(pt); 323| 138| pt.randomize_rep(rng); 324| 138| return pt; 325| 138| }(); 326| | 327| 11.8k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 11.7k, False: 138] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 11.7k| const size_t bit_pos = WindowBits * i - 1; 330| 11.7k| const size_t raw = scalar.get_window(bit_pos); 331| 11.7k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 11.7k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 11.7k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 11.7k| if(i <= 3) { ------------------ | Branch (338:10): [True: 414, False: 11.3k] ------------------ 339| 414| accum.randomize_rep(rng); 340| 414| } 341| 11.7k| } 342| | 343| 138| CT::unpoison(accum); 344| 138| return accum; 345| 138|} pcurves_brainpool512r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 138| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 138| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 138| const size_t raw = w_bits << 1; 317| 138| const auto [tidx, tneg] = booth_recode(raw); 318| 138| const auto tbl_0 = table.first(WindowElements); 319| | 320| 138| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 138| pt.conditional_assign(tneg, pt.negate()); 322| 138| CT::poison(pt); 323| 138| pt.randomize_rep(rng); 324| 138| return pt; 325| 138| }(); pcurves_generic.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_112GenericCurveELm6ENS2_24GenericBlindedScalarBitsEEENT_15ProjectivePointENSt3__14spanIKNS5_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 315| RandomNumberGenerator& rng) { 309| 315| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 315| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 315| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 315| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 315| const size_t raw = w_bits << 1; 317| 315| const auto [tidx, tneg] = booth_recode(raw); 318| 315| const auto tbl_0 = table.first(WindowElements); 319| | 320| 315| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 315| pt.conditional_assign(tneg, pt.negate()); 322| 315| CT::poison(pt); 323| 315| pt.randomize_rep(rng); 324| 315| return pt; 325| 315| }(); 326| | 327| 12.3k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 12.0k, False: 315] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 12.0k| const size_t bit_pos = WindowBits * i - 1; 330| 12.0k| const size_t raw = scalar.get_window(bit_pos); 331| 12.0k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 12.0k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 12.0k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 12.0k| if(i <= 3) { ------------------ | Branch (338:10): [True: 945, False: 11.1k] ------------------ 339| 945| accum.randomize_rep(rng); 340| 945| } 341| 12.0k| } 342| | 343| 315| CT::unpoison(accum); 344| 315| return accum; 345| 315|} pcurves_generic.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_112GenericCurveELm6ENS2_24GenericBlindedScalarBitsEEENT_15ProjectivePointENSt3__14spanIKNS5_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 315| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 315| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 315| const size_t raw = w_bits << 1; 317| 315| const auto [tidx, tneg] = booth_recode(raw); 318| 315| const auto tbl_0 = table.first(WindowElements); 319| | 320| 315| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 315| pt.conditional_assign(tneg, pt.negate()); 322| 315| CT::poison(pt); 323| 315| pt.randomize_rep(rng); 324| 315| return pt; 325| 315| }(); pcurves_generic.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_112GenericCurveELm6EEENSt3__16vectorINT_11AffinePointENS4_9allocatorIS7_EEEERKS7_m: 254| 456|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 456| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 456| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 456| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 456| const size_t TableSize = Windows * WindowElements; 263| | 264| 456| std::vector table; 265| 456| table.reserve(TableSize); 266| | 267| 456| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 23.2k| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 22.7k, False: 456] ------------------ 270| 22.7k| table.push_back(accum); 271| | 272| 727k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 705k, False: 22.7k] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 705k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 363k, False: 341k] ------------------ 275| 363k| table.emplace_back(table[i + j / 2].dbl()); 276| 363k| } else { 277| 341k| table.emplace_back(table[i + j - 1] + table[i]); 278| 341k| } 279| 705k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 22.7k| accum = table[i + WindowElements - 1].dbl(); 284| 22.7k| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 456| return to_affine_batch(table); 288| 456|} pcurves_secp192r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 38| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 37, False: 1] ------------------ 270| 37| table.push_back(accum); 271| | 272| 1.18k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.14k, False: 37] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.14k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 592, False: 555] ------------------ 275| 592| table.emplace_back(table[i + j / 2].dbl()); 276| 592| } else { 277| 555| table.emplace_back(table[i + j - 1] + table[i]); 278| 555| } 279| 1.14k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 37| accum = table[i + WindowElements - 1].dbl(); 284| 37| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp192r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 195| RandomNumberGenerator& rng) { 309| 195| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 195| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 195| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 195| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 195| const size_t raw = w_bits << 1; 317| 195| const auto [tidx, tneg] = booth_recode(raw); 318| 195| const auto tbl_0 = table.first(WindowElements); 319| | 320| 195| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 195| pt.conditional_assign(tneg, pt.negate()); 322| 195| CT::poison(pt); 323| 195| pt.randomize_rep(rng); 324| 195| return pt; 325| 195| }(); 326| | 327| 6.43k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 6.24k, False: 195] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 6.24k| const size_t bit_pos = WindowBits * i - 1; 330| 6.24k| const size_t raw = scalar.get_window(bit_pos); 331| 6.24k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 6.24k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 6.24k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 6.24k| if(i <= 3) { ------------------ | Branch (338:10): [True: 585, False: 5.65k] ------------------ 339| 585| accum.randomize_rep(rng); 340| 585| } 341| 6.24k| } 342| | 343| 195| CT::unpoison(accum); 344| 195| return accum; 345| 195|} pcurves_secp192r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 195| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 195| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 195| const size_t raw = w_bits << 1; 317| 195| const auto [tidx, tneg] = booth_recode(raw); 318| 195| const auto tbl_0 = table.first(WindowElements); 319| | 320| 195| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 195| pt.conditional_assign(tneg, pt.negate()); 322| 195| CT::poison(pt); 323| 195| pt.randomize_rep(rng); 324| 195| return pt; 325| 195| }(); pcurves_secp224r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 44| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 43, False: 1] ------------------ 270| 43| table.push_back(accum); 271| | 272| 1.37k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.33k, False: 43] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.33k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 688, False: 645] ------------------ 275| 688| table.emplace_back(table[i + j / 2].dbl()); 276| 688| } else { 277| 645| table.emplace_back(table[i + j - 1] + table[i]); 278| 645| } 279| 1.33k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 43| accum = table[i + WindowElements - 1].dbl(); 284| 43| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp224r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 131| RandomNumberGenerator& rng) { 309| 131| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 131| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 131| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 131| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 131| const size_t raw = w_bits << 1; 317| 131| const auto [tidx, tneg] = booth_recode(raw); 318| 131| const auto tbl_0 = table.first(WindowElements); 319| | 320| 131| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 131| pt.conditional_assign(tneg, pt.negate()); 322| 131| CT::poison(pt); 323| 131| pt.randomize_rep(rng); 324| 131| return pt; 325| 131| }(); 326| | 327| 4.97k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 4.84k, False: 131] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 4.84k| const size_t bit_pos = WindowBits * i - 1; 330| 4.84k| const size_t raw = scalar.get_window(bit_pos); 331| 4.84k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 4.84k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 4.84k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 4.84k| if(i <= 3) { ------------------ | Branch (338:10): [True: 393, False: 4.45k] ------------------ 339| 393| accum.randomize_rep(rng); 340| 393| } 341| 4.84k| } 342| | 343| 131| CT::unpoison(accum); 344| 131| return accum; 345| 131|} pcurves_secp224r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 131| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 131| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 131| const size_t raw = w_bits << 1; 317| 131| const auto [tidx, tneg] = booth_recode(raw); 318| 131| const auto tbl_0 = table.first(WindowElements); 319| | 320| 131| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 131| pt.conditional_assign(tneg, pt.negate()); 322| 131| CT::poison(pt); 323| 131| pt.randomize_rep(rng); 324| 131| return pt; 325| 131| }(); pcurves_secp256k1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 50| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 49, False: 1] ------------------ 270| 49| table.push_back(accum); 271| | 272| 1.56k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.51k, False: 49] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.51k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 784, False: 735] ------------------ 275| 784| table.emplace_back(table[i + j / 2].dbl()); 276| 784| } else { 277| 735| table.emplace_back(table[i + j - 1] + table[i]); 278| 735| } 279| 1.51k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 49| accum = table[i + WindowElements - 1].dbl(); 284| 49| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp256k1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 134| RandomNumberGenerator& rng) { 309| 134| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 134| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 134| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 134| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 134| const size_t raw = w_bits << 1; 317| 134| const auto [tidx, tneg] = booth_recode(raw); 318| 134| const auto tbl_0 = table.first(WindowElements); 319| | 320| 134| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 134| pt.conditional_assign(tneg, pt.negate()); 322| 134| CT::poison(pt); 323| 134| pt.randomize_rep(rng); 324| 134| return pt; 325| 134| }(); 326| | 327| 5.76k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 5.62k, False: 134] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 5.62k| const size_t bit_pos = WindowBits * i - 1; 330| 5.62k| const size_t raw = scalar.get_window(bit_pos); 331| 5.62k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 5.62k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 5.62k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 5.62k| if(i <= 3) { ------------------ | Branch (338:10): [True: 402, False: 5.22k] ------------------ 339| 402| accum.randomize_rep(rng); 340| 402| } 341| 5.62k| } 342| | 343| 134| CT::unpoison(accum); 344| 134| return accum; 345| 134|} pcurves_secp256k1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 134| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 134| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 134| const size_t raw = w_bits << 1; 317| 134| const auto [tidx, tneg] = booth_recode(raw); 318| 134| const auto tbl_0 = table.first(WindowElements); 319| | 320| 134| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 134| pt.conditional_assign(tneg, pt.negate()); 322| 134| CT::poison(pt); 323| 134| pt.randomize_rep(rng); 324| 134| return pt; 325| 134| }(); pcurves_secp256r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 50| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 49, False: 1] ------------------ 270| 49| table.push_back(accum); 271| | 272| 1.56k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.51k, False: 49] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.51k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 784, False: 735] ------------------ 275| 784| table.emplace_back(table[i + j / 2].dbl()); 276| 784| } else { 277| 735| table.emplace_back(table[i + j - 1] + table[i]); 278| 735| } 279| 1.51k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 49| accum = table[i + WindowElements - 1].dbl(); 284| 49| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp256r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 159| RandomNumberGenerator& rng) { 309| 159| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 159| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 159| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 159| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 159| const size_t raw = w_bits << 1; 317| 159| const auto [tidx, tneg] = booth_recode(raw); 318| 159| const auto tbl_0 = table.first(WindowElements); 319| | 320| 159| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 159| pt.conditional_assign(tneg, pt.negate()); 322| 159| CT::poison(pt); 323| 159| pt.randomize_rep(rng); 324| 159| return pt; 325| 159| }(); 326| | 327| 6.83k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 6.67k, False: 159] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 6.67k| const size_t bit_pos = WindowBits * i - 1; 330| 6.67k| const size_t raw = scalar.get_window(bit_pos); 331| 6.67k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 6.67k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 6.67k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 6.67k| if(i <= 3) { ------------------ | Branch (338:10): [True: 477, False: 6.20k] ------------------ 339| 477| accum.randomize_rep(rng); 340| 477| } 341| 6.67k| } 342| | 343| 159| CT::unpoison(accum); 344| 159| return accum; 345| 159|} pcurves_secp256r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 159| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 159| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 159| const size_t raw = w_bits << 1; 317| 159| const auto [tidx, tneg] = booth_recode(raw); 318| 159| const auto tbl_0 = table.first(WindowElements); 319| | 320| 159| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 159| pt.conditional_assign(tneg, pt.negate()); 322| 159| CT::poison(pt); 323| 159| pt.randomize_rep(rng); 324| 159| return pt; 325| 159| }(); pcurves_secp384r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 74| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 73, False: 1] ------------------ 270| 73| table.push_back(accum); 271| | 272| 2.33k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 2.26k, False: 73] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 2.26k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.16k, False: 1.09k] ------------------ 275| 1.16k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.16k| } else { 277| 1.09k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.09k| } 279| 2.26k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 73| accum = table[i + WindowElements - 1].dbl(); 284| 73| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp384r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 127| RandomNumberGenerator& rng) { 309| 127| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 127| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 127| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 127| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 127| const size_t raw = w_bits << 1; 317| 127| const auto [tidx, tneg] = booth_recode(raw); 318| 127| const auto tbl_0 = table.first(WindowElements); 319| | 320| 127| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 127| pt.conditional_assign(tneg, pt.negate()); 322| 127| CT::poison(pt); 323| 127| pt.randomize_rep(rng); 324| 127| return pt; 325| 127| }(); 326| | 327| 8.25k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 8.12k, False: 127] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 8.12k| const size_t bit_pos = WindowBits * i - 1; 330| 8.12k| const size_t raw = scalar.get_window(bit_pos); 331| 8.12k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 8.12k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 8.12k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 8.12k| if(i <= 3) { ------------------ | Branch (338:10): [True: 381, False: 7.74k] ------------------ 339| 381| accum.randomize_rep(rng); 340| 381| } 341| 8.12k| } 342| | 343| 127| CT::unpoison(accum); 344| 127| return accum; 345| 127|} pcurves_secp384r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 127| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 127| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 127| const size_t raw = w_bits << 1; 317| 127| const auto [tidx, tneg] = booth_recode(raw); 318| 127| const auto tbl_0 = table.first(WindowElements); 319| | 320| 127| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 127| pt.conditional_assign(tneg, pt.negate()); 322| 127| CT::poison(pt); 323| 127| pt.randomize_rep(rng); 324| 127| return pt; 325| 127| }(); pcurves_secp521r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 98| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 97, False: 1] ------------------ 270| 97| table.push_back(accum); 271| | 272| 3.10k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 3.00k, False: 97] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 3.00k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.55k, False: 1.45k] ------------------ 275| 1.55k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.55k| } else { 277| 1.45k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.45k| } 279| 3.00k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 97| accum = table[i + WindowElements - 1].dbl(); 284| 97| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp521r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 114| RandomNumberGenerator& rng) { 309| 114| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 114| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 114| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 114| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 114| const size_t raw = w_bits << 1; 317| 114| const auto [tidx, tneg] = booth_recode(raw); 318| 114| const auto tbl_0 = table.first(WindowElements); 319| | 320| 114| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 114| pt.conditional_assign(tneg, pt.negate()); 322| 114| CT::poison(pt); 323| 114| pt.randomize_rep(rng); 324| 114| return pt; 325| 114| }(); 326| | 327| 9.91k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 9.80k, False: 114] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 9.80k| const size_t bit_pos = WindowBits * i - 1; 330| 9.80k| const size_t raw = scalar.get_window(bit_pos); 331| 9.80k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 9.80k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 9.80k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 9.80k| if(i <= 3) { ------------------ | Branch (338:10): [True: 342, False: 9.46k] ------------------ 339| 342| accum.randomize_rep(rng); 340| 342| } 341| 9.80k| } 342| | 343| 114| CT::unpoison(accum); 344| 114| return accum; 345| 114|} pcurves_secp521r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 114| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 114| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 114| const size_t raw = w_bits << 1; 317| 114| const auto [tidx, tneg] = booth_recode(raw); 318| 114| const auto tbl_0 = table.first(WindowElements); 319| | 320| 114| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 114| pt.conditional_assign(tneg, pt.negate()); 322| 114| CT::poison(pt); 323| 114| pt.randomize_rep(rng); 324| 114| return pt; 325| 114| }(); _ZN5Botan20solinas_correct_redcILm3ETkNS_8WordTypeEmEEvRNSt3__15arrayIT0_XT_EEERKS4_S7_: 84| 131k|constexpr inline void solinas_correct_redc(std::array& r, const std::array& P, const std::array& C) { 85| 131k| W borrow = 0; 86| 526k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (86:22): [True: 394k, False: 131k] ------------------ 87| 394k| r[i] = word_sub(r[i], C[i], &borrow); 88| 394k| } 89| | 90| | // borrow is either 0 or 1, perfect for setting up a mask without extra work 91| 131k| const W mask = CT::value_barrier(0 - borrow); 92| | 93| 131k| W carry = 0; 94| | 95| 526k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (95:22): [True: 394k, False: 131k] ------------------ 96| 394k| r[i] = word_add(r[i], P[i] & mask, &carry); 97| 394k| } 98| 131k|} _ZN5Botan10get_uint32ITkNS_8WordTypeEmEEjPKT_m: 33| 8.31M|constexpr uint32_t get_uint32(const W xw[], size_t i) { 34| 8.31M| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 35| | 36| | if constexpr(WordInfo::bits == 32) { 37| | return xw[i]; 38| 8.31M| } else { 39| 8.31M| return static_cast(xw[i / 2] >> ((i % 2) * 32)); 40| 8.31M| } 41| 8.31M|} _ZN5Botan12SolinasAccumImLm4EEC2ERNSt3__15arrayImLm4EEE: 50| 257k| constexpr explicit SolinasAccum(std::array& r) : m_r(r) {} _ZN5Botan12SolinasAccumImLm4EE5accumEl: 52| 1.94M| constexpr void accum(int64_t v) { 53| 1.94M| BOTAN_DEBUG_ASSERT(m_idx < N32); ------------------ | | 130| 1.94M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 1.94M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 1.94M] | | ------------------ ------------------ 54| | 55| 1.94M| m_S += v; 56| 1.94M| const uint32_t r = static_cast(m_S); 57| 1.94M| m_S >>= 32; 58| | 59| | if constexpr(WordInfo::bits == 32) { 60| | m_r[m_idx] = r; 61| 1.94M| } else { 62| 1.94M| m_r[m_idx / 2] |= static_cast(r) << (32 * (m_idx % 2)); 63| 1.94M| } 64| | 65| 1.94M| m_idx += 1; 66| 1.94M| } _ZN5Botan12SolinasAccumImLm4EE11final_carryEl: 68| 257k| constexpr W final_carry(int64_t C) { 69| 257k| m_S += C; 70| 257k| BOTAN_DEBUG_ASSERT(m_S >= 0); ------------------ | | 130| 257k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 257k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 257k] | | ------------------ ------------------ 71| 257k| return static_cast(m_S); 72| 257k| } _ZN5Botan20solinas_correct_redcILm4ETkNS_8WordTypeEmEEvRNSt3__15arrayIT0_XT_EEERKS4_S7_: 84| 257k|constexpr inline void solinas_correct_redc(std::array& r, const std::array& P, const std::array& C) { 85| 257k| W borrow = 0; 86| 1.28M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (86:22): [True: 1.02M, False: 257k] ------------------ 87| 1.02M| r[i] = word_sub(r[i], C[i], &borrow); 88| 1.02M| } 89| | 90| | // borrow is either 0 or 1, perfect for setting up a mask without extra work 91| 257k| const W mask = CT::value_barrier(0 - borrow); 92| | 93| 257k| W carry = 0; 94| | 95| 1.28M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (95:22): [True: 1.02M, False: 257k] ------------------ 96| 1.02M| r[i] = word_add(r[i], P[i] & mask, &carry); 97| 1.02M| } 98| 257k|} _ZN5Botan12SolinasAccumImLm6EEC2ERNSt3__15arrayImLm6EEE: 50| 184k| constexpr explicit SolinasAccum(std::array& r) : m_r(r) {} _ZN5Botan12SolinasAccumImLm6EE5accumEl: 52| 2.21M| constexpr void accum(int64_t v) { 53| 2.21M| BOTAN_DEBUG_ASSERT(m_idx < N32); ------------------ | | 130| 2.21M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.21M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.21M] | | ------------------ ------------------ 54| | 55| 2.21M| m_S += v; 56| 2.21M| const uint32_t r = static_cast(m_S); 57| 2.21M| m_S >>= 32; 58| | 59| | if constexpr(WordInfo::bits == 32) { 60| | m_r[m_idx] = r; 61| 2.21M| } else { 62| 2.21M| m_r[m_idx / 2] |= static_cast(r) << (32 * (m_idx % 2)); 63| 2.21M| } 64| | 65| 2.21M| m_idx += 1; 66| 2.21M| } _ZN5Botan12SolinasAccumImLm6EE11final_carryEl: 68| 184k| constexpr W final_carry(int64_t C) { 69| 184k| m_S += C; 70| 184k| BOTAN_DEBUG_ASSERT(m_S >= 0); ------------------ | | 130| 184k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 184k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 184k] | | ------------------ ------------------ 71| 184k| return static_cast(m_S); 72| 184k| } _ZN5Botan20solinas_correct_redcILm6ETkNS_8WordTypeEmEEvRNSt3__15arrayIT0_XT_EEERKS4_S7_: 84| 184k|constexpr inline void solinas_correct_redc(std::array& r, const std::array& P, const std::array& C) { 85| 184k| W borrow = 0; 86| 1.29M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (86:22): [True: 1.10M, False: 184k] ------------------ 87| 1.10M| r[i] = word_sub(r[i], C[i], &borrow); 88| 1.10M| } 89| | 90| | // borrow is either 0 or 1, perfect for setting up a mask without extra work 91| 184k| const W mask = CT::value_barrier(0 - borrow); 92| | 93| 184k| W carry = 0; 94| | 95| 1.29M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (95:22): [True: 1.10M, False: 184k] ------------------ 96| 1.10M| r[i] = word_add(r[i], P[i] & mask, &carry); 97| 1.10M| } 98| 184k|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm4EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 123k| -> std::array { 111| 123k| static_assert(N >= 1); 112| | 113| 123k| std::array ws; // NOLINT(*-member-init) 114| 123k| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 123k| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 123k, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| 123k| if constexpr(N == 4) { 120| 123k| bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| 123k| return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| | } else if constexpr(N == 16) { 132| | bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| | return r; 134| | } 135| 123k| } 136| | 137| 0| word3 accum; 138| | 139| 123k| accum.add(z[0]); 140| | 141| 123k| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 123k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 0, False: 123k] ------------------ 144| 0| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 0, False: 0] ------------------ 145| 0| accum.mul(ws[j], p[i - j]); 146| 0| } 147| | 148| 0| accum.add(z[i]); 149| | 150| 0| ws[i] = accum.monty_step(p[0], p_dash); 151| 0| } 152| | 153| 123k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 0, False: 123k] ------------------ 154| 0| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 0, False: 0] ------------------ 155| 0| accum.mul(ws[j], p[N + i - j]); 156| 0| } 157| | 158| 0| accum.add(z[N + i]); 159| | 160| 0| ws[i] = accum.extract(); 161| 0| } 162| | 163| 123k| accum.add(z[2 * N - 1]); 164| | 165| 123k| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 123k| const W w1 = accum.extract(); 168| | 169| 123k| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 123k| return r; 172| 123k|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm4ELm32EEEDaNSt3__14spanIKhXT1_EEE: 287| 484|inline constexpr auto bytes_to_words(std::span bytes) { 288| 484| static_assert(L <= WordInfo::bytes * N); 289| | 290| 484| std::array r = {}; 291| | 292| 484| constexpr size_t full_words = L / WordInfo::bytes; 293| 484| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 484| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 2.42k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 1.93k, False: 484] ------------------ 298| 1.93k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 1.93k| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 484| return r; 312| 484|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm8ELm64EEEDaNSt3__14spanIKhXT1_EEE: 287| 144|inline constexpr auto bytes_to_words(std::span bytes) { 288| 144| static_assert(L <= WordInfo::bytes * N); 289| | 290| 144| std::array r = {}; 291| | 292| 144| constexpr size_t full_words = L / WordInfo::bytes; 293| 144| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 144| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 1.29k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 1.15k, False: 144] ------------------ 298| 1.15k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 1.15k| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 144| return r; 312| 144|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm6EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 210k| -> std::array { 111| 210k| static_assert(N >= 1); 112| | 113| 210k| std::array ws; // NOLINT(*-member-init) 114| 210k| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 210k| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 210k, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| 210k| } else if constexpr(N == 6) { 123| 210k| bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| 210k| return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| | } else if constexpr(N == 16) { 132| | bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| | return r; 134| | } 135| 210k| } 136| | 137| 0| word3 accum; 138| | 139| 210k| accum.add(z[0]); 140| | 141| 210k| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 210k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 0, False: 210k] ------------------ 144| 0| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 0, False: 0] ------------------ 145| 0| accum.mul(ws[j], p[i - j]); 146| 0| } 147| | 148| 0| accum.add(z[i]); 149| | 150| 0| ws[i] = accum.monty_step(p[0], p_dash); 151| 0| } 152| | 153| 210k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 0, False: 210k] ------------------ 154| 0| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 0, False: 0] ------------------ 155| 0| accum.mul(ws[j], p[N + i - j]); 156| 0| } 157| | 158| 0| accum.add(z[N + i]); 159| | 160| 0| ws[i] = accum.extract(); 161| 0| } 162| | 163| 210k| accum.add(z[2 * N - 1]); 164| | 165| 210k| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 210k| const W w1 = accum.extract(); 168| | 169| 210k| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 210k| return r; 172| 210k|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm6ELm48EEEDaNSt3__14spanIKhXT1_EEE: 287| 299|inline constexpr auto bytes_to_words(std::span bytes) { 288| 299| static_assert(L <= WordInfo::bytes * N); 289| | 290| 299| std::array r = {}; 291| | 292| 299| constexpr size_t full_words = L / WordInfo::bytes; 293| 299| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 299| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 2.09k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 1.79k, False: 299] ------------------ 298| 1.79k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 1.79k| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 299| return r; 312| 299|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm8EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 280k| -> std::array { 111| 280k| static_assert(N >= 1); 112| | 113| 280k| std::array ws; // NOLINT(*-member-init) 114| 280k| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 280k| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 280k, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| 280k| } else if constexpr(N == 8) { 126| 280k| bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| 280k| return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| | } else if constexpr(N == 16) { 132| | bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| | return r; 134| | } 135| 280k| } 136| | 137| 0| word3 accum; 138| | 139| 280k| accum.add(z[0]); 140| | 141| 280k| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 280k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 0, False: 280k] ------------------ 144| 0| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 0, False: 0] ------------------ 145| 0| accum.mul(ws[j], p[i - j]); 146| 0| } 147| | 148| 0| accum.add(z[i]); 149| | 150| 0| ws[i] = accum.monty_step(p[0], p_dash); 151| 0| } 152| | 153| 280k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 0, False: 280k] ------------------ 154| 0| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 0, False: 0] ------------------ 155| 0| accum.mul(ws[j], p[N + i - j]); 156| 0| } 157| | 158| 0| accum.add(z[N + i]); 159| | 160| 0| ws[i] = accum.extract(); 161| 0| } 162| | 163| 280k| accum.add(z[2 * N - 1]); 164| | 165| 280k| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 280k| const W w1 = accum.extract(); 168| | 169| 280k| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 280k| return r; 172| 280k|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm3EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 586| -> std::array { 111| 586| static_assert(N >= 1); 112| | 113| 586| std::array ws; // NOLINT(*-member-init) 114| 586| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 586| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 586, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| 586| } else if constexpr(N == 16) { 132| 586| bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| 586| return r; 134| 586| } 135| 586| } 136| | 137| 586| word3 accum; 138| | 139| 586| accum.add(z[0]); 140| | 141| 586| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 1.75k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 1.17k, False: 586] ------------------ 144| 2.93k| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 1.75k, False: 1.17k] ------------------ 145| 1.75k| accum.mul(ws[j], p[i - j]); 146| 1.75k| } 147| | 148| 1.17k| accum.add(z[i]); 149| | 150| 1.17k| ws[i] = accum.monty_step(p[0], p_dash); 151| 1.17k| } 152| | 153| 1.75k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 1.17k, False: 586] ------------------ 154| 2.93k| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 1.75k, False: 1.17k] ------------------ 155| 1.75k| accum.mul(ws[j], p[N + i - j]); 156| 1.75k| } 157| | 158| 1.17k| accum.add(z[N + i]); 159| | 160| 1.17k| ws[i] = accum.extract(); 161| 1.17k| } 162| | 163| 586| accum.add(z[2 * N - 1]); 164| | 165| 586| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 586| const W w1 = accum.extract(); 168| | 169| 586| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 586| return r; 172| 586|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm3ELm24EEEDaNSt3__14spanIKhXT1_EEE: 287| 196|inline constexpr auto bytes_to_words(std::span bytes) { 288| 196| static_assert(L <= WordInfo::bytes * N); 289| | 290| 196| std::array r = {}; 291| | 292| 196| constexpr size_t full_words = L / WordInfo::bytes; 293| 196| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 196| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 784| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 588, False: 196] ------------------ 298| 588| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 588| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 196| return r; 312| 196|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm4ELm28EEEDaNSt3__14spanIKhXT1_EEE: 287| 307|inline constexpr auto bytes_to_words(std::span bytes) { 288| 307| static_assert(L <= WordInfo::bytes * N); 289| | 290| 307| std::array r = {}; 291| | 292| 307| constexpr size_t full_words = L / WordInfo::bytes; 293| 307| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 307| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 1.22k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 921, False: 307] ------------------ 298| 921| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 921| } 300| | 301| 307| if constexpr(extra_bytes > 0) { 302| 307| constexpr size_t shift = extra_bytes * 8; 303| 307| shift_left(r); 304| | 305| 1.53k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (305:25): [True: 1.22k, False: 307] ------------------ 306| 1.22k| const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| 1.22k| r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| 1.22k| } 309| 307| } 310| | 311| 307| return r; 312| 307|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm9EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 515| -> std::array { 111| 515| static_assert(N >= 1); 112| | 113| 515| std::array ws; // NOLINT(*-member-init) 114| 515| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 515| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 515, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| 515| } else if constexpr(N == 16) { 132| 515| bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| 515| return r; 134| 515| } 135| 515| } 136| | 137| 515| word3 accum; 138| | 139| 515| accum.add(z[0]); 140| | 141| 515| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 4.63k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 4.12k, False: 515] ------------------ 144| 22.6k| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 18.5k, False: 4.12k] ------------------ 145| 18.5k| accum.mul(ws[j], p[i - j]); 146| 18.5k| } 147| | 148| 4.12k| accum.add(z[i]); 149| | 150| 4.12k| ws[i] = accum.monty_step(p[0], p_dash); 151| 4.12k| } 152| | 153| 4.63k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 4.12k, False: 515] ------------------ 154| 22.6k| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 18.5k, False: 4.12k] ------------------ 155| 18.5k| accum.mul(ws[j], p[N + i - j]); 156| 18.5k| } 157| | 158| 4.12k| accum.add(z[N + i]); 159| | 160| 4.12k| ws[i] = accum.extract(); 161| 4.12k| } 162| | 163| 515| accum.add(z[2 * N - 1]); 164| | 165| 515| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 515| const W w1 = accum.extract(); 168| | 169| 515| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 515| return r; 172| 515|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm9ELm66EEEDaNSt3__14spanIKhXT1_EEE: 287| 338|inline constexpr auto bytes_to_words(std::span bytes) { 288| 338| static_assert(L <= WordInfo::bytes * N); 289| | 290| 338| std::array r = {}; 291| | 292| 338| constexpr size_t full_words = L / WordInfo::bytes; 293| 338| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 338| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 3.04k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 2.70k, False: 338] ------------------ 298| 2.70k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 2.70k| } 300| | 301| 338| if constexpr(extra_bytes > 0) { 302| 338| constexpr size_t shift = extra_bytes * 8; 303| 338| shift_left(r); 304| | 305| 1.01k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (305:25): [True: 676, False: 338] ------------------ 306| 676| const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| 676| r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| 676| } 309| 338| } 310| | 311| 338| return r; 312| 338|} pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE8instanceEv: 338| 1.17k| static std::shared_ptr instance() { 339| 1.17k| static auto g_curve = std::make_shared>(); 340| 1.17k| return g_curve; 341| 1.17k| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE19field_element_bytesEv: 36| 228| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 114| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 114| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 114| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 114| auto x_w = pt.x().template stash_value(); 372| 114| auto y_w = pt.y().template stash_value(); 373| 114| auto z_w = pt.z().template stash_value(); 374| 114| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 360| static typename C::Scalar from_stash(const Scalar& s) { 349| 360| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 360] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 360| return C::Scalar::from_stash(s._value()); 353| 360| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEE: 344| 123| static Scalar stash(const typename C::Scalar& s) { 345| 123| return Scalar::_create(instance(), s.template stash_value()); 346| 123| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 228| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 228| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 228] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 228| auto x = C::FieldElement::from_stash(pt._x()); 366| 228| auto y = C::FieldElement::from_stash(pt._y()); 367| 228| return typename C::AffinePoint(x, y); 368| 228| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 114| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 114| auto x_w = pt.x().template stash_value(); 357| 114| auto y_w = pt.y().template stash_value(); 358| 114| return AffinePoint::_create(instance(), x_w, y_w); 359| 114| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 9| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 9| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 9] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 9| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 9| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 9| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 9| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 9] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 9| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 9] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 9| return {}; 278| 9| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 124| std::optional deserialize_scalar(std::span bytes) const override { 225| 124| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 124, False: 0] ------------------ 226| 124| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 123, False: 1] ------------------ 227| 123| return stash(*scalar); 228| 123| } 229| 124| } 230| | 231| 1| return {}; 232| 124| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 114| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 114| auto affine = to_affine(from_stash(pt)); 194| | 195| 114| const auto y2 = affine.y().square(); 196| 114| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 114| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 114| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 114| do { \ | | 65| 114| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 114| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 114] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 114| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 114] | | ------------------ ------------------ 200| | 201| 114| return stash(affine); 202| 114| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 114| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 114| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 114] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 114| auto x = C::FieldElement::from_stash(pt._x()); 382| 114| auto y = C::FieldElement::from_stash(pt._y()); 383| 114| auto z = C::FieldElement::from_stash(pt._z()); 384| 114| return typename C::ProjectivePoint(x, y, z); 385| 114| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 114| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 114| return from_stash(pt).is_identity().as_bool(); 212| 114| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 114| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 114| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 114| do { \ | | 36| 114| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 114| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 114] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 114| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 114] | | ------------------ ------------------ 216| 114| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 114| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 123| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 123| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 123| do { \ | | 36| 123| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 123| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 123] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 123| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 123] | | ------------------ ------------------ 221| 123| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 123| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 123| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE8instanceEv: 338| 1.44k| static std::shared_ptr instance() { 339| 1.44k| static auto g_curve = std::make_shared>(); 340| 1.44k| return g_curve; 341| 1.44k| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE19field_element_bytesEv: 36| 274| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 137| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 137| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 137| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 137| auto x_w = pt.x().template stash_value(); 372| 137| auto y_w = pt.y().template stash_value(); 373| 137| auto z_w = pt.z().template stash_value(); 374| 137| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 447| static typename C::Scalar from_stash(const Scalar& s) { 349| 447| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 447] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 447| return C::Scalar::from_stash(s._value()); 353| 447| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEE: 344| 155| static Scalar stash(const typename C::Scalar& s) { 345| 155| return Scalar::_create(instance(), s.template stash_value()); 346| 155| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 274| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 274| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 274] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 274| auto x = C::FieldElement::from_stash(pt._x()); 366| 274| auto y = C::FieldElement::from_stash(pt._y()); 367| 274| return typename C::AffinePoint(x, y); 368| 274| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 137| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 137| auto x_w = pt.x().template stash_value(); 357| 137| auto y_w = pt.y().template stash_value(); 358| 137| return AffinePoint::_create(instance(), x_w, y_w); 359| 137| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 18| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 18| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 18] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 18| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 18| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 18| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 18| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 18] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 18| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 18] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 18| return {}; 278| 18| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 156| std::optional deserialize_scalar(std::span bytes) const override { 225| 156| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 156, False: 0] ------------------ 226| 156| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 155, False: 1] ------------------ 227| 155| return stash(*scalar); 228| 155| } 229| 156| } 230| | 231| 1| return {}; 232| 156| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 137| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 137| auto affine = to_affine(from_stash(pt)); 194| | 195| 137| const auto y2 = affine.y().square(); 196| 137| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 137| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 137| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 137| do { \ | | 65| 137| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 137| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 137] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 137| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 137] | | ------------------ ------------------ 200| | 201| 137| return stash(affine); 202| 137| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 137| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 137| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 137] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 137| auto x = C::FieldElement::from_stash(pt._x()); 382| 137| auto y = C::FieldElement::from_stash(pt._y()); 383| 137| auto z = C::FieldElement::from_stash(pt._z()); 384| 137| return typename C::ProjectivePoint(x, y, z); 385| 137| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 137| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 137| return from_stash(pt).is_identity().as_bool(); 212| 137| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 137| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 137| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 137| do { \ | | 36| 137| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 137| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 137] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 137| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 137] | | ------------------ ------------------ 216| 137| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 137| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 155| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 155| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 155| do { \ | | 36| 155| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 155| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 155] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 155| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 155] | | ------------------ ------------------ 221| 155| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 155| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 155| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE8instanceEv: 338| 1.39k| static std::shared_ptr instance() { 339| 1.39k| static auto g_curve = std::make_shared>(); 340| 1.39k| return g_curve; 341| 1.39k| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE19field_element_bytesEv: 36| 276| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 138| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 138| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 138| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 138| auto x_w = pt.x().template stash_value(); 372| 138| auto y_w = pt.y().template stash_value(); 373| 138| auto z_w = pt.z().template stash_value(); 374| 138| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 422| static typename C::Scalar from_stash(const Scalar& s) { 349| 422| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 422] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 422| return C::Scalar::from_stash(s._value()); 353| 422| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEE: 344| 142| static Scalar stash(const typename C::Scalar& s) { 345| 142| return Scalar::_create(instance(), s.template stash_value()); 346| 142| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 276| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 276| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 276] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 276| auto x = C::FieldElement::from_stash(pt._x()); 366| 276| auto y = C::FieldElement::from_stash(pt._y()); 367| 276| return typename C::AffinePoint(x, y); 368| 276| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 138| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 138| auto x_w = pt.x().template stash_value(); 357| 138| auto y_w = pt.y().template stash_value(); 358| 138| return AffinePoint::_create(instance(), x_w, y_w); 359| 138| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 4| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 4| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 4] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 4| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 4| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 4| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 4| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 4] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 4| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 4] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 4| return {}; 278| 4| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 144| std::optional deserialize_scalar(std::span bytes) const override { 225| 144| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 144, False: 0] ------------------ 226| 144| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 142, False: 2] ------------------ 227| 142| return stash(*scalar); 228| 142| } 229| 144| } 230| | 231| 2| return {}; 232| 144| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 138| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 138| auto affine = to_affine(from_stash(pt)); 194| | 195| 138| const auto y2 = affine.y().square(); 196| 138| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 138| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 138| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 138| do { \ | | 65| 138| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 138| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 138] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 138| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 138] | | ------------------ ------------------ 200| | 201| 138| return stash(affine); 202| 138| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 138| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 138| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 138] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 138| auto x = C::FieldElement::from_stash(pt._x()); 382| 138| auto y = C::FieldElement::from_stash(pt._y()); 383| 138| auto z = C::FieldElement::from_stash(pt._z()); 384| 138| return typename C::ProjectivePoint(x, y, z); 385| 138| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 138| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 138| return from_stash(pt).is_identity().as_bool(); 212| 138| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 138| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 138| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 138| do { \ | | 36| 138| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 138| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 138] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 138| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 138] | | ------------------ ------------------ 216| 138| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 138| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 142| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 142| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 142| do { \ | | 36| 142| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 142| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 142] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 142| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 142] | | ------------------ ------------------ 221| 142| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 142| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 142| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE8instanceEv: 338| 1.95k| static std::shared_ptr instance() { 339| 1.95k| static auto g_curve = std::make_shared>(); 340| 1.95k| return g_curve; 341| 1.95k| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE19field_element_bytesEv: 36| 390| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 195| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 195| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 195| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_12Secp192r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 195| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 195| auto x_w = pt.x().template stash_value(); 372| 195| auto y_w = pt.y().template stash_value(); 373| 195| auto z_w = pt.z().template stash_value(); 374| 195| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 195| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 585| static typename C::Scalar from_stash(const Scalar& s) { 349| 585| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 585] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 585| return C::Scalar::from_stash(s._value()); 353| 585| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp192r1RepEE12ScalarParamsEEEEE: 344| 195| static Scalar stash(const typename C::Scalar& s) { 345| 195| return Scalar::_create(instance(), s.template stash_value()); 346| 195| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 390| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 390| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 390] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 390| auto x = C::FieldElement::from_stash(pt._x()); 366| 390| auto y = C::FieldElement::from_stash(pt._y()); 367| 390| return typename C::AffinePoint(x, y); 368| 390| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_12Secp192r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 195| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 195| auto x_w = pt.x().template stash_value(); 357| 195| auto y_w = pt.y().template stash_value(); 358| 195| return AffinePoint::_create(instance(), x_w, y_w); 359| 195| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 196| std::optional deserialize_scalar(std::span bytes) const override { 225| 196| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 196, False: 0] ------------------ 226| 196| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 195, False: 1] ------------------ 227| 195| return stash(*scalar); 228| 195| } 229| 196| } 230| | 231| 1| return {}; 232| 196| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 195| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 195| auto affine = to_affine(from_stash(pt)); 194| | 195| 195| const auto y2 = affine.y().square(); 196| 195| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 195| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 195| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 195| do { \ | | 65| 195| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 195| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 195] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 195| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 195] | | ------------------ ------------------ 200| | 201| 195| return stash(affine); 202| 195| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 195| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 195| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 195] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 195| auto x = C::FieldElement::from_stash(pt._x()); 382| 195| auto y = C::FieldElement::from_stash(pt._y()); 383| 195| auto z = C::FieldElement::from_stash(pt._z()); 384| 195| return typename C::ProjectivePoint(x, y, z); 385| 195| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 195| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 195| return from_stash(pt).is_identity().as_bool(); 212| 195| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 195| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 195| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 195| do { \ | | 36| 195| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 195| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 195] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 195| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 195] | | ------------------ ------------------ 216| 195| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 195| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 195| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 195| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 195| do { \ | | 36| 195| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 195| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 195] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 195| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 195] | | ------------------ ------------------ 221| 195| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 195| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 195| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE8instanceEv: 338| 1.58k| static std::shared_ptr instance() { 339| 1.58k| static auto g_curve = std::make_shared>(); 340| 1.58k| return g_curve; 341| 1.58k| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE19field_element_bytesEv: 36| 264| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 131| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 131| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 131| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_12Secp224r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 131| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 131| auto x_w = pt.x().template stash_value(); 372| 131| auto y_w = pt.y().template stash_value(); 373| 131| auto z_w = pt.z().template stash_value(); 374| 131| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 131| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 517| static typename C::Scalar from_stash(const Scalar& s) { 349| 517| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 517] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 517| return C::Scalar::from_stash(s._value()); 353| 517| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp224r1RepEE12ScalarParamsEEEEE: 344| 193| static Scalar stash(const typename C::Scalar& s) { 345| 193| return Scalar::_create(instance(), s.template stash_value()); 346| 193| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 264| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 264| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 264] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 264| auto x = C::FieldElement::from_stash(pt._x()); 366| 264| auto y = C::FieldElement::from_stash(pt._y()); 367| 264| return typename C::AffinePoint(x, y); 368| 264| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_12Secp224r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 132| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 132| auto x_w = pt.x().template stash_value(); 357| 132| auto y_w = pt.y().template stash_value(); 358| 132| return AffinePoint::_create(instance(), x_w, y_w); 359| 132| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 62| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 62| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 62] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 62| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 62| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 62| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 62| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 62, False: 0] | Branch (253:50): [True: 56, False: 6] ------------------ 254| 56| const auto encoded_point = bytes.subspan(1); 255| 56| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 56| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 56| if(x && y) { ------------------ | Branch (258:16): [True: 55, False: 1] | Branch (258:21): [True: 53, False: 2] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 53| const auto lhs = (*y).square(); 261| 53| const auto rhs = C::x3_ax_b(*x); 262| 53| const auto valid = (lhs == rhs); 263| 53| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 1, False: 52] ------------------ 264| 1| return stash(typename C::AffinePoint(*x, *y)); 265| 1| } 266| 53| } 267| 56| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 6] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 61| return {}; 278| 62| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 195| std::optional deserialize_scalar(std::span bytes) const override { 225| 195| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 194, False: 1] ------------------ 226| 194| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 193, False: 1] ------------------ 227| 193| return stash(*scalar); 228| 193| } 229| 194| } 230| | 231| 2| return {}; 232| 195| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 131| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 131| auto affine = to_affine(from_stash(pt)); 194| | 195| 131| const auto y2 = affine.y().square(); 196| 131| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 131| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 131| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 131| do { \ | | 65| 131| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 131| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 131] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 131| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 131] | | ------------------ ------------------ 200| | 201| 131| return stash(affine); 202| 131| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 131| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 131| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 131] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 131| auto x = C::FieldElement::from_stash(pt._x()); 382| 131| auto y = C::FieldElement::from_stash(pt._y()); 383| 131| auto z = C::FieldElement::from_stash(pt._z()); 384| 131| return typename C::ProjectivePoint(x, y, z); 385| 131| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 132| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 132| return from_stash(pt).is_identity().as_bool(); 212| 132| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 132| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 132| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 132| do { \ | | 36| 132| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 132| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 132] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 132| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 132] | | ------------------ ------------------ 216| 132| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 132| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 193| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 193| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 193| do { \ | | 36| 193| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 193| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 193] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 193| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 193] | | ------------------ ------------------ 221| 193| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 193| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 193| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE8instanceEv: 338| 1.42k| static std::shared_ptr instance() { 339| 1.42k| static auto g_curve = std::make_shared>(); 340| 1.42k| return g_curve; 341| 1.42k| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE19field_element_bytesEv: 36| 268| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 134| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 134| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 134| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_12Secp256k1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 134| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 134| auto x_w = pt.x().template stash_value(); 372| 134| auto y_w = pt.y().template stash_value(); 373| 134| auto z_w = pt.z().template stash_value(); 374| 134| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 134| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 442| static typename C::Scalar from_stash(const Scalar& s) { 349| 442| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 442] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 442| return C::Scalar::from_stash(s._value()); 353| 442| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp256k1RepEE12ScalarParamsEEEEE: 344| 154| static Scalar stash(const typename C::Scalar& s) { 345| 154| return Scalar::_create(instance(), s.template stash_value()); 346| 154| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 268| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 268| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 268] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 268| auto x = C::FieldElement::from_stash(pt._x()); 366| 268| auto y = C::FieldElement::from_stash(pt._y()); 367| 268| return typename C::AffinePoint(x, y); 368| 268| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_12Secp256k1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 134| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 134| auto x_w = pt.x().template stash_value(); 357| 134| auto y_w = pt.y().template stash_value(); 358| 134| return AffinePoint::_create(instance(), x_w, y_w); 359| 134| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 20| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 20| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 20] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 20| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 20| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 20| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 20| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 20] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 20| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 20] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 20| return {}; 278| 20| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 155| std::optional deserialize_scalar(std::span bytes) const override { 225| 155| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 155, False: 0] ------------------ 226| 155| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 154, False: 1] ------------------ 227| 154| return stash(*scalar); 228| 154| } 229| 155| } 230| | 231| 1| return {}; 232| 155| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 134| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 134| auto affine = to_affine(from_stash(pt)); 194| | 195| 134| const auto y2 = affine.y().square(); 196| 134| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 134| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 134| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 134| do { \ | | 65| 134| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 134| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 134] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 134| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 134] | | ------------------ ------------------ 200| | 201| 134| return stash(affine); 202| 134| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 134| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 134| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 134] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 134| auto x = C::FieldElement::from_stash(pt._x()); 382| 134| auto y = C::FieldElement::from_stash(pt._y()); 383| 134| auto z = C::FieldElement::from_stash(pt._z()); 384| 134| return typename C::ProjectivePoint(x, y, z); 385| 134| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 134| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 134| return from_stash(pt).is_identity().as_bool(); 212| 134| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 134| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 134| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 134| do { \ | | 36| 134| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 134| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 134] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 134| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 134] | | ------------------ ------------------ 216| 134| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 134| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 154| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 154| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 154| do { \ | | 36| 154| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 154| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 154] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 154| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 154] | | ------------------ ------------------ 221| 154| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 154| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 154| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE8instanceEv: 338| 1.81k| static std::shared_ptr instance() { 339| 1.81k| static auto g_curve = std::make_shared>(); 340| 1.81k| return g_curve; 341| 1.81k| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE19field_element_bytesEv: 36| 318| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 159| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 159| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 159| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS2_12Secp256r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 159| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 159| auto x_w = pt.x().template stash_value(); 372| 159| auto y_w = pt.y().template stash_value(); 373| 159| auto z_w = pt.z().template stash_value(); 374| 159| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 159| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 567| static typename C::Scalar from_stash(const Scalar& s) { 349| 567| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 567] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 567| return C::Scalar::from_stash(s._value()); 353| 567| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp256r1RepEE12ScalarParamsEEEEE: 344| 204| static Scalar stash(const typename C::Scalar& s) { 345| 204| return Scalar::_create(instance(), s.template stash_value()); 346| 204| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 318| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 318| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 318] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 318| auto x = C::FieldElement::from_stash(pt._x()); 366| 318| auto y = C::FieldElement::from_stash(pt._y()); 367| 318| return typename C::AffinePoint(x, y); 368| 318| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS2_12Secp256r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 159| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 159| auto x_w = pt.x().template stash_value(); 357| 159| auto y_w = pt.y().template stash_value(); 358| 159| return AffinePoint::_create(instance(), x_w, y_w); 359| 159| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 45| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 45| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 45] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 45| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 45| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 45| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 45| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 45] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 45| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 45] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 45| return {}; 278| 45| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 205| std::optional deserialize_scalar(std::span bytes) const override { 225| 205| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 205, False: 0] ------------------ 226| 205| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 204, False: 1] ------------------ 227| 204| return stash(*scalar); 228| 204| } 229| 205| } 230| | 231| 1| return {}; 232| 205| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 159| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 159| auto affine = to_affine(from_stash(pt)); 194| | 195| 159| const auto y2 = affine.y().square(); 196| 159| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 159| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 159| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 159| do { \ | | 65| 159| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 159| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 159] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 159| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 159] | | ------------------ ------------------ 200| | 201| 159| return stash(affine); 202| 159| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 159| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 159| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 159] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 159| auto x = C::FieldElement::from_stash(pt._x()); 382| 159| auto y = C::FieldElement::from_stash(pt._y()); 383| 159| auto z = C::FieldElement::from_stash(pt._z()); 384| 159| return typename C::ProjectivePoint(x, y, z); 385| 159| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 159| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 159| return from_stash(pt).is_identity().as_bool(); 212| 159| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 159| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 159| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 159| do { \ | | 36| 159| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 159| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 159] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 159| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 159] | | ------------------ ------------------ 216| 159| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 159| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 204| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 204| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 204| do { \ | | 36| 204| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 204| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 204] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 204| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 204] | | ------------------ ------------------ 221| 204| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 204| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 204| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE8instanceEv: 338| 1.33k| static std::shared_ptr instance() { 339| 1.33k| static auto g_curve = std::make_shared>(); 340| 1.33k| return g_curve; 341| 1.33k| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE19field_element_bytesEv: 36| 254| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 127| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 127| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 127| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS2_12Secp384r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 127| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 127| auto x_w = pt.x().template stash_value(); 372| 127| auto y_w = pt.y().template stash_value(); 373| 127| auto z_w = pt.z().template stash_value(); 374| 127| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 127| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 411| static typename C::Scalar from_stash(const Scalar& s) { 349| 411| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 411] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 411| return C::Scalar::from_stash(s._value()); 353| 411| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp384r1RepEE12ScalarParamsEEEEE: 344| 142| static Scalar stash(const typename C::Scalar& s) { 345| 142| return Scalar::_create(instance(), s.template stash_value()); 346| 142| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 254| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 254| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 254] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 254| auto x = C::FieldElement::from_stash(pt._x()); 366| 254| auto y = C::FieldElement::from_stash(pt._y()); 367| 254| return typename C::AffinePoint(x, y); 368| 254| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS2_12Secp384r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 127| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 127| auto x_w = pt.x().template stash_value(); 357| 127| auto y_w = pt.y().template stash_value(); 358| 127| return AffinePoint::_create(instance(), x_w, y_w); 359| 127| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 15| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 15| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 15] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 15| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 15| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 15| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 15| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 15] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 15| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 15] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 15| return {}; 278| 15| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 143| std::optional deserialize_scalar(std::span bytes) const override { 225| 143| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 143, False: 0] ------------------ 226| 143| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 142, False: 1] ------------------ 227| 142| return stash(*scalar); 228| 142| } 229| 143| } 230| | 231| 1| return {}; 232| 143| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 127| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 127| auto affine = to_affine(from_stash(pt)); 194| | 195| 127| const auto y2 = affine.y().square(); 196| 127| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 127| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 127| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 127| do { \ | | 65| 127| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 127| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 127] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 127| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 127] | | ------------------ ------------------ 200| | 201| 127| return stash(affine); 202| 127| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 127| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 127| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 127] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 127| auto x = C::FieldElement::from_stash(pt._x()); 382| 127| auto y = C::FieldElement::from_stash(pt._y()); 383| 127| auto z = C::FieldElement::from_stash(pt._z()); 384| 127| return typename C::ProjectivePoint(x, y, z); 385| 127| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 127| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 127| return from_stash(pt).is_identity().as_bool(); 212| 127| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 127| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 127| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 127| do { \ | | 36| 127| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 127| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 127] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 127| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 127] | | ------------------ ------------------ 216| 127| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 127| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 142| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 142| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 142| do { \ | | 36| 142| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 142| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 142] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 142| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 142] | | ------------------ ------------------ 221| 142| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 142| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 142| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE8instanceEv: 338| 1.57k| static std::shared_ptr instance() { 339| 1.57k| static auto g_curve = std::make_shared>(); 340| 1.57k| return g_curve; 341| 1.57k| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE19field_element_bytesEv: 36| 230| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 114| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 114| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 114| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_7P521RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 114| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 114| auto x_w = pt.x().template stash_value(); 372| 114| auto y_w = pt.y().template stash_value(); 373| 114| auto z_w = pt.z().template stash_value(); 374| 114| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 114| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 514| static typename C::Scalar from_stash(const Scalar& s) { 349| 514| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 514] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 514| return C::Scalar::from_stash(s._value()); 353| 514| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_7P521RepEE12ScalarParamsEEEEE: 344| 200| static Scalar stash(const typename C::Scalar& s) { 345| 200| return Scalar::_create(instance(), s.template stash_value()); 346| 200| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 230| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 230| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 230] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 230| auto x = C::FieldElement::from_stash(pt._x()); 366| 230| auto y = C::FieldElement::from_stash(pt._y()); 367| 230| return typename C::AffinePoint(x, y); 368| 230| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_7P521RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 115| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 115| auto x_w = pt.x().template stash_value(); 357| 115| auto y_w = pt.y().template stash_value(); 358| 115| return AffinePoint::_create(instance(), x_w, y_w); 359| 115| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 86| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 86| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 86] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 86| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 86| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 86| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 86| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 73, False: 13] | Branch (253:50): [True: 68, False: 5] ------------------ 254| 68| const auto encoded_point = bytes.subspan(1); 255| 68| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 68| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 68| if(x && y) { ------------------ | Branch (258:16): [True: 66, False: 2] | Branch (258:21): [True: 62, False: 4] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 62| const auto lhs = (*y).square(); 261| 62| const auto rhs = C::x3_ax_b(*x); 262| 62| const auto valid = (lhs == rhs); 263| 62| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 1, False: 61] ------------------ 264| 1| return stash(typename C::AffinePoint(*x, *y)); 265| 1| } 266| 62| } 267| 68| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 18] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 85| return {}; 278| 86| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 202| std::optional deserialize_scalar(std::span bytes) const override { 225| 202| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 201, False: 1] ------------------ 226| 201| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 200, False: 1] ------------------ 227| 200| return stash(*scalar); 228| 200| } 229| 201| } 230| | 231| 2| return {}; 232| 202| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 114| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 114| auto affine = to_affine(from_stash(pt)); 194| | 195| 114| const auto y2 = affine.y().square(); 196| 114| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 114| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 114| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 114| do { \ | | 65| 114| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 114| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 114] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 114| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 114] | | ------------------ ------------------ 200| | 201| 114| return stash(affine); 202| 114| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 114| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 114| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 114] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 114| auto x = C::FieldElement::from_stash(pt._x()); 382| 114| auto y = C::FieldElement::from_stash(pt._y()); 383| 114| auto z = C::FieldElement::from_stash(pt._z()); 384| 114| return typename C::ProjectivePoint(x, y, z); 385| 114| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 115| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 115| return from_stash(pt).is_identity().as_bool(); 212| 115| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 115| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 115| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 115| do { \ | | 36| 115| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 115| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 115] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 115| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 115] | | ------------------ ------------------ 216| 115| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 115| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 200| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 200| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 200| do { \ | | 36| 200| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 200| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 200] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 200| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 200] | | ------------------ ------------------ 221| 200| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 200| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 200| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2EOS4_: 409| 912| PolynomialVector(ThisPolynomialVector&& other) noexcept = default; _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE4sizeEv: 414| 856| size_t size() const { return m_vec.size(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EED2Ev: 412| 1.36k| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EED2Ev: 274| 8.36k| ~Polynomial() = default; _ZN5Botan8CRYSTALS3nttITkNS0_14crystals_traitENS_19DilithiumPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEENS3_IS4_LS5_0EEE: 574| 76|PolynomialVector ntt(PolynomialVector polyvec) { 575| 76| auto polyvec_ntt = detail::domain_cast(std::move(polyvec)); 576| 412| for(auto& poly : polyvec_ntt) { ------------------ | Branch (576:19): [True: 412, False: 76] ------------------ 577| 412| Trait::ntt(poly.coefficients()); 578| 412| } 579| 76| return polyvec_ntt; 580| 76|} _ZN5Botan8CRYSTALS6detail11domain_castILNS0_6DomainE1ETtTyTnS3_ENS0_16PolynomialVectorETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELS3_0EQneT_T2_EET0_IT1_XT_EEOS6_IS7_XT2_EE: 163| 76|StructureT domain_cast(StructureT&& p) { 164| | // The public factory method `from_domain_cast` is just a workaround for 165| | // Xcode and NDK not understanding the friend declaration to allow this 166| | // to directly call the private constructor. 167| 76| return StructureT::from_domain_cast(std::move(p)); 168| 76|} _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE16from_domain_castILS3_0EQneT0_TL0__EES4_ONS1_IS2_XT_EEE: 396| 76| static PolynomialVector from_domain_cast(PolynomialVector&& other) { 397| 76| return PolynomialVector(std::move(other)); 398| 76| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2ILS3_0EQneT0_TL0__EEONS1_IS2_XT_EEE: 379| 76| m_polys_storage(std::move(other.m_polys_storage)) { 380| 76| BOTAN_DEBUG_ASSERT(m_polys_storage.size() % Trait::N == 0); ------------------ | | 130| 76| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 76| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 76] | | ------------------ ------------------ 381| 76| const size_t vecsize = m_polys_storage.size() / Trait::N; 382| 488| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (382:28): [True: 412, False: 76] ------------------ 383| 412| m_vec.emplace_back( 384| 412| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 385| 412| } 386| 76| } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2EOS4_: 261| 7.68k| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2ENSt3__14spanIiLm256EEE: 256| 3.57k| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 3.57k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.57k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.57k] | | ------------------ ------------------ _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EED2Ev: 274| 11.2k| ~Polynomial() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE5beginEv: 481| 76| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE3endEv: 485| 76| decltype(auto) end() { return m_vec.end(); } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE5fqmulEii: 96| 1.71M| static constexpr T fqmul(T a, T b) { return DerivedT::montgomery_reduce_coefficient(static_cast(a) * b); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 302| 1.36k| std::span coefficients() { return m_coeffs; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2Em: 401| 380| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 2.63k| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 2.25k, False: 380] ------------------ 403| 2.25k| m_vec.emplace_back( 404| 2.25k| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 2.25k| } 406| 380| } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2EOS4_: 261| 5.63k| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2ENSt3__14spanIiLm256EEE: 256| 2.72k| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 2.72k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.72k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.72k] | | ------------------ ------------------ _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 479| 244k| const Polynomial& operator[](size_t i) const { return m_vec[i]; } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 308| 243k| T operator[](size_t i) const { return m_coeffs[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 477| 243k| Polynomial& operator[](size_t i) { return m_vec[i]; } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 306| 243k| T& operator[](size_t i) { return m_coeffs[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EED2Ev: 412| 704| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEED2Ev: 509| 76| ~PolynomialMatrix() = default; _ZN5Botan8CRYSTALSmlITkNS0_14crystals_traitENS_19DilithiumPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEERKNS0_16PolynomialMatrixIS4_EERKS6_: 618| 76| const PolynomialVector& vec) { 619| 76| PolynomialVector result(mat.size()); 620| 552| for(size_t i = 0; i < mat.size(); ++i) { ------------------ | Branch (620:22): [True: 476, False: 76] ------------------ 621| 476| Trait::polyvec_pointwise_acc_montgomery(result[i].coefficients(), mat[i].coefficients(), vec.coefficients()); 622| 476| } 623| 76| return result; 624| 76|} _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEE4sizeEv: 511| 628| size_t size() const { return m_mat.size(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2Em: 401| 552| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 3.71k| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 3.16k, False: 552] ------------------ 403| 3.16k| m_vec.emplace_back( 404| 3.16k| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 3.16k| } 406| 552| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE32polyvec_pointwise_acc_montgomeryENSt3__14spanIiLm256EEENS6_IKiLm18446744073709551615EEES9_: 131| 476| std::span v) { 132| 476| clear_mem(w); 133| 476| std::array t{}; 134| 3.16k| for(size_t i = 0; i < polys_in_polyvec(u); ++i) { ------------------ | Branch (134:28): [True: 2.68k, False: 476] ------------------ 135| 2.68k| DerivedT::poly_pointwise_montgomery(t, poly_in_polyvec(u, i), poly_in_polyvec(v, i)); 136| 2.68k| poly_add(w, w, t); 137| 2.68k| } 138| 476| barrett_reduce(w); 139| 476| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE16polys_in_polyvecENSt3__14spanIKiLm18446744073709551615EEE: 81| 3.16k| static constexpr size_t polys_in_polyvec(std::span polyvec) { 82| 3.16k| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 3.16k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.16k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.16k] | | ------------------ ------------------ 83| 3.16k| return polyvec.size() / N; 84| 3.16k| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE15poly_in_polyvecIKiQoosr3stdE7same_asINT_1TETL0__Esr3stdE7same_asIKS8_S9_EEENSt3__14spanIS7_Lm256EEENSC_IS7_Lm18446744073709551615EEEm: 89| 5.36k| static constexpr std::span poly_in_polyvec(std::span polyvec, size_t index) { 90| 5.36k| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 5.36k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 5.36k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 5.36k] | | ------------------ ------------------ 91| 5.36k| BOTAN_DEBUG_ASSERT(polyvec.size() / N > index); ------------------ | | 130| 5.36k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 5.36k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 5.36k] | | ------------------ ------------------ 92| 5.36k| auto polyspan = polyvec.subspan(index * N, N); 93| 5.36k| return std::span{polyspan.data(), polyspan.size()}; 94| 5.36k| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE8poly_addENSt3__14spanIiLm256EEENS6_IKiLm256EEES9_: 99| 3.16k| static constexpr void poly_add(std::span result, std::span lhs, std::span rhs) { 100| 812k| for(size_t i = 0; i < N; ++i) { ------------------ | Branch (100:28): [True: 808k, False: 3.16k] ------------------ 101| 808k| result[i] = lhs[i] + rhs[i]; 102| 808k| } 103| 3.16k| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE14barrett_reduceENSt3__14spanIiLm256EEE: 122| 952| constexpr static void barrett_reduce(std::span poly) { 123| 243k| for(auto& coeff : poly) { ------------------ | Branch (123:26): [True: 243k, False: 952] ------------------ 124| 243k| coeff = DerivedT::barrett_reduce_coefficient(coeff); 125| 243k| } 126| 952| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEixEm: 477| 3.16k| Polynomial& operator[](size_t i) { return m_vec[i]; } _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEixEm: 522| 476| const PolynomialVector& operator[](size_t i) const { return m_mat[i]; } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 445| 952| std::span coefficients() const { return m_polys_storage; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE6reduceEv: 463| 76| ThisPolynomialVector& reduce() { 464| 476| for(auto& p : m_vec) { ------------------ | Branch (464:22): [True: 476, False: 76] ------------------ 465| 476| Trait::barrett_reduce(p.coefficients()); 466| 476| } 467| 76| return *this; 468| 76| } _ZN5Botan8CRYSTALS11inverse_nttITkNS0_14crystals_traitENS_19DilithiumPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE0EEENS3_IS4_LS5_1EEE: 583| 76|PolynomialVector inverse_ntt(PolynomialVector polyvec_ntt) { 584| 76| auto polyvec = detail::domain_cast(std::move(polyvec_ntt)); 585| 476| for(auto& poly : polyvec) { ------------------ | Branch (585:19): [True: 476, False: 76] ------------------ 586| 476| Trait::inverse_ntt(poly.coefficients()); 587| 476| } 588| 76| return polyvec; 589| 76|} _ZN5Botan8CRYSTALS6detail11domain_castILNS0_6DomainE0ETtTyTnS3_ENS0_16PolynomialVectorETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELS3_1EQneT_T2_EET0_IT1_XT_EEOS6_IS7_XT2_EE: 163| 76|StructureT domain_cast(StructureT&& p) { 164| | // The public factory method `from_domain_cast` is just a workaround for 165| | // Xcode and NDK not understanding the friend declaration to allow this 166| | // to directly call the private constructor. 167| 76| return StructureT::from_domain_cast(std::move(p)); 168| 76|} _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE16from_domain_castILS3_1EQneT0_TL0__EES4_ONS1_IS2_XT_EEE: 396| 76| static PolynomialVector from_domain_cast(PolynomialVector&& other) { 397| 76| return PolynomialVector(std::move(other)); 398| 76| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2ILS3_1EQneT0_TL0__EEONS1_IS2_XT_EEE: 379| 76| m_polys_storage(std::move(other.m_polys_storage)) { 380| 76| BOTAN_DEBUG_ASSERT(m_polys_storage.size() % Trait::N == 0); ------------------ | | 130| 76| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 76| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 76] | | ------------------ ------------------ 381| 76| const size_t vecsize = m_polys_storage.size() / Trait::N; 382| 552| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (382:28): [True: 476, False: 76] ------------------ 383| 476| m_vec.emplace_back( 384| 476| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 385| 476| } 386| 76| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5beginEv: 481| 228| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE3endEv: 485| 228| decltype(auto) end() { return m_vec.end(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE12coefficientsEv: 302| 1.90k| std::span coefficients() { return m_coeffs; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2EOS4_: 409| 76| PolynomialVector(ThisPolynomialVector&& other) noexcept = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE17conditional_add_qEv: 470| 76| ThisPolynomialVector& conditional_add_q() { 471| 476| for(auto& v : m_vec) { ------------------ | Branch (471:22): [True: 476, False: 76] ------------------ 472| 476| Trait::poly_cadd_q(v.coefficients()); 473| 476| } 474| 76| return *this; 475| 76| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE11poly_cadd_qENSt3__14spanIiLm256EEE: 112| 476| static constexpr void poly_cadd_q(std::span coeffs) { 113| 121k| for(auto& coeff : coeffs) { ------------------ | Branch (113:26): [True: 121k, False: 476] ------------------ 114| 121k| using unsigned_T = std::make_unsigned_t; 115| 121k| const auto is_negative = CT::Mask::expand_top_bit(static_cast(coeff)); 116| 121k| coeff += is_negative.if_set_return(Q); 117| 121k| } 118| 476| } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5cloneEv: 418| 76| ThisPolynomialVector clone() const { 419| 76| ThisPolynomialVector res(size()); 420| | 421| | // The default-constructed PolynomialVector has set up res.m_vec to 422| | // point to res.m_polys_storage. Therefore we can just copy the data 423| | // into res.m_polys_storage to fill the non-owning polynomials. 424| 76| copy_mem(res.m_polys_storage, m_polys_storage); 425| | 426| 76| return res; 427| 76| } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE18_const_time_poisonEv: 330| 888| void _const_time_poison() const { CT::poison(m_coeffs); } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE12coefficientsEv: 304| 476| std::span coefficients() const { return m_coeffs; } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE20_const_time_unpoisonEv: 491| 304| void _const_time_unpoison() const { CT::unpoison_range(m_vec); } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE20_const_time_unpoisonEv: 332| 1.84k| void _const_time_unpoison() const { CT::unpoison(m_coeffs); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEpLERKS4_: 447| 76| ThisPolynomialVector& operator+=(const ThisPolynomialVector& other) { 448| 76| BOTAN_ASSERT(m_vec.size() == other.m_vec.size(), "cannot add polynomial vectors of differing lengths"); ------------------ | | 64| 76| do { \ | | 65| 76| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 76| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 76] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 76| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 76] | | ------------------ ------------------ 449| 552| for(size_t i = 0; i < m_vec.size(); ++i) { ------------------ | Branch (449:28): [True: 476, False: 76] ------------------ 450| 476| Trait::poly_add(m_vec[i].coefficients(), m_vec[i].coefficients(), other.m_vec[i].coefficients()); 451| 476| } 452| 76| return *this; 453| 76| } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5beginEv: 310| 888| decltype(auto) begin() { return m_coeffs.begin(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE3endEv: 314| 888| decltype(auto) end() { return m_coeffs.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE4sizeEv: 276| 153k| constexpr size_t size() const { return m_coeffs.size(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5beginEv: 483| 76| decltype(auto) begin() const { return m_vec.begin(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE3endEv: 487| 76| decltype(auto) end() const { return m_vec.end(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EE5beginEv: 310| 2.68k| decltype(auto) begin() { return m_coeffs.begin(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EE3endEv: 314| 2.68k| decltype(auto) end() { return m_coeffs.end(); } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEC2Emm: 513| 76| PolynomialMatrix(size_t rows, size_t cols) { 514| 76| m_mat.reserve(rows); 515| 552| for(size_t i = 0; i < rows; ++i) { ------------------ | Branch (515:28): [True: 476, False: 76] ------------------ 516| 476| m_mat.emplace_back(cols); 517| 476| } 518| 76| } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEixEm: 520| 2.68k| PolynomialVector& operator[](size_t i) { return m_mat[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EED2Ev: 412| 328| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EED2Ev: 274| 1.74k| ~Polynomial() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEC2Em: 401| 125| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 553| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 428, False: 125] ------------------ 403| 428| m_vec.emplace_back( 404| 428| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 428| } 406| 125| } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EEC2EOS4_: 261| 1.12k| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EEC2ENSt3__14spanIsLm256EEE: 256| 620| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 620| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 620| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 620] | | ------------------ ------------------ _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEC2EOS4_: 409| 145| PolynomialVector(ThisPolynomialVector&& other) noexcept = default; _ZN5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEED2Ev: 509| 29| ~PolynomialMatrix() = default; _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE5fqmulEss: 96| 409k| static constexpr T fqmul(T a, T b) { return DerivedT::montgomery_reduce_coefficient(static_cast(a) * b); } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE14barrett_reduceENSt3__14spanIsLm256EEE: 122| 384| constexpr static void barrett_reduce(std::span poly) { 123| 98.3k| for(auto& coeff : poly) { ------------------ | Branch (123:26): [True: 98.3k, False: 384] ------------------ 124| 98.3k| coeff = DerivedT::barrett_reduce_coefficient(coeff); 125| 98.3k| } 126| 384| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EE5beginEv: 481| 58| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EE3endEv: 485| 58| decltype(auto) end() { return m_vec.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EE4sizeEv: 276| 7.04k| constexpr size_t size() const { return m_coeffs.size(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE5beginEv: 481| 87| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE3endEv: 485| 87| decltype(auto) end() { return m_vec.end(); } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE5beginEv: 310| 428| decltype(auto) begin() { return m_coeffs.begin(); } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE3endEv: 314| 428| decltype(auto) end() { return m_coeffs.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE4sizeEv: 276| 6.24k| constexpr size_t size() const { return m_coeffs.size(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE20_const_time_unpoisonEv: 491| 58| void _const_time_unpoison() const { CT::unpoison_range(m_vec); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE20_const_time_unpoisonEv: 332| 192| void _const_time_unpoison() const { CT::unpoison(m_coeffs); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE5beginEv: 483| 29| decltype(auto) begin() const { return m_vec.begin(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE3endEv: 487| 29| decltype(auto) end() const { return m_vec.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EEixEm: 308| 24.5k| T operator[](size_t i) const { return m_coeffs[i]; } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 304| 96| std::span coefficients() const { return m_coeffs; } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EED2Ev: 274| 542| ~Polynomial() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EED2Ev: 412| 58| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EEC2Em: 401| 58| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 250| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 192, False: 58] ------------------ 403| 192| m_vec.emplace_back( 404| 192| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 192| } 406| 58| } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EEC2EOS4_: 261| 350| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EEC2ENSt3__14spanIsLm256EEE: 256| 192| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 192| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 192| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 192] | | ------------------ ------------------ _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EEixEm: 306| 49.1k| T& operator[](size_t i) { return m_coeffs[i]; } _ZN5Botan8CRYSTALS3nttITkNS0_14crystals_traitENS_15KyberPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEENS3_IS4_LS5_0EEE: 574| 58|PolynomialVector ntt(PolynomialVector polyvec) { 575| 58| auto polyvec_ntt = detail::domain_cast(std::move(polyvec)); 576| 192| for(auto& poly : polyvec_ntt) { ------------------ | Branch (576:19): [True: 192, False: 58] ------------------ 577| 192| Trait::ntt(poly.coefficients()); 578| 192| } 579| 58| return polyvec_ntt; 580| 58|} _ZN5Botan8CRYSTALS6detail11domain_castILNS0_6DomainE1ETtTyTnS3_ENS0_16PolynomialVectorETkNS0_14crystals_traitENS_15KyberPolyTraitsELS3_0EQneT_T2_EET0_IT1_XT_EEOS6_IS7_XT2_EE: 163| 58|StructureT domain_cast(StructureT&& p) { 164| | // The public factory method `from_domain_cast` is just a workaround for 165| | // Xcode and NDK not understanding the friend declaration to allow this 166| | // to directly call the private constructor. 167| 58| return StructureT::from_domain_cast(std::move(p)); 168| 58|} _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE16from_domain_castILS3_0EQneT0_TL0__EES4_ONS1_IS2_XT_EEE: 396| 58| static PolynomialVector from_domain_cast(PolynomialVector&& other) { 397| 58| return PolynomialVector(std::move(other)); 398| 58| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEC2ILS3_0EQneT0_TL0__EEONS1_IS2_XT_EEE: 379| 58| m_polys_storage(std::move(other.m_polys_storage)) { 380| 58| BOTAN_DEBUG_ASSERT(m_polys_storage.size() % Trait::N == 0); ------------------ | | 130| 58| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 58| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 58] | | ------------------ ------------------ 381| 58| const size_t vecsize = m_polys_storage.size() / Trait::N; 382| 250| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (382:28): [True: 192, False: 58] ------------------ 383| 192| m_vec.emplace_back( 384| 192| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 385| 192| } 386| 58| } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 302| 576| std::span coefficients() { return m_coeffs; } _ZN5Botan8CRYSTALSmlITkNS0_14crystals_traitENS_15KyberPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEERKNS0_16PolynomialMatrixIS4_EERKS6_: 618| 29| const PolynomialVector& vec) { 619| 29| PolynomialVector result(mat.size()); 620| 125| for(size_t i = 0; i < mat.size(); ++i) { ------------------ | Branch (620:22): [True: 96, False: 29] ------------------ 621| 96| Trait::polyvec_pointwise_acc_montgomery(result[i].coefficients(), mat[i].coefficients(), vec.coefficients()); 622| 96| } 623| 29| return result; 624| 29|} _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEE4sizeEv: 511| 154| size_t size() const { return m_mat.size(); } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE32polyvec_pointwise_acc_montgomeryENSt3__14spanIsLm256EEENS6_IKsLm18446744073709551615EEES9_: 131| 96| std::span v) { 132| 96| clear_mem(w); 133| 96| std::array t{}; 134| 428| for(size_t i = 0; i < polys_in_polyvec(u); ++i) { ------------------ | Branch (134:28): [True: 332, False: 96] ------------------ 135| 332| DerivedT::poly_pointwise_montgomery(t, poly_in_polyvec(u, i), poly_in_polyvec(v, i)); 136| 332| poly_add(w, w, t); 137| 332| } 138| 96| barrett_reduce(w); 139| 96| } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE16polys_in_polyvecENSt3__14spanIKsLm18446744073709551615EEE: 81| 428| static constexpr size_t polys_in_polyvec(std::span polyvec) { 82| 428| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 428| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 428| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 428] | | ------------------ ------------------ 83| 428| return polyvec.size() / N; 84| 428| } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE15poly_in_polyvecIKsQoosr3stdE7same_asINT_1TETL0__Esr3stdE7same_asIKS8_S9_EEENSt3__14spanIS7_Lm256EEENSC_IS7_Lm18446744073709551615EEEm: 89| 664| static constexpr std::span poly_in_polyvec(std::span polyvec, size_t index) { 90| 664| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 664| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 664| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 664] | | ------------------ ------------------ 91| 664| BOTAN_DEBUG_ASSERT(polyvec.size() / N > index); ------------------ | | 130| 664| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 664| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 664] | | ------------------ ------------------ 92| 664| auto polyspan = polyvec.subspan(index * N, N); 93| 664| return std::span{polyspan.data(), polyspan.size()}; 94| 664| } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE8poly_addENSt3__14spanIsLm256EEENS6_IKsLm256EEES9_: 99| 428| static constexpr void poly_add(std::span result, std::span lhs, std::span rhs) { 100| 109k| for(size_t i = 0; i < N; ++i) { ------------------ | Branch (100:28): [True: 109k, False: 428] ------------------ 101| 109k| result[i] = lhs[i] + rhs[i]; 102| 109k| } 103| 428| } _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEEixEm: 522| 96| const PolynomialVector& operator[](size_t i) const { return m_mat[i]; } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 445| 192| std::span coefficients() const { return m_polys_storage; } _ZN5Botan8CRYSTALS10montgomeryITkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEENS0_16PolynomialVectorIT_XT0_EEES6_: 598| 29|PolynomialVector montgomery(PolynomialVector polyvec) { 599| 96| for(auto& p : polyvec) { ------------------ | Branch (599:16): [True: 96, False: 29] ------------------ 600| 96| detail::montgomery(p); 601| 96| } 602| 29| return polyvec; 603| 29|} _ZN5Botan8CRYSTALS6detail10montgomeryITkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEEvRNS0_10PolynomialIT_XT0_EEE: 540| 96|void montgomery(Polynomial& p) { 541| 24.5k| for(auto& c : p) { ------------------ | Branch (541:16): [True: 24.5k, False: 96] ------------------ 542| 24.5k| c = Trait::to_montgomery(c); 543| 24.5k| } 544| 96|} _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE13to_montgomeryEs: 120| 24.5k| static constexpr T to_montgomery(T a) { return fqmul(a, MONTY_SQUARED); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEpLERKS4_: 447| 29| ThisPolynomialVector& operator+=(const ThisPolynomialVector& other) { 448| 29| BOTAN_ASSERT(m_vec.size() == other.m_vec.size(), "cannot add polynomial vectors of differing lengths"); ------------------ | | 64| 29| do { \ | | 65| 29| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 29| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 29] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 29| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 29] | | ------------------ ------------------ 449| 125| for(size_t i = 0; i < m_vec.size(); ++i) { ------------------ | Branch (449:28): [True: 96, False: 29] ------------------ 450| 96| Trait::poly_add(m_vec[i].coefficients(), m_vec[i].coefficients(), other.m_vec[i].coefficients()); 451| 96| } 452| 29| return *this; 453| 29| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE6reduceEv: 463| 29| ThisPolynomialVector& reduce() { 464| 96| for(auto& p : m_vec) { ------------------ | Branch (464:22): [True: 96, False: 29] ------------------ 465| 96| Trait::barrett_reduce(p.coefficients()); 466| 96| } 467| 29| return *this; 468| 29| } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEEC2Emm: 513| 29| PolynomialMatrix(size_t rows, size_t cols) { 514| 29| m_mat.reserve(rows); 515| 125| for(size_t i = 0; i < rows; ++i) { ------------------ | Branch (515:28): [True: 96, False: 29] ------------------ 516| 96| m_mat.emplace_back(cols); 517| 96| } 518| 29| } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEEixEm: 520| 332| PolynomialVector& operator[](size_t i) { return m_mat[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEixEm: 477| 428| Polynomial& operator[](size_t i) { return m_vec[i]; } _ZN5Botan8CRYSTALS4packILi1023ETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELNS0_6DomainE0EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferE: 223| 476|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer) { 224| 476| using unsigned_T = std::make_unsigned_t; 225| 476| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); 226| 476|} _ZN5Botan8CRYSTALS4packILi1023ETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELNS0_6DomainE0ETkNS0_12coeff_map_fnINT0_1TEEEZNS0_4packILi1023ETkNS0_14crystals_traitES2_LS3_0EEEvRKNS0_10PolynomialIS5_XT1_EEERNS_13BufferStufferEEUliE_EEvSB_SD_T2_: 117| 476|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer, MapFnT map) { 118| 476| using trait = BitPackingTrait; 119| | 120| 476| BOTAN_DEBUG_ASSERT(stuffer.remaining_capacity() >= p.size() * trait::bits_per_coeff / 8); ------------------ | | 130| 476| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 476| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 476] | | ------------------ ------------------ 121| | 122| | // Bit-packing example that shows a coefficients' bit-pack that spills across 123| | // more than one 64-bit collectors. This illustrates the algorithm below. 124| | // 125| | // 0 64 128 126| | // Collectors (64 bits): | collectors[0] | collectors[1] | 127| | // | | | 128| | // Coefficients (11 bits): | c[0] | c[1] | c[2] | c[3] | c[4] | c[5] | c[6] | c[7] | | | | | ... 129| | // | | | 130| | // | < byte-aligned coefficient pack > | < byte-aligned pad. > | 131| | // | (one inner loop iteration) | 132| | // 0 88 (divisible by 8) 133| | 134| 30.9k| for(size_t i = 0; i < p.size(); i += trait::coeffs_per_pack) { ------------------ | Branch (134:22): [True: 30.4k, False: 476] ------------------ 135| | // The collectors array is filled with bit-packed coefficients to produce 136| | // a byte-aligned pack of coefficients. When coefficients fall onto the 137| | // boundary of two collectors, their bits must be split. 138| 30.4k| typename trait::collector_array collectors = {0}; 139| 152k| for(size_t j = 0, bit_offset = 0, c = 0; j < trait::coeffs_per_pack; ++j) { ------------------ | Branch (139:48): [True: 121k, False: 30.4k] ------------------ 140| | // Transform p[i] via a custom map function (that may be a NOOP). 141| 121k| const typename trait::unsigned_T mapped_coeff = map(p[i + j]); 142| 121k| const auto coeff_value = static_cast(mapped_coeff); 143| | 144| | // pack() is called only on data produced by us. If the values returned 145| | // by the map function are not in the range [0, range] we have a bug. 146| 121k| BOTAN_DEBUG_ASSERT(coeff_value <= range); ------------------ | | 130| 121k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 121k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 121k] | | ------------------ ------------------ 147| | 148| | // Bit-pack the coefficient into the collectors array and keep track of 149| | // the bit-offset within the current collector. Note that this might 150| | // shift some high-bits of the coefficient out of the current collector. 151| 121k| collectors[c] |= coeff_value << bit_offset; 152| 121k| bit_offset += trait::bits_per_coeff; 153| | 154| | // If the bit-offset now exceeds the collector's bit-width, we fill the 155| | // next collector with the high-bits that didn't fit into the previous. 156| | // The bit-offset is adjusted to now point into the new collector. 157| 121k| if(bit_offset > trait::bits_in_collector) { ------------------ | Branch (157:13): [True: 0, False: 121k] ------------------ 158| 0| bit_offset = bit_offset - trait::bits_in_collector; 159| 0| collectors[++c] = coeff_value >> (trait::bits_per_coeff - bit_offset); 160| 0| } 161| 121k| } 162| | 163| | // One byte-aligned pack of bit-packed coefficients is now stored in the 164| | // collectors and can be written to an output buffer. Note that we might 165| | // have to remove some padding bytes of unused collector space. 166| 30.4k| const auto bytes = store_le(collectors); 167| 30.4k| stuffer.append(std::span{bytes}.template first()); 168| 30.4k| } 169| 476|} _ZZN5Botan8CRYSTALS4packILi1023ETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELNS0_6DomainE0EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferEENKUliE_clEi: 225| 121k| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); _ZN5Botan8CRYSTALS4packILi3328ETkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferE: 223| 96|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer) { 224| 96| using unsigned_T = std::make_unsigned_t; 225| 96| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); 226| 96|} _ZN5Botan8CRYSTALS4packILi3328ETkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1ETkNS0_12coeff_map_fnINT0_1TEEEZNS0_4packILi3328ETkNS0_14crystals_traitES2_LS3_1EEEvRKNS0_10PolynomialIS5_XT1_EEERNS_13BufferStufferEEUlsE_EEvSB_SD_T2_: 117| 96|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer, MapFnT map) { 118| 96| using trait = BitPackingTrait; 119| | 120| 96| BOTAN_DEBUG_ASSERT(stuffer.remaining_capacity() >= p.size() * trait::bits_per_coeff / 8); ------------------ | | 130| 96| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 96| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 96] | | ------------------ ------------------ 121| | 122| | // Bit-packing example that shows a coefficients' bit-pack that spills across 123| | // more than one 64-bit collectors. This illustrates the algorithm below. 124| | // 125| | // 0 64 128 126| | // Collectors (64 bits): | collectors[0] | collectors[1] | 127| | // | | | 128| | // Coefficients (11 bits): | c[0] | c[1] | c[2] | c[3] | c[4] | c[5] | c[6] | c[7] | | | | | ... 129| | // | | | 130| | // | < byte-aligned coefficient pack > | < byte-aligned pad. > | 131| | // | (one inner loop iteration) | 132| | // 0 88 (divisible by 8) 133| | 134| 6.24k| for(size_t i = 0; i < p.size(); i += trait::coeffs_per_pack) { ------------------ | Branch (134:22): [True: 6.14k, False: 96] ------------------ 135| | // The collectors array is filled with bit-packed coefficients to produce 136| | // a byte-aligned pack of coefficients. When coefficients fall onto the 137| | // boundary of two collectors, their bits must be split. 138| 6.14k| typename trait::collector_array collectors = {0}; 139| 30.7k| for(size_t j = 0, bit_offset = 0, c = 0; j < trait::coeffs_per_pack; ++j) { ------------------ | Branch (139:48): [True: 24.5k, False: 6.14k] ------------------ 140| | // Transform p[i] via a custom map function (that may be a NOOP). 141| 24.5k| const typename trait::unsigned_T mapped_coeff = map(p[i + j]); 142| 24.5k| const auto coeff_value = static_cast(mapped_coeff); 143| | 144| | // pack() is called only on data produced by us. If the values returned 145| | // by the map function are not in the range [0, range] we have a bug. 146| 24.5k| BOTAN_DEBUG_ASSERT(coeff_value <= range); ------------------ | | 130| 24.5k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 24.5k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 24.5k] | | ------------------ ------------------ 147| | 148| | // Bit-pack the coefficient into the collectors array and keep track of 149| | // the bit-offset within the current collector. Note that this might 150| | // shift some high-bits of the coefficient out of the current collector. 151| 24.5k| collectors[c] |= coeff_value << bit_offset; 152| 24.5k| bit_offset += trait::bits_per_coeff; 153| | 154| | // If the bit-offset now exceeds the collector's bit-width, we fill the 155| | // next collector with the high-bits that didn't fit into the previous. 156| | // The bit-offset is adjusted to now point into the new collector. 157| 24.5k| if(bit_offset > trait::bits_in_collector) { ------------------ | Branch (157:13): [True: 0, False: 24.5k] ------------------ 158| 0| bit_offset = bit_offset - trait::bits_in_collector; 159| 0| collectors[++c] = coeff_value >> (trait::bits_per_coeff - bit_offset); 160| 0| } 161| 24.5k| } 162| | 163| | // One byte-aligned pack of bit-packed coefficients is now stored in the 164| | // collectors and can be written to an output buffer. Note that we might 165| | // have to remove some padding bytes of unused collector space. 166| 6.14k| const auto bytes = store_le(collectors); 167| 6.14k| stuffer.append(std::span{bytes}.template first()); 168| 6.14k| } 169| 96|} _ZZN5Botan8CRYSTALS4packILi3328ETkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferEENKUlsE_clEs: 225| 24.5k| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); _ZN5Botan6bitlenEm: 101| 841|constexpr auto bitlen(size_t x) { 102| 841| return ceil_log2(x + 1); 103| 841|} _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm894EEC2ES3_: 173| 2.68k| explicit Bounded_XOF(XofT xof) : m_xof(xof), m_bytes_consumed(0) {} dilithium_algos.cpp:_ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm894EE4nextILm3EZNS_15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNSA_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSJ_6DomainE1EEEtRKNS_18DilithiumConstantsEE3$_0ZNS7_18sample_ntt_uniformESI_SO_tSR_E3$_1Qaasr3stdE9invocableITL0_0_NSA_5arrayIhXTL0__EEEEsr3stdE9invocableITL0_1_NSA_20__invoke_result_implIvJSU_SW_EE4typeEEEEDaRKT0_RKT1_: 195| 687k| const PredicateFnT& predicate = default_predicate>) { 196| 687k| while(true) { ------------------ | Branch (196:16): [True: 687k, Folded] ------------------ 197| 687k| auto output = transformer(take()); 198| 687k| if(predicate(output)) { ------------------ | Branch (198:16): [True: 687k, False: 718] ------------------ 199| 687k| return output; 200| 687k| } 201| 687k| } 202| 687k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm894EE4takeILm3EEENSt3__15arrayIhXT_EEEv: 206| 687k| constexpr std::array take() { 207| 687k| m_bytes_consumed += bytes; 208| 687k| if(m_bytes_consumed > bound) { ------------------ | Branch (208:13): [True: 0, False: 687k] ------------------ 209| 0| throw Internal_Error("XOF consumed more bytes than allowed"); 210| 0| } 211| 687k| return m_xof.template output(); 212| 687k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EEC2ES3_: 173| 888| explicit Bounded_XOF(XofT xof) : m_xof(xof), m_bytes_consumed(0) {} _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE9next_byteIFbhEQsr3stdE9invocableITL0__hEEEDaOT_: 180| 163k| constexpr auto next_byte(PredicateFnT&& predicate = default_predicate<1, uint8_t>) { 181| 163k| return next<1>([](const auto bytes) { return bytes[0]; }, std::forward(predicate)); 182| 163k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE4nextILm1EZNS4_9next_byteIFbhEQsr3stdE9invocableITL0__hEEEDaOT_EUlS9_E_S7_Qaasr3stdE9invocableITL0_0_NSt3__15arrayIhXTL0__EEEEsr3stdE9invocableITL0_1_NSD_20__invoke_result_implIvJSC_SF_EE4typeEEEEDaRKT0_RKT1_: 195| 163k| const PredicateFnT& predicate = default_predicate>) { 196| 163k| while(true) { ------------------ | Branch (196:16): [True: 163k, Folded] ------------------ 197| 163k| auto output = transformer(take()); 198| 163k| if(predicate(output)) { ------------------ | Branch (198:16): [True: 163k, False: 0] ------------------ 199| 163k| return output; 200| 163k| } 201| 163k| } 202| 163k| } _ZZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE9next_byteIFbhEQsr3stdE9invocableITL0__hEEEDaOT_ENKUlS8_E_clINSt3__15arrayIhLm1EEEEEDaS8_: 181| 163k| return next<1>([](const auto bytes) { return bytes[0]; }, std::forward(predicate)); _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE4takeILm1EEENSt3__15arrayIhXT_EEEv: 206| 163k| constexpr std::array take() { 207| 163k| m_bytes_consumed += bytes; 208| 163k| if(m_bytes_consumed > bound) { ------------------ | Branch (208:13): [True: 0, False: 163k] ------------------ 209| 0| throw Internal_Error("XOF consumed more bytes than allowed"); 210| 0| } 211| 163k| return m_xof.template output(); 212| 163k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE17default_predicateILm1EhEEbT0_: 164| 163k| constexpr static bool default_predicate(T /*v*/) { 165| 163k| return true; 166| 163k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EEC2ES3_: 173| 332| explicit Bounded_XOF(XofT xof) : m_xof(xof), m_bytes_consumed(0) {} kyber_algos.cpp:_ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EE4nextILm3EZZNS_11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS8_6DomainE1EEES3_EN3$_0clEvEUlT_E_FbNSt3__14pairINSH_8optionalItEESK_EEEQaasr3stdE9invocableITL0_0_NSH_5arrayIhXTL0__EEEEsr3stdE9invocableITL0_1_NSH_20__invoke_result_implIvJSN_SP_EE4typeEEEEDaRKT0_RKT1_: 195| 52.7k| const PredicateFnT& predicate = default_predicate>) { 196| 52.7k| while(true) { ------------------ | Branch (196:16): [True: 52.7k, Folded] ------------------ 197| 52.7k| auto output = transformer(take()); 198| 52.7k| if(predicate(output)) { ------------------ | Branch (198:16): [True: 52.7k, False: 0] ------------------ 199| 52.7k| return output; 200| 52.7k| } 201| 52.7k| } 202| 52.7k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EE4takeILm3EEENSt3__15arrayIhXT_EEEv: 206| 52.7k| constexpr std::array take() { 207| 52.7k| m_bytes_consumed += bytes; 208| 52.7k| if(m_bytes_consumed > bound) { ------------------ | Branch (208:13): [True: 0, False: 52.7k] ------------------ 209| 0| throw Internal_Error("XOF consumed more bytes than allowed"); 210| 0| } 211| 52.7k| return m_xof.template output(); 212| 52.7k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EE17default_predicateILm3ENSt3__14pairINS6_8optionalItEES9_EEEEbT0_: 164| 52.7k| constexpr static bool default_predicate(T /*v*/) { 165| 52.7k| return true; 166| 52.7k| } _ZN5Botan3rhoILm14ELm18ELm41ETkNSt3__117unsigned_integralEmEET2_S2_: 53| 160|BOTAN_FORCE_INLINE constexpr T rho(T x) { 54| 160| return rotr(x) ^ rotr(x) ^ rotr(x); 55| 160|} _ZN5Botan4rotrILm14ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm18ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm41ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan3rhoILm28ELm34ELm39ETkNSt3__117unsigned_integralEmEET2_S2_: 53| 160|BOTAN_FORCE_INLINE constexpr T rho(T x) { 54| 160| return rotr(x) ^ rotr(x) ^ rotr(x); 55| 160|} _ZN5Botan4rotrILm28ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm34ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm39ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotlILm21ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm1ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 2.57M|{ 26| 2.57M| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 2.57M|} _ZN5Botan4rotlILm44ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm43ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm14ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm28ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm20ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm3ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm45ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm61ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm6ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm25ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm8ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm18ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm27ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm36ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm10ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm15ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm56ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm62ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm55ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm39ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm41ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan4rotlILm2ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 428k|{ 26| 428k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 428k|} _ZN5Botan8round_upEmm: 26| 42.9k|constexpr inline size_t round_up(size_t n, size_t align_to) { 27| | // Arguably returning n in this case would also be sensible 28| 42.9k| BOTAN_ARG_CHECK(align_to != 0, "align_to must not be 0"); ------------------ | | 35| 42.9k| do { \ | | 36| 42.9k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 42.9k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 42.9k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 42.9k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 42.9k] | | ------------------ ------------------ 29| | 30| 42.9k| if(n % align_to > 0) { ------------------ | Branch (30:7): [True: 40.1k, False: 2.83k] ------------------ 31| 40.1k| const size_t adj = align_to - (n % align_to); 32| 40.1k| BOTAN_ARG_CHECK(n + adj >= n, "Integer overflow during rounding"); ------------------ | | 35| 40.1k| do { \ | | 36| 40.1k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 40.1k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 40.1k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 40.1k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 40.1k] | | ------------------ ------------------ 33| 40.1k| n += adj; 34| 40.1k| } 35| 42.9k| return n; 36| 42.9k|} _ZNK5Botan9SCAN_Name9arg_countEv: 49| 3.84k| size_t arg_count() const { return m_args.size(); } _ZNK5Botan9SCAN_Name9algo_nameEv: 44| 5.25k| const std::string& algo_name() const { return m_alg_name; } _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_EC2ESC_: 26| 1| explicit scoped_cleanup(FunT cleanup) : m_cleanup(std::move(cleanup)) {} _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_EC2EOSD_: 31| 1| scoped_cleanup(scoped_cleanup&& other) noexcept : m_cleanup(std::move(other.m_cleanup)) { other.disengage(); } _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_E9disengageEv: 50| 1| void disengage() noexcept { m_cleanup.reset(); } _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_ED2Ev: 41| 2| ~scoped_cleanup() { 42| 2| if(m_cleanup.has_value()) { ------------------ | Branch (42:13): [True: 1, False: 1] ------------------ 43| 1| (*m_cleanup)(); // NOLINT(bugprone-exception-escape) clang-tidy bug 44| 1| } 45| 2| } _ZNK5Botan7SHA_51213output_lengthEv: 74| 2| size_t output_length() const override { return output_bytes; } _ZN5Botan9SHA2_64_FEmmmRmmmmS0_m: 42| 160| uint64_t A, uint64_t B, uint64_t C, uint64_t& D, uint64_t E, uint64_t F, uint64_t G, uint64_t& H, uint64_t M) { 43| 160| H += rho<14, 18, 41>(E) + choose(E, F, G) + M; 44| 160| D += H; 45| 160| H += rho<28, 34, 39>(A) + majority(A, B, C); 46| 160|} _ZNK5Botan5SHA_313output_lengthEv: 31| 58| size_t output_length() const override { return m_output_length; } _ZN5Botan13SHAKE_128_XOFC2Ev: 52| 2.71k| SHAKE_128_XOF() : SHAKE_XOF(256) {} _ZN5Botan13SHAKE_256_XOFC2Ev: 66| 1.06k| SHAKE_256_XOF() : SHAKE_XOF(512) {} _ZN5Botan9SIMD_2x64C2Ev: 50| 16| m_simd(_mm_setzero_si128()) 51| |#elif defined(BOTAN_SIMD_USE_SIMD128) 52| | m_simd(wasm_u64x2_const_splat(0)) 53| |#endif 54| 16| { 55| 16| } _ZN5Botan9SIMD_2x647load_beEPKv: 90| 16| static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 load_be(const void* in) { return SIMD_2x64::load_le(in).bswap(); } _ZNK5Botan9SIMD_2x645bswapEv: 100| 16| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 bswap() const { 101| 16|#if defined(BOTAN_SIMD_USE_SSSE3) 102| 16| const auto idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7); 103| 16| return SIMD_2x64(_mm_shuffle_epi8(m_simd, idx)); 104| |#elif defined(BOTAN_SIMD_USE_SIMD128) 105| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 7, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8)); 106| |#endif 107| 16| } _ZN5Botan9SIMD_2x64C2EDv2_x: 316| 624| explicit BOTAN_FN_ISA_SIMD_2X64 SIMD_2x64(native_simd_type x) : m_simd(x) {} _ZNK5Botan9SIMD_2x64plERKS0_: 144| 272| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 operator+(const SIMD_2x64& other) const { 145| 272| SIMD_2x64 retval(*this); 146| 272| retval += other; 147| 272| return retval; 148| 272| } _ZN5Botan9SIMD_2x64pLERKS0_: 156| 272| void BOTAN_FN_ISA_SIMD_2X64 operator+=(const SIMD_2x64& other) { 157| 272|#if defined(BOTAN_SIMD_USE_SSSE3) 158| 272| m_simd = _mm_add_epi64(m_simd, other.m_simd); 159| |#elif defined(BOTAN_SIMD_USE_SIMD128) 160| | m_simd = wasm_i64x2_add(m_simd, other.m_simd); 161| |#endif 162| 272| } _ZN5Botan9SIMD_2x647load_leEPKv: 82| 96| static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 load_le(const void* in) { 83| 96|#if defined(BOTAN_SIMD_USE_SSSE3) 84| 96| return SIMD_2x64(_mm_loadu_si128(reinterpret_cast(in))); 85| |#elif defined(BOTAN_SIMD_USE_SIMD128) 86| | return SIMD_2x64(wasm_v128_load(in)); 87| |#endif 88| 96| } _ZNK5Botan9SIMD_2x648store_leEPm: 126| 80| void BOTAN_FN_ISA_SIMD_2X64 store_le(uint64_t out[2]) const { this->store_le(reinterpret_cast(out)); } _ZNK5Botan9SIMD_2x648store_leEPh: 128| 80| void BOTAN_FN_ISA_SIMD_2X64 store_le(uint8_t out[]) const { 129| 80|#if defined(BOTAN_SIMD_USE_SSSE3) 130| 80| _mm_storeu_si128(reinterpret_cast<__m128i*>(out), m_simd); 131| |#elif defined(BOTAN_SIMD_USE_SIMD128) 132| | wasm_v128_store(out, m_simd); 133| |#endif 134| 80| } _ZN5Botan9SIMD_2x647alignr8ERKS0_S2_: 240| 128| static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 alignr8(const SIMD_2x64& a, const SIMD_2x64& b) { 241| 128|#if defined(BOTAN_SIMD_USE_SSSE3) 242| 128| return SIMD_2x64(_mm_alignr_epi8(a.m_simd, b.m_simd, 8)); 243| |#elif defined(BOTAN_SIMD_USE_SIMD128) 244| | return SIMD_2x64( 245| | wasm_i8x16_shuffle(b.m_simd, a.m_simd, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)); 246| |#endif 247| 128| } _ZNK5Botan9SIMD_2x644rotrILm1EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| | if constexpr(ROT == 8) { 187| | auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| 64| } else { 199| 64| return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| 64| _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| 64| } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x64eoERKS0_: 150| 256| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 operator^(const SIMD_2x64& other) const { 151| 256| SIMD_2x64 retval(*this); 152| 256| retval ^= other; 153| 256| return retval; 154| 256| } _ZN5Botan9SIMD_2x64eOERKS0_: 164| 256| void BOTAN_FN_ISA_SIMD_2X64 operator^=(const SIMD_2x64& other) { 165| 256|#if defined(BOTAN_SIMD_USE_SSSE3) 166| 256| m_simd = _mm_xor_si128(m_simd, other.m_simd); 167| |#elif defined(BOTAN_SIMD_USE_SIMD128) 168| | m_simd = wasm_v128_xor(m_simd, other.m_simd); 169| |#endif 170| 256| } _ZNK5Botan9SIMD_2x644rotrILm8EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| 64| if constexpr(ROT == 8) { 187| 64| auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| 64| return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| | } else { 199| | return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| | _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| | } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x643shrILi7EEES0_v: 223| 64| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 shr() const noexcept { 224| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 225| 64| return SIMD_2x64(_mm_srli_epi64(m_simd, SHIFT)); 226| |#elif defined(BOTAN_SIMD_USE_SIMD128) 227| | return SIMD_2x64(wasm_u64x2_shr(m_simd, SHIFT)); 228| |#endif 229| 64| } _ZNK5Botan9SIMD_2x644rotrILm19EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| | if constexpr(ROT == 8) { 187| | auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| 64| } else { 199| 64| return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| 64| _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| 64| } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x644rotrILm61EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| | if constexpr(ROT == 8) { 187| | auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| 64| } else { 199| 64| return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| 64| _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| 64| } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x643shrILi6EEES0_v: 223| 64| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 shr() const noexcept { 224| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 225| 64| return SIMD_2x64(_mm_srli_epi64(m_simd, SHIFT)); 226| |#elif defined(BOTAN_SIMD_USE_SIMD128) 227| | return SIMD_2x64(wasm_u64x2_shr(m_simd, SHIFT)); 228| |#endif 229| 64| } _ZN5Botan6SpongeILm25EmE11state_bytesEv: 43| 3.84k| constexpr static size_t state_bytes() { return sizeof(state_t); } _ZN5Botan6SpongeILm25EmE10state_bitsEv: 45| 3.84k| constexpr static size_t state_bits() { return state_bytes() * 8; } _ZNK5Botan6SpongeILm25EmE9byte_rateEv: 49| 917k| constexpr size_t byte_rate() const { return m_bit_rate / 8; } _ZN5Botan6SpongeILm25EmEC2ENS1_6ConfigE: 39| 3.84k| constexpr explicit Sponge(Config config) : m_S(config.initial_state), m_S_cursor(0), m_bit_rate(config.bit_rate) { 40| 3.84k| BOTAN_ARG_CHECK(m_bit_rate % word_bits == 0 && m_bit_rate < words * word_bits, "Invalid sponge bit rate"); ------------------ | | 35| 3.84k| do { \ | | 36| 3.84k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 7.68k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 3.84k, False: 0] | | | Branch (37:12): [True: 3.84k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 3.84k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 3.84k] | | ------------------ ------------------ 41| 3.84k| } _ZN5Botan6SpongeILm25EmE5stateEv: 55| 1.34M| constexpr auto& state() { return m_S; } _ZN5Botan6SpongeILm25EmE12reset_cursorEv: 62| 4.88k| void reset_cursor() { m_S_cursor = 0; } _ZN5Botan6SpongeILm25EmE7_cursorEv: 59| 913k| size_t& _cursor() { return m_S_cursor; } _ZNK5Botan6SpongeILm25EmE6cursorEv: 57| 8.61k| size_t cursor() const { return m_S_cursor; } _ZN5Botan18absorb_into_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIKhLm18446744073709551615EEE: 233| 8.50k|inline void absorb_into_sponge(detail::SpongeLikeWithTrivialPermute auto& sponge, std::span input) { 234| 8.50k| absorb_into_sponge(sponge, input, [&sponge] { sponge.permute(); }); 235| 8.50k|} _ZN5Botan18absorb_into_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_EEvS5_S9_RKT0_: 223| 8.50k| const detail::PermutationFn auto& permutation_fn) { 224| 8.50k| using word_t = typename SpongeT::word_t; 225| | 226| 8.50k| BufferSlicer input_slicer(input); 227| 8.50k| process_bytes_in_sponge(sponge, input.size(), permutation_fn, [&](word_t state_word, auto bounds) { 228| 8.50k| return state_word ^ bounds.read_from(input_slicer); 229| 8.50k| }); 230| 8.50k| BOTAN_ASSERT_NOMSG(input_slicer.empty()); ------------------ | | 77| 8.50k| do { \ | | 78| 8.50k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 8.50k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 8.50k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 8.50k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 8.50k] | | ------------------ ------------------ 231| 8.50k|} _ZN5Botan23process_bytes_in_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_TkNS1_10ModifierFnIS4_EEZNS_18absorb_into_spongeITkNS1_10SpongeLikeES2_TkNS1_13PermutationFnESA_EEvS5_S9_RKT0_EUlmS4_E_EEvS5_mSF_RKT1_: 139| 8.50k| const detail::ModifierFn auto& modifier_fn) { 140| 8.50k| if(bytes_to_process == 0) { ------------------ | Branch (140:7): [True: 0, False: 8.50k] ------------------ 141| 0| return; 142| 0| } 143| | 144| 8.50k| constexpr auto word_bytes = SpongeT::word_bytes; 145| 8.50k| const auto byte_rate = sponge.byte_rate(); 146| 8.50k| auto& S = sponge.state(); 147| 8.50k| auto& cursor = sponge._cursor(); 148| | 149| | // If necessary, try to get aligned with the sponge state's words array 150| 8.50k| const auto bytes_out_of_word_alignment = static_cast(cursor % word_bytes); 151| 8.50k| if(bytes_out_of_word_alignment > 0) { ------------------ | Branch (151:7): [True: 0, False: 8.50k] ------------------ 152| 0| const auto bytes_until_word_alignment = word_bytes - bytes_out_of_word_alignment; 153| 0| const auto bytes_from_input = std::min(bytes_to_process, bytes_until_word_alignment); 154| 0| BOTAN_DEBUG_ASSERT(bytes_from_input < word_bytes); ------------------ | | 130| 0| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 0| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 0] | | ------------------ ------------------ 155| | 156| 0| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 157| 0| detail::PartialWordBounds{ 158| 0| .offset = bytes_out_of_word_alignment, 159| 0| .length = bytes_from_input, 160| 0| }); 161| 0| cursor += bytes_from_input; 162| 0| bytes_to_process -= bytes_from_input; 163| | 164| 0| if(cursor == byte_rate) { ------------------ | Branch (164:10): [True: 0, False: 0] ------------------ 165| 0| permutation_fn(); 166| 0| cursor = 0; 167| 0| } 168| 0| } 169| | 170| | // If we didn't exhaust the bytes to process for this invocation, we should 171| | // be word-aligned with the sponge state now 172| 8.50k| BOTAN_DEBUG_ASSERT(bytes_to_process == 0 || cursor % word_bytes == 0); ------------------ | | 130| 8.50k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 8.50k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 8.50k] | | ------------------ ------------------ 173| | 174| | // Block-wise incorporation of the input data into the sponge state until 175| | // all input bytes are processed 176| 14.1k| while(bytes_to_process >= word_bytes) { ------------------ | Branch (176:10): [True: 5.67k, False: 8.50k] ------------------ 177| | // Process full words until we either run out of data or reach the 178| | // end of the current sponge state block 179| 50.1k| while(bytes_to_process >= word_bytes && cursor < byte_rate) { ------------------ | Branch (179:13): [True: 45.7k, False: 4.30k] | Branch (179:47): [True: 44.4k, False: 1.37k] ------------------ 180| 44.4k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], detail::FullWordBounds{}); 181| 44.4k| cursor += word_bytes; 182| 44.4k| bytes_to_process -= word_bytes; 183| 44.4k| } 184| | 185| 5.67k| if(cursor == byte_rate) { ------------------ | Branch (185:10): [True: 1.37k, False: 4.30k] ------------------ 186| 1.37k| permutation_fn(); 187| 1.37k| cursor = 0; 188| 1.37k| } 189| 5.67k| } 190| | 191| | // Process the remaining bytes that don't fill an entire word. 192| | // Therefore, leaving the sponge state in an unaligned state that won't 193| | // need another permutation until the next call to process(). 194| 8.50k| BOTAN_DEBUG_ASSERT(bytes_to_process < word_bytes && cursor < byte_rate); ------------------ | | 130| 8.50k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 8.50k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 8.50k] | | ------------------ ------------------ 195| 8.50k| if(bytes_to_process > 0) { ------------------ | Branch (195:7): [True: 4.20k, False: 4.30k] ------------------ 196| 4.20k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 197| 4.20k| detail::PartialWordBounds{ 198| 4.20k| .offset = 0, 199| 4.20k| .length = bytes_to_process, 200| 4.20k| }); 201| 4.20k| cursor += bytes_to_process; 202| 4.20k| } 203| 8.50k|} _ZZN5Botan18absorb_into_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_EEvS5_S9_RKT0_ENKUlmS4_E_clINS1_17PartialWordBoundsIS2_EEEEDamS4_: 227| 4.20k| process_bytes_in_sponge(sponge, input.size(), permutation_fn, [&](word_t state_word, auto bounds) { 228| 4.20k| return state_word ^ bounds.read_from(input_slicer); 229| 4.20k| }); _ZNK5Botan6detail17PartialWordBoundsINS_18Keccak_PermutationEE9read_fromERNS_12BufferSlicerE: 59| 4.20k| word_t read_from(BufferSlicer& slicer) const { 60| 4.20k| std::array partial_word_bytes{}; 61| 4.20k| slicer.copy_into(std::span{partial_word_bytes}.subspan(offset, length)); 62| 4.20k| return load_le(partial_word_bytes); 63| 4.20k| } _ZZN5Botan18absorb_into_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIKhLm18446744073709551615EEEENKUlvE_clEv: 234| 1.37k| absorb_into_sponge(sponge, input, [&sponge] { sponge.permute(); }); _ZZN5Botan18absorb_into_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_EEvS5_S9_RKT0_ENKUlmS4_E_clINS1_14FullWordBoundsIS2_EEEEDamS4_: 227| 44.4k| process_bytes_in_sponge(sponge, input.size(), permutation_fn, [&](word_t state_word, auto bounds) { 228| 44.4k| return state_word ^ bounds.read_from(input_slicer); 229| 44.4k| }); _ZNK5Botan6detail14FullWordBoundsINS_18Keccak_PermutationEE9read_fromERNS_12BufferSlicerE: 97| 44.4k| word_t read_from(BufferSlicer& slicer) const { return load_le(slicer.take()); } _ZN5Botan19squeeze_from_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIhLm18446744073709551615EEE: 258| 904k|inline void squeeze_from_sponge(detail::SpongeLikeWithTrivialPermute auto& sponge, std::span output) { 259| 904k| squeeze_from_sponge(sponge, output, [&sponge] { sponge.permute(); }); 260| 904k|} _ZN5Botan19squeeze_from_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_EEvS5_S8_RKT0_: 247| 904k| const detail::PermutationFn auto& permutation_fn) { 248| 904k| using word_t = typename SpongeT::word_t; 249| | 250| 904k| BufferStuffer output_stuffer(output); 251| 904k| process_bytes_in_sponge(sponge, output.size(), permutation_fn, [&](word_t state_word, auto bounds) { 252| 904k| bounds.write_into(output_stuffer, state_word); 253| 904k| return state_word; 254| 904k| }); 255| 904k| BOTAN_ASSERT_NOMSG(output_stuffer.full()); ------------------ | | 77| 904k| do { \ | | 78| 904k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 904k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 904k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 904k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 904k] | | ------------------ ------------------ 256| 904k|} _ZN5Botan23process_bytes_in_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_TkNS1_10ModifierFnIS4_EEZNS_19squeeze_from_spongeITkNS1_10SpongeLikeES2_TkNS1_13PermutationFnES9_EEvS5_S8_RKT0_EUlmS4_E_EEvS5_mSE_RKT1_: 139| 904k| const detail::ModifierFn auto& modifier_fn) { 140| 904k| if(bytes_to_process == 0) { ------------------ | Branch (140:7): [True: 0, False: 904k] ------------------ 141| 0| return; 142| 0| } 143| | 144| 904k| constexpr auto word_bytes = SpongeT::word_bytes; 145| 904k| const auto byte_rate = sponge.byte_rate(); 146| 904k| auto& S = sponge.state(); 147| 904k| auto& cursor = sponge._cursor(); 148| | 149| | // If necessary, try to get aligned with the sponge state's words array 150| 904k| const auto bytes_out_of_word_alignment = static_cast(cursor % word_bytes); 151| 904k| if(bytes_out_of_word_alignment > 0) { ------------------ | Branch (151:7): [True: 790k, False: 114k] ------------------ 152| 790k| const auto bytes_until_word_alignment = word_bytes - bytes_out_of_word_alignment; 153| 790k| const auto bytes_from_input = std::min(bytes_to_process, bytes_until_word_alignment); 154| 790k| BOTAN_DEBUG_ASSERT(bytes_from_input < word_bytes); ------------------ | | 130| 790k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 790k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 790k] | | ------------------ ------------------ 155| | 156| 790k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 157| 790k| detail::PartialWordBounds{ 158| 790k| .offset = bytes_out_of_word_alignment, 159| 790k| .length = bytes_from_input, 160| 790k| }); 161| 790k| cursor += bytes_from_input; 162| 790k| bytes_to_process -= bytes_from_input; 163| | 164| 790k| if(cursor == byte_rate) { ------------------ | Branch (164:10): [True: 12.1k, False: 777k] ------------------ 165| 12.1k| permutation_fn(); 166| 12.1k| cursor = 0; 167| 12.1k| } 168| 790k| } 169| | 170| | // If we didn't exhaust the bytes to process for this invocation, we should 171| | // be word-aligned with the sponge state now 172| 904k| BOTAN_DEBUG_ASSERT(bytes_to_process == 0 || cursor % word_bytes == 0); ------------------ | | 130| 904k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 904k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 904k] | | ------------------ ------------------ 173| | 174| | // Block-wise incorporation of the input data into the sponge state until 175| | // all input bytes are processed 176| 905k| while(bytes_to_process >= word_bytes) { ------------------ | Branch (176:10): [True: 570, False: 904k] ------------------ 177| | // Process full words until we either run out of data or reach the 178| | // end of the current sponge state block 179| 5.94k| while(bytes_to_process >= word_bytes && cursor < byte_rate) { ------------------ | Branch (179:13): [True: 5.38k, False: 554] | Branch (179:47): [True: 5.37k, False: 16] ------------------ 180| 5.37k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], detail::FullWordBounds{}); 181| 5.37k| cursor += word_bytes; 182| 5.37k| bytes_to_process -= word_bytes; 183| 5.37k| } 184| | 185| 570| if(cursor == byte_rate) { ------------------ | Branch (185:10): [True: 16, False: 554] ------------------ 186| 16| permutation_fn(); 187| 16| cursor = 0; 188| 16| } 189| 570| } 190| | 191| | // Process the remaining bytes that don't fill an entire word. 192| | // Therefore, leaving the sponge state in an unaligned state that won't 193| | // need another permutation until the next call to process(). 194| 904k| BOTAN_DEBUG_ASSERT(bytes_to_process < word_bytes && cursor < byte_rate); ------------------ | | 130| 904k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 904k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 904k] | | ------------------ ------------------ 195| 904k| if(bytes_to_process > 0) { ------------------ | Branch (195:7): [True: 299k, False: 605k] ------------------ 196| 299k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 197| 299k| detail::PartialWordBounds{ 198| 299k| .offset = 0, 199| 299k| .length = bytes_to_process, 200| 299k| }); 201| 299k| cursor += bytes_to_process; 202| 299k| } 203| 904k|} _ZZN5Botan19squeeze_from_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_EEvS5_S8_RKT0_ENKUlmS4_E_clINS1_17PartialWordBoundsIS2_EEEEDamS4_: 251| 1.08M| process_bytes_in_sponge(sponge, output.size(), permutation_fn, [&](word_t state_word, auto bounds) { 252| 1.08M| bounds.write_into(output_stuffer, state_word); 253| 1.08M| return state_word; 254| 1.08M| }); _ZNK5Botan6detail17PartialWordBoundsINS_18Keccak_PermutationEE10write_intoERNS_13BufferStufferEm: 69| 1.08M| void write_into(BufferStuffer& stuffer, word_t partial_word) const { 70| 1.08M| const auto partial_word_bytes = store_le(partial_word); 71| 1.08M| stuffer.append(std::span{partial_word_bytes}.subspan(offset, length)); 72| 1.08M| } _ZZN5Botan19squeeze_from_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIhLm18446744073709551615EEEENKUlvE_clEv: 259| 12.1k| squeeze_from_sponge(sponge, output, [&sponge] { sponge.permute(); }); _ZZN5Botan19squeeze_from_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_EEvS5_S8_RKT0_ENKUlmS4_E_clINS1_14FullWordBoundsIS2_EEEEDamS4_: 251| 5.37k| process_bytes_in_sponge(sponge, output.size(), permutation_fn, [&](word_t state_word, auto bounds) { 252| 5.37k| bounds.write_into(output_stuffer, state_word); 253| 5.37k| return state_word; 254| 5.37k| }); _ZNK5Botan6detail14FullWordBoundsINS_18Keccak_PermutationEE10write_intoERNS_13BufferStufferEm: 99| 5.37k| void write_into(BufferStuffer& stuffer, word_t full_word) const { stuffer.append(store_le(full_word)); } _ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEmQntsr3stdE7same_asIbT_EEES3_S3_: 43| 930M|constexpr inline T value_barrier(T x) { 44| 930M| if(std::is_constant_evaluated()) { ------------------ | Branch (44:7): [Folded, False: 930M] ------------------ 45| 0| return x; 46| 930M| } else { 47| 930M|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM) 48| | /* 49| | * We may want a "stronger" statement such as 50| | * asm volatile("" : "+r,m"(x) : : "memory); 51| | * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html) 52| | * however the current approach seems sufficient with current compilers, 53| | * and is minimally damaging with regards to degrading code generation. 54| | */ 55| 930M| asm("" : "+r"(x) : /* no input */); // NOLINT(*-no-assembler) 56| 930M| return x; 57| |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE) 58| | volatile T vx = x; 59| | return vx; 60| |#else 61| | return x; 62| |#endif 63| 930M| } 64| 930M|} _ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEjQntsr3stdE7same_asIbT_EEES3_S3_: 43| 262k|constexpr inline T value_barrier(T x) { 44| 262k| if(std::is_constant_evaluated()) { ------------------ | Branch (44:7): [Folded, False: 262k] ------------------ 45| 0| return x; 46| 262k| } else { 47| 262k|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM) 48| | /* 49| | * We may want a "stronger" statement such as 50| | * asm volatile("" : "+r,m"(x) : : "memory); 51| | * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html) 52| | * however the current approach seems sufficient with current compilers, 53| | * and is minimally damaging with regards to degrading code generation. 54| | */ 55| 262k| asm("" : "+r"(x) : /* no input */); // NOLINT(*-no-assembler) 56| 262k| return x; 57| |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE) 58| | volatile T vx = x; 59| | return vx; 60| |#else 61| | return x; 62| |#endif 63| 262k| } 64| 262k|} _ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEhQntsr3stdE7same_asIbT_EEES3_S3_: 43| 3.06M|constexpr inline T value_barrier(T x) { 44| 3.06M| if(std::is_constant_evaluated()) { ------------------ | Branch (44:7): [Folded, False: 3.06M] ------------------ 45| 0| return x; 46| 3.06M| } else { 47| 3.06M|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM) 48| | /* 49| | * We may want a "stronger" statement such as 50| | * asm volatile("" : "+r,m"(x) : : "memory); 51| | * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html) 52| | * however the current approach seems sufficient with current compilers, 53| | * and is minimally damaging with regards to degrading code generation. 54| | */ 55| 3.06M| asm("" : "+r"(x) : /* no input */); // NOLINT(*-no-assembler) 56| 3.06M| return x; 57| |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE) 58| | volatile T vx = x; 59| | return vx; 60| |#else 61| | return x; 62| |#endif 63| 3.06M| } 64| 3.06M|} _ZN5Botan21Allocator_InitializerC2Ev: 50| 1| Allocator_Initializer() { initialize_allocator(); } _ZNK5Botan10BER_Object6is_setEv: 138| 165k| bool is_set() const { return m_type_tag != ASN1_Type::NoObject; } _ZNK5Botan10BER_Object7taggingEv: 140| 68.4k| uint32_t tagging() const { return type_tag() | class_tag(); } _ZNK5Botan10BER_Object8type_tagEv: 142| 72.1k| ASN1_Type type_tag() const { return m_type_tag; } _ZNK5Botan10BER_Object9class_tagEv: 144| 82.0k| ASN1_Class class_tag() const { return m_class_tag; } _ZNK5Botan10BER_Object4bitsEv: 150| 837k| const uint8_t* bits() const { return m_value.data(); } _ZNK5Botan10BER_Object6lengthEv: 152| 1.76M| size_t length() const { return m_value.size(); } _ZNK5Botan10BER_Object4dataEv: 154| 25.4k| std::span data() const { return std::span{m_value}; } _ZN5Botan10BER_Object12mutable_bitsEm: 171| 58.1k| uint8_t* mutable_bits(size_t length) { 172| 58.1k| m_value.resize(length); 173| 58.1k| return m_value.data(); 174| 58.1k| } _ZNK5Botan3OID5emptyEv: 265| 7.98k| bool empty() const { return m_id.empty(); } _ZNK5Botan3OID9has_valueEv: 271| 3.62k| bool has_value() const { return !empty(); } _ZNK5Botan3OIDeqERKS0_: 301| 42.4k| bool operator==(const OID& other) const { return m_id == other.m_id; } _ZNK5Botan19AlgorithmIdentifier3oidEv: 407| 12.0k| const OID& oid() const { return m_oid; } _ZNK5Botan19AlgorithmIdentifier10parametersEv: 409| 3.89k| const std::vector& parameters() const { return m_parameters; } _ZN5BotanorENS_10ASN1_ClassES0_: 78| 18.7k|inline ASN1_Class operator|(ASN1_Class x, ASN1_Class y) { 79| 18.7k| return static_cast(static_cast(x) | static_cast(y)); 80| 18.7k|} _ZN5BotanorENS_9ASN1_TypeENS_10ASN1_ClassE: 82| 68.4k|inline uint32_t operator|(ASN1_Type x, ASN1_Class y) { 83| 68.4k| return static_cast(x) | static_cast(y); 84| 68.4k|} _ZN5BotanorENS_10ASN1_ClassENS_9ASN1_TypeE: 86| 10.2k|inline uint32_t operator|(ASN1_Class x, ASN1_Type y) { 87| 10.2k| return static_cast(x) | static_cast(y); 88| 10.2k|} _ZN5BotanneERKNS_3OIDES2_: 342| 3.47k|inline bool operator!=(const OID& a, const OID& b) { 343| 3.47k| return !(a == b); 344| 3.47k|} _ZNKSt3__14hashIN5Botan3OIDEEclERKS2_: 441| 1.79k| size_t operator()(const Botan::OID& oid) const noexcept { return static_cast(oid.hash_code()); } _ZN5Botan3OIDC2Ev: 220| 24.2k| explicit OID() = default; _ZN5Botan11ASN1_ObjectC2Ev: 117| 78.3k| ASN1_Object() = default; _ZN5Botan11ASN1_ObjectD2Ev: 122| 81.7k| virtual ~ASN1_Object() = default; _ZN5Botan11ASN1_ObjectC2ERKS0_: 118| 2.75k| ASN1_Object(const ASN1_Object&) = default; _ZN5Botan11ASN1_ObjectaSERKS0_: 119| 2.58k| ASN1_Object& operator=(const ASN1_Object&) = default; _ZN5Botan19AlgorithmIdentifierC2Ev: 399| 13.8k| AlgorithmIdentifier() = default; _ZN5Botan11ASN1_ObjectC2EOS0_: 120| 626| ASN1_Object(ASN1_Object&&) = default; _ZN5Botan10BER_ObjectC2Ev: 130| 106k| BER_Object() = default; _ZN5Botan10BER_ObjectaSEOS0_: 135| 25.7k| BER_Object& operator=(BER_Object&& other) = default; _ZN5Botan10BER_ObjectC2EOS0_: 133| 24.3k| BER_Object(BER_Object&& other) = default; _ZN5Botan13ignore_paramsIJPKmmEEEvDpRKT_: 142| 48.7M|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJmEEEvDpRKT_: 142| 39.2k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEEEEvDpRKT_: 142| 918|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKhmEEEvDpRKT_: 142| 2.90k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKbmEEEvDpRKT_: 142| 327k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKimEEEvDpRKT_: 142| 2.72k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKsmEEEvDpRKT_: 142| 192|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJNSt3__14spanIKhLm18446744073709551615EEES4_EEEvDpRKT_: 142| 4.24k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan11BER_Decoder6Limits3DEREv: 35| 13.3k| static Limits DER() { return Limits(false, 0); } _ZN5Botan11BER_Decoder6LimitsC2Ebm: 54| 13.3k| m_allow_ber(allow_ber), m_max_nested_indef(max_nested_indef) {} _ZN5Botan11BER_Decoder14start_sequenceEv: 160| 18.8k| BER_Decoder start_sequence() { return start_cons(ASN1_Type::Sequence, ASN1_Class::Universal); } _ZN5Botan11BER_Decoder6decodeERNS_6BigIntE: 230| 3.90k| BER_Decoder& decode(BigInt& out) { return decode(out, ASN1_Type::Integer, ASN1_Class::Universal); } _ZN5Botan11BER_Decoder6decodeINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EENS_9ASN1_TypeE: 242| 1.02k| BER_Decoder& decode(std::vector& out, ASN1_Type real_type) { 243| 1.02k| return decode(out, real_type, real_type, ASN1_Class::Universal); 244| 1.02k| } _ZN5Botan11BER_Decoder16decode_and_checkImEERS0_RKT_NSt3__117basic_string_viewIcNS6_11char_traitsIcEEEE: 327| 10.2k| BER_Decoder& decode_and_check(const T& expected, std::string_view error_msg) { 328| 10.2k| T actual; 329| 10.2k| decode(actual); 330| | 331| 10.2k| if(actual != expected) { ------------------ | Branch (331:13): [True: 83, False: 10.2k] ------------------ 332| 83| throw Decoding_Error(error_msg); 333| 83| } 334| | 335| 10.2k| return (*this); 336| 10.2k| } _ZN5Botan11BER_Decoder6decodeERm: 225| 10.2k| BER_Decoder& decode(size_t& out) { return decode(out, ASN1_Type::Integer, ASN1_Class::Universal); } _ZN5Botan11BER_Decoder16decode_and_checkINS_3OIDEEERS0_RKT_NSt3__117basic_string_viewIcNS7_11char_traitsIcEEEE: 327| 1.05k| BER_Decoder& decode_and_check(const T& expected, std::string_view error_msg) { 328| 1.05k| T actual; 329| 1.05k| decode(actual); 330| | 331| 1.05k| if(actual != expected) { ------------------ | Branch (331:13): [True: 15, False: 1.04k] ------------------ 332| 15| throw Decoding_Error(error_msg); 333| 15| } 334| | 335| 1.04k| return (*this); 336| 1.05k| } _ZN5Botan11BER_Decoder22decode_optional_stringINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EENS_9ASN1_TypeESA_NS_10ASN1_ClassE: 369| 1.03k| ASN1_Class class_tag = ASN1_Class::ContextSpecific) { 370| 1.03k| return decode_optional_string(out, real_type, static_cast(expected_tag), class_tag); 371| 1.03k| } _ZN5Botan11BER_Decoder22decode_optional_stringINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EENS_9ASN1_TypeEjNS_10ASN1_ClassE: 345| 1.03k| ASN1_Class class_tag = ASN1_Class::ContextSpecific) { 346| 1.03k| BER_Object obj = get_next_object(); 347| | 348| 1.03k| const ASN1_Type type_tag = static_cast(expected_tag); 349| | 350| 1.03k| if(obj.is_a(type_tag, class_tag)) { ------------------ | Branch (350:13): [True: 1.03k, False: 3] ------------------ 351| 1.03k| if(class_tag == ASN1_Class::ExplicitContextSpecific) { ------------------ | Branch (351:16): [True: 0, False: 1.03k] ------------------ 352| 0| BER_Decoder(obj, m_limits).decode(out, real_type).verify_end(); 353| 1.03k| } else { 354| 1.03k| push_back(std::move(obj)); 355| 1.03k| decode(out, real_type, type_tag, class_tag); 356| 1.03k| } 357| 1.03k| } else { 358| 3| out.clear(); 359| 3| push_back(std::move(obj)); 360| 3| } 361| | 362| 1.03k| return (*this); 363| 1.03k| } _ZN5Botan11BER_DecoderC2ERKNS_10BER_ObjectENS0_6LimitsE: 81| 1.44k| BER_Decoder(obj.data(), limits) {} _ZNK5Botan11BER_Decoder6Limits18allow_ber_encodingEv: 44| 144k| bool allow_ber_encoding() const { return m_allow_ber; } _ZNK5Botan11BER_Decoder6Limits20require_der_encodingEv: 46| 86.0k| bool require_der_encoding() const { return !allow_ber_encoding(); } _ZNK5Botan11BER_Decoder6limitsEv: 98| 18.7k| Limits limits() const { return m_limits; } _ZN5Botan11BER_Decoder6decodeINS_16secure_allocatorIhEEEERS0_RNSt3__16vectorIhT_EENS_9ASN1_TypeE: 242| 11.6k| BER_Decoder& decode(std::vector& out, ASN1_Type real_type) { 243| 11.6k| return decode(out, real_type, real_type, ASN1_Class::Universal); 244| 11.6k| } _ZN5Botan11BER_Decoder9raw_bytesINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EE: 203| 6.07k| BER_Decoder& raw_bytes(std::vector& out) { 204| 6.07k| out.clear(); 205| 478k| for(;;) { 206| 478k| if(auto next = this->read_next_byte()) { ------------------ | Branch (206:21): [True: 472k, False: 6.07k] ------------------ 207| 472k| out.push_back(*next); 208| 472k| } else { 209| 6.07k| break; 210| 6.07k| } 211| 478k| } 212| 6.07k| return (*this); 213| 6.07k| } _ZN5Botan11BER_Decoder15decode_optionalINS_3OIDEEERS0_RT_NS_9ASN1_TypeENS_10ASN1_ClassERKS4_: 285| 2.59k| BER_Decoder& decode_optional(T& out, ASN1_Type type_tag, ASN1_Class class_tag, const T& default_value = T()) { 286| 2.59k| std::optional optval; 287| 2.59k| this->decode_optional(optval, type_tag, class_tag); 288| 2.59k| out = optval ? *optval : default_value; ------------------ | Branch (288:16): [True: 553, False: 2.04k] ------------------ 289| 2.59k| return (*this); 290| 2.59k| } _ZN5Botan11BER_Decoder15decode_optionalINS_3OIDEEERS0_RNSt3__18optionalIT_EENS_9ASN1_TypeENS_10ASN1_ClassE: 394| 2.59k|BER_Decoder& BER_Decoder::decode_optional(std::optional& optval, ASN1_Type type_tag, ASN1_Class class_tag) { 395| 2.59k| BER_Object obj = get_next_object(); 396| | 397| 2.59k| if(obj.is_a(type_tag, class_tag)) { ------------------ | Branch (397:7): [True: 556, False: 2.03k] ------------------ 398| 556| T out{}; 399| 556| if(class_tag == ASN1_Class::ExplicitContextSpecific) { ------------------ | Branch (399:10): [True: 556, False: 0] ------------------ 400| 556| BER_Decoder(obj, m_limits).decode(out).verify_end(); 401| 556| } else { 402| 0| this->push_back(std::move(obj)); 403| 0| this->decode(out, type_tag, class_tag); 404| 0| } 405| 556| optval = std::move(out); 406| 2.03k| } else { 407| 2.03k| this->push_back(std::move(obj)); 408| 2.03k| optval = std::nullopt; 409| 2.03k| } 410| | 411| 2.59k| return (*this); 412| 2.59k|} _ZN5Botan11BER_Decoder22decode_optional_stringINS_16secure_allocatorIhEEEERS0_RNSt3__16vectorIhT_EENS_9ASN1_TypeEjNS_10ASN1_ClassE: 345| 2.58k| ASN1_Class class_tag = ASN1_Class::ContextSpecific) { 346| 2.58k| BER_Object obj = get_next_object(); 347| | 348| 2.58k| const ASN1_Type type_tag = static_cast(expected_tag); 349| | 350| 2.58k| if(obj.is_a(type_tag, class_tag)) { ------------------ | Branch (350:13): [True: 892, False: 1.69k] ------------------ 351| 892| if(class_tag == ASN1_Class::ExplicitContextSpecific) { ------------------ | Branch (351:16): [True: 892, False: 0] ------------------ 352| 892| BER_Decoder(obj, m_limits).decode(out, real_type).verify_end(); 353| 892| } else { 354| 0| push_back(std::move(obj)); 355| 0| decode(out, real_type, type_tag, class_tag); 356| 0| } 357| 1.69k| } else { 358| 1.69k| out.clear(); 359| 1.69k| push_back(std::move(obj)); 360| 1.69k| } 361| | 362| 2.58k| return (*this); 363| 2.58k| } _ZN5Botan6BigInt4zeroEv: 50| 37.9k| static BigInt zero() { return BigInt(); } _ZN5Botan6BigInt3oneEv: 55| 1.68k| static BigInt one() { return BigInt::from_u64(1); } _ZN5Botan6BigIntC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 98| 15.9k| explicit BigInt(std::string_view str) { *this = BigInt::from_string(str); } _ZN5Botan6BigIntC2ENSt3__14spanIKhLm18446744073709551615EEE: 139| 556| explicit BigInt(std::span bytes) { assign_from_bytes(bytes); } _ZN5Botan6BigIntC2EOS0_: 183| 61.8k| BigInt(BigInt&& other) noexcept { this->swap(other); } _ZN5Botan6BigIntD2Ev: 185| 8.46M| ~BigInt() { _const_time_unpoison(); } _ZN5Botan6BigIntaSEOS0_: 190| 3.18M| BigInt& operator=(BigInt&& other) noexcept { 191| 3.18M| if(this != &other) { ------------------ | Branch (191:13): [True: 3.18M, False: 0] ------------------ 192| 3.18M| this->swap(other); 193| 3.18M| } 194| | 195| 3.18M| return (*this); 196| 3.18M| } _ZN5Botan6BigInt4swapERS0_: 207| 5.15M| void swap(BigInt& other) noexcept { 208| 5.15M| m_data.swap(other.m_data); 209| 5.15M| std::swap(m_signedness, other.m_signedness); 210| 5.15M| } _ZN5Botan6BigInt8swap_regERNSt3__16vectorImNS_16secure_allocatorImEEEE: 214| 1.36M| BOTAN_DEPRECATED("Deprecated no replacement") void swap_reg(secure_vector& reg) { 215| 1.36M| m_data.swap(reg); 216| | // sign left unchanged 217| 1.36M| } _ZN5Botan6BigIntpLEm: 229| 2.22k| BigInt& operator+=(word y) { return add(&y, 1, Positive); } _ZN5Botan6BigIntmIEm: 241| 1.66k| BigInt& operator-=(word y) { return sub(&y, 1, Positive); } _ZN5Botan6BigInt3subEPKmmNS0_4SignE: 332| 74.9k| BigInt& sub(const word y[], size_t y_words, Sign sign) { 333| 74.9k| return add(y, y_words, sign == Positive ? Negative : Positive); ------------------ | Branch (333:33): [True: 74.9k, False: 0] ------------------ 334| 74.9k| } _ZN5Botan6BigInt5clearEv: 415| 39.4k| void clear() { 416| 39.4k| m_data.set_to_zero(); 417| 39.4k| m_signedness = Positive; 418| 39.4k| } _ZNK5Botan6BigInt7is_evenEv: 455| 9.35k| bool is_even() const { return !get_bit(0); } _ZNK5Botan6BigInt6is_oddEv: 461| 920k| bool is_odd() const { return get_bit(0); } _ZNK5Botan6BigInt6signumEv: 467| 17.5M| int signum() const { 468| 17.5M| if(sig_words() == 0) { ------------------ | Branch (468:13): [True: 15.5k, False: 17.5M] ------------------ 469| 15.5k| return 0; 470| 15.5k| } 471| 17.5M| return (sign() == Negative) ? -1 : 1; ------------------ | Branch (471:17): [True: 7.50k, False: 17.5M] ------------------ 472| 17.5M| } _ZNK5Botan6BigInt7is_zeroEv: 484| 1.59M| bool is_zero() const { return sig_words() == 0; } _ZN5Botan6BigInt7set_bitEm: 490| 18.5k| void set_bit(size_t n) { conditionally_set_bit(n, true); } _ZN5Botan6BigInt21conditionally_set_bitEmb: 500| 656k| void conditionally_set_bit(size_t n, bool set_it) { 501| 656k| const size_t which = n / (sizeof(word) * 8); 502| 656k| const word mask = static_cast(set_it) << (n % (sizeof(word) * 8)); 503| 656k| m_data.set_word_at(which, word_at(which) | mask); 504| 656k| } _ZNK5Botan6BigInt7get_bitEm: 523| 1.58M| bool get_bit(size_t n) const { return ((word_at(n / (sizeof(word) * 8)) >> (n % (sizeof(word) * 8))) & 1) == 1; } _ZNK5Botan6BigInt7word_atEm: 574| 27.2M| word word_at(size_t n) const { return m_data.get_word_at(n); } _ZN5Botan6BigInt11set_word_atEmm: 576| 12.8M| BOTAN_DEPRECATED("Deprecated no replacement") void set_word_at(size_t i, word w) { m_data.set_word_at(i, w); } _ZN5Botan6BigInt9set_wordsEPKmm: 578| 39.4k| BOTAN_DEPRECATED("Deprecated no replacement") void set_words(const word w[], size_t len) { 579| 39.4k| m_data.set_words(w, len); 580| 39.4k| } _ZNK5Botan6BigInt4signEv: 604| 22.3M| Sign sign() const { return (m_signedness); } _ZNK5Botan6BigInt12reverse_signEv: 609| 4.03k| Sign reverse_sign() const { 610| 4.03k| if(sign() == Positive) { ------------------ | Branch (610:13): [True: 3.23k, False: 793] ------------------ 611| 3.23k| return Negative; 612| 3.23k| } 613| 793| return Positive; 614| 4.03k| } _ZN5Botan6BigInt9flip_signEv: 619| 2.47k| BOTAN_DEPRECATED("Deprecated no replacement") void flip_sign() { set_sign(reverse_sign()); } _ZN5Botan6BigInt8set_signENS0_4SignE: 625| 1.69M| void set_sign(Sign sign) { 626| 1.69M| if(sign == Negative && is_zero()) { ------------------ | Branch (626:13): [True: 4.65k, False: 1.68M] | Branch (626:33): [True: 1.42k, False: 3.23k] ------------------ 627| 1.42k| sign = Positive; 628| 1.42k| } 629| | 630| 1.69M| m_signedness = sign; 631| 1.69M| } _ZNK5Botan6BigInt4sizeEv: 642| 87.0M| size_t size() const { return m_data.size(); } _ZNK5Botan6BigInt9sig_wordsEv: 648| 37.5M| size_t sig_words() const { return m_data.sig_words(); } _ZN5Botan6BigInt12mutable_dataEv: 673| 29.4M| BOTAN_DEPRECATED("Deprecated no replacement") word* mutable_data() { return m_data.mutable_data(); } _ZNK5Botan6BigInt4dataEv: 679| 13.8k| BOTAN_DEPRECATED("Deprecated no replacement") const word* data() const { return m_data.const_data(); } _ZN5Botan6BigInt15get_word_vectorEv: 684| 991k| BOTAN_DEPRECATED("Deprecated no replacement") secure_vector& get_word_vector() { 685| 991k| return m_data.mutable_vector(); 686| 991k| } _ZNK5Botan6BigInt7grow_toEm: 699| 11.5M| BOTAN_DEPRECATED("Deprecated no replacement") void grow_to(size_t n) const { m_data.grow_to(n); } _ZN5Botan6BigInt10power_of_2Em: 856| 7.08k| static BigInt power_of_2(size_t n) { 857| 7.08k| BigInt b; 858| 7.08k| b.set_bit(n); 859| 7.08k| return b; 860| 7.08k| } _ZN5Botan6BigInt6decodeEPKhm: 893| 960| BOTAN_DEPRECATED("Use BigInt::from_bytes") static BigInt decode(const uint8_t buf[], size_t length) { 894| 960| return BigInt::from_bytes(std::span{buf, length}); 895| 960| } _ZN5Botan6BigInt11encode_1363EPhmRKS0_: 940| 128| static void encode_1363(uint8_t out[], size_t bytes, const BigInt& n) { 941| 128| n.serialize_to(std::span{out, bytes}); 942| 128| } _ZNK5Botan6BigInt8_as_spanEv: 962| 1.19M| std::span _as_span() const { return m_data.const_span(); } _ZNK5Botan6BigInt5_dataEv: 972| 63.4M| const word* _data() const { return m_data.const_data(); } _ZN5Botan6BigInt18_assign_from_bytesENSt3__14spanIKhLm18446744073709551615EEE: 983| 13.8k| void _assign_from_bytes(std::span bytes) { assign_from_bytes(bytes); } _ZN5Botan6BigInt11_from_wordsERNSt3__16vectorImNS_16secure_allocatorImEEEE: 991| 2.75M| static BigInt _from_words(secure_vector& words) { 992| 2.75M| BigInt bn; 993| 2.75M| bn.m_data.swap(words); 994| 2.75M| return bn; 995| 2.75M| } _ZN5Botan6BigInt4Data12mutable_dataEv: 1022| 30.5M| word* mutable_data() { 1023| 30.5M| invalidate_sig_words(); 1024| 30.5M| return m_reg.data(); 1025| 30.5M| } _ZNK5Botan6BigInt4Data10const_dataEv: 1027| 71.9M| const word* const_data() const { return m_reg.data(); } _ZNK5Botan6BigInt4Data10const_spanEv: 1029| 1.19M| std::span const_span() const { return std::span{m_reg}; } _ZN5Botan6BigInt4Data14mutable_vectorEv: 1031| 991k| secure_vector& mutable_vector() { 1032| 991k| invalidate_sig_words(); 1033| 991k| return m_reg; 1034| 991k| } _ZNK5Botan6BigInt4Data11get_word_atEm: 1038| 27.2M| word get_word_at(size_t n) const { 1039| 27.2M| if(n < m_reg.size()) { ------------------ | Branch (1039:19): [True: 27.2M, False: 17.9k] ------------------ 1040| 27.2M| return m_reg[n]; 1041| 27.2M| } 1042| 17.9k| return 0; 1043| 27.2M| } _ZN5Botan6BigInt4Data11set_word_atEmm: 1045| 13.4M| void set_word_at(size_t i, word w) { 1046| 13.4M| invalidate_sig_words(); 1047| 13.4M| if(i >= m_reg.size()) { ------------------ | Branch (1047:19): [True: 878k, False: 12.6M] ------------------ 1048| 878k| if(w == 0) { ------------------ | Branch (1048:22): [True: 839k, False: 38.7k] ------------------ 1049| 839k| return; 1050| 839k| } 1051| 38.7k| grow_to(i + 1); 1052| 38.7k| } 1053| 12.6M| m_reg[i] = w; 1054| 12.6M| } _ZN5Botan6BigInt4Data9set_wordsEPKmm: 1056| 39.4k| void set_words(const word w[], size_t len) { 1057| 39.4k| invalidate_sig_words(); 1058| 39.4k| m_reg.assign(w, w + len); 1059| 39.4k| } _ZNK5Botan6BigInt4Data7grow_toEm: 1065| 11.6M| void grow_to(size_t n) const { 1066| 11.6M| if(n > size()) { ------------------ | Branch (1066:19): [True: 5.15M, False: 6.53M] ------------------ 1067| 5.15M| if(n <= m_reg.capacity()) { ------------------ | Branch (1067:22): [True: 621k, False: 4.53M] ------------------ 1068| 621k| m_reg.resize(n); 1069| 4.53M| } else { 1070| 4.53M| m_reg.resize(n + (8 - (n % 8))); 1071| 4.53M| } 1072| 5.15M| } 1073| 11.6M| } _ZNK5Botan6BigInt4Data4sizeEv: 1075| 108M| size_t size() const { return m_reg.size(); } _ZN5Botan6BigInt4Data4swapERS1_: 1090| 5.15M| void swap(Data& other) noexcept { 1091| 5.15M| m_reg.swap(other.m_reg); 1092| 5.15M| std::swap(m_sig_words, other.m_sig_words); 1093| 5.15M| } _ZN5Botan6BigInt4Data4swapERNSt3__16vectorImNS_16secure_allocatorImEEEE: 1095| 4.15M| void swap(secure_vector& reg) noexcept { 1096| 4.15M| m_reg.swap(reg); 1097| 4.15M| invalidate_sig_words(); 1098| 4.15M| } _ZNK5Botan6BigInt4Data20invalidate_sig_wordsEv: 1100| 49.2M| void invalidate_sig_words() const noexcept { m_sig_words = sig_words_npos; } _ZNK5Botan6BigInt4Data9sig_wordsEv: 1102| 37.5M| size_t sig_words() const { 1103| 37.5M| if(m_sig_words == sig_words_npos) { ------------------ | Branch (1103:19): [True: 13.9M, False: 23.5M] ------------------ 1104| 13.9M| m_sig_words = calc_sig_words(); 1105| 13.9M| } 1106| 37.5M| return m_sig_words; 1107| 37.5M| } _ZN5BotanplERKNS_6BigIntES2_: 1125| 883k|inline BigInt operator+(const BigInt& x, const BigInt& y) { 1126| 883k| return BigInt::add2(x, y._data(), y.sig_words(), y.sign()); 1127| 883k|} _ZN5BotanplERKNS_6BigIntEm: 1129| 2.81k|inline BigInt operator+(const BigInt& x, word y) { 1130| 2.81k| return BigInt::add2(x, &y, 1, BigInt::Positive); 1131| 2.81k|} _ZN5BotanmiERKNS_6BigIntES2_: 1137| 1.55k|inline BigInt operator-(const BigInt& x, const BigInt& y) { 1138| 1.55k| return BigInt::add2(x, y._data(), y.sig_words(), y.reverse_sign()); 1139| 1.55k|} _ZN5BotanmiERKNS_6BigIntEm: 1141| 5.34k|inline BigInt operator-(const BigInt& x, word y) { 1142| 5.34k| return BigInt::add2(x, &y, 1, BigInt::Negative); 1143| 5.34k|} _ZN5BotanmlEmRKNS_6BigIntE: 1148| 68.2k|inline BigInt operator*(word x, const BigInt& y) { 1149| 68.2k| return y * x; 1150| 68.2k|} _ZN5BotaneqERKNS_6BigIntES2_: 1162| 25.2k|inline bool operator==(const BigInt& a, const BigInt& b) { 1163| 25.2k| return a.is_equal(b); 1164| 25.2k|} _ZN5BotanneERKNS_6BigIntES2_: 1166| 4.60k|inline bool operator!=(const BigInt& a, const BigInt& b) { 1167| 4.60k| return !a.is_equal(b); 1168| 4.60k|} _ZN5BotangeERKNS_6BigIntES2_: 1174| 15.1k|inline bool operator>=(const BigInt& a, const BigInt& b) { 1175| 15.1k| return (a.cmp(b) >= 0); 1176| 15.1k|} _ZN5BotanltERKNS_6BigIntES2_: 1178| 59.1k|inline bool operator<(const BigInt& a, const BigInt& b) { 1179| 59.1k| return a.is_less_than(b); 1180| 59.1k|} _ZN5BotangtERKNS_6BigIntES2_: 1182| 47|inline bool operator>(const BigInt& a, const BigInt& b) { 1183| 47| return b.is_less_than(a); 1184| 47|} _ZN5BotaneqERKNS_6BigIntEm: 1186| 121k|inline bool operator==(const BigInt& a, word b) { 1187| 121k| return (a.cmp_word(b) == 0); 1188| 121k|} _ZN5BotanneERKNS_6BigIntEm: 1190| 70.5k|inline bool operator!=(const BigInt& a, word b) { 1191| 70.5k| return (a.cmp_word(b) != 0); 1192| 70.5k|} _ZN5BotanleERKNS_6BigIntEm: 1194| 3.78k|inline bool operator<=(const BigInt& a, word b) { 1195| 3.78k| return (a.cmp_word(b) <= 0); 1196| 3.78k|} _ZN5BotangeERKNS_6BigIntEm: 1198| 8.91k|inline bool operator>=(const BigInt& a, word b) { 1199| 8.91k| return (a.cmp_word(b) >= 0); 1200| 8.91k|} _ZN5BotanltERKNS_6BigIntEm: 1202| 20.0k|inline bool operator<(const BigInt& a, word b) { 1203| 20.0k| return (a.cmp_word(b) < 0); 1204| 20.0k|} _ZN5BotangtERKNS_6BigIntEm: 1206| 5.14k|inline bool operator>(const BigInt& a, word b) { 1207| 5.14k| return (a.cmp_word(b) > 0); 1208| 5.14k|} _ZNK5Botan6BigInt9serializeINSt3__16vectorIhNS2_9allocatorIhEEEEEET_m: 747| 286| T serialize(size_t len) const { 748| | // TODO this supports std::vector and secure_vector 749| | // it would be nice if this also could work with std::array as in 750| | // bn.serialize_to>(32); 751| 286| T out(len); 752| 286| this->serialize_to(out); 753| 286| return out; 754| 286| } _ZN5Botan6BigIntC2Ev: 45| 7.42M| BigInt() = default; _ZN5Botan6BigIntC2ERKS0_: 88| 958k| BigInt(const BigInt& other) = default; _ZN5Botan6BigIntaSERKS0_: 201| 2.01M| BigInt& operator=(const BigInt&) = default; _ZN5Botan20Buffered_Computation6updateEPKhm: 34| 2| void update(const uint8_t in[], size_t length) { add_data({in, length}); } _ZN5Botan20Buffered_Computation6updateENSt3__14spanIKhLm18446744073709551615EEE: 40| 87| void update(std::span in) { add_data(in); } _ZN5Botan20Buffered_Computation5finalEPh: 69| 2| void final(uint8_t out[]) { final_result({out, output_length()}); } _ZN5Botan20Buffered_Computation5finalITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS_16secure_allocatorIhEEEEEET_v: 77| 29| T final() { 78| 29| T output(output_length()); 79| 29| final_result(output); 80| 29| return output; 81| 29| } _ZN5Botan20Buffered_ComputationD2Ev: 130| 60| virtual ~Buffered_Computation() = default; _ZN5Botan20Buffered_Computation7processITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_21KyberHashedPublicKey_EJEEEEET_NS4_4spanIKhLm18446744073709551615EEE: 125| 29| T process(std::span in) { 126| 29| update(in); 127| 29| return final(); 128| 29| } _ZN5Botan20Buffered_Computation5finalITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_21KyberHashedPublicKey_EJEEEEET_v: 77| 29| T final() { 78| 29| T output(output_length()); 79| 29| final_result(output); 80| 29| return output; 81| 29| } _ZN5Botan8CurveGFp4swapERS0_: 69| 424k| void swap(CurveGFp& other) noexcept { std::swap(m_group, other.m_group); } _ZNK5Botan8CurveGFpeqERKS0_: 71| 279k| bool operator==(const CurveGFp& other) const { return (m_group == other.m_group); } _ZN5Botan8CurveGFpC2Ev: 62| 498k| CurveGFp() = default; _ZN5Botan17DataSource_MemoryC2ENSt3__14spanIKhLm18446744073709551615EEE: 141| 21.7k| explicit DataSource_Memory(std::span in) : m_source(in.begin(), in.end()), m_offset(0) {} _ZN5Botan10DataSourceC2Ev: 100| 40.4k| DataSource() = default; _ZN5Botan10DataSourceD2Ev: 101| 40.4k| virtual ~DataSource() = default; _ZN5Botan17DataSource_MemoryC2ENSt3__16vectorIhNS_16secure_allocatorIhEEEE: 135| 4| explicit DataSource_Memory(secure_vector in) : m_source(std::move(in)), m_offset(0) {} _ZN5Botan11DER_Encoder10add_objectENS_9ASN1_TypeENS_10ASN1_ClassENSt3__14spanIKhLm18446744073709551615EEE: 185| 2.60k| DER_Encoder& add_object(ASN1_Type type_tag, ASN1_Class class_tag, std::span rep) { 186| 2.60k| return add_object(type_tag, class_tag, rep.data(), rep.size()); 187| 2.60k| } _ZN5Botan11DER_Encoder10add_objectENS_9ASN1_TypeENS_10ASN1_ClassERKNSt3__16vectorIhNS3_9allocatorIhEEEE: 189| 2.60k| DER_Encoder& add_object(ASN1_Type type_tag, ASN1_Class class_tag, const std::vector& rep) { 190| 2.60k| return add_object(type_tag, class_tag, std::span{rep}); 191| 2.60k| } _ZN5Botan12DH_PublicKeyC2Ev: 68| 101| DH_PublicKey() = default; _ZNK5Botan13DilithiumMode19is_dilithium_round3Ev: 49| 155| bool is_dilithium_round3() const { return !is_ml_dsa(); } _ZNK5Botan13DilithiumMode4modeEv: 53| 465| Mode mode() const { return m_mode; } _ZN5Botan19Dilithium_PublicKeyC2Ev: 101| 79| Dilithium_PublicKey() = default; _ZN5Botan13DSA_PublicKeyC2Ev: 71| 128| DSA_PublicKey() = default; _ZNK5Botan14EC_AffinePoint5innerEv: 274| 1.63k| const EC_AffinePoint_Data& inner() const { return *m_point; } _ZNK5Botan8EC_Group5_dataEv: 458| 3.39k| const std::shared_ptr& _data() const { return m_data; } _ZN5Botan8EC_GroupC2EOS0_: 221| 4.12k| EC_Group(EC_Group&&) = default; _ZN5Botan8EC_PointC2EOS0_: 62| 128| EC_Point(EC_Point&& other) noexcept { this->swap(other); } _ZN5Botan8EC_PointaSEOS0_: 72| 354k| EC_Point& operator=(EC_Point&& other) noexcept { 73| 354k| if(this != &other) { ------------------ | Branch (73:13): [True: 354k, False: 0] ------------------ 74| 354k| this->swap(other); 75| 354k| } 76| 354k| return (*this); 77| 354k| } _ZNK5Botan8EC_Point7is_zeroEv: 163| 982k| bool is_zero() const { return m_z.is_zero(); } _ZNK5Botan8EC_Point5get_xEv: 238| 489k| BOTAN_DEPRECATED("Use affine coordinates only") const BigInt& get_x() const { return m_x; } _ZNK5Botan8EC_Point5get_yEv: 245| 489k| BOTAN_DEPRECATED("Use affine coordinates only") const BigInt& get_y() const { return m_y; } _ZNK5Botan8EC_Point4plusERKS0_RNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 338| 279k| EC_Point plus(const EC_Point& other, std::vector& workspace) const { 339| 279k| EC_Point x = (*this); 340| 279k| x.add(other, workspace); 341| 279k| return x; 342| 279k| } _ZNK5Botan8EC_Point9get_curveEv: 361| 590| BOTAN_DEPRECATED("Deprecated no replacement") const CurveGFp& get_curve() const { return m_curve; } _ZN5Botan8EC_PointD2Ev: 79| 780k| ~EC_Point() = default; _ZN5Botan8EC_PointC2Ev: 46| 495k| EC_Point() = default; _ZN5Botan8EC_PointC2ERKS0_: 57| 280k| EC_Point(const EC_Point&) = default; _ZN5Botan8EC_PointaSERKS0_: 67| 279k| EC_Point& operator=(const EC_Point&) = default; _ZNK5Botan9EC_Scalar10is_nonzeroEv: 161| 2.49k| bool is_nonzero() const { return !is_zero(); } _ZNK5Botan9EC_Scalar6_innerEv: 244| 1.62k| const EC_Scalar_Data& _inner() const { return inner(); } _ZNK5Botan9EC_Scalar5innerEv: 253| 8.25k| const EC_Scalar_Data& inner() const { return *m_scalar; } _ZN5Botan12EC_PublicKeyC2Ev: 137| 3.66k| EC_PublicKey() = default; _ZN5Botan12EC_PublicKeyD2Ev: 42| 3.66k| ~EC_PublicKey() override = default; _ZN5Botan13EC_PrivateKeyD2Ev: 170| 1.63k| ~EC_PrivateKey() override = default; _ZN5Botan15ECDH_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 87| 1.39k| EC_PrivateKey(alg_id, key_bits) {} _ZN5Botan14ECDH_PublicKeyC2Ev: 67| 1.07k| ECDH_PublicKey() = default; _ZN5Botan16ECDSA_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 98| 2.27k| EC_PrivateKey(alg_id, key_bits) {} _ZN5Botan15ECDSA_PublicKeyC2Ev: 79| 2.27k| ECDSA_PublicKey() = default; _ZN5Botan17Ed25519_PublicKeyC2Ev: 60| 6| Ed25519_PublicKey() = default; _ZN5Botan15Ed448_PublicKeyC2Ev: 66| 2| Ed448_PublicKey() = default; _ZNK5Botan9Exception4whatEv: 94| 927| const char* what() const noexcept override { return m_msg.c_str(); } _ZN5Botan20GOST_3410_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 91| 2| EC_PrivateKey(alg_id, key_bits) {} _ZN5Botan19GOST_3410_PublicKeyC2Ev: 72| 2| GOST_3410_PublicKey() = default; _ZN5Botan15Kyber_PublicKeyD2Ev: 105| 37| ~Kyber_PublicKey() override = default; _ZNK5Botan9KyberMode4modeEv: 60| 66| Mode mode() const { return m_mode; } _ZN5Botan15Kyber_PublicKeyC2Ev: 135| 37| Kyber_PublicKey() = default; _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm18446744073709551615EEETkNS1_16contiguous_rangeENS3_IKhLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 1.38k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.38k| ranges::assert_equal_byte_lengths(out, in); 162| 1.38k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.38k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.38k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.38k, False: 0] ------------------ 165| 1.38k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.38k| } 167| 1.38k|} _ZN5Botan11clear_bytesEPvm: 101| 21.8M|inline constexpr void clear_bytes(void* ptr, size_t bytes) { 102| 21.8M| if(bytes > 0) { ------------------ | Branch (102:7): [True: 21.7M, False: 39.4k] ------------------ 103| 21.7M| std::memset(ptr, 0, bytes); 104| 21.7M| } 105| 21.8M|} _ZN5Botan9clear_memImEEvPT_m: 118| 4.75M|inline constexpr void clear_mem(T* ptr, size_t n) { 119| 4.75M| clear_bytes(ptr, sizeof(T) * n); 120| 4.75M|} _ZN5Botan8copy_memIhQsr3stdE12is_trivial_vIu7__decayIT_EEEEvPS1_PKS1_m: 144| 2.15M|inline constexpr void copy_mem(T* out, const T* in, size_t n) { 145| 2.15M| BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null"); ------------------ | | 103| 2.15M| do { \ | | 104| 2.15M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 105| 4.26M| if((expr1) && !(expr2)) { \ | | ------------------ | | | Branch (105:10): [True: 2.13M, False: 22.5k] | | | Branch (105:23): [True: 2.13M, False: 0] | | | Branch (105:23): [True: 2.13M, False: 0] | | ------------------ | | 106| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 107| 0| Botan::assertion_failure(#expr1 " implies " #expr2, msg, __func__, __FILE__, __LINE__); \ | | 108| 0| } \ | | 109| 2.15M| } while(0) | | ------------------ | | | Branch (109:12): [Folded, False: 2.15M] | | ------------------ ------------------ 146| | 147| 2.15M| if(in != nullptr && out != nullptr && n > 0) { ------------------ | Branch (147:7): [True: 2.15M, False: 28] | Branch (147:24): [True: 2.15M, False: 703] | Branch (147:42): [True: 2.13M, False: 21.8k] ------------------ 148| 2.13M| std::memmove(out, in, sizeof(T) * n); 149| 2.13M| } 150| 2.15M|} _ZN5Botan19secure_scrub_memoryITkNS_6ranges23contiguous_output_rangeERNSt3__16vectorIhNS2_9allocatorIhEEEEEEvOT_: 59| 130k|void secure_scrub_memory(ranges::contiguous_output_range auto&& data) { 60| 130k| secure_scrub_memory(std::ranges::data(data), ranges::size_bytes(data)); 61| 130k|} _ZN5Botan9clear_memIhEEvPT_m: 118| 18.3k|inline constexpr void clear_mem(T* ptr, size_t n) { 119| 18.3k| clear_bytes(ptr, sizeof(T) * n); 120| 18.3k|} _ZN5Botan8copy_memImQsr3stdE12is_trivial_vIu7__decayIT_EEEEvPS1_PKS1_m: 144| 3.74M|inline constexpr void copy_mem(T* out, const T* in, size_t n) { 145| 3.74M| BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null"); ------------------ | | 103| 3.74M| do { \ | | 104| 3.74M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 105| 7.48M| if((expr1) && !(expr2)) { \ | | ------------------ | | | Branch (105:10): [True: 3.74M, False: 0] | | | Branch (105:23): [True: 3.74M, False: 0] | | | Branch (105:23): [True: 3.74M, False: 0] | | ------------------ | | 106| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 107| 0| Botan::assertion_failure(#expr1 " implies " #expr2, msg, __func__, __FILE__, __LINE__); \ | | 108| 0| } \ | | 109| 3.74M| } while(0) | | ------------------ | | | Branch (109:12): [Folded, False: 3.74M] | | ------------------ ------------------ 146| | 147| 3.74M| if(in != nullptr && out != nullptr && n > 0) { ------------------ | Branch (147:7): [True: 3.74M, False: 0] | Branch (147:24): [True: 3.74M, False: 0] | Branch (147:42): [True: 3.74M, False: 0] ------------------ 148| 3.74M| std::memmove(out, in, sizeof(T) * n); 149| 3.74M| } 150| 3.74M|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm8EEEmQaaaasr3stdE23is_trivially_copyable_vIT0_Entsr3std6rangesE5rangeIS7_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEEEvOSC_RKS7_: 199| 44.1k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromT& in) { 200| 44.1k| typecast_copy(out, std::span(&in, 1)); 201| 44.1k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm8EEETkNS1_16contiguous_rangeENS3_IKmLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISG_EESH_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS9_IXsr21__is_primary_templateINSA_Iu14__remove_cvrefIDTclL_ZNSC_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSI_ISQ_EESR_E4type10value_typeEEEEvOSN_RKSD_: 176| 44.1k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 44.1k| ranges::assert_equal_byte_lengths(out, in); 178| 44.1k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 44.1k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm8EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS6_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEEES6_RKSB_: 210| 181k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 181k| ToT dst; // NOLINT(*-member-init) 212| 181k| typecast_copy(dst, src); 213| 181k| return dst; 214| 181k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm8EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISK_EEEvRSK_RKSA_: 188| 181k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 181k| typecast_copy(std::span(&out, 1), in); 190| 181k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm1EEETkNS1_16contiguous_rangeENS3_IKhLm8EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 181k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 181k| ranges::assert_equal_byte_lengths(out, in); 178| 181k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 181k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanIhLm18446744073709551615EEETkNS1_16contiguous_rangeENS3_IKhLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 28.8k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 28.8k| ranges::assert_equal_byte_lengths(out, in); 162| 28.8k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 28.8k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 28.8k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 28.8k, False: 1] ------------------ 165| 28.8k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 28.8k| } 167| 28.8k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm8EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS5_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEEES5_RKSA_: 210| 31.0k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 31.0k| ToT dst; // NOLINT(*-member-init) 212| 31.0k| typecast_copy(dst, src); 213| 31.0k| return dst; 214| 31.0k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm8EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISC_EESD_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISJ_EEEvRSJ_RKS9_: 188| 31.0k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 31.0k| typecast_copy(std::span(&out, 1), in); 190| 31.0k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm1EEETkNS1_16contiguous_rangeENS3_IhLm8EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS6_IXsr21__is_primary_templateINS7_Iu14__remove_cvrefIDTclL_ZNS9_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSF_ISN_EESO_E4type10value_typeEEEEvOSK_RKSA_: 176| 31.0k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 31.0k| ranges::assert_equal_byte_lengths(out, in); 178| 31.0k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 31.0k|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm18446744073709551615EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS5_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEE: 132| 2.75M|{ 133| 2.75M| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 2.75M|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm18446744073709551615EEETkNS1_16contiguous_rangeENS3_IKmLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 14.0k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 14.0k| ranges::assert_equal_byte_lengths(out, in); 162| 14.0k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 14.0k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 14.0k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 14.0k, False: 4] ------------------ 165| 14.0k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 14.0k| } 167| 14.0k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__16vectorImNS_16secure_allocatorImEEEETkNS1_16contiguous_rangeENS2_4spanImLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISH_EESI_E4type10value_typeENSA_IXsr21__is_primary_templateINSB_Iu14__remove_cvrefIDTclL_ZNSD_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSJ_ISR_EESS_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISW_EEEvOSE_RKSO_: 160| 663k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 663k| ranges::assert_equal_byte_lengths(out, in); 162| 663k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 663k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 663k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 663k, False: 0] ------------------ 165| 663k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 663k| } 167| 663k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm4EEETkNS1_16contiguous_rangeENS2_5arrayImLm4EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 1.44k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.44k| ranges::assert_equal_byte_lengths(out, in); 162| 1.44k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.44k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.44k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.44k, False: 0] ------------------ 165| 1.44k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.44k| } 167| 1.44k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm6EEETkNS1_16contiguous_rangeENS2_5arrayImLm6EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 836|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 836| ranges::assert_equal_byte_lengths(out, in); 162| 836| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 836] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 836| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 836, False: 0] ------------------ 165| 836| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 836| } 167| 836|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm8EEETkNS1_16contiguous_rangeENS2_5arrayImLm8EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 557|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 557| ranges::assert_equal_byte_lengths(out, in); 162| 557| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 557] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 557| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 557, False: 0] ------------------ 165| 557| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 557| } 167| 557|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm9EEETkNS1_16contiguous_rangeENS2_5arrayImLm9EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 1.69k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.69k| ranges::assert_equal_byte_lengths(out, in); 162| 1.69k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.69k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.69k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.69k, False: 0] ------------------ 165| 1.69k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.69k| } 167| 1.69k|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayImLm18EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 14.2M|{ 133| 14.2M| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 14.2M|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm3EEETkNS1_16contiguous_rangeENS2_5arrayImLm3EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 390|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 390| ranges::assert_equal_byte_lengths(out, in); 162| 390| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 390] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 390| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 390, False: 0] ------------------ 165| 390| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 390| } 167| 390|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm28EEETkNS1_16contiguous_rangeENS3_IKhLm28EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 588|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 588| ranges::assert_equal_byte_lengths(out, in); 162| 588| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 588] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 588| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 588, False: 0] ------------------ 165| 588| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 588| } 167| 588|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm66EEETkNS1_16contiguous_rangeENS3_IKhLm66EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 544|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 544| ranges::assert_equal_byte_lengths(out, in); 162| 544| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 544] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 544| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 544, False: 0] ------------------ 165| 544| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 544| } 167| 544|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm4EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS6_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEEES6_RKSB_: 210| 5.63k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 5.63k| ToT dst; // NOLINT(*-member-init) 212| 5.63k| typecast_copy(dst, src); 213| 5.63k| return dst; 214| 5.63k|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm4EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISK_EEEvRSK_RKSA_: 188| 5.63k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 5.63k| typecast_copy(std::span(&out, 1), in); 190| 5.63k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanIjLm1EEETkNS1_16contiguous_rangeENS3_IKhLm4EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 5.63k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 5.63k| ranges::assert_equal_byte_lengths(out, in); 178| 5.63k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 5.63k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm2EEEtQaaaasr3stdE23is_trivially_copyable_vIT0_Entsr3std6rangesE5rangeIS7_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEEEvOSC_RKS7_: 199| 332|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromT& in) { 200| 332| typecast_copy(out, std::span(&in, 1)); 201| 332|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm2EEETkNS1_16contiguous_rangeENS3_IKtLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISG_EESH_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS9_IXsr21__is_primary_templateINSA_Iu14__remove_cvrefIDTclL_ZNSC_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSI_ISQ_EESR_E4type10value_typeEEEEvOSN_RKSD_: 176| 332|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 332| ranges::assert_equal_byte_lengths(out, in); 178| 332| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 332|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayIhLm8EEETkNS1_16contiguous_rangeENS3_ImLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 1.13M|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 1.13M| ranges::assert_equal_byte_lengths(out, in); 178| 1.13M| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 1.13M|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm4EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS5_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEEES5_RKSA_: 210| 53.7k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 53.7k| ToT dst; // NOLINT(*-member-init) 212| 53.7k| typecast_copy(dst, src); 213| 53.7k| return dst; 214| 53.7k|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm4EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISC_EESD_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISJ_EEEvRSJ_RKS9_: 188| 53.7k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 53.7k| typecast_copy(std::span(&out, 1), in); 190| 53.7k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanIjLm1EEETkNS1_16contiguous_rangeENS3_IhLm4EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS6_IXsr21__is_primary_templateINS7_Iu14__remove_cvrefIDTclL_ZNS9_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSF_ISN_EESO_E4type10value_typeEEEEvOSK_RKSA_: 176| 53.7k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 53.7k| ranges::assert_equal_byte_lengths(out, in); 178| 53.7k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 53.7k|} _ZN5Botan13typecast_copyItTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm2EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS5_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEEES5_RKSA_: 210| 2.68k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 2.68k| ToT dst; // NOLINT(*-member-init) 212| 2.68k| typecast_copy(dst, src); 213| 2.68k| return dst; 214| 2.68k|} _ZN5Botan13typecast_copyItTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm2EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISC_EESD_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISJ_EEEvRSJ_RKS9_: 188| 2.68k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 2.68k| typecast_copy(std::span(&out, 1), in); 190| 2.68k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanItLm1EEETkNS1_16contiguous_rangeENS3_IhLm2EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS6_IXsr21__is_primary_templateINS7_Iu14__remove_cvrefIDTclL_ZNS9_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSF_ISN_EESO_E4type10value_typeEEEEvOSK_RKSA_: 176| 2.68k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 2.68k| ranges::assert_equal_byte_lengths(out, in); 178| 2.68k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 2.68k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm56EEETkNS1_16contiguous_rangeENS2_5arrayImLm7EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEEEvOSM_RKSC_: 176| 1|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 1| ranges::assert_equal_byte_lengths(out, in); 178| 1| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 1|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm56EEETkNS1_16contiguous_rangeENS2_6vectorIhNS_16secure_allocatorIhEEEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISH_EESI_E4type10value_typeENSA_IXsr21__is_primary_templateINSB_Iu14__remove_cvrefIDTclL_ZNSD_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSJ_ISR_EESS_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISW_EEEvOSE_RKSO_: 160| 1|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1| ranges::assert_equal_byte_lengths(out, in); 162| 1| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1, False: 0] ------------------ 165| 1| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1| } 167| 1|} _ZN5Botan13typecast_copyINS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEETkNS_6ranges16contiguous_rangeENS2_4spanIKhLm18446744073709551615EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vISB_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEESB_RKSG_: 210| 1|inline constexpr ToT typecast_copy(const FromR& src) { 211| 1| ToT dst; // NOLINT(*-member-init) 212| 1| typecast_copy(dst, src); 213| 1| return dst; 214| 1|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEETkNS1_16contiguous_rangeENS3_4spanIKhLm18446744073709551615EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINSC_IXsr21__is_primary_templateINSD_Iu14__remove_cvrefIDTclL_ZNSF_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSL_IST_EESU_E4type10value_typeEEEEvOSQ_RKSG_: 176| 1|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 1| ranges::assert_equal_byte_lengths(out, in); 178| 1| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 1|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIiLm256EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 476|{ 133| 476| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 476|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__16vectorIiNS2_9allocatorIiEEEETkNS1_16contiguous_rangeES6_Qaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 76|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 76| ranges::assert_equal_byte_lengths(out, in); 162| 76| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 76] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 76| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 76, False: 0] ------------------ 165| 76| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 76| } 167| 76|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIsLm256EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 96|{ 133| 96| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 96|} _ZN5Botan9clear_memIjEEvPT_m: 118| 6|inline constexpr void clear_mem(T* ptr, size_t n) { 119| 6| clear_bytes(ptr, sizeof(T) * n); 120| 6|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayImLm7EEETkNS1_16contiguous_rangeENS2_4spanIKhLm56EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISG_EESH_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS9_IXsr21__is_primary_templateINSA_Iu14__remove_cvrefIDTclL_ZNSC_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSI_ISQ_EESR_E4type10value_typeEEEEvOSN_RKSD_: 176| 2|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 2| ranges::assert_equal_byte_lengths(out, in); 178| 2| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 2|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayImLm7EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 8.06k|{ 133| 8.06k| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 8.06k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayIhLm2EEETkNS1_16contiguous_rangeENS3_ItLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 3.57k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 3.57k| ranges::assert_equal_byte_lengths(out, in); 178| 3.57k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 3.57k|} _ZN5Botan14Asymmetric_KeyD2Ev: 62| 4.08k| virtual ~Asymmetric_Key() = default; _ZN5Botan15PKCS8_ExceptionC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 30| 1.85k| explicit PKCS8_Exception(std::string_view error) : Decoding_Error("PKCS #8", error) {} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm18446744073709551615EEETpTkNS0_14spanable_rangeEJNS3_IKhLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 30.2k|{ 101| 30.2k| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 30.2k| } else { 107| 30.2k| const size_t expected_size = s0.size_bytes(); 108| 30.2k| const bool correct_size = 109| 30.2k| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 30.2k| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 30.2k] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 30.2k| } 115| 30.2k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm18446744073709551615EEEEEmRKT_: 59| 60.5k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 60.5k| return std::span{r}.size_bytes(); 61| 60.5k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm32ETkNS0_14spanable_rangeENSt3__14spanIhLm32EEEEEvRKT0_: 77| 1|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1| const std::span s{r}; 79| 1| if constexpr(statically_spanable_range) { 80| 1| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 1|} _ZN5Botan6ranges24assert_exact_byte_lengthILm32ETkNS0_14spanable_rangeENSt3__15arrayImLm4EEEEEvRKT0_: 77| 3.73k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 3.73k| const std::span s{r}; 79| 3.73k| if constexpr(statically_spanable_range) { 80| 3.73k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 3.73k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm32EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.70k|{ 101| 1.70k| const std::span s0{r0}; 102| | 103| 1.70k| if constexpr(statically_spanable_range) { 104| 1.70k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.70k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.70k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__16vectorIhNS2_9allocatorIhEEEEEEmRKT_: 59| 130k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 130k| return std::span{r}.size_bytes(); 61| 130k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__14spanIhLm8EEEEEvRKT0_: 77| 114k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 114k| const std::span s{r}; 79| 114k| if constexpr(statically_spanable_range) { 80| 114k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 114k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm8EEETpTkNS0_14spanable_rangeEJNS3_IKmLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 44.1k|{ 101| 44.1k| const std::span s0{r0}; 102| | 103| 44.1k| if constexpr(statically_spanable_range) { 104| 44.1k| constexpr size_t expected_size = s0.size_bytes(); 105| 44.1k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 44.1k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__14spanIKmLm1EEEEEvRKT0_: 77| 44.1k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 44.1k| const std::span s{r}; 79| 44.1k| if constexpr(statically_spanable_range) { 80| 44.1k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 44.1k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm8EEEEEmRKT_: 59| 44.1k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 44.1k| return std::span{r}.size_bytes(); 61| 44.1k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__14spanIKhLm8EEEEEvRKT0_: 77| 363k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 363k| const std::span s{r}; 79| 363k| if constexpr(statically_spanable_range) { 80| 363k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 363k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm1EEETpTkNS0_14spanable_rangeEJNS3_IKhLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 181k|{ 101| 181k| const std::span s0{r0}; 102| | 103| 181k| if constexpr(statically_spanable_range) { 104| 181k| constexpr size_t expected_size = s0.size_bytes(); 105| 181k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 181k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm1EEEEEmRKT_: 59| 212k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 212k| return std::span{r}.size_bytes(); 61| 212k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__15arrayIhLm8EEEEEvRKT0_: 77| 31.0k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 31.0k| const std::span s{r}; 79| 31.0k| if constexpr(statically_spanable_range) { 80| 31.0k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 31.0k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm1EEETpTkNS0_14spanable_rangeEJNS3_IhLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 31.0k|{ 101| 31.0k| const std::span s0{r0}; 102| | 103| 31.0k| if constexpr(statically_spanable_range) { 104| 31.0k| constexpr size_t expected_size = s0.size_bytes(); 105| 31.0k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 31.0k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm18446744073709551615EEEEEmRKT_: 59| 2.77M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 2.77M| return std::span{r}.size_bytes(); 61| 2.77M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm18446744073709551615EEETpTkNS0_14spanable_rangeEJNS3_IKmLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 14.0k|{ 101| 14.0k| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 14.0k| } else { 107| 14.0k| const size_t expected_size = s0.size_bytes(); 108| 14.0k| const bool correct_size = 109| 14.0k| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 14.0k| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 14.0k] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 14.0k| } 115| 14.0k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEETpTkNS0_14spanable_rangeEJNS2_4spanImLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 663k|{ 101| 663k| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 663k| } else { 107| 663k| const size_t expected_size = s0.size_bytes(); 108| 663k| const bool correct_size = 109| 663k| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 663k| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 663k] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 663k| } 115| 663k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEEEmRKT_: 59| 1.32M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.32M| return std::span{r}.size_bytes(); 61| 1.32M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm4EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.44k|{ 101| 1.44k| const std::span s0{r0}; 102| | 103| 1.44k| if constexpr(statically_spanable_range) { 104| 1.44k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.44k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.44k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm4EEEEEmRKT_: 59| 2.88k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 2.88k| return std::span{r}.size_bytes(); 61| 2.88k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__15arrayImLm1EEEEEvRKT0_: 77| 2.26M|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2.26M| const std::span s{r}; 79| 2.26M| if constexpr(statically_spanable_range) { 80| 2.26M| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2.26M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm6EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm6EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 836|{ 101| 836| const std::span s0{r0}; 102| | 103| 836| if constexpr(statically_spanable_range) { 104| 836| constexpr size_t expected_size = s0.size_bytes(); 105| 836| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 836|} _ZN5Botan6ranges24assert_exact_byte_lengthILm48ETkNS0_14spanable_rangeENSt3__15arrayImLm6EEEEEvRKT0_: 77| 1.92k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1.92k| const std::span s{r}; 79| 1.92k| if constexpr(statically_spanable_range) { 80| 1.92k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 1.92k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm6EEEEEmRKT_: 59| 1.67k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.67k| return std::span{r}.size_bytes(); 61| 1.67k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm48EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm6EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.08k|{ 101| 1.08k| const std::span s0{r0}; 102| | 103| 1.08k| if constexpr(statically_spanable_range) { 104| 1.08k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.08k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.08k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm8EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 557|{ 101| 557| const std::span s0{r0}; 102| | 103| 557| if constexpr(statically_spanable_range) { 104| 557| constexpr size_t expected_size = s0.size_bytes(); 105| 557| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 557|} _ZN5Botan6ranges24assert_exact_byte_lengthILm64ETkNS0_14spanable_rangeENSt3__15arrayImLm8EEEEEvRKT0_: 77| 1.11k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1.11k| const std::span s{r}; 79| 1.11k| if constexpr(statically_spanable_range) { 80| 1.11k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 1.11k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm8EEEEEmRKT_: 59| 1.11k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.11k| return std::span{r}.size_bytes(); 61| 1.11k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm64EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 556|{ 101| 556| const std::span s0{r0}; 102| | 103| 556| if constexpr(statically_spanable_range) { 104| 556| constexpr size_t expected_size = s0.size_bytes(); 105| 556| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 556|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm9EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm9EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.69k|{ 101| 1.69k| const std::span s0{r0}; 102| | 103| 1.69k| if constexpr(statically_spanable_range) { 104| 1.69k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.69k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.69k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm72ETkNS0_14spanable_rangeENSt3__15arrayImLm9EEEEEvRKT0_: 77| 3.62k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 3.62k| const std::span s{r}; 79| 3.62k| if constexpr(statically_spanable_range) { 80| 3.62k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 3.62k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm9EEEEEmRKT_: 59| 3.39k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3.39k| return std::span{r}.size_bytes(); 61| 3.39k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayImLm18EEEEEmRKT_: 59| 14.2M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 14.2M| return std::span{r}.size_bytes(); 61| 14.2M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm72EEETpTkNS0_14spanable_rangeEJNS3_ImLm9EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.92k|{ 101| 1.92k| const std::span s0{r0}; 102| | 103| 1.92k| if constexpr(statically_spanable_range) { 104| 1.92k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.92k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.92k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm3EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm3EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 390|{ 101| 390| const std::span s0{r0}; 102| | 103| 390| if constexpr(statically_spanable_range) { 104| 390| constexpr size_t expected_size = s0.size_bytes(); 105| 390| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 390|} _ZN5Botan6ranges24assert_exact_byte_lengthILm24ETkNS0_14spanable_rangeENSt3__15arrayImLm3EEEEEvRKT0_: 77| 1.17k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1.17k| const std::span s{r}; 79| 1.17k| if constexpr(statically_spanable_range) { 80| 1.17k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 1.17k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm3EEEEEmRKT_: 59| 780|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 780| return std::span{r}.size_bytes(); 61| 780|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm24EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm3EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 780|{ 101| 780| const std::span s0{r0}; 102| | 103| 780| if constexpr(statically_spanable_range) { 104| 780| constexpr size_t expected_size = s0.size_bytes(); 105| 780| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 780|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm32EEETpTkNS0_14spanable_rangeEJNS3_ImLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 588|{ 101| 588| const std::span s0{r0}; 102| | 103| 588| if constexpr(statically_spanable_range) { 104| 588| constexpr size_t expected_size = s0.size_bytes(); 105| 588| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 588|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm28EEETpTkNS0_14spanable_rangeEJNS3_IKhLm28EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 588|{ 101| 588| const std::span s0{r0}; 102| | 103| 588| if constexpr(statically_spanable_range) { 104| 588| constexpr size_t expected_size = s0.size_bytes(); 105| 588| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 588|} _ZN5Botan6ranges24assert_exact_byte_lengthILm28ETkNS0_14spanable_rangeENSt3__14spanIKhLm28EEEEEvRKT0_: 77| 588|inline constexpr void assert_exact_byte_length(const R& r) { 78| 588| const std::span s{r}; 79| 588| if constexpr(statically_spanable_range) { 80| 588| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 588|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm28EEEEEmRKT_: 59| 1.17k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.17k| return std::span{r}.size_bytes(); 61| 1.17k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm66EEETpTkNS0_14spanable_rangeEJNS3_IKhLm66EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 544|{ 101| 544| const std::span s0{r0}; 102| | 103| 544| if constexpr(statically_spanable_range) { 104| 544| constexpr size_t expected_size = s0.size_bytes(); 105| 544| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 544|} _ZN5Botan6ranges24assert_exact_byte_lengthILm66ETkNS0_14spanable_rangeENSt3__14spanIKhLm66EEEEEvRKT0_: 77| 544|inline constexpr void assert_exact_byte_length(const R& r) { 78| 544| const std::span s{r}; 79| 544| if constexpr(statically_spanable_range) { 80| 544| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 544|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm66EEEEEmRKT_: 59| 1.08k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.08k| return std::span{r}.size_bytes(); 61| 1.08k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm1EEETpTkNS0_14spanable_rangeEJS4_EEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 192|{ 101| 192| const std::span s0{r0}; 102| | 103| 192| if constexpr(statically_spanable_range) { 104| 192| constexpr size_t expected_size = s0.size_bytes(); 105| 192| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 192|} _ZN5Botan6ranges24assert_exact_byte_lengthILm1ETkNS0_14spanable_rangeENSt3__15arrayIhLm1EEEEEvRKT0_: 77| 192|inline constexpr void assert_exact_byte_length(const R& r) { 78| 192| const std::span s{r}; 79| 192| if constexpr(statically_spanable_range) { 80| 192| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 192|} _ZN5Botan6ranges24assert_exact_byte_lengthILm1ETkNS0_14spanable_rangeENSt3__14spanIhLm1EEEEEvRKT0_: 77| 384|inline constexpr void assert_exact_byte_length(const R& r) { 78| 384| const std::span s{r}; 79| 384| if constexpr(statically_spanable_range) { 80| 384| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 384|} _ZN5Botan6ranges24assert_exact_byte_lengthILm4ETkNS0_14spanable_rangeENSt3__14spanIhLm4EEEEEvRKT0_: 77| 53.7k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 53.7k| const std::span s{r}; 79| 53.7k| if constexpr(statically_spanable_range) { 80| 53.7k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 53.7k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm4ETkNS0_14spanable_rangeENSt3__14spanIKhLm4EEEEEvRKT0_: 77| 11.2k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 11.2k| const std::span s{r}; 79| 11.2k| if constexpr(statically_spanable_range) { 80| 11.2k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 11.2k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIjLm1EEETpTkNS0_14spanable_rangeEJNS3_IKhLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 5.63k|{ 101| 5.63k| const std::span s0{r0}; 102| | 103| 5.63k| if constexpr(statically_spanable_range) { 104| 5.63k| constexpr size_t expected_size = s0.size_bytes(); 105| 5.63k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 5.63k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIjLm1EEEEEmRKT_: 59| 59.3k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 59.3k| return std::span{r}.size_bytes(); 61| 59.3k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanItLm1EEEEEmRKT_: 59| 2.68k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 2.68k| return std::span{r}.size_bytes(); 61| 2.68k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__14spanIhLm2EEEEEvRKT0_: 77| 3.34k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 3.34k| const std::span s{r}; 79| 3.34k| if constexpr(statically_spanable_range) { 80| 3.34k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 3.34k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm2EEETpTkNS0_14spanable_rangeEJNS3_IKtLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 332|{ 101| 332| const std::span s0{r0}; 102| | 103| 332| if constexpr(statically_spanable_range) { 104| 332| constexpr size_t expected_size = s0.size_bytes(); 105| 332| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 332|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__14spanIKtLm1EEEEEvRKT0_: 77| 332|inline constexpr void assert_exact_byte_length(const R& r) { 78| 332| const std::span s{r}; 79| 332| if constexpr(statically_spanable_range) { 80| 332| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 332|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm2EEEEEmRKT_: 59| 332|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 332| return std::span{r}.size_bytes(); 61| 332|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm18446744073709551615EEETpTkNS0_14spanable_rangeEJNS3_IKmLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2|{ 101| 2| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 2| } else { 107| 2| const size_t expected_size = s0.size_bytes(); 108| 2| const bool correct_size = 109| 2| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 2| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 2] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 2| } 115| 2|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm8EEETpTkNS0_14spanable_rangeEJNS3_ImLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2.26M|{ 101| 2.26M| const std::span s0{r0}; 102| | 103| 2.26M| if constexpr(statically_spanable_range) { 104| 2.26M| constexpr size_t expected_size = s0.size_bytes(); 105| 2.26M| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2.26M|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayIhLm8EEEEEmRKT_: 59| 1.13M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.13M| return std::span{r}.size_bytes(); 61| 1.13M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIjLm1EEETpTkNS0_14spanable_rangeEJNS3_IhLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 53.7k|{ 101| 53.7k| const std::span s0{r0}; 102| | 103| 53.7k| if constexpr(statically_spanable_range) { 104| 53.7k| constexpr size_t expected_size = s0.size_bytes(); 105| 53.7k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 53.7k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanItLm1EEETpTkNS0_14spanable_rangeEJNS3_IhLm2EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2.68k|{ 101| 2.68k| const std::span s0{r0}; 102| | 103| 2.68k| if constexpr(statically_spanable_range) { 104| 2.68k| constexpr size_t expected_size = s0.size_bytes(); 105| 2.68k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2.68k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayImLm7EEEEEmRKT_: 59| 8.07k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 8.07k| return std::span{r}.size_bytes(); 61| 8.07k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm56EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm7EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2|{ 101| 2| const std::span s0{r0}; 102| | 103| 2| if constexpr(statically_spanable_range) { 104| 2| constexpr size_t expected_size = s0.size_bytes(); 105| 2| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2|} _ZN5Botan6ranges24assert_exact_byte_lengthILm56ETkNS0_14spanable_rangeENSt3__15arrayImLm7EEEEEvRKT0_: 77| 2|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2| const std::span s{r}; 79| 2| if constexpr(statically_spanable_range) { 80| 2| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm56EEEEEmRKT_: 59| 3|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3| return std::span{r}.size_bytes(); 61| 3|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm56EEETpTkNS0_14spanable_rangeEJNS2_6vectorIhNS_16secure_allocatorIhEEEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1|{ 101| 1| const std::span s0{r0}; 102| | 103| 1| if constexpr(statically_spanable_range) { 104| 1| constexpr size_t expected_size = s0.size_bytes(); 105| 1| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1|} _ZN5Botan6ranges24assert_exact_byte_lengthILm56ETkNS0_14spanable_rangeENSt3__16vectorIhNS_16secure_allocatorIhEEEEEEvRKT0_: 77| 1|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1| const std::span s{r}; 79| | if constexpr(statically_spanable_range) { 80| | static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| 1| } else { 82| 1| if(s.size_bytes() != expected) { ------------------ | Branch (82:10): [True: 0, False: 1] ------------------ 83| 0| memory_region_size_violation(); 84| 0| } 85| 1| } 86| 1|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEETpTkNS0_14spanable_rangeEJNS3_4spanIKhLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1|{ 101| 1| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 1| } else { 107| 1| const size_t expected_size = s0.size_bytes(); 108| 1| const bool correct_size = 109| 1| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 1| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 1] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 1| } 115| 1|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEEEEmRKT_: 59| 1|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1| return std::span{r}.size_bytes(); 61| 1|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIiLm256EEEEEmRKT_: 59| 476|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 476| return std::span{r}.size_bytes(); 61| 476|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__16vectorIiNS2_9allocatorIiEEEETpTkNS0_14spanable_rangeEJS6_EEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 76|{ 101| 76| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 76| } else { 107| 76| const size_t expected_size = s0.size_bytes(); 108| 76| const bool correct_size = 109| 76| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 76| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 76] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 76| } 115| 76|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__16vectorIiNS2_9allocatorIiEEEEEEmRKT_: 59| 152|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 152| return std::span{r}.size_bytes(); 61| 152|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__15arrayIhLm2EEEEEvRKT0_: 77| 2.68k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2.68k| const std::span s{r}; 79| 2.68k| if constexpr(statically_spanable_range) { 80| 2.68k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2.68k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__15arrayItLm1EEEEEvRKT0_: 77| 7.47k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 7.47k| const std::span s{r}; 79| 7.47k| if constexpr(statically_spanable_range) { 80| 7.47k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 7.47k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm2EEETpTkNS0_14spanable_rangeEJNS3_ItLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 7.47k|{ 101| 7.47k| const std::span s0{r0}; 102| | 103| 7.47k| if constexpr(statically_spanable_range) { 104| 7.47k| constexpr size_t expected_size = s0.size_bytes(); 105| 7.47k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 7.47k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm4ETkNS0_14spanable_rangeENSt3__15arrayIhLm4EEEEEvRKT0_: 77| 53.7k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 53.7k| const std::span s{r}; 79| 53.7k| if constexpr(statically_spanable_range) { 80| 53.7k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 53.7k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIsLm256EEEEEmRKT_: 59| 96|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 96| return std::span{r}.size_bytes(); 61| 96|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayImLm7EEETpTkNS0_14spanable_rangeEJNS2_4spanIKhLm56EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 4|{ 101| 4| const std::span s0{r0}; 102| | 103| 4| if constexpr(statically_spanable_range) { 104| 4| constexpr size_t expected_size = s0.size_bytes(); 105| 4| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 4|} _ZN5Botan6ranges24assert_exact_byte_lengthILm56ETkNS0_14spanable_rangeENSt3__14spanIKhLm56EEEEEvRKT0_: 77| 4|inline constexpr void assert_exact_byte_length(const R& r) { 78| 4| const std::span s{r}; 79| 4| if constexpr(statically_spanable_range) { 80| 4| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 4|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayIhLm2EEEEEmRKT_: 59| 3.57k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3.57k| return std::span{r}.size_bytes(); 61| 3.57k|} _ZNK5Botan8Null_RNG9is_seededEv: 352| 7.94k| bool is_seeded() const override { return false; } _ZN5Botan21RandomNumberGeneratorC2Ev: 54| 1.62k| RandomNumberGenerator() = default; _ZN5Botan13RSA_PublicKeyC2Ev: 87| 36| RSA_PublicKey() = default; _ZN5Botan16secure_allocatorIhE8allocateEm: 52| 121k| T* allocate(std::size_t n) { return static_cast(allocate_memory(n, sizeof(T))); } _ZN5Botan16secure_allocatorIhE10deallocateEPhm: 54| 121k| void deallocate(T* p, std::size_t n) { deallocate_memory(p, n, sizeof(T)); } _ZN5Botan16secure_allocatorImE10deallocateEPmm: 54| 16.6M| void deallocate(T* p, std::size_t n) { deallocate_memory(p, n, sizeof(T)); } _ZN5Botan16secure_allocatorImE8allocateEm: 52| 16.6M| T* allocate(std::size_t n) { return static_cast(allocate_memory(n, sizeof(T))); } _ZN5BotanneIhhEEbRKNS_16secure_allocatorIT_EERKNS1_IT0_EE: 63| 16.0k|inline bool operator!=(const secure_allocator& /*a*/, const secure_allocator& /*b*/) { 64| 16.0k| return false; 65| 16.0k|} _ZN5BotanpLIhNS_16secure_allocatorIhEES2_EERNSt3__16vectorIT_T0_EES8_RKNS4_IS5_T1_EE: 92| 2.35k|std::vector& operator+=(std::vector& out, const std::vector& in) { 93| 2.35k| out.insert(out.end(), in.begin(), in.end()); 94| 2.35k| return out; 95| 2.35k|} _ZNK5Botan18Sphincs_Parameters9hash_typeEv: 71| 17| Sphincs_Hash_Type hash_type() const { return m_hash_type; } _ZNK5Botan18Sphincs_Parameters13parameter_setEv: 76| 17| Sphincs_Parameter_Set parameter_set() const { return m_set; } _ZNK5Botan18Sphincs_Parameters1nEv: 96| 8| size_t n() const { return m_n; } _ZNK5Botan18Sphincs_Parameters16public_key_bytesEv: 195| 31| uint32_t public_key_bytes() const { return m_n * 2; } _ZNK5Botan18Sphincs_Parameters17private_key_bytesEv: 200| 23| uint32_t private_key_bytes() const { return m_n * 2 + public_key_bytes(); } _ZN5Botan18unwrap_strong_typeIRmEEDcOT_: 243| 44.1k|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 44.1k| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 44.1k| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 44.1k|} _ZN5Botan16wrap_strong_typeImRmQoosr3stdE18constructible_fromIT_T0_Eaasr8conceptsE11strong_typeIS2_Esr3stdE18constructible_fromINS2_12wrapped_typeES3_EEEDcOS3_: 268| 212k|[[nodiscard]] constexpr decltype(auto) wrap_strong_type(ParamT&& t) { 269| 212k| if constexpr(std::same_as, T>) { 270| | // Noop, if the parameter type already is the desired return type. 271| 212k| return std::forward(t); 272| | } else if constexpr(std::constructible_from) { 273| | // Implicit conversion from the parameter type to the return type. 274| | return T{std::forward(t)}; 275| | } else { 276| | // Explicitly calling the wrapped type's constructor to support 277| | // implicit conversions on types that mark their constructors as explicit. 278| | static_assert(concepts::strong_type && std::constructible_from); 279| | return T{typename T::wrapped_type{std::forward(t)}}; 280| | } 281| 212k|} _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE4sizeEv: 141| 677| size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); } _ZNKR5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE3getEv: 87| 1.14k| constexpr const T& get() const& { return m_value; } _ZN5Botan18unwrap_strong_typeIRNSt3__16vectorIhNS1_9allocatorIhEEEEEEDcOT_: 243| 58|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 58| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 58| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 58|} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEED2Ev: 81| 638| ~Strong_Base() = default; _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEED2Ev: 81| 1.20k| ~Strong_Base() = default; _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEE4sizeEv: 141| 1.11k| size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); } _ZNKR5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEE3getEv: 87| 1.79k| constexpr const T& get() const& { return m_value; } _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2Ev: 76| 33| Strong_Base() = default; _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2INS2_11__wrap_iterIPKhEEEET_SD_: 122| 33| Container_Strong_Adapter_Base(InputIt begin, InputIt end) : Container_Strong_Adapter_Base(T(begin, end)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2ES6_: 83| 319| constexpr explicit Strong_Base(T v) : m_value(std::move(v)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEaSEOS7_: 80| 33| Strong_Base& operator=(Strong_Base&&) noexcept = default; _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2EmQsr8conceptsE19resizable_containerIT_E: 119| 257| : Container_Strong_Adapter_Base(T(size)) {} _ZNR5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE3getEv: 85| 315| constexpr T& get() & { return m_value; } _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE3endEv: 129| 29| decltype(auto) end() noexcept(noexcept(this->get().end())) { return this->get().end(); } _ZN5Botan18unwrap_strong_typeIRhEEDcOT_: 243| 192|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 192| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 192| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 192|} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2EOS7_: 78| 286| Strong_Base(Strong_Base&&) noexcept = default; _ZNK5Botan6detail14Strong_AdapterINSt3__16vectorIhNS2_9allocatorIhEEEEE4dataEv: 200| 391| decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2Ev: 76| 33| Strong_Base() = default; _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2INS2_11__wrap_iterIPKhEEEET_SD_: 122| 91| Container_Strong_Adapter_Base(InputIt begin, InputIt end) : Container_Strong_Adapter_Base(T(begin, end)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2ES6_: 83| 514| constexpr explicit Strong_Base(T v) : m_value(std::move(v)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEaSEOS7_: 80| 33| Strong_Base& operator=(Strong_Base&&) noexcept = default; _ZNR5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEE3getEv: 85| 344| constexpr T& get() & { return m_value; } _ZN5Botan6detail14Strong_AdapterINSt3__16vectorIhNS_16secure_allocatorIhEEEEE4dataEv: 198| 344| decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2EOS7_: 78| 659| Strong_Base(Strong_Base&&) noexcept = default; _ZN5Botan6detail14Strong_AdapterINSt3__16vectorIhNS2_9allocatorIhEEEEE4dataEv: 198| 257| decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZNK5Botan6detail14Strong_AdapterINSt3__16vectorIhNS_16secure_allocatorIhEEEEE4dataEv: 200| 688| decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE5beginEv: 125| 29| decltype(auto) begin() noexcept(noexcept(this->get().begin())) { return this->get().begin(); } _ZN5Botan16wrap_strong_typeIjRjQoosr3stdE18constructible_fromIT_T0_Eaasr8conceptsE11strong_typeIS2_Esr3stdE18constructible_fromINS2_12wrapped_typeES3_EEEDcOS3_: 268| 59.3k|[[nodiscard]] constexpr decltype(auto) wrap_strong_type(ParamT&& t) { 269| 59.3k| if constexpr(std::same_as, T>) { 270| | // Noop, if the parameter type already is the desired return type. 271| 59.3k| return std::forward(t); 272| | } else if constexpr(std::constructible_from) { 273| | // Implicit conversion from the parameter type to the return type. 274| | return T{std::forward(t)}; 275| | } else { 276| | // Explicitly calling the wrapped type's constructor to support 277| | // implicit conversions on types that mark their constructors as explicit. 278| | static_assert(concepts::strong_type && std::constructible_from); 279| | return T{typename T::wrapped_type{std::forward(t)}}; 280| | } 281| 59.3k|} _ZN5Botan16wrap_strong_typeItRtQoosr3stdE18constructible_fromIT_T0_Eaasr8conceptsE11strong_typeIS2_Esr3stdE18constructible_fromINS2_12wrapped_typeES3_EEEDcOS3_: 268| 2.68k|[[nodiscard]] constexpr decltype(auto) wrap_strong_type(ParamT&& t) { 269| 2.68k| if constexpr(std::same_as, T>) { 270| | // Noop, if the parameter type already is the desired return type. 271| 2.68k| return std::forward(t); 272| | } else if constexpr(std::constructible_from) { 273| | // Implicit conversion from the parameter type to the return type. 274| | return T{std::forward(t)}; 275| | } else { 276| | // Explicitly calling the wrapped type's constructor to support 277| | // implicit conversions on types that mark their constructors as explicit. 278| | static_assert(concepts::strong_type && std::constructible_from); 279| | return T{typename T::wrapped_type{std::forward(t)}}; 280| | } 281| 2.68k|} _ZN5Botan18unwrap_strong_typeIRtEEDcOT_: 243| 332|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 332| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 332| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 332|} _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2EmQsr8conceptsE19resizable_containerIT_E: 119| 344| : Container_Strong_Adapter_Base(T(size)) {} _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEE5beginEv: 127| 1| decltype(auto) begin() const noexcept(noexcept(this->get().begin())) { return this->get().begin(); } _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEE3endEv: 131| 1| decltype(auto) end() const noexcept(noexcept(this->get().end())) { return this->get().end(); } _ZNK5Botan6detail14Strong_AdapterINSt3__15arrayIhLm56EEEE4dataEv: 200| 2| decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEE4sizeEv: 141| 2| size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); } _ZN5Botan6detail14Strong_AdapterINSt3__15arrayIhLm56EEEE4dataEv: 198| 1| decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZNR5Botan6detail11Strong_BaseINSt3__15arrayIhLm56EEEE3getEv: 85| 3| constexpr T& get() & { return m_value; } _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEEixIiEEDcOT_: 167| 2| decltype(auto) operator[](U&& i) noexcept(noexcept(this->get().operator[](i))) { 168| 2| return this->get()[std::forward(i)]; 169| 2| } _ZNKR5Botan6detail11Strong_BaseINSt3__15arrayIhLm56EEEE3getEv: 87| 456| constexpr const T& get() const& { return m_value; } _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEEixImEEDcOT_: 162| 448| decltype(auto) operator[](U&& i) const noexcept(noexcept(this->get().operator[](i))) { 163| 448| return this->get()[std::forward(i)]; 164| 448| } _ZN5Botan6detail11Strong_BaseINSt3__15arrayIhLm56EEEEC2ES4_: 83| 1| constexpr explicit Strong_Base(T v) : m_value(std::move(v)) {} _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEE4dataEv: 712| 76| decltype(auto) data() const noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEE4sizeEv: 714| 76| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEEC2ERS9_: 675| 76| StrongSpan(T& strong) : m_span(strong) {} _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE5emptyEvQsr8conceptsE9has_emptyIT_E: 145| 76| { 146| 76| return this->get().empty(); 147| 76| } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEC2ERS9_: 675| 152| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEC2ERS9_: 675| 76| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEE4dataEv: 710| 76| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEE4sizeEv: 714| 76| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEE4dataEv: 710| 2.76k| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEE4sizeEv: 714| 2.76k| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEE4dataEv: 710| 888| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEE4sizeEv: 714| 888| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEEC2ERS9_: 675| 76| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan6detail14Strong_AdapterINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2ENS2_4spanIKhLm18446744073709551615EEE: 188| 79| Strong_Adapter(T(span.begin(), span.end())) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEC2ERS9_: 675| 29| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEE4dataEv: 710| 29| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEE4sizeEv: 714| 29| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_13KyberSeedRho_EJEEEE4dataEv: 710| 332| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_13KyberSeedRho_EJEEEE4sizeEv: 714| 361| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEE4dataEv: 712| 29| decltype(auto) data() const noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEE4sizeEv: 714| 29| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEE4dataEv: 710| 192| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEE4sizeEv: 714| 192| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEEC2ERS9_: 675| 29| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEEC2ERS9_: 675| 29| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE3getEv: 708| 192| underlying_span get() { return m_span; } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEC2ERS9_: 675| 192| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEEC2ERS9_: 675| 29| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan24Key_Length_SpecificationC2Em: 28| 4.24k| explicit Key_Length_Specification(size_t keylen) : m_min_keylen(keylen), m_max_keylen(keylen), m_keylen_mod(1) {} _ZNK5Botan24Key_Length_Specification15valid_keylengthEm: 43| 4.24k| bool valid_keylength(size_t length) const { 44| 4.24k| return ((length >= m_min_keylen) && (length <= m_max_keylen) && (length % m_keylen_mod == 0)); ------------------ | Branch (44:18): [True: 4.24k, False: 0] | Branch (44:46): [True: 4.24k, False: 0] | Branch (44:74): [True: 4.24k, False: 0] ------------------ 45| 4.24k| } _ZN5Botan16X25519_PublicKeyC2Ev: 52| 9| X25519_PublicKey() = default; _ZN5Botan14X448_PublicKeyC2Ev: 57| 1| X448_PublicKey() = default; _ZN5Botan3XOF5clearEv: 64| 524| void clear() { 65| 524| m_xof_started = false; 66| 524| reset(); 67| 524| } _ZN5Botan3XOF6updateENSt3__14spanIKhLm18446744073709551615EEE: 140| 8.42k| void update(std::span input) { 141| 8.42k| if(!m_xof_started) { ------------------ | Branch (141:13): [True: 4.24k, False: 4.17k] ------------------ 142| | // If the user didn't start() before the first input, we enforce 143| | // it with a default value, here. 144| 4.24k| start(); 145| 4.24k| } 146| 8.42k| add_data(input); 147| 8.42k| } _ZN5Botan3XOFD2Ev: 31| 3.78k| virtual ~XOF() = default; _ZNK5Botan3XOF8key_specEv: 97| 4.24k| virtual Key_Length_Specification key_spec() const { 98| | // Keys are not supported by default 99| 4.24k| return Key_Length_Specification(0); 100| 4.24k| } _ZNK5Botan3XOF17valid_salt_lengthEm: 89| 4.24k| virtual bool valid_salt_length(size_t salt_len) const { 90| | // Salts are not supported by default 91| 4.24k| return salt_len == 0; 92| 4.24k| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_25DilithiumHashedPublicKey_EJEEEEET_m: 153| 76| T output(size_t bytes) { 154| 76| T out(bytes); 155| 76| generate_bytes(out); 156| 76| return out; 157| 76| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEET_m: 153| 76| T output(size_t bytes) { 154| 76| T out(bytes); 155| 76| generate_bytes(out); 156| 76| return out; 157| 76| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEET_m: 153| 76| T output(size_t bytes) { 154| 76| T out(bytes); 155| 76| generate_bytes(out); 156| 76| return out; 157| 76| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15DilithiumSeedK_EJEEEEET_m: 153| 76| T output(size_t bytes) { 154| 76| T out(bytes); 155| 76| generate_bytes(out); 156| 76| return out; 157| 76| } _ZN5Botan3XOF6outputILm1EEENSt3__15arrayIhXT_EEEv: 163| 163k| std::array output() { 164| 163k| std::array out; // NOLINT(*-member-init) 165| 163k| generate_bytes(out); 166| 163k| return out; 167| 163k| } _ZN5Botan3XOF6outputILm3EEENSt3__15arrayIhXT_EEEv: 163| 740k| std::array output() { 164| 740k| std::array out; // NOLINT(*-member-init) 165| 740k| generate_bytes(out); 166| 740k| return out; 167| 740k| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEET_m: 153| 192| T output(size_t bytes) { 154| 192| T out(bytes); 155| 192| generate_bytes(out); 156| 192| return out; 157| 192| } LLVMFuzzerInitialize: 28| 2|extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) { 29| | /* 30| | * This disables the mlock pool, as overwrites within the pool are 31| | * opaque to ASan or other instrumentation. 32| | */ 33| 2| ::setenv("BOTAN_MLOCK_POOL_SIZE", "0", 1); 34| 2| return 0; 35| 2|} LLVMFuzzerTestOneInput: 39| 6.95k|extern "C" int LLVMFuzzerTestOneInput(const uint8_t in[], size_t len) { 40| 6.95k| if(len <= max_fuzzer_input_size) { ------------------ | Branch (40:7): [True: 6.94k, False: 9] ------------------ 41| 6.94k| try { 42| 6.94k| fuzz(std::span(in, len)); 43| 6.94k| } catch(const std::exception& e) { 44| 0| std::cerr << "Uncaught exception from fuzzer driver " << e.what() << "\n"; 45| 0| abort(); 46| 0| } catch(...) { 47| 0| std::cerr << "Uncaught exception from fuzzer driver (unknown type)\n"; 48| 0| abort(); 49| 0| } 50| 6.94k| } 51| 6.95k| return 0; 52| 6.95k|} _Z4fuzzNSt3__14spanIKhLm18446744073709551615EEE: 14| 6.94k|void fuzz(std::span in) { 15| 6.94k| try { 16| 6.94k| Botan::DataSource_Memory input(in); 17| 6.94k| Botan::PKCS8::load_key(input); 18| 6.94k| } catch(const Botan::Exception& e) {} 19| | 20| | /* 21| | * This avoids OOMs in OSS-Fuzz caused by storing precomputations 22| | * for thousands of curves randomly generated by the fuzzer. 23| | * 24| | * TODO(Botan4) we can remove this call once support for explicit curves 25| | * is removed 26| | */ 27| 6.94k| Botan::EC_Group::clear_registered_curve_data(); 28| 6.94k|} _ZN5Botan19AlgorithmIdentifier11decode_fromERNS_11BER_DecoderE: 82| 6.12k|void AlgorithmIdentifier::decode_from(BER_Decoder& codec) { 83| 6.12k| codec.start_sequence().decode(m_oid).raw_bytes(m_parameters).end_cons(); 84| 6.12k|} _ZN5Botan10BER_ObjectD2Ev: 27| 130k|BER_Object::~BER_Object() { 28| 130k| secure_scrub_memory(m_value); 29| 130k|} _ZNK5Botan10BER_Object11assert_is_aENS_9ASN1_TypeENS_10ASN1_ClassENSt3__117basic_string_viewIcNS3_11char_traitsIcEEEE: 34| 46.3k|void BER_Object::assert_is_a(ASN1_Type expected_type_tag, ASN1_Class expected_class_tag, std::string_view descr) const { 35| 46.3k| if(!this->is_a(expected_type_tag, expected_class_tag)) { ------------------ | Branch (35:7): [True: 221, False: 46.1k] ------------------ 36| 221| std::stringstream msg; 37| | 38| 221| msg << "Tag mismatch when decoding " << descr << " got "; 39| | 40| 221| if(m_class_tag == ASN1_Class::NoObject && m_type_tag == ASN1_Type::NoObject) { ------------------ | Branch (40:10): [True: 33, False: 188] | Branch (40:49): [True: 33, False: 0] ------------------ 41| 33| msg << "EOF"; 42| 188| } else { 43| 188| if(m_class_tag == ASN1_Class::Universal || m_class_tag == ASN1_Class::Constructed) { ------------------ | Branch (43:13): [True: 60, False: 128] | Branch (43:53): [True: 90, False: 38] ------------------ 44| 150| msg << asn1_tag_to_string(m_type_tag); 45| 150| } else { 46| 38| msg << std::to_string(static_cast(m_type_tag)); 47| 38| } 48| | 49| 188| msg << "/" << asn1_class_to_string(m_class_tag); 50| 188| } 51| | 52| 221| msg << " expected "; 53| | 54| 221| if(expected_class_tag == ASN1_Class::Universal || expected_class_tag == ASN1_Class::Constructed) { ------------------ | Branch (54:10): [True: 192, False: 29] | Branch (54:57): [True: 29, False: 0] ------------------ 55| 221| msg << asn1_tag_to_string(expected_type_tag); 56| 221| } else { 57| 0| msg << std::to_string(static_cast(expected_type_tag)); 58| 0| } 59| | 60| 221| msg << "/" << asn1_class_to_string(expected_class_tag); 61| | 62| 221| throw BER_Decoding_Error(msg.str()); 63| 221| } 64| 46.3k|} _ZNK5Botan10BER_Object4is_aENS_9ASN1_TypeENS_10ASN1_ClassE: 66| 52.6k|bool BER_Object::is_a(ASN1_Type expected_type_tag, ASN1_Class expected_class_tag) const { 67| 52.6k| return (m_type_tag == expected_type_tag && m_class_tag == expected_class_tag); ------------------ | Branch (67:12): [True: 48.6k, False: 3.94k] | Branch (67:47): [True: 48.6k, False: 13] ------------------ 68| 52.6k|} _ZN5Botan10BER_Object11set_taggingENS_9ASN1_TypeENS_10ASN1_ClassE: 74| 61.3k|void BER_Object::set_tagging(ASN1_Type type_tag, ASN1_Class class_tag) { 75| 61.3k| m_type_tag = type_tag; 76| 61.3k| m_class_tag = class_tag; 77| 61.3k|} _ZN5Botan20asn1_class_to_stringENS_10ASN1_ClassE: 79| 409|std::string asn1_class_to_string(ASN1_Class type) { 80| 409| switch(type) { 81| 252| case ASN1_Class::Universal: ------------------ | Branch (81:7): [True: 252, False: 157] ------------------ 82| 252| return "UNIVERSAL"; 83| 119| case ASN1_Class::Constructed: ------------------ | Branch (83:7): [True: 119, False: 290] ------------------ 84| 119| return "CONSTRUCTED"; 85| 7| case ASN1_Class::ContextSpecific: ------------------ | Branch (85:7): [True: 7, False: 402] ------------------ 86| 7| return "CONTEXT_SPECIFIC"; 87| 4| case ASN1_Class::Application: ------------------ | Branch (87:7): [True: 4, False: 405] ------------------ 88| 4| return "APPLICATION"; 89| 1| case ASN1_Class::Private: ------------------ | Branch (89:7): [True: 1, False: 408] ------------------ 90| 1| return "PRIVATE"; 91| 0| case ASN1_Class::NoObject: ------------------ | Branch (91:7): [True: 0, False: 409] ------------------ 92| 0| return "NO_OBJECT"; 93| 26| default: ------------------ | Branch (93:7): [True: 26, False: 383] ------------------ 94| 26| return "CLASS(" + std::to_string(static_cast(type)) + ")"; 95| 409| } 96| 409|} _ZN5Botan18asn1_tag_to_stringENS_9ASN1_TypeE: 98| 419|std::string asn1_tag_to_string(ASN1_Type type) { 99| 419| switch(type) { 100| 32| case ASN1_Type::Sequence: ------------------ | Branch (100:7): [True: 32, False: 387] ------------------ 101| 32| return "SEQUENCE"; 102| | 103| 4| case ASN1_Type::Set: ------------------ | Branch (103:7): [True: 4, False: 415] ------------------ 104| 4| return "SET"; 105| | 106| 2| case ASN1_Type::PrintableString: ------------------ | Branch (106:7): [True: 2, False: 417] ------------------ 107| 2| return "PRINTABLE STRING"; 108| | 109| 5| case ASN1_Type::NumericString: ------------------ | Branch (109:7): [True: 5, False: 414] ------------------ 110| 5| return "NUMERIC STRING"; 111| | 112| 1| case ASN1_Type::Ia5String: ------------------ | Branch (112:7): [True: 1, False: 418] ------------------ 113| 1| return "IA5 STRING"; 114| | 115| 1| case ASN1_Type::TeletexString: ------------------ | Branch (115:7): [True: 1, False: 418] ------------------ 116| 1| return "T61 STRING"; 117| | 118| 3| case ASN1_Type::Utf8String: ------------------ | Branch (118:7): [True: 3, False: 416] ------------------ 119| 3| return "UTF8 STRING"; 120| | 121| 2| case ASN1_Type::VisibleString: ------------------ | Branch (121:7): [True: 2, False: 417] ------------------ 122| 2| return "VISIBLE STRING"; 123| | 124| 1| case ASN1_Type::BmpString: ------------------ | Branch (124:7): [True: 1, False: 418] ------------------ 125| 1| return "BMP STRING"; 126| | 127| 1| case ASN1_Type::UniversalString: ------------------ | Branch (127:7): [True: 1, False: 418] ------------------ 128| 1| return "UNIVERSAL STRING"; 129| | 130| 1| case ASN1_Type::UtcTime: ------------------ | Branch (130:7): [True: 1, False: 418] ------------------ 131| 1| return "UTC TIME"; 132| | 133| 1| case ASN1_Type::GeneralizedTime: ------------------ | Branch (133:7): [True: 1, False: 418] ------------------ 134| 1| return "GENERALIZED TIME"; 135| | 136| 37| case ASN1_Type::OctetString: ------------------ | Branch (136:7): [True: 37, False: 382] ------------------ 137| 37| return "OCTET STRING"; 138| | 139| 18| case ASN1_Type::BitString: ------------------ | Branch (139:7): [True: 18, False: 401] ------------------ 140| 18| return "BIT STRING"; 141| | 142| 1| case ASN1_Type::Enumerated: ------------------ | Branch (142:7): [True: 1, False: 418] ------------------ 143| 1| return "ENUMERATED"; 144| | 145| 159| case ASN1_Type::Integer: ------------------ | Branch (145:7): [True: 159, False: 260] ------------------ 146| 159| return "INTEGER"; 147| | 148| 2| case ASN1_Type::Null: ------------------ | Branch (148:7): [True: 2, False: 417] ------------------ 149| 2| return "NULL"; 150| | 151| 3| case ASN1_Type::ObjectId: ------------------ | Branch (151:7): [True: 3, False: 416] ------------------ 152| 3| return "OBJECT"; 153| | 154| 6| case ASN1_Type::Boolean: ------------------ | Branch (154:7): [True: 6, False: 413] ------------------ 155| 6| return "BOOLEAN"; 156| | 157| 6| case ASN1_Type::NoObject: ------------------ | Branch (157:7): [True: 6, False: 413] ------------------ 158| 6| return "NO_OBJECT"; 159| | 160| 133| default: ------------------ | Branch (160:7): [True: 133, False: 286] ------------------ 161| 133| return "TAG(" + std::to_string(static_cast(type)) + ")"; 162| 419| } 163| 419|} _ZN5Botan18BER_Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 168| 771|BER_Decoding_Error::BER_Decoding_Error(std::string_view err) : Decoding_Error(fmt("BER: {}", err)) {} _ZN5Botan11BER_Bad_TagC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEj: 170| 9|BER_Bad_Tag::BER_Bad_Tag(std::string_view str, uint32_t tagging) : BER_Decoding_Error(fmt("{}: {}", str, tagging)) {} _ZN5Botan4ASN19maybe_BERERNS_10DataSourceE: 197| 6.94k|bool maybe_BER(DataSource& source) { 198| 6.94k| uint8_t first_u8 = 0; 199| 6.94k| if(source.peek_byte(first_u8) == 0) { ------------------ | Branch (199:7): [True: 0, False: 6.94k] ------------------ 200| 0| BOTAN_ASSERT_EQUAL(source.read_byte(first_u8), 0, "Expected EOF"); ------------------ | | 90| 0| do { \ | | 91| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 92| 0| if((expr1) != (expr2)) { \ | | ------------------ | | | Branch (92:10): [True: 0, False: 0] | | ------------------ | | 93| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 94| 0| Botan::assertion_failure(#expr1 " == " #expr2, assertion_made, __func__, __FILE__, __LINE__); \ | | 95| 0| } \ | | 96| 0| } while(0) | | ------------------ | | | Branch (96:12): [Folded, False: 0] | | ------------------ ------------------ 201| 0| throw Stream_IO_Error("ASN1::maybe_BER: Source was empty"); 202| 0| } 203| | 204| 6.94k| const auto cons_seq = static_cast(ASN1_Class::Constructed) | static_cast(ASN1_Type::Sequence); 205| 6.94k| return first_u8 == cons_seq; 206| 6.94k|} _ZN5Botan3OID11from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 86| 17|OID OID::from_string(std::string_view str) { 87| 17| if(str.empty()) { ------------------ | Branch (87:7): [True: 0, False: 17] ------------------ 88| 0| throw Invalid_Argument("OID::from_string argument must be non-empty"); 89| 0| } 90| | 91| 17| OID o = OID_Map::global_registry().str2oid(str); 92| 17| if(o.has_value()) { ------------------ | Branch (92:7): [True: 17, False: 0] ------------------ 93| 17| return o; 94| 17| } 95| | 96| | // Try to parse as a dotted decimal 97| 0| try { 98| 0| return OID(str); 99| 0| } catch(...) {} 100| | 101| 0| throw Lookup_Error(fmt("No OID associated with name '{}'", str)); 102| 0|} _ZN5Botan3OIDC2ESt16initializer_listIjE: 104| 40.2k|OID::OID(std::initializer_list init) : m_id(init) { 105| 40.2k| oid_valid_check(m_id); 106| 40.2k|} _ZNK5Botan3OID9to_stringEv: 125| 1.90k|std::string OID::to_string() const { 126| 1.90k| std::ostringstream out; 127| | 128| 71.3k| for(size_t i = 0; i != m_id.size(); ++i) { ------------------ | Branch (128:22): [True: 69.4k, False: 1.90k] ------------------ 129| | // avoid locale issues with integer formatting 130| 69.4k| out << std::to_string(m_id[i]); 131| 69.4k| if(i != m_id.size() - 1) { ------------------ | Branch (131:10): [True: 67.5k, False: 1.90k] ------------------ 132| 67.5k| out << "."; 133| 67.5k| } 134| 69.4k| } 135| | 136| 1.90k| return out.str(); 137| 1.90k|} _ZNK5Botan3OID19to_formatted_stringEv: 139| 4.34k|std::string OID::to_formatted_string() const { 140| 4.34k| std::string s = this->human_name_or_empty(); 141| 4.34k| if(!s.empty()) { ------------------ | Branch (141:7): [True: 4.34k, False: 0] ------------------ 142| 4.34k| return s; 143| 4.34k| } 144| 0| return this->to_string(); 145| 4.34k|} _ZNK5Botan3OID19human_name_or_emptyEv: 147| 12.9k|std::string OID::human_name_or_empty() const { 148| 12.9k| return OID_Map::global_registry().oid2str(*this); 149| 12.9k|} _ZNK5Botan3OID7matchesESt16initializer_listIjE: 155| 11.4k|bool OID::matches(std::initializer_list other) const { 156| | // TODO: once all target compilers support it, use std::ranges::equal 157| 11.4k| return std::equal(m_id.begin(), m_id.end(), other.begin(), other.end()); 158| 11.4k|} _ZNK5Botan3OID9hash_codeEv: 160| 14.7k|uint64_t OID::hash_code() const { 161| | // If this is changed also update gen_oids.py to match 162| 14.7k| uint64_t hash = 0x621F302327D9A49A; 163| 203k| for(auto id : m_id) { ------------------ | Branch (163:16): [True: 203k, False: 14.7k] ------------------ 164| 203k| hash *= 193; 165| 203k| hash += id; 166| 203k| } 167| 14.7k| return hash; 168| 14.7k|} _ZNK5Botan3OID11encode_intoERNS_11DER_EncoderE: 183| 2.60k|void OID::encode_into(DER_Encoder& der) const { 184| 2.60k| if(m_id.size() < 2) { ------------------ | Branch (184:7): [True: 0, False: 2.60k] ------------------ 185| 0| throw Invalid_Argument("OID::encode_into: OID is invalid"); 186| 0| } 187| | 188| 2.60k| auto append = [](std::vector& encoding, uint32_t z) { 189| 2.60k| if(z <= 0x7F) { 190| 2.60k| encoding.push_back(static_cast(z)); 191| 2.60k| } else { 192| 2.60k| const size_t z7 = (high_bit(z) + 7 - 1) / 7; 193| | 194| 2.60k| for(size_t j = 0; j != z7; ++j) { 195| 2.60k| uint8_t zp = static_cast(z >> (7 * (z7 - j - 1)) & 0x7F); 196| | 197| 2.60k| if(j != z7 - 1) { 198| 2.60k| zp |= 0x80; 199| 2.60k| } 200| | 201| 2.60k| encoding.push_back(zp); 202| 2.60k| } 203| 2.60k| } 204| 2.60k| }; 205| | 206| 2.60k| std::vector encoding; 207| | 208| | // We know 40 * root can't overflow because root is between 0 and 2 209| 2.60k| auto first = checked_add(40 * m_id[0], m_id[1]); 210| 2.60k| BOTAN_ASSERT_NOMSG(first.has_value()); ------------------ | | 77| 2.60k| do { \ | | 78| 2.60k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2.60k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2.60k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2.60k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2.60k] | | ------------------ ------------------ 211| | 212| 2.60k| append(encoding, *first); 213| | 214| 14.7k| for(size_t i = 2; i != m_id.size(); ++i) { ------------------ | Branch (214:22): [True: 12.1k, False: 2.60k] ------------------ 215| 12.1k| append(encoding, m_id[i]); 216| 12.1k| } 217| 2.60k| der.add_object(ASN1_Type::ObjectId, ASN1_Class::Universal, encoding); 218| 2.60k|} _ZN5Botan3OID11decode_fromERNS_11BER_DecoderE: 223| 10.2k|void OID::decode_from(BER_Decoder& decoder) { 224| 10.2k| const BER_Object obj = decoder.get_next_object(); 225| 10.2k| if(obj.tagging() != (ASN1_Class::Universal | ASN1_Type::ObjectId)) { ------------------ | Branch (225:7): [True: 9, False: 10.2k] ------------------ 226| 9| throw BER_Bad_Tag("Error decoding OID, unknown tag", obj.tagging()); 227| 9| } 228| | 229| 10.2k| if(obj.length() == 0) { ------------------ | Branch (229:7): [True: 1, False: 10.2k] ------------------ 230| 1| throw BER_Decoding_Error("OID encoding is too short"); 231| 1| } 232| | 233| 10.2k| auto consume = [](BufferSlicer& data) -> uint32_t { 234| 10.2k| BOTAN_ASSERT_NOMSG(!data.empty()); 235| 10.2k| uint32_t b = data.take_byte(); 236| | 237| 10.2k| if(b > 0x7F) { 238| 10.2k| b &= 0x7F; 239| | 240| | // Even BER requires that the OID have minimal length, ie that 241| | // the first byte of a multibyte encoding cannot be zero 242| | // See X.690 section 8.19.2 243| 10.2k| if(b == 0) { 244| 10.2k| throw Decoding_Error("Leading zero byte in multibyte OID encoding"); 245| 10.2k| } 246| | 247| 10.2k| while(true) { 248| 10.2k| if(data.empty()) { 249| 10.2k| throw Decoding_Error("Truncated OID value"); 250| 10.2k| } 251| | 252| 10.2k| const uint8_t next = data.take_byte(); 253| 10.2k| const bool more = (next & 0x80) == 0x80; 254| 10.2k| const uint8_t value = next & 0x7F; 255| | 256| 10.2k| if((b >> (32 - 7)) != 0) { 257| 10.2k| throw Decoding_Error("OID component overflow"); 258| 10.2k| } 259| | 260| 10.2k| b = (b << 7) | value; 261| | 262| 10.2k| if(!more) { 263| 10.2k| break; 264| 10.2k| } 265| 10.2k| } 266| 10.2k| } 267| | 268| 10.2k| return b; 269| 10.2k| }; 270| | 271| 10.2k| BufferSlicer data(obj.data()); 272| 10.2k| std::vector parts; 273| 146k| while(!data.empty()) { ------------------ | Branch (273:10): [True: 136k, False: 10.2k] ------------------ 274| 136k| const uint32_t comp = consume(data); 275| | 276| 136k| if(parts.empty()) { ------------------ | Branch (276:10): [True: 10.2k, False: 126k] ------------------ 277| | // divide into root and second arc 278| | 279| 10.2k| const uint32_t root_arc = [](uint32_t b0) -> uint32_t { 280| 10.2k| if(b0 < 40) { 281| 10.2k| return 0; 282| 10.2k| } else if(b0 < 80) { 283| 10.2k| return 1; 284| 10.2k| } else { 285| 10.2k| return 2; 286| 10.2k| } 287| 10.2k| }(comp); 288| | 289| 10.2k| parts.push_back(root_arc); 290| 10.2k| BOTAN_ASSERT_NOMSG(comp >= 40 * root_arc); ------------------ | | 77| 10.2k| do { \ | | 78| 10.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 10.2k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 10.2k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 10.2k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 10.2k] | | ------------------ ------------------ 291| 10.2k| parts.push_back(comp - 40 * root_arc); 292| 126k| } else { 293| 126k| parts.push_back(comp); 294| 126k| } 295| 136k| } 296| | 297| 10.2k| m_id = parts; 298| 10.2k|} _ZN5BotanlsERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEERKNS_3OIDE: 300| 1.78k|std::ostream& operator<<(std::ostream& out, const OID& oid) { 301| 1.78k| out << oid.to_string(); 302| 1.78k| return out; 303| 1.78k|} asn1_oid.cpp:_ZN5Botan12_GLOBAL__N_115oid_valid_checkENSt3__14spanIKjLm18446744073709551615EEE: 26| 40.2k|void oid_valid_check(std::span oid) { 27| 40.2k| BOTAN_ARG_CHECK(oid.size() >= 2, "OID too short to be valid"); ------------------ | | 35| 40.2k| do { \ | | 36| 40.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 40.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 40.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 40.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 40.2k] | | ------------------ ------------------ 28| 40.2k| BOTAN_ARG_CHECK(oid[0] <= 2, "OID root out of range"); ------------------ | | 35| 40.2k| do { \ | | 36| 40.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 40.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 40.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 40.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 40.2k] | | ------------------ ------------------ 29| 40.2k| BOTAN_ARG_CHECK(oid[1] <= 39 || oid[0] == 2, "OID second arc too large"); ------------------ | | 35| 40.2k| do { \ | | 36| 40.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 40.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 40.2k, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 40.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 40.2k] | | ------------------ ------------------ 30| | // This last is a limitation of using 32 bit integers when decoding 31| | // not a limitation of ASN.1 object identifiers in general 32| 40.2k| BOTAN_ARG_CHECK(oid[1] <= 0xFFFFFFAF, "OID second arc too large"); ------------------ | | 35| 40.2k| do { \ | | 36| 40.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 40.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 40.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 40.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 40.2k] | | ------------------ ------------------ 33| 40.2k|} asn1_oid.cpp:_ZZNK5Botan3OID11encode_intoERNS_11DER_EncoderEENK3$_0clERNSt3__16vectorIhNS4_9allocatorIhEEEEj: 188| 14.7k| auto append = [](std::vector& encoding, uint32_t z) { 189| 14.7k| if(z <= 0x7F) { ------------------ | Branch (189:10): [True: 12.0k, False: 2.67k] ------------------ 190| 12.0k| encoding.push_back(static_cast(z)); 191| 12.0k| } else { 192| 2.67k| const size_t z7 = (high_bit(z) + 7 - 1) / 7; 193| | 194| 8.01k| for(size_t j = 0; j != z7; ++j) { ------------------ | Branch (194:28): [True: 5.34k, False: 2.67k] ------------------ 195| 5.34k| uint8_t zp = static_cast(z >> (7 * (z7 - j - 1)) & 0x7F); 196| | 197| 5.34k| if(j != z7 - 1) { ------------------ | Branch (197:16): [True: 2.67k, False: 2.67k] ------------------ 198| 2.67k| zp |= 0x80; 199| 2.67k| } 200| | 201| 5.34k| encoding.push_back(zp); 202| 5.34k| } 203| 2.67k| } 204| 14.7k| }; asn1_oid.cpp:_ZZN5Botan3OID11decode_fromERNS_11BER_DecoderEENK3$_0clERNS_12BufferSlicerE: 233| 136k| auto consume = [](BufferSlicer& data) -> uint32_t { 234| 136k| BOTAN_ASSERT_NOMSG(!data.empty()); ------------------ | | 77| 136k| do { \ | | 78| 136k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 136k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 136k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 136k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 136k] | | ------------------ ------------------ 235| 136k| uint32_t b = data.take_byte(); 236| | 237| 136k| if(b > 0x7F) { ------------------ | Branch (237:10): [True: 21.9k, False: 114k] ------------------ 238| 21.9k| b &= 0x7F; 239| | 240| | // Even BER requires that the OID have minimal length, ie that 241| | // the first byte of a multibyte encoding cannot be zero 242| | // See X.690 section 8.19.2 243| 21.9k| if(b == 0) { ------------------ | Branch (243:13): [True: 1, False: 21.9k] ------------------ 244| 1| throw Decoding_Error("Leading zero byte in multibyte OID encoding"); 245| 1| } 246| | 247| 26.2k| while(true) { ------------------ | Branch (247:16): [True: 26.2k, Folded] ------------------ 248| 26.2k| if(data.empty()) { ------------------ | Branch (248:16): [True: 12, False: 26.2k] ------------------ 249| 12| throw Decoding_Error("Truncated OID value"); 250| 12| } 251| | 252| 26.2k| const uint8_t next = data.take_byte(); 253| 26.2k| const bool more = (next & 0x80) == 0x80; 254| 26.2k| const uint8_t value = next & 0x7F; 255| | 256| 26.2k| if((b >> (32 - 7)) != 0) { ------------------ | Branch (256:16): [True: 22, False: 26.2k] ------------------ 257| 22| throw Decoding_Error("OID component overflow"); 258| 22| } 259| | 260| 26.2k| b = (b << 7) | value; 261| | 262| 26.2k| if(!more) { ------------------ | Branch (262:16): [True: 21.9k, False: 4.33k] ------------------ 263| 21.9k| break; 264| 21.9k| } 265| 26.2k| } 266| 21.9k| } 267| | 268| 136k| return b; 269| 136k| }; asn1_oid.cpp:_ZZN5Botan3OID11decode_fromERNS_11BER_DecoderEENK3$_1clEj: 279| 10.2k| const uint32_t root_arc = [](uint32_t b0) -> uint32_t { 280| 10.2k| if(b0 < 40) { ------------------ | Branch (280:16): [True: 1.15k, False: 9.08k] ------------------ 281| 1.15k| return 0; 282| 9.08k| } else if(b0 < 80) { ------------------ | Branch (282:23): [True: 7.98k, False: 1.09k] ------------------ 283| 7.98k| return 1; 284| 7.98k| } else { 285| 1.09k| return 2; 286| 1.09k| } 287| 10.2k| }(comp); _ZN5Botan11BER_DecoderD2Ev: 366| 33.5k|BER_Decoder::~BER_Decoder() = default; _ZN5Botan11BER_Decoder10verify_endEv: 381| 11.1k|BER_Decoder& BER_Decoder::verify_end() { 382| 11.1k| return verify_end("BER_Decoder::verify_end called, but data remains"); 383| 11.1k|} _ZN5Botan11BER_Decoder10verify_endENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 388| 11.1k|BER_Decoder& BER_Decoder::verify_end(std::string_view err) { 389| 11.1k| if(!m_source->end_of_data() || m_pushed.is_set()) { ------------------ | Branch (389:7): [True: 28, False: 11.1k] | Branch (389:35): [True: 0, False: 11.1k] ------------------ 390| 28| throw Decoding_Error(err); 391| 28| } 392| 11.1k| return (*this); 393| 11.1k|} _ZN5Botan11BER_Decoder17discard_remainingEv: 398| 6.11k|BER_Decoder& BER_Decoder::discard_remaining() { 399| 6.11k| m_pushed = BER_Object(); 400| 6.11k| uint8_t buf = 0; 401| 172k| while(m_source->read_byte(buf) != 0) {} ------------------ | Branch (401:10): [True: 166k, False: 6.11k] ------------------ 402| 6.11k| return (*this); 403| 6.11k|} _ZN5Botan11BER_Decoder14read_next_byteEv: 405| 478k|std::optional BER_Decoder::read_next_byte() { 406| 478k| BOTAN_ASSERT_NOMSG(m_source != nullptr); ------------------ | | 77| 478k| do { \ | | 78| 478k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 478k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 478k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 478k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 478k] | | ------------------ ------------------ 407| 478k| uint8_t b = 0; 408| 478k| if(m_source->read_byte(b) != 0) { ------------------ | Branch (408:7): [True: 472k, False: 6.07k] ------------------ 409| 472k| return b; 410| 472k| } else { 411| 6.07k| return {}; 412| 6.07k| } 413| 478k|} _ZN5Botan11BER_Decoder16peek_next_objectEv: 415| 3.66k|const BER_Object& BER_Decoder::peek_next_object() { 416| 3.66k| if(!m_pushed.is_set()) { ------------------ | Branch (416:7): [True: 3.66k, False: 0] ------------------ 417| 3.66k| m_pushed = get_next_object(); 418| 3.66k| } 419| | 420| 3.66k| return m_pushed; 421| 3.66k|} _ZN5Botan11BER_Decoder15get_next_objectEv: 426| 66.9k|BER_Object BER_Decoder::get_next_object() { 427| 66.9k| BER_Object next; 428| | 429| 66.9k| if(m_pushed.is_set()) { ------------------ | Branch (429:7): [True: 5.59k, False: 61.3k] ------------------ 430| 5.59k| std::swap(next, m_pushed); 431| 5.59k| return next; 432| 5.59k| } 433| | 434| 61.3k| for(;;) { 435| 61.3k| ASN1_Type type_tag = ASN1_Type::NoObject; 436| 61.3k| ASN1_Class class_tag = ASN1_Class::NoObject; 437| 61.3k| decode_tag(m_source, type_tag, class_tag); 438| 61.3k| next.set_tagging(type_tag, class_tag); 439| 61.3k| if(next.is_set() == false) { // no more objects ------------------ | Branch (439:10): [True: 2.76k, False: 58.5k] ------------------ 440| 2.76k| return next; 441| 2.76k| } 442| | 443| 58.5k| const size_t allow_indef = m_limits.allow_ber_encoding() ? m_limits.max_nested_indefinite_length() : 0; ------------------ | Branch (443:34): [True: 0, False: 58.5k] ------------------ 444| 58.5k| const bool der_mode = m_limits.require_der_encoding(); 445| 58.5k| const auto dl = decode_length(m_source, allow_indef, der_mode, is_constructed(class_tag)); 446| | 447| | // Per X.690 8.1.5 the only valid EOC encoding is the two-octet 448| | // sequence 0x00 0x00. Reject any other length encoding on a tag of 449| | // (Eoc, Universal) before we consume the "content" bytes. 450| 58.5k| if(type_tag == ASN1_Type::Eoc && class_tag == ASN1_Class::Universal && ------------------ | Branch (450:10): [True: 625, False: 57.9k] | Branch (450:40): [True: 51, False: 574] ------------------ 451| 51| (dl.content_length() != 0 || dl.indefinite_length())) { ------------------ | Branch (451:11): [True: 39, False: 12] | Branch (451:39): [True: 0, False: 12] ------------------ 452| 39| throw BER_Decoding_Error("EOC marker with non-zero length"); 453| 39| } 454| | 455| 58.5k| if(!m_source->check_available(dl.total_length())) { ------------------ | Branch (455:10): [True: 208, False: 58.3k] ------------------ 456| 208| throw BER_Decoding_Error("Value truncated"); 457| 208| } 458| | 459| 58.3k| uint8_t* out = next.mutable_bits(dl.content_length()); 460| 58.3k| if(m_source->read(out, dl.content_length()) != dl.content_length()) { ------------------ | Branch (460:10): [True: 0, False: 58.3k] ------------------ 461| 0| throw BER_Decoding_Error("Value truncated"); 462| 0| } 463| | 464| 58.3k| if(dl.indefinite_length()) { ------------------ | Branch (464:10): [True: 0, False: 58.3k] ------------------ 465| | // After reading the data consume the 2-byte EOC 466| 0| uint8_t eoc[2] = {0xFF, 0xFF}; 467| 0| if(m_source->read(eoc, 2) != 2 || eoc[0] != 0x00 || eoc[1] != 0x00) { ------------------ | Branch (467:13): [True: 0, False: 0] | Branch (467:44): [True: 0, False: 0] | Branch (467:62): [True: 0, False: 0] ------------------ 468| 0| throw BER_Decoding_Error("Missing or malformed EOC marker"); 469| 0| } 470| 0| } 471| | 472| 58.3k| if(next.tagging() == static_cast(ASN1_Type::Eoc)) { ------------------ | Branch (472:10): [True: 12, False: 58.3k] ------------------ 473| 12| if(m_limits.require_der_encoding()) { ------------------ | Branch (473:13): [True: 12, False: 0] ------------------ 474| 12| throw BER_Decoding_Error("Detected EOC marker in DER structure"); 475| 12| } 476| 0| continue; 477| 58.3k| } else { 478| 58.3k| break; 479| 58.3k| } 480| 58.3k| } 481| | 482| 58.3k| return next; 483| 61.3k|} _ZN5Botan11BER_Decoder9push_backEONS_10BER_ObjectE: 507| 4.76k|void BER_Decoder::push_back(BER_Object&& obj) { 508| 4.76k| if(m_pushed.is_set()) { ------------------ | Branch (508:7): [True: 0, False: 4.76k] ------------------ 509| 0| throw Invalid_State("BER_Decoder: Only one push back is allowed"); 510| 0| } 511| 4.76k| m_pushed = std::move(obj); 512| 4.76k|} _ZN5Botan11BER_Decoder10start_consENS_9ASN1_TypeENS_10ASN1_ClassE: 514| 18.8k|BER_Decoder BER_Decoder::start_cons(ASN1_Type type_tag, ASN1_Class class_tag) { 515| 18.8k| BER_Object obj = get_next_object(); 516| 18.8k| obj.assert_is_a(type_tag, class_tag | ASN1_Class::Constructed); 517| 18.8k| BER_Decoder child(std::move(obj), this); 518| 18.8k| return child; 519| 18.8k|} _ZN5Botan11BER_Decoder8end_consEv: 524| 17.7k|BER_Decoder& BER_Decoder::end_cons() { 525| 17.7k| if(m_parent == nullptr) { ------------------ | Branch (525:7): [True: 0, False: 17.7k] ------------------ 526| 0| throw Invalid_State("BER_Decoder::end_cons called with null parent"); 527| 0| } 528| 17.7k| if(!m_source->end_of_data() || m_pushed.is_set()) { ------------------ | Branch (528:7): [True: 33, False: 17.7k] | Branch (528:35): [True: 28, False: 17.6k] ------------------ 529| 61| throw Decoding_Error("BER_Decoder::end_cons called with data left"); 530| 61| } 531| 17.6k| return (*m_parent); 532| 17.7k|} _ZN5Botan11BER_DecoderC2EONS_10BER_ObjectEPS0_: 535| 18.7k| m_limits(parent != nullptr ? parent->limits() : BER_Decoder::Limits::BER()), m_parent(parent) { ------------------ | Branch (535:16): [True: 18.7k, False: 0] ------------------ 536| 18.7k| m_data_src = std::make_unique(std::move(obj)); 537| 18.7k| m_source = m_data_src.get(); 538| 18.7k|} _ZN5Botan11BER_DecoderC2ERNS_10DataSourceENS0_6LimitsE: 543| 4|BER_Decoder::BER_Decoder(DataSource& src, Limits limits) : m_limits(limits), m_source(&src) {} _ZN5Botan11BER_DecoderC2ENSt3__14spanIKhLm18446744073709551615EEENS0_6LimitsE: 548| 14.8k|BER_Decoder::BER_Decoder(std::span buf, Limits limits) : m_limits(limits) { 549| 14.8k| m_data_src = std::make_unique(buf); 550| 14.8k| m_source = m_data_src.get(); 551| 14.8k|} _ZN5Botan11BER_Decoder6decodeERNS_11ASN1_ObjectENS_9ASN1_TypeENS_10ASN1_ClassE: 560| 16.3k|BER_Decoder& BER_Decoder::decode(ASN1_Object& obj, ASN1_Type /*unused*/, ASN1_Class /*unused*/) { 561| 16.3k| obj.decode_from(*this); 562| 16.3k| return (*this); 563| 16.3k|} _ZN5Botan11BER_Decoder26decode_octet_string_bigintERNS_6BigIntE: 577| 2.07k|BER_Decoder& BER_Decoder::decode_octet_string_bigint(BigInt& out) { 578| 2.07k| secure_vector out_vec; 579| 2.07k| decode(out_vec, ASN1_Type::OctetString); 580| 2.07k| out = BigInt::from_bytes(out_vec); 581| 2.07k| return (*this); 582| 2.07k|} _ZN5Botan11BER_Decoder6decodeERmNS_9ASN1_TypeENS_10ASN1_ClassE: 610| 10.2k|BER_Decoder& BER_Decoder::decode(size_t& out, ASN1_Type type_tag, ASN1_Class class_tag) { 611| 10.2k| BigInt integer; 612| 10.2k| decode(integer, type_tag, class_tag); 613| | 614| 10.2k| if(integer.signum() < 0) { ------------------ | Branch (614:7): [True: 58, False: 10.2k] ------------------ 615| 58| throw BER_Decoding_Error("Decoded small integer value was negative"); 616| 58| } 617| | 618| 10.2k| if(integer.bits() > 32) { ------------------ | Branch (618:7): [True: 47, False: 10.1k] ------------------ 619| 47| throw BER_Decoding_Error("Decoded integer value larger than expected"); 620| 47| } 621| | 622| 10.1k| out = 0; 623| 49.6k| for(size_t i = 0; i != 4; ++i) { ------------------ | Branch (623:22): [True: 39.4k, False: 10.1k] ------------------ 624| 39.4k| out = (out << 8) | integer.byte_at(3 - i); 625| 39.4k| } 626| | 627| 10.1k| return (*this); 628| 10.2k|} _ZN5Botan11BER_Decoder6decodeERNS_6BigIntENS_9ASN1_TypeENS_10ASN1_ClassE: 660| 14.1k|BER_Decoder& BER_Decoder::decode(BigInt& out, ASN1_Type type_tag, ASN1_Class class_tag) { 661| 14.1k| const BER_Object obj = get_next_object(); 662| 14.1k| obj.assert_is_a(type_tag, class_tag); 663| | 664| | // DER requires minimal INTEGER encoding (X.690 section 8.3.2) 665| 14.1k| if(m_limits.require_der_encoding()) { ------------------ | Branch (665:7): [True: 13.8k, False: 385] ------------------ 666| 13.8k| if(obj.length() == 0) { ------------------ | Branch (666:10): [True: 2, False: 13.8k] ------------------ 667| 2| throw BER_Decoding_Error("Detected empty INTEGER encoding in DER structure"); 668| 2| } 669| 13.8k| if(obj.length() > 1) { ------------------ | Branch (669:10): [True: 2.93k, False: 10.8k] ------------------ 670| 2.93k| if(obj.bits()[0] == 0x00 && (obj.bits()[1] & 0x80) == 0) { ------------------ | Branch (670:13): [True: 1.13k, False: 1.79k] | Branch (670:38): [True: 5, False: 1.12k] ------------------ 671| 5| throw BER_Decoding_Error("Detected non-minimal INTEGER encoding in DER structure"); 672| 5| } 673| 2.92k| if(obj.bits()[0] == 0xFF && (obj.bits()[1] & 0x80) != 0) { ------------------ | Branch (673:13): [True: 17, False: 2.91k] | Branch (673:38): [True: 2, False: 15] ------------------ 674| 2| throw BER_Decoding_Error("Detected non-minimal INTEGER encoding in DER structure"); 675| 2| } 676| 2.92k| } 677| 13.8k| } 678| | 679| 14.1k| if(obj.length() == 0) { ------------------ | Branch (679:7): [True: 0, False: 14.1k] ------------------ 680| 0| out.clear(); 681| 14.1k| } else { 682| 14.1k| const uint8_t first = obj.bits()[0]; 683| 14.1k| const bool negative = (first & 0x80) == 0x80; 684| | 685| 14.1k| if(negative) { ------------------ | Branch (685:10): [True: 91, False: 14.0k] ------------------ 686| 91| secure_vector vec(obj.bits(), obj.bits() + obj.length()); 687| 464| for(size_t i = obj.length(); i > 0; --i) { ------------------ | Branch (687:39): [True: 464, False: 0] ------------------ 688| 464| const bool gt0 = (vec[i - 1] > 0); 689| 464| vec[i - 1] -= 1; 690| 464| if(gt0) { ------------------ | Branch (690:16): [True: 91, False: 373] ------------------ 691| 91| break; 692| 91| } 693| 464| } 694| 6.26k| for(size_t i = 0; i != obj.length(); ++i) { ------------------ | Branch (694:28): [True: 6.17k, False: 91] ------------------ 695| 6.17k| vec[i] = ~vec[i]; 696| 6.17k| } 697| 91| out._assign_from_bytes(vec); 698| 91| out.flip_sign(); 699| 14.0k| } else { 700| 14.0k| out._assign_from_bytes(obj.data()); 701| 14.0k| } 702| 14.1k| } 703| | 704| 14.1k| return (*this); 705| 14.1k|} _ZN5Botan11BER_Decoder6decodeERNSt3__16vectorIhNS_16secure_allocatorIhEEEENS_9ASN1_TypeES7_NS_10ASN1_ClassE: 769| 11.6k| ASN1_Class class_tag) { 770| 11.6k| if(real_type != ASN1_Type::OctetString && real_type != ASN1_Type::BitString) { ------------------ | Branch (770:7): [True: 892, False: 10.7k] | Branch (770:46): [True: 0, False: 892] ------------------ 771| 0| throw BER_Bad_Tag("Bad tag for {BIT,OCTET} STRING", static_cast(real_type)); 772| 0| } 773| | 774| 11.6k| asn1_decode_binary_string( 775| 11.6k| buffer, get_next_object(), real_type, type_tag, class_tag, m_limits.require_der_encoding()); 776| 11.6k| return (*this); 777| 11.6k|} _ZN5Botan11BER_Decoder6decodeERNSt3__16vectorIhNS1_9allocatorIhEEEENS_9ASN1_TypeES7_NS_10ASN1_ClassE: 782| 2.05k| ASN1_Class class_tag) { 783| 2.05k| if(real_type != ASN1_Type::OctetString && real_type != ASN1_Type::BitString) { ------------------ | Branch (783:7): [True: 1.03k, False: 1.02k] | Branch (783:46): [True: 0, False: 1.03k] ------------------ 784| 0| throw BER_Bad_Tag("Bad tag for {BIT,OCTET} STRING", static_cast(real_type)); 785| 0| } 786| | 787| 2.05k| asn1_decode_binary_string( 788| 2.05k| buffer, get_next_object(), real_type, type_tag, class_tag, m_limits.require_der_encoding()); 789| 2.05k| return (*this); 790| 2.05k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_110decode_tagEPNS_10DataSourceERNS_9ASN1_TypeERNS_10ASN1_ClassE: 27| 61.3k|size_t decode_tag(DataSource* ber, ASN1_Type& type_tag, ASN1_Class& class_tag) { 28| 61.3k| auto b = ber->read_byte(); 29| | 30| 61.3k| if(!b) { ------------------ | Branch (30:7): [True: 2.76k, False: 58.5k] ------------------ 31| 2.76k| type_tag = ASN1_Type::NoObject; 32| 2.76k| class_tag = ASN1_Class::NoObject; 33| 2.76k| return 0; 34| 2.76k| } 35| | 36| 58.5k| if((*b & 0x1F) != 0x1F) { ------------------ | Branch (36:7): [True: 58.2k, False: 283] ------------------ 37| 58.2k| type_tag = ASN1_Type(*b & 0x1F); 38| 58.2k| class_tag = ASN1_Class(*b & 0xE0); 39| 58.2k| return 1; 40| 58.2k| } 41| | 42| 283| size_t tag_bytes = 1; 43| 283| class_tag = ASN1_Class(*b & 0xE0); 44| | 45| 283| uint32_t tag_buf = 0; 46| 969| while(true) { ------------------ | Branch (46:10): [True: 969, Folded] ------------------ 47| 969| b = ber->read_byte(); 48| 969| if(!b) { ------------------ | Branch (48:10): [True: 18, False: 951] ------------------ 49| 18| throw BER_Decoding_Error("Long-form tag truncated"); 50| 18| } 51| 951| if((tag_buf >> 24) != 0) { ------------------ | Branch (51:10): [True: 12, False: 939] ------------------ 52| 12| throw BER_Decoding_Error("Long-form tag overflowed 32 bits"); 53| 12| } 54| | // This is required even by BER (see X.690 section 8.1.2.4.2 sentence c). 55| | // Bits 7-1 of the first subsequent octet must not be all zero; this rules 56| | // out both 0x80 (continuation with no data) and 0x00 (a long-form encoding 57| | // of tag value 0, which collides with the EOC marker). 58| 939| if(tag_bytes == 1 && (*b & 0x7F) == 0) { ------------------ | Branch (58:10): [True: 281, False: 658] | Branch (58:28): [True: 1, False: 280] ------------------ 59| 1| throw BER_Decoding_Error("Long form tag with leading zero"); 60| 1| } 61| 938| ++tag_bytes; 62| 938| tag_buf = (tag_buf << 7) | (*b & 0x7F); 63| 938| if((*b & 0x80) == 0) { ------------------ | Branch (63:10): [True: 252, False: 686] ------------------ 64| 252| break; 65| 252| } 66| 938| } 67| | // Per X.690 8.1.2.2, tag values 0-30 shall be encoded in the short form. 68| | // Long-form encoding is reserved for tag values >= 31 (X.690 8.1.2.3). 69| | // This is unconditional and applies to BER as well as DER. 70| 252| if(tag_buf <= 30) { ------------------ | Branch (70:7): [True: 6, False: 246] ------------------ 71| 6| throw BER_Decoding_Error("Long-form tag encoding used for small tag value"); 72| 6| } 73| | 74| 246| if(tag_buf == static_cast(ASN1_Type::NoObject)) { ------------------ | Branch (74:7): [True: 1, False: 245] ------------------ 75| 1| throw BER_Decoding_Error("Tag value collides with internal sentinel"); 76| 1| } 77| | 78| | // NOLINTNEXTLINE(clang-analyzer-optin.core.EnumCastOutOfRange) 79| 245| type_tag = ASN1_Type(tag_buf); 80| 245| return tag_bytes; 81| 246|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_113decode_lengthEPNS_10DataSourceEmbb: 126| 58.5k|BerDecodedLength decode_length(DataSource* ber, size_t allow_indef, bool der_mode, bool constructed) { 127| 58.5k| uint8_t b = 0; 128| 58.5k| if(ber->read_byte(b) == 0) { ------------------ | Branch (128:7): [True: 58, False: 58.4k] ------------------ 129| 58| throw BER_Decoding_Error("Length field not found"); 130| 58| } 131| 58.4k| if((b & 0x80) == 0) { ------------------ | Branch (131:7): [True: 52.6k, False: 5.82k] ------------------ 132| 52.6k| return BerDecodedLength(b, 1); 133| 52.6k| } 134| | 135| 5.82k| const size_t num_length_bytes = (b & 0x7F); 136| 5.82k| if(num_length_bytes > 4) { ------------------ | Branch (136:7): [True: 26, False: 5.80k] ------------------ 137| 26| throw BER_Decoding_Error("Length field is too large"); 138| 26| } 139| | 140| 5.80k| const size_t field_size = 1 + num_length_bytes; 141| | 142| 5.80k| if(num_length_bytes == 0) { ------------------ | Branch (142:7): [True: 12, False: 5.78k] ------------------ 143| 12| if(der_mode) { ------------------ | Branch (143:10): [True: 12, False: 0] ------------------ 144| 12| throw BER_Decoding_Error("Detected indefinite-length encoding in DER structure"); 145| 12| } else if(!constructed) { ------------------ | Branch (145:17): [True: 0, False: 0] ------------------ 146| | // Indefinite length is only valid for constructed types (X.690 8.1.3.2) 147| 0| throw BER_Decoding_Error("Indefinite-length encoding used with non-constructed type"); 148| 0| } else if(allow_indef == 0) { ------------------ | Branch (148:17): [True: 0, False: 0] ------------------ 149| 0| throw BER_Decoding_Error("Nested EOC markers too deep, rejecting to avoid stack exhaustion"); 150| 0| } else { 151| | // find_eoc returns bytes up to and including the EOC marker. 152| | // Return the content length; the caller consumes the EOC separately. 153| 0| const size_t eoc_len = find_eoc(ber, /*base_offset=*/0, allow_indef - 1); 154| 0| if(eoc_len < 2) { ------------------ | Branch (154:13): [True: 0, False: 0] ------------------ 155| 0| throw BER_Decoding_Error("Invalid EOC encoding"); 156| 0| } 157| 0| return BerDecodedLength::indefinite(eoc_len - 2, field_size); 158| 0| } 159| 12| } 160| | 161| 5.78k| size_t length = 0; 162| | 163| 14.8k| for(size_t i = 0; i != num_length_bytes; ++i) { ------------------ | Branch (163:22): [True: 9.09k, False: 5.77k] ------------------ 164| 9.09k| if(ber->read_byte(b) == 0) { ------------------ | Branch (164:10): [True: 9, False: 9.08k] ------------------ 165| 9| throw BER_Decoding_Error("Corrupted length field"); 166| 9| } 167| | // Can't overflow since we already checked that num_length_bytes <= 4 168| 9.08k| length = (length << 8) | b; 169| 9.08k| } 170| | 171| | // DER requires shortest possible length encoding 172| 5.77k| if(der_mode) { ------------------ | Branch (172:7): [True: 5.77k, False: 0] ------------------ 173| 5.77k| if(length < 128) { ------------------ | Branch (173:10): [True: 7, False: 5.77k] ------------------ 174| 7| throw BER_Decoding_Error("Detected non-canonical length encoding in DER structure"); 175| 7| } 176| 5.77k| if(num_length_bytes > 1 && length < (size_t(1) << ((num_length_bytes - 1) * 8))) { ------------------ | Branch (176:10): [True: 3.16k, False: 2.61k] | Branch (176:34): [True: 2, False: 3.15k] ------------------ 177| 2| throw BER_Decoding_Error("Detected non-canonical length encoding in DER structure"); 178| 2| } 179| 5.77k| } 180| | 181| 5.77k| return BerDecodedLength(length, field_size); 182| 5.77k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_116BerDecodedLengthC2Emm: 99| 58.4k| BerDecodedLength(content_length, field_length, false) {} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_116BerDecodedLengthC2Emmb: 116| 58.4k| m_content_length(content_length), m_field_length(field_length), m_indefinite(indefinite) {} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_114is_constructedENS_10ASN1_ClassE: 20| 72.1k|bool is_constructed(ASN1_Class class_tag) { 21| 72.1k| return (static_cast(class_tag) & static_cast(ASN1_Class::Constructed)) != 0; 22| 72.1k|} ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_116BerDecodedLength14content_lengthEv: 105| 174k| size_t content_length() const { return m_content_length; } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_116BerDecodedLength17indefinite_lengthEv: 112| 58.1k| bool indefinite_length() const { return m_indefinite; } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_116BerDecodedLength12total_lengthEv: 108| 58.3k| size_t total_length() const { return m_indefinite ? m_content_length + 2 : m_content_length; } ------------------ | Branch (108:44): [True: 0, False: 58.3k] ------------------ ber_dec.cpp:_ZN5Botan12_GLOBAL__N_120DataSource_BERObjectC2EONS_10BER_ObjectE: 357| 18.7k| explicit DataSource_BERObject(BER_Object&& obj) : m_obj(std::move(obj)) {} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_120DataSource_BERObject4readEPhm: 327| 789k| size_t read(uint8_t out[], size_t length) override { 328| 789k| BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length()); ------------------ | | 77| 789k| do { \ | | 78| 789k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 789k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 789k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 789k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 789k] | | ------------------ ------------------ 329| 789k| const size_t got = std::min(m_obj.length() - m_offset, length); 330| 789k| copy_mem(out, m_obj.bits() + m_offset, got); 331| 789k| m_offset += got; 332| 789k| return got; 333| 789k| } ber_dec.cpp:_ZN5Botan12_GLOBAL__N_120DataSource_BERObject15check_availableEm: 348| 43.6k| bool check_available(size_t n) override { 349| 43.6k| BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length()); ------------------ | | 77| 43.6k| do { \ | | 78| 43.6k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 43.6k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 43.6k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 43.6k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 43.6k] | | ------------------ ------------------ 350| 43.6k| return (n <= (m_obj.length() - m_offset)); 351| 43.6k| } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_120DataSource_BERObject11end_of_dataEv: 353| 17.8k| bool end_of_data() const override { return get_bytes_read() == m_obj.length(); } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_120DataSource_BERObject14get_bytes_readEv: 355| 17.8k| size_t get_bytes_read() const override { return m_offset; } ber_dec.cpp:_ZN5Botan12_GLOBAL__N_125asn1_decode_binary_stringINS_16secure_allocatorIhEEEEvRNSt3__16vectorIhT_EERKNS_10BER_ObjectENS_9ASN1_TypeESC_NS_10ASN1_ClassEb: 719| 11.6k| bool require_der) { 720| 11.6k| obj.assert_is_a(type_tag, class_tag); 721| | 722| | // DER requires BIT STRING and OCTET STRING to use primitive encoding 723| 11.6k| if(require_der && is_constructed(obj)) { ------------------ | Branch (723:7): [True: 11.5k, False: 36] | Branch (723:22): [True: 0, False: 11.5k] ------------------ 724| 0| throw BER_Decoding_Error("Detected constructed string encoding in DER structure"); 725| 0| } 726| | 727| 11.6k| if(real_type == ASN1_Type::OctetString) { ------------------ | Branch (727:7): [True: 10.6k, False: 927] ------------------ 728| 10.6k| buffer.assign(obj.bits(), obj.bits() + obj.length()); 729| 10.6k| } else { 730| 927| if(obj.length() == 0) { ------------------ | Branch (730:10): [True: 1, False: 926] ------------------ 731| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 732| 1| } 733| | 734| 926| const uint8_t unused_bits = obj.bits()[0]; 735| | 736| 926| if(unused_bits >= 8) { ------------------ | Branch (736:10): [True: 4, False: 922] ------------------ 737| 4| throw BER_Decoding_Error("Bad number of unused bits in BIT STRING"); 738| 4| } 739| | 740| | // Empty BIT STRING with unused bits > 0 ... 741| 922| if(unused_bits > 0 && obj.length() < 2) { ------------------ | Branch (741:10): [True: 19, False: 903] | Branch (741:29): [True: 1, False: 18] ------------------ 742| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 743| 1| } 744| | 745| | // DER requires unused bits in BIT STRING to be zero (X.690 section 11.2.2) 746| 921| if(require_der && unused_bits > 0) { ------------------ | Branch (746:10): [True: 885, False: 36] | Branch (746:25): [True: 18, False: 867] ------------------ 747| 18| const uint8_t last_byte = obj.bits()[obj.length() - 1]; 748| 18| if((last_byte & ((1 << unused_bits) - 1)) != 0) { ------------------ | Branch (748:13): [True: 3, False: 15] ------------------ 749| 3| throw BER_Decoding_Error("Detected non-zero padding bits in BIT STRING in DER structure"); 750| 3| } 751| 18| } 752| | 753| 918| buffer.resize(obj.length() - 1); 754| | 755| 918| if(obj.length() > 1) { ------------------ | Branch (755:10): [True: 881, False: 37] ------------------ 756| 881| copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1); 757| 881| } 758| 918| } 759| 11.6k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_114is_constructedERKNS_10BER_ObjectE: 709| 13.6k|bool is_constructed(const BER_Object& obj) { 710| 13.6k| return is_constructed(obj.class_tag()); 711| 13.6k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_125asn1_decode_binary_stringINSt3__19allocatorIhEEEEvRNS2_6vectorIhT_EERKNS_10BER_ObjectENS_9ASN1_TypeESC_NS_10ASN1_ClassEb: 719| 2.05k| bool require_der) { 720| 2.05k| obj.assert_is_a(type_tag, class_tag); 721| | 722| | // DER requires BIT STRING and OCTET STRING to use primitive encoding 723| 2.05k| if(require_der && is_constructed(obj)) { ------------------ | Branch (723:7): [True: 2.05k, False: 0] | Branch (723:22): [True: 0, False: 2.05k] ------------------ 724| 0| throw BER_Decoding_Error("Detected constructed string encoding in DER structure"); 725| 0| } 726| | 727| 2.05k| if(real_type == ASN1_Type::OctetString) { ------------------ | Branch (727:7): [True: 1.02k, False: 1.03k] ------------------ 728| 1.02k| buffer.assign(obj.bits(), obj.bits() + obj.length()); 729| 1.03k| } else { 730| 1.03k| if(obj.length() == 0) { ------------------ | Branch (730:10): [True: 1, False: 1.03k] ------------------ 731| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 732| 1| } 733| | 734| 1.03k| const uint8_t unused_bits = obj.bits()[0]; 735| | 736| 1.03k| if(unused_bits >= 8) { ------------------ | Branch (736:10): [True: 2, False: 1.03k] ------------------ 737| 2| throw BER_Decoding_Error("Bad number of unused bits in BIT STRING"); 738| 2| } 739| | 740| | // Empty BIT STRING with unused bits > 0 ... 741| 1.03k| if(unused_bits > 0 && obj.length() < 2) { ------------------ | Branch (741:10): [True: 7, False: 1.02k] | Branch (741:29): [True: 2, False: 5] ------------------ 742| 2| throw BER_Decoding_Error("Invalid BIT STRING"); 743| 2| } 744| | 745| | // DER requires unused bits in BIT STRING to be zero (X.690 section 11.2.2) 746| 1.02k| if(require_der && unused_bits > 0) { ------------------ | Branch (746:10): [True: 1.02k, False: 0] | Branch (746:25): [True: 5, False: 1.02k] ------------------ 747| 5| const uint8_t last_byte = obj.bits()[obj.length() - 1]; 748| 5| if((last_byte & ((1 << unused_bits) - 1)) != 0) { ------------------ | Branch (748:13): [True: 1, False: 4] ------------------ 749| 1| throw BER_Decoding_Error("Detected non-zero padding bits in BIT STRING in DER structure"); 750| 1| } 751| 5| } 752| | 753| 1.02k| buffer.resize(obj.length() - 1); 754| | 755| 1.02k| if(obj.length() > 1) { ------------------ | Branch (755:10): [True: 1.02k, False: 1] ------------------ 756| 1.02k| copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1); 757| 1.02k| } 758| 1.02k| } 759| 2.05k|} _ZN5Botan11DER_EncoderC2ERNSt3__16vectorIhNS1_9allocatorIhEEEE: 72| 2.60k|DER_Encoder::DER_Encoder(std::vector& vec) { 73| 2.60k| m_append_output = [&vec](const uint8_t b[], size_t l) { vec.insert(vec.end(), b, b + l); }; 74| 2.60k|} _ZN5Botan11DER_Encoder10add_objectENS_9ASN1_TypeENS_10ASN1_ClassEPKhm: 244| 2.60k|DER_Encoder& DER_Encoder::add_object(ASN1_Type type_tag, ASN1_Class class_tag, const uint8_t rep[], size_t length) { 245| 2.60k| std::vector hdr; 246| 2.60k| encode_tag(hdr, type_tag, class_tag); 247| 2.60k| encode_length(hdr, length); 248| | 249| 2.60k| if(!m_subsequences.empty()) { ------------------ | Branch (249:7): [True: 0, False: 2.60k] ------------------ 250| 0| m_subsequences[m_subsequences.size() - 1].add_bytes(hdr.data(), hdr.size(), rep, length); 251| 2.60k| } else if(m_append_output) { ------------------ | Branch (251:14): [True: 2.60k, False: 0] ------------------ 252| 2.60k| m_append_output(hdr.data(), hdr.size()); 253| 2.60k| m_append_output(rep, length); 254| 2.60k| } else { 255| 0| m_default_outbuf += hdr; 256| 0| m_default_outbuf += std::make_pair(rep, length); 257| 0| } 258| | 259| 2.60k| return (*this); 260| 2.60k|} _ZN5Botan11DER_Encoder6encodeERKNS_11ASN1_ObjectE: 365| 2.60k|DER_Encoder& DER_Encoder::encode(const ASN1_Object& obj) { 366| 2.60k| obj.encode_into(*this); 367| 2.60k| return (*this); 368| 2.60k|} der_enc.cpp:_ZN5Botan12_GLOBAL__N_110encode_tagERNSt3__16vectorIhNS1_9allocatorIhEEEENS_9ASN1_TypeENS_10ASN1_ClassE: 25| 2.60k|void encode_tag(std::vector& encoded_tag, ASN1_Type type_tag_e, ASN1_Class class_tag_e) { 26| 2.60k| const uint32_t type_tag = static_cast(type_tag_e); 27| 2.60k| const uint32_t class_tag = static_cast(class_tag_e); 28| | 29| 2.60k| if((class_tag | 0xE0) != 0xE0) { ------------------ | Branch (29:7): [True: 0, False: 2.60k] ------------------ 30| 0| throw Encoding_Error(fmt("DER_Encoder: Invalid class tag {}", std::to_string(class_tag))); 31| 0| } 32| | 33| 2.60k| if(type_tag <= 30) { ------------------ | Branch (33:7): [True: 2.60k, False: 0] ------------------ 34| 2.60k| encoded_tag.push_back(static_cast(type_tag | class_tag)); 35| 2.60k| } else { 36| 0| size_t blocks = high_bit(static_cast(type_tag)) + 6; 37| 0| blocks = (blocks - (blocks % 7)) / 7; 38| | 39| 0| BOTAN_ASSERT_NOMSG(blocks > 0); ------------------ | | 77| 0| do { \ | | 78| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 0| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 0| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 0] | | ------------------ ------------------ 40| | 41| 0| encoded_tag.push_back(static_cast(class_tag | 0x1F)); 42| 0| for(size_t i = 0; i != blocks - 1; ++i) { ------------------ | Branch (42:25): [True: 0, False: 0] ------------------ 43| 0| encoded_tag.push_back(0x80 | ((type_tag >> 7 * (blocks - i - 1)) & 0x7F)); 44| 0| } 45| 0| encoded_tag.push_back(type_tag & 0x7F); 46| 0| } 47| 2.60k|} der_enc.cpp:_ZN5Botan12_GLOBAL__N_113encode_lengthERNSt3__16vectorIhNS1_9allocatorIhEEEEm: 52| 2.60k|void encode_length(std::vector& encoded_length, size_t length) { 53| 2.60k| if(length <= 127) { ------------------ | Branch (53:7): [True: 2.60k, False: 0] ------------------ 54| 2.60k| encoded_length.push_back(static_cast(length)); 55| 2.60k| } else { 56| 0| const size_t bytes_needed = significant_bytes(length); 57| | 58| 0| encoded_length.push_back(static_cast(0x80 | bytes_needed)); 59| | 60| 0| for(size_t i = sizeof(length) - bytes_needed; i < sizeof(length); ++i) { ------------------ | Branch (60:53): [True: 0, False: 0] ------------------ 61| 0| encoded_length.push_back(get_byte_var(i, length)); 62| 0| } 63| 0| } 64| 2.60k|} der_enc.cpp:_ZZN5Botan11DER_EncoderC1ERNSt3__16vectorIhNS1_9allocatorIhEEEEENK3$_0clEPKhm: 73| 5.20k| m_append_output = [&vec](const uint8_t b[], size_t l) { vec.insert(vec.end(), b, b + l); }; _ZN5Botan7OID_MapC2Ev: 11| 1|OID_Map::OID_Map() { 12| 1| m_str2oid = OID_Map::load_str2oid_map(); 13| 1| m_oid2str = OID_Map::load_oid2str_map(); 14| 1|} _ZN5Botan7OID_Map15global_registryEv: 16| 12.9k|OID_Map& OID_Map::global_registry() { 17| 12.9k| static OID_Map g_map; 18| 12.9k| return g_map; 19| 12.9k|} _ZN5Botan7OID_Map7oid2strERKNS_3OIDE: 69| 12.9k|std::string OID_Map::oid2str(const OID& oid) { 70| 12.9k| if(auto name = lookup_static_oid(oid)) { ------------------ | Branch (70:12): [True: 11.1k, False: 1.78k] ------------------ 71| 11.1k| return std::string(*name); 72| 11.1k| } 73| | 74| 1.78k| const lock_guard_type lock(m_mutex); 75| | 76| 1.78k| auto i = m_oid2str.find(oid); 77| 1.78k| if(i != m_oid2str.end()) { ------------------ | Branch (77:7): [True: 0, False: 1.78k] ------------------ 78| 0| return i->second; 79| 0| } 80| | 81| 1.78k| return ""; 82| 1.78k|} _ZN5Botan7OID_Map7str2oidENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 84| 17|OID OID_Map::str2oid(std::string_view str) { 85| 17| if(auto oid = lookup_static_oid_name(str)) { ------------------ | Branch (85:12): [True: 17, False: 0] ------------------ 86| 17| return std::move(*oid); 87| 17| } 88| | 89| 0| const lock_guard_type lock(m_mutex); 90| 0| auto i = m_str2oid.find(std::string(str)); 91| 0| if(i != m_str2oid.end()) { ------------------ | Branch (91:7): [True: 0, False: 0] ------------------ 92| 0| return i->second; 93| 0| } 94| | 95| 0| return OID(); 96| 0|} _ZN5Botan7OID_Map17lookup_static_oidERKNS_3OIDE: 48| 12.9k|std::optional OID_Map::lookup_static_oid(const OID& oid) { 49| 12.9k| const uint32_t hc = static_cast(oid.hash_code() % 858701); 50| | 51| 12.9k| switch(hc) { 52| 3| case 0x01506: ------------------ | Branch (52:7): [True: 3, False: 12.9k] ------------------ 53| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 1}, "ECDSA/SHA-224"); 54| 3| case 0x01507: ------------------ | Branch (54:7): [True: 3, False: 12.9k] ------------------ 55| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 2}, "ECDSA/SHA-256"); 56| 3| case 0x01508: ------------------ | Branch (56:7): [True: 3, False: 12.9k] ------------------ 57| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 3}, "ECDSA/SHA-384"); 58| 3| case 0x01509: ------------------ | Branch (58:7): [True: 3, False: 12.9k] ------------------ 59| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 4}, "ECDSA/SHA-512"); 60| 1| case 0x04C1E: ------------------ | Branch (60:7): [True: 1, False: 12.9k] ------------------ 61| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 3029, 1, 2, 1}, "ElGamal"); 62| 1| case 0x04E61: ------------------ | Branch (62:7): [True: 1, False: 12.9k] ------------------ 63| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 3029, 1, 5, 1}, "OpenPGP.Curve25519"); 64| 3| case 0x0779B: ------------------ | Branch (64:7): [True: 3, False: 12.9k] ------------------ 65| 3| return if_match(oid, {1, 2, 840, 113549, 2, 5}, "MD5"); 66| 3| case 0x0779D: ------------------ | Branch (66:7): [True: 3, False: 12.9k] ------------------ 67| 3| return if_match(oid, {1, 2, 840, 113549, 2, 7}, "HMAC(SHA-1)"); 68| 3| case 0x0779E: ------------------ | Branch (68:7): [True: 3, False: 12.9k] ------------------ 69| 3| return if_match(oid, {1, 2, 840, 113549, 2, 8}, "HMAC(SHA-224)"); 70| 3| case 0x0779F: ------------------ | Branch (70:7): [True: 3, False: 12.9k] ------------------ 71| 3| return if_match(oid, {1, 2, 840, 113549, 2, 9}, "HMAC(SHA-256)"); 72| 3| case 0x077A0: ------------------ | Branch (72:7): [True: 3, False: 12.9k] ------------------ 73| 3| return if_match(oid, {1, 2, 840, 113549, 2, 10}, "HMAC(SHA-384)"); 74| 3| case 0x077A1: ------------------ | Branch (74:7): [True: 3, False: 12.9k] ------------------ 75| 3| return if_match(oid, {1, 2, 840, 113549, 2, 11}, "HMAC(SHA-512)"); 76| 3| case 0x077A3: ------------------ | Branch (76:7): [True: 3, False: 12.9k] ------------------ 77| 3| return if_match(oid, {1, 2, 840, 113549, 2, 13}, "HMAC(SHA-512-256)"); 78| 3| case 0x0785E: ------------------ | Branch (78:7): [True: 3, False: 12.9k] ------------------ 79| 3| return if_match(oid, {1, 2, 840, 113549, 3, 7}, "TripleDES/CBC"); 80| 1| case 0x0C904: ------------------ | Branch (80:7): [True: 1, False: 12.9k] ------------------ 81| 1| return if_match(oid, {1, 0, 14888, 3, 0, 5}, "ECKCDSA"); 82| 1| case 0x11547: ------------------ | Branch (82:7): [True: 1, False: 12.9k] ------------------ 83| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 1}, "SphincsPlus-shake-128s-r3.1"); 84| 1| case 0x11548: ------------------ | Branch (84:7): [True: 1, False: 12.9k] ------------------ 85| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 2}, "SphincsPlus-shake-128f-r3.1"); 86| 1| case 0x11549: ------------------ | Branch (86:7): [True: 1, False: 12.9k] ------------------ 87| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 3}, "SphincsPlus-shake-192s-r3.1"); 88| 1| case 0x1154A: ------------------ | Branch (88:7): [True: 1, False: 12.9k] ------------------ 89| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 4}, "SphincsPlus-shake-192f-r3.1"); 90| 1| case 0x1154B: ------------------ | Branch (90:7): [True: 1, False: 12.9k] ------------------ 91| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 5}, "SphincsPlus-shake-256s-r3.1"); 92| 1| case 0x1154C: ------------------ | Branch (92:7): [True: 1, False: 12.9k] ------------------ 93| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 6}, "SphincsPlus-shake-256f-r3.1"); 94| 1| case 0x11608: ------------------ | Branch (94:7): [True: 1, False: 12.9k] ------------------ 95| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 1}, "SphincsPlus-sha2-128s-r3.1"); 96| 1| case 0x11609: ------------------ | Branch (96:7): [True: 1, False: 12.9k] ------------------ 97| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 2}, "SphincsPlus-sha2-128f-r3.1"); 98| 1| case 0x1160A: ------------------ | Branch (98:7): [True: 1, False: 12.9k] ------------------ 99| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 3}, "SphincsPlus-sha2-192s-r3.1"); 100| 1| case 0x1160B: ------------------ | Branch (100:7): [True: 1, False: 12.9k] ------------------ 101| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 4}, "SphincsPlus-sha2-192f-r3.1"); 102| 1| case 0x1160C: ------------------ | Branch (102:7): [True: 1, False: 12.9k] ------------------ 103| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 5}, "SphincsPlus-sha2-256s-r3.1"); 104| 1| case 0x1160D: ------------------ | Branch (104:7): [True: 1, False: 12.9k] ------------------ 105| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 6}, "SphincsPlus-sha2-256f-r3.1"); 106| 1| case 0x116C9: ------------------ | Branch (106:7): [True: 1, False: 12.9k] ------------------ 107| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 1}, "SphincsPlus-haraka-128s-r3.1"); 108| 1| case 0x116CA: ------------------ | Branch (108:7): [True: 1, False: 12.9k] ------------------ 109| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 2}, "SphincsPlus-haraka-128f-r3.1"); 110| 1| case 0x116CB: ------------------ | Branch (110:7): [True: 1, False: 12.9k] ------------------ 111| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 3}, "SphincsPlus-haraka-192s-r3.1"); 112| 1| case 0x116CC: ------------------ | Branch (112:7): [True: 1, False: 12.9k] ------------------ 113| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 4}, "SphincsPlus-haraka-192f-r3.1"); 114| 1| case 0x116CD: ------------------ | Branch (114:7): [True: 1, False: 12.9k] ------------------ 115| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 5}, "SphincsPlus-haraka-256s-r3.1"); 116| 1| case 0x116CE: ------------------ | Branch (116:7): [True: 1, False: 12.9k] ------------------ 117| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 6}, "SphincsPlus-haraka-256f-r3.1"); 118| 1| case 0x1533B: ------------------ | Branch (118:7): [True: 1, False: 12.9k] ------------------ 119| 1| return if_match(oid, {1, 2, 156, 10197, 1, 104, 2}, "SM4/CBC"); 120| 1| case 0x15341: ------------------ | Branch (120:7): [True: 1, False: 12.9k] ------------------ 121| 1| return if_match(oid, {1, 2, 156, 10197, 1, 104, 8}, "SM4/GCM"); 122| 1| case 0x1539D: ------------------ | Branch (122:7): [True: 1, False: 12.9k] ------------------ 123| 1| return if_match(oid, {1, 2, 156, 10197, 1, 104, 100}, "SM4/OCB"); 124| 3| case 0x187D7: ------------------ | Branch (124:7): [True: 3, False: 12.9k] ------------------ 125| 3| return if_match(oid, {1, 3, 14, 3, 2, 7}, "DES/CBC"); 126| 3| case 0x187EA: ------------------ | Branch (126:7): [True: 3, False: 12.9k] ------------------ 127| 3| return if_match(oid, {1, 3, 14, 3, 2, 26}, "SHA-1"); 128| 11| case 0x19933: ------------------ | Branch (128:7): [True: 11, False: 12.9k] ------------------ 129| 11| return if_match(oid, {1, 3, 132, 0, 8}, "secp160r1"); 130| 9| case 0x19934: ------------------ | Branch (130:7): [True: 9, False: 12.9k] ------------------ 131| 9| return if_match(oid, {1, 3, 132, 0, 9}, "secp160k1"); 132| 162| case 0x19935: ------------------ | Branch (132:7): [True: 162, False: 12.7k] ------------------ 133| 162| return if_match(oid, {1, 3, 132, 0, 10}, "secp256k1"); 134| 12| case 0x19949: ------------------ | Branch (134:7): [True: 12, False: 12.9k] ------------------ 135| 12| return if_match(oid, {1, 3, 132, 0, 30}, "secp160r2"); 136| 7| case 0x1994A: ------------------ | Branch (136:7): [True: 7, False: 12.9k] ------------------ 137| 7| return if_match(oid, {1, 3, 132, 0, 31}, "secp192k1"); 138| 502| case 0x1994B: ------------------ | Branch (138:7): [True: 502, False: 12.4k] ------------------ 139| 502| return if_match(oid, {1, 3, 132, 0, 32}, "secp224k1"); 140| 218| case 0x1994C: ------------------ | Branch (140:7): [True: 218, False: 12.7k] ------------------ 141| 218| return if_match(oid, {1, 3, 132, 0, 33}, "secp224r1"); 142| 152| case 0x1994D: ------------------ | Branch (142:7): [True: 152, False: 12.7k] ------------------ 143| 152| return if_match(oid, {1, 3, 132, 0, 34}, "secp384r1"); 144| 290| case 0x1994E: ------------------ | Branch (144:7): [True: 290, False: 12.6k] ------------------ 145| 290| return if_match(oid, {1, 3, 132, 0, 35}, "secp521r1"); 146| 2.78k| case 0x199F8: ------------------ | Branch (146:7): [True: 2.78k, False: 10.1k] ------------------ 147| 2.78k| return if_match(oid, {1, 3, 132, 1, 12}, "ECDH"); 148| 1| case 0x1E7BF: ------------------ | Branch (148:7): [True: 1, False: 12.9k] ------------------ 149| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301, 1}, "SM2"); 150| 1| case 0x1E7C0: ------------------ | Branch (150:7): [True: 1, False: 12.9k] ------------------ 151| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301, 2}, "SM2_Kex"); 152| 1| case 0x1E7C1: ------------------ | Branch (152:7): [True: 1, False: 12.9k] ------------------ 153| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301, 3}, "SM2_Enc"); 154| 1| case 0x21960: ------------------ | Branch (154:7): [True: 1, False: 12.9k] ------------------ 155| 1| return if_match(oid, {1, 3, 36, 3, 3, 1, 2}, "RSA/PKCS1v15(RIPEMD-160)"); 156| 1| case 0x2198A: ------------------ | Branch (156:7): [True: 1, False: 12.9k] ------------------ 157| 1| return if_match(oid, {1, 2, 840, 113533, 7, 66, 10}, "CAST-128/CBC"); 158| 1| case 0x2198F: ------------------ | Branch (158:7): [True: 1, False: 12.9k] ------------------ 159| 1| return if_match(oid, {1, 2, 840, 113533, 7, 66, 15}, "KeyWrap.CAST-128"); 160| 19| case 0x227C0: ------------------ | Branch (160:7): [True: 19, False: 12.9k] ------------------ 161| 19| return if_match(oid, {1, 3, 101, 110}, "X25519"); 162| 7| case 0x227C1: ------------------ | Branch (162:7): [True: 7, False: 12.9k] ------------------ 163| 7| return if_match(oid, {1, 3, 101, 111}, "X448"); 164| 13| case 0x227C2: ------------------ | Branch (164:7): [True: 13, False: 12.9k] ------------------ 165| 13| return if_match(oid, {1, 3, 101, 112}, "Ed25519"); 166| 5| case 0x227C3: ------------------ | Branch (166:7): [True: 5, False: 12.9k] ------------------ 167| 5| return if_match(oid, {1, 3, 101, 113}, "Ed448"); 168| 1| case 0x27565: ------------------ | Branch (168:7): [True: 1, False: 12.9k] ------------------ 169| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 1, 1}, "PKIX.OCSP.BasicResponse"); 170| 1| case 0x27569: ------------------ | Branch (170:7): [True: 1, False: 12.9k] ------------------ 171| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 1, 5}, "PKIX.OCSP.NoCheck"); 172| 1| case 0x29F7C: ------------------ | Branch (172:7): [True: 1, False: 12.9k] ------------------ 173| 1| return if_match(oid, {1, 2, 410, 200004, 1, 100, 4, 3}, "ECKCDSA/SHA-1"); 174| 1| case 0x29F7D: ------------------ | Branch (174:7): [True: 1, False: 12.9k] ------------------ 175| 1| return if_match(oid, {1, 2, 410, 200004, 1, 100, 4, 4}, "ECKCDSA/SHA-224"); 176| 1| case 0x29F7E: ------------------ | Branch (176:7): [True: 1, False: 12.9k] ------------------ 177| 1| return if_match(oid, {1, 2, 410, 200004, 1, 100, 4, 5}, "ECKCDSA/SHA-256"); 178| 1| case 0x2AC3B: ------------------ | Branch (178:7): [True: 1, False: 12.9k] ------------------ 179| 1| return if_match(oid, {2, 5, 29, 32, 0}, "X509v3.AnyPolicy"); 180| 1| case 0x2B000: ------------------ | Branch (180:7): [True: 1, False: 12.9k] ------------------ 181| 1| return if_match(oid, {2, 5, 29, 37, 0}, "X509v3.AnyExtendedKeyUsage"); 182| 4.52k| case 0x2B5C9: ------------------ | Branch (182:7): [True: 4.52k, False: 8.39k] ------------------ 183| 4.52k| return if_match(oid, {1, 2, 840, 10045, 2, 1}, "ECDSA"); 184| 9| case 0x2B74B: ------------------ | Branch (184:7): [True: 9, False: 12.9k] ------------------ 185| 9| return if_match(oid, {1, 2, 840, 10045, 4, 1}, "ECDSA/SHA-1"); 186| 203| case 0x3474A: ------------------ | Branch (186:7): [True: 203, False: 12.7k] ------------------ 187| 203| return if_match(oid, {1, 2, 840, 10046, 2, 1}, "DH"); 188| 1| case 0x38D6D: ------------------ | Branch (188:7): [True: 1, False: 12.9k] ------------------ 189| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 1, 1}, "gost_256A"); 190| 1| case 0x38D6E: ------------------ | Branch (190:7): [True: 1, False: 12.9k] ------------------ 191| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 1, 2}, "gost_256B"); 192| 1| case 0x38E2E: ------------------ | Branch (192:7): [True: 1, False: 12.9k] ------------------ 193| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 2, 1}, "gost_512A"); 194| 1| case 0x38E2F: ------------------ | Branch (194:7): [True: 1, False: 12.9k] ------------------ 195| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 2, 2}, "gost_512B"); 196| 3| case 0x38F2C: ------------------ | Branch (196:7): [True: 3, False: 12.9k] ------------------ 197| 3| return if_match(oid, {1, 2, 643, 2, 2, 3}, "GOST-34.10/GOST-R-34.11-94"); 198| 3| case 0x38F3C: ------------------ | Branch (198:7): [True: 3, False: 12.9k] ------------------ 199| 3| return if_match(oid, {1, 2, 643, 2, 2, 19}, "GOST-34.10"); 200| 1| case 0x3D7B8: ------------------ | Branch (200:7): [True: 1, False: 12.9k] ------------------ 201| 1| return if_match(oid, {0, 3, 4401, 5, 3, 1, 9, 6}, "Camellia-128/GCM"); 202| 1| case 0x3D7CC: ------------------ | Branch (202:7): [True: 1, False: 12.9k] ------------------ 203| 1| return if_match(oid, {0, 3, 4401, 5, 3, 1, 9, 26}, "Camellia-192/GCM"); 204| 1| case 0x3D7E0: ------------------ | Branch (204:7): [True: 1, False: 12.9k] ------------------ 205| 1| return if_match(oid, {0, 3, 4401, 5, 3, 1, 9, 46}, "Camellia-256/GCM"); 206| 3| case 0x3F20F: ------------------ | Branch (206:7): [True: 3, False: 12.9k] ------------------ 207| 3| return if_match(oid, {1, 3, 36, 3, 2, 1}, "RIPEMD-160"); 208| 1| case 0x4266E: ------------------ | Branch (208:7): [True: 1, False: 12.9k] ------------------ 209| 1| return if_match(oid, {0, 4, 0, 127, 0, 15, 1, 1, 13, 0}, "XMSS"); 210| 1| case 0x478C4: ------------------ | Branch (210:7): [True: 1, False: 12.9k] ------------------ 211| 1| return if_match(oid, {1, 2, 410, 200004, 1, 4}, "SEED/CBC"); 212| 1| case 0x47D98: ------------------ | Branch (212:7): [True: 1, False: 12.9k] ------------------ 213| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301}, "sm2p256v1"); 214| 1| case 0x47DFC: ------------------ | Branch (214:7): [True: 1, False: 12.9k] ------------------ 215| 1| return if_match(oid, {1, 2, 156, 10197, 1, 401}, "SM3"); 216| 1| case 0x47E60: ------------------ | Branch (216:7): [True: 1, False: 12.9k] ------------------ 217| 1| return if_match(oid, {1, 2, 156, 10197, 1, 501}, "SM2_Sig/SM3"); 218| 1| case 0x47E63: ------------------ | Branch (218:7): [True: 1, False: 12.9k] ------------------ 219| 1| return if_match(oid, {1, 2, 156, 10197, 1, 504}, "RSA/PKCS1v15(SM3)"); 220| 1| case 0x52B13: ------------------ | Branch (220:7): [True: 1, False: 12.9k] ------------------ 221| 1| return if_match(oid, {1, 2, 643, 3, 131, 1, 1}, "GOST.INN"); 222| 1| case 0x635AE: ------------------ | Branch (222:7): [True: 1, False: 12.9k] ------------------ 223| 1| return if_match(oid, {1, 2, 250, 1, 223, 101, 256, 1}, "frp256v1"); 224| 1| case 0x6A784: ------------------ | Branch (224:7): [True: 1, False: 12.9k] ------------------ 225| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 1}, "PKCS12.KeyBag"); 226| 1| case 0x6A785: ------------------ | Branch (226:7): [True: 1, False: 12.9k] ------------------ 227| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 2}, "PKCS12.PKCS8ShroudedKeyBag"); 228| 1| case 0x6A786: ------------------ | Branch (228:7): [True: 1, False: 12.9k] ------------------ 229| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 3}, "PKCS12.CertBag"); 230| 1| case 0x6A787: ------------------ | Branch (230:7): [True: 1, False: 12.9k] ------------------ 231| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 4}, "PKCS12.CRLBag"); 232| 1| case 0x6A788: ------------------ | Branch (232:7): [True: 1, False: 12.9k] ------------------ 233| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 5}, "PKCS12.SecretBag"); 234| 1| case 0x6A789: ------------------ | Branch (234:7): [True: 1, False: 12.9k] ------------------ 235| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 6}, "PKCS12.SafeContentsBag"); 236| 1| case 0x6EB86: ------------------ | Branch (236:7): [True: 1, False: 12.9k] ------------------ 237| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 6, 1}, "GOST-34.10-2012-256/SHA-256"); 238| 1| case 0x6EC47: ------------------ | Branch (238:7): [True: 1, False: 12.9k] ------------------ 239| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 7, 1}, "Kyber-512-r3"); 240| 1| case 0x6EC48: ------------------ | Branch (240:7): [True: 1, False: 12.9k] ------------------ 241| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 7, 2}, "Kyber-768-r3"); 242| 1| case 0x6EC49: ------------------ | Branch (242:7): [True: 1, False: 12.9k] ------------------ 243| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 7, 3}, "Kyber-1024-r3"); 244| 1| case 0x6EDC9: ------------------ | Branch (244:7): [True: 1, False: 12.9k] ------------------ 245| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 9, 1}, "Dilithium-4x4-r3"); 246| 1| case 0x6EDCA: ------------------ | Branch (246:7): [True: 1, False: 12.9k] ------------------ 247| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 9, 2}, "Dilithium-6x5-r3"); 248| 1| case 0x6EDCB: ------------------ | Branch (248:7): [True: 1, False: 12.9k] ------------------ 249| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 9, 3}, "Dilithium-8x7-r3"); 250| 1| case 0x6EE8A: ------------------ | Branch (250:7): [True: 1, False: 12.9k] ------------------ 251| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 10, 1}, "Dilithium-4x4-AES-r3"); 252| 1| case 0x6EE8B: ------------------ | Branch (252:7): [True: 1, False: 12.9k] ------------------ 253| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 10, 2}, "Dilithium-6x5-AES-r3"); 254| 1| case 0x6EE8C: ------------------ | Branch (254:7): [True: 1, False: 12.9k] ------------------ 255| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 10, 3}, "Dilithium-8x7-AES-r3"); 256| 1| case 0x6EF4B: ------------------ | Branch (256:7): [True: 1, False: 12.9k] ------------------ 257| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 11, 1}, "Kyber-512-90s-r3"); 258| 1| case 0x6EF4C: ------------------ | Branch (258:7): [True: 1, False: 12.9k] ------------------ 259| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 11, 2}, "Kyber-768-90s-r3"); 260| 1| case 0x6EF4D: ------------------ | Branch (260:7): [True: 1, False: 12.9k] ------------------ 261| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 11, 3}, "Kyber-1024-90s-r3"); 262| 1| case 0x6F18E: ------------------ | Branch (262:7): [True: 1, False: 12.9k] ------------------ 263| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 14, 1}, "FrodoKEM-640-SHAKE"); 264| 1| case 0x6F18F: ------------------ | Branch (264:7): [True: 1, False: 12.9k] ------------------ 265| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 14, 2}, "FrodoKEM-976-SHAKE"); 266| 1| case 0x6F190: ------------------ | Branch (266:7): [True: 1, False: 12.9k] ------------------ 267| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 14, 3}, "FrodoKEM-1344-SHAKE"); 268| 1| case 0x6F24F: ------------------ | Branch (268:7): [True: 1, False: 12.9k] ------------------ 269| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 15, 1}, "FrodoKEM-640-AES"); 270| 1| case 0x6F250: ------------------ | Branch (270:7): [True: 1, False: 12.9k] ------------------ 271| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 15, 2}, "FrodoKEM-976-AES"); 272| 1| case 0x6F251: ------------------ | Branch (272:7): [True: 1, False: 12.9k] ------------------ 273| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 15, 3}, "FrodoKEM-1344-AES"); 274| 1| case 0x6F310: ------------------ | Branch (274:7): [True: 1, False: 12.9k] ------------------ 275| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 16, 1}, "eFrodoKEM-640-SHAKE"); 276| 1| case 0x6F311: ------------------ | Branch (276:7): [True: 1, False: 12.9k] ------------------ 277| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 16, 2}, "eFrodoKEM-976-SHAKE"); 278| 1| case 0x6F312: ------------------ | Branch (278:7): [True: 1, False: 12.9k] ------------------ 279| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 16, 3}, "eFrodoKEM-1344-SHAKE"); 280| 1| case 0x6F3D1: ------------------ | Branch (280:7): [True: 1, False: 12.9k] ------------------ 281| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 17, 1}, "eFrodoKEM-640-AES"); 282| 1| case 0x6F3D2: ------------------ | Branch (282:7): [True: 1, False: 12.9k] ------------------ 283| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 17, 2}, "eFrodoKEM-976-AES"); 284| 1| case 0x6F3D3: ------------------ | Branch (284:7): [True: 1, False: 12.9k] ------------------ 285| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 17, 3}, "eFrodoKEM-1344-AES"); 286| 1| case 0x6F492: ------------------ | Branch (286:7): [True: 1, False: 12.9k] ------------------ 287| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 1}, "ClassicMcEliece_6688128pc"); 288| 1| case 0x6F493: ------------------ | Branch (288:7): [True: 1, False: 12.9k] ------------------ 289| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 2}, "ClassicMcEliece_6688128pcf"); 290| 1| case 0x6F494: ------------------ | Branch (290:7): [True: 1, False: 12.9k] ------------------ 291| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 3}, "ClassicMcEliece_6960119pc"); 292| 1| case 0x6F495: ------------------ | Branch (292:7): [True: 1, False: 12.9k] ------------------ 293| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 4}, "ClassicMcEliece_6960119pcf"); 294| 1| case 0x6F496: ------------------ | Branch (294:7): [True: 1, False: 12.9k] ------------------ 295| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 5}, "ClassicMcEliece_8192128pc"); 296| 1| case 0x6F497: ------------------ | Branch (296:7): [True: 1, False: 12.9k] ------------------ 297| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 6}, "ClassicMcEliece_8192128pcf"); 298| 1| case 0x6F79D: ------------------ | Branch (298:7): [True: 1, False: 12.9k] ------------------ 299| 1| return if_match(oid, {2, 16, 840, 1, 113730, 1, 13}, "Certificate Comment"); 300| 1| case 0x701A0: ------------------ | Branch (300:7): [True: 1, False: 12.9k] ------------------ 301| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 2, 1}, "ECGDSA"); 302| 1| case 0x70322: ------------------ | Branch (302:7): [True: 1, False: 12.9k] ------------------ 303| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 1}, "ECGDSA/RIPEMD-160"); 304| 1| case 0x70323: ------------------ | Branch (304:7): [True: 1, False: 12.9k] ------------------ 305| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 2}, "ECGDSA/SHA-1"); 306| 1| case 0x70324: ------------------ | Branch (306:7): [True: 1, False: 12.9k] ------------------ 307| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 3}, "ECGDSA/SHA-224"); 308| 1| case 0x70325: ------------------ | Branch (308:7): [True: 1, False: 12.9k] ------------------ 309| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 4}, "ECGDSA/SHA-256"); 310| 1| case 0x70326: ------------------ | Branch (310:7): [True: 1, False: 12.9k] ------------------ 311| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 5}, "ECGDSA/SHA-384"); 312| 2| case 0x70327: ------------------ | Branch (312:7): [True: 2, False: 12.9k] ------------------ 313| 2| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 6}, "ECGDSA/SHA-512"); 314| 1| case 0x72B21: ------------------ | Branch (314:7): [True: 1, False: 12.9k] ------------------ 315| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 1, 1}, "GOST-34.10-2012-256"); 316| 1| case 0x72B22: ------------------ | Branch (316:7): [True: 1, False: 12.9k] ------------------ 317| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 1, 2}, "GOST-34.10-2012-512"); 318| 1| case 0x72BE3: ------------------ | Branch (318:7): [True: 1, False: 12.9k] ------------------ 319| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 2, 2}, "Streebog-256"); 320| 1| case 0x72BE4: ------------------ | Branch (320:7): [True: 1, False: 12.9k] ------------------ 321| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 2, 3}, "Streebog-512"); 322| 1| case 0x72CA4: ------------------ | Branch (322:7): [True: 1, False: 12.9k] ------------------ 323| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 3, 2}, "GOST-34.10-2012-256/Streebog-256"); 324| 1| case 0x72CA5: ------------------ | Branch (324:7): [True: 1, False: 12.9k] ------------------ 325| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 3, 3}, "GOST-34.10-2012-512/Streebog-512"); 326| 1| case 0x7C7C7: ------------------ | Branch (326:7): [True: 1, False: 12.9k] ------------------ 327| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 22, 1}, "PKCS9.X509Certificate"); 328| 1| case 0x7C7C8: ------------------ | Branch (328:7): [True: 1, False: 12.9k] ------------------ 329| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 22, 2}, "PKCS9.SDSICertificate"); 330| 1| case 0x7C888: ------------------ | Branch (330:7): [True: 1, False: 12.9k] ------------------ 331| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 23, 1}, "PKCS9.X509CRL"); 332| 3| case 0x7E10F: ------------------ | Branch (332:7): [True: 3, False: 12.9k] ------------------ 333| 3| return if_match(oid, {2, 5, 4, 3}, "X520.CommonName"); 334| 5| case 0x7E110: ------------------ | Branch (334:7): [True: 5, False: 12.9k] ------------------ 335| 5| return if_match(oid, {2, 5, 4, 4}, "X520.Surname"); 336| 3| case 0x7E111: ------------------ | Branch (336:7): [True: 3, False: 12.9k] ------------------ 337| 3| return if_match(oid, {2, 5, 4, 5}, "X520.SerialNumber"); 338| 3| case 0x7E112: ------------------ | Branch (338:7): [True: 3, False: 12.9k] ------------------ 339| 3| return if_match(oid, {2, 5, 4, 6}, "X520.Country"); 340| 3| case 0x7E113: ------------------ | Branch (340:7): [True: 3, False: 12.9k] ------------------ 341| 3| return if_match(oid, {2, 5, 4, 7}, "X520.Locality"); 342| 3| case 0x7E114: ------------------ | Branch (342:7): [True: 3, False: 12.9k] ------------------ 343| 3| return if_match(oid, {2, 5, 4, 8}, "X520.State"); 344| 3| case 0x7E115: ------------------ | Branch (344:7): [True: 3, False: 12.9k] ------------------ 345| 3| return if_match(oid, {2, 5, 4, 9}, "X520.StreetAddress"); 346| 3| case 0x7E116: ------------------ | Branch (346:7): [True: 3, False: 12.9k] ------------------ 347| 3| return if_match(oid, {2, 5, 4, 10}, "X520.Organization"); 348| 3| case 0x7E117: ------------------ | Branch (348:7): [True: 3, False: 12.9k] ------------------ 349| 3| return if_match(oid, {2, 5, 4, 11}, "X520.OrganizationalUnit"); 350| 5| case 0x7E118: ------------------ | Branch (350:7): [True: 5, False: 12.9k] ------------------ 351| 5| return if_match(oid, {2, 5, 4, 12}, "X520.Title"); 352| 3| case 0x7E136: ------------------ | Branch (352:7): [True: 3, False: 12.9k] ------------------ 353| 3| return if_match(oid, {2, 5, 4, 42}, "X520.GivenName"); 354| 3| case 0x7E137: ------------------ | Branch (354:7): [True: 3, False: 12.9k] ------------------ 355| 3| return if_match(oid, {2, 5, 4, 43}, "X520.Initials"); 356| 3| case 0x7E138: ------------------ | Branch (356:7): [True: 3, False: 12.9k] ------------------ 357| 3| return if_match(oid, {2, 5, 4, 44}, "X520.GenerationalQualifier"); 358| 3| case 0x7E13A: ------------------ | Branch (358:7): [True: 3, False: 12.9k] ------------------ 359| 3| return if_match(oid, {2, 5, 4, 46}, "X520.DNQualifier"); 360| 3| case 0x7E14D: ------------------ | Branch (360:7): [True: 3, False: 12.9k] ------------------ 361| 3| return if_match(oid, {2, 5, 4, 65}, "X520.Pseudonym"); 362| 3| case 0x7F3F3: ------------------ | Branch (362:7): [True: 3, False: 12.9k] ------------------ 363| 3| return if_match(oid, {2, 5, 29, 14}, "X509v3.SubjectKeyIdentifier"); 364| 3| case 0x7F3F4: ------------------ | Branch (364:7): [True: 3, False: 12.9k] ------------------ 365| 3| return if_match(oid, {2, 5, 29, 15}, "X509v3.KeyUsage"); 366| 3| case 0x7F3F5: ------------------ | Branch (366:7): [True: 3, False: 12.9k] ------------------ 367| 3| return if_match(oid, {2, 5, 29, 16}, "X509v3.PrivateKeyUsagePeriod"); 368| 3| case 0x7F3F6: ------------------ | Branch (368:7): [True: 3, False: 12.9k] ------------------ 369| 3| return if_match(oid, {2, 5, 29, 17}, "X509v3.SubjectAlternativeName"); 370| 3| case 0x7F3F7: ------------------ | Branch (370:7): [True: 3, False: 12.9k] ------------------ 371| 3| return if_match(oid, {2, 5, 29, 18}, "X509v3.IssuerAlternativeName"); 372| 3| case 0x7F3F8: ------------------ | Branch (372:7): [True: 3, False: 12.9k] ------------------ 373| 3| return if_match(oid, {2, 5, 29, 19}, "X509v3.BasicConstraints"); 374| 3| case 0x7F3F9: ------------------ | Branch (374:7): [True: 3, False: 12.9k] ------------------ 375| 3| return if_match(oid, {2, 5, 29, 20}, "X509v3.CRLNumber"); 376| 3| case 0x7F3FA: ------------------ | Branch (376:7): [True: 3, False: 12.9k] ------------------ 377| 3| return if_match(oid, {2, 5, 29, 21}, "X509v3.ReasonCode"); 378| 3| case 0x7F3FC: ------------------ | Branch (378:7): [True: 3, False: 12.9k] ------------------ 379| 3| return if_match(oid, {2, 5, 29, 23}, "X509v3.HoldInstructionCode"); 380| 3| case 0x7F3FD: ------------------ | Branch (380:7): [True: 3, False: 12.9k] ------------------ 381| 3| return if_match(oid, {2, 5, 29, 24}, "X509v3.InvalidityDate"); 382| 3| case 0x7F401: ------------------ | Branch (382:7): [True: 3, False: 12.9k] ------------------ 383| 3| return if_match(oid, {2, 5, 29, 28}, "X509v3.CRLIssuingDistributionPoint"); 384| 3| case 0x7F403: ------------------ | Branch (384:7): [True: 3, False: 12.9k] ------------------ 385| 3| return if_match(oid, {2, 5, 29, 30}, "X509v3.NameConstraints"); 386| 3| case 0x7F404: ------------------ | Branch (386:7): [True: 3, False: 12.9k] ------------------ 387| 3| return if_match(oid, {2, 5, 29, 31}, "X509v3.CRLDistributionPoints"); 388| 3| case 0x7F405: ------------------ | Branch (388:7): [True: 3, False: 12.9k] ------------------ 389| 3| return if_match(oid, {2, 5, 29, 32}, "X509v3.CertificatePolicies"); 390| 3| case 0x7F408: ------------------ | Branch (390:7): [True: 3, False: 12.9k] ------------------ 391| 3| return if_match(oid, {2, 5, 29, 35}, "X509v3.AuthorityKeyIdentifier"); 392| 3| case 0x7F409: ------------------ | Branch (392:7): [True: 3, False: 12.9k] ------------------ 393| 3| return if_match(oid, {2, 5, 29, 36}, "X509v3.PolicyConstraints"); 394| 3| case 0x7F40A: ------------------ | Branch (394:7): [True: 3, False: 12.9k] ------------------ 395| 3| return if_match(oid, {2, 5, 29, 37}, "X509v3.ExtendedKeyUsage"); 396| 3| case 0x7F41D: ------------------ | Branch (396:7): [True: 3, False: 12.9k] ------------------ 397| 3| return if_match(oid, {2, 5, 29, 56}, "X509v3.NoRevocationAvailable"); 398| 1| case 0x80B84: ------------------ | Branch (398:7): [True: 1, False: 12.9k] ------------------ 399| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 1}, "AES-128/OCB"); 400| 1| case 0x80B85: ------------------ | Branch (400:7): [True: 1, False: 12.9k] ------------------ 401| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 2}, "AES-192/OCB"); 402| 1| case 0x80B86: ------------------ | Branch (402:7): [True: 1, False: 12.9k] ------------------ 403| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 3}, "AES-256/OCB"); 404| 1| case 0x80B87: ------------------ | Branch (404:7): [True: 1, False: 12.9k] ------------------ 405| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 4}, "Serpent/OCB"); 406| 1| case 0x80B88: ------------------ | Branch (406:7): [True: 1, False: 12.9k] ------------------ 407| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 5}, "Twofish/OCB"); 408| 2| case 0x80B89: ------------------ | Branch (408:7): [True: 2, False: 12.9k] ------------------ 409| 2| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 6}, "Camellia-128/OCB"); 410| 1| case 0x80B8A: ------------------ | Branch (410:7): [True: 1, False: 12.9k] ------------------ 411| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 7}, "Camellia-192/OCB"); 412| 1| case 0x80B8B: ------------------ | Branch (412:7): [True: 1, False: 12.9k] ------------------ 413| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 8}, "Camellia-256/OCB"); 414| 1| case 0x80D06: ------------------ | Branch (414:7): [True: 1, False: 12.9k] ------------------ 415| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 1}, "AES-128/SIV"); 416| 1| case 0x80D07: ------------------ | Branch (416:7): [True: 1, False: 12.9k] ------------------ 417| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 2}, "AES-192/SIV"); 418| 1| case 0x80D08: ------------------ | Branch (418:7): [True: 1, False: 12.9k] ------------------ 419| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 3}, "AES-256/SIV"); 420| 1| case 0x80D09: ------------------ | Branch (420:7): [True: 1, False: 12.9k] ------------------ 421| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 4}, "Serpent/SIV"); 422| 1| case 0x80D0A: ------------------ | Branch (422:7): [True: 1, False: 12.9k] ------------------ 423| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 5}, "Twofish/SIV"); 424| 1| case 0x80D0B: ------------------ | Branch (424:7): [True: 1, False: 12.9k] ------------------ 425| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 6}, "Camellia-128/SIV"); 426| 1| case 0x80D0C: ------------------ | Branch (426:7): [True: 1, False: 12.9k] ------------------ 427| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 7}, "Camellia-192/SIV"); 428| 1| case 0x80D0D: ------------------ | Branch (428:7): [True: 1, False: 12.9k] ------------------ 429| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 8}, "Camellia-256/SIV"); 430| 1| case 0x80D0E: ------------------ | Branch (430:7): [True: 1, False: 12.9k] ------------------ 431| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 9}, "SM4/SIV"); 432| 1| case 0x84C6A: ------------------ | Branch (432:7): [True: 1, False: 12.9k] ------------------ 433| 1| return if_match(oid, {1, 2, 392, 200011, 61, 1, 1, 1, 2}, "Camellia-128/CBC"); 434| 1| case 0x84C6B: ------------------ | Branch (434:7): [True: 1, False: 12.9k] ------------------ 435| 1| return if_match(oid, {1, 2, 392, 200011, 61, 1, 1, 1, 3}, "Camellia-192/CBC"); 436| 1| case 0x84C6C: ------------------ | Branch (436:7): [True: 1, False: 12.9k] ------------------ 437| 1| return if_match(oid, {1, 2, 392, 200011, 61, 1, 1, 1, 4}, "Camellia-256/CBC"); 438| 1| case 0x88CD3: ------------------ | Branch (438:7): [True: 1, False: 12.9k] ------------------ 439| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 6}, "KeyWrap.TripleDES"); 440| 1| case 0x88CD5: ------------------ | Branch (440:7): [True: 1, False: 12.9k] ------------------ 441| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 8}, "Compression.Zlib"); 442| 1| case 0x88CDE: ------------------ | Branch (442:7): [True: 1, False: 12.9k] ------------------ 443| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 17}, "HSS-LMS"); 444| 1| case 0x88CDF: ------------------ | Branch (444:7): [True: 1, False: 12.9k] ------------------ 445| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 18}, "ChaCha20Poly1305"); 446| 3| case 0x92296: ------------------ | Branch (446:7): [True: 3, False: 12.9k] ------------------ 447| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 2}, "AES-128/CBC"); 448| 3| case 0x92299: ------------------ | Branch (448:7): [True: 3, False: 12.9k] ------------------ 449| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 5}, "KeyWrap.AES-128"); 450| 3| case 0x9229A: ------------------ | Branch (450:7): [True: 3, False: 12.9k] ------------------ 451| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 6}, "AES-128/GCM"); 452| 3| case 0x9229B: ------------------ | Branch (452:7): [True: 3, False: 12.9k] ------------------ 453| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 7}, "AES-128/CCM"); 454| 3| case 0x922AA: ------------------ | Branch (454:7): [True: 3, False: 12.9k] ------------------ 455| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 22}, "AES-192/CBC"); 456| 3| case 0x922AD: ------------------ | Branch (456:7): [True: 3, False: 12.9k] ------------------ 457| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 25}, "KeyWrap.AES-192"); 458| 3| case 0x922AE: ------------------ | Branch (458:7): [True: 3, False: 12.9k] ------------------ 459| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 26}, "AES-192/GCM"); 460| 3| case 0x922AF: ------------------ | Branch (460:7): [True: 3, False: 12.9k] ------------------ 461| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 27}, "AES-192/CCM"); 462| 3| case 0x922BE: ------------------ | Branch (462:7): [True: 3, False: 12.9k] ------------------ 463| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 42}, "AES-256/CBC"); 464| 3| case 0x922C1: ------------------ | Branch (464:7): [True: 3, False: 12.9k] ------------------ 465| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 45}, "KeyWrap.AES-256"); 466| 3| case 0x922C2: ------------------ | Branch (466:7): [True: 3, False: 12.9k] ------------------ 467| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 46}, "AES-256/GCM"); 468| 3| case 0x922C3: ------------------ | Branch (468:7): [True: 3, False: 12.9k] ------------------ 469| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 47}, "AES-256/CCM"); 470| 3| case 0x92356: ------------------ | Branch (470:7): [True: 3, False: 12.9k] ------------------ 471| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 1}, "SHA-256"); 472| 3| case 0x92357: ------------------ | Branch (472:7): [True: 3, False: 12.9k] ------------------ 473| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 2}, "SHA-384"); 474| 3| case 0x92358: ------------------ | Branch (474:7): [True: 3, False: 12.9k] ------------------ 475| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 3}, "SHA-512"); 476| 3| case 0x92359: ------------------ | Branch (476:7): [True: 3, False: 12.9k] ------------------ 477| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 4}, "SHA-224"); 478| 3| case 0x9235B: ------------------ | Branch (478:7): [True: 3, False: 12.9k] ------------------ 479| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 6}, "SHA-512-256"); 480| 3| case 0x9235C: ------------------ | Branch (480:7): [True: 3, False: 12.9k] ------------------ 481| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 7}, "SHA-3(224)"); 482| 3| case 0x9235D: ------------------ | Branch (482:7): [True: 3, False: 12.9k] ------------------ 483| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 8}, "SHA-3(256)"); 484| 3| case 0x9235E: ------------------ | Branch (484:7): [True: 3, False: 12.9k] ------------------ 485| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 9}, "SHA-3(384)"); 486| 3| case 0x9235F: ------------------ | Branch (486:7): [True: 3, False: 12.9k] ------------------ 487| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 10}, "SHA-3(512)"); 488| 3| case 0x92360: ------------------ | Branch (488:7): [True: 3, False: 12.9k] ------------------ 489| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 11}, "SHAKE-128"); 490| 3| case 0x92361: ------------------ | Branch (490:7): [True: 3, False: 12.9k] ------------------ 491| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 12}, "SHAKE-256"); 492| 4| case 0x92417: ------------------ | Branch (492:7): [True: 4, False: 12.9k] ------------------ 493| 4| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 1}, "DSA/SHA-224"); 494| 3| case 0x92418: ------------------ | Branch (494:7): [True: 3, False: 12.9k] ------------------ 495| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 2}, "DSA/SHA-256"); 496| 3| case 0x92419: ------------------ | Branch (496:7): [True: 3, False: 12.9k] ------------------ 497| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 3}, "DSA/SHA-384"); 498| 4| case 0x9241A: ------------------ | Branch (498:7): [True: 4, False: 12.9k] ------------------ 499| 4| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 4}, "DSA/SHA-512"); 500| 3| case 0x9241B: ------------------ | Branch (500:7): [True: 3, False: 12.9k] ------------------ 501| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 5}, "DSA/SHA-3(224)"); 502| 5| case 0x9241C: ------------------ | Branch (502:7): [True: 5, False: 12.9k] ------------------ 503| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 6}, "DSA/SHA-3(256)"); 504| 4| case 0x9241D: ------------------ | Branch (504:7): [True: 4, False: 12.9k] ------------------ 505| 4| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 7}, "DSA/SHA-3(384)"); 506| 3| case 0x9241E: ------------------ | Branch (506:7): [True: 3, False: 12.9k] ------------------ 507| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 8}, "DSA/SHA-3(512)"); 508| 3| case 0x9241F: ------------------ | Branch (508:7): [True: 3, False: 12.9k] ------------------ 509| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 9}, "ECDSA/SHA-3(224)"); 510| 3| case 0x92420: ------------------ | Branch (510:7): [True: 3, False: 12.9k] ------------------ 511| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 10}, "ECDSA/SHA-3(256)"); 512| 3| case 0x92421: ------------------ | Branch (512:7): [True: 3, False: 12.9k] ------------------ 513| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 11}, "ECDSA/SHA-3(384)"); 514| 3| case 0x92422: ------------------ | Branch (514:7): [True: 3, False: 12.9k] ------------------ 515| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 12}, "ECDSA/SHA-3(512)"); 516| 5| case 0x92423: ------------------ | Branch (516:7): [True: 5, False: 12.9k] ------------------ 517| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 13}, "RSA/PKCS1v15(SHA-3(224))"); 518| 41| case 0x92424: ------------------ | Branch (518:7): [True: 41, False: 12.8k] ------------------ 519| 41| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 14}, "RSA/PKCS1v15(SHA-3(256))"); 520| 5| case 0x92425: ------------------ | Branch (520:7): [True: 5, False: 12.9k] ------------------ 521| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 15}, "RSA/PKCS1v15(SHA-3(384))"); 522| 3| case 0x92426: ------------------ | Branch (522:7): [True: 3, False: 12.9k] ------------------ 523| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 16}, "RSA/PKCS1v15(SHA-3(512))"); 524| 40| case 0x92427: ------------------ | Branch (524:7): [True: 40, False: 12.8k] ------------------ 525| 40| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 17}, "ML-DSA-4x4"); 526| 130| case 0x92428: ------------------ | Branch (526:7): [True: 130, False: 12.7k] ------------------ 527| 130| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 18}, "ML-DSA-6x5"); 528| 70| case 0x92429: ------------------ | Branch (528:7): [True: 70, False: 12.8k] ------------------ 529| 70| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 19}, "ML-DSA-8x7"); 530| 13| case 0x9242A: ------------------ | Branch (530:7): [True: 13, False: 12.9k] ------------------ 531| 13| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 20}, "SLH-DSA-SHA2-128s"); 532| 5| case 0x9242B: ------------------ | Branch (532:7): [True: 5, False: 12.9k] ------------------ 533| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 21}, "SLH-DSA-SHA2-128f"); 534| 5| case 0x9242C: ------------------ | Branch (534:7): [True: 5, False: 12.9k] ------------------ 535| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 22}, "SLH-DSA-SHA2-192s"); 536| 9| case 0x9242D: ------------------ | Branch (536:7): [True: 9, False: 12.9k] ------------------ 537| 9| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 23}, "SLH-DSA-SHA2-192f"); 538| 5| case 0x9242E: ------------------ | Branch (538:7): [True: 5, False: 12.9k] ------------------ 539| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 24}, "SLH-DSA-SHA2-256s"); 540| 5| case 0x9242F: ------------------ | Branch (540:7): [True: 5, False: 12.9k] ------------------ 541| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 25}, "SLH-DSA-SHA2-256f"); 542| 9| case 0x92430: ------------------ | Branch (542:7): [True: 9, False: 12.9k] ------------------ 543| 9| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 26}, "SLH-DSA-SHAKE-128s"); 544| 5| case 0x92431: ------------------ | Branch (544:7): [True: 5, False: 12.9k] ------------------ 545| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 27}, "SLH-DSA-SHAKE-128f"); 546| 5| case 0x92432: ------------------ | Branch (546:7): [True: 5, False: 12.9k] ------------------ 547| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 28}, "SLH-DSA-SHAKE-192s"); 548| 5| case 0x92433: ------------------ | Branch (548:7): [True: 5, False: 12.9k] ------------------ 549| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 29}, "SLH-DSA-SHAKE-192f"); 550| 9| case 0x92434: ------------------ | Branch (550:7): [True: 9, False: 12.9k] ------------------ 551| 9| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 30}, "SLH-DSA-SHAKE-256s"); 552| 5| case 0x92435: ------------------ | Branch (552:7): [True: 5, False: 12.9k] ------------------ 553| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 31}, "SLH-DSA-SHAKE-256f"); 554| 16| case 0x924D8: ------------------ | Branch (554:7): [True: 16, False: 12.9k] ------------------ 555| 16| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 4, 1}, "ML-KEM-512"); 556| 40| case 0x924D9: ------------------ | Branch (556:7): [True: 40, False: 12.8k] ------------------ 557| 40| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 4, 2}, "ML-KEM-768"); 558| 58| case 0x924DA: ------------------ | Branch (558:7): [True: 58, False: 12.8k] ------------------ 559| 58| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 4, 3}, "ML-KEM-1024"); 560| 1| case 0x9479F: ------------------ | Branch (560:7): [True: 1, False: 12.9k] ------------------ 561| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 1}, "PKIX.AuthorityInformationAccess"); 562| 1| case 0x947A5: ------------------ | Branch (562:7): [True: 1, False: 12.9k] ------------------ 563| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 7}, "PKIX.IpAddrBlocks"); 564| 1| case 0x947A6: ------------------ | Branch (564:7): [True: 1, False: 12.9k] ------------------ 565| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 8}, "PKIX.AutonomousSysIds"); 566| 1| case 0x947B8: ------------------ | Branch (566:7): [True: 1, False: 12.9k] ------------------ 567| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 26}, "PKIX.TNAuthList"); 568| 1| case 0x94921: ------------------ | Branch (568:7): [True: 1, False: 12.9k] ------------------ 569| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 1}, "PKIX.ServerAuth"); 570| 1| case 0x94922: ------------------ | Branch (570:7): [True: 1, False: 12.9k] ------------------ 571| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 2}, "PKIX.ClientAuth"); 572| 1| case 0x94923: ------------------ | Branch (572:7): [True: 1, False: 12.9k] ------------------ 573| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 3}, "PKIX.CodeSigning"); 574| 1| case 0x94924: ------------------ | Branch (574:7): [True: 1, False: 12.9k] ------------------ 575| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 4}, "PKIX.EmailProtection"); 576| 1| case 0x94925: ------------------ | Branch (576:7): [True: 1, False: 12.9k] ------------------ 577| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 5}, "PKIX.IPsecEndSystem"); 578| 1| case 0x94926: ------------------ | Branch (578:7): [True: 1, False: 12.9k] ------------------ 579| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 6}, "PKIX.IPsecTunnel"); 580| 1| case 0x94927: ------------------ | Branch (580:7): [True: 1, False: 12.9k] ------------------ 581| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 7}, "PKIX.IPsecUser"); 582| 1| case 0x94928: ------------------ | Branch (582:7): [True: 1, False: 12.9k] ------------------ 583| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 8}, "PKIX.TimeStamping"); 584| 1| case 0x94929: ------------------ | Branch (584:7): [True: 1, False: 12.9k] ------------------ 585| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 9}, "PKIX.OCSPSigning"); 586| 1| case 0x94CEA: ------------------ | Branch (586:7): [True: 1, False: 12.9k] ------------------ 587| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 8, 5}, "PKIX.XMPPAddr"); 588| 1| case 0x954DB: ------------------ | Branch (588:7): [True: 1, False: 12.9k] ------------------ 589| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 311, 20, 2, 2}, "Microsoft SmartcardLogon"); 590| 1| case 0x954DC: ------------------ | Branch (590:7): [True: 1, False: 12.9k] ------------------ 591| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 311, 20, 2, 3}, "Microsoft UPN"); 592| 1| case 0x96B0E: ------------------ | Branch (592:7): [True: 1, False: 12.9k] ------------------ 593| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 1}, "PKIX.OCSP"); 594| 1| case 0x96B0F: ------------------ | Branch (594:7): [True: 1, False: 12.9k] ------------------ 595| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 2}, "PKIX.CertificateAuthorityIssuers"); 596| 1| case 0x96C77: ------------------ | Branch (596:7): [True: 1, False: 12.9k] ------------------ 597| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 1, 3}, "PBE-SHA1-3DES"); 598| 1| case 0x96C78: ------------------ | Branch (598:7): [True: 1, False: 12.9k] ------------------ 599| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 1, 4}, "PBE-SHA1-2DES"); 600| 39| case 0x9A008: ------------------ | Branch (600:7): [True: 39, False: 12.8k] ------------------ 601| 39| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 1}, "brainpool160r1"); 602| 6| case 0x9A00A: ------------------ | Branch (602:7): [True: 6, False: 12.9k] ------------------ 603| 6| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 3}, "brainpool192r1"); 604| 81| case 0x9A00C: ------------------ | Branch (604:7): [True: 81, False: 12.8k] ------------------ 605| 81| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 5}, "brainpool224r1"); 606| 128| case 0x9A00E: ------------------ | Branch (606:7): [True: 128, False: 12.7k] ------------------ 607| 128| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 7}, "brainpool256r1"); 608| 57| case 0x9A010: ------------------ | Branch (608:7): [True: 57, False: 12.8k] ------------------ 609| 57| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 9}, "brainpool320r1"); 610| 159| case 0x9A012: ------------------ | Branch (610:7): [True: 159, False: 12.7k] ------------------ 611| 159| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 11}, "brainpool384r1"); 612| 148| case 0x9A014: ------------------ | Branch (612:7): [True: 148, False: 12.7k] ------------------ 613| 148| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 13}, "brainpool512r1"); 614| 1| case 0xA0D61: ------------------ | Branch (614:7): [True: 1, False: 12.9k] ------------------ 615| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 3}, "McEliece"); 616| 1| case 0xA0D63: ------------------ | Branch (616:7): [True: 1, False: 12.9k] ------------------ 617| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 5}, "XMSS-draft6"); 618| 1| case 0xA0D66: ------------------ | Branch (618:7): [True: 1, False: 12.9k] ------------------ 619| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 8}, "XMSS-draft12"); 620| 1| case 0xA0D6B: ------------------ | Branch (620:7): [True: 1, False: 12.9k] ------------------ 621| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 13}, "HSS-LMS-Private-Key"); 622| 1| case 0xA0EE1: ------------------ | Branch (622:7): [True: 1, False: 12.9k] ------------------ 623| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 1}, "Serpent/CBC"); 624| 1| case 0xA0EE2: ------------------ | Branch (624:7): [True: 1, False: 12.9k] ------------------ 625| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2}, "Threefish-512/CBC"); 626| 1| case 0xA0EE3: ------------------ | Branch (626:7): [True: 1, False: 12.9k] ------------------ 627| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 3}, "Twofish/CBC"); 628| 1| case 0xA0F45: ------------------ | Branch (628:7): [True: 1, False: 12.9k] ------------------ 629| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 101}, "Serpent/GCM"); 630| 1| case 0xA0F46: ------------------ | Branch (630:7): [True: 1, False: 12.9k] ------------------ 631| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 102}, "Twofish/GCM"); 632| 1| case 0xA0FA2: ------------------ | Branch (632:7): [True: 1, False: 12.9k] ------------------ 633| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 4, 1}, "numsp256d1"); 634| 1| case 0xA0FA3: ------------------ | Branch (634:7): [True: 1, False: 12.9k] ------------------ 635| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 4, 2}, "numsp384d1"); 636| 1| case 0xA0FA4: ------------------ | Branch (636:7): [True: 1, False: 12.9k] ------------------ 637| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 4, 3}, "numsp512d1"); 638| 1| case 0xA244B: ------------------ | Branch (638:7): [True: 1, False: 12.9k] ------------------ 639| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 1}, "ClassicMcEliece_348864"); 640| 1| case 0xA244C: ------------------ | Branch (640:7): [True: 1, False: 12.9k] ------------------ 641| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 2}, "ClassicMcEliece_348864f"); 642| 1| case 0xA244D: ------------------ | Branch (642:7): [True: 1, False: 12.9k] ------------------ 643| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 3}, "ClassicMcEliece_460896"); 644| 1| case 0xA244E: ------------------ | Branch (644:7): [True: 1, False: 12.9k] ------------------ 645| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 4}, "ClassicMcEliece_460896f"); 646| 1| case 0xA244F: ------------------ | Branch (646:7): [True: 1, False: 12.9k] ------------------ 647| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 5}, "ClassicMcEliece_6688128"); 648| 1| case 0xA2450: ------------------ | Branch (648:7): [True: 1, False: 12.9k] ------------------ 649| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 6}, "ClassicMcEliece_6688128f"); 650| 1| case 0xA2451: ------------------ | Branch (650:7): [True: 1, False: 12.9k] ------------------ 651| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 7}, "ClassicMcEliece_6960119"); 652| 1| case 0xA2452: ------------------ | Branch (652:7): [True: 1, False: 12.9k] ------------------ 653| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 8}, "ClassicMcEliece_6960119f"); 654| 1| case 0xA2453: ------------------ | Branch (654:7): [True: 1, False: 12.9k] ------------------ 655| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 9}, "ClassicMcEliece_8192128"); 656| 1| case 0xA2454: ------------------ | Branch (656:7): [True: 1, False: 12.9k] ------------------ 657| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 10}, "ClassicMcEliece_8192128f"); 658| 3| case 0xAF989: ------------------ | Branch (658:7): [True: 3, False: 12.9k] ------------------ 659| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 1}, "RSA"); 660| 3| case 0xAF98A: ------------------ | Branch (660:7): [True: 3, False: 12.9k] ------------------ 661| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 2}, "RSA/PKCS1v15(MD2)"); 662| 3| case 0xAF98C: ------------------ | Branch (662:7): [True: 3, False: 12.9k] ------------------ 663| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 4}, "RSA/PKCS1v15(MD5)"); 664| 3| case 0xAF98D: ------------------ | Branch (664:7): [True: 3, False: 12.9k] ------------------ 665| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 5}, "RSA/PKCS1v15(SHA-1)"); 666| 3| case 0xAF98F: ------------------ | Branch (666:7): [True: 3, False: 12.9k] ------------------ 667| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 7}, "RSA/OAEP"); 668| 3| case 0xAF990: ------------------ | Branch (668:7): [True: 3, False: 12.9k] ------------------ 669| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 8}, "MGF1"); 670| 3| case 0xAF992: ------------------ | Branch (670:7): [True: 3, False: 12.9k] ------------------ 671| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 10}, "RSA/PSS"); 672| 3| case 0xAF993: ------------------ | Branch (672:7): [True: 3, False: 12.9k] ------------------ 673| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 11}, "RSA/PKCS1v15(SHA-256)"); 674| 3| case 0xAF994: ------------------ | Branch (674:7): [True: 3, False: 12.9k] ------------------ 675| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 12}, "RSA/PKCS1v15(SHA-384)"); 676| 3| case 0xAF995: ------------------ | Branch (676:7): [True: 3, False: 12.9k] ------------------ 677| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 13}, "RSA/PKCS1v15(SHA-512)"); 678| 3| case 0xAF996: ------------------ | Branch (678:7): [True: 3, False: 12.9k] ------------------ 679| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 14}, "RSA/PKCS1v15(SHA-224)"); 680| 3| case 0xAF998: ------------------ | Branch (680:7): [True: 3, False: 12.9k] ------------------ 681| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 16}, "RSA/PKCS1v15(SHA-512-256)"); 682| 3| case 0xAFC98: ------------------ | Branch (682:7): [True: 3, False: 12.9k] ------------------ 683| 3| return if_match(oid, {1, 2, 840, 113549, 1, 5, 12}, "PKCS5.PBKDF2"); 684| 3| case 0xAFC99: ------------------ | Branch (684:7): [True: 3, False: 12.9k] ------------------ 685| 3| return if_match(oid, {1, 2, 840, 113549, 1, 5, 13}, "PBE-PKCS5v20"); 686| 3| case 0xAFE0F: ------------------ | Branch (686:7): [True: 3, False: 12.9k] ------------------ 687| 3| return if_match(oid, {1, 2, 840, 113549, 1, 7, 1}, "PKCS7.Data"); 688| 3| case 0xAFE14: ------------------ | Branch (688:7): [True: 3, False: 12.9k] ------------------ 689| 3| return if_match(oid, {1, 2, 840, 113549, 1, 7, 6}, "PKCS7.EncryptedData"); 690| 3| case 0xAFF91: ------------------ | Branch (690:7): [True: 3, False: 12.9k] ------------------ 691| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 1}, "PKCS9.EmailAddress"); 692| 3| case 0xAFF92: ------------------ | Branch (692:7): [True: 3, False: 12.9k] ------------------ 693| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 2}, "PKCS9.UnstructuredName"); 694| 3| case 0xAFF93: ------------------ | Branch (694:7): [True: 3, False: 12.9k] ------------------ 695| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 3}, "PKCS9.ContentType"); 696| 3| case 0xAFF94: ------------------ | Branch (696:7): [True: 3, False: 12.9k] ------------------ 697| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 4}, "PKCS9.MessageDigest"); 698| 3| case 0xAFF97: ------------------ | Branch (698:7): [True: 3, False: 12.9k] ------------------ 699| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 7}, "PKCS9.ChallengePassword"); 700| 3| case 0xAFF9E: ------------------ | Branch (700:7): [True: 3, False: 12.9k] ------------------ 701| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 14}, "PKCS9.ExtensionRequest"); 702| 3| case 0xAFFA4: ------------------ | Branch (702:7): [True: 3, False: 12.9k] ------------------ 703| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 20}, "PKCS9.FriendlyName"); 704| 3| case 0xAFFA5: ------------------ | Branch (704:7): [True: 3, False: 12.9k] ------------------ 705| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 21}, "PKCS9.LocalKeyId"); 706| 1| case 0xC0226: ------------------ | Branch (706:7): [True: 1, False: 12.9k] ------------------ 707| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 11591, 4, 11}, "Scrypt"); 708| 1| case 0xC0A67: ------------------ | Branch (708:7): [True: 1, False: 12.9k] ------------------ 709| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 11591, 15, 1}, "OpenPGP.Ed25519"); 710| 3| case 0xC4CE5: ------------------ | Branch (710:7): [True: 3, False: 12.9k] ------------------ 711| 3| return if_match(oid, {1, 2, 643, 100, 1}, "GOST.OGRN"); 712| 3| case 0xC4D53: ------------------ | Branch (712:7): [True: 3, False: 12.9k] ------------------ 713| 3| return if_match(oid, {1, 2, 643, 100, 111}, "GOST.SubjectSigningTool"); 714| 3| case 0xC4D54: ------------------ | Branch (714:7): [True: 3, False: 12.9k] ------------------ 715| 3| return if_match(oid, {1, 2, 643, 100, 112}, "GOST.IssuerSigningTool"); 716| 206| case 0xC9C50: ------------------ | Branch (716:7): [True: 206, False: 12.7k] ------------------ 717| 206| return if_match(oid, {1, 2, 840, 10045, 3, 1, 1}, "secp192r1"); 718| 38| case 0xC9C51: ------------------ | Branch (718:7): [True: 38, False: 12.8k] ------------------ 719| 38| return if_match(oid, {1, 2, 840, 10045, 3, 1, 2}, "x962_p192v2"); 720| 44| case 0xC9C52: ------------------ | Branch (720:7): [True: 44, False: 12.8k] ------------------ 721| 44| return if_match(oid, {1, 2, 840, 10045, 3, 1, 3}, "x962_p192v3"); 722| 72| case 0xC9C53: ------------------ | Branch (722:7): [True: 72, False: 12.8k] ------------------ 723| 72| return if_match(oid, {1, 2, 840, 10045, 3, 1, 4}, "x962_p239v1"); 724| 32| case 0xC9C54: ------------------ | Branch (724:7): [True: 32, False: 12.8k] ------------------ 725| 32| return if_match(oid, {1, 2, 840, 10045, 3, 1, 5}, "x962_p239v2"); 726| 50| case 0xC9C55: ------------------ | Branch (726:7): [True: 50, False: 12.8k] ------------------ 727| 50| return if_match(oid, {1, 2, 840, 10045, 3, 1, 6}, "x962_p239v3"); 728| 247| case 0xC9C56: ------------------ | Branch (728:7): [True: 247, False: 12.6k] ------------------ 729| 247| return if_match(oid, {1, 2, 840, 10045, 3, 1, 7}, "secp256r1"); 730| 3| case 0xCFA13: ------------------ | Branch (730:7): [True: 3, False: 12.9k] ------------------ 731| 3| return if_match(oid, {1, 2, 840, 10040, 4, 1}, "DSA"); 732| 237| case 0xCFA15: ------------------ | Branch (732:7): [True: 237, False: 12.6k] ------------------ 733| 237| return if_match(oid, {1, 2, 840, 10040, 4, 3}, "DSA/SHA-1"); 734| 1.44k| default: ------------------ | Branch (734:7): [True: 1.44k, False: 11.4k] ------------------ 735| 1.44k| return {}; 736| 12.9k| } 737| 12.9k|} _ZN5Botan7OID_Map22lookup_static_oid_nameENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 740| 17|std::optional OID_Map::lookup_static_oid_name(std::string_view req) { 741| 17| const uint32_t hc = hash_oid_name(req); 742| | 743| 17| switch(hc) { 744| 0| case 0x00545: ------------------ | Branch (744:7): [True: 0, False: 17] ------------------ 745| 0| return if_match(req, "Twofish/GCM", {1, 3, 6, 1, 4, 1, 25258, 3, 102}); 746| 0| case 0x00CF3: ------------------ | Branch (746:7): [True: 0, False: 17] ------------------ 747| 0| return if_match(req, "SphincsPlus-sha2-192f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 4}); 748| 0| case 0x015FE: ------------------ | Branch (748:7): [True: 0, False: 17] ------------------ 749| 0| return if_match(req, "FrodoKEM-640-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 14, 1}); 750| 0| case 0x01F9E: ------------------ | Branch (750:7): [True: 0, False: 17] ------------------ 751| 0| return if_match(req, "MD5", {1, 2, 840, 113549, 2, 5}); 752| 0| case 0x02293: ------------------ | Branch (752:7): [True: 0, False: 17] ------------------ 753| 0| return if_match(req, "SphincsPlus-shake-192f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 4}); 754| 0| case 0x02B93: ------------------ | Branch (754:7): [True: 0, False: 17] ------------------ 755| 0| return if_match(req, "Microsoft SmartcardLogon", {1, 3, 6, 1, 4, 1, 311, 20, 2, 2}); 756| 0| case 0x041D5: ------------------ | Branch (756:7): [True: 0, False: 17] ------------------ 757| 0| return if_match(req, "secp160k1", {1, 3, 132, 0, 9}); 758| 0| case 0x044B3: ------------------ | Branch (758:7): [True: 0, False: 17] ------------------ 759| 0| return if_match(req, "Camellia-256/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 8}); 760| 0| case 0x048B2: ------------------ | Branch (760:7): [True: 0, False: 17] ------------------ 761| 0| return if_match(req, "secp160r1", {1, 3, 132, 0, 8}); 762| 0| case 0x048B3: ------------------ | Branch (762:7): [True: 0, False: 17] ------------------ 763| 0| return if_match(req, "secp160r2", {1, 3, 132, 0, 30}); 764| 0| case 0x05CDA: ------------------ | Branch (764:7): [True: 0, False: 17] ------------------ 765| 0| return if_match(req, "X520.Country", {2, 5, 4, 6}); 766| 0| case 0x07783: ------------------ | Branch (766:7): [True: 0, False: 17] ------------------ 767| 0| return if_match(req, "PKIX.ServerAuth", {1, 3, 6, 1, 5, 5, 7, 3, 1}); 768| 0| case 0x086C7: ------------------ | Branch (768:7): [True: 0, False: 17] ------------------ 769| 0| return if_match(req, "numsp384d1", {1, 3, 6, 1, 4, 1, 25258, 4, 2}); 770| 0| case 0x08A92: ------------------ | Branch (770:7): [True: 0, False: 17] ------------------ 771| 0| return if_match(req, "RSA/PKCS1v15(SHA-1)", {1, 2, 840, 113549, 1, 1, 5}); 772| 0| case 0x09EA0: ------------------ | Branch (772:7): [True: 0, False: 17] ------------------ 773| 0| return if_match(req, "DES/CBC", {1, 3, 14, 3, 2, 7}); 774| 0| case 0x0B2D6: ------------------ | Branch (774:7): [True: 0, False: 17] ------------------ 775| 0| return if_match(req, "ECDSA/SHA-3(512)", {2, 16, 840, 1, 101, 3, 4, 3, 12}); 776| 0| case 0x0BA72: ------------------ | Branch (776:7): [True: 0, False: 17] ------------------ 777| 0| return if_match(req, "SphincsPlus-sha2-128s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 1}); 778| 0| case 0x0BE23: ------------------ | Branch (778:7): [True: 0, False: 17] ------------------ 779| 0| return if_match(req, "ECGDSA", {1, 3, 36, 3, 3, 2, 5, 2, 1}); 780| 0| case 0x0C109: ------------------ | Branch (780:7): [True: 0, False: 17] ------------------ 781| 0| return if_match(req, "PKCS9.FriendlyName", {1, 2, 840, 113549, 1, 9, 20}); 782| 0| case 0x0D012: ------------------ | Branch (782:7): [True: 0, False: 17] ------------------ 783| 0| return if_match(req, "SphincsPlus-shake-128s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 1}); 784| 0| case 0x0DCE9: ------------------ | Branch (784:7): [True: 0, False: 17] ------------------ 785| 0| return if_match(req, "ClassicMcEliece_8192128f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 10}); 786| 0| case 0x0E52A: ------------------ | Branch (786:7): [True: 0, False: 17] ------------------ 787| 0| return if_match(req, "numsp512d1", {1, 3, 6, 1, 4, 1, 25258, 4, 3}); 788| 0| case 0x0F9CC: ------------------ | Branch (788:7): [True: 0, False: 17] ------------------ 789| 0| return if_match(req, "PKCS9.UnstructuredName", {1, 2, 840, 113549, 1, 9, 2}); 790| 0| case 0x0FF45: ------------------ | Branch (790:7): [True: 0, False: 17] ------------------ 791| 0| return if_match(req, "Camellia-256/GCM", {0, 3, 4401, 5, 3, 1, 9, 46}); 792| 0| case 0x1033D: ------------------ | Branch (792:7): [True: 0, False: 17] ------------------ 793| 0| return if_match(req, "DSA/SHA-3(384)", {2, 16, 840, 1, 101, 3, 4, 3, 7}); 794| 0| case 0x1139D: ------------------ | Branch (794:7): [True: 0, False: 17] ------------------ 795| 0| return if_match(req, "secp192k1", {1, 3, 132, 0, 31}); 796| 0| case 0x113D6: ------------------ | Branch (796:7): [True: 0, False: 17] ------------------ 797| 0| return if_match(req, "X520.DNQualifier", {2, 5, 4, 46}); 798| 0| case 0x11A7A: ------------------ | Branch (798:7): [True: 0, False: 17] ------------------ 799| 0| return if_match(req, "secp192r1", {1, 2, 840, 10045, 3, 1, 1}); 800| 0| case 0x12096: ------------------ | Branch (800:7): [True: 0, False: 17] ------------------ 801| 0| return if_match(req, "SM2_Kex", {1, 2, 156, 10197, 1, 301, 2}); 802| 0| case 0x13FC1: ------------------ | Branch (802:7): [True: 0, False: 17] ------------------ 803| 0| return if_match(req, "X520.GenerationalQualifier", {2, 5, 4, 44}); 804| 0| case 0x1445B: ------------------ | Branch (804:7): [True: 0, False: 17] ------------------ 805| 0| return if_match(req, "PKCS5.PBKDF2", {1, 2, 840, 113549, 1, 5, 12}); 806| 0| case 0x1495D: ------------------ | Branch (806:7): [True: 0, False: 17] ------------------ 807| 0| return if_match(req, "eFrodoKEM-1344-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 17, 3}); 808| 0| case 0x14E30: ------------------ | Branch (808:7): [True: 0, False: 17] ------------------ 809| 0| return if_match(req, "ClassicMcEliece_460896", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 3}); 810| 0| case 0x14FB1: ------------------ | Branch (810:7): [True: 0, False: 17] ------------------ 811| 0| return if_match(req, "XMSS-draft12", {1, 3, 6, 1, 4, 1, 25258, 1, 8}); 812| 0| case 0x156E3: ------------------ | Branch (812:7): [True: 0, False: 17] ------------------ 813| 0| return if_match(req, "Compression.Zlib", {1, 2, 840, 113549, 1, 9, 16, 3, 8}); 814| 0| case 0x1579E: ------------------ | Branch (814:7): [True: 0, False: 17] ------------------ 815| 0| return if_match(req, "Streebog-512", {1, 2, 643, 7, 1, 1, 2, 3}); 816| 0| case 0x1701A: ------------------ | Branch (816:7): [True: 0, False: 17] ------------------ 817| 0| return if_match(req, "X509v3.AnyExtendedKeyUsage", {2, 5, 29, 37, 0}); 818| 0| case 0x175EF: ------------------ | Branch (818:7): [True: 0, False: 17] ------------------ 819| 0| return if_match(req, "Kyber-1024-90s-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 11, 3}); 820| 0| case 0x17709: ------------------ | Branch (820:7): [True: 0, False: 17] ------------------ 821| 0| return if_match(req, "X520.GivenName", {2, 5, 4, 42}); 822| 0| case 0x17AD9: ------------------ | Branch (822:7): [True: 0, False: 17] ------------------ 823| 0| return if_match(req, "RSA/PKCS1v15(SM3)", {1, 2, 156, 10197, 1, 504}); 824| 1| case 0x17CE2: ------------------ | Branch (824:7): [True: 1, False: 16] ------------------ 825| 1| return if_match(req, "SLH-DSA-SHA2-256f", {2, 16, 840, 1, 101, 3, 4, 3, 25}); 826| 1| case 0x17CEF: ------------------ | Branch (826:7): [True: 1, False: 16] ------------------ 827| 1| return if_match(req, "SLH-DSA-SHA2-256s", {2, 16, 840, 1, 101, 3, 4, 3, 24}); 828| 0| case 0x18618: ------------------ | Branch (828:7): [True: 0, False: 17] ------------------ 829| 0| return if_match(req, "FrodoKEM-976-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 15, 2}); 830| 0| case 0x19480: ------------------ | Branch (830:7): [True: 0, False: 17] ------------------ 831| 0| return if_match(req, "eFrodoKEM-1344-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 16, 3}); 832| 0| case 0x1958A: ------------------ | Branch (832:7): [True: 0, False: 17] ------------------ 833| 0| return if_match(req, "X509v3.InvalidityDate", {2, 5, 29, 24}); 834| 0| case 0x19851: ------------------ | Branch (834:7): [True: 0, False: 17] ------------------ 835| 0| return if_match(req, "DSA/SHA-1", {1, 2, 840, 10040, 4, 3}); 836| 0| case 0x1B2E7: ------------------ | Branch (836:7): [True: 0, False: 17] ------------------ 837| 0| return if_match(req, "KeyWrap.AES-128", {2, 16, 840, 1, 101, 3, 4, 1, 5}); 838| 0| case 0x1B9BE: ------------------ | Branch (838:7): [True: 0, False: 17] ------------------ 839| 0| return if_match(req, "KeyWrap.AES-192", {2, 16, 840, 1, 101, 3, 4, 1, 25}); 840| 0| case 0x1D439: ------------------ | Branch (840:7): [True: 0, False: 17] ------------------ 841| 0| return if_match(req, "SphincsPlus-haraka-192f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 4}); 842| 0| case 0x2065B: ------------------ | Branch (842:7): [True: 0, False: 17] ------------------ 843| 0| return if_match(req, "KeyWrap.CAST-128", {1, 2, 840, 113533, 7, 66, 15}); 844| 0| case 0x216A0: ------------------ | Branch (844:7): [True: 0, False: 17] ------------------ 845| 0| return if_match(req, "ML-KEM-512", {2, 16, 840, 1, 101, 3, 4, 4, 1}); 846| 0| case 0x2216B: ------------------ | Branch (846:7): [True: 0, False: 17] ------------------ 847| 0| return if_match(req, "GOST-34.10-2012-512", {1, 2, 643, 7, 1, 1, 1, 2}); 848| 0| case 0x22C2C: ------------------ | Branch (848:7): [True: 0, False: 17] ------------------ 849| 0| return if_match(req, "ElGamal", {1, 3, 6, 1, 4, 1, 3029, 1, 2, 1}); 850| 0| case 0x2559A: ------------------ | Branch (850:7): [True: 0, False: 17] ------------------ 851| 0| return if_match(req, "X520.Initials", {2, 5, 4, 43}); 852| 0| case 0x271AC: ------------------ | Branch (852:7): [True: 0, False: 17] ------------------ 853| 0| return if_match(req, "PKIX.AutonomousSysIds", {1, 3, 6, 1, 5, 5, 7, 1, 8}); 854| 0| case 0x2808B: ------------------ | Branch (854:7): [True: 0, False: 17] ------------------ 855| 0| return if_match(req, "PKCS7.Data", {1, 2, 840, 113549, 1, 7, 1}); 856| 0| case 0x281B8: ------------------ | Branch (856:7): [True: 0, False: 17] ------------------ 857| 0| return if_match(req, "SphincsPlus-haraka-128s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 1}); 858| 0| case 0x29999: ------------------ | Branch (858:7): [True: 0, False: 17] ------------------ 859| 0| return if_match(req, "DSA/SHA-3(256)", {2, 16, 840, 1, 101, 3, 4, 3, 6}); 860| 0| case 0x2A83D: ------------------ | Branch (860:7): [True: 0, False: 17] ------------------ 861| 0| return if_match(req, "SHA-224", {2, 16, 840, 1, 101, 3, 4, 2, 4}); 862| 0| case 0x2AB30: ------------------ | Branch (862:7): [True: 0, False: 17] ------------------ 863| 0| return if_match(req, "SHA-256", {2, 16, 840, 1, 101, 3, 4, 2, 1}); 864| 0| case 0x2ABEF: ------------------ | Branch (864:7): [True: 0, False: 17] ------------------ 865| 0| return if_match(req, "KeyWrap.AES-256", {2, 16, 840, 1, 101, 3, 4, 1, 45}); 866| 0| case 0x2BAEF: ------------------ | Branch (866:7): [True: 0, False: 17] ------------------ 867| 0| return if_match(req, "SM2_Sig/SM3", {1, 2, 156, 10197, 1, 501}); 868| 0| case 0x2C39A: ------------------ | Branch (868:7): [True: 0, False: 17] ------------------ 869| 0| return if_match(req, "ECGDSA/RIPEMD-160", {1, 3, 36, 3, 3, 2, 5, 4, 1}); 870| 0| case 0x2C54F: ------------------ | Branch (870:7): [True: 0, False: 17] ------------------ 871| 0| return if_match(req, "ECDSA/SHA-3(224)", {2, 16, 840, 1, 101, 3, 4, 3, 9}); 872| 0| case 0x2EEA6: ------------------ | Branch (872:7): [True: 0, False: 17] ------------------ 873| 0| return if_match(req, "RSA/PKCS1v15(RIPEMD-160)", {1, 3, 36, 3, 3, 1, 2}); 874| 0| case 0x2EFBA: ------------------ | Branch (874:7): [True: 0, False: 17] ------------------ 875| 0| return if_match(req, "Kyber-512-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 7, 1}); 876| 0| case 0x2F0AD: ------------------ | Branch (876:7): [True: 0, False: 17] ------------------ 877| 0| return if_match(req, "PKCS7.EncryptedData", {1, 2, 840, 113549, 1, 7, 6}); 878| 0| case 0x2F219: ------------------ | Branch (878:7): [True: 0, False: 17] ------------------ 879| 0| return if_match(req, "PBE-SHA1-2DES", {1, 2, 840, 113549, 1, 12, 1, 4}); 880| 1| case 0x3133E: ------------------ | Branch (880:7): [True: 1, False: 16] ------------------ 881| 1| return if_match(req, "SLH-DSA-SHA2-128f", {2, 16, 840, 1, 101, 3, 4, 3, 21}); 882| 3| case 0x3134B: ------------------ | Branch (882:7): [True: 3, False: 14] ------------------ 883| 3| return if_match(req, "SLH-DSA-SHA2-128s", {2, 16, 840, 1, 101, 3, 4, 3, 20}); 884| 0| case 0x3160D: ------------------ | Branch (884:7): [True: 0, False: 17] ------------------ 885| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(224))", {2, 16, 840, 1, 101, 3, 4, 3, 13}); 886| 0| case 0x319E0: ------------------ | Branch (886:7): [True: 0, False: 17] ------------------ 887| 0| return if_match(req, "GOST-34.10-2012-256/Streebog-256", {1, 2, 643, 7, 1, 1, 3, 2}); 888| 0| case 0x31B3D: ------------------ | Branch (888:7): [True: 0, False: 17] ------------------ 889| 0| return if_match(req, "HMAC(SHA-512)", {1, 2, 840, 113549, 2, 11}); 890| 0| case 0x31C6D: ------------------ | Branch (890:7): [True: 0, False: 17] ------------------ 891| 0| return if_match(req, "secp384r1", {1, 3, 132, 0, 34}); 892| 0| case 0x32899: ------------------ | Branch (892:7): [True: 0, False: 17] ------------------ 893| 0| return if_match(req, "TripleDES/CBC", {1, 2, 840, 113549, 3, 7}); 894| 0| case 0x33D04: ------------------ | Branch (894:7): [True: 0, False: 17] ------------------ 895| 0| return if_match(req, "PKCS12.SecretBag", {1, 2, 840, 113549, 1, 12, 10, 1, 5}); 896| 0| case 0x3615D: ------------------ | Branch (896:7): [True: 0, False: 17] ------------------ 897| 0| return if_match(req, "FrodoKEM-976-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 14, 2}); 898| 0| case 0x361B8: ------------------ | Branch (898:7): [True: 0, False: 17] ------------------ 899| 0| return if_match(req, "Ed25519", {1, 3, 101, 112}); 900| 0| case 0x3649D: ------------------ | Branch (900:7): [True: 0, False: 17] ------------------ 901| 0| return if_match(req, "SHAKE-128", {2, 16, 840, 1, 101, 3, 4, 2, 11}); 902| 0| case 0x36693: ------------------ | Branch (902:7): [True: 0, False: 17] ------------------ 903| 0| return if_match(req, "ClassicMcEliece_348864", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 1}); 904| 0| case 0x373C7: ------------------ | Branch (904:7): [True: 0, False: 17] ------------------ 905| 0| return if_match(req, "ML-DSA-4x4", {2, 16, 840, 1, 101, 3, 4, 3, 17}); 906| 0| case 0x3750B: ------------------ | Branch (906:7): [True: 0, False: 17] ------------------ 907| 0| return if_match(req, "ClassicMcEliece_8192128", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 9}); 908| 0| case 0x39890: ------------------ | Branch (908:7): [True: 0, False: 17] ------------------ 909| 0| return if_match(req, "Ed448", {1, 3, 101, 113}); 910| 0| case 0x3A438: ------------------ | Branch (910:7): [True: 0, False: 17] ------------------ 911| 0| return if_match(req, "SHA-384", {2, 16, 840, 1, 101, 3, 4, 2, 2}); 912| 0| case 0x3A963: ------------------ | Branch (912:7): [True: 0, False: 17] ------------------ 913| 0| return if_match(req, "DH", {1, 2, 840, 10046, 2, 1}); 914| 0| case 0x3AC83: ------------------ | Branch (914:7): [True: 0, False: 17] ------------------ 915| 0| return if_match(req, "MGF1", {1, 2, 840, 113549, 1, 1, 8}); 916| 0| case 0x3ACBA: ------------------ | Branch (916:7): [True: 0, False: 17] ------------------ 917| 0| return if_match(req, "X509v3.IssuerAlternativeName", {2, 5, 29, 18}); 918| 0| case 0x3B273: ------------------ | Branch (918:7): [True: 0, False: 17] ------------------ 919| 0| return if_match(req, "KeyWrap.TripleDES", {1, 2, 840, 113549, 1, 9, 16, 3, 6}); 920| 0| case 0x3B91E: ------------------ | Branch (920:7): [True: 0, False: 17] ------------------ 921| 0| return if_match(req, "X509v3.PrivateKeyUsagePeriod", {2, 5, 29, 16}); 922| 1| case 0x3BC8A: ------------------ | Branch (922:7): [True: 1, False: 16] ------------------ 923| 1| return if_match(req, "SLH-DSA-SHAKE-192f", {2, 16, 840, 1, 101, 3, 4, 3, 29}); 924| 1| case 0x3BC97: ------------------ | Branch (924:7): [True: 1, False: 16] ------------------ 925| 1| return if_match(req, "SLH-DSA-SHAKE-192s", {2, 16, 840, 1, 101, 3, 4, 3, 28}); 926| 0| case 0x3D127: ------------------ | Branch (926:7): [True: 0, False: 17] ------------------ 927| 0| return if_match(req, "DSA", {1, 2, 840, 10040, 4, 1}); 928| 0| case 0x3E249: ------------------ | Branch (928:7): [True: 0, False: 17] ------------------ 929| 0| return if_match(req, "HSS-LMS", {1, 2, 840, 113549, 1, 9, 16, 3, 17}); 930| 0| case 0x3E7D5: ------------------ | Branch (930:7): [True: 0, False: 17] ------------------ 931| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(256))", {2, 16, 840, 1, 101, 3, 4, 3, 14}); 932| 0| case 0x3F748: ------------------ | Branch (932:7): [True: 0, False: 17] ------------------ 933| 0| return if_match(req, "GOST.OGRN", {1, 2, 643, 100, 1}); 934| 0| case 0x3F99F: ------------------ | Branch (934:7): [True: 0, False: 17] ------------------ 935| 0| return if_match(req, "X509v3.BasicConstraints", {2, 5, 29, 19}); 936| 0| case 0x40726: ------------------ | Branch (936:7): [True: 0, False: 17] ------------------ 937| 0| return if_match(req, "SHA-3(512)", {2, 16, 840, 1, 101, 3, 4, 2, 10}); 938| 0| case 0x407BF: ------------------ | Branch (938:7): [True: 0, False: 17] ------------------ 939| 0| return if_match(req, "ML-KEM-768", {2, 16, 840, 1, 101, 3, 4, 4, 2}); 940| 0| case 0x41334: ------------------ | Branch (940:7): [True: 0, False: 17] ------------------ 941| 0| return if_match(req, "ECDSA/SHA-3(384)", {2, 16, 840, 1, 101, 3, 4, 3, 11}); 942| 0| case 0x42DF3: ------------------ | Branch (942:7): [True: 0, False: 17] ------------------ 943| 0| return if_match(req, "X509v3.CRLDistributionPoints", {2, 5, 29, 31}); 944| 0| case 0x437FB: ------------------ | Branch (944:7): [True: 0, False: 17] ------------------ 945| 0| return if_match(req, "brainpool160r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 1}); 946| 0| case 0x441F5: ------------------ | Branch (946:7): [True: 0, False: 17] ------------------ 947| 0| return if_match(req, "gost_256A", {1, 2, 643, 7, 1, 2, 1, 1, 1}); 948| 0| case 0x441F6: ------------------ | Branch (948:7): [True: 0, False: 17] ------------------ 949| 0| return if_match(req, "gost_256B", {1, 2, 643, 7, 1, 2, 1, 1, 2}); 950| 0| case 0x44221: ------------------ | Branch (950:7): [True: 0, False: 17] ------------------ 951| 0| return if_match(req, "GOST-34.10-2012-512/Streebog-512", {1, 2, 643, 7, 1, 1, 3, 3}); 952| 0| case 0x44322: ------------------ | Branch (952:7): [True: 0, False: 17] ------------------ 953| 0| return if_match(req, "ClassicMcEliece_6960119pc", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 3}); 954| 0| case 0x44973: ------------------ | Branch (954:7): [True: 0, False: 17] ------------------ 955| 0| return if_match(req, "Kyber-512-90s-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 11, 1}); 956| 0| case 0x45C27: ------------------ | Branch (956:7): [True: 0, False: 17] ------------------ 957| 0| return if_match(req, "RSA/PKCS1v15(SHA-512-256)", {1, 2, 840, 113549, 1, 1, 16}); 958| 0| case 0x45C85: ------------------ | Branch (958:7): [True: 0, False: 17] ------------------ 959| 0| return if_match(req, "X509v3.ReasonCode", {2, 5, 29, 21}); 960| 0| case 0x45DA5: ------------------ | Branch (960:7): [True: 0, False: 17] ------------------ 961| 0| return if_match(req, "SHAKE-256", {2, 16, 840, 1, 101, 3, 4, 2, 12}); 962| 0| case 0x4663C: ------------------ | Branch (962:7): [True: 0, False: 17] ------------------ 963| 0| return if_match(req, "X509v3.PolicyConstraints", {2, 5, 29, 36}); 964| 0| case 0x480F7: ------------------ | Branch (964:7): [True: 0, False: 17] ------------------ 965| 0| return if_match(req, "Serpent/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 4}); 966| 0| case 0x48627: ------------------ | Branch (966:7): [True: 0, False: 17] ------------------ 967| 0| return if_match(req, "Dilithium-4x4-AES-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 10, 1}); 968| 0| case 0x48861: ------------------ | Branch (968:7): [True: 0, False: 17] ------------------ 969| 0| return if_match(req, "ChaCha20Poly1305", {1, 2, 840, 113549, 1, 9, 16, 3, 18}); 970| 0| case 0x4A292: ------------------ | Branch (970:7): [True: 0, False: 17] ------------------ 971| 0| return if_match(req, "frp256v1", {1, 2, 250, 1, 223, 101, 256, 1}); 972| 0| case 0x4A9EE: ------------------ | Branch (972:7): [True: 0, False: 17] ------------------ 973| 0| return if_match(req, "ClassicMcEliece_6960119f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 8}); 974| 0| case 0x4BF87: ------------------ | Branch (974:7): [True: 0, False: 17] ------------------ 975| 0| return if_match(req, "PKIX.TNAuthList", {1, 3, 6, 1, 5, 5, 7, 1, 26}); 976| 0| case 0x4C088: ------------------ | Branch (976:7): [True: 0, False: 17] ------------------ 977| 0| return if_match(req, "eFrodoKEM-976-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 17, 2}); 978| 0| case 0x4C513: ------------------ | Branch (978:7): [True: 0, False: 17] ------------------ 979| 0| return if_match(req, "DSA/SHA-224", {2, 16, 840, 1, 101, 3, 4, 3, 1}); 980| 0| case 0x4C806: ------------------ | Branch (980:7): [True: 0, False: 17] ------------------ 981| 0| return if_match(req, "DSA/SHA-256", {2, 16, 840, 1, 101, 3, 4, 3, 2}); 982| 0| case 0x4D740: ------------------ | Branch (982:7): [True: 0, False: 17] ------------------ 983| 0| return if_match(req, "X509v3.AnyPolicy", {2, 5, 29, 32, 0}); 984| 0| case 0x4DE49: ------------------ | Branch (984:7): [True: 0, False: 17] ------------------ 985| 0| return if_match(req, "RSA/PKCS1v15(SHA-512)", {1, 2, 840, 113549, 1, 1, 13}); 986| 0| case 0x4ED5D: ------------------ | Branch (986:7): [True: 0, False: 17] ------------------ 987| 0| return if_match(req, "CAST-128/CBC", {1, 2, 840, 113533, 7, 66, 10}); 988| 0| case 0x4FCDC: ------------------ | Branch (988:7): [True: 0, False: 17] ------------------ 989| 0| return if_match(req, "RSA", {1, 2, 840, 113549, 1, 1, 1}); 990| 0| case 0x501CB: ------------------ | Branch (990:7): [True: 0, False: 17] ------------------ 991| 0| return if_match(req, "ECDSA/SHA-224", {1, 2, 840, 10045, 4, 3, 1}); 992| 0| case 0x50395: ------------------ | Branch (992:7): [True: 0, False: 17] ------------------ 993| 0| return if_match(req, "GOST-34.10/GOST-R-34.11-94", {1, 2, 643, 2, 2, 3}); 994| 0| case 0x504BE: ------------------ | Branch (994:7): [True: 0, False: 17] ------------------ 995| 0| return if_match(req, "ECDSA/SHA-256", {1, 2, 840, 10045, 4, 3, 2}); 996| 0| case 0x509C3: ------------------ | Branch (996:7): [True: 0, False: 17] ------------------ 997| 0| return if_match(req, "brainpool192r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 3}); 998| 0| case 0x509F9: ------------------ | Branch (998:7): [True: 0, False: 17] ------------------ 999| 0| return if_match(req, "PKCS9.ContentType", {1, 2, 840, 113549, 1, 9, 3}); 1000| 0| case 0x50B26: ------------------ | Branch (1000:7): [True: 0, False: 17] ------------------ 1001| 0| return if_match(req, "FrodoKEM-640-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 15, 1}); 1002| 0| case 0x50D78: ------------------ | Branch (1002:7): [True: 0, False: 17] ------------------ 1003| 0| return if_match(req, "x962_p192v2", {1, 2, 840, 10045, 3, 1, 2}); 1004| 0| case 0x50D79: ------------------ | Branch (1004:7): [True: 0, False: 17] ------------------ 1005| 0| return if_match(req, "x962_p192v3", {1, 2, 840, 10045, 3, 1, 3}); 1006| 0| case 0x51DC6: ------------------ | Branch (1006:7): [True: 0, False: 17] ------------------ 1007| 0| return if_match(req, "AES-128/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 1}); 1008| 0| case 0x52DB6: ------------------ | Branch (1008:7): [True: 0, False: 17] ------------------ 1009| 0| return if_match(req, "HMAC(SHA-224)", {1, 2, 840, 113549, 2, 8}); 1010| 0| case 0x53E11: ------------------ | Branch (1010:7): [True: 0, False: 17] ------------------ 1011| 0| return if_match(req, "FrodoKEM-1344-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 14, 3}); 1012| 0| case 0x54012: ------------------ | Branch (1012:7): [True: 0, False: 17] ------------------ 1013| 0| return if_match(req, "PKIX.TimeStamping", {1, 3, 6, 1, 5, 5, 7, 3, 8}); 1014| 0| case 0x5407A: ------------------ | Branch (1014:7): [True: 0, False: 17] ------------------ 1015| 0| return if_match(req, "Serpent/CBC", {1, 3, 6, 1, 4, 1, 25258, 3, 1}); 1016| 0| case 0x5576D: ------------------ | Branch (1016:7): [True: 0, False: 17] ------------------ 1017| 0| return if_match(req, "SphincsPlus-sha2-128f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 2}); 1018| 0| case 0x55EF6: ------------------ | Branch (1018:7): [True: 0, False: 17] ------------------ 1019| 0| return if_match(req, "AES-192/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 2}); 1020| 0| case 0x55FFA: ------------------ | Branch (1020:7): [True: 0, False: 17] ------------------ 1021| 0| return if_match(req, "ML-DSA-6x5", {2, 16, 840, 1, 101, 3, 4, 3, 18}); 1022| 0| case 0x56826: ------------------ | Branch (1022:7): [True: 0, False: 17] ------------------ 1023| 0| return if_match(req, "brainpool320r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 9}); 1024| 0| case 0x56D0D: ------------------ | Branch (1024:7): [True: 0, False: 17] ------------------ 1025| 0| return if_match(req, "SphincsPlus-shake-128f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 2}); 1026| 0| case 0x57077: ------------------ | Branch (1026:7): [True: 0, False: 17] ------------------ 1027| 0| return if_match(req, "XMSS-draft6", {1, 3, 6, 1, 4, 1, 25258, 1, 5}); 1028| 0| case 0x5818B: ------------------ | Branch (1028:7): [True: 0, False: 17] ------------------ 1029| 0| return if_match(req, "ECGDSA/SHA-224", {1, 3, 36, 3, 3, 2, 5, 4, 3}); 1030| 0| case 0x5847E: ------------------ | Branch (1030:7): [True: 0, False: 17] ------------------ 1031| 0| return if_match(req, "ECGDSA/SHA-256", {1, 3, 36, 3, 3, 2, 5, 4, 4}); 1032| 0| case 0x5898B: ------------------ | Branch (1032:7): [True: 0, False: 17] ------------------ 1033| 0| return if_match(req, "SHA-512", {2, 16, 840, 1, 101, 3, 4, 2, 3}); 1034| 0| case 0x58991: ------------------ | Branch (1034:7): [True: 0, False: 17] ------------------ 1035| 0| return if_match(req, "PKIX.OCSP.NoCheck", {1, 3, 6, 1, 5, 5, 7, 48, 1, 5}); 1036| 0| case 0x59717: ------------------ | Branch (1036:7): [True: 0, False: 17] ------------------ 1037| 0| return if_match(req, "X509v3.SubjectKeyIdentifier", {2, 5, 29, 14}); 1038| 0| case 0x5A1E1: ------------------ | Branch (1038:7): [True: 0, False: 17] ------------------ 1039| 0| return if_match(req, "PKCS12.KeyBag", {1, 2, 840, 113549, 1, 12, 10, 1, 1}); 1040| 0| case 0x5A570: ------------------ | Branch (1040:7): [True: 0, False: 17] ------------------ 1041| 0| return if_match(req, "X520.CommonName", {2, 5, 4, 3}); 1042| 0| case 0x5A990: ------------------ | Branch (1042:7): [True: 0, False: 17] ------------------ 1043| 0| return if_match(req, "ECDSA/SHA-3(256)", {2, 16, 840, 1, 101, 3, 4, 3, 10}); 1044| 0| case 0x5AB0E: ------------------ | Branch (1044:7): [True: 0, False: 17] ------------------ 1045| 0| return if_match(req, "SphincsPlus-sha2-256s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 5}); 1046| 0| case 0x5AC4A: ------------------ | Branch (1046:7): [True: 0, False: 17] ------------------ 1047| 0| return if_match(req, "X520.Surname", {2, 5, 4, 4}); 1048| 0| case 0x5AF2C: ------------------ | Branch (1048:7): [True: 0, False: 17] ------------------ 1049| 0| return if_match(req, "ClassicMcEliece_8192128pc", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 5}); 1050| 0| case 0x5BC39: ------------------ | Branch (1050:7): [True: 0, False: 17] ------------------ 1051| 0| return if_match(req, "X509v3.KeyUsage", {2, 5, 29, 15}); 1052| 0| case 0x5BDDB: ------------------ | Branch (1052:7): [True: 0, False: 17] ------------------ 1053| 0| return if_match(req, "numsp256d1", {1, 3, 6, 1, 4, 1, 25258, 4, 1}); 1054| 0| case 0x5C0AE: ------------------ | Branch (1054:7): [True: 0, False: 17] ------------------ 1055| 0| return if_match(req, "SphincsPlus-shake-256s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 5}); 1056| 0| case 0x5C10E: ------------------ | Branch (1056:7): [True: 0, False: 17] ------------------ 1057| 0| return if_match(req, "DSA/SHA-384", {2, 16, 840, 1, 101, 3, 4, 3, 3}); 1058| 0| case 0x5CFE5: ------------------ | Branch (1058:7): [True: 0, False: 17] ------------------ 1059| 0| return if_match(req, "PKCS9.X509Certificate", {1, 2, 840, 113549, 1, 9, 22, 1}); 1060| 0| case 0x5D1CF: ------------------ | Branch (1060:7): [True: 0, False: 17] ------------------ 1061| 0| return if_match(req, "X520.SerialNumber", {2, 5, 4, 5}); 1062| 0| case 0x5D375: ------------------ | Branch (1062:7): [True: 0, False: 17] ------------------ 1063| 0| return if_match(req, "SM4/OCB", {1, 2, 156, 10197, 1, 104, 100}); 1064| 0| case 0x5DD49: ------------------ | Branch (1064:7): [True: 0, False: 17] ------------------ 1065| 0| return if_match(req, "AES-128/CBC", {2, 16, 840, 1, 101, 3, 4, 1, 2}); 1066| 0| case 0x5DE4E: ------------------ | Branch (1066:7): [True: 0, False: 17] ------------------ 1067| 0| return if_match(req, "AES-128/CCM", {2, 16, 840, 1, 101, 3, 4, 1, 7}); 1068| 0| case 0x5DF23: ------------------ | Branch (1068:7): [True: 0, False: 17] ------------------ 1069| 0| return if_match(req, "HMAC(SHA-512-256)", {1, 2, 840, 113549, 2, 13}); 1070| 0| case 0x5ED04: ------------------ | Branch (1070:7): [True: 0, False: 17] ------------------ 1071| 0| return if_match(req, "SM2", {1, 2, 156, 10197, 1, 301, 1}); 1072| 0| case 0x5ED05: ------------------ | Branch (1072:7): [True: 0, False: 17] ------------------ 1073| 0| return if_match(req, "SM3", {1, 2, 156, 10197, 1, 401}); 1074| 0| case 0x5FDC6: ------------------ | Branch (1074:7): [True: 0, False: 17] ------------------ 1075| 0| return if_match(req, "ECDSA/SHA-384", {1, 2, 840, 10045, 4, 3, 3}); 1076| 0| case 0x6199F: ------------------ | Branch (1076:7): [True: 0, False: 17] ------------------ 1077| 0| return if_match(req, "SHA-3(224)", {2, 16, 840, 1, 101, 3, 4, 2, 7}); 1078| 0| case 0x61E79: ------------------ | Branch (1078:7): [True: 0, False: 17] ------------------ 1079| 0| return if_match(req, "AES-192/CBC", {2, 16, 840, 1, 101, 3, 4, 1, 22}); 1080| 0| case 0x61F7E: ------------------ | Branch (1080:7): [True: 0, False: 17] ------------------ 1081| 0| return if_match(req, "AES-192/CCM", {2, 16, 840, 1, 101, 3, 4, 1, 27}); 1082| 0| case 0x64947: ------------------ | Branch (1082:7): [True: 0, False: 17] ------------------ 1083| 0| return if_match(req, "OpenPGP.Ed25519", {1, 3, 6, 1, 4, 1, 11591, 15, 1}); 1084| 0| case 0x652E7: ------------------ | Branch (1084:7): [True: 0, False: 17] ------------------ 1085| 0| return if_match(req, "sm2p256v1", {1, 2, 156, 10197, 1, 301}); 1086| 0| case 0x6697B: ------------------ | Branch (1086:7): [True: 0, False: 17] ------------------ 1087| 0| return if_match(req, "FrodoKEM-1344-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 15, 3}); 1088| 0| case 0x67B2C: ------------------ | Branch (1088:7): [True: 0, False: 17] ------------------ 1089| 0| return if_match(req, "X520.State", {2, 5, 4, 8}); 1090| 0| case 0x67B9B: ------------------ | Branch (1090:7): [True: 0, False: 17] ------------------ 1091| 0| return if_match(req, "HMAC(SHA-384)", {1, 2, 840, 113549, 2, 10}); 1092| 0| case 0x67D86: ------------------ | Branch (1092:7): [True: 0, False: 17] ------------------ 1093| 0| return if_match(req, "ECGDSA/SHA-384", {1, 3, 36, 3, 3, 2, 5, 4, 5}); 1094| 0| case 0x68A0B: ------------------ | Branch (1094:7): [True: 0, False: 17] ------------------ 1095| 0| return if_match(req, "Camellia-128/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 6}); 1096| 0| case 0x68E33: ------------------ | Branch (1096:7): [True: 0, False: 17] ------------------ 1097| 0| return if_match(req, "PKCS9.ExtensionRequest", {1, 2, 840, 113549, 1, 9, 14}); 1098| 0| case 0x69126: ------------------ | Branch (1098:7): [True: 0, False: 17] ------------------ 1099| 0| return if_match(req, "X509v3.SubjectAlternativeName", {2, 5, 29, 17}); 1100| 0| case 0x692F8: ------------------ | Branch (1100:7): [True: 0, False: 17] ------------------ 1101| 0| return if_match(req, "SM4/CBC", {1, 2, 156, 10197, 1, 104, 2}); 1102| 0| case 0x695E1: ------------------ | Branch (1102:7): [True: 0, False: 17] ------------------ 1103| 0| return if_match(req, "Dilithium-4x4-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 9, 1}); 1104| 0| case 0x696DC: ------------------ | Branch (1104:7): [True: 0, False: 17] ------------------ 1105| 0| return if_match(req, "PKIX.IpAddrBlocks", {1, 3, 6, 1, 5, 5, 7, 1, 7}); 1106| 0| case 0x6A7CA: ------------------ | Branch (1106:7): [True: 0, False: 17] ------------------ 1107| 0| return if_match(req, "ECDSA", {1, 2, 840, 10045, 2, 1}); 1108| 0| case 0x6BD26: ------------------ | Branch (1108:7): [True: 0, False: 17] ------------------ 1109| 0| return if_match(req, "GOST.INN", {1, 2, 643, 3, 131, 1, 1}); 1110| 0| case 0x6CB3B: ------------------ | Branch (1110:7): [True: 0, False: 17] ------------------ 1111| 0| return if_match(req, "Camellia-192/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 7}); 1112| 0| case 0x6E602: ------------------ | Branch (1112:7): [True: 0, False: 17] ------------------ 1113| 0| return if_match(req, "Dilithium-8x7-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 9, 3}); 1114| 0| case 0x6F0C2: ------------------ | Branch (1114:7): [True: 0, False: 17] ------------------ 1115| 0| return if_match(req, "RSA/PKCS1v15(SHA-224)", {1, 2, 840, 113549, 1, 1, 14}); 1116| 0| case 0x6F9F8: ------------------ | Branch (1116:7): [True: 0, False: 17] ------------------ 1117| 0| return if_match(req, "PKCS12.SafeContentsBag", {1, 2, 840, 113549, 1, 12, 10, 1, 6}); 1118| 0| case 0x6FB26: ------------------ | Branch (1118:7): [True: 0, False: 17] ------------------ 1119| 0| return if_match(req, "PKIX.AuthorityInformationAccess", {1, 3, 6, 1, 5, 5, 7, 1, 1}); 1120| 0| case 0x70BB6: ------------------ | Branch (1120:7): [True: 0, False: 17] ------------------ 1121| 0| return if_match(req, "brainpool384r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 11}); 1122| 0| case 0x70EA6: ------------------ | Branch (1122:7): [True: 0, False: 17] ------------------ 1123| 0| return if_match(req, "PKCS12.PKCS8ShroudedKeyBag", {1, 2, 840, 113549, 1, 12, 10, 1, 2}); 1124| 0| case 0x71EB3: ------------------ | Branch (1124:7): [True: 0, False: 17] ------------------ 1125| 0| return if_match(req, "SphincsPlus-haraka-128f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 2}); 1126| 0| case 0x7382C: ------------------ | Branch (1126:7): [True: 0, False: 17] ------------------ 1127| 0| return if_match(req, "ML-KEM-1024", {2, 16, 840, 1, 101, 3, 4, 4, 3}); 1128| 0| case 0x743BD: ------------------ | Branch (1128:7): [True: 0, False: 17] ------------------ 1129| 0| return if_match(req, "AES-256/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 3}); 1130| 0| case 0x7498E: ------------------ | Branch (1130:7): [True: 0, False: 17] ------------------ 1131| 0| return if_match(req, "Camellia-128/CBC", {1, 2, 392, 200011, 61, 1, 1, 1, 2}); 1132| 0| case 0x74C2E: ------------------ | Branch (1132:7): [True: 0, False: 17] ------------------ 1133| 0| return if_match(req, "ML-DSA-8x7", {2, 16, 840, 1, 101, 3, 4, 3, 19}); 1134| 0| case 0x7505F: ------------------ | Branch (1134:7): [True: 0, False: 17] ------------------ 1135| 0| return if_match(req, "PKIX.XMPPAddr", {1, 3, 6, 1, 5, 5, 7, 8, 5}); 1136| 0| case 0x7517A: ------------------ | Branch (1136:7): [True: 0, False: 17] ------------------ 1137| 0| return if_match(req, "RSA/PKCS1v15(MD2)", {1, 2, 840, 113549, 1, 1, 2}); 1138| 0| case 0x7546B: ------------------ | Branch (1138:7): [True: 0, False: 17] ------------------ 1139| 0| return if_match(req, "RSA/PKCS1v15(MD5)", {1, 2, 840, 113549, 1, 1, 4}); 1140| 0| case 0x75921: ------------------ | Branch (1140:7): [True: 0, False: 17] ------------------ 1141| 0| return if_match(req, "ClassicMcEliece_348864f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 2}); 1142| 0| case 0x76784: ------------------ | Branch (1142:7): [True: 0, False: 17] ------------------ 1143| 0| return if_match(req, "SHA-3(384)", {2, 16, 840, 1, 101, 3, 4, 2, 9}); 1144| 0| case 0x768FD: ------------------ | Branch (1144:7): [True: 0, False: 17] ------------------ 1145| 0| return if_match(req, "PKCS9.LocalKeyId", {1, 2, 840, 113549, 1, 9, 21}); 1146| 0| case 0x76A19: ------------------ | Branch (1146:7): [True: 0, False: 17] ------------------ 1147| 0| return if_match(req, "brainpool512r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 13}); 1148| 0| case 0x77254: ------------------ | Branch (1148:7): [True: 0, False: 17] ------------------ 1149| 0| return if_match(req, "SphincsPlus-haraka-256s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 5}); 1150| 0| case 0x77ADC: ------------------ | Branch (1150:7): [True: 0, False: 17] ------------------ 1151| 0| return if_match(req, "secp224k1", {1, 3, 132, 0, 32}); 1152| 0| case 0x781B9: ------------------ | Branch (1152:7): [True: 0, False: 17] ------------------ 1153| 0| return if_match(req, "secp224r1", {1, 3, 132, 0, 33}); 1154| 0| case 0x78ABE: ------------------ | Branch (1154:7): [True: 0, False: 17] ------------------ 1155| 0| return if_match(req, "Camellia-192/CBC", {1, 2, 392, 200011, 61, 1, 1, 1, 3}); 1156| 0| case 0x792F2: ------------------ | Branch (1156:7): [True: 0, False: 17] ------------------ 1157| 0| return if_match(req, "ClassicMcEliece_6688128pc", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 1}); 1158| 0| case 0x7A661: ------------------ | Branch (1158:7): [True: 0, False: 17] ------------------ 1159| 0| return if_match(req, "DSA/SHA-512", {2, 16, 840, 1, 101, 3, 4, 3, 4}); 1160| 0| case 0x7A977: ------------------ | Branch (1160:7): [True: 0, False: 17] ------------------ 1161| 0| return if_match(req, "X509v3.ExtendedKeyUsage", {2, 5, 29, 37}); 1162| 0| case 0x7AE67: ------------------ | Branch (1162:7): [True: 0, False: 17] ------------------ 1163| 0| return if_match(req, "SM2_Enc", {1, 2, 156, 10197, 1, 301, 3}); 1164| 0| case 0x7B602: ------------------ | Branch (1164:7): [True: 0, False: 17] ------------------ 1165| 0| return if_match(req, "Twofish/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 5}); 1166| 0| case 0x7B9A1: ------------------ | Branch (1166:7): [True: 0, False: 17] ------------------ 1167| 0| return if_match(req, "SphincsPlus-sha2-192s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 3}); 1168| 1| case 0x7BB0A: ------------------ | Branch (1168:7): [True: 1, False: 16] ------------------ 1169| 1| return if_match(req, "SLH-DSA-SHAKE-256f", {2, 16, 840, 1, 101, 3, 4, 3, 31}); 1170| 2| case 0x7BB17: ------------------ | Branch (1170:7): [True: 2, False: 15] ------------------ 1171| 2| return if_match(req, "SLH-DSA-SHAKE-256s", {2, 16, 840, 1, 101, 3, 4, 3, 30}); 1172| 0| case 0x7BCF3: ------------------ | Branch (1172:7): [True: 0, False: 17] ------------------ 1173| 0| return if_match(req, "PKIX.EmailProtection", {1, 3, 6, 1, 5, 5, 7, 3, 4}); 1174| 0| case 0x7CC2C: ------------------ | Branch (1174:7): [True: 0, False: 17] ------------------ 1175| 0| return if_match(req, "SHA-512-256", {2, 16, 840, 1, 101, 3, 4, 2, 6}); 1176| 0| case 0x7CF41: ------------------ | Branch (1176:7): [True: 0, False: 17] ------------------ 1177| 0| return if_match(req, "SphincsPlus-shake-192s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 3}); 1178| 0| case 0x7DB91: ------------------ | Branch (1178:7): [True: 0, False: 17] ------------------ 1179| 0| return if_match(req, "GOST-34.10", {1, 2, 643, 2, 2, 19}); 1180| 0| case 0x7E319: ------------------ | Branch (1180:7): [True: 0, False: 17] ------------------ 1181| 0| return if_match(req, "ECDSA/SHA-512", {1, 2, 840, 10045, 4, 3, 4}); 1182| 0| case 0x7E874: ------------------ | Branch (1182:7): [True: 0, False: 17] ------------------ 1183| 0| return if_match(req, "ClassicMcEliece_6688128f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 6}); 1184| 0| case 0x7EAAF: ------------------ | Branch (1184:7): [True: 0, False: 17] ------------------ 1185| 0| return if_match(req, "eFrodoKEM-640-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 16, 1}); 1186| 0| case 0x7F51F: ------------------ | Branch (1186:7): [True: 0, False: 17] ------------------ 1187| 0| return if_match(req, "PKIX.IPsecTunnel", {1, 3, 6, 1, 5, 5, 7, 3, 6}); 1188| 0| case 0x80272: ------------------ | Branch (1188:7): [True: 0, False: 17] ------------------ 1189| 0| return if_match(req, "X520.Organization", {2, 5, 4, 10}); 1190| 0| case 0x80340: ------------------ | Branch (1190:7): [True: 0, False: 17] ------------------ 1191| 0| return if_match(req, "AES-256/CBC", {2, 16, 840, 1, 101, 3, 4, 1, 42}); 1192| 0| case 0x80445: ------------------ | Branch (1192:7): [True: 0, False: 17] ------------------ 1193| 0| return if_match(req, "AES-256/CCM", {2, 16, 840, 1, 101, 3, 4, 1, 47}); 1194| 0| case 0x811F7: ------------------ | Branch (1194:7): [True: 0, False: 17] ------------------ 1195| 0| return if_match(req, "HMAC(SHA-256)", {1, 2, 840, 113549, 2, 9}); 1196| 0| case 0x82434: ------------------ | Branch (1196:7): [True: 0, False: 17] ------------------ 1197| 0| return if_match(req, "PKCS9.X509CRL", {1, 2, 840, 113549, 1, 9, 23, 1}); 1198| 0| case 0x82B47: ------------------ | Branch (1198:7): [True: 0, False: 17] ------------------ 1199| 0| return if_match(req, "Threefish-512/CBC", {1, 3, 6, 1, 4, 1, 25258, 3, 2}); 1200| 0| case 0x83EA7: ------------------ | Branch (1200:7): [True: 0, False: 17] ------------------ 1201| 0| return if_match(req, "RSA/PKCS1v15(SHA-384)", {1, 2, 840, 113549, 1, 1, 12}); 1202| 0| case 0x84596: ------------------ | Branch (1202:7): [True: 0, False: 17] ------------------ 1203| 0| return if_match(req, "eFrodoKEM-640-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 17, 1}); 1204| 0| case 0x8469F: ------------------ | Branch (1204:7): [True: 0, False: 17] ------------------ 1205| 0| return if_match(req, "ClassicMcEliece_6960119pcf", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 4}); 1206| 0| case 0x84CA4: ------------------ | Branch (1206:7): [True: 0, False: 17] ------------------ 1207| 0| return if_match(req, "secp256k1", {1, 3, 132, 0, 10}); 1208| 0| case 0x85381: ------------------ | Branch (1208:7): [True: 0, False: 17] ------------------ 1209| 0| return if_match(req, "secp256r1", {1, 2, 840, 10045, 3, 1, 7}); 1210| 0| case 0x854FC: ------------------ | Branch (1210:7): [True: 0, False: 17] ------------------ 1211| 0| return if_match(req, "PKIX.IPsecUser", {1, 3, 6, 1, 5, 5, 7, 3, 7}); 1212| 0| case 0x85F51: ------------------ | Branch (1212:7): [True: 0, False: 17] ------------------ 1213| 0| return if_match(req, "Serpent/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 4}); 1214| 0| case 0x862D9: ------------------ | Branch (1214:7): [True: 0, False: 17] ------------------ 1215| 0| return if_match(req, "ECGDSA/SHA-512", {1, 3, 36, 3, 3, 2, 5, 4, 6}); 1216| 0| case 0x87585: ------------------ | Branch (1216:7): [True: 0, False: 17] ------------------ 1217| 0| return if_match(req, "Twofish/CBC", {1, 3, 6, 1, 4, 1, 25258, 3, 3}); 1218| 0| case 0x877D1: ------------------ | Branch (1218:7): [True: 0, False: 17] ------------------ 1219| 0| return if_match(req, "PKCS9.EmailAddress", {1, 2, 840, 113549, 1, 9, 1}); 1220| 0| case 0x87D27: ------------------ | Branch (1220:7): [True: 0, False: 17] ------------------ 1221| 0| return if_match(req, "PKIX.CertificateAuthorityIssuers", {1, 3, 6, 1, 5, 5, 7, 48, 2}); 1222| 0| case 0x87E42: ------------------ | Branch (1222:7): [True: 0, False: 17] ------------------ 1223| 0| return if_match(req, "X509v3.AuthorityKeyIdentifier", {2, 5, 29, 35}); 1224| 0| case 0x889B1: ------------------ | Branch (1224:7): [True: 0, False: 17] ------------------ 1225| 0| return if_match(req, "ECDSA/SHA-1", {1, 2, 840, 10045, 4, 1}); 1226| 0| case 0x89658: ------------------ | Branch (1226:7): [True: 0, False: 17] ------------------ 1227| 0| return if_match(req, "PBE-PKCS5v20", {1, 2, 840, 113549, 1, 5, 13}); 1228| 0| case 0x8976D: ------------------ | Branch (1228:7): [True: 0, False: 17] ------------------ 1229| 0| return if_match(req, "PKCS9.MessageDigest", {1, 2, 840, 113549, 1, 9, 4}); 1230| 0| case 0x8B002: ------------------ | Branch (1230:7): [True: 0, False: 17] ------------------ 1231| 0| return if_match(req, "Camellia-256/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 8}); 1232| 0| case 0x8B935: ------------------ | Branch (1232:7): [True: 0, False: 17] ------------------ 1233| 0| return if_match(req, "ClassicMcEliece_6688128", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 5}); 1234| 0| case 0x8BB11: ------------------ | Branch (1234:7): [True: 0, False: 17] ------------------ 1235| 0| return if_match(req, "X509v3.NoRevocationAvailable", {2, 5, 29, 56}); 1236| 0| case 0x8CE3D: ------------------ | Branch (1236:7): [True: 0, False: 17] ------------------ 1237| 0| return if_match(req, "PKCS9.ChallengePassword", {1, 2, 840, 113549, 1, 9, 7}); 1238| 0| case 0x8D45C: ------------------ | Branch (1238:7): [True: 0, False: 17] ------------------ 1239| 0| return if_match(req, "ECKCDSA", {1, 0, 14888, 3, 0, 5}); 1240| 0| case 0x8E0C1: ------------------ | Branch (1240:7): [True: 0, False: 17] ------------------ 1241| 0| return if_match(req, "X509v3.CertificatePolicies", {2, 5, 29, 32}); 1242| 0| case 0x8E39A: ------------------ | Branch (1242:7): [True: 0, False: 17] ------------------ 1243| 0| return if_match(req, "HSS-LMS-Private-Key", {1, 3, 6, 1, 4, 1, 25258, 1, 13}); 1244| 0| case 0x8EC51: ------------------ | Branch (1244:7): [True: 0, False: 17] ------------------ 1245| 0| return if_match(req, "Kyber-768-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 7, 2}); 1246| 0| case 0x8F94A: ------------------ | Branch (1246:7): [True: 0, False: 17] ------------------ 1247| 0| return if_match(req, "Dilithium-6x5-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 9, 2}); 1248| 0| case 0x8FC20: ------------------ | Branch (1248:7): [True: 0, False: 17] ------------------ 1249| 0| return if_match(req, "AES-128/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 1}); 1250| 0| case 0x8FDE0: ------------------ | Branch (1250:7): [True: 0, False: 17] ------------------ 1251| 0| return if_match(req, "SHA-3(256)", {2, 16, 840, 1, 101, 3, 4, 2, 8}); 1252| 0| case 0x919E3: ------------------ | Branch (1252:7): [True: 0, False: 17] ------------------ 1253| 0| return if_match(req, "Serpent/GCM", {1, 3, 6, 1, 4, 1, 25258, 3, 101}); 1254| 0| case 0x91C1A: ------------------ | Branch (1254:7): [True: 0, False: 17] ------------------ 1255| 0| return if_match(req, "X25519", {1, 3, 101, 110}); 1256| 0| case 0x91DC4: ------------------ | Branch (1256:7): [True: 0, False: 17] ------------------ 1257| 0| return if_match(req, "McEliece", {1, 3, 6, 1, 4, 1, 25258, 1, 3}); 1258| 0| case 0x93467: ------------------ | Branch (1258:7): [True: 0, False: 17] ------------------ 1259| 0| return if_match(req, "Dilithium-6x5-AES-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 10, 2}); 1260| 0| case 0x93D50: ------------------ | Branch (1260:7): [True: 0, False: 17] ------------------ 1261| 0| return if_match(req, "AES-192/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 2}); 1262| 1| case 0x95166: ------------------ | Branch (1262:7): [True: 1, False: 16] ------------------ 1263| 1| return if_match(req, "SLH-DSA-SHAKE-128f", {2, 16, 840, 1, 101, 3, 4, 3, 27}); 1264| 2| case 0x95173: ------------------ | Branch (1264:7): [True: 2, False: 15] ------------------ 1265| 2| return if_match(req, "SLH-DSA-SHAKE-128s", {2, 16, 840, 1, 101, 3, 4, 3, 26}); 1266| 0| case 0x952D6: ------------------ | Branch (1266:7): [True: 0, False: 17] ------------------ 1267| 0| return if_match(req, "PKIX.OCSP", {1, 3, 6, 1, 5, 5, 7, 48, 1}); 1268| 0| case 0x959B9: ------------------ | Branch (1268:7): [True: 0, False: 17] ------------------ 1269| 0| return if_match(req, "PKIX.IPsecEndSystem", {1, 3, 6, 1, 5, 5, 7, 3, 5}); 1270| 0| case 0x96F85: ------------------ | Branch (1270:7): [True: 0, False: 17] ------------------ 1271| 0| return if_match(req, "Camellia-256/CBC", {1, 2, 392, 200011, 61, 1, 1, 1, 4}); 1272| 0| case 0x97D5E: ------------------ | Branch (1272:7): [True: 0, False: 17] ------------------ 1273| 0| return if_match(req, "HMAC(SHA-1)", {1, 2, 840, 113549, 2, 7}); 1274| 0| case 0x9805C: ------------------ | Branch (1274:7): [True: 0, False: 17] ------------------ 1275| 0| return if_match(req, "SEED/CBC", {1, 2, 410, 200004, 1, 4}); 1276| 0| case 0x980E7: ------------------ | Branch (1276:7): [True: 0, False: 17] ------------------ 1277| 0| return if_match(req, "SphincsPlus-haraka-192s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 3}); 1278| 0| case 0x980F5: ------------------ | Branch (1278:7): [True: 0, False: 17] ------------------ 1279| 0| return if_match(req, "GOST.SubjectSigningTool", {1, 2, 643, 100, 111}); 1280| 0| case 0x98B03: ------------------ | Branch (1280:7): [True: 0, False: 17] ------------------ 1281| 0| return if_match(req, "XMSS", {0, 4, 0, 127, 0, 15, 1, 1, 13, 0}); 1282| 0| case 0x9A6B2: ------------------ | Branch (1282:7): [True: 0, False: 17] ------------------ 1283| 0| return if_match(req, "ECKCDSA/SHA-1", {1, 2, 410, 200004, 1, 100, 4, 3}); 1284| 0| case 0x9B1CF: ------------------ | Branch (1284:7): [True: 0, False: 17] ------------------ 1285| 0| return if_match(req, "SM4/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 9}); 1286| 0| case 0x9B6B2: ------------------ | Branch (1286:7): [True: 0, False: 17] ------------------ 1287| 0| return if_match(req, "AES-128/GCM", {2, 16, 840, 1, 101, 3, 4, 1, 6}); 1288| 0| case 0x9B6BB: ------------------ | Branch (1288:7): [True: 0, False: 17] ------------------ 1289| 0| return if_match(req, "X520.OrganizationalUnit", {2, 5, 4, 11}); 1290| 0| case 0x9B851: ------------------ | Branch (1290:7): [True: 0, False: 17] ------------------ 1291| 0| return if_match(req, "OpenPGP.Curve25519", {1, 3, 6, 1, 4, 1, 3029, 1, 5, 1}); 1292| 2| case 0x9C80B: ------------------ | Branch (1292:7): [True: 2, False: 15] ------------------ 1293| 2| return if_match(req, "SLH-DSA-SHA2-192f", {2, 16, 840, 1, 101, 3, 4, 3, 23}); 1294| 1| case 0x9C818: ------------------ | Branch (1294:7): [True: 1, False: 16] ------------------ 1295| 1| return if_match(req, "SLH-DSA-SHA2-192s", {2, 16, 840, 1, 101, 3, 4, 3, 22}); 1296| 0| case 0x9CD2B: ------------------ | Branch (1296:7): [True: 0, False: 17] ------------------ 1297| 0| return if_match(req, "Scrypt", {1, 3, 6, 1, 4, 1, 11591, 4, 11}); 1298| 0| case 0x9CDE1: ------------------ | Branch (1298:7): [True: 0, False: 17] ------------------ 1299| 0| return if_match(req, "GOST-34.10-2012-256/SHA-256", {1, 3, 6, 1, 4, 1, 25258, 1, 6, 1}); 1300| 0| case 0x9CF73: ------------------ | Branch (1300:7): [True: 0, False: 17] ------------------ 1301| 0| return if_match(req, "ClassicMcEliece_460896f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 4}); 1302| 0| case 0x9D354: ------------------ | Branch (1302:7): [True: 0, False: 17] ------------------ 1303| 0| return if_match(req, "RIPEMD-160", {1, 3, 36, 3, 2, 1}); 1304| 0| case 0x9D503: ------------------ | Branch (1304:7): [True: 0, False: 17] ------------------ 1305| 0| return if_match(req, "RSA/PKCS1v15(SHA-256)", {1, 2, 840, 113549, 1, 1, 11}); 1306| 0| case 0x9EC88: ------------------ | Branch (1306:7): [True: 0, False: 17] ------------------ 1307| 0| return if_match(req, "DSA/SHA-3(512)", {2, 16, 840, 1, 101, 3, 4, 3, 8}); 1308| 0| case 0x9EF36: ------------------ | Branch (1308:7): [True: 0, False: 17] ------------------ 1309| 0| return if_match(req, "ClassicMcEliece_6960119", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 7}); 1310| 0| case 0x9F764: ------------------ | Branch (1310:7): [True: 0, False: 17] ------------------ 1311| 0| return if_match(req, "X448", {1, 3, 101, 111}); 1312| 0| case 0x9F7E2: ------------------ | Branch (1312:7): [True: 0, False: 17] ------------------ 1313| 0| return if_match(req, "AES-192/GCM", {2, 16, 840, 1, 101, 3, 4, 1, 26}); 1314| 0| case 0x9F9C5: ------------------ | Branch (1314:7): [True: 0, False: 17] ------------------ 1315| 0| return if_match(req, "ClassicMcEliece_6688128pcf", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 2}); 1316| 0| case 0xA0805: ------------------ | Branch (1316:7): [True: 0, False: 17] ------------------ 1317| 0| return if_match(req, "PKCS9.SDSICertificate", {1, 2, 840, 113549, 1, 9, 22, 2}); 1318| 0| case 0xA2B5B: ------------------ | Branch (1318:7): [True: 0, False: 17] ------------------ 1319| 0| return if_match(req, "X509v3.CRLNumber", {2, 5, 29, 20}); 1320| 0| case 0xA3005: ------------------ | Branch (1320:7): [True: 0, False: 17] ------------------ 1321| 0| return if_match(req, "X520.Title", {2, 5, 4, 12}); 1322| 0| case 0xA323F: ------------------ | Branch (1322:7): [True: 0, False: 17] ------------------ 1323| 0| return if_match(req, "X509v3.NameConstraints", {2, 5, 29, 30}); 1324| 0| case 0xA3C55: ------------------ | Branch (1324:7): [True: 0, False: 17] ------------------ 1325| 0| return if_match(req, "X520.Pseudonym", {2, 5, 4, 65}); 1326| 0| case 0xA4809: ------------------ | Branch (1326:7): [True: 0, False: 17] ------------------ 1327| 0| return if_match(req, "SphincsPlus-sha2-256f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 6}); 1328| 0| case 0xA57AF: ------------------ | Branch (1328:7): [True: 0, False: 17] ------------------ 1329| 0| return if_match(req, "secp521r1", {1, 3, 132, 0, 35}); 1330| 0| case 0xA5DA9: ------------------ | Branch (1330:7): [True: 0, False: 17] ------------------ 1331| 0| return if_match(req, "SphincsPlus-shake-256f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 6}); 1332| 0| case 0xA6865: ------------------ | Branch (1332:7): [True: 0, False: 17] ------------------ 1333| 0| return if_match(req, "Camellia-128/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 6}); 1334| 0| case 0xA6C61: ------------------ | Branch (1334:7): [True: 0, False: 17] ------------------ 1335| 0| return if_match(req, "SM4/GCM", {1, 2, 156, 10197, 1, 104, 8}); 1336| 0| case 0xA8439: ------------------ | Branch (1336:7): [True: 0, False: 17] ------------------ 1337| 0| return if_match(req, "PKCS12.CertBag", {1, 2, 840, 113549, 1, 12, 10, 1, 3}); 1338| 0| case 0xA9061: ------------------ | Branch (1338:7): [True: 0, False: 17] ------------------ 1339| 0| return if_match(req, "Kyber-768-90s-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 11, 2}); 1340| 0| case 0xAA995: ------------------ | Branch (1340:7): [True: 0, False: 17] ------------------ 1341| 0| return if_match(req, "Camellia-192/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 7}); 1342| 0| case 0xAAE2B: ------------------ | Branch (1342:7): [True: 0, False: 17] ------------------ 1343| 0| return if_match(req, "Dilithium-8x7-AES-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 10, 3}); 1344| 0| case 0xABCED: ------------------ | Branch (1344:7): [True: 0, False: 17] ------------------ 1345| 0| return if_match(req, "GOST.IssuerSigningTool", {1, 2, 643, 100, 112}); 1346| 0| case 0xABD24: ------------------ | Branch (1346:7): [True: 0, False: 17] ------------------ 1347| 0| return if_match(req, "RSA/OAEP", {1, 2, 840, 113549, 1, 1, 7}); 1348| 0| case 0xAC2EC: ------------------ | Branch (1348:7): [True: 0, False: 17] ------------------ 1349| 0| return if_match(req, "Streebog-256", {1, 2, 643, 7, 1, 1, 2, 2}); 1350| 0| case 0xAC3DD: ------------------ | Branch (1350:7): [True: 0, False: 17] ------------------ 1351| 0| return if_match(req, "Certificate Comment", {2, 16, 840, 1, 113730, 1, 13}); 1352| 0| case 0xAC511: ------------------ | Branch (1352:7): [True: 0, False: 17] ------------------ 1353| 0| return if_match(req, "PBE-SHA1-3DES", {1, 2, 840, 113549, 1, 12, 1, 3}); 1354| 0| case 0xAE6FE: ------------------ | Branch (1354:7): [True: 0, False: 17] ------------------ 1355| 0| return if_match(req, "PKIX.ClientAuth", {1, 3, 6, 1, 5, 5, 7, 3, 2}); 1356| 0| case 0xAE8D3: ------------------ | Branch (1356:7): [True: 0, False: 17] ------------------ 1357| 0| return if_match(req, "ClassicMcEliece_8192128pcf", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 6}); 1358| 0| case 0xAF476: ------------------ | Branch (1358:7): [True: 0, False: 17] ------------------ 1359| 0| return if_match(req, "ECDH", {1, 3, 132, 1, 12}); 1360| 0| case 0xAFA6A: ------------------ | Branch (1360:7): [True: 0, False: 17] ------------------ 1361| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(384))", {2, 16, 840, 1, 101, 3, 4, 3, 15}); 1362| 0| case 0xB2217: ------------------ | Branch (1362:7): [True: 0, False: 17] ------------------ 1363| 0| return if_match(req, "AES-256/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 3}); 1364| 0| case 0xB22F7: ------------------ | Branch (1364:7): [True: 0, False: 17] ------------------ 1365| 0| return if_match(req, "Camellia-128/GCM", {0, 3, 4401, 5, 3, 1, 9, 6}); 1366| 0| case 0xB23DE: ------------------ | Branch (1366:7): [True: 0, False: 17] ------------------ 1367| 0| return if_match(req, "X520.Locality", {2, 5, 4, 7}); 1368| 0| case 0xB2FBD: ------------------ | Branch (1368:7): [True: 0, False: 17] ------------------ 1369| 0| return if_match(req, "ECKCDSA/SHA-224", {1, 2, 410, 200004, 1, 100, 4, 4}); 1370| 0| case 0xB32B0: ------------------ | Branch (1370:7): [True: 0, False: 17] ------------------ 1371| 0| return if_match(req, "ECKCDSA/SHA-256", {1, 2, 410, 200004, 1, 100, 4, 5}); 1372| 0| case 0xB360E: ------------------ | Branch (1372:7): [True: 0, False: 17] ------------------ 1373| 0| return if_match(req, "eFrodoKEM-976-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 16, 2}); 1374| 0| case 0xB4368: ------------------ | Branch (1374:7): [True: 0, False: 17] ------------------ 1375| 0| return if_match(req, "ECGDSA/SHA-1", {1, 3, 36, 3, 3, 2, 5, 4, 2}); 1376| 0| case 0xB58CD: ------------------ | Branch (1376:7): [True: 0, False: 17] ------------------ 1377| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(512))", {2, 16, 840, 1, 101, 3, 4, 3, 16}); 1378| 0| case 0xB6427: ------------------ | Branch (1378:7): [True: 0, False: 17] ------------------ 1379| 0| return if_match(req, "Camellia-192/GCM", {0, 3, 4401, 5, 3, 1, 9, 26}); 1380| 0| case 0xB7102: ------------------ | Branch (1380:7): [True: 0, False: 17] ------------------ 1381| 0| return if_match(req, "brainpool224r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 5}); 1382| 0| case 0xB710D: ------------------ | Branch (1382:7): [True: 0, False: 17] ------------------ 1383| 0| return if_match(req, "X509v3.CRLIssuingDistributionPoint", {2, 5, 29, 28}); 1384| 0| case 0xB72D4: ------------------ | Branch (1384:7): [True: 0, False: 17] ------------------ 1385| 0| return if_match(req, "Microsoft UPN", {1, 3, 6, 1, 4, 1, 311, 20, 2, 3}); 1386| 0| case 0xB73A5: ------------------ | Branch (1386:7): [True: 0, False: 17] ------------------ 1387| 0| return if_match(req, "RSA/PSS", {1, 2, 840, 113549, 1, 1, 10}); 1388| 0| case 0xB84B3: ------------------ | Branch (1388:7): [True: 0, False: 17] ------------------ 1389| 0| return if_match(req, "PKIX.CodeSigning", {1, 3, 6, 1, 5, 5, 7, 3, 3}); 1390| 0| case 0xB8CB9: ------------------ | Branch (1390:7): [True: 0, False: 17] ------------------ 1391| 0| return if_match(req, "GOST-34.10-2012-256", {1, 2, 643, 7, 1, 1, 1, 1}); 1392| 0| case 0xB945C: ------------------ | Branch (1392:7): [True: 0, False: 17] ------------------ 1393| 0| return if_match(req, "Twofish/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 5}); 1394| 0| case 0xB94E4: ------------------ | Branch (1394:7): [True: 0, False: 17] ------------------ 1395| 0| return if_match(req, "gost_512A", {1, 2, 643, 7, 1, 2, 1, 2, 1}); 1396| 0| case 0xB94E5: ------------------ | Branch (1396:7): [True: 0, False: 17] ------------------ 1397| 0| return if_match(req, "gost_512B", {1, 2, 643, 7, 1, 2, 1, 2, 2}); 1398| 0| case 0xBA1D8: ------------------ | Branch (1398:7): [True: 0, False: 17] ------------------ 1399| 0| return if_match(req, "X520.StreetAddress", {2, 5, 4, 9}); 1400| 0| case 0xBCB45: ------------------ | Branch (1400:7): [True: 0, False: 17] ------------------ 1401| 0| return if_match(req, "PKCS12.CRLBag", {1, 2, 840, 113549, 1, 12, 10, 1, 4}); 1402| 0| case 0xBCC82: ------------------ | Branch (1402:7): [True: 0, False: 17] ------------------ 1403| 0| return if_match(req, "x962_p239v1", {1, 2, 840, 10045, 3, 1, 4}); 1404| 0| case 0xBCC83: ------------------ | Branch (1404:7): [True: 0, False: 17] ------------------ 1405| 0| return if_match(req, "x962_p239v2", {1, 2, 840, 10045, 3, 1, 5}); 1406| 0| case 0xBCC84: ------------------ | Branch (1406:7): [True: 0, False: 17] ------------------ 1407| 0| return if_match(req, "x962_p239v3", {1, 2, 840, 10045, 3, 1, 6}); 1408| 0| case 0xBD92B: ------------------ | Branch (1408:7): [True: 0, False: 17] ------------------ 1409| 0| return if_match(req, "X509v3.HoldInstructionCode", {2, 5, 29, 23}); 1410| 0| case 0xBDCA9: ------------------ | Branch (1410:7): [True: 0, False: 17] ------------------ 1411| 0| return if_match(req, "AES-256/GCM", {2, 16, 840, 1, 101, 3, 4, 1, 46}); 1412| 0| case 0xBE48D: ------------------ | Branch (1412:7): [True: 0, False: 17] ------------------ 1413| 0| return if_match(req, "PKIX.OCSP.BasicResponse", {1, 3, 6, 1, 5, 5, 7, 48, 1, 1}); 1414| 0| case 0xBF71E: ------------------ | Branch (1414:7): [True: 0, False: 17] ------------------ 1415| 0| return if_match(req, "Kyber-1024-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 7, 3}); 1416| 0| case 0xBFF01: ------------------ | Branch (1416:7): [True: 0, False: 17] ------------------ 1417| 0| return if_match(req, "DSA/SHA-3(224)", {2, 16, 840, 1, 101, 3, 4, 3, 5}); 1418| 0| case 0xC0F4F: ------------------ | Branch (1418:7): [True: 0, False: 17] ------------------ 1419| 0| return if_match(req, "SphincsPlus-haraka-256f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 6}); 1420| 0| case 0xC1875: ------------------ | Branch (1420:7): [True: 0, False: 17] ------------------ 1421| 0| return if_match(req, "SHA-1", {1, 3, 14, 3, 2, 26}); 1422| 0| case 0xC28D1: ------------------ | Branch (1422:7): [True: 0, False: 17] ------------------ 1423| 0| return if_match(req, "PKIX.OCSPSigning", {1, 3, 6, 1, 5, 5, 7, 3, 9}); 1424| 0| case 0xC42CA: ------------------ | Branch (1424:7): [True: 0, False: 17] ------------------ 1425| 0| return if_match(req, "brainpool256r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 7}); 1426| 0| default: ------------------ | Branch (1426:7): [True: 0, False: 17] ------------------ 1427| 0| return {}; 1428| 17| } 1429| 17|} _ZN5Botan7OID_Map16load_oid2str_mapEv: 1431| 1|std::unordered_map OID_Map::load_oid2str_map() { 1432| 1| return { 1433| 1| {OID{2, 5, 8, 1, 1}, "RSA"}, 1434| 1| {OID{1, 3, 6, 1, 4, 1, 8301, 3, 1, 2, 9, 0, 38}, "secp521r1"}, 1435| 1| {OID{1, 2, 643, 2, 2, 35, 1}, "gost_256A"}, 1436| 1| {OID{1, 2, 643, 2, 2, 36, 0}, "gost_256A"}, 1437| 1| }; 1438| 1|} _ZN5Botan7OID_Map16load_str2oid_mapEv: 1440| 1|std::unordered_map OID_Map::load_str2oid_map() { 1441| 1| return { 1442| 1| {"Curve25519", OID{1, 3, 101, 110}}, 1443| 1| {"SM2_Sig", OID{1, 2, 156, 10197, 1, 301, 1}}, 1444| 1| {"RSA/EMSA3(MD2)", OID{1, 2, 840, 113549, 1, 1, 2}}, 1445| 1| {"RSA/EMSA3(MD5)", OID{1, 2, 840, 113549, 1, 1, 4}}, 1446| 1| {"RSA/EMSA3(SHA-1)", OID{1, 2, 840, 113549, 1, 1, 5}}, 1447| 1| {"RSA/EMSA3(SHA-256)", OID{1, 2, 840, 113549, 1, 1, 11}}, 1448| 1| {"RSA/EMSA3(SHA-384)", OID{1, 2, 840, 113549, 1, 1, 12}}, 1449| 1| {"RSA/EMSA3(SHA-512)", OID{1, 2, 840, 113549, 1, 1, 13}}, 1450| 1| {"RSA/EMSA3(SHA-224)", OID{1, 2, 840, 113549, 1, 1, 14}}, 1451| 1| {"RSA/EMSA3(SHA-512-256)", OID{1, 2, 840, 113549, 1, 1, 16}}, 1452| 1| {"RSA/EMSA3(SHA-3(224))", OID{2, 16, 840, 1, 101, 3, 4, 3, 13}}, 1453| 1| {"RSA/EMSA3(SHA-3(256))", OID{2, 16, 840, 1, 101, 3, 4, 3, 14}}, 1454| 1| {"RSA/EMSA3(SHA-3(384))", OID{2, 16, 840, 1, 101, 3, 4, 3, 15}}, 1455| 1| {"RSA/EMSA3(SHA-3(512))", OID{2, 16, 840, 1, 101, 3, 4, 3, 16}}, 1456| 1| {"RSA/EMSA3(SM3)", OID{1, 2, 156, 10197, 1, 504}}, 1457| 1| {"RSA/EMSA3(RIPEMD-160)", OID{1, 3, 36, 3, 3, 1, 2}}, 1458| 1| {"RSA/EMSA4", OID{1, 2, 840, 113549, 1, 1, 10}}, 1459| 1| {"PBES2", OID{1, 2, 840, 113549, 1, 5, 13}}, 1460| 1| }; 1461| 1|} static_oids.cpp:_ZN5Botan12_GLOBAL__N_18if_matchERKNS_3OIDESt16initializer_listIjENSt3__117basic_string_viewIcNS6_11char_traitsIcEEEE: 18| 11.4k|std::optional if_match(const OID& oid, std::initializer_list val, std::string_view name) { 19| 11.4k| if(oid.matches(val)) { ------------------ | Branch (19:7): [True: 11.1k, False: 346] ------------------ 20| 11.1k| return name; 21| 11.1k| } else { 22| 346| return {}; 23| 346| } 24| 11.4k|} static_oids.cpp:_ZN5Botan12_GLOBAL__N_113hash_oid_nameENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 34| 17|uint32_t hash_oid_name(std::string_view s) { 35| 17| uint64_t hash = 0x8188B31879A4879A; 36| | 37| 297| for(const char c : s) { ------------------ | Branch (37:21): [True: 297, False: 17] ------------------ 38| 297| hash *= 251; 39| 297| hash += c; 40| 297| } 41| | 42| 17| return static_cast(hash % 805289); 43| 17|} static_oids.cpp:_ZN5Botan12_GLOBAL__N_18if_matchENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_St16initializer_listIjE: 26| 17|std::optional if_match(std::string_view req, std::string_view actual, std::initializer_list oid) { 27| 17| if(req == actual) { ------------------ | Branch (27:7): [True: 17, False: 0] ------------------ 28| 17| return OID(oid); 29| 17| } else { 30| 0| return {}; 31| 0| } 32| 17|} _ZN5Botan13base64_decodeEPKcmb: 187| 114|secure_vector base64_decode(const char input[], size_t input_length, bool ignore_ws) { 188| 114| return base_decode_to_vec>(Base64(), input, input_length, ignore_ws); 189| 114|} base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6417decode_max_outputEm: 42| 228| static constexpr size_t decode_max_output(size_t input_length) { 43| 228| return (round_up(input_length, m_encoding_bytes_out) * m_encoding_bytes_in) / m_encoding_bytes_out; 44| 228| } base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6419lookup_binary_valueEc: 110| 50.2k|uint8_t Base64::lookup_binary_value(char input) noexcept { 111| 50.2k| auto has_zero_byte = [](uint64_t v) { return ((v - 0x0101010101010101) & ~(v) & 0x8080808080808080); }; 112| | 113| | // Assumes each byte is either 0x00 or 0x80 114| 50.2k| auto index_of_first_set_byte = [](uint64_t v) { 115| 50.2k| return ((((v - 1) & 0x0101010101010101) * 0x0101010101010101) >> 56) - 1; 116| 50.2k| }; 117| | 118| 50.2k| constexpr uint64_t lo = 0x0101010101010101; 119| | 120| 50.2k| const uint8_t x = static_cast(input); 121| | 122| 50.2k| const uint64_t x8 = x * lo; 123| | 124| | // Defines the valid ASCII ranges of base64, except the special chars (below) 125| 50.2k| constexpr uint64_t val_l = make_uint64(0, 0, 0, 0, 0, 'A', 'a', '0'); 126| 50.2k| constexpr uint64_t val_u = make_uint64(0, 0, 0, 0, 0, 26, 26, 10); 127| | 128| | // If x is in one of the ranges return a mask. Otherwise we xor in at the 129| | // high word which will be our invalid marker 130| 50.2k| auto v_mask = swar_in_range(x8, val_l, val_u) ^ 0x80000000; 131| | 132| | // This is the offset added to x to get the value 133| 50.2k| const uint64_t val_v = 0xbfb904 ^ (0xFF000000 - (x << 24)); 134| | 135| 50.2k| const uint8_t z = x + static_cast(val_v >> (8 * index_of_first_set_byte(v_mask))); 136| | 137| | // Valid base64 special characters, and some whitespace chars 138| 50.2k| constexpr uint64_t specials_i = make_uint64(0, '+', '/', '=', ' ', '\n', '\t', '\r'); 139| | 140| 50.2k| const uint64_t specials_v = 0x3e3f8180808080 ^ (static_cast(z) << 56); 141| | 142| 50.2k| const uint64_t smask = has_zero_byte(x8 ^ specials_i) ^ 0x8000000000000000; 143| | 144| 50.2k| return static_cast(specials_v >> (8 * index_of_first_set_byte(smask))); 145| 50.2k|} base64.cpp:_ZZN5Botan12_GLOBAL__N_16Base6419lookup_binary_valueEcENK3$_0clEm: 114| 100k| auto index_of_first_set_byte = [](uint64_t v) { 115| 100k| return ((((v - 1) & 0x0101010101010101) * 0x0101010101010101) >> 56) - 1; 116| 100k| }; base64.cpp:_ZZN5Botan12_GLOBAL__N_16Base6419lookup_binary_valueEcENK3$_1clEm: 111| 50.2k| auto has_zero_byte = [](uint64_t v) { return ((v - 0x0101010101010101) & ~(v) & 0x8080808080808080); }; base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6414check_bad_charEhcb: 148| 45.7k|bool Base64::check_bad_char(uint8_t bin, char input, bool ignore_ws) { 149| 45.7k| if(bin <= 0x3F) { ------------------ | Branch (149:7): [True: 7.62k, False: 38.1k] ------------------ 150| 7.62k| return true; 151| 38.1k| } else if(!(bin == 0x81 || (bin == 0x80 && ignore_ws))) { ------------------ | Branch (151:16): [True: 1.20k, False: 36.9k] | Branch (151:32): [True: 36.9k, False: 23] | Branch (151:47): [True: 36.9k, False: 0] ------------------ 152| 23| throw Invalid_Argument(fmt("base64_decode: invalid character '{}'", format_char_for_display(input))); 153| 23| } 154| 38.1k| return false; 155| 45.7k|} base64.cpp:_ZN5Botan12_GLOBAL__N_16Base646decodeEPhPKh: 52| 1.92k| static void decode(uint8_t* out_ptr, const uint8_t decode_buf[4]) { 53| 1.92k| out_ptr[0] = (decode_buf[0] << 2) | (decode_buf[1] >> 4); 54| 1.92k| out_ptr[1] = (decode_buf[1] << 4) | (decode_buf[2] >> 2); 55| 1.92k| out_ptr[2] = (decode_buf[2] << 6) | decode_buf[3]; 56| 1.92k| } base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6415bytes_to_removeEm: 58| 91| static size_t bytes_to_remove(size_t final_truncate) { return final_truncate; } base64.cpp:_ZN5Botan12_GLOBAL__N_16Base644nameEv: 24| 18| static std::string name() noexcept { return "base64"; } _ZN5Botan10hex_decodeEPhPKcmRmb: 72| 18.2k|size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t& input_consumed, bool ignore_ws) { 73| 18.2k| uint8_t* out_ptr = output; 74| 18.2k| bool top_nibble = true; 75| | 76| 18.2k| clear_mem(output, input_length / 2); 77| | 78| 1.13M| for(size_t i = 0; i != input_length; ++i) { ------------------ | Branch (78:22): [True: 1.11M, False: 18.2k] ------------------ 79| 1.11M| const uint8_t bin = hex_char_to_bin(input[i]); 80| | 81| 1.11M| if(bin >= 0x10) { ------------------ | Branch (81:10): [True: 0, False: 1.11M] ------------------ 82| 0| if(bin == 0x80 && ignore_ws) { ------------------ | Branch (82:13): [True: 0, False: 0] | Branch (82:28): [True: 0, False: 0] ------------------ 83| 0| continue; 84| 0| } 85| | 86| 0| throw Invalid_Argument(fmt("hex_decode: invalid character '{}'", format_char_for_display(input[i]))); 87| 0| } 88| | 89| 1.11M| if(top_nibble) { ------------------ | Branch (89:10): [True: 558k, False: 558k] ------------------ 90| 558k| *out_ptr |= bin << 4; 91| 558k| } else { 92| 558k| *out_ptr |= bin; 93| 558k| } 94| | 95| 1.11M| top_nibble = !top_nibble; 96| 1.11M| if(top_nibble) { ------------------ | Branch (96:10): [True: 558k, False: 558k] ------------------ 97| 558k| ++out_ptr; 98| 558k| } 99| 1.11M| } 100| | 101| 18.2k| input_consumed = input_length; 102| 18.2k| const size_t written = (out_ptr - output); 103| | 104| | /* 105| | * We only got half of a uint8_t at the end; zap the half-written 106| | * output and mark it as unread 107| | */ 108| 18.2k| if(!top_nibble) { ------------------ | Branch (108:7): [True: 0, False: 18.2k] ------------------ 109| 0| *out_ptr = 0; 110| 0| input_consumed -= 1; 111| 0| } 112| | 113| 18.2k| return written; 114| 18.2k|} _ZN5Botan10hex_decodeEPhPKcmb: 116| 18.2k|size_t hex_decode(uint8_t output[], const char input[], size_t input_length, bool ignore_ws) { 117| 18.2k| size_t consumed = 0; 118| 18.2k| const size_t written = hex_decode(output, input, input_length, consumed, ignore_ws); 119| | 120| 18.2k| if(consumed != input_length) { ------------------ | Branch (120:7): [True: 0, False: 18.2k] ------------------ 121| 0| throw Invalid_Argument("hex_decode: input did not have full bytes"); 122| 0| } 123| | 124| 18.2k| return written; 125| 18.2k|} _ZN5Botan17hex_decode_lockedEPKcmb: 135| 18.2k|secure_vector hex_decode_locked(const char input[], size_t input_length, bool ignore_ws) { 136| 18.2k| secure_vector bin(1 + input_length / 2); 137| | 138| 18.2k| const size_t written = hex_decode(bin.data(), input, input_length, ignore_ws); 139| | 140| 18.2k| bin.resize(written); 141| 18.2k| return bin; 142| 18.2k|} _ZN5Botan17hex_decode_lockedENSt3__117basic_string_viewIcNS0_11char_traitsIcEEEEb: 144| 12.2k|secure_vector hex_decode_locked(std::string_view input, bool ignore_ws) { 145| 12.2k| return hex_decode_locked(input.data(), input.size(), ignore_ws); 146| 12.2k|} hex.cpp:_ZN5Botan12_GLOBAL__N_115hex_char_to_binEc: 54| 1.11M|uint8_t hex_char_to_bin(char input) { 55| | // Starts of valid value ranges (v_lo) and their lengths (v_range) 56| 1.11M| constexpr uint64_t v_lo = make_uint64(0, '0', 'a', 'A', ' ', '\n', '\t', '\r'); 57| 1.11M| constexpr uint64_t v_range = make_uint64(0, 10, 6, 6, 1, 1, 1, 1); 58| | 59| 1.11M| const uint8_t x = static_cast(input); 60| 1.11M| const uint64_t x8 = x * 0x0101010101010101; 61| | 62| 1.11M| const uint64_t v_mask = swar_in_range(x8, v_lo, v_range) ^ 0x8000000000000000; 63| | 64| | // This is the offset added to x to get the value we need 65| 1.11M| const uint64_t val_v = 0xd0a9c960767773 ^ static_cast(0xFF - x) << 56; 66| | 67| 1.11M| return x + static_cast(val_v >> (8 * index_of_first_set_byte(v_mask))); 68| 1.11M|} _ZN5Botan12HashFunction6createENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 111| 60|std::unique_ptr HashFunction::create(std::string_view algo_spec, std::string_view provider) { 112| |#if defined(BOTAN_HAS_COMMONCRYPTO) 113| | if(provider.empty() || provider == "commoncrypto") { 114| | if(auto hash = make_commoncrypto_hash(algo_spec)) 115| | return hash; 116| | 117| | if(!provider.empty()) 118| | return nullptr; 119| | } 120| |#endif 121| | 122| 60| if(provider.empty() == false && provider != "base") { ------------------ | Branch (122:7): [True: 0, False: 60] | Branch (122:36): [True: 0, False: 0] ------------------ 123| 0| return nullptr; // unknown provider 124| 0| } 125| | 126| 60|#if defined(BOTAN_HAS_SHA1) 127| 60| if(algo_spec == "SHA-1") { ------------------ | Branch (127:7): [True: 0, False: 60] ------------------ 128| 0| return std::make_unique(); 129| 0| } 130| 60|#endif 131| | 132| 60|#if defined(BOTAN_HAS_SHA2_32) 133| 60| if(algo_spec == "SHA-224") { ------------------ | Branch (133:7): [True: 0, False: 60] ------------------ 134| 0| return std::make_unique(); 135| 0| } 136| | 137| 60| if(algo_spec == "SHA-256") { ------------------ | Branch (137:7): [True: 0, False: 60] ------------------ 138| 0| return std::make_unique(); 139| 0| } 140| 60|#endif 141| | 142| 60|#if defined(BOTAN_HAS_SHA2_64) 143| 60| if(algo_spec == "SHA-384") { ------------------ | Branch (143:7): [True: 0, False: 60] ------------------ 144| 0| return std::make_unique(); 145| 0| } 146| | 147| 60| if(algo_spec == "SHA-512") { ------------------ | Branch (147:7): [True: 2, False: 58] ------------------ 148| 2| return std::make_unique(); 149| 2| } 150| | 151| 58| if(algo_spec == "SHA-512-256") { ------------------ | Branch (151:7): [True: 0, False: 58] ------------------ 152| 0| return std::make_unique(); 153| 0| } 154| 58|#endif 155| | 156| 58|#if defined(BOTAN_HAS_RIPEMD_160) 157| 58| if(algo_spec == "RIPEMD-160") { ------------------ | Branch (157:7): [True: 0, False: 58] ------------------ 158| 0| return std::make_unique(); 159| 0| } 160| 58|#endif 161| | 162| 58|#if defined(BOTAN_HAS_WHIRLPOOL) 163| 58| if(algo_spec == "Whirlpool") { ------------------ | Branch (163:7): [True: 0, False: 58] ------------------ 164| 0| return std::make_unique(); 165| 0| } 166| 58|#endif 167| | 168| 58|#if defined(BOTAN_HAS_MD5) 169| 58| if(algo_spec == "MD5") { ------------------ | Branch (169:7): [True: 0, False: 58] ------------------ 170| 0| return std::make_unique(); 171| 0| } 172| 58|#endif 173| | 174| 58|#if defined(BOTAN_HAS_MD4) 175| 58| if(algo_spec == "MD4") { ------------------ | Branch (175:7): [True: 0, False: 58] ------------------ 176| 0| return std::make_unique(); 177| 0| } 178| 58|#endif 179| | 180| 58|#if defined(BOTAN_HAS_GOST_34_11) 181| 58| if(algo_spec == "GOST-R-34.11-94" || algo_spec == "GOST-34.11") { ------------------ | Branch (181:7): [True: 0, False: 58] | Branch (181:41): [True: 0, False: 58] ------------------ 182| 0| return std::make_unique(); 183| 0| } 184| 58|#endif 185| | 186| 58|#if defined(BOTAN_HAS_ADLER32) 187| 58| if(algo_spec == "Adler32") { ------------------ | Branch (187:7): [True: 0, False: 58] ------------------ 188| 0| return std::make_unique(); 189| 0| } 190| 58|#endif 191| | 192| 58|#if defined(BOTAN_HAS_ASCON_HASH256) 193| 58| if(algo_spec == "Ascon-Hash256") { ------------------ | Branch (193:7): [True: 0, False: 58] ------------------ 194| 0| return std::make_unique(); 195| 0| } 196| 58|#endif 197| | 198| 58|#if defined(BOTAN_HAS_CRC24) 199| 58| if(algo_spec == "CRC24") { ------------------ | Branch (199:7): [True: 0, False: 58] ------------------ 200| 0| return std::make_unique(); 201| 0| } 202| 58|#endif 203| | 204| 58|#if defined(BOTAN_HAS_CRC32) 205| 58| if(algo_spec == "CRC32") { ------------------ | Branch (205:7): [True: 0, False: 58] ------------------ 206| 0| return std::make_unique(); 207| 0| } 208| 58|#endif 209| | 210| 58|#if defined(BOTAN_HAS_STREEBOG) 211| 58| if(algo_spec == "Streebog-256") { ------------------ | Branch (211:7): [True: 0, False: 58] ------------------ 212| 0| return std::make_unique(256); 213| 0| } 214| 58| if(algo_spec == "Streebog-512") { ------------------ | Branch (214:7): [True: 0, False: 58] ------------------ 215| 0| return std::make_unique(512); 216| 0| } 217| 58|#endif 218| | 219| 58|#if defined(BOTAN_HAS_SM3) 220| 58| if(algo_spec == "SM3") { ------------------ | Branch (220:7): [True: 0, False: 58] ------------------ 221| 0| return std::make_unique(); 222| 0| } 223| 58|#endif 224| | 225| 58| const SCAN_Name req(algo_spec); 226| | 227| 58|#if defined(BOTAN_HAS_SKEIN_512) 228| 58| if(req.algo_name() == "Skein-512") { ------------------ | Branch (228:7): [True: 0, False: 58] ------------------ 229| 0| return std::make_unique(req.arg_as_integer(0, 512), req.arg(1, "")); 230| 0| } 231| 58|#endif 232| | 233| 58|#if defined(BOTAN_HAS_BLAKE2B) 234| 58| if(req.algo_name() == "Blake2b" || req.algo_name() == "BLAKE2b") { ------------------ | Branch (234:7): [True: 0, False: 58] | Branch (234:39): [True: 0, False: 58] ------------------ 235| 0| return std::make_unique(req.arg_as_integer(0, 512)); 236| 0| } 237| 58|#endif 238| | 239| 58|#if defined(BOTAN_HAS_BLAKE2S) 240| 58| if(req.algo_name() == "Blake2s" || req.algo_name() == "BLAKE2s") { ------------------ | Branch (240:7): [True: 0, False: 58] | Branch (240:39): [True: 0, False: 58] ------------------ 241| 0| return std::make_unique(req.arg_as_integer(0, 256)); 242| 0| } 243| 58|#endif 244| | 245| 58|#if defined(BOTAN_HAS_KECCAK) 246| 58| if(req.algo_name() == "Keccak-1600") { ------------------ | Branch (246:7): [True: 0, False: 58] ------------------ 247| 0| return std::make_unique(req.arg_as_integer(0, 512)); 248| 0| } 249| 58|#endif 250| | 251| 58|#if defined(BOTAN_HAS_SHA3) 252| 58| if(req.algo_name() == "SHA-3") { ------------------ | Branch (252:7): [True: 58, False: 0] ------------------ 253| 58| return std::make_unique(req.arg_as_integer(0, 512)); 254| 58| } 255| 0|#endif 256| | 257| 0|#if defined(BOTAN_HAS_SHAKE) 258| 0| if(req.algo_name() == "SHAKE-128" && req.arg_count() == 1) { ------------------ | Branch (258:7): [True: 0, False: 0] | Branch (258:41): [True: 0, False: 0] ------------------ 259| 0| return std::make_unique(req.arg_as_integer(0)); 260| 0| } 261| 0| if(req.algo_name() == "SHAKE-256" && req.arg_count() == 1) { ------------------ | Branch (261:7): [True: 0, False: 0] | Branch (261:41): [True: 0, False: 0] ------------------ 262| 0| return std::make_unique(req.arg_as_integer(0)); 263| 0| } 264| 0|#endif 265| | 266| 0|#if defined(BOTAN_HAS_PARALLEL_HASH) 267| 0| if(req.algo_name() == "Parallel") { ------------------ | Branch (267:7): [True: 0, False: 0] ------------------ 268| 0| std::vector> hashes; 269| | 270| 0| for(size_t i = 0; i != req.arg_count(); ++i) { ------------------ | Branch (270:25): [True: 0, False: 0] ------------------ 271| 0| auto h = HashFunction::create(req.arg(i)); 272| 0| if(!h) { ------------------ | Branch (272:13): [True: 0, False: 0] ------------------ 273| 0| return nullptr; 274| 0| } 275| 0| hashes.push_back(std::move(h)); 276| 0| } 277| | 278| 0| return std::make_unique(hashes); 279| 0| } 280| 0|#endif 281| | 282| 0|#if defined(BOTAN_HAS_TRUNCATED_HASH) 283| 0| if(req.algo_name() == "Truncated" && req.arg_count() == 2) { ------------------ | Branch (283:7): [True: 0, False: 0] | Branch (283:41): [True: 0, False: 0] ------------------ 284| 0| auto hash = HashFunction::create(req.arg(0)); 285| 0| if(!hash) { ------------------ | Branch (285:10): [True: 0, False: 0] ------------------ 286| 0| return nullptr; 287| 0| } 288| | 289| 0| return std::make_unique(std::move(hash), req.arg_as_integer(1)); 290| 0| } 291| 0|#endif 292| | 293| 0|#if defined(BOTAN_HAS_COMB4P) 294| 0| if(req.algo_name() == "Comb4P" && req.arg_count() == 2) { ------------------ | Branch (294:7): [True: 0, False: 0] | Branch (294:38): [True: 0, False: 0] ------------------ 295| 0| auto h1 = HashFunction::create(req.arg(0)); 296| 0| auto h2 = HashFunction::create(req.arg(1)); 297| | 298| 0| if(h1 && h2) { ------------------ | Branch (298:10): [True: 0, False: 0] | Branch (298:16): [True: 0, False: 0] ------------------ 299| 0| return std::make_unique(std::move(h1), std::move(h2)); 300| 0| } 301| 0| } 302| 0|#endif 303| | 304| 0| return nullptr; 305| 0|} _ZN5Botan12HashFunction15create_or_throwENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 308| 60|std::unique_ptr HashFunction::create_or_throw(std::string_view algo, std::string_view provider) { 309| 60| if(auto hash = HashFunction::create(algo, provider)) { ------------------ | Branch (309:12): [True: 60, False: 0] ------------------ 310| 60| return hash; 311| 60| } 312| 0| throw Lookup_Error("Hash", algo, provider); 313| 60|} _ZN5Botan7SHA_51215compress_digestERNSt3__16vectorImNS_16secure_allocatorImEEEENS1_4spanIKhLm18446744073709551615EEEm: 56| 2|void SHA_512::compress_digest(digest_type& digest, std::span input, size_t blocks) { 57| 2|#if defined(BOTAN_HAS_SHA2_64_X86) 58| 2| if(CPUID::has(CPUID::Feature::SHA512)) { ------------------ | Branch (58:7): [True: 0, False: 2] ------------------ 59| 0| return compress_digest_x86(digest, input, blocks); 60| 0| } 61| 2|#endif 62| | 63| |#if defined(BOTAN_HAS_SHA2_64_ARMV8) 64| | if(CPUID::has(CPUID::Feature::SHA2_512)) { 65| | return compress_digest_armv8(digest, input, blocks); 66| | } 67| |#endif 68| | 69| 2|#if defined(BOTAN_HAS_SHA2_64_X86_AVX512) 70| 2| if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::BMI)) { ------------------ | Branch (70:7): [True: 0, False: 2] ------------------ 71| 0| return compress_digest_x86_avx512(digest, input, blocks); 72| 0| } 73| 2|#endif 74| | 75| 2|#if defined(BOTAN_HAS_SHA2_64_X86_AVX2) 76| 2| if(CPUID::has(CPUID::Feature::AVX2, CPUID::Feature::BMI)) { ------------------ | Branch (76:7): [True: 2, False: 0] ------------------ 77| 2| return compress_digest_x86_avx2(digest, input, blocks); 78| 2| } 79| 0|#endif 80| | 81| 0| uint64_t A = digest[0]; 82| 0| uint64_t B = digest[1]; 83| 0| uint64_t C = digest[2]; 84| 0| uint64_t D = digest[3]; 85| 0| uint64_t E = digest[4]; 86| 0| uint64_t F = digest[5]; 87| 0| uint64_t G = digest[6]; 88| 0| uint64_t H = digest[7]; 89| | 90| 0| std::array W{}; 91| | 92| 0| BufferSlicer in(input); 93| | 94| 0| for(size_t i = 0; i != blocks; ++i) { ------------------ | Branch (94:22): [True: 0, False: 0] ------------------ 95| 0| load_be(W, in.take()); 96| | 97| | // clang-format off 98| | 99| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0x428A2F98D728AE22); 100| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0x7137449123EF65CD); 101| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0xB5C0FBCFEC4D3B2F); 102| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0xE9B5DBA58189DBBC); 103| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x3956C25BF348B538); 104| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x59F111F1B605D019); 105| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x923F82A4AF194F9B); 106| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0xAB1C5ED5DA6D8118); 107| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0xD807AA98A3030242); 108| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0x12835B0145706FBE); 109| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0x243185BE4EE4B28C); 110| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0x550C7DC3D5FFB4E2); 111| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0x72BE5D74F27B896F); 112| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0x80DEB1FE3B1696B1); 113| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0x9BDC06A725C71235); 114| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0xC19BF174CF692694); 115| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0xE49B69C19EF14AD2); 116| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0xEFBE4786384F25E3); 117| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0x0FC19DC68B8CD5B5); 118| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0x240CA1CC77AC9C65); 119| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x2DE92C6F592B0275); 120| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x4A7484AA6EA6E483); 121| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x5CB0A9DCBD41FBD4); 122| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x76F988DA831153B5); 123| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0x983E5152EE66DFAB); 124| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0xA831C66D2DB43210); 125| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0xB00327C898FB213F); 126| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0xBF597FC7BEEF0EE4); 127| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0xC6E00BF33DA88FC2); 128| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0xD5A79147930AA725); 129| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0x06CA6351E003826F); 130| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0x142929670A0E6E70); 131| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0x27B70A8546D22FFC); 132| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0x2E1B21385C26C926); 133| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0x4D2C6DFC5AC42AED); 134| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0x53380D139D95B3DF); 135| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x650A73548BAF63DE); 136| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x766A0ABB3C77B2A8); 137| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x81C2C92E47EDAEE6); 138| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x92722C851482353B); 139| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0xA2BFE8A14CF10364); 140| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0xA81A664BBC423001); 141| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0xC24B8B70D0F89791); 142| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0xC76C51A30654BE30); 143| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0xD192E819D6EF5218); 144| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0xD69906245565A910); 145| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0xF40E35855771202A); 146| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0x106AA07032BBD1B8); 147| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0x19A4C116B8D2D0C8); 148| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0x1E376C085141AB53); 149| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0x2748774CDF8EEB99); 150| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0x34B0BCB5E19B48A8); 151| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x391C0CB3C5C95A63); 152| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x4ED8AA4AE3418ACB); 153| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x5B9CCA4F7763E373); 154| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x682E6FF3D6B2B8A3); 155| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0x748F82EE5DEFB2FC); 156| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0x78A5636F43172F60); 157| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0x84C87814A1F0AB72); 158| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0x8CC702081A6439EC); 159| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0x90BEFFFA23631E28); 160| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0xA4506CEBDE82BDE9); 161| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0xBEF9A3F7B2C67915); 162| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0xC67178F2E372532B); 163| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0xCA273ECEEA26619C); 164| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0xD186B8C721C0C207); 165| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0xEADA7DD6CDE0EB1E); 166| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0xF57D4F7FEE6ED178); 167| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x06F067AA72176FBA); 168| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x0A637DC5A2C898A6); 169| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x113F9804BEF90DAE); 170| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x1B710B35131C471B); 171| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0x28DB77F523047D84); 172| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0x32CAAB7B40C72493); 173| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0x3C9EBE0A15C9BEBC); 174| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0x431D67C49C100D4C); 175| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0x4CC5D4BECB3E42B6); 176| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0x597F299CFC657E2A); 177| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0x5FCB6FAB3AD6FAEC); 178| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0x6C44198C4A475817); 179| | 180| | // clang-format on 181| | 182| 0| A = (digest[0] += A); 183| 0| B = (digest[1] += B); 184| 0| C = (digest[2] += C); 185| 0| D = (digest[3] += D); 186| 0| E = (digest[4] += E); 187| 0| F = (digest[5] += F); 188| 0| G = (digest[6] += G); 189| 0| H = (digest[7] += H); 190| 0| } 191| 0|} _ZN5Botan7SHA_51210compress_nERNSt3__16vectorImNS_16secure_allocatorImEEEENS1_4spanIKhLm18446744073709551615EEEm: 213| 2|void SHA_512::compress_n(digest_type& digest, std::span input, size_t blocks) { 214| 2| SHA_512::compress_digest(digest, input, blocks); 215| 2|} _ZN5Botan7SHA_5124initERNSt3__16vectorImNS_16secure_allocatorImEEEE: 239| 4|void SHA_512::init(digest_type& digest) { 240| 4| digest.assign({0x6A09E667F3BCC908, 241| 4| 0xBB67AE8584CAA73B, 242| 4| 0x3C6EF372FE94F82B, 243| 4| 0xA54FF53A5F1D36F1, 244| 4| 0x510E527FADE682D1, 245| 4| 0x9B05688C2B3E6C1F, 246| 4| 0x1F83D9ABFB41BD6B, 247| 4| 0x5BE0CD19137E2179}); 248| 4|} _ZN5Botan7SHA_5128add_dataENSt3__14spanIKhLm18446744073709551615EEE: 278| 2|void SHA_512::add_data(std::span input) { 279| 2| m_md.update(input); 280| 2|} _ZN5Botan7SHA_51212final_resultENSt3__14spanIhLm18446744073709551615EEE: 290| 2|void SHA_512::final_result(std::span output) { 291| 2| m_md.final(output); 292| 2|} _ZN5Botan7SHA_51224compress_digest_x86_avx2ERNSt3__16vectorImNS_16secure_allocatorImEEEENS1_4spanIKhLm18446744073709551615EEEm: 44| 2| size_t blocks) { 45| | // clang-format off 46| 2| alignas(64) const uint64_t K[80] = { 47| 2| 0x428A2F98D728AE22, 0x7137449123EF65CD, 0xB5C0FBCFEC4D3B2F, 0xE9B5DBA58189DBBC, 48| 2| 0x3956C25BF348B538, 0x59F111F1B605D019, 0x923F82A4AF194F9B, 0xAB1C5ED5DA6D8118, 49| 2| 0xD807AA98A3030242, 0x12835B0145706FBE, 0x243185BE4EE4B28C, 0x550C7DC3D5FFB4E2, 50| 2| 0x72BE5D74F27B896F, 0x80DEB1FE3B1696B1, 0x9BDC06A725C71235, 0xC19BF174CF692694, 51| 2| 0xE49B69C19EF14AD2, 0xEFBE4786384F25E3, 0x0FC19DC68B8CD5B5, 0x240CA1CC77AC9C65, 52| 2| 0x2DE92C6F592B0275, 0x4A7484AA6EA6E483, 0x5CB0A9DCBD41FBD4, 0x76F988DA831153B5, 53| 2| 0x983E5152EE66DFAB, 0xA831C66D2DB43210, 0xB00327C898FB213F, 0xBF597FC7BEEF0EE4, 54| 2| 0xC6E00BF33DA88FC2, 0xD5A79147930AA725, 0x06CA6351E003826F, 0x142929670A0E6E70, 55| 2| 0x27B70A8546D22FFC, 0x2E1B21385C26C926, 0x4D2C6DFC5AC42AED, 0x53380D139D95B3DF, 56| 2| 0x650A73548BAF63DE, 0x766A0ABB3C77B2A8, 0x81C2C92E47EDAEE6, 0x92722C851482353B, 57| 2| 0xA2BFE8A14CF10364, 0xA81A664BBC423001, 0xC24B8B70D0F89791, 0xC76C51A30654BE30, 58| 2| 0xD192E819D6EF5218, 0xD69906245565A910, 0xF40E35855771202A, 0x106AA07032BBD1B8, 59| 2| 0x19A4C116B8D2D0C8, 0x1E376C085141AB53, 0x2748774CDF8EEB99, 0x34B0BCB5E19B48A8, 60| 2| 0x391C0CB3C5C95A63, 0x4ED8AA4AE3418ACB, 0x5B9CCA4F7763E373, 0x682E6FF3D6B2B8A3, 61| 2| 0x748F82EE5DEFB2FC, 0x78A5636F43172F60, 0x84C87814A1F0AB72, 0x8CC702081A6439EC, 62| 2| 0x90BEFFFA23631E28, 0xA4506CEBDE82BDE9, 0xBEF9A3F7B2C67915, 0xC67178F2E372532B, 63| 2| 0xCA273ECEEA26619C, 0xD186B8C721C0C207, 0xEADA7DD6CDE0EB1E, 0xF57D4F7FEE6ED178, 64| 2| 0x06F067AA72176FBA, 0x0A637DC5A2C898A6, 0x113F9804BEF90DAE, 0x1B710B35131C471B, 65| 2| 0x28DB77F523047D84, 0x32CAAB7B40C72493, 0x3C9EBE0A15C9BEBC, 0x431D67C49C100D4C, 66| 2| 0x4CC5D4BECB3E42B6, 0x597F299CFC657E2A, 0x5FCB6FAB3AD6FAEC, 0x6C44198C4A475817, 67| 2| }; 68| | // clang-format on 69| | 70| 2| alignas(64) uint64_t W[16] = {0}; 71| 2| alignas(64) uint64_t W2[80]; 72| | 73| 2| uint64_t A = digest[0]; 74| 2| uint64_t B = digest[1]; 75| 2| uint64_t C = digest[2]; 76| 2| uint64_t D = digest[3]; 77| 2| uint64_t E = digest[4]; 78| 2| uint64_t F = digest[5]; 79| 2| uint64_t G = digest[6]; 80| 2| uint64_t H = digest[7]; 81| | 82| 2| const uint8_t* data = input.data(); 83| | 84| 2| while(blocks >= 2) { ------------------ | Branch (84:10): [True: 0, False: 2] ------------------ 85| 0| SIMD_4x64 WS[8]; 86| | 87| 0| for(size_t i = 0; i < 8; i++) { ------------------ | Branch (87:25): [True: 0, False: 0] ------------------ 88| 0| WS[i] = SIMD_4x64::load_be2(&data[16 * i], &data[128 + 16 * i]); 89| 0| auto WK = WS[i] + SIMD_4x64::broadcast_2x64(&K[2 * i]); 90| 0| WK.store_le2(&W[2 * i], &W2[2 * i]); 91| 0| } 92| | 93| 0| data += 2 * 128; 94| 0| blocks -= 2; 95| | 96| | // First 64 rounds of SHA-512 97| 0| for(size_t r = 0; r != 64; r += 16) { ------------------ | Branch (97:25): [True: 0, False: 0] ------------------ 98| 0| auto w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 16]); 99| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 100| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 101| 0| w.store_le2(&W[0], &W2[r + 16]); 102| | 103| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 18]); 104| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 105| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 106| 0| w.store_le2(&W[2], &W2[r + 18]); 107| | 108| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 20]); 109| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 110| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 111| 0| w.store_le2(&W[4], &W2[r + 20]); 112| | 113| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 22]); 114| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 115| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 116| 0| w.store_le2(&W[6], &W2[r + 22]); 117| | 118| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 24]); 119| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 120| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 121| 0| w.store_le2(&W[8], &W2[r + 24]); 122| | 123| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 26]); 124| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 125| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 126| 0| w.store_le2(&W[10], &W2[r + 26]); 127| | 128| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 28]); 129| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 130| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 131| 0| w.store_le2(&W[12], &W2[r + 28]); 132| | 133| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 30]); 134| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 135| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 136| 0| w.store_le2(&W[14], &W2[r + 30]); 137| 0| } 138| | 139| | // Final 16 rounds of SHA-512 140| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 141| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 142| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 143| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 144| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 145| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 146| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 147| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 148| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 149| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 150| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 151| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 152| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 153| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 154| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 155| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 156| | 157| 0| A = (digest[0] += A); 158| 0| B = (digest[1] += B); 159| 0| C = (digest[2] += C); 160| 0| D = (digest[3] += D); 161| 0| E = (digest[4] += E); 162| 0| F = (digest[5] += F); 163| 0| G = (digest[6] += G); 164| 0| H = (digest[7] += H); 165| | 166| | // Second block of SHA-512 compression, with pre-expanded message 167| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[0]); 168| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[1]); 169| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[2]); 170| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[3]); 171| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[4]); 172| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[5]); 173| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[6]); 174| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[7]); 175| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[8]); 176| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[9]); 177| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[10]); 178| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[11]); 179| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[12]); 180| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[13]); 181| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[14]); 182| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[15]); 183| | 184| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[16]); 185| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[17]); 186| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[18]); 187| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[19]); 188| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[20]); 189| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[21]); 190| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[22]); 191| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[23]); 192| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[24]); 193| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[25]); 194| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[26]); 195| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[27]); 196| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[28]); 197| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[29]); 198| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[30]); 199| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[31]); 200| | 201| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[32]); 202| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[33]); 203| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[34]); 204| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[35]); 205| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[36]); 206| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[37]); 207| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[38]); 208| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[39]); 209| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[40]); 210| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[41]); 211| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[42]); 212| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[43]); 213| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[44]); 214| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[45]); 215| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[46]); 216| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[47]); 217| | 218| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[48]); 219| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[49]); 220| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[50]); 221| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[51]); 222| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[52]); 223| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[53]); 224| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[54]); 225| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[55]); 226| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[56]); 227| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[57]); 228| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[58]); 229| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[59]); 230| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[60]); 231| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[61]); 232| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[62]); 233| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[63]); 234| | 235| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[64]); 236| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[65]); 237| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[66]); 238| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[67]); 239| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[68]); 240| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[69]); 241| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[70]); 242| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[71]); 243| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[72]); 244| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[73]); 245| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[74]); 246| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[75]); 247| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[76]); 248| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[77]); 249| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[78]); 250| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[79]); 251| | 252| 0| A = (digest[0] += A); 253| 0| B = (digest[1] += B); 254| 0| C = (digest[2] += C); 255| 0| D = (digest[3] += D); 256| 0| E = (digest[4] += E); 257| 0| F = (digest[5] += F); 258| 0| G = (digest[6] += G); 259| 0| H = (digest[7] += H); 260| 0| } 261| | 262| 4| while(blocks > 0) { ------------------ | Branch (262:10): [True: 2, False: 2] ------------------ 263| 2| SIMD_2x64 WS[8]; 264| | 265| 18| for(size_t i = 0; i < 8; i++) { ------------------ | Branch (265:25): [True: 16, False: 2] ------------------ 266| 16| WS[i] = SIMD_2x64::load_be(&data[16 * i]); 267| 16| auto WK = WS[i] + SIMD_2x64::load_le(&K[2 * i]); 268| 16| WK.store_le(&W[2 * i]); 269| 16| } 270| | 271| 2| data += 128; 272| 2| blocks -= 1; 273| | 274| | // First 64 rounds of SHA-512 275| 10| for(size_t r = 0; r != 64; r += 16) { ------------------ | Branch (275:25): [True: 8, False: 2] ------------------ 276| 8| auto w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 16]); 277| 8| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 278| 8| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 279| 8| w.store_le(&W[0]); 280| | 281| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 18]); 282| 8| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 283| 8| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 284| 8| w.store_le(&W[2]); 285| | 286| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 20]); 287| 8| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 288| 8| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 289| 8| w.store_le(&W[4]); 290| | 291| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 22]); 292| 8| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 293| 8| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 294| 8| w.store_le(&W[6]); 295| | 296| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 24]); 297| 8| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 298| 8| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 299| 8| w.store_le(&W[8]); 300| | 301| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 26]); 302| 8| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 303| 8| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 304| 8| w.store_le(&W[10]); 305| | 306| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 28]); 307| 8| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 308| 8| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 309| 8| w.store_le(&W[12]); 310| | 311| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 30]); 312| 8| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 313| 8| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 314| 8| w.store_le(&W[14]); 315| 8| } 316| | 317| | // Final 16 rounds of SHA-512 318| 2| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 319| 2| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 320| 2| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 321| 2| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 322| 2| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 323| 2| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 324| 2| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 325| 2| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 326| 2| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 327| 2| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 328| 2| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 329| 2| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 330| 2| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 331| 2| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 332| 2| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 333| 2| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 334| | 335| 2| A = (digest[0] += A); 336| 2| B = (digest[1] += B); 337| 2| C = (digest[2] += C); 338| 2| D = (digest[3] += D); 339| 2| E = (digest[4] += E); 340| 2| F = (digest[5] += F); 341| 2| G = (digest[6] += G); 342| 2| H = (digest[7] += H); 343| 2| } 344| 2|} sha2_64_avx2.cpp:_ZN5Botan12_GLOBAL__N_113sha512_next_wINS_9SIMD_2x64EEET_PS3_: 19| 64|BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_BMI2 SIMD_T sha512_next_w(SIMD_T x[8]) { 20| 64| auto t0 = SIMD_T::alignr8(x[1], x[0]); 21| 64| auto t1 = SIMD_T::alignr8(x[5], x[4]); 22| | 23| 64| auto s0 = t0.template rotr<1>() ^ t0.template rotr<8>() ^ t0.template shr<7>(); 24| 64| auto s1 = x[7].template rotr<19>() ^ x[7].template rotr<61>() ^ x[7].template shr<6>(); 25| | 26| 64| auto nx = x[0] + s0 + s1 + t1; 27| | 28| 64| x[0] = x[1]; 29| 64| x[1] = x[2]; 30| 64| x[2] = x[3]; 31| 64| x[3] = x[4]; 32| 64| x[4] = x[5]; 33| 64| x[5] = x[6]; 34| 64| x[6] = x[7]; 35| 64| x[7] = nx; 36| | 37| 64| return x[7]; 38| 64|} _ZN5Botan5SHA_3C2Em: 17| 58| m_keccak({.capacity_bits = output_bits * 2, .padding = KeccakPadding::sha3()}), m_output_length(output_bits / 8) { 18| | // We only support the parameters for SHA-3 in this constructor 19| | 20| 58| if(output_bits != 224 && output_bits != 256 && output_bits != 384 && output_bits != 512) { ------------------ | Branch (20:7): [True: 58, False: 0] | Branch (20:29): [True: 29, False: 29] | Branch (20:51): [True: 29, False: 0] | Branch (20:73): [True: 0, False: 29] ------------------ 21| 0| throw Invalid_Argument(fmt("SHA_3: Invalid output length {}", output_bits)); 22| 0| } 23| 58|} _ZN5Botan5SHA_38add_dataENSt3__14spanIKhLm18446744073709551615EEE: 45| 87|void SHA_3::add_data(std::span input) { 46| 87| m_keccak.absorb(input); 47| 87|} _ZN5Botan5SHA_312final_resultENSt3__14spanIhLm18446744073709551615EEE: 49| 58|void SHA_3::final_result(std::span output) { 50| 58| m_keccak.finish(); 51| 58| m_keccak.squeeze(output); 52| 58| m_keccak.clear(); 53| 58|} _ZN5Botan6BigInt17from_radix_digitsENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEm: 125| 15.9k|BigInt BigInt::from_radix_digits(std::string_view digits, size_t radix) { 126| 15.9k| if(radix == 16) { ------------------ | Branch (126:7): [True: 15.9k, False: 0] ------------------ 127| 15.9k| secure_vector binary; 128| | 129| 15.9k| if(digits.size() % 2 == 1) { ------------------ | Branch (129:10): [True: 3.69k, False: 12.2k] ------------------ 130| | // Handle lack of leading 0 131| 3.69k| const char buf0_with_leading_0[2] = {'0', digits[0]}; 132| | 133| 3.69k| binary = hex_decode_locked(buf0_with_leading_0, 2); 134| | 135| 3.69k| if(digits.size() > 1) { ------------------ | Branch (135:13): [True: 2.35k, False: 1.33k] ------------------ 136| 2.35k| binary += hex_decode_locked(&digits[1], digits.size() - 1, false); 137| 2.35k| } 138| 12.2k| } else { 139| 12.2k| binary = hex_decode_locked(digits, false); 140| 12.2k| } 141| | 142| 15.9k| return BigInt::from_bytes(binary); 143| 15.9k| } else if(radix == 10) { ------------------ | Branch (143:14): [True: 0, False: 0] ------------------ 144| | // Use the largest power of 10 that fits in a word, accumulating 145| | // groups of digits into word-sized chunks to minimize the number 146| | // of multiprecision multiplications. 147| 0| constexpr word conversion_radix = decimal_conversion_radix(); 148| 0| constexpr size_t radix_digits = decimal_conversion_radix_digits(); 149| | 150| 0| BigInt r; 151| | 152| | // Handle the initial partial block (if digit count is not a multiple of radix_digits) 153| 0| const size_t partial_block = digits.size() % radix_digits; 154| | 155| 0| if(partial_block > 0) { ------------------ | Branch (155:10): [True: 0, False: 0] ------------------ 156| 0| word acc = 0; 157| 0| for(size_t i = 0; i < partial_block; ++i) { ------------------ | Branch (157:28): [True: 0, False: 0] ------------------ 158| 0| const char c = digits[i]; 159| 0| BOTAN_ARG_CHECK(c >= '0' && c <= '9', "Invalid decimal character"); ------------------ | | 35| 0| do { \ | | 36| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 0| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 0| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 0] | | ------------------ ------------------ 160| 0| acc = acc * 10 + static_cast(c - '0'); 161| 0| } 162| 0| r += acc; 163| 0| } 164| | 165| | // Process full blocks of radix_digits 166| 0| for(size_t i = partial_block; i != digits.size(); i += radix_digits) { ------------------ | Branch (166:37): [True: 0, False: 0] ------------------ 167| 0| word acc = 0; 168| 0| for(size_t j = 0; j < radix_digits; ++j) { ------------------ | Branch (168:28): [True: 0, False: 0] ------------------ 169| 0| const char c = digits[i + j]; 170| 0| BOTAN_ARG_CHECK(c >= '0' && c <= '9', "Invalid decimal character"); ------------------ | | 35| 0| do { \ | | 36| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 0| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 0| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 0] | | ------------------ ------------------ 171| 0| acc = acc * 10 + static_cast(c - '0'); 172| 0| } 173| 0| r *= conversion_radix; 174| 0| r += acc; 175| 0| } 176| | 177| 0| return r; 178| 0| } else { 179| 0| throw Invalid_Argument("BigInt::from_radix_digits unknown radix"); 180| 0| } 181| 15.9k|} _ZN5Botan6BigIntpLERKS0_: 16| 885|BigInt& BigInt::operator+=(const BigInt& y) { 17| 885| if(&y == this) { ------------------ | Branch (17:7): [True: 0, False: 885] ------------------ 18| 0| return *this <<= 1; 19| 0| } 20| 885| return add(y._data(), y.sig_words(), y.sign()); 21| 885|} _ZN5Botan6BigIntmIERKS0_: 23| 73.2k|BigInt& BigInt::operator-=(const BigInt& y) { 24| 73.2k| if(&y == this) { ------------------ | Branch (24:7): [True: 0, False: 73.2k] ------------------ 25| 0| this->clear(); 26| 0| this->set_sign(Positive); 27| 0| return *this; 28| 0| } 29| 73.2k| return sub(y._data(), y.sig_words(), y.sign()); 30| 73.2k|} _ZN5Botan6BigInt3addEPKmmNS0_4SignE: 32| 78.0k|BigInt& BigInt::add(const word y[], size_t y_words, Sign y_sign) { 33| 78.0k| const size_t x_sw = sig_words(); 34| | 35| 78.0k| grow_to(std::max(x_sw, y_words) + 1); 36| | 37| 78.0k| if(sign() == y_sign) { ------------------ | Branch (37:7): [True: 2.34k, False: 75.6k] ------------------ 38| 2.34k| const word carry = bigint_add2(mutable_data(), size() - 1, y, y_words); 39| 2.34k| mutable_data()[size() - 1] += carry; 40| 75.6k| } else { 41| 75.6k| const int32_t relative_size = bigint_cmp(_data(), x_sw, y, y_words); 42| | 43| 75.6k| if(relative_size >= 0) { ------------------ | Branch (43:10): [True: 73.3k, False: 2.31k] ------------------ 44| | // *this >= y 45| 73.3k| bigint_sub2(mutable_data(), x_sw, y, y_words); 46| 73.3k| } else { 47| | // *this < y: compute *this = y - *this 48| 2.31k| bigint_sub2_rev(mutable_data(), y, y_words); 49| 2.31k| } 50| | 51| 75.6k| if(relative_size < 0) { ------------------ | Branch (51:10): [True: 2.31k, False: 73.3k] ------------------ 52| 2.31k| set_sign(y_sign); 53| 73.3k| } else if(relative_size == 0) { ------------------ | Branch (53:17): [True: 3, False: 73.3k] ------------------ 54| 3| set_sign(Positive); 55| 3| } 56| 75.6k| } 57| | 58| 78.0k| return (*this); 59| 78.0k|} _ZN5Botan6BigInt7mod_addERKS0_S2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 61| 39.2k|BigInt& BigInt::mod_add(const BigInt& s, const BigInt& mod, secure_vector& ws) { 62| 39.2k| if(this->signum() < 0 || s.signum() < 0 || mod.signum() < 0) { ------------------ | Branch (62:7): [True: 0, False: 39.2k] | Branch (62:29): [True: 0, False: 39.2k] | Branch (62:47): [True: 0, False: 39.2k] ------------------ 63| 0| throw Invalid_Argument("BigInt::mod_add expects all arguments are positive"); 64| 0| } 65| | 66| 39.2k| BOTAN_DEBUG_ASSERT(*this < mod); ------------------ | | 130| 39.2k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 39.2k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 39.2k] | | ------------------ ------------------ 67| 39.2k| BOTAN_DEBUG_ASSERT(s < mod); ------------------ | | 130| 39.2k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 39.2k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 39.2k] | | ------------------ ------------------ 68| | 69| | /* 70| | t + s or t + s - p == t - (p - s) 71| | 72| | So first compute ws = p - s 73| | 74| | Then compute t + s and t - ws 75| | 76| | If t - ws does not borrow, then that is the correct valued 77| | */ 78| | 79| 39.2k| const size_t mod_sw = mod.sig_words(); 80| 39.2k| BOTAN_ARG_CHECK(mod_sw > 0, "BigInt::mod_add modulus must be positive"); ------------------ | | 35| 39.2k| do { \ | | 36| 39.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 39.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 39.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 39.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 39.2k] | | ------------------ ------------------ 81| | 82| 39.2k| this->grow_to(mod_sw); 83| 39.2k| s.grow_to(mod_sw); 84| | 85| | // First mod_sw for p - s, 2*mod_sw for bigint_addsub workspace 86| 39.2k| if(ws.size() < 3 * mod_sw) { ------------------ | Branch (86:7): [True: 28.6k, False: 10.5k] ------------------ 87| 28.6k| ws.resize(3 * mod_sw); 88| 28.6k| } 89| | 90| | // NOLINTBEGIN(readability-container-data-pointer) 91| | 92| 39.2k| word borrow = bigint_sub3(&ws[0], mod._data(), mod_sw, s._data(), mod_sw); 93| 39.2k| BOTAN_DEBUG_ASSERT(borrow == 0); ------------------ | | 130| 39.2k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 39.2k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 39.2k] | | ------------------ ------------------ 94| 39.2k| BOTAN_UNUSED(borrow); ------------------ | | 144| 39.2k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 95| | 96| | // Compute t - ws 97| 39.2k| borrow = bigint_sub3(&ws[mod_sw], this->_data(), mod_sw, &ws[0], mod_sw); 98| | 99| | // Compute t + s 100| 39.2k| bigint_add3(&ws[mod_sw * 2], this->_data(), mod_sw, s._data(), mod_sw); 101| | 102| 39.2k| CT::conditional_copy_mem(borrow, &ws[0], &ws[mod_sw * 2], &ws[mod_sw], mod_sw); 103| 39.2k| set_words(&ws[0], mod_sw); 104| | 105| | // NOLINTEND(readability-container-data-pointer) 106| | 107| 39.2k| return (*this); 108| 39.2k|} _ZN5Botan6BigInt7mod_subERKS0_S2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 110| 2.85M|BigInt& BigInt::mod_sub(const BigInt& s, const BigInt& mod, secure_vector& ws) { 111| 2.85M| if(this->signum() < 0 || s.signum() < 0 || mod.signum() < 0) { ------------------ | Branch (111:7): [True: 0, False: 2.85M] | Branch (111:29): [True: 0, False: 2.85M] | Branch (111:47): [True: 0, False: 2.85M] ------------------ 112| 0| throw Invalid_Argument("BigInt::mod_sub expects all arguments are positive"); 113| 0| } 114| | 115| | // We are assuming in this function that *this and s are no more than mod_sw words long 116| 2.85M| BOTAN_DEBUG_ASSERT(*this < mod); ------------------ | | 130| 2.85M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.85M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.85M] | | ------------------ ------------------ 117| 2.85M| BOTAN_DEBUG_ASSERT(s < mod); ------------------ | | 130| 2.85M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.85M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.85M] | | ------------------ ------------------ 118| | 119| 2.85M| const size_t mod_sw = mod.sig_words(); 120| | 121| 2.85M| this->grow_to(mod_sw); 122| 2.85M| s.grow_to(mod_sw); 123| | 124| 2.85M| if(ws.size() < mod_sw) { ------------------ | Branch (124:7): [True: 0, False: 2.85M] ------------------ 125| 0| ws.resize(mod_sw); 126| 0| } 127| | 128| 2.85M| const word borrow = bigint_sub3(ws.data(), mutable_data(), mod_sw, s._data(), mod_sw); 129| | 130| | // Conditionally add back the modulus 131| 2.85M| bigint_cnd_add(borrow, ws.data(), mod._data(), mod_sw); 132| | 133| 2.85M| unchecked_copy_memory(mutable_data(), ws.data(), mod_sw); 134| | 135| 2.85M| return (*this); 136| 2.85M|} _ZN5Botan6BigInt7mod_mulEhRKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 138| 839k|BigInt& BigInt::mod_mul(uint8_t y, const BigInt& mod, secure_vector& ws) { 139| 839k| BOTAN_ARG_CHECK(this->signum() >= 0, "*this must be positive"); ------------------ | | 35| 839k| do { \ | | 36| 839k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 839k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 839k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 839k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 839k] | | ------------------ ------------------ 140| 839k| BOTAN_ARG_CHECK(y < 16, "y too large"); ------------------ | | 35| 839k| do { \ | | 36| 839k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 839k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 839k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 839k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 839k] | | ------------------ ------------------ 141| | 142| 839k| BOTAN_DEBUG_ASSERT(*this < mod); ------------------ | | 130| 839k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 839k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 839k] | | ------------------ ------------------ 143| | 144| 839k| *this *= static_cast(y); 145| 839k| this->reduce_below(mod, ws); 146| 839k| return (*this); 147| 839k|} _ZN5Botan6BigIntmLEm: 205| 839k|BigInt& BigInt::operator*=(word y) { 206| 839k| if(y == 0) { ------------------ | Branch (206:7): [True: 0, False: 839k] ------------------ 207| 0| clear(); 208| 0| set_sign(Positive); 209| 0| } 210| | 211| 839k| const word carry = bigint_linmul2(mutable_data(), size(), y); 212| 839k| set_word_at(size(), carry); 213| | 214| 839k| return (*this); 215| 839k|} _ZN5Botan6BigIntrMERKS0_: 232| 40.3k|BigInt& BigInt::operator%=(const BigInt& mod) { 233| 40.3k| return (*this = (*this) % mod); 234| 40.3k|} _ZN5Botan6BigIntlSEm: 269| 58.9k|BigInt& BigInt::operator<<=(size_t shift) { 270| 58.9k| if(shift >= 65536) { ------------------ | Branch (270:7): [True: 0, False: 58.9k] ------------------ 271| 0| throw Invalid_Argument("BigInt left shift count too large"); 272| 0| } 273| | 274| 58.9k| const size_t sw = sig_words(); 275| 58.9k| const size_t new_size = sw + (shift + WordInfo::bits - 1) / WordInfo::bits; 276| | 277| 58.9k| m_data.grow_to(new_size); 278| | 279| 58.9k| bigint_shl1(m_data.mutable_data(), new_size, sw, shift); 280| | 281| 58.9k| return (*this); 282| 58.9k|} _ZN5Botan6BigIntrSEm: 287| 1.03M|BigInt& BigInt::operator>>=(size_t shift) { 288| 1.03M| bigint_shr1(m_data.mutable_data(), m_data.size(), shift); 289| | 290| 1.03M| if(sig_words() == 0 && m_signedness == Negative) { ------------------ | Branch (290:7): [True: 837, False: 1.03M] | Branch (290:27): [True: 0, False: 837] ------------------ 291| 0| m_signedness = Positive; 292| 0| } 293| | 294| 1.03M| return (*this); 295| 1.03M|} _ZN5Botan6BigInt4add2ERKS0_PKmmNS0_4SignE: 20| 893k|BigInt BigInt::add2(const BigInt& x, const word y[], size_t y_size, BigInt::Sign y_sign) { 21| 893k| const size_t x_sw = x.sig_words(); 22| | 23| 893k| BigInt z = BigInt::with_capacity(std::max(x_sw, y_size) + 1); 24| | 25| 893k| if(x.sign() == y_sign) { ------------------ | Branch (25:7): [True: 886k, False: 6.90k] ------------------ 26| 886k| const word carry = bigint_add3(z.mutable_data(), x._data(), x_sw, y, y_size); 27| 886k| z.mutable_data()[std::max(x_sw, y_size)] += carry; 28| 886k| z.set_sign(x.sign()); 29| 886k| } else { 30| 6.90k| const int32_t relative_size = bigint_cmp(x.data(), x_sw, y, y_size); 31| | 32| 6.90k| if(relative_size < 0) { ------------------ | Branch (32:10): [True: 0, False: 6.90k] ------------------ 33| | // x < y so z = abs(y - x) 34| | // NOLINTNEXTLINE(*-suspicious-call-argument) intentionally swapping x and y here 35| 0| bigint_sub3(z.mutable_data(), y, y_size, x.data(), x_sw); 36| 0| z.set_sign(y_sign); 37| 6.90k| } else if(relative_size == 0) { ------------------ | Branch (37:17): [True: 0, False: 6.90k] ------------------ 38| | // Positive zero (nothing to do in this case) 39| 6.90k| } else { 40| | /* 41| | * We know at this point that x >= y so if y_size is larger than 42| | * x_sw, we are guaranteed they are just leading zeros which can 43| | * be ignored 44| | */ 45| 6.90k| y_size = std::min(x_sw, y_size); 46| 6.90k| bigint_sub3(z.mutable_data(), x.data(), x_sw, y, y_size); 47| 6.90k| z.set_sign(x.sign()); 48| 6.90k| } 49| 6.90k| } 50| | 51| 893k| return z; 52| 893k|} _ZN5BotanmlERKNS_6BigIntES2_: 57| 1.34k|BigInt operator*(const BigInt& x, const BigInt& y) { 58| 1.34k| const size_t x_sw = x.sig_words(); 59| 1.34k| const size_t y_sw = y.sig_words(); 60| | 61| 1.34k| BigInt z = BigInt::with_capacity(x.size() + y.size()); 62| | 63| 1.34k| if(x_sw == 1 && y_sw > 0) { ------------------ | Branch (63:7): [True: 55, False: 1.28k] | Branch (63:20): [True: 55, False: 0] ------------------ 64| 55| bigint_linmul3(z.mutable_data(), y._data(), y_sw, x.word_at(0)); 65| 1.28k| } else if(y_sw == 1 && x_sw > 0) { ------------------ | Branch (65:14): [True: 15, False: 1.27k] | Branch (65:27): [True: 15, False: 0] ------------------ 66| 15| bigint_linmul3(z.mutable_data(), x._data(), x_sw, y.word_at(0)); 67| 1.27k| } else if(x_sw > 0 && y_sw > 0) { ------------------ | Branch (67:14): [True: 1.26k, False: 3] | Branch (67:26): [True: 1.26k, False: 1] ------------------ 68| 1.26k| secure_vector workspace(z.size()); 69| | 70| 1.26k| bigint_mul(z.mutable_data(), 71| 1.26k| z.size(), 72| 1.26k| x._data(), 73| 1.26k| x.size(), 74| 1.26k| x_sw, 75| 1.26k| y._data(), 76| 1.26k| y.size(), 77| 1.26k| y_sw, 78| 1.26k| workspace.data(), 79| 1.26k| workspace.size()); 80| 1.26k| } 81| | 82| 1.34k| z.cond_flip_sign(x_sw > 0 && y_sw > 0 && x.sign() != y.sign()); ------------------ | Branch (82:21): [True: 1.33k, False: 3] | Branch (82:33): [True: 1.33k, False: 1] | Branch (82:45): [True: 0, False: 1.33k] ------------------ 83| | 84| 1.34k| return z; 85| 1.34k|} _ZN5BotanmlERKNS_6BigIntEm: 90| 68.2k|BigInt operator*(const BigInt& x, word y) { 91| 68.2k| const size_t x_sw = x.sig_words(); 92| | 93| 68.2k| BigInt z = BigInt::with_capacity(x_sw + 1); 94| | 95| 68.2k| if(x_sw > 0 && y > 0) { ------------------ | Branch (95:7): [True: 68.2k, False: 0] | Branch (95:19): [True: 68.2k, False: 0] ------------------ 96| 68.2k| bigint_linmul3(z.mutable_data(), x._data(), x_sw, y); 97| 68.2k| z.set_sign(x.sign()); 98| 68.2k| } 99| | 100| 68.2k| return z; 101| 68.2k|} _ZN5BotandvERKNS_6BigIntES2_: 106| 411|BigInt operator/(const BigInt& x, const BigInt& y) { 107| 411| if(y.sig_words() == 1 && y.signum() >= 0) { ------------------ | Branch (107:7): [True: 0, False: 411] | Branch (107:29): [True: 0, False: 0] ------------------ 108| 0| return x / y.word_at(0); 109| 0| } 110| | 111| 411| BigInt q; 112| 411| BigInt r; 113| 411| vartime_divide(x, y, q, r); 114| 411| return q; 115| 411|} _ZN5BotandvERKNS_6BigIntEm: 120| 1.36k|BigInt operator/(const BigInt& x, word y) { 121| 1.36k| if(y == 0) { ------------------ | Branch (121:7): [True: 0, False: 1.36k] ------------------ 122| 0| throw Invalid_Argument("BigInt::operator/ divide by zero"); 123| 0| } 124| | 125| 1.36k| BigInt q; 126| 1.36k| word r = 0; 127| 1.36k| ct_divide_word(x, y, q, r); 128| 1.36k| return q; 129| 1.36k|} _ZN5BotanrmERKNS_6BigIntES2_: 134| 40.7k|BigInt operator%(const BigInt& n, const BigInt& mod) { 135| 40.7k| if(mod.is_zero()) { ------------------ | Branch (135:7): [True: 0, False: 40.7k] ------------------ 136| 0| throw Invalid_Argument("BigInt::operator% divide by zero"); 137| 0| } 138| 40.7k| if(mod.signum() < 0) { ------------------ | Branch (138:7): [True: 0, False: 40.7k] ------------------ 139| 0| throw Invalid_Argument("BigInt::operator% modulus must be > 0"); 140| 0| } 141| 40.7k| if(n.signum() >= 0 && mod.signum() >= 0 && n < mod) { ------------------ | Branch (141:7): [True: 39.3k, False: 1.42k] | Branch (141:26): [True: 39.3k, False: 0] | Branch (141:47): [True: 42, False: 39.2k] ------------------ 142| 42| return n; 143| 42| } 144| | 145| 40.6k| if(mod.sig_words() == 1) { ------------------ | Branch (145:7): [True: 13.8k, False: 26.8k] ------------------ 146| 13.8k| return BigInt::from_word(n % mod.word_at(0)); 147| 13.8k| } 148| | 149| 26.8k| BigInt q; 150| 26.8k| BigInt r; 151| 26.8k| vartime_divide(n, mod, q, r); 152| 26.8k| return r; 153| 40.6k|} _ZN5BotanrmERKNS_6BigIntEm: 158| 36.0k|word operator%(const BigInt& n, word mod) { 159| 36.0k| if(mod == 0) { ------------------ | Branch (159:7): [True: 0, False: 36.0k] ------------------ 160| 0| throw Invalid_Argument("BigInt::operator% divide by zero"); 161| 0| } 162| | 163| 36.0k| if(mod == 1) { ------------------ | Branch (163:7): [True: 0, False: 36.0k] ------------------ 164| 0| return 0; 165| 0| } 166| | 167| 36.0k| word remainder = 0; 168| | 169| 36.0k| if(n.signum() >= 0 && is_power_of_2(mod)) { ------------------ | Branch (169:7): [True: 36.0k, False: 3] | Branch (169:26): [True: 22.1k, False: 13.8k] ------------------ 170| 22.1k| remainder = (n.word_at(0) & (mod - 1)); 171| 22.1k| } else { 172| 13.8k| const divide_precomp redc_mod(mod); 173| 13.8k| const size_t sw = n.sig_words(); 174| 43.5k| for(size_t i = sw; i > 0; --i) { ------------------ | Branch (174:26): [True: 29.6k, False: 13.8k] ------------------ 175| 29.6k| remainder = redc_mod.vartime_mod_2to1(remainder, n.word_at(i - 1)); 176| 29.6k| } 177| 13.8k| } 178| | 179| 36.0k| if(remainder != 0 && n.sign() == BigInt::Negative) { ------------------ | Branch (179:7): [True: 36.0k, False: 0] | Branch (179:25): [True: 3, False: 36.0k] ------------------ 180| 3| return mod - remainder; 181| 3| } 182| 36.0k| return remainder; 183| 36.0k|} _ZN5BotanlsERKNS_6BigIntEm: 188| 37.9k|BigInt operator<<(const BigInt& x, size_t shift) { 189| 37.9k| if(shift >= 65536) { ------------------ | Branch (189:7): [True: 0, False: 37.9k] ------------------ 190| 0| throw Invalid_Argument("BigInt left shift count too large"); 191| 0| } 192| | 193| 37.9k| if(x.is_zero()) { ------------------ | Branch (193:7): [True: 0, False: 37.9k] ------------------ 194| 0| return BigInt::zero(); 195| 0| } 196| | 197| 37.9k| const size_t x_sw = x.sig_words(); 198| | 199| 37.9k| const size_t new_size = x_sw + shift / WordInfo::bits + 1; 200| 37.9k| BigInt y = BigInt::with_capacity(new_size); 201| 37.9k| bigint_shl2(y.mutable_data(), new_size, x._data(), x_sw, shift); 202| 37.9k| y.set_sign(x.sign()); 203| 37.9k| return y; 204| 37.9k|} _ZN5BotanrsERKNS_6BigIntEm: 209| 1.60k|BigInt operator>>(const BigInt& x, size_t shift) { 210| 1.60k| const size_t shift_words = shift / WordInfo::bits; 211| 1.60k| const size_t x_sw = x.sig_words(); 212| | 213| 1.60k| if(shift_words >= x_sw) { ------------------ | Branch (213:7): [True: 0, False: 1.60k] ------------------ 214| 0| return BigInt::zero(); 215| 0| } 216| | 217| 1.60k| const size_t new_size = x_sw - shift_words; 218| 1.60k| BigInt y = BigInt::with_capacity(new_size); 219| 1.60k| bigint_shr2(y.mutable_data(), new_size, x._data(), x_sw, shift); 220| | 221| 1.60k| if(x.signum() < 0 && y.is_zero()) { ------------------ | Branch (221:7): [True: 0, False: 1.60k] | Branch (221:25): [True: 0, False: 0] ------------------ 222| 0| y.set_sign(BigInt::Positive); 223| 1.60k| } else { 224| 1.60k| y.set_sign(x.sign()); 225| 1.60k| } 226| | 227| 1.60k| return y; 228| 1.60k|} _ZN5Botan6BigIntC2Em: 20| 4.56k|BigInt::BigInt(uint64_t n) { 21| 4.56k| if constexpr(sizeof(word) == 8) { 22| 4.56k| m_data.set_word_at(0, static_cast(n)); 23| | } else { 24| | m_data.set_word_at(1, static_cast(n >> 32)); 25| | m_data.set_word_at(0, static_cast(n)); 26| | } 27| 4.56k|} _ZN5Botan6BigInt8from_u64Em: 30| 1.84k|BigInt BigInt::from_u64(uint64_t n) { 31| 1.84k| return BigInt(n); 32| 1.84k|} _ZN5Botan6BigInt9from_wordEm: 35| 16.6k|BigInt BigInt::from_word(word n) { 36| 16.6k| BigInt bn; 37| 16.6k| bn.set_word_at(0, n); 38| 16.6k| return bn; 39| 16.6k|} _ZN5Botan6BigInt8from_s32Ei: 42| 162|BigInt BigInt::from_s32(int32_t n) { 43| 162| if(n >= 0) { ------------------ | Branch (43:7): [True: 0, False: 162] ------------------ 44| 0| return BigInt::from_u64(static_cast(n)); 45| 162| } else { 46| 162| return -BigInt::from_u64(static_cast(-static_cast(n))); 47| 162| } 48| 162|} _ZN5Botan6BigInt13with_capacityEm: 51| 2.48M|BigInt BigInt::with_capacity(size_t size) { 52| 2.48M| BigInt bn; 53| 2.48M| bn.grow_to(size); 54| 2.48M| return bn; 55| 2.48M|} _ZN5Botan6BigInt11from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 57| 15.9k|BigInt BigInt::from_string(std::string_view str) { 58| 15.9k| size_t prefix_bytes = 0; 59| 15.9k| bool negative = false; 60| 15.9k| size_t radix = 10; 61| | 62| 15.9k| if(!str.empty() && str[0] == '-') { ------------------ | Branch (62:7): [True: 15.9k, False: 0] | Branch (62:23): [True: 0, False: 15.9k] ------------------ 63| 0| prefix_bytes += 1; 64| 0| negative = true; 65| 0| } 66| | 67| 15.9k| if(str.length() > prefix_bytes + 2 && str[prefix_bytes] == '0' && str[prefix_bytes + 1] == 'x') { ------------------ | Branch (67:7): [True: 15.9k, False: 0] | Branch (67:42): [True: 15.9k, False: 0] | Branch (67:70): [True: 15.9k, False: 0] ------------------ 68| 15.9k| prefix_bytes += 2; 69| 15.9k| radix = 16; 70| 15.9k| } 71| | 72| 15.9k| BigInt r = BigInt::from_radix_digits(str.substr(prefix_bytes), radix); 73| | 74| 15.9k| if(negative) { ------------------ | Branch (74:7): [True: 0, False: 15.9k] ------------------ 75| 0| r.set_sign(Negative); 76| 15.9k| } else { 77| 15.9k| r.set_sign(Positive); 78| 15.9k| } 79| | 80| 15.9k| return r; 81| 15.9k|} _ZN5Botan6BigInt10from_bytesENSt3__14spanIKhLm18446744073709551615EEE: 83| 25.0k|BigInt BigInt::from_bytes(std::span input) { 84| 25.0k| BigInt r; 85| 25.0k| r.assign_from_bytes(input); 86| 25.0k| return r; 87| 25.0k|} _ZNK5Botan6BigInt7byte_atEm: 118| 39.4k|uint8_t BigInt::byte_at(size_t n) const { 119| 39.4k| return get_byte_var(sizeof(word) - (n % sizeof(word)) - 1, word_at(n / sizeof(word))); 120| 39.4k|} _ZNK5Botan6BigInt8cmp_wordEm: 122| 230k|int32_t BigInt::cmp_word(word other) const { 123| 230k| if(signum() < 0) { ------------------ | Branch (123:7): [True: 3.02k, False: 227k] ------------------ 124| 3.02k| return -1; // other is positive ... 125| 3.02k| } 126| | 127| 227k| const size_t sw = this->sig_words(); 128| 227k| if(sw > 1) { ------------------ | Branch (128:7): [True: 177k, False: 49.5k] ------------------ 129| 177k| return 1; // must be larger since other is just one word ... 130| 177k| } 131| | 132| 49.5k| return bigint_cmp(this->_data(), sw, &other, 1); 133| 227k|} _ZNK5Botan6BigInt3cmpERKS0_b: 138| 15.1k|int32_t BigInt::cmp(const BigInt& other, bool check_signs) const { 139| 15.1k| if(check_signs) { ------------------ | Branch (139:7): [True: 15.1k, False: 0] ------------------ 140| 15.1k| if(other.signum() >= 0 && this->signum() < 0) { ------------------ | Branch (140:10): [True: 15.1k, False: 0] | Branch (140:33): [True: 0, False: 15.1k] ------------------ 141| 0| return -1; 142| 0| } 143| | 144| 15.1k| if(other.signum() < 0 && this->signum() >= 0) { ------------------ | Branch (144:10): [True: 0, False: 15.1k] | Branch (144:32): [True: 0, False: 0] ------------------ 145| 0| return 1; 146| 0| } 147| | 148| 15.1k| if(other.signum() < 0 && this->signum() < 0) { ------------------ | Branch (148:10): [True: 0, False: 15.1k] | Branch (148:32): [True: 0, False: 0] ------------------ 149| 0| return (-bigint_cmp(this->_data(), this->size(), other._data(), other.size())); 150| 0| } 151| 15.1k| } 152| | 153| 15.1k| return bigint_cmp(this->_data(), this->size(), other._data(), other.size()); 154| 15.1k|} _ZNK5Botan6BigInt8is_equalERKS0_: 156| 29.8k|bool BigInt::is_equal(const BigInt& other) const { 157| 29.8k| if(this->sign() != other.sign()) { ------------------ | Branch (157:7): [True: 0, False: 29.8k] ------------------ 158| 0| return false; 159| 0| } 160| | 161| 29.8k| return bigint_ct_is_eq(this->_data(), this->size(), other._data(), other.size()).as_bool(); 162| 29.8k|} _ZNK5Botan6BigInt12is_less_thanERKS0_: 164| 59.2k|bool BigInt::is_less_than(const BigInt& other) const { 165| 59.2k| if(this->signum() < 0 && other.signum() >= 0) { ------------------ | Branch (165:7): [True: 0, False: 59.2k] | Branch (165:29): [True: 0, False: 0] ------------------ 166| 0| return true; 167| 0| } 168| | 169| 59.2k| if(this->signum() >= 0 && other.signum() < 0) { ------------------ | Branch (169:7): [True: 59.2k, False: 0] | Branch (169:30): [True: 0, False: 59.2k] ------------------ 170| 0| return false; 171| 0| } 172| | 173| 59.2k| if(other.signum() < 0 && this->signum() < 0) { ------------------ | Branch (173:7): [True: 0, False: 59.2k] | Branch (173:29): [True: 0, False: 0] ------------------ 174| 0| return bigint_ct_is_lt(other._data(), other.size(), this->_data(), this->size()).as_bool(); 175| 0| } 176| | 177| 59.2k| return bigint_ct_is_lt(this->_data(), this->size(), other._data(), other.size()).as_bool(); 178| 59.2k|} _ZNK5Botan6BigInt12encode_wordsEPmm: 180| 979k|void BigInt::encode_words(word out[], size_t size) const { 181| 979k| const size_t words = sig_words(); 182| | 183| 979k| if(words > size) { ------------------ | Branch (183:7): [True: 0, False: 979k] ------------------ 184| 0| throw Encoding_Error("BigInt::encode_words value too large to encode"); 185| 0| } 186| | 187| 979k| clear_mem(out, size); 188| 979k| copy_mem(out, _data(), words); 189| 979k|} _ZN5Botan6BigInt4Data11set_to_zeroEv: 191| 39.4k|void BigInt::Data::set_to_zero() { 192| 39.4k| m_reg.resize(m_reg.capacity()); 193| 39.4k| clear_mem(m_reg.data(), m_reg.size()); 194| 39.4k| m_sig_words = 0; 195| 39.4k|} _ZNK5Botan6BigInt4Data14calc_sig_wordsEv: 215| 13.9M|size_t BigInt::Data::calc_sig_words() const { 216| 13.9M| const size_t sz = m_reg.size(); 217| 13.9M| size_t sig = sz; 218| | 219| 13.9M| word sub = 1; 220| | 221| 199M| for(size_t i = 0; i != sz; ++i) { ------------------ | Branch (221:22): [True: 185M, False: 13.9M] ------------------ 222| 185M| const word w = m_reg[sz - i - 1]; 223| 185M| sub &= ct_is_zero(w); 224| 185M| sig -= sub; 225| 185M| } 226| | 227| | /* 228| | * This depends on the data so is poisoned, but unpoison it here as 229| | * later conditionals are made on the size. 230| | */ 231| 13.9M| CT::unpoison(sig); 232| | 233| 13.9M| return sig; 234| 13.9M|} _ZNK5Botan6BigInt13get_substringEmm: 239| 135k|uint32_t BigInt::get_substring(size_t offset, size_t length) const { 240| 135k| if(length == 0 || length > 32) { ------------------ | Branch (240:7): [True: 0, False: 135k] | Branch (240:22): [True: 0, False: 135k] ------------------ 241| 0| throw Invalid_Argument("BigInt::get_substring invalid substring length"); 242| 0| } 243| | 244| 135k| const uint32_t mask = 0xFFFFFFFF >> (32 - length); 245| | 246| 135k| const size_t word_offset = offset / WordInfo::bits; 247| 135k| const size_t wshift = (offset % WordInfo::bits); 248| | 249| | /* 250| | * The substring is contained within one or at most two words. The 251| | * offset and length are not secret, so we can perform conditional 252| | * operations on those values. 253| | */ 254| 135k| const word w0 = word_at(word_offset); 255| | 256| 135k| if(wshift == 0 || (offset + length) / WordInfo::bits == word_offset) { ------------------ | Branch (256:7): [True: 10.5k, False: 124k] | Branch (256:22): [True: 116k, False: 7.87k] ------------------ 257| 127k| return static_cast(w0 >> wshift) & mask; 258| 127k| } else { 259| 7.87k| const word w1 = word_at(word_offset + 1); 260| 7.87k| return static_cast((w0 >> wshift) | (w1 << (WordInfo::bits - wshift))) & mask; 261| 7.87k| } 262| 135k|} _ZNK5Botan6BigInt5bytesEv: 294| 2.67k|size_t BigInt::bytes() const { 295| 2.67k| return round_up(bits(), 8) / 8; 296| 2.67k|} _ZNK5Botan6BigInt13top_bits_freeEv: 298| 73.8k|size_t BigInt::top_bits_free() const { 299| 73.8k| const size_t words = sig_words(); 300| | 301| 73.8k| const word top_word = word_at(words - 1); 302| 73.8k| const size_t bits_used = high_bit(CT::value_barrier(top_word)); 303| 73.8k| CT::unpoison(bits_used); 304| 73.8k| return WordInfo::bits - bits_used; 305| 73.8k|} _ZNK5Botan6BigInt4bitsEv: 307| 42.2k|size_t BigInt::bits() const { 308| 42.2k| const size_t words = sig_words(); 309| | 310| 42.2k| if(words == 0) { ------------------ | Branch (310:7): [True: 6.13k, False: 36.0k] ------------------ 311| 6.13k| return 0; 312| 6.13k| } 313| | 314| 36.0k| const size_t full_words = (words - 1) * WordInfo::bits; 315| 36.0k| const size_t top_bits = WordInfo::bits - top_bits_free(); 316| | 317| 36.0k| return full_words + top_bits; 318| 42.2k|} _ZNK5Botan6BigIntngEv: 323| 162|BigInt BigInt::operator-() const { 324| 162| BigInt x = (*this); 325| 162| x.flip_sign(); 326| 162| return x; 327| 162|} _ZN5Botan6BigInt12reduce_belowERKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 329| 877k|size_t BigInt::reduce_below(const BigInt& p, secure_vector& ws) { 330| 877k| if(p.signum() < 0 || this->signum() < 0) { ------------------ | Branch (330:7): [True: 0, False: 877k] | Branch (330:25): [True: 0, False: 877k] ------------------ 331| 0| throw Invalid_Argument("BigInt::reduce_below both values must be positive"); 332| 0| } 333| | 334| 877k| const size_t p_words = p.sig_words(); 335| | 336| 877k| if(size() < p_words + 1) { ------------------ | Branch (336:7): [True: 2.49k, False: 874k] ------------------ 337| 2.49k| grow_to(p_words + 1); 338| 2.49k| } 339| | 340| 877k| if(ws.size() < p_words + 1) { ------------------ | Branch (340:7): [True: 37.8k, False: 839k] ------------------ 341| 37.8k| ws.resize(p_words + 1); 342| 37.8k| } 343| | 344| 877k| clear_mem(ws.data(), ws.size()); 345| | 346| 877k| size_t reductions = 0; 347| | 348| 2.23M| for(;;) { 349| 2.23M| const word borrow = bigint_sub3(ws.data(), _data(), p_words + 1, p._data(), p_words); 350| 2.23M| if(borrow > 0) { ------------------ | Branch (350:10): [True: 877k, False: 1.36M] ------------------ 351| 877k| break; 352| 877k| } 353| | 354| 1.36M| ++reductions; 355| 1.36M| swap_reg(ws); 356| 1.36M| } 357| | 358| 877k| return reductions; 359| 877k|} _ZNK5Botan6BigInt3absEv: 386| 1.42k|BigInt BigInt::abs() const { 387| 1.42k| BigInt x = (*this); 388| 1.42k| x.set_sign(Positive); 389| 1.42k| return x; 390| 1.42k|} _ZNK5Botan6BigInt12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 395| 968|void BigInt::serialize_to(std::span output) const { 396| 968| BOTAN_ARG_CHECK(this->bytes() <= output.size(), "Insufficient output space"); ------------------ | | 35| 968| do { \ | | 36| 968| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 968| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 968] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 968| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 968] | | ------------------ ------------------ 397| | 398| 968| this->binary_encode(output.data(), output.size()); 399| 968|} _ZNK5Botan6BigInt13binary_encodeEPhm: 404| 968|void BigInt::binary_encode(uint8_t output[], size_t len) const { 405| 968| const size_t full_words = len / sizeof(word); 406| 968| const size_t extra_bytes = len % sizeof(word); 407| | 408| 5.22k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (408:22): [True: 4.25k, False: 968] ------------------ 409| 4.25k| const word w = word_at(i); 410| 4.25k| store_be(w, output + (len - (i + 1) * sizeof(word))); 411| 4.25k| } 412| | 413| 968| if(extra_bytes > 0) { ------------------ | Branch (413:7): [True: 924, False: 44] ------------------ 414| 924| const word w = word_at(full_words); 415| | 416| 4.56k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (416:25): [True: 3.64k, False: 924] ------------------ 417| 3.64k| output[extra_bytes - i - 1] = get_byte_var(sizeof(word) - i - 1, w); 418| 3.64k| } 419| 924| } 420| 968|} _ZN5Botan6BigInt17assign_from_bytesENSt3__14spanIKhLm18446744073709551615EEE: 425| 39.4k|void BigInt::assign_from_bytes(std::span bytes) { 426| 39.4k| clear(); 427| | 428| 39.4k| const size_t length = bytes.size(); 429| 39.4k| const size_t full_words = length / sizeof(word); 430| 39.4k| const size_t extra_bytes = length % sizeof(word); 431| | 432| 39.4k| secure_vector reg((round_up(full_words + (extra_bytes > 0 ? 1 : 0), 8))); ------------------ | Branch (432:52): [True: 26.8k, False: 12.6k] ------------------ 433| | 434| 165k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (434:22): [True: 125k, False: 39.4k] ------------------ 435| 125k| reg[i] = load_be(bytes.last()); 436| 125k| bytes = bytes.first(bytes.size() - sizeof(word)); 437| 125k| } 438| | 439| 39.4k| if(!bytes.empty()) { ------------------ | Branch (439:7): [True: 26.8k, False: 12.6k] ------------------ 440| 26.8k| BOTAN_ASSERT_NOMSG(extra_bytes == bytes.size()); ------------------ | | 77| 26.8k| do { \ | | 78| 26.8k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 26.8k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 26.8k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 26.8k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 26.8k] | | ------------------ ------------------ 441| 26.8k| std::array last_partial_word = {0}; 442| 26.8k| copy_mem(std::span{last_partial_word}.last(extra_bytes), bytes); 443| 26.8k| reg[full_words] = load_be(last_partial_word); 444| 26.8k| } 445| | 446| 39.4k| m_data.swap(reg); 447| 39.4k|} _ZN5Botan6BigInt11ct_cond_addEbRKS0_: 449| 875k|void BigInt::ct_cond_add(bool predicate, const BigInt& value) { 450| 875k| if(this->signum() < 0 || value.signum() < 0) { ------------------ | Branch (450:7): [True: 0, False: 875k] | Branch (450:29): [True: 0, False: 875k] ------------------ 451| 0| throw Invalid_Argument("BigInt::ct_cond_add requires both values to be positive"); 452| 0| } 453| 875k| const size_t v_words = value.sig_words(); 454| | 455| | // The carry can propagate through every existing word of *this, so the 456| | // output needs one slot above whichever input is wider. 457| 875k| this->grow_to(std::max(this->size(), v_words) + 1); 458| | 459| 875k| const auto mask = CT::Mask::expand(static_cast(predicate)).value(); 460| | 461| 875k| word carry = 0; 462| | 463| 875k| word* x = this->mutable_data(); 464| 875k| const word* y = value._data(); 465| | 466| 6.86M| for(size_t i = 0; i != v_words; ++i) { ------------------ | Branch (466:22): [True: 5.99M, False: 875k] ------------------ 467| 5.99M| x[i] = word_add(x[i], y[i] & mask, &carry); 468| 5.99M| } 469| | 470| 12.8M| for(size_t i = v_words; i != size(); ++i) { ------------------ | Branch (470:28): [True: 11.9M, False: 875k] ------------------ 471| 11.9M| x[i] = word_add(x[i], static_cast(0), &carry); 472| 11.9M| } 473| 875k|} _ZN5Botan6BigInt14cond_flip_signEb: 521| 612k|void BigInt::cond_flip_sign(bool predicate) { 522| | // This code is assuming Negative == 0, Positive == 1 523| | 524| 612k| const auto mask = CT::Mask::expand_bool(predicate); 525| | 526| 612k| const uint8_t current_sign = static_cast(sign()); 527| | 528| 612k| const uint8_t new_sign = mask.select(current_sign ^ 1, current_sign); 529| | 530| 612k| set_sign(static_cast(new_sign)); 531| 612k|} _ZN5Botan6BigInt14ct_cond_assignEbRKS0_: 533| 583k|void BigInt::ct_cond_assign(bool predicate, const BigInt& other) { 534| 583k| const size_t t_words = size(); 535| 583k| const size_t o_words = other.size(); 536| | 537| 583k| if(t_words < o_words) { ------------------ | Branch (537:7): [True: 583k, False: 0] ------------------ 538| 583k| grow_to(o_words); 539| 583k| } 540| | 541| 583k| const size_t r_words = std::max(t_words, o_words); 542| | 543| 583k| const auto mask = CT::Mask::expand_bool(predicate); 544| | 545| 12.5M| for(size_t i = 0; i != r_words; ++i) { ------------------ | Branch (545:22): [True: 11.9M, False: 583k] ------------------ 546| 11.9M| const word o_word = other.word_at(i); 547| 11.9M| const word t_word = this->word_at(i); 548| 11.9M| this->set_word_at(i, mask.select(o_word, t_word)); 549| 11.9M| } 550| | 551| 583k| const auto same_sign = CT::Mask::is_equal(sign(), other.sign()).as_choice(); 552| 583k| cond_flip_sign((mask.as_choice() && !same_sign).as_bool()); 553| 583k|} _ZNK5Botan6BigInt20_const_time_unpoisonEv: 559| 8.46M|void BigInt::_const_time_unpoison() const { 560| 8.46M| CT::unpoison(m_data.const_data(), m_data.size()); 561| 8.46M|} _ZN5Botan15ct_divide_pow2kEmRKNS_6BigIntE: 89| 912|BigInt ct_divide_pow2k(size_t k, const BigInt& y) { 90| 912| BOTAN_ARG_CHECK(y.signum() != 0, "Cannot divide by zero"); ------------------ | | 35| 912| do { \ | | 36| 912| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 912| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 912] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 912| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 912] | | ------------------ ------------------ 91| 912| BOTAN_ARG_CHECK(y.signum() >= 0, "Negative divisor not supported"); ------------------ | | 35| 912| do { \ | | 36| 912| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 912| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 912] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 912| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 912] | | ------------------ ------------------ 92| 912| BOTAN_ARG_CHECK(k > 1, "Invalid k"); ------------------ | | 35| 912| do { \ | | 36| 912| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 912| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 912] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 912| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 912] | | ------------------ ------------------ 93| | 94| 912| const size_t x_bits = k + 1; 95| 912| const size_t y_bits = y.bits(); 96| | 97| 912| if(x_bits < y_bits) { ------------------ | Branch (97:7): [True: 0, False: 912] ------------------ 98| 0| return BigInt::zero(); 99| 0| } 100| | 101| 912| BOTAN_ASSERT_NOMSG(y_bits >= 1); ------------------ | | 77| 912| do { \ | | 78| 912| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 912| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 912] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 912| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 912] | | ------------------ ------------------ 102| 912| const size_t x_words = (x_bits + WordInfo::bits - 1) / WordInfo::bits; 103| 912| const size_t y_words = y.sig_words(); 104| | 105| 912| BigInt q = BigInt::with_capacity(x_words); 106| 912| BigInt r = BigInt::with_capacity(y_words + 1); 107| 912| BigInt t = BigInt::with_capacity(y_words + 1); // a temporary 108| | 109| 912| r.set_bit(y_bits - 1); 110| 278k| for(size_t i = y_bits - 1; i != x_bits; ++i) { ------------------ | Branch (110:31): [True: 277k, False: 912] ------------------ 111| 277k| const size_t b = x_bits - 1 - i; 112| | 113| 277k| if(i >= y_bits) { ------------------ | Branch (113:10): [True: 276k, False: 912] ------------------ 114| 276k| bigint_shl1(r.mutable_data(), r.size(), r.size(), 1); 115| 276k| } 116| | 117| 277k| const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0; 118| | 119| 277k| q.conditionally_set_bit(b, r_gte_y); 120| | 121| 277k| bigint_cnd_swap(static_cast(r_gte_y), r.mutable_data(), t.mutable_data(), y_words + 1); 122| 277k| } 123| | 124| | // No need for sign fixup 125| | 126| 912| return q; 127| 912|} _ZN5Botan14ct_divide_wordERKNS_6BigIntEmRS0_Rm: 129| 1.36k|void ct_divide_word(const BigInt& x, word y, BigInt& q_out, word& r_out) { 130| 1.36k| if(y == 0) { ------------------ | Branch (130:7): [True: 0, False: 1.36k] ------------------ 131| 0| throw Invalid_Argument("ct_divide_word: cannot divide by zero"); 132| 0| } 133| | 134| 1.36k| const size_t x_words = x.sig_words(); 135| 1.36k| const size_t x_bits = x.bits(); 136| | 137| 1.36k| BigInt q = BigInt::with_capacity(x_words); 138| 1.36k| word r = 0; 139| | 140| 361k| for(size_t i = 0; i != x_bits; ++i) { ------------------ | Branch (140:22): [True: 359k, False: 1.36k] ------------------ 141| 359k| const size_t b = x_bits - 1 - i; 142| 359k| const bool x_b = x.get_bit(b); 143| | 144| 359k| const auto r_carry = CT::Mask::expand_top_bit(r); 145| | 146| 359k| r <<= 1; 147| 359k| r += static_cast(x_b); 148| | 149| 359k| const auto r_gte_y = CT::Mask::is_gte(r, y) | r_carry; 150| 359k| q.conditionally_set_bit(b, r_gte_y.as_bool()); 151| 359k| r = r_gte_y.select(r - y, r); 152| 359k| } 153| | 154| 1.36k| if(x.signum() < 0) { ------------------ | Branch (154:7): [True: 0, False: 1.36k] ------------------ 155| 0| q.flip_sign(); 156| 0| if(r != 0) { ------------------ | Branch (156:10): [True: 0, False: 0] ------------------ 157| 0| --q; 158| 0| r = y - r; 159| 0| } 160| 0| } 161| | 162| 1.36k| r_out = r; 163| 1.36k| q_out = q; 164| 1.36k|} _ZN5Botan20vartime_divide_pow2kEmRKNS_6BigIntE: 232| 10.5k|BigInt vartime_divide_pow2k(size_t k, const BigInt& y_arg) { 233| 10.5k| constexpr size_t WB = WordInfo::bits; 234| | 235| 10.5k| BOTAN_ARG_CHECK(y_arg.signum() != 0, "Cannot divide by zero"); ------------------ | | 35| 10.5k| do { \ | | 36| 10.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 10.5k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 10.5k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 10.5k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 10.5k] | | ------------------ ------------------ 236| 10.5k| BOTAN_ARG_CHECK(y_arg.signum() >= 0, "Negative divisor not supported"); ------------------ | | 35| 10.5k| do { \ | | 36| 10.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 10.5k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 10.5k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 10.5k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 10.5k] | | ------------------ ------------------ 237| 10.5k| BOTAN_ARG_CHECK(k > 1, "Invalid k"); ------------------ | | 35| 10.5k| do { \ | | 36| 10.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 10.5k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 10.5k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 10.5k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 10.5k] | | ------------------ ------------------ 238| | 239| 10.5k| BigInt y = y_arg; 240| | 241| 10.5k| const size_t y_words = y.sig_words(); 242| | 243| 10.5k| BOTAN_ASSERT_NOMSG(y_words > 0); ------------------ | | 77| 10.5k| do { \ | | 78| 10.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 10.5k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 10.5k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 10.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 10.5k] | | ------------------ ------------------ 244| | 245| | // Calculate shifts needed to normalize y with high bit set 246| 10.5k| const size_t shifts = y.top_bits_free(); 247| | 248| 10.5k| if(shifts > 0) { ------------------ | Branch (248:7): [True: 5.93k, False: 4.65k] ------------------ 249| 5.93k| y <<= shifts; 250| 5.93k| } 251| | 252| 10.5k| BigInt r; 253| 10.5k| r.set_bit(k + shifts); // (2^k) << shifts 254| | 255| | // we know y has not changed size, since we only shifted up to set high bit 256| 10.5k| const size_t t = y_words - 1; 257| 10.5k| const size_t n = std::max(y_words, r.sig_words()) - 1; 258| | 259| 10.5k| BOTAN_ASSERT_NOMSG(n >= t); ------------------ | | 77| 10.5k| do { \ | | 78| 10.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 10.5k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 10.5k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 10.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 10.5k] | | ------------------ ------------------ 260| | 261| 10.5k| BigInt q = BigInt::zero(); 262| 10.5k| q.grow_to(n - t + 1); 263| | 264| 10.5k| word* q_words = q.mutable_data(); 265| | 266| 10.5k| BigInt shifted_y = y << (WB * (n - t)); 267| | 268| | // Set q_{n-t} to number of times r > shifted_y 269| 10.5k| secure_vector ws; 270| 10.5k| q_words[n - t] = r.reduce_below(shifted_y, ws); 271| | 272| 10.5k| const word y_t0 = y.word_at(t); 273| 10.5k| const word y_t1 = y.word_at(t - 1); 274| 10.5k| BOTAN_DEBUG_ASSERT((y_t0 >> (WB - 1)) == 1); ------------------ | | 130| 10.5k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 10.5k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 10.5k] | | ------------------ ------------------ 275| | 276| 10.5k| const divide_precomp div_y_t0(y_t0); 277| | 278| 76.0k| for(size_t i = n; i != t; --i) { ------------------ | Branch (278:22): [True: 65.4k, False: 10.5k] ------------------ 279| 65.4k| const word x_i0 = r.word_at(i); 280| 65.4k| const word x_i1 = r.word_at(i - 1); 281| 65.4k| const word x_i2 = r.word_at(i - 2); 282| | 283| 65.4k| word qit = (x_i0 == y_t0) ? WordInfo::max : div_y_t0.vartime_div_2to1(x_i0, x_i1); ------------------ | Branch (283:18): [True: 751, False: 64.7k] ------------------ 284| | 285| | // Per HAC 14.23, this operation is required at most twice 286| 73.8k| for(size_t j = 0; j != 2; ++j) { ------------------ | Branch (286:25): [True: 73.6k, False: 177] ------------------ 287| 73.6k| if(division_check_vartime(qit, y_t0, y_t1, x_i0, x_i1, x_i2)) { ------------------ | Branch (287:13): [True: 8.32k, False: 65.2k] ------------------ 288| 8.32k| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 8.32k| do { \ | | 78| 8.32k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 8.32k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 8.32k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 8.32k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 8.32k] | | ------------------ ------------------ 289| 8.32k| qit--; 290| 65.2k| } else { 291| 65.2k| break; 292| 65.2k| } 293| 73.6k| } 294| | 295| 65.4k| shifted_y >>= WB; 296| | // Now shifted_y == y << (WB * (i-t-1)) 297| | 298| | /* 299| | * Special case qit == 0 and qit == 1 which occurs relatively often here due to a 300| | * combination of the fixed 2^k and in many cases the typical structure of 301| | * public moduli (as this function is called by Barrett_Reduction::for_public_modulus). 302| | * 303| | * Over the test suite, about 5% of loop iterations have qit == 1 and 10% have qit == 0 304| | */ 305| | 306| 65.4k| if(qit != 0) { ------------------ | Branch (306:10): [True: 47.1k, False: 18.3k] ------------------ 307| 47.1k| if(qit == 1) { ------------------ | Branch (307:13): [True: 6.39k, False: 40.7k] ------------------ 308| 6.39k| r -= shifted_y; 309| 40.7k| } else { 310| 40.7k| r -= qit * shifted_y; 311| 40.7k| } 312| | 313| 47.1k| if(r.signum() < 0) { ------------------ | Branch (313:13): [True: 55, False: 47.1k] ------------------ 314| 55| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 55| do { \ | | 78| 55| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 55| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 55] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 55| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 55] | | ------------------ ------------------ 315| 55| qit--; 316| 55| r += shifted_y; 317| 55| BOTAN_ASSERT_NOMSG(r.signum() >= 0); ------------------ | | 77| 55| do { \ | | 78| 55| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 55| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 55] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 55| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 55] | | ------------------ ------------------ 318| 55| } 319| 47.1k| } 320| | 321| 65.4k| q_words[i - t - 1] = qit; 322| 65.4k| } 323| | 324| 10.5k| return q; 325| 10.5k|} _ZN5Botan14vartime_divideERKNS_6BigIntES2_RS0_S3_: 332| 27.2k|void vartime_divide(const BigInt& x, const BigInt& y_arg, BigInt& q_out, BigInt& r_out) { 333| 27.2k| constexpr size_t WB = WordInfo::bits; 334| | 335| 27.2k| if(y_arg.is_zero()) { ------------------ | Branch (335:7): [True: 0, False: 27.2k] ------------------ 336| 0| throw Invalid_Argument("vartime_divide: cannot divide by zero"); 337| 0| } 338| | 339| 27.2k| const size_t y_words = y_arg.sig_words(); 340| | 341| 27.2k| BOTAN_ASSERT_NOMSG(y_words > 0); ------------------ | | 77| 27.2k| do { \ | | 78| 27.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 27.2k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 27.2k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 27.2k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 27.2k] | | ------------------ ------------------ 342| | 343| 27.2k| BigInt y = y_arg; 344| | 345| 27.2k| BigInt r = x; 346| 27.2k| BigInt q = BigInt::zero(); 347| 27.2k| secure_vector ws; 348| | 349| 27.2k| r.set_sign(BigInt::Positive); 350| 27.2k| y.set_sign(BigInt::Positive); 351| | 352| | // Calculate shifts needed to normalize y with high bit set 353| 27.2k| const size_t shifts = y.top_bits_free(); 354| | 355| 27.2k| if(shifts > 0) { ------------------ | Branch (355:7): [True: 26.5k, False: 719] ------------------ 356| 26.5k| y <<= shifts; 357| 26.5k| r <<= shifts; 358| 26.5k| } 359| | 360| | // we know y has not changed size, since we only shifted up to set high bit 361| 27.2k| const size_t t = y_words - 1; 362| 27.2k| const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however 363| | 364| 27.2k| BOTAN_ASSERT_NOMSG(n >= t); ------------------ | | 77| 27.2k| do { \ | | 78| 27.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 27.2k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 27.2k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 27.2k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 27.2k] | | ------------------ ------------------ 365| | 366| 27.2k| q.grow_to(n - t + 1); 367| | 368| 27.2k| word* q_words = q.mutable_data(); 369| | 370| 27.2k| BigInt shifted_y = y << (WB * (n - t)); 371| | 372| | // Set q_{n-t} to number of times r > shifted_y 373| 27.2k| q_words[n - t] = r.reduce_below(shifted_y, ws); 374| | 375| 27.2k| const word y_t0 = y.word_at(t); 376| 27.2k| const word y_t1 = y.word_at(t - 1); 377| 27.2k| BOTAN_DEBUG_ASSERT((y_t0 >> (WB - 1)) == 1); ------------------ | | 130| 27.2k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 27.2k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 27.2k] | | ------------------ ------------------ 378| | 379| 27.2k| const divide_precomp div_y_t0(y_t0); 380| | 381| 53.5k| for(size_t i = n; i != t; --i) { ------------------ | Branch (381:22): [True: 26.2k, False: 27.2k] ------------------ 382| 26.2k| const word x_i0 = r.word_at(i); 383| 26.2k| const word x_i1 = r.word_at(i - 1); 384| 26.2k| const word x_i2 = r.word_at(i - 2); 385| | 386| 26.2k| word qit = (x_i0 == y_t0) ? WordInfo::max : div_y_t0.vartime_div_2to1(x_i0, x_i1); ------------------ | Branch (386:18): [True: 218, False: 26.0k] ------------------ 387| | 388| | // Per HAC 14.23, this operation is required at most twice 389| 27.7k| for(size_t j = 0; j != 2; ++j) { ------------------ | Branch (389:25): [True: 27.6k, False: 34] ------------------ 390| 27.6k| if(division_check_vartime(qit, y_t0, y_t1, x_i0, x_i1, x_i2)) { ------------------ | Branch (390:13): [True: 1.46k, False: 26.2k] ------------------ 391| 1.46k| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 1.46k| do { \ | | 78| 1.46k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.46k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.46k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.46k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.46k] | | ------------------ ------------------ 392| 1.46k| qit--; 393| 26.2k| } else { 394| 26.2k| break; 395| 26.2k| } 396| 27.6k| } 397| | 398| 26.2k| shifted_y >>= WB; 399| | // Now shifted_y == y << (WB * (i-t-1)) 400| | 401| 26.2k| if(qit != 0) { ------------------ | Branch (401:10): [True: 26.0k, False: 187] ------------------ 402| 26.0k| r -= qit * shifted_y; 403| 26.0k| if(r.signum() < 0) { ------------------ | Branch (403:13): [True: 70, False: 26.0k] ------------------ 404| 70| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 70| do { \ | | 78| 70| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 70| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 70] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 70| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 70] | | ------------------ ------------------ 405| 70| qit--; 406| 70| r += shifted_y; 407| 70| BOTAN_ASSERT_NOMSG(r.signum() >= 0); ------------------ | | 77| 70| do { \ | | 78| 70| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 70| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 70] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 70| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 70] | | ------------------ ------------------ 408| 70| } 409| 26.0k| } 410| | 411| 26.2k| q_words[i - t - 1] = qit; 412| 26.2k| } 413| | 414| 27.2k| if(shifts > 0) { ------------------ | Branch (414:7): [True: 26.5k, False: 719] ------------------ 415| 26.5k| r >>= shifts; 416| 26.5k| } 417| | 418| 27.2k| sign_fixup(x, y_arg, q, r); 419| | 420| 27.2k| r_out = r; 421| 27.2k| q_out = q; 422| 27.2k|} divide.cpp:_ZN5Botan12_GLOBAL__N_110sign_fixupERKNS_6BigIntES3_RS1_S4_: 21| 27.2k|void sign_fixup(const BigInt& x, const BigInt& y, BigInt& q, BigInt& r) { 22| 27.2k| q.cond_flip_sign(x.sign() != y.sign()); 23| | 24| 27.2k| if(x.signum() < 0 && r.signum() != 0) { ------------------ | Branch (24:7): [True: 1.42k, False: 25.8k] | Branch (24:25): [True: 1.42k, False: 0] ------------------ 25| 1.42k| if(y.signum() > 0) { ------------------ | Branch (25:10): [True: 1.42k, False: 0] ------------------ 26| 1.42k| q -= 1; 27| 1.42k| } else { 28| 0| q += 1; 29| 0| } 30| 1.42k| r = y.abs() - r; 31| 1.42k| } 32| 27.2k|} divide.cpp:_ZN5Botan12_GLOBAL__N_122division_check_vartimeEmmmmmm: 34| 101k|inline bool division_check_vartime(word q, word y2, word y1, word x3, word x2, word x1) { 35| | /* 36| | Compute (y3,y2,y1) = (y2,y1) * q 37| | and return true if (y3,y2,y1) > (x3,x2,x1) 38| | */ 39| | 40| 101k| word y3 = 0; 41| 101k| y1 = word_madd2(q, y1, &y3); 42| 101k| y2 = word_madd2(q, y2, &y3); 43| | 44| 101k| if(x3 != y3) { ------------------ | Branch (44:7): [True: 44.5k, False: 56.7k] ------------------ 45| 44.5k| return (y3 > x3); 46| 44.5k| } 47| 56.7k| if(x2 != y2) { ------------------ | Branch (47:7): [True: 42.2k, False: 14.4k] ------------------ 48| 42.2k| return (y2 > x2); 49| 42.2k| } 50| 14.4k| return (y1 > x1); 51| 56.7k|} _ZN5Botan17bigint_comba_sqr4EPmPKm: 17| 4.82M|void bigint_comba_sqr4(word z[8], const word x[4]) { 18| 4.82M| word3 accum; 19| | 20| 4.82M| accum.mul(x[0], x[0]); 21| 4.82M| z[0] = accum.extract(); 22| 4.82M| accum.mul_x2(x[0], x[1]); 23| 4.82M| z[1] = accum.extract(); 24| 4.82M| accum.mul_x2(x[0], x[2]); 25| 4.82M| accum.mul(x[1], x[1]); 26| 4.82M| z[2] = accum.extract(); 27| 4.82M| accum.mul_x2(x[0], x[3]); 28| 4.82M| accum.mul_x2(x[1], x[2]); 29| 4.82M| z[3] = accum.extract(); 30| 4.82M| accum.mul_x2(x[1], x[3]); 31| 4.82M| accum.mul(x[2], x[2]); 32| 4.82M| z[4] = accum.extract(); 33| 4.82M| accum.mul_x2(x[2], x[3]); 34| 4.82M| z[5] = accum.extract(); 35| 4.82M| accum.mul(x[3], x[3]); 36| 4.82M| z[6] = accum.extract(); 37| 4.82M| z[7] = accum.extract(); 38| 4.82M|} _ZN5Botan17bigint_comba_mul4EPmPKmS2_: 43| 11.4M|void bigint_comba_mul4(word z[8], const word x[4], const word y[4]) { 44| 11.4M| word3 accum; 45| | 46| 11.4M| accum.mul(x[0], y[0]); 47| 11.4M| z[0] = accum.extract(); 48| 11.4M| accum.mul(x[0], y[1]); 49| 11.4M| accum.mul(x[1], y[0]); 50| 11.4M| z[1] = accum.extract(); 51| 11.4M| accum.mul(x[0], y[2]); 52| 11.4M| accum.mul(x[1], y[1]); 53| 11.4M| accum.mul(x[2], y[0]); 54| 11.4M| z[2] = accum.extract(); 55| 11.4M| accum.mul(x[0], y[3]); 56| 11.4M| accum.mul(x[1], y[2]); 57| 11.4M| accum.mul(x[2], y[1]); 58| 11.4M| accum.mul(x[3], y[0]); 59| 11.4M| z[3] = accum.extract(); 60| 11.4M| accum.mul(x[1], y[3]); 61| 11.4M| accum.mul(x[2], y[2]); 62| 11.4M| accum.mul(x[3], y[1]); 63| 11.4M| z[4] = accum.extract(); 64| 11.4M| accum.mul(x[2], y[3]); 65| 11.4M| accum.mul(x[3], y[2]); 66| 11.4M| z[5] = accum.extract(); 67| 11.4M| accum.mul(x[3], y[3]); 68| 11.4M| z[6] = accum.extract(); 69| 11.4M| z[7] = accum.extract(); 70| 11.4M|} _ZN5Botan17bigint_comba_sqr6EPmPKm: 75| 196k|void bigint_comba_sqr6(word z[12], const word x[6]) { 76| 196k| word3 accum; 77| | 78| 196k| accum.mul(x[0], x[0]); 79| 196k| z[0] = accum.extract(); 80| 196k| accum.mul_x2(x[0], x[1]); 81| 196k| z[1] = accum.extract(); 82| 196k| accum.mul_x2(x[0], x[2]); 83| 196k| accum.mul(x[1], x[1]); 84| 196k| z[2] = accum.extract(); 85| 196k| accum.mul_x2(x[0], x[3]); 86| 196k| accum.mul_x2(x[1], x[2]); 87| 196k| z[3] = accum.extract(); 88| 196k| accum.mul_x2(x[0], x[4]); 89| 196k| accum.mul_x2(x[1], x[3]); 90| 196k| accum.mul(x[2], x[2]); 91| 196k| z[4] = accum.extract(); 92| 196k| accum.mul_x2(x[0], x[5]); 93| 196k| accum.mul_x2(x[1], x[4]); 94| 196k| accum.mul_x2(x[2], x[3]); 95| 196k| z[5] = accum.extract(); 96| 196k| accum.mul_x2(x[1], x[5]); 97| 196k| accum.mul_x2(x[2], x[4]); 98| 196k| accum.mul(x[3], x[3]); 99| 196k| z[6] = accum.extract(); 100| 196k| accum.mul_x2(x[2], x[5]); 101| 196k| accum.mul_x2(x[3], x[4]); 102| 196k| z[7] = accum.extract(); 103| 196k| accum.mul_x2(x[3], x[5]); 104| 196k| accum.mul(x[4], x[4]); 105| 196k| z[8] = accum.extract(); 106| 196k| accum.mul_x2(x[4], x[5]); 107| 196k| z[9] = accum.extract(); 108| 196k| accum.mul(x[5], x[5]); 109| 196k| z[10] = accum.extract(); 110| 196k| z[11] = accum.extract(); 111| 196k|} _ZN5Botan17bigint_comba_mul6EPmPKmS2_: 116| 2.75M|void bigint_comba_mul6(word z[12], const word x[6], const word y[6]) { 117| 2.75M| word3 accum; 118| | 119| 2.75M| accum.mul(x[0], y[0]); 120| 2.75M| z[0] = accum.extract(); 121| 2.75M| accum.mul(x[0], y[1]); 122| 2.75M| accum.mul(x[1], y[0]); 123| 2.75M| z[1] = accum.extract(); 124| 2.75M| accum.mul(x[0], y[2]); 125| 2.75M| accum.mul(x[1], y[1]); 126| 2.75M| accum.mul(x[2], y[0]); 127| 2.75M| z[2] = accum.extract(); 128| 2.75M| accum.mul(x[0], y[3]); 129| 2.75M| accum.mul(x[1], y[2]); 130| 2.75M| accum.mul(x[2], y[1]); 131| 2.75M| accum.mul(x[3], y[0]); 132| 2.75M| z[3] = accum.extract(); 133| 2.75M| accum.mul(x[0], y[4]); 134| 2.75M| accum.mul(x[1], y[3]); 135| 2.75M| accum.mul(x[2], y[2]); 136| 2.75M| accum.mul(x[3], y[1]); 137| 2.75M| accum.mul(x[4], y[0]); 138| 2.75M| z[4] = accum.extract(); 139| 2.75M| accum.mul(x[0], y[5]); 140| 2.75M| accum.mul(x[1], y[4]); 141| 2.75M| accum.mul(x[2], y[3]); 142| 2.75M| accum.mul(x[3], y[2]); 143| 2.75M| accum.mul(x[4], y[1]); 144| 2.75M| accum.mul(x[5], y[0]); 145| 2.75M| z[5] = accum.extract(); 146| 2.75M| accum.mul(x[1], y[5]); 147| 2.75M| accum.mul(x[2], y[4]); 148| 2.75M| accum.mul(x[3], y[3]); 149| 2.75M| accum.mul(x[4], y[2]); 150| 2.75M| accum.mul(x[5], y[1]); 151| 2.75M| z[6] = accum.extract(); 152| 2.75M| accum.mul(x[2], y[5]); 153| 2.75M| accum.mul(x[3], y[4]); 154| 2.75M| accum.mul(x[4], y[3]); 155| 2.75M| accum.mul(x[5], y[2]); 156| 2.75M| z[7] = accum.extract(); 157| 2.75M| accum.mul(x[3], y[5]); 158| 2.75M| accum.mul(x[4], y[4]); 159| 2.75M| accum.mul(x[5], y[3]); 160| 2.75M| z[8] = accum.extract(); 161| 2.75M| accum.mul(x[4], y[5]); 162| 2.75M| accum.mul(x[5], y[4]); 163| 2.75M| z[9] = accum.extract(); 164| 2.75M| accum.mul(x[5], y[5]); 165| 2.75M| z[10] = accum.extract(); 166| 2.75M| z[11] = accum.extract(); 167| 2.75M|} _ZN5Botan17bigint_comba_sqr7EPmPKm: 172| 2.23k|void bigint_comba_sqr7(word z[14], const word x[7]) { 173| 2.23k| word3 accum; 174| | 175| 2.23k| accum.mul(x[0], x[0]); 176| 2.23k| z[0] = accum.extract(); 177| 2.23k| accum.mul_x2(x[0], x[1]); 178| 2.23k| z[1] = accum.extract(); 179| 2.23k| accum.mul_x2(x[0], x[2]); 180| 2.23k| accum.mul(x[1], x[1]); 181| 2.23k| z[2] = accum.extract(); 182| 2.23k| accum.mul_x2(x[0], x[3]); 183| 2.23k| accum.mul_x2(x[1], x[2]); 184| 2.23k| z[3] = accum.extract(); 185| 2.23k| accum.mul_x2(x[0], x[4]); 186| 2.23k| accum.mul_x2(x[1], x[3]); 187| 2.23k| accum.mul(x[2], x[2]); 188| 2.23k| z[4] = accum.extract(); 189| 2.23k| accum.mul_x2(x[0], x[5]); 190| 2.23k| accum.mul_x2(x[1], x[4]); 191| 2.23k| accum.mul_x2(x[2], x[3]); 192| 2.23k| z[5] = accum.extract(); 193| 2.23k| accum.mul_x2(x[0], x[6]); 194| 2.23k| accum.mul_x2(x[1], x[5]); 195| 2.23k| accum.mul_x2(x[2], x[4]); 196| 2.23k| accum.mul(x[3], x[3]); 197| 2.23k| z[6] = accum.extract(); 198| 2.23k| accum.mul_x2(x[1], x[6]); 199| 2.23k| accum.mul_x2(x[2], x[5]); 200| 2.23k| accum.mul_x2(x[3], x[4]); 201| 2.23k| z[7] = accum.extract(); 202| 2.23k| accum.mul_x2(x[2], x[6]); 203| 2.23k| accum.mul_x2(x[3], x[5]); 204| 2.23k| accum.mul(x[4], x[4]); 205| 2.23k| z[8] = accum.extract(); 206| 2.23k| accum.mul_x2(x[3], x[6]); 207| 2.23k| accum.mul_x2(x[4], x[5]); 208| 2.23k| z[9] = accum.extract(); 209| 2.23k| accum.mul_x2(x[4], x[6]); 210| 2.23k| accum.mul(x[5], x[5]); 211| 2.23k| z[10] = accum.extract(); 212| 2.23k| accum.mul_x2(x[5], x[6]); 213| 2.23k| z[11] = accum.extract(); 214| 2.23k| accum.mul(x[6], x[6]); 215| 2.23k| z[12] = accum.extract(); 216| 2.23k| z[13] = accum.extract(); 217| 2.23k|} _ZN5Botan17bigint_comba_mul7EPmPKmS2_: 222| 2.25k|void bigint_comba_mul7(word z[14], const word x[7], const word y[7]) { 223| 2.25k| word3 accum; 224| | 225| 2.25k| accum.mul(x[0], y[0]); 226| 2.25k| z[0] = accum.extract(); 227| 2.25k| accum.mul(x[0], y[1]); 228| 2.25k| accum.mul(x[1], y[0]); 229| 2.25k| z[1] = accum.extract(); 230| 2.25k| accum.mul(x[0], y[2]); 231| 2.25k| accum.mul(x[1], y[1]); 232| 2.25k| accum.mul(x[2], y[0]); 233| 2.25k| z[2] = accum.extract(); 234| 2.25k| accum.mul(x[0], y[3]); 235| 2.25k| accum.mul(x[1], y[2]); 236| 2.25k| accum.mul(x[2], y[1]); 237| 2.25k| accum.mul(x[3], y[0]); 238| 2.25k| z[3] = accum.extract(); 239| 2.25k| accum.mul(x[0], y[4]); 240| 2.25k| accum.mul(x[1], y[3]); 241| 2.25k| accum.mul(x[2], y[2]); 242| 2.25k| accum.mul(x[3], y[1]); 243| 2.25k| accum.mul(x[4], y[0]); 244| 2.25k| z[4] = accum.extract(); 245| 2.25k| accum.mul(x[0], y[5]); 246| 2.25k| accum.mul(x[1], y[4]); 247| 2.25k| accum.mul(x[2], y[3]); 248| 2.25k| accum.mul(x[3], y[2]); 249| 2.25k| accum.mul(x[4], y[1]); 250| 2.25k| accum.mul(x[5], y[0]); 251| 2.25k| z[5] = accum.extract(); 252| 2.25k| accum.mul(x[0], y[6]); 253| 2.25k| accum.mul(x[1], y[5]); 254| 2.25k| accum.mul(x[2], y[4]); 255| 2.25k| accum.mul(x[3], y[3]); 256| 2.25k| accum.mul(x[4], y[2]); 257| 2.25k| accum.mul(x[5], y[1]); 258| 2.25k| accum.mul(x[6], y[0]); 259| 2.25k| z[6] = accum.extract(); 260| 2.25k| accum.mul(x[1], y[6]); 261| 2.25k| accum.mul(x[2], y[5]); 262| 2.25k| accum.mul(x[3], y[4]); 263| 2.25k| accum.mul(x[4], y[3]); 264| 2.25k| accum.mul(x[5], y[2]); 265| 2.25k| accum.mul(x[6], y[1]); 266| 2.25k| z[7] = accum.extract(); 267| 2.25k| accum.mul(x[2], y[6]); 268| 2.25k| accum.mul(x[3], y[5]); 269| 2.25k| accum.mul(x[4], y[4]); 270| 2.25k| accum.mul(x[5], y[3]); 271| 2.25k| accum.mul(x[6], y[2]); 272| 2.25k| z[8] = accum.extract(); 273| 2.25k| accum.mul(x[3], y[6]); 274| 2.25k| accum.mul(x[4], y[5]); 275| 2.25k| accum.mul(x[5], y[4]); 276| 2.25k| accum.mul(x[6], y[3]); 277| 2.25k| z[9] = accum.extract(); 278| 2.25k| accum.mul(x[4], y[6]); 279| 2.25k| accum.mul(x[5], y[5]); 280| 2.25k| accum.mul(x[6], y[4]); 281| 2.25k| z[10] = accum.extract(); 282| 2.25k| accum.mul(x[5], y[6]); 283| 2.25k| accum.mul(x[6], y[5]); 284| 2.25k| z[11] = accum.extract(); 285| 2.25k| accum.mul(x[6], y[6]); 286| 2.25k| z[12] = accum.extract(); 287| 2.25k| z[13] = accum.extract(); 288| 2.25k|} _ZN5Botan17bigint_comba_sqr8EPmPKm: 293| 127k|void bigint_comba_sqr8(word z[16], const word x[8]) { 294| 127k| word3 accum; 295| | 296| 127k| accum.mul(x[0], x[0]); 297| 127k| z[0] = accum.extract(); 298| 127k| accum.mul_x2(x[0], x[1]); 299| 127k| z[1] = accum.extract(); 300| 127k| accum.mul_x2(x[0], x[2]); 301| 127k| accum.mul(x[1], x[1]); 302| 127k| z[2] = accum.extract(); 303| 127k| accum.mul_x2(x[0], x[3]); 304| 127k| accum.mul_x2(x[1], x[2]); 305| 127k| z[3] = accum.extract(); 306| 127k| accum.mul_x2(x[0], x[4]); 307| 127k| accum.mul_x2(x[1], x[3]); 308| 127k| accum.mul(x[2], x[2]); 309| 127k| z[4] = accum.extract(); 310| 127k| accum.mul_x2(x[0], x[5]); 311| 127k| accum.mul_x2(x[1], x[4]); 312| 127k| accum.mul_x2(x[2], x[3]); 313| 127k| z[5] = accum.extract(); 314| 127k| accum.mul_x2(x[0], x[6]); 315| 127k| accum.mul_x2(x[1], x[5]); 316| 127k| accum.mul_x2(x[2], x[4]); 317| 127k| accum.mul(x[3], x[3]); 318| 127k| z[6] = accum.extract(); 319| 127k| accum.mul_x2(x[0], x[7]); 320| 127k| accum.mul_x2(x[1], x[6]); 321| 127k| accum.mul_x2(x[2], x[5]); 322| 127k| accum.mul_x2(x[3], x[4]); 323| 127k| z[7] = accum.extract(); 324| 127k| accum.mul_x2(x[1], x[7]); 325| 127k| accum.mul_x2(x[2], x[6]); 326| 127k| accum.mul_x2(x[3], x[5]); 327| 127k| accum.mul(x[4], x[4]); 328| 127k| z[8] = accum.extract(); 329| 127k| accum.mul_x2(x[2], x[7]); 330| 127k| accum.mul_x2(x[3], x[6]); 331| 127k| accum.mul_x2(x[4], x[5]); 332| 127k| z[9] = accum.extract(); 333| 127k| accum.mul_x2(x[3], x[7]); 334| 127k| accum.mul_x2(x[4], x[6]); 335| 127k| accum.mul(x[5], x[5]); 336| 127k| z[10] = accum.extract(); 337| 127k| accum.mul_x2(x[4], x[7]); 338| 127k| accum.mul_x2(x[5], x[6]); 339| 127k| z[11] = accum.extract(); 340| 127k| accum.mul_x2(x[5], x[7]); 341| 127k| accum.mul(x[6], x[6]); 342| 127k| z[12] = accum.extract(); 343| 127k| accum.mul_x2(x[6], x[7]); 344| 127k| z[13] = accum.extract(); 345| 127k| accum.mul(x[7], x[7]); 346| 127k| z[14] = accum.extract(); 347| 127k| z[15] = accum.extract(); 348| 127k|} _ZN5Botan17bigint_comba_mul8EPmPKmS2_: 353| 322k|void bigint_comba_mul8(word z[16], const word x[8], const word y[8]) { 354| 322k| word3 accum; 355| | 356| 322k| accum.mul(x[0], y[0]); 357| 322k| z[0] = accum.extract(); 358| 322k| accum.mul(x[0], y[1]); 359| 322k| accum.mul(x[1], y[0]); 360| 322k| z[1] = accum.extract(); 361| 322k| accum.mul(x[0], y[2]); 362| 322k| accum.mul(x[1], y[1]); 363| 322k| accum.mul(x[2], y[0]); 364| 322k| z[2] = accum.extract(); 365| 322k| accum.mul(x[0], y[3]); 366| 322k| accum.mul(x[1], y[2]); 367| 322k| accum.mul(x[2], y[1]); 368| 322k| accum.mul(x[3], y[0]); 369| 322k| z[3] = accum.extract(); 370| 322k| accum.mul(x[0], y[4]); 371| 322k| accum.mul(x[1], y[3]); 372| 322k| accum.mul(x[2], y[2]); 373| 322k| accum.mul(x[3], y[1]); 374| 322k| accum.mul(x[4], y[0]); 375| 322k| z[4] = accum.extract(); 376| 322k| accum.mul(x[0], y[5]); 377| 322k| accum.mul(x[1], y[4]); 378| 322k| accum.mul(x[2], y[3]); 379| 322k| accum.mul(x[3], y[2]); 380| 322k| accum.mul(x[4], y[1]); 381| 322k| accum.mul(x[5], y[0]); 382| 322k| z[5] = accum.extract(); 383| 322k| accum.mul(x[0], y[6]); 384| 322k| accum.mul(x[1], y[5]); 385| 322k| accum.mul(x[2], y[4]); 386| 322k| accum.mul(x[3], y[3]); 387| 322k| accum.mul(x[4], y[2]); 388| 322k| accum.mul(x[5], y[1]); 389| 322k| accum.mul(x[6], y[0]); 390| 322k| z[6] = accum.extract(); 391| 322k| accum.mul(x[0], y[7]); 392| 322k| accum.mul(x[1], y[6]); 393| 322k| accum.mul(x[2], y[5]); 394| 322k| accum.mul(x[3], y[4]); 395| 322k| accum.mul(x[4], y[3]); 396| 322k| accum.mul(x[5], y[2]); 397| 322k| accum.mul(x[6], y[1]); 398| 322k| accum.mul(x[7], y[0]); 399| 322k| z[7] = accum.extract(); 400| 322k| accum.mul(x[1], y[7]); 401| 322k| accum.mul(x[2], y[6]); 402| 322k| accum.mul(x[3], y[5]); 403| 322k| accum.mul(x[4], y[4]); 404| 322k| accum.mul(x[5], y[3]); 405| 322k| accum.mul(x[6], y[2]); 406| 322k| accum.mul(x[7], y[1]); 407| 322k| z[8] = accum.extract(); 408| 322k| accum.mul(x[2], y[7]); 409| 322k| accum.mul(x[3], y[6]); 410| 322k| accum.mul(x[4], y[5]); 411| 322k| accum.mul(x[5], y[4]); 412| 322k| accum.mul(x[6], y[3]); 413| 322k| accum.mul(x[7], y[2]); 414| 322k| z[9] = accum.extract(); 415| 322k| accum.mul(x[3], y[7]); 416| 322k| accum.mul(x[4], y[6]); 417| 322k| accum.mul(x[5], y[5]); 418| 322k| accum.mul(x[6], y[4]); 419| 322k| accum.mul(x[7], y[3]); 420| 322k| z[10] = accum.extract(); 421| 322k| accum.mul(x[4], y[7]); 422| 322k| accum.mul(x[5], y[6]); 423| 322k| accum.mul(x[6], y[5]); 424| 322k| accum.mul(x[7], y[4]); 425| 322k| z[11] = accum.extract(); 426| 322k| accum.mul(x[5], y[7]); 427| 322k| accum.mul(x[6], y[6]); 428| 322k| accum.mul(x[7], y[5]); 429| 322k| z[12] = accum.extract(); 430| 322k| accum.mul(x[6], y[7]); 431| 322k| accum.mul(x[7], y[6]); 432| 322k| z[13] = accum.extract(); 433| 322k| accum.mul(x[7], y[7]); 434| 322k| z[14] = accum.extract(); 435| 322k| z[15] = accum.extract(); 436| 322k|} _ZN5Botan17bigint_comba_sqr9EPmPKm: 441| 1.65M|void bigint_comba_sqr9(word z[18], const word x[9]) { 442| 1.65M| word3 accum; 443| | 444| 1.65M| accum.mul(x[0], x[0]); 445| 1.65M| z[0] = accum.extract(); 446| 1.65M| accum.mul_x2(x[0], x[1]); 447| 1.65M| z[1] = accum.extract(); 448| 1.65M| accum.mul_x2(x[0], x[2]); 449| 1.65M| accum.mul(x[1], x[1]); 450| 1.65M| z[2] = accum.extract(); 451| 1.65M| accum.mul_x2(x[0], x[3]); 452| 1.65M| accum.mul_x2(x[1], x[2]); 453| 1.65M| z[3] = accum.extract(); 454| 1.65M| accum.mul_x2(x[0], x[4]); 455| 1.65M| accum.mul_x2(x[1], x[3]); 456| 1.65M| accum.mul(x[2], x[2]); 457| 1.65M| z[4] = accum.extract(); 458| 1.65M| accum.mul_x2(x[0], x[5]); 459| 1.65M| accum.mul_x2(x[1], x[4]); 460| 1.65M| accum.mul_x2(x[2], x[3]); 461| 1.65M| z[5] = accum.extract(); 462| 1.65M| accum.mul_x2(x[0], x[6]); 463| 1.65M| accum.mul_x2(x[1], x[5]); 464| 1.65M| accum.mul_x2(x[2], x[4]); 465| 1.65M| accum.mul(x[3], x[3]); 466| 1.65M| z[6] = accum.extract(); 467| 1.65M| accum.mul_x2(x[0], x[7]); 468| 1.65M| accum.mul_x2(x[1], x[6]); 469| 1.65M| accum.mul_x2(x[2], x[5]); 470| 1.65M| accum.mul_x2(x[3], x[4]); 471| 1.65M| z[7] = accum.extract(); 472| 1.65M| accum.mul_x2(x[0], x[8]); 473| 1.65M| accum.mul_x2(x[1], x[7]); 474| 1.65M| accum.mul_x2(x[2], x[6]); 475| 1.65M| accum.mul_x2(x[3], x[5]); 476| 1.65M| accum.mul(x[4], x[4]); 477| 1.65M| z[8] = accum.extract(); 478| 1.65M| accum.mul_x2(x[1], x[8]); 479| 1.65M| accum.mul_x2(x[2], x[7]); 480| 1.65M| accum.mul_x2(x[3], x[6]); 481| 1.65M| accum.mul_x2(x[4], x[5]); 482| 1.65M| z[9] = accum.extract(); 483| 1.65M| accum.mul_x2(x[2], x[8]); 484| 1.65M| accum.mul_x2(x[3], x[7]); 485| 1.65M| accum.mul_x2(x[4], x[6]); 486| 1.65M| accum.mul(x[5], x[5]); 487| 1.65M| z[10] = accum.extract(); 488| 1.65M| accum.mul_x2(x[3], x[8]); 489| 1.65M| accum.mul_x2(x[4], x[7]); 490| 1.65M| accum.mul_x2(x[5], x[6]); 491| 1.65M| z[11] = accum.extract(); 492| 1.65M| accum.mul_x2(x[4], x[8]); 493| 1.65M| accum.mul_x2(x[5], x[7]); 494| 1.65M| accum.mul(x[6], x[6]); 495| 1.65M| z[12] = accum.extract(); 496| 1.65M| accum.mul_x2(x[5], x[8]); 497| 1.65M| accum.mul_x2(x[6], x[7]); 498| 1.65M| z[13] = accum.extract(); 499| 1.65M| accum.mul_x2(x[6], x[8]); 500| 1.65M| accum.mul(x[7], x[7]); 501| 1.65M| z[14] = accum.extract(); 502| 1.65M| accum.mul_x2(x[7], x[8]); 503| 1.65M| z[15] = accum.extract(); 504| 1.65M| accum.mul(x[8], x[8]); 505| 1.65M| z[16] = accum.extract(); 506| 1.65M| z[17] = accum.extract(); 507| 1.65M|} _ZN5Botan17bigint_comba_mul9EPmPKmS2_: 512| 3.47M|void bigint_comba_mul9(word z[18], const word x[9], const word y[9]) { 513| 3.47M| word3 accum; 514| | 515| 3.47M| accum.mul(x[0], y[0]); 516| 3.47M| z[0] = accum.extract(); 517| 3.47M| accum.mul(x[0], y[1]); 518| 3.47M| accum.mul(x[1], y[0]); 519| 3.47M| z[1] = accum.extract(); 520| 3.47M| accum.mul(x[0], y[2]); 521| 3.47M| accum.mul(x[1], y[1]); 522| 3.47M| accum.mul(x[2], y[0]); 523| 3.47M| z[2] = accum.extract(); 524| 3.47M| accum.mul(x[0], y[3]); 525| 3.47M| accum.mul(x[1], y[2]); 526| 3.47M| accum.mul(x[2], y[1]); 527| 3.47M| accum.mul(x[3], y[0]); 528| 3.47M| z[3] = accum.extract(); 529| 3.47M| accum.mul(x[0], y[4]); 530| 3.47M| accum.mul(x[1], y[3]); 531| 3.47M| accum.mul(x[2], y[2]); 532| 3.47M| accum.mul(x[3], y[1]); 533| 3.47M| accum.mul(x[4], y[0]); 534| 3.47M| z[4] = accum.extract(); 535| 3.47M| accum.mul(x[0], y[5]); 536| 3.47M| accum.mul(x[1], y[4]); 537| 3.47M| accum.mul(x[2], y[3]); 538| 3.47M| accum.mul(x[3], y[2]); 539| 3.47M| accum.mul(x[4], y[1]); 540| 3.47M| accum.mul(x[5], y[0]); 541| 3.47M| z[5] = accum.extract(); 542| 3.47M| accum.mul(x[0], y[6]); 543| 3.47M| accum.mul(x[1], y[5]); 544| 3.47M| accum.mul(x[2], y[4]); 545| 3.47M| accum.mul(x[3], y[3]); 546| 3.47M| accum.mul(x[4], y[2]); 547| 3.47M| accum.mul(x[5], y[1]); 548| 3.47M| accum.mul(x[6], y[0]); 549| 3.47M| z[6] = accum.extract(); 550| 3.47M| accum.mul(x[0], y[7]); 551| 3.47M| accum.mul(x[1], y[6]); 552| 3.47M| accum.mul(x[2], y[5]); 553| 3.47M| accum.mul(x[3], y[4]); 554| 3.47M| accum.mul(x[4], y[3]); 555| 3.47M| accum.mul(x[5], y[2]); 556| 3.47M| accum.mul(x[6], y[1]); 557| 3.47M| accum.mul(x[7], y[0]); 558| 3.47M| z[7] = accum.extract(); 559| 3.47M| accum.mul(x[0], y[8]); 560| 3.47M| accum.mul(x[1], y[7]); 561| 3.47M| accum.mul(x[2], y[6]); 562| 3.47M| accum.mul(x[3], y[5]); 563| 3.47M| accum.mul(x[4], y[4]); 564| 3.47M| accum.mul(x[5], y[3]); 565| 3.47M| accum.mul(x[6], y[2]); 566| 3.47M| accum.mul(x[7], y[1]); 567| 3.47M| accum.mul(x[8], y[0]); 568| 3.47M| z[8] = accum.extract(); 569| 3.47M| accum.mul(x[1], y[8]); 570| 3.47M| accum.mul(x[2], y[7]); 571| 3.47M| accum.mul(x[3], y[6]); 572| 3.47M| accum.mul(x[4], y[5]); 573| 3.47M| accum.mul(x[5], y[4]); 574| 3.47M| accum.mul(x[6], y[3]); 575| 3.47M| accum.mul(x[7], y[2]); 576| 3.47M| accum.mul(x[8], y[1]); 577| 3.47M| z[9] = accum.extract(); 578| 3.47M| accum.mul(x[2], y[8]); 579| 3.47M| accum.mul(x[3], y[7]); 580| 3.47M| accum.mul(x[4], y[6]); 581| 3.47M| accum.mul(x[5], y[5]); 582| 3.47M| accum.mul(x[6], y[4]); 583| 3.47M| accum.mul(x[7], y[3]); 584| 3.47M| accum.mul(x[8], y[2]); 585| 3.47M| z[10] = accum.extract(); 586| 3.47M| accum.mul(x[3], y[8]); 587| 3.47M| accum.mul(x[4], y[7]); 588| 3.47M| accum.mul(x[5], y[6]); 589| 3.47M| accum.mul(x[6], y[5]); 590| 3.47M| accum.mul(x[7], y[4]); 591| 3.47M| accum.mul(x[8], y[3]); 592| 3.47M| z[11] = accum.extract(); 593| 3.47M| accum.mul(x[4], y[8]); 594| 3.47M| accum.mul(x[5], y[7]); 595| 3.47M| accum.mul(x[6], y[6]); 596| 3.47M| accum.mul(x[7], y[5]); 597| 3.47M| accum.mul(x[8], y[4]); 598| 3.47M| z[12] = accum.extract(); 599| 3.47M| accum.mul(x[5], y[8]); 600| 3.47M| accum.mul(x[6], y[7]); 601| 3.47M| accum.mul(x[7], y[6]); 602| 3.47M| accum.mul(x[8], y[5]); 603| 3.47M| z[13] = accum.extract(); 604| 3.47M| accum.mul(x[6], y[8]); 605| 3.47M| accum.mul(x[7], y[7]); 606| 3.47M| accum.mul(x[8], y[6]); 607| 3.47M| z[14] = accum.extract(); 608| 3.47M| accum.mul(x[7], y[8]); 609| 3.47M| accum.mul(x[8], y[7]); 610| 3.47M| z[15] = accum.extract(); 611| 3.47M| accum.mul(x[8], y[8]); 612| 3.47M| z[16] = accum.extract(); 613| 3.47M| z[17] = accum.extract(); 614| 3.47M|} _ZN5Botan18bigint_comba_mul16EPmPKmS2_: 795| 6|void bigint_comba_mul16(word z[32], const word x[16], const word y[16]) { 796| 6| word3 accum; 797| | 798| 6| accum.mul(x[0], y[0]); 799| 6| z[0] = accum.extract(); 800| 6| accum.mul(x[0], y[1]); 801| 6| accum.mul(x[1], y[0]); 802| 6| z[1] = accum.extract(); 803| 6| accum.mul(x[0], y[2]); 804| 6| accum.mul(x[1], y[1]); 805| 6| accum.mul(x[2], y[0]); 806| 6| z[2] = accum.extract(); 807| 6| accum.mul(x[0], y[3]); 808| 6| accum.mul(x[1], y[2]); 809| 6| accum.mul(x[2], y[1]); 810| 6| accum.mul(x[3], y[0]); 811| 6| z[3] = accum.extract(); 812| 6| accum.mul(x[0], y[4]); 813| 6| accum.mul(x[1], y[3]); 814| 6| accum.mul(x[2], y[2]); 815| 6| accum.mul(x[3], y[1]); 816| 6| accum.mul(x[4], y[0]); 817| 6| z[4] = accum.extract(); 818| 6| accum.mul(x[0], y[5]); 819| 6| accum.mul(x[1], y[4]); 820| 6| accum.mul(x[2], y[3]); 821| 6| accum.mul(x[3], y[2]); 822| 6| accum.mul(x[4], y[1]); 823| 6| accum.mul(x[5], y[0]); 824| 6| z[5] = accum.extract(); 825| 6| accum.mul(x[0], y[6]); 826| 6| accum.mul(x[1], y[5]); 827| 6| accum.mul(x[2], y[4]); 828| 6| accum.mul(x[3], y[3]); 829| 6| accum.mul(x[4], y[2]); 830| 6| accum.mul(x[5], y[1]); 831| 6| accum.mul(x[6], y[0]); 832| 6| z[6] = accum.extract(); 833| 6| accum.mul(x[0], y[7]); 834| 6| accum.mul(x[1], y[6]); 835| 6| accum.mul(x[2], y[5]); 836| 6| accum.mul(x[3], y[4]); 837| 6| accum.mul(x[4], y[3]); 838| 6| accum.mul(x[5], y[2]); 839| 6| accum.mul(x[6], y[1]); 840| 6| accum.mul(x[7], y[0]); 841| 6| z[7] = accum.extract(); 842| 6| accum.mul(x[0], y[8]); 843| 6| accum.mul(x[1], y[7]); 844| 6| accum.mul(x[2], y[6]); 845| 6| accum.mul(x[3], y[5]); 846| 6| accum.mul(x[4], y[4]); 847| 6| accum.mul(x[5], y[3]); 848| 6| accum.mul(x[6], y[2]); 849| 6| accum.mul(x[7], y[1]); 850| 6| accum.mul(x[8], y[0]); 851| 6| z[8] = accum.extract(); 852| 6| accum.mul(x[0], y[9]); 853| 6| accum.mul(x[1], y[8]); 854| 6| accum.mul(x[2], y[7]); 855| 6| accum.mul(x[3], y[6]); 856| 6| accum.mul(x[4], y[5]); 857| 6| accum.mul(x[5], y[4]); 858| 6| accum.mul(x[6], y[3]); 859| 6| accum.mul(x[7], y[2]); 860| 6| accum.mul(x[8], y[1]); 861| 6| accum.mul(x[9], y[0]); 862| 6| z[9] = accum.extract(); 863| 6| accum.mul(x[0], y[10]); 864| 6| accum.mul(x[1], y[9]); 865| 6| accum.mul(x[2], y[8]); 866| 6| accum.mul(x[3], y[7]); 867| 6| accum.mul(x[4], y[6]); 868| 6| accum.mul(x[5], y[5]); 869| 6| accum.mul(x[6], y[4]); 870| 6| accum.mul(x[7], y[3]); 871| 6| accum.mul(x[8], y[2]); 872| 6| accum.mul(x[9], y[1]); 873| 6| accum.mul(x[10], y[0]); 874| 6| z[10] = accum.extract(); 875| 6| accum.mul(x[0], y[11]); 876| 6| accum.mul(x[1], y[10]); 877| 6| accum.mul(x[2], y[9]); 878| 6| accum.mul(x[3], y[8]); 879| 6| accum.mul(x[4], y[7]); 880| 6| accum.mul(x[5], y[6]); 881| 6| accum.mul(x[6], y[5]); 882| 6| accum.mul(x[7], y[4]); 883| 6| accum.mul(x[8], y[3]); 884| 6| accum.mul(x[9], y[2]); 885| 6| accum.mul(x[10], y[1]); 886| 6| accum.mul(x[11], y[0]); 887| 6| z[11] = accum.extract(); 888| 6| accum.mul(x[0], y[12]); 889| 6| accum.mul(x[1], y[11]); 890| 6| accum.mul(x[2], y[10]); 891| 6| accum.mul(x[3], y[9]); 892| 6| accum.mul(x[4], y[8]); 893| 6| accum.mul(x[5], y[7]); 894| 6| accum.mul(x[6], y[6]); 895| 6| accum.mul(x[7], y[5]); 896| 6| accum.mul(x[8], y[4]); 897| 6| accum.mul(x[9], y[3]); 898| 6| accum.mul(x[10], y[2]); 899| 6| accum.mul(x[11], y[1]); 900| 6| accum.mul(x[12], y[0]); 901| 6| z[12] = accum.extract(); 902| 6| accum.mul(x[0], y[13]); 903| 6| accum.mul(x[1], y[12]); 904| 6| accum.mul(x[2], y[11]); 905| 6| accum.mul(x[3], y[10]); 906| 6| accum.mul(x[4], y[9]); 907| 6| accum.mul(x[5], y[8]); 908| 6| accum.mul(x[6], y[7]); 909| 6| accum.mul(x[7], y[6]); 910| 6| accum.mul(x[8], y[5]); 911| 6| accum.mul(x[9], y[4]); 912| 6| accum.mul(x[10], y[3]); 913| 6| accum.mul(x[11], y[2]); 914| 6| accum.mul(x[12], y[1]); 915| 6| accum.mul(x[13], y[0]); 916| 6| z[13] = accum.extract(); 917| 6| accum.mul(x[0], y[14]); 918| 6| accum.mul(x[1], y[13]); 919| 6| accum.mul(x[2], y[12]); 920| 6| accum.mul(x[3], y[11]); 921| 6| accum.mul(x[4], y[10]); 922| 6| accum.mul(x[5], y[9]); 923| 6| accum.mul(x[6], y[8]); 924| 6| accum.mul(x[7], y[7]); 925| 6| accum.mul(x[8], y[6]); 926| 6| accum.mul(x[9], y[5]); 927| 6| accum.mul(x[10], y[4]); 928| 6| accum.mul(x[11], y[3]); 929| 6| accum.mul(x[12], y[2]); 930| 6| accum.mul(x[13], y[1]); 931| 6| accum.mul(x[14], y[0]); 932| 6| z[14] = accum.extract(); 933| 6| accum.mul(x[0], y[15]); 934| 6| accum.mul(x[1], y[14]); 935| 6| accum.mul(x[2], y[13]); 936| 6| accum.mul(x[3], y[12]); 937| 6| accum.mul(x[4], y[11]); 938| 6| accum.mul(x[5], y[10]); 939| 6| accum.mul(x[6], y[9]); 940| 6| accum.mul(x[7], y[8]); 941| 6| accum.mul(x[8], y[7]); 942| 6| accum.mul(x[9], y[6]); 943| 6| accum.mul(x[10], y[5]); 944| 6| accum.mul(x[11], y[4]); 945| 6| accum.mul(x[12], y[3]); 946| 6| accum.mul(x[13], y[2]); 947| 6| accum.mul(x[14], y[1]); 948| 6| accum.mul(x[15], y[0]); 949| 6| z[15] = accum.extract(); 950| 6| accum.mul(x[1], y[15]); 951| 6| accum.mul(x[2], y[14]); 952| 6| accum.mul(x[3], y[13]); 953| 6| accum.mul(x[4], y[12]); 954| 6| accum.mul(x[5], y[11]); 955| 6| accum.mul(x[6], y[10]); 956| 6| accum.mul(x[7], y[9]); 957| 6| accum.mul(x[8], y[8]); 958| 6| accum.mul(x[9], y[7]); 959| 6| accum.mul(x[10], y[6]); 960| 6| accum.mul(x[11], y[5]); 961| 6| accum.mul(x[12], y[4]); 962| 6| accum.mul(x[13], y[3]); 963| 6| accum.mul(x[14], y[2]); 964| 6| accum.mul(x[15], y[1]); 965| 6| z[16] = accum.extract(); 966| 6| accum.mul(x[2], y[15]); 967| 6| accum.mul(x[3], y[14]); 968| 6| accum.mul(x[4], y[13]); 969| 6| accum.mul(x[5], y[12]); 970| 6| accum.mul(x[6], y[11]); 971| 6| accum.mul(x[7], y[10]); 972| 6| accum.mul(x[8], y[9]); 973| 6| accum.mul(x[9], y[8]); 974| 6| accum.mul(x[10], y[7]); 975| 6| accum.mul(x[11], y[6]); 976| 6| accum.mul(x[12], y[5]); 977| 6| accum.mul(x[13], y[4]); 978| 6| accum.mul(x[14], y[3]); 979| 6| accum.mul(x[15], y[2]); 980| 6| z[17] = accum.extract(); 981| 6| accum.mul(x[3], y[15]); 982| 6| accum.mul(x[4], y[14]); 983| 6| accum.mul(x[5], y[13]); 984| 6| accum.mul(x[6], y[12]); 985| 6| accum.mul(x[7], y[11]); 986| 6| accum.mul(x[8], y[10]); 987| 6| accum.mul(x[9], y[9]); 988| 6| accum.mul(x[10], y[8]); 989| 6| accum.mul(x[11], y[7]); 990| 6| accum.mul(x[12], y[6]); 991| 6| accum.mul(x[13], y[5]); 992| 6| accum.mul(x[14], y[4]); 993| 6| accum.mul(x[15], y[3]); 994| 6| z[18] = accum.extract(); 995| 6| accum.mul(x[4], y[15]); 996| 6| accum.mul(x[5], y[14]); 997| 6| accum.mul(x[6], y[13]); 998| 6| accum.mul(x[7], y[12]); 999| 6| accum.mul(x[8], y[11]); 1000| 6| accum.mul(x[9], y[10]); 1001| 6| accum.mul(x[10], y[9]); 1002| 6| accum.mul(x[11], y[8]); 1003| 6| accum.mul(x[12], y[7]); 1004| 6| accum.mul(x[13], y[6]); 1005| 6| accum.mul(x[14], y[5]); 1006| 6| accum.mul(x[15], y[4]); 1007| 6| z[19] = accum.extract(); 1008| 6| accum.mul(x[5], y[15]); 1009| 6| accum.mul(x[6], y[14]); 1010| 6| accum.mul(x[7], y[13]); 1011| 6| accum.mul(x[8], y[12]); 1012| 6| accum.mul(x[9], y[11]); 1013| 6| accum.mul(x[10], y[10]); 1014| 6| accum.mul(x[11], y[9]); 1015| 6| accum.mul(x[12], y[8]); 1016| 6| accum.mul(x[13], y[7]); 1017| 6| accum.mul(x[14], y[6]); 1018| 6| accum.mul(x[15], y[5]); 1019| 6| z[20] = accum.extract(); 1020| 6| accum.mul(x[6], y[15]); 1021| 6| accum.mul(x[7], y[14]); 1022| 6| accum.mul(x[8], y[13]); 1023| 6| accum.mul(x[9], y[12]); 1024| 6| accum.mul(x[10], y[11]); 1025| 6| accum.mul(x[11], y[10]); 1026| 6| accum.mul(x[12], y[9]); 1027| 6| accum.mul(x[13], y[8]); 1028| 6| accum.mul(x[14], y[7]); 1029| 6| accum.mul(x[15], y[6]); 1030| 6| z[21] = accum.extract(); 1031| 6| accum.mul(x[7], y[15]); 1032| 6| accum.mul(x[8], y[14]); 1033| 6| accum.mul(x[9], y[13]); 1034| 6| accum.mul(x[10], y[12]); 1035| 6| accum.mul(x[11], y[11]); 1036| 6| accum.mul(x[12], y[10]); 1037| 6| accum.mul(x[13], y[9]); 1038| 6| accum.mul(x[14], y[8]); 1039| 6| accum.mul(x[15], y[7]); 1040| 6| z[22] = accum.extract(); 1041| 6| accum.mul(x[8], y[15]); 1042| 6| accum.mul(x[9], y[14]); 1043| 6| accum.mul(x[10], y[13]); 1044| 6| accum.mul(x[11], y[12]); 1045| 6| accum.mul(x[12], y[11]); 1046| 6| accum.mul(x[13], y[10]); 1047| 6| accum.mul(x[14], y[9]); 1048| 6| accum.mul(x[15], y[8]); 1049| 6| z[23] = accum.extract(); 1050| 6| accum.mul(x[9], y[15]); 1051| 6| accum.mul(x[10], y[14]); 1052| 6| accum.mul(x[11], y[13]); 1053| 6| accum.mul(x[12], y[12]); 1054| 6| accum.mul(x[13], y[11]); 1055| 6| accum.mul(x[14], y[10]); 1056| 6| accum.mul(x[15], y[9]); 1057| 6| z[24] = accum.extract(); 1058| 6| accum.mul(x[10], y[15]); 1059| 6| accum.mul(x[11], y[14]); 1060| 6| accum.mul(x[12], y[13]); 1061| 6| accum.mul(x[13], y[12]); 1062| 6| accum.mul(x[14], y[11]); 1063| 6| accum.mul(x[15], y[10]); 1064| 6| z[25] = accum.extract(); 1065| 6| accum.mul(x[11], y[15]); 1066| 6| accum.mul(x[12], y[14]); 1067| 6| accum.mul(x[13], y[13]); 1068| 6| accum.mul(x[14], y[12]); 1069| 6| accum.mul(x[15], y[11]); 1070| 6| z[26] = accum.extract(); 1071| 6| accum.mul(x[12], y[15]); 1072| 6| accum.mul(x[13], y[14]); 1073| 6| accum.mul(x[14], y[13]); 1074| 6| accum.mul(x[15], y[12]); 1075| 6| z[27] = accum.extract(); 1076| 6| accum.mul(x[13], y[15]); 1077| 6| accum.mul(x[14], y[14]); 1078| 6| accum.mul(x[15], y[13]); 1079| 6| z[28] = accum.extract(); 1080| 6| accum.mul(x[14], y[15]); 1081| 6| accum.mul(x[15], y[14]); 1082| 6| z[29] = accum.extract(); 1083| 6| accum.mul(x[15], y[15]); 1084| 6| z[30] = accum.extract(); 1085| 6| z[31] = accum.extract(); 1086| 6|} _ZN5Botan12basecase_mulEPmmPKmmS2_m: 20| 6.43M|void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size) { 21| 6.43M| if(z_size < x_size + y_size) { ------------------ | Branch (21:7): [True: 0, False: 6.43M] ------------------ 22| 0| throw Invalid_Argument("basecase_mul z_size too small"); 23| 0| } 24| | 25| 6.43M| const size_t x_size_8 = x_size - (x_size % 8); 26| | 27| 6.43M| zeroize_buffer(z, z_size); 28| | 29| 47.6M| for(size_t i = 0; i != y_size; ++i) { ------------------ | Branch (29:22): [True: 41.1M, False: 6.43M] ------------------ 30| 41.1M| const word y_i = y[i]; 31| | 32| 41.1M| word carry = 0; 33| | 34| 68.4M| for(size_t j = 0; j != x_size_8; j += 8) { ------------------ | Branch (34:25): [True: 27.3M, False: 41.1M] ------------------ 35| 27.3M| carry = word8_madd3(z + i + j, x + j, y_i, carry); 36| 27.3M| } 37| | 38| 153M| for(size_t j = x_size_8; j != x_size; ++j) { ------------------ | Branch (38:32): [True: 112M, False: 41.1M] ------------------ 39| 112M| z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry); 40| 112M| } 41| | 42| 41.1M| z[x_size + i] = carry; 43| 41.1M| } 44| 6.43M|} _ZN5Botan12basecase_sqrEPmmPKmm: 46| 1.65M|void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size) { 47| 1.65M| if(z_size < 2 * x_size) { ------------------ | Branch (47:7): [True: 0, False: 1.65M] ------------------ 48| 0| throw Invalid_Argument("basecase_sqr z_size too small"); 49| 0| } 50| | 51| 1.65M| const size_t x_size_8 = x_size - (x_size % 8); 52| | 53| 1.65M| zeroize_buffer(z, z_size); 54| | 55| 8.39M| for(size_t i = 0; i != x_size; ++i) { ------------------ | Branch (55:22): [True: 6.73M, False: 1.65M] ------------------ 56| 6.73M| const word x_i = x[i]; 57| | 58| 6.73M| word carry = 0; 59| | 60| 6.83M| for(size_t j = 0; j != x_size_8; j += 8) { ------------------ | Branch (60:25): [True: 97.6k, False: 6.73M] ------------------ 61| 97.6k| carry = word8_madd3(z + i + j, x + j, x_i, carry); 62| 97.6k| } 63| | 64| 35.8M| for(size_t j = x_size_8; j != x_size; ++j) { ------------------ | Branch (64:32): [True: 29.1M, False: 6.73M] ------------------ 65| 29.1M| z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry); 66| 29.1M| } 67| | 68| 6.73M| z[x_size + i] = carry; 69| 6.73M| } 70| 1.65M|} _ZN5Botan10bigint_mulEPmmPKmmmS2_mmS0_m: 292| 16.9M| size_t ws_size) { 293| 16.9M| zeroize_buffer(z, z_size); 294| | 295| 16.9M| if(x_sw == 1) { ------------------ | Branch (295:7): [True: 120, False: 16.9M] ------------------ 296| 120| bigint_linmul3(z, y, y_sw, x[0]); 297| 16.9M| } else if(y_sw == 1) { ------------------ | Branch (297:14): [True: 121, False: 16.9M] ------------------ 298| 121| bigint_linmul3(z, x, x_sw, y[0]); 299| 16.9M| } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (299:14): [True: 6.59M, False: 10.3M] ------------------ 300| 6.59M| bigint_comba_mul4(z, x, y); 301| 10.3M| } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (301:14): [True: 2.53M, False: 7.77M] ------------------ 302| 2.53M| bigint_comba_mul6(z, x, y); 303| 7.77M| } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (303:14): [True: 169k, False: 7.60M] ------------------ 304| 169k| bigint_comba_mul8(z, x, y); 305| 7.60M| } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (305:14): [True: 1.16M, False: 6.43M] ------------------ 306| 1.16M| bigint_comba_mul9(z, x, y); 307| 6.43M| } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (307:14): [True: 6, False: 6.43M] ------------------ 308| 6| bigint_comba_mul16(z, x, y); 309| 6.43M| } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (309:14): [True: 0, False: 6.43M] ------------------ 310| 0| bigint_comba_mul24(z, x, y); 311| 6.43M| } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || workspace == nullptr) { ------------------ | Branch (311:14): [True: 6.43M, False: 0] | Branch (311:53): [True: 0, False: 0] | Branch (311:92): [True: 0, False: 0] ------------------ 312| 6.43M| basecase_mul(z, z_size, x, x_sw, y, y_sw); 313| 6.43M| } else { 314| 0| const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw); 315| | 316| 0| if(N > 0 && z_size >= 2 * N && ws_size >= 2 * N) { ------------------ | Branch (316:10): [True: 0, False: 0] | Branch (316:19): [True: 0, False: 0] | Branch (316:38): [True: 0, False: 0] ------------------ 317| 0| karatsuba_mul(z, x, y, N, workspace); 318| 0| } else { 319| 0| basecase_mul(z, z_size, x, x_sw, y, y_sw); 320| 0| } 321| 0| } 322| 16.9M|} _ZN5Botan10bigint_sqrEPmmPKmmmS0_m: 327| 5.12M|void bigint_sqr(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size) { 328| 5.12M| zeroize_buffer(z, z_size); 329| | 330| 5.12M| BOTAN_ASSERT(z_size / 2 >= x_sw, "Output size is sufficient"); ------------------ | | 64| 5.12M| do { \ | | 65| 5.12M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 5.12M| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 5.12M] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 5.12M| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 5.12M] | | ------------------ ------------------ 331| | 332| 5.12M| if(x_sw == 1) { ------------------ | Branch (332:7): [True: 120, False: 5.12M] ------------------ 333| 120| bigint_linmul3(z, x, x_sw, x[0]); 334| 5.12M| } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) { ------------------ | Branch (334:14): [True: 2.71M, False: 2.40M] ------------------ 335| 2.71M| bigint_comba_sqr4(z, x); 336| 2.71M| } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) { ------------------ | Branch (336:14): [True: 16.0k, False: 2.38M] ------------------ 337| 16.0k| bigint_comba_sqr6(z, x); 338| 2.38M| } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) { ------------------ | Branch (338:14): [True: 1.03k, False: 2.38M] ------------------ 339| 1.03k| bigint_comba_sqr8(z, x); 340| 2.38M| } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) { ------------------ | Branch (340:14): [True: 733k, False: 1.65M] ------------------ 341| 733k| bigint_comba_sqr9(z, x); 342| 1.65M| } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) { ------------------ | Branch (342:14): [True: 0, False: 1.65M] ------------------ 343| 0| bigint_comba_sqr16(z, x); 344| 1.65M| } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) { ------------------ | Branch (344:14): [True: 0, False: 1.65M] ------------------ 345| 0| bigint_comba_sqr24(z, x); 346| 1.65M| } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || workspace == nullptr) { ------------------ | Branch (346:14): [True: 1.65M, False: 137] | Branch (346:53): [True: 0, False: 137] ------------------ 347| 1.65M| basecase_sqr(z, z_size, x, x_sw); 348| 1.65M| } else { 349| 137| const size_t N = karatsuba_size(z_size, x_size, x_sw); 350| | 351| 137| if(N > 0 && z_size >= 2 * N && ws_size >= 2 * N) { ------------------ | Branch (351:10): [True: 111, False: 26] | Branch (351:19): [True: 111, False: 0] | Branch (351:38): [True: 111, False: 0] ------------------ 352| 111| karatsuba_sqr(z, x, N, workspace); 353| 111| } else { 354| 26| basecase_sqr(z, z_size, x, x_sw); 355| 26| } 356| 137| } 357| 5.12M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_114karatsuba_sizeEmmm: 245| 137|size_t karatsuba_size(size_t z_size, size_t x_size, size_t x_sw) { 246| 137| if(x_sw == x_size) { ------------------ | Branch (246:7): [True: 0, False: 137] ------------------ 247| 0| if(x_sw % 2 != 0) { ------------------ | Branch (247:10): [True: 0, False: 0] ------------------ 248| 0| return 0; 249| 0| } 250| 0| return x_sw; 251| 0| } 252| | 253| 163| for(size_t j = x_sw; j <= x_size; ++j) { ------------------ | Branch (253:25): [True: 163, False: 0] ------------------ 254| 163| if(j % 2 != 0) { ------------------ | Branch (254:10): [True: 26, False: 137] ------------------ 255| 26| continue; 256| 26| } 257| | 258| 137| if(2 * j > z_size) { ------------------ | Branch (258:10): [True: 26, False: 111] ------------------ 259| 26| return 0; 260| 26| } 261| | 262| 111| if(j % 4 == 2 && (j + 2) <= x_size && 2 * (j + 2) <= z_size) { ------------------ | Branch (262:10): [True: 111, False: 0] | Branch (262:24): [True: 111, False: 0] | Branch (262:45): [True: 0, False: 111] ------------------ 263| 0| return j + 2; 264| 0| } 265| 111| return j; 266| 111| } 267| | 268| 0| return 0; 269| 137|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_113karatsuba_sqrEPmPKmmS1_: 149| 111|void karatsuba_sqr(word z[], const word x[], size_t N, word workspace[]) { 150| 111| if(N < KARATSUBA_SQUARE_THRESHOLD || N % 2 != 0) { ------------------ | Branch (150:7): [True: 111, False: 0] | Branch (150:41): [True: 0, False: 0] ------------------ 151| 111| switch(N) { 152| 0| case 6: ------------------ | Branch (152:10): [True: 0, False: 111] ------------------ 153| 0| return bigint_comba_sqr6(z, x); 154| 0| case 8: ------------------ | Branch (154:10): [True: 0, False: 111] ------------------ 155| 0| return bigint_comba_sqr8(z, x); 156| 0| case 9: ------------------ | Branch (156:10): [True: 0, False: 111] ------------------ 157| 0| return bigint_comba_sqr9(z, x); 158| 0| case 16: ------------------ | Branch (158:10): [True: 0, False: 111] ------------------ 159| 0| return bigint_comba_sqr16(z, x); 160| 0| case 24: ------------------ | Branch (160:10): [True: 0, False: 111] ------------------ 161| 0| return bigint_comba_sqr24(z, x); 162| 111| default: ------------------ | Branch (162:10): [True: 111, False: 0] ------------------ 163| 111| return basecase_sqr(z, 2 * N, x, N); 164| 111| } 165| 111| } 166| | 167| 0| const size_t N2 = N / 2; 168| | 169| 0| const word* x0 = x; 170| 0| const word* x1 = x + N2; 171| 0| word* z0 = z; 172| 0| word* z1 = z + N; 173| | 174| 0| word* ws0 = workspace; 175| 0| word* ws1 = workspace + N; 176| | 177| 0| zeroize_buffer(workspace, 2 * N); 178| | 179| | // See comment in karatsuba_mul 180| 0| bigint_sub_abs(z0, x0, x1, N2, workspace); 181| 0| karatsuba_sqr(ws0, z0, N2, ws1); 182| | 183| 0| karatsuba_sqr(z0, x0, N2, ws1); 184| 0| karatsuba_sqr(z1, x1, N2, ws1); 185| | 186| 0| const word ws_carry = bigint_add3(ws1, z0, N, z1, N); 187| 0| word z_carry = bigint_add2(z + N2, N, ws1, N); 188| | 189| 0| z_carry += bigint_add2(z + N + N2, N2, &ws_carry, 1); 190| 0| bigint_add2(z + N + N2, N2, &z_carry, 1); 191| | 192| | /* 193| | * This is only actually required if cmp (result of bigint_sub_abs) is != 0, 194| | * however if cmp==0 then ws0[0:N] == 0 and avoiding the jump hides a 195| | * timing channel. 196| | */ 197| 0| bigint_sub2(z + N2, 2 * N - N2, ws0, N); 198| 0|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm4EEEbmmmmm: 272| 16.9M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 16.9M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 8.55M, False: 8.36M] | Branch (273:26): [True: 6.67M, False: 1.87M] | Branch (273:42): [True: 6.67M, False: 0] | Branch (273:56): [True: 6.63M, False: 34.7k] | Branch (273:72): [True: 6.59M, False: 42.1k] ------------------ 274| 16.9M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm6EEEbmmmmm: 272| 10.3M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 10.3M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 6.08M, False: 4.22M] | Branch (273:26): [True: 2.71M, False: 3.37M] | Branch (273:42): [True: 2.71M, False: 0] | Branch (273:56): [True: 2.67M, False: 34.7k] | Branch (273:72): [True: 2.53M, False: 137k] ------------------ 274| 10.3M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm8EEEbmmmmm: 272| 7.77M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 7.77M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 3.77M, False: 4.00M] | Branch (273:26): [True: 353k, False: 3.41M] | Branch (273:42): [True: 320k, False: 32.2k] | Branch (273:56): [True: 291k, False: 28.9k] | Branch (273:72): [True: 169k, False: 122k] ------------------ 274| 7.77M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm9EEEbmmmmm: 272| 7.60M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 7.60M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 4.80M, False: 2.80M] | Branch (273:26): [True: 1.28M, False: 3.51M] | Branch (273:42): [True: 1.28M, False: 0] | Branch (273:56): [True: 1.20M, False: 79.6k] | Branch (273:72): [True: 1.16M, False: 39.2k] ------------------ 274| 7.60M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm16EEEbmmmmm: 272| 6.43M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 6.43M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 6.43M, False: 1.77k] | Branch (273:26): [True: 1.47M, False: 4.96M] | Branch (273:42): [True: 1.47M, False: 0] | Branch (273:56): [True: 1.43M, False: 37.2k] | Branch (273:72): [True: 6, False: 1.43M] ------------------ 274| 6.43M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm24EEEbmmmmm: 272| 6.43M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 6.43M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 6.43M, False: 1.75k] | Branch (273:26): [True: 5.16k, False: 6.43M] | Branch (273:42): [True: 5.16k, False: 0] | Branch (273:56): [True: 5.14k, False: 17] | Branch (273:72): [True: 0, False: 5.14k] ------------------ 274| 6.43M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm4EEEbmmm: 277| 5.12M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 5.12M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 3.51M, False: 1.60M] | Branch (278:26): [True: 2.74M, False: 771k] | Branch (278:42): [True: 2.71M, False: 27.2k] ------------------ 279| 5.12M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm6EEEbmmm: 277| 2.40M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 2.40M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.64M, False: 759k] | Branch (278:26): [True: 114k, False: 1.52M] | Branch (278:42): [True: 16.0k, False: 98.5k] ------------------ 279| 2.40M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm8EEEbmmm: 277| 2.38M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 2.38M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.65M, False: 734k] | Branch (278:26): [True: 103k, False: 1.54M] | Branch (278:42): [True: 1.03k, False: 102k] ------------------ 279| 2.38M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm9EEEbmmm: 277| 2.38M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 2.38M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 2.38M, False: 1.25k] | Branch (278:26): [True: 824k, False: 1.55M] | Branch (278:42): [True: 733k, False: 91.5k] ------------------ 279| 2.38M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm16EEEbmmm: 277| 1.65M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 1.65M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.65M, False: 1.25k] | Branch (278:26): [True: 73.7k, False: 1.57M] | Branch (278:42): [True: 0, False: 73.7k] ------------------ 279| 1.65M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm24EEEbmmm: 277| 1.65M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 1.65M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.65M, False: 1.25k] | Branch (278:26): [True: 10.2k, False: 1.64M] | Branch (278:42): [True: 0, False: 10.2k] ------------------ 279| 1.65M|} _ZN5Botan25bigint_monty_redc_genericEPmPKmmS2_mmS0_: 91| 9.36M| word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[]) { 92| 9.36M| BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic"); ------------------ | | 35| 9.36M| do { \ | | 36| 9.36M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 18.7M| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 9.36M, False: 0] | | | Branch (37:12): [True: 9.36M, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 9.36M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 9.36M] | | ------------------ ------------------ 93| | 94| 9.36M| word3 accum; 95| | 96| 9.36M| accum.add(z[0]); 97| | 98| 9.36M| ws[0] = accum.monty_step(p[0], p_dash); 99| | 100| 57.8M| for(size_t i = 1; i != p_size; ++i) { ------------------ | Branch (100:22): [True: 48.5M, False: 9.36M] ------------------ 101| 48.5M| mul_rev_range(accum, ws, p, i); 102| 48.5M| accum.add(z[i]); 103| 48.5M| ws[i] = accum.monty_step(p[0], p_dash); 104| 48.5M| } 105| | 106| 57.8M| for(size_t i = 0; i != p_size - 1; ++i) { ------------------ | Branch (106:22): [True: 48.5M, False: 9.36M] ------------------ 107| 48.5M| mul_rev_range(accum, &ws[i + 1], &p[i], p_size - (i + 1)); 108| 48.5M| accum.add(z[p_size + i]); 109| 48.5M| ws[i] = accum.extract(); 110| 48.5M| } 111| | 112| 9.36M| accum.add(z[2 * p_size - 1]); 113| | 114| 9.36M| ws[p_size - 1] = accum.extract(); 115| | // w1 is the final part, which is not stored in the workspace 116| 9.36M| const word w1 = accum.extract(); 117| | 118| | /* 119| | * The result might need to be reduced mod p. To avoid a timing 120| | * channel, always perform the subtraction. If in the computation 121| | * of x - p a borrow is required then x was already < p. 122| | * 123| | * x starts at ws[0] and is p_size bytes long plus a possible high 124| | * digit left over in w1. 125| | * 126| | * x - p starts at z[0] and is also p_size bytes long 127| | * 128| | * If borrow was set after the subtraction, then x was already less 129| | * than p and the subtraction was not needed. In that case overwrite 130| | * z[0:p_size] with the original x in ws[0:p_size]. 131| | * 132| | * We only copy out p_size in the final step because we know 133| | * the Montgomery result is < P 134| | */ 135| | 136| 9.36M| bigint_monty_maybe_sub(p_size, r, w1, ws, p); 137| 9.36M|} mp_monty.cpp:_ZN5Botan12_GLOBAL__N_113mul_rev_rangeERNS_5word3ImEEPKmS5_m: 18| 97.0M|BOTAN_FORCE_INLINE void mul_rev_range(word3& accum, const word ws[], const word p[], size_t bound) { 19| | /* 20| | Unrolled version of: 21| | 22| | for(size_t i = 0; i < bound; ++i) { 23| | accum.mul(ws[i], p[bound - i]); 24| | } 25| | */ 26| | 27| 97.0M| size_t lower = 0; 28| 240M| while(lower < bound) { ------------------ | Branch (28:10): [True: 143M, False: 97.0M] ------------------ 29| 143M| const size_t upper = bound - lower; 30| | 31| 143M| if(upper >= 16) { ------------------ | Branch (31:10): [True: 43.2k, False: 143M] ------------------ 32| 43.2k| accum.mul(ws[lower], p[upper]); 33| 43.2k| accum.mul(ws[lower + 1], p[upper - 1]); 34| 43.2k| accum.mul(ws[lower + 2], p[upper - 2]); 35| 43.2k| accum.mul(ws[lower + 3], p[upper - 3]); 36| 43.2k| accum.mul(ws[lower + 4], p[upper - 4]); 37| 43.2k| accum.mul(ws[lower + 5], p[upper - 5]); 38| 43.2k| accum.mul(ws[lower + 6], p[upper - 6]); 39| 43.2k| accum.mul(ws[lower + 7], p[upper - 7]); 40| 43.2k| accum.mul(ws[lower + 8], p[upper - 8]); 41| 43.2k| accum.mul(ws[lower + 9], p[upper - 9]); 42| 43.2k| accum.mul(ws[lower + 10], p[upper - 10]); 43| 43.2k| accum.mul(ws[lower + 11], p[upper - 11]); 44| 43.2k| accum.mul(ws[lower + 12], p[upper - 12]); 45| 43.2k| accum.mul(ws[lower + 13], p[upper - 13]); 46| 43.2k| accum.mul(ws[lower + 14], p[upper - 14]); 47| 43.2k| accum.mul(ws[lower + 15], p[upper - 15]); 48| 43.2k| lower += 16; 49| 143M| } else if(upper >= 8) { ------------------ | Branch (49:17): [True: 8.42M, False: 135M] ------------------ 50| 8.42M| accum.mul(ws[lower], p[upper]); 51| 8.42M| accum.mul(ws[lower + 1], p[upper - 1]); 52| 8.42M| accum.mul(ws[lower + 2], p[upper - 2]); 53| 8.42M| accum.mul(ws[lower + 3], p[upper - 3]); 54| 8.42M| accum.mul(ws[lower + 4], p[upper - 4]); 55| 8.42M| accum.mul(ws[lower + 5], p[upper - 5]); 56| 8.42M| accum.mul(ws[lower + 6], p[upper - 6]); 57| 8.42M| accum.mul(ws[lower + 7], p[upper - 7]); 58| 8.42M| lower += 8; 59| 135M| } else if(upper >= 4) { ------------------ | Branch (59:17): [True: 38.1M, False: 97.0M] ------------------ 60| 38.1M| accum.mul(ws[lower], p[upper]); 61| 38.1M| accum.mul(ws[lower + 1], p[upper - 1]); 62| 38.1M| accum.mul(ws[lower + 2], p[upper - 2]); 63| 38.1M| accum.mul(ws[lower + 3], p[upper - 3]); 64| 38.1M| lower += 4; 65| 97.0M| } else if(upper >= 2) { ------------------ | Branch (65:17): [True: 48.5M, False: 48.5M] ------------------ 66| 48.5M| accum.mul(ws[lower], p[upper]); 67| 48.5M| accum.mul(ws[lower + 1], p[upper - 1]); 68| 48.5M| lower += 2; 69| 48.5M| } else { 70| 48.5M| accum.mul(ws[lower], p[upper]); 71| 48.5M| lower += 1; 72| 48.5M| } 73| 143M| } 74| 97.0M|} _ZN5Botan19bigint_monty_redc_4EPmPKmS2_mS0_: 12| 15.1M|void bigint_monty_redc_4(word r[4], const word z[8], const word p[4], word p_dash, word ws[4]) { 13| 15.1M| word3 accum; 14| 15.1M| accum.add(z[0]); 15| 15.1M| ws[0] = accum.monty_step(p[0], p_dash); 16| 15.1M| accum.mul(ws[0], p[1]); 17| 15.1M| accum.add(z[1]); 18| 15.1M| ws[1] = accum.monty_step(p[0], p_dash); 19| 15.1M| accum.mul(ws[0], p[2]); 20| 15.1M| accum.mul(ws[1], p[1]); 21| 15.1M| accum.add(z[2]); 22| 15.1M| ws[2] = accum.monty_step(p[0], p_dash); 23| 15.1M| accum.mul(ws[0], p[3]); 24| 15.1M| accum.mul(ws[1], p[2]); 25| 15.1M| accum.mul(ws[2], p[1]); 26| 15.1M| accum.add(z[3]); 27| 15.1M| ws[3] = accum.monty_step(p[0], p_dash); 28| 15.1M| accum.mul(ws[1], p[3]); 29| 15.1M| accum.mul(ws[2], p[2]); 30| 15.1M| accum.mul(ws[3], p[1]); 31| 15.1M| accum.add(z[4]); 32| 15.1M| ws[0] = accum.extract(); 33| 15.1M| accum.mul(ws[2], p[3]); 34| 15.1M| accum.mul(ws[3], p[2]); 35| 15.1M| accum.add(z[5]); 36| 15.1M| ws[1] = accum.extract(); 37| 15.1M| accum.mul(ws[3], p[3]); 38| 15.1M| accum.add(z[6]); 39| 15.1M| ws[2] = accum.extract(); 40| 15.1M| accum.add(z[7]); 41| 15.1M| ws[3] = accum.extract(); 42| 15.1M| const word w1 = accum.extract(); 43| 15.1M| bigint_monty_maybe_sub<4>(r, w1, ws, p); 44| 15.1M|} _ZN5Botan19bigint_monty_redc_6EPmPKmS2_mS0_: 46| 222k|void bigint_monty_redc_6(word r[6], const word z[12], const word p[6], word p_dash, word ws[6]) { 47| 222k| word3 accum; 48| 222k| accum.add(z[0]); 49| 222k| ws[0] = accum.monty_step(p[0], p_dash); 50| 222k| accum.mul(ws[0], p[1]); 51| 222k| accum.add(z[1]); 52| 222k| ws[1] = accum.monty_step(p[0], p_dash); 53| 222k| accum.mul(ws[0], p[2]); 54| 222k| accum.mul(ws[1], p[1]); 55| 222k| accum.add(z[2]); 56| 222k| ws[2] = accum.monty_step(p[0], p_dash); 57| 222k| accum.mul(ws[0], p[3]); 58| 222k| accum.mul(ws[1], p[2]); 59| 222k| accum.mul(ws[2], p[1]); 60| 222k| accum.add(z[3]); 61| 222k| ws[3] = accum.monty_step(p[0], p_dash); 62| 222k| accum.mul(ws[0], p[4]); 63| 222k| accum.mul(ws[1], p[3]); 64| 222k| accum.mul(ws[2], p[2]); 65| 222k| accum.mul(ws[3], p[1]); 66| 222k| accum.add(z[4]); 67| 222k| ws[4] = accum.monty_step(p[0], p_dash); 68| 222k| accum.mul(ws[0], p[5]); 69| 222k| accum.mul(ws[1], p[4]); 70| 222k| accum.mul(ws[2], p[3]); 71| 222k| accum.mul(ws[3], p[2]); 72| 222k| accum.mul(ws[4], p[1]); 73| 222k| accum.add(z[5]); 74| 222k| ws[5] = accum.monty_step(p[0], p_dash); 75| 222k| accum.mul(ws[1], p[5]); 76| 222k| accum.mul(ws[2], p[4]); 77| 222k| accum.mul(ws[3], p[3]); 78| 222k| accum.mul(ws[4], p[2]); 79| 222k| accum.mul(ws[5], p[1]); 80| 222k| accum.add(z[6]); 81| 222k| ws[0] = accum.extract(); 82| 222k| accum.mul(ws[2], p[5]); 83| 222k| accum.mul(ws[3], p[4]); 84| 222k| accum.mul(ws[4], p[3]); 85| 222k| accum.mul(ws[5], p[2]); 86| 222k| accum.add(z[7]); 87| 222k| ws[1] = accum.extract(); 88| 222k| accum.mul(ws[3], p[5]); 89| 222k| accum.mul(ws[4], p[4]); 90| 222k| accum.mul(ws[5], p[3]); 91| 222k| accum.add(z[8]); 92| 222k| ws[2] = accum.extract(); 93| 222k| accum.mul(ws[4], p[5]); 94| 222k| accum.mul(ws[5], p[4]); 95| 222k| accum.add(z[9]); 96| 222k| ws[3] = accum.extract(); 97| 222k| accum.mul(ws[5], p[5]); 98| 222k| accum.add(z[10]); 99| 222k| ws[4] = accum.extract(); 100| 222k| accum.add(z[11]); 101| 222k| ws[5] = accum.extract(); 102| 222k| const word w1 = accum.extract(); 103| 222k| bigint_monty_maybe_sub<6>(r, w1, ws, p); 104| 222k|} _ZN5Botan19bigint_monty_redc_8EPmPKmS2_mS0_: 106| 281k|void bigint_monty_redc_8(word r[8], const word z[16], const word p[8], word p_dash, word ws[8]) { 107| 281k| word3 accum; 108| 281k| accum.add(z[0]); 109| 281k| ws[0] = accum.monty_step(p[0], p_dash); 110| 281k| accum.mul(ws[0], p[1]); 111| 281k| accum.add(z[1]); 112| 281k| ws[1] = accum.monty_step(p[0], p_dash); 113| 281k| accum.mul(ws[0], p[2]); 114| 281k| accum.mul(ws[1], p[1]); 115| 281k| accum.add(z[2]); 116| 281k| ws[2] = accum.monty_step(p[0], p_dash); 117| 281k| accum.mul(ws[0], p[3]); 118| 281k| accum.mul(ws[1], p[2]); 119| 281k| accum.mul(ws[2], p[1]); 120| 281k| accum.add(z[3]); 121| 281k| ws[3] = accum.monty_step(p[0], p_dash); 122| 281k| accum.mul(ws[0], p[4]); 123| 281k| accum.mul(ws[1], p[3]); 124| 281k| accum.mul(ws[2], p[2]); 125| 281k| accum.mul(ws[3], p[1]); 126| 281k| accum.add(z[4]); 127| 281k| ws[4] = accum.monty_step(p[0], p_dash); 128| 281k| accum.mul(ws[0], p[5]); 129| 281k| accum.mul(ws[1], p[4]); 130| 281k| accum.mul(ws[2], p[3]); 131| 281k| accum.mul(ws[3], p[2]); 132| 281k| accum.mul(ws[4], p[1]); 133| 281k| accum.add(z[5]); 134| 281k| ws[5] = accum.monty_step(p[0], p_dash); 135| 281k| accum.mul(ws[0], p[6]); 136| 281k| accum.mul(ws[1], p[5]); 137| 281k| accum.mul(ws[2], p[4]); 138| 281k| accum.mul(ws[3], p[3]); 139| 281k| accum.mul(ws[4], p[2]); 140| 281k| accum.mul(ws[5], p[1]); 141| 281k| accum.add(z[6]); 142| 281k| ws[6] = accum.monty_step(p[0], p_dash); 143| 281k| accum.mul(ws[0], p[7]); 144| 281k| accum.mul(ws[1], p[6]); 145| 281k| accum.mul(ws[2], p[5]); 146| 281k| accum.mul(ws[3], p[4]); 147| 281k| accum.mul(ws[4], p[3]); 148| 281k| accum.mul(ws[5], p[2]); 149| 281k| accum.mul(ws[6], p[1]); 150| 281k| accum.add(z[7]); 151| 281k| ws[7] = accum.monty_step(p[0], p_dash); 152| 281k| accum.mul(ws[1], p[7]); 153| 281k| accum.mul(ws[2], p[6]); 154| 281k| accum.mul(ws[3], p[5]); 155| 281k| accum.mul(ws[4], p[4]); 156| 281k| accum.mul(ws[5], p[3]); 157| 281k| accum.mul(ws[6], p[2]); 158| 281k| accum.mul(ws[7], p[1]); 159| 281k| accum.add(z[8]); 160| 281k| ws[0] = accum.extract(); 161| 281k| accum.mul(ws[2], p[7]); 162| 281k| accum.mul(ws[3], p[6]); 163| 281k| accum.mul(ws[4], p[5]); 164| 281k| accum.mul(ws[5], p[4]); 165| 281k| accum.mul(ws[6], p[3]); 166| 281k| accum.mul(ws[7], p[2]); 167| 281k| accum.add(z[9]); 168| 281k| ws[1] = accum.extract(); 169| 281k| accum.mul(ws[3], p[7]); 170| 281k| accum.mul(ws[4], p[6]); 171| 281k| accum.mul(ws[5], p[5]); 172| 281k| accum.mul(ws[6], p[4]); 173| 281k| accum.mul(ws[7], p[3]); 174| 281k| accum.add(z[10]); 175| 281k| ws[2] = accum.extract(); 176| 281k| accum.mul(ws[4], p[7]); 177| 281k| accum.mul(ws[5], p[6]); 178| 281k| accum.mul(ws[6], p[5]); 179| 281k| accum.mul(ws[7], p[4]); 180| 281k| accum.add(z[11]); 181| 281k| ws[3] = accum.extract(); 182| 281k| accum.mul(ws[5], p[7]); 183| 281k| accum.mul(ws[6], p[6]); 184| 281k| accum.mul(ws[7], p[5]); 185| 281k| accum.add(z[12]); 186| 281k| ws[4] = accum.extract(); 187| 281k| accum.mul(ws[6], p[7]); 188| 281k| accum.mul(ws[7], p[6]); 189| 281k| accum.add(z[13]); 190| 281k| ws[5] = accum.extract(); 191| 281k| accum.mul(ws[7], p[7]); 192| 281k| accum.add(z[14]); 193| 281k| ws[6] = accum.extract(); 194| 281k| accum.add(z[15]); 195| 281k| ws[7] = accum.extract(); 196| 281k| const word w1 = accum.extract(); 197| 281k| bigint_monty_maybe_sub<8>(r, w1, ws, p); 198| 281k|} _ZN5Botan17Barrett_ReductionC2ERKNS_6BigIntES1_m: 17| 11.4k| m_modulus(m), m_mu(std::move(mu)), m_mod_words(mw), m_modulus_bits(m.bits()) { 18| | // Give some extra space for Karatsuba 19| 11.4k| m_modulus.grow_to(m_mod_words + 8); 20| 11.4k| m_mu.grow_to(m_mod_words + 8); 21| 11.4k|} _ZN5Botan17Barrett_Reduction18for_secret_modulusERKNS_6BigIntE: 23| 912|Barrett_Reduction Barrett_Reduction::for_secret_modulus(const BigInt& mod) { 24| 912| BOTAN_ARG_CHECK(mod.signum() > 0, "Modulus must be positive"); ------------------ | | 35| 912| do { \ | | 36| 912| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 912| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 912] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 912| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 912] | | ------------------ ------------------ 25| | 26| 912| const size_t mod_words = mod.sig_words(); 27| | 28| | // Compute mu = floor(2^{2k} / m) 29| 912| const size_t mu_bits = 2 * WordInfo::bits * mod_words; 30| 912| return Barrett_Reduction(mod, ct_divide_pow2k(mu_bits, mod), mod_words); 31| 912|} _ZN5Botan17Barrett_Reduction18for_public_modulusERKNS_6BigIntE: 33| 10.5k|Barrett_Reduction Barrett_Reduction::for_public_modulus(const BigInt& mod) { 34| 10.5k| BOTAN_ARG_CHECK(mod.signum() > 0, "Modulus must be positive"); ------------------ | | 35| 10.5k| do { \ | | 36| 10.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 10.5k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 10.5k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 10.5k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 10.5k] | | ------------------ ------------------ 35| | 36| 10.5k| const size_t mod_words = mod.sig_words(); 37| | 38| | // Compute mu = floor(2^{2k} / m) 39| 10.5k| const size_t mu_bits = 2 * WordInfo::bits * mod_words; 40| 10.5k| return Barrett_Reduction(mod, vartime_divide_pow2k(mu_bits, mod), mod_words); 41| 10.5k|} _ZNK5Botan17Barrett_Reduction8multiplyERKNS_6BigIntES3_: 159| 891k|BigInt Barrett_Reduction::multiply(const BigInt& x, const BigInt& y) const { 160| 891k| BOTAN_ARG_CHECK(acceptable_barrett_input(x, m_modulus).as_bool(), "Invalid x param for Barrett multiply"); ------------------ | | 35| 891k| do { \ | | 36| 891k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 891k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 891k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 891k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 891k] | | ------------------ ------------------ 161| 891k| BOTAN_ARG_CHECK(acceptable_barrett_input(y, m_modulus).as_bool(), "Invalid y param for Barrett multiply"); ------------------ | | 35| 891k| do { \ | | 36| 891k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 891k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 891k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 891k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 891k] | | ------------------ ------------------ 162| | 163| 891k| secure_vector ws(2 * (m_mod_words + 2)); 164| 891k| secure_vector xy(2 * m_mod_words); 165| | 166| 891k| bigint_mul(xy.data(), 167| 891k| xy.size(), 168| 891k| x._data(), 169| 891k| x.size(), 170| 891k| std::min(x.size(), m_mod_words), 171| 891k| y._data(), 172| 891k| y.size(), 173| 891k| std::min(y.size(), m_mod_words), 174| 891k| ws.data(), 175| 891k| ws.size()); 176| | 177| 891k| return barrett_reduce(m_mod_words, m_modulus, m_mu, xy, ws); 178| 891k|} _ZNK5Botan17Barrett_Reduction6squareERKNS_6BigIntE: 180| 684k|BigInt Barrett_Reduction::square(const BigInt& x) const { 181| 684k| BOTAN_ARG_CHECK(acceptable_barrett_input(x, m_modulus).as_bool(), "Invalid x param for Barrett square"); ------------------ | | 35| 684k| do { \ | | 36| 684k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 684k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 684k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 684k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 684k] | | ------------------ ------------------ 182| | 183| 684k| secure_vector ws(2 * (m_mod_words + 2)); 184| 684k| secure_vector x2(2 * m_mod_words); 185| | 186| 684k| bigint_sqr(x2.data(), x2.size(), x._data(), x.size(), std::min(x.size(), m_mod_words), ws.data(), ws.size()); 187| | 188| 684k| return barrett_reduce(m_mod_words, m_modulus, m_mu, x2, ws); 189| 684k|} _ZNK5Botan17Barrett_Reduction6reduceERKNS_6BigIntE: 191| 1.17M|BigInt Barrett_Reduction::reduce(const BigInt& x) const { 192| 1.17M| BOTAN_ARG_CHECK(x.signum() >= 0, "Argument must be non-negative"); ------------------ | | 35| 1.17M| do { \ | | 36| 1.17M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.17M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.17M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.17M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.17M] | | ------------------ ------------------ 193| | 194| 1.17M| const size_t x_sw = x.sig_words(); 195| 1.17M| BOTAN_ARG_CHECK(x_sw <= 2 * m_mod_words, "Argument is too large for Barrett reduction"); ------------------ | | 35| 1.17M| do { \ | | 36| 1.17M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.17M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.17M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.17M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.17M] | | ------------------ ------------------ 196| | 197| 1.17M| x.grow_to(2 * m_mod_words); 198| | 199| 1.17M| secure_vector ws; 200| 1.17M| return barrett_reduce(m_mod_words, m_modulus, m_mu, x._as_span(), ws); 201| 1.17M|} barrett.cpp:_ZN5Botan12_GLOBAL__N_124acceptable_barrett_inputERKNS_6BigIntES3_: 151| 2.46M|CT::Choice acceptable_barrett_input(const BigInt& x, const BigInt& modulus) { 152| 2.46M| auto x_is_positive = CT::Choice::from_int(static_cast(x.signum() >= 0)); 153| 2.46M| auto x_lt_mod = bigint_ct_is_lt(x._data(), x.size(), modulus._data(), modulus.sig_words()).as_choice(); 154| 2.46M| return x_is_positive && x_lt_mod; 155| 2.46M|} barrett.cpp:_ZN5Botan12_GLOBAL__N_114barrett_reduceEmRKNS_6BigIntES3_NSt3__14spanIKmLm18446744073709551615EEERNS4_6vectorImNS_16secure_allocatorImEEEE: 54| 2.75M| size_t mod_words, const BigInt& modulus, const BigInt& mu, std::span x_words, secure_vector& ws) { 55| 2.75M| BOTAN_ASSERT_NOMSG(modulus.sig_words() == mod_words); ------------------ | | 77| 2.75M| do { \ | | 78| 2.75M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2.75M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2.75M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2.75M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2.75M] | | ------------------ ------------------ 56| | 57| | // Caller must expand input to be at least this size 58| 2.75M| BOTAN_ASSERT_NOMSG(x_words.size() >= 2 * mod_words); ------------------ | | 77| 2.75M| do { \ | | 78| 2.75M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2.75M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2.75M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2.75M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2.75M] | | ------------------ ------------------ 59| | 60| | // Normally mod_words + 1 but can be + 2 if the modulus is a power of 2 61| 2.75M| const size_t mu_words = mu.sig_words(); 62| 2.75M| BOTAN_ASSERT_NOMSG(mu_words <= mod_words + 2); ------------------ | | 77| 2.75M| do { \ | | 78| 2.75M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2.75M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2.75M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2.75M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2.75M] | | ------------------ ------------------ 63| | 64| 2.75M| if(ws.size() < 2 * (mod_words + 2)) { ------------------ | Branch (64:7): [True: 1.17M, False: 1.57M] ------------------ 65| 1.17M| ws.resize(2 * (mod_words + 2)); 66| 1.17M| } 67| | 68| 2.75M| CT::poison(x_words); 69| | 70| | /* 71| | * Following the notation of Handbook of Applied Cryptography 72| | * Algorithm 14.42 "Barrett modular reduction", page 604 73| | * 74| | * 75| | * Using `mu` for μ in the code 76| | */ 77| | 78| | // Compute q1 = floor(x / 2^(k - 1)) which is equivalent to ignoring the low (k-1) words 79| | 80| | // 2 * mod_words + 1 is sufficient, extra is to enable Karatsuba 81| 2.75M| secure_vector r(2 * mu_words + 2); 82| | 83| 2.75M| copy_mem(r.data(), x_words.data() + (mod_words - 1), mod_words + 1); 84| | 85| | // Now compute q2 = q1 * μ 86| | 87| | // We allocate more size than required since this allows Karatsuba more often; 88| | // just `mu_words + (mod_words + 1)` is sufficient 89| 2.75M| const size_t q2_size = 2 * mu_words + 2; 90| | 91| 2.75M| secure_vector q2(q2_size); 92| | 93| 2.75M| bigint_mul( 94| 2.75M| q2.data(), q2.size(), r.data(), r.size(), mod_words + 1, mu._data(), mu.size(), mu_words, ws.data(), ws.size()); 95| | 96| | // Compute r2 = (floor(q2 / b^(k+1)) * m) mod 2^(k+1) 97| | // The division/floor is again effected by just ignoring the low k + 1 words 98| 2.75M| bigint_mul(r.data(), 99| 2.75M| r.size(), 100| 2.75M| &q2[mod_words + 1], // ignoring the low mod_words + 1 words of the first product 101| 2.75M| q2.size() - (mod_words + 1), 102| 2.75M| mod_words + 1, 103| 2.75M| modulus._data(), 104| 2.75M| modulus.size(), 105| 2.75M| mod_words, 106| 2.75M| ws.data(), 107| 2.75M| ws.size()); 108| | 109| | // Clear the high words of the product, equivalent to computing mod 2^(k+1) 110| | // TODO add masked mul to avoid computing high bits at all 111| 2.75M| clear_mem(std::span{r}.subspan(mod_words + 1)); 112| | 113| | // Compute r = r1 - r2 114| | 115| | // The return value of bigint_sub_abs isn't quite right for what we need here so first compare 116| 2.75M| const int32_t relative_size = bigint_cmp(r.data(), mod_words + 1, x_words.data(), mod_words + 1); 117| | 118| 2.75M| bigint_sub_abs(r.data(), r.data(), x_words.data(), mod_words + 1, ws.data()); 119| | 120| | /* 121| | If r is negative then we have to set r to r + 2^(k+1) 122| | 123| | However for r negative computing this sum is equivalent to computing 2^(k+1) - abs(r) 124| | */ 125| 2.75M| clear_mem(ws.data(), mod_words + 2); 126| 2.75M| ws[mod_words + 1] = 1; 127| 2.75M| bigint_sub2(ws.data(), mod_words + 2, r.data(), mod_words + 2); 128| | 129| | // If relative_size > 0 then assign r to 2^(k+1) - r 130| 2.75M| CT::Mask::is_equal(static_cast(relative_size), 1).select_n(r.data(), ws.data(), r.data(), mod_words + 2); 131| | 132| | /* 133| | * Per HAC Note 14.44 (ii) "step 4 is repeated at most twice since 0 ≤ r < 3m" 134| | */ 135| 2.75M| const size_t bound = 2; 136| | 137| 2.75M| BOTAN_ASSERT_NOMSG(r.size() >= mod_words + 1); ------------------ | | 77| 2.75M| do { \ | | 78| 2.75M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2.75M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2.75M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2.75M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2.75M] | | ------------------ ------------------ 138| 8.25M| for(size_t i = 0; i != bound; ++i) { ------------------ | Branch (138:22): [True: 5.50M, False: 2.75M] ------------------ 139| 5.50M| const word borrow = bigint_sub3(ws.data(), r.data(), mod_words + 1, modulus._data(), mod_words); 140| 5.50M| CT::Mask::is_zero(borrow).select_n(r.data(), ws.data(), r.data(), mod_words + 1); 141| 5.50M| } 142| | 143| 2.75M| CT::unpoison(q2); 144| 2.75M| CT::unpoison(r); 145| 2.75M| CT::unpoison(ws); 146| 2.75M| CT::unpoison(x_words); 147| | 148| 2.75M| return BigInt::_from_words(r); 149| 2.75M|} _ZN5Botan24inverse_mod_public_primeERKNS_6BigIntES2_: 294| 654|BigInt inverse_mod_public_prime(const BigInt& x, const BigInt& p) { 295| 654| BOTAN_ARG_CHECK(p.signum() > 0, "Modulus must be positive"); ------------------ | | 35| 654| do { \ | | 36| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 654| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 654] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 654| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 654] | | ------------------ ------------------ 296| 654| BOTAN_ARG_CHECK(x.signum() > 0, "Input must be positive"); ------------------ | | 35| 654| do { \ | | 36| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 654| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 654] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 654| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 654] | | ------------------ ------------------ 297| 654| BOTAN_ARG_CHECK(x < p, "Input must be less than modulus"); ------------------ | | 35| 654| do { \ | | 36| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 654| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 654] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 654| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 654] | | ------------------ ------------------ 298| 654| BOTAN_ARG_CHECK(p.is_odd() && p > 1, "Primes are odd integers greater than 1"); ------------------ | | 35| 654| do { \ | | 36| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.30k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 654, False: 0] | | | Branch (37:12): [True: 654, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 654| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 654] | | ------------------ ------------------ 299| | 300| | // TODO possibly use FLT, or the algorithm presented for this case in 301| | // Handbook of Elliptic and Hyperelliptic Curve Cryptography 302| | 303| 654| return inverse_mod_odd_modulus(x, p); 304| 654|} mod_inv.cpp:_ZN5Botan12_GLOBAL__N_123inverse_mod_odd_modulusERKNS_6BigIntES3_: 21| 654|BigInt inverse_mod_odd_modulus(const BigInt& n, const BigInt& mod) { 22| | // Caller should assure these preconditions: 23| 654| BOTAN_ASSERT_NOMSG(n.signum() >= 0); ------------------ | | 77| 654| do { \ | | 78| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 654| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 654] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 654| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 654] | | ------------------ ------------------ 24| 654| BOTAN_ASSERT_NOMSG(mod.signum() > 0); ------------------ | | 77| 654| do { \ | | 78| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 654| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 654] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 654| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 654] | | ------------------ ------------------ 25| 654| BOTAN_ASSERT_NOMSG(n < mod); ------------------ | | 77| 654| do { \ | | 78| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 654| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 654] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 654| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 654] | | ------------------ ------------------ 26| 654| BOTAN_ASSERT_NOMSG(mod >= 3 && mod.is_odd()); ------------------ | | 77| 654| do { \ | | 78| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.30k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 654, False: 0] | | | Branch (79:12): [True: 654, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 654| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 654] | | ------------------ ------------------ 27| | 28| | /* 29| | This uses a modular inversion algorithm designed by Niels Möller 30| | and implemented in Nettle. The same algorithm was later also 31| | adapted to GMP in mpn_sec_invert. 32| | 33| | It can be easily implemented in a way that does not depend on 34| | secret branches or memory lookups, providing resistance against 35| | some forms of side channel attack. 36| | 37| | There is also a description of the algorithm in Appendix 5 of "Fast 38| | Software Polynomial Multiplication on ARM Processors using the NEON Engine" 39| | by Danilo Câmara, Conrado P. L. Gouvêa, Julio López, and Ricardo 40| | Dahab in LNCS 8182 41| | https://inria.hal.science/hal-01506572/document 42| | 43| | Thanks to Niels for creating the algorithm, explaining some things 44| | about it, and the reference to the paper. 45| | */ 46| | 47| 654| const size_t mod_words = mod.sig_words(); 48| 654| BOTAN_ASSERT(mod_words > 0, "Not empty"); ------------------ | | 64| 654| do { \ | | 65| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 654| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 654] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 654| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 654] | | ------------------ ------------------ 49| | 50| 654| secure_vector tmp_mem(5 * mod_words); 51| | 52| 654| word* v_w = &tmp_mem[0]; // NOLINT(readability-container-data-pointer) 53| 654| word* u_w = &tmp_mem[1 * mod_words]; 54| 654| word* b_w = &tmp_mem[2 * mod_words]; 55| 654| word* a_w = &tmp_mem[3 * mod_words]; 56| 654| word* mp1o2 = &tmp_mem[4 * mod_words]; 57| | 58| 654| copy_mem(a_w, n._data(), std::min(n.size(), mod_words)); 59| 654| copy_mem(b_w, mod._data(), std::min(mod.size(), mod_words)); 60| 654| u_w[0] = 1; 61| | // v_w = 0 62| | 63| | // compute (mod + 1) / 2 which [because mod is odd] is equal to 64| | // (mod / 2) + 1 65| 654| copy_mem(mp1o2, mod._data(), std::min(mod.size(), mod_words)); 66| 654| bigint_shr1(mp1o2, mod_words, 1); 67| 654| const word carry = bigint_add2(mp1o2, mod_words, u_w, 1); 68| 654| BOTAN_ASSERT_NOMSG(carry == 0); ------------------ | | 77| 654| do { \ | | 78| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 654| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 654] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 654| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 654] | | ------------------ ------------------ 69| | 70| 654| CT::poison(tmp_mem.data(), tmp_mem.size()); 71| | 72| | // Only n.bits() + mod.bits() iterations are required, but avoid leaking the size of n 73| 654| const size_t execs = 2 * mod.bits(); 74| | 75| 305k| for(size_t i = 0; i != execs; ++i) { ------------------ | Branch (75:22): [True: 305k, False: 654] ------------------ 76| 305k| const word odd_a = a_w[0] & 1; 77| | 78| | //if(odd_a) a -= b 79| 305k| const word underflow = bigint_cnd_sub(odd_a, a_w, b_w, mod_words); 80| | 81| | //if(underflow) { b -= a; a = abs(a); swap(u, v); } 82| 305k| bigint_cnd_add(underflow, b_w, a_w, mod_words); 83| 305k| bigint_cnd_abs(underflow, a_w, mod_words); 84| 305k| bigint_cnd_swap(underflow, u_w, v_w, mod_words); 85| | 86| | // a >>= 1 87| 305k| bigint_shr1(a_w, mod_words, 1); 88| | 89| | //if(odd_a) u -= v; 90| 305k| const word borrow = bigint_cnd_sub(odd_a, u_w, v_w, mod_words); 91| | 92| | // if(borrow) u += p 93| 305k| bigint_cnd_add(borrow, u_w, mod._data(), mod_words); 94| | 95| 305k| const word odd_u = u_w[0] & 1; 96| | 97| | // u >>= 1 98| 305k| bigint_shr1(u_w, mod_words, 1); 99| | 100| | //if(odd_u) u += mp1o2; 101| 305k| bigint_cnd_add(odd_u, u_w, mp1o2, mod_words); 102| 305k| } 103| | 104| 654| const auto a_is_0 = CT::all_zeros(a_w, mod_words); 105| | 106| 654| auto b_is_1 = CT::Mask::is_equal(b_w[0], 1); 107| 2.71k| for(size_t i = 1; i != mod_words; ++i) { ------------------ | Branch (107:22): [True: 2.06k, False: 654] ------------------ 108| 2.06k| b_is_1 &= CT::Mask::is_zero(b_w[i]); 109| 2.06k| } 110| | 111| 654| BOTAN_ASSERT(a_is_0.as_bool(), "A is zero"); ------------------ | | 64| 654| do { \ | | 65| 654| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 654| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 654] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 654| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 654] | | ------------------ ------------------ 112| | 113| | // if b != 1 then gcd(n,mod) > 1 and inverse does not exist 114| | // in which case zero out the result to indicate this 115| 654| (~b_is_1).if_set_zero_out(v_w, mod_words); 116| | 117| | /* 118| | * We've placed the result in the lowest words of the temp buffer. 119| | * So just clear out the other values and then give that buffer to a 120| | * BigInt. 121| | */ 122| 654| clear_mem(&tmp_mem[mod_words], 4 * mod_words); 123| | 124| 654| CT::unpoison(tmp_mem.data(), tmp_mem.size()); 125| | 126| 654| BigInt r; 127| 654| r.swap_reg(tmp_mem); 128| 654| return r; 129| 654|} _ZN5Botan17Montgomery_Params4DataC2ERKNS_6BigIntERKNS_17Barrett_ReductionE: 40| 5.36k|Montgomery_Params::Data::Data(const BigInt& p, const Barrett_Reduction& mod_p) { 41| 5.36k| if(p.is_even() || p < 3) { ------------------ | Branch (41:7): [True: 0, False: 5.36k] | Branch (41:22): [True: 0, False: 5.36k] ------------------ 42| 0| throw Invalid_Argument("Montgomery_Params invalid modulus"); 43| 0| } 44| | 45| 5.36k| m_p = p; 46| 5.36k| m_p_words = m_p.sig_words(); 47| 5.36k| m_p_dash = monty_inverse(m_p.word_at(0)); 48| | 49| 5.36k| const BigInt r = BigInt::power_of_2(m_p_words * WordInfo::bits); 50| | 51| 5.36k| m_r1 = mod_p.reduce(r); 52| 5.36k| m_r2 = mod_p.square(m_r1); 53| 5.36k| m_r3 = mod_p.multiply(m_r1, m_r2); 54| | 55| | // Barrett should be at least zero prefixing up to modulus size 56| 5.36k| BOTAN_ASSERT_NOMSG(m_r1.size() >= m_p_words); ------------------ | | 77| 5.36k| do { \ | | 78| 5.36k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 5.36k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 5.36k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 5.36k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 5.36k] | | ------------------ ------------------ 57| 5.36k| BOTAN_ASSERT_NOMSG(m_r2.size() >= m_p_words); ------------------ | | 77| 5.36k| do { \ | | 78| 5.36k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 5.36k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 5.36k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 5.36k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 5.36k] | | ------------------ ------------------ 58| 5.36k| BOTAN_ASSERT_NOMSG(m_r3.size() >= m_p_words); ------------------ | | 77| 5.36k| do { \ | | 78| 5.36k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 5.36k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 5.36k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 5.36k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 5.36k] | | ------------------ ------------------ 59| 5.36k|} _ZN5Botan17Montgomery_ParamsC2ERKNS_6BigIntERKNS_17Barrett_ReductionE: 62| 5.36k| m_data(std::make_shared(p, mod_p)) {} _ZN5Botan17Montgomery_ParamsC2ERKNS_6BigIntE: 65| 912| Montgomery_Params(p, Barrett_Reduction::for_secret_modulus(p)) {} _ZNK5Botan17Montgomery_ParamseqERKS0_: 67| 42.8k|bool Montgomery_Params::operator==(const Montgomery_Params& other) const { 68| 42.8k| if(this->m_data == other.m_data) { ------------------ | Branch (68:7): [True: 42.8k, False: 0] ------------------ 69| 42.8k| return true; 70| 42.8k| } 71| | 72| 0| return (this->m_data->p() == other.m_data->p()); 73| 42.8k|} _ZNK5Botan17Montgomery_Params4redcERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 75| 261|BigInt Montgomery_Params::redc(const BigInt& x, secure_vector& ws) const { 76| 261| const size_t p_size = this->p_words(); 77| | 78| 261| if(ws.size() < p_size) { ------------------ | Branch (78:7): [True: 128, False: 133] ------------------ 79| 128| ws.resize(p_size); 80| 128| } 81| | 82| 261| BigInt z = x; 83| 261| z.grow_to(2 * p_size); 84| | 85| 261| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 86| | 87| 261| return z; 88| 261|} _ZNK5Botan17Montgomery_Params3mulERKNS_6BigIntES3_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 90| 1.47M|BigInt Montgomery_Params::mul(const BigInt& x, const BigInt& y, secure_vector& ws) const { 91| 1.47M| const size_t p_size = this->p_words(); 92| 1.47M| BigInt z = BigInt::with_capacity(2 * p_size); 93| 1.47M| this->mul(z, x, y, ws); 94| 1.47M| return z; 95| 1.47M|} _ZNK5Botan17Montgomery_Params3mulERNS_6BigIntERKS1_S4_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 97| 5.87M|void Montgomery_Params::mul(BigInt& z, const BigInt& x, const BigInt& y, secure_vector& ws) const { 98| 5.87M| BOTAN_ARG_CHECK(&z != &x && &z != &y, "Montgomery_Params::mul output must not alias inputs"); ------------------ | | 35| 5.87M| do { \ | | 36| 5.87M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 11.7M| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 5.87M, False: 0] | | | Branch (37:12): [True: 5.87M, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 5.87M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 5.87M] | | ------------------ ------------------ 99| | 100| 5.87M| const size_t p_size = this->p_words(); 101| | 102| 5.87M| if(ws.size() < 2 * p_size) { ------------------ | Branch (102:7): [True: 3.24k, False: 5.86M] ------------------ 103| 3.24k| ws.resize(2 * p_size); 104| 3.24k| } 105| | 106| 5.87M| BOTAN_DEBUG_ASSERT(x.sig_words() <= p_size); ------------------ | | 130| 5.87M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 5.87M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 5.87M] | | ------------------ ------------------ 107| 5.87M| BOTAN_DEBUG_ASSERT(y.sig_words() <= p_size); ------------------ | | 130| 5.87M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 5.87M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 5.87M] | | ------------------ ------------------ 108| | 109| 5.87M| if(z.size() < 2 * p_size) { ------------------ | Branch (109:7): [True: 490k, False: 5.38M] ------------------ 110| 490k| z.grow_to(2 * p_size); 111| 490k| } 112| | 113| 5.87M| bigint_mul(z.mutable_data(), 114| 5.87M| z.size(), 115| 5.87M| x._data(), 116| 5.87M| x.size(), 117| 5.87M| std::min(p_size, x.size()), 118| 5.87M| y._data(), 119| 5.87M| y.size(), 120| 5.87M| std::min(p_size, y.size()), 121| 5.87M| ws.data(), 122| 5.87M| ws.size()); 123| | 124| 5.87M| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 125| 5.87M|} _ZNK5Botan17Montgomery_Params3mulERNS_6BigIntERKS1_NSt3__14spanIKmLm18446744073709551615EEERNS5_6vectorImNS_16secure_allocatorImEEEE: 127| 1.12M|void Montgomery_Params::mul(BigInt& z, const BigInt& x, std::span y, secure_vector& ws) const { 128| 1.12M| BOTAN_ARG_CHECK(&z != &x, "Montgomery_Params::mul output must not alias x"); ------------------ | | 35| 1.12M| do { \ | | 36| 1.12M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.12M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.12M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.12M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.12M] | | ------------------ ------------------ 129| 1.12M| BOTAN_ARG_CHECK(!ranges_overlap(z._data(), z.size(), y.data(), y.size()), ------------------ | | 35| 1.12M| do { \ | | 36| 1.12M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.12M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.12M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.12M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.12M] | | ------------------ ------------------ 130| 1.12M| "Montgomery_Params::mul output must not overlap y"); 131| | 132| 1.12M| const size_t p_size = this->p_words(); 133| | 134| 1.12M| if(ws.size() < 2 * p_size) { ------------------ | Branch (134:7): [True: 0, False: 1.12M] ------------------ 135| 0| ws.resize(2 * p_size); 136| 0| } 137| 1.12M| if(z.size() < 2 * p_size) { ------------------ | Branch (137:7): [True: 0, False: 1.12M] ------------------ 138| 0| z.grow_to(2 * p_size); 139| 0| } 140| | 141| 1.12M| BOTAN_DEBUG_ASSERT(x.sig_words() <= p_size); ------------------ | | 130| 1.12M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 1.12M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 1.12M] | | ------------------ ------------------ 142| | 143| 1.12M| bigint_mul(z.mutable_data(), 144| 1.12M| z.size(), 145| 1.12M| x._data(), 146| 1.12M| x.size(), 147| 1.12M| std::min(p_size, x.size()), 148| 1.12M| y.data(), 149| 1.12M| y.size(), 150| 1.12M| std::min(p_size, y.size()), 151| 1.12M| ws.data(), 152| 1.12M| ws.size()); 153| | 154| 1.12M| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 155| 1.12M|} _ZNK5Botan17Montgomery_Params6mul_byERNS_6BigIntERKS1_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 157| 8.72k|void Montgomery_Params::mul_by(BigInt& x, const BigInt& y, secure_vector& ws) const { 158| 8.72k| const size_t p_size = this->p_words(); 159| | 160| 8.72k| if(ws.size() < 4 * p_size) { ------------------ | Branch (160:7): [True: 4.36k, False: 4.36k] ------------------ 161| 4.36k| ws.resize(4 * p_size); 162| 4.36k| } 163| | 164| 8.72k| word* z_data = ws.data(); 165| 8.72k| word* ws_data = &ws[2 * p_size]; 166| | 167| 8.72k| BOTAN_DEBUG_ASSERT(x.sig_words() <= p_size); ------------------ | | 130| 8.72k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 8.72k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 8.72k] | | ------------------ ------------------ 168| | 169| 8.72k| bigint_mul(z_data, 170| 8.72k| 2 * p_size, 171| 8.72k| x._data(), 172| 8.72k| x.size(), 173| 8.72k| std::min(p_size, x.size()), 174| 8.72k| y._data(), 175| 8.72k| y.size(), 176| 8.72k| std::min(p_size, y.size()), 177| 8.72k| ws_data, 178| 8.72k| 2 * p_size); 179| | 180| 8.72k| bigint_monty_redc_inplace(z_data, this->p()._data(), p_size, this->p_dash(), ws_data, 2 * p_size); 181| | 182| 8.72k| if(x.size() < 2 * p_size) { ------------------ | Branch (182:7): [True: 2.88k, False: 5.84k] ------------------ 183| 2.88k| x.grow_to(2 * p_size); 184| 2.88k| } 185| 8.72k| copy_mem(x.mutable_data(), z_data, 2 * p_size); 186| 8.72k|} _ZNK5Botan17Montgomery_Params3sqrERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 188| 264|BigInt Montgomery_Params::sqr(const BigInt& x, secure_vector& ws) const { 189| 264| BOTAN_DEBUG_ASSERT(x.sig_words() <= this->p_words()); ------------------ | | 130| 264| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 264| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 264] | | ------------------ ------------------ 190| 264| return this->sqr(std::span{x._data(), x.size()}, ws); 191| 264|} _ZNK5Botan17Montgomery_Params3sqrENSt3__14spanIKmLm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEE: 193| 264|BigInt Montgomery_Params::sqr(std::span x, secure_vector& ws) const { 194| 264| const size_t p_size = this->p_words(); 195| 264| BigInt z = BigInt::with_capacity(2 * p_size); 196| 264| this->sqr(z, x, ws); 197| 264| return z; 198| 264|} _ZNK5Botan17Montgomery_Params3sqrERNS_6BigIntERKS1_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 200| 2.17M|void Montgomery_Params::sqr(BigInt& z, const BigInt& x, secure_vector& ws) const { 201| 2.17M| BOTAN_ARG_CHECK(&z != &x, "Montgomery_Params::sqr output must not alias input"); ------------------ | | 35| 2.17M| do { \ | | 36| 2.17M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.17M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.17M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.17M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.17M] | | ------------------ ------------------ 202| 2.17M| this->sqr(z, std::span{x._data(), x.size()}, ws); 203| 2.17M|} _ZNK5Botan17Montgomery_Params3sqrERNS_6BigIntENSt3__14spanIKmLm18446744073709551615EEERNS3_6vectorImNS_16secure_allocatorImEEEE: 205| 2.45M|void Montgomery_Params::sqr(BigInt& z, std::span x, secure_vector& ws) const { 206| 2.45M| BOTAN_ARG_CHECK(!ranges_overlap(z._data(), z.size(), x.data(), x.size()), ------------------ | | 35| 2.45M| do { \ | | 36| 2.45M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.45M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.45M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.45M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.45M] | | ------------------ ------------------ 207| 2.45M| "Montgomery_Params::sqr output must not overlap input"); 208| | 209| 2.45M| const size_t p_size = this->p_words(); 210| | 211| 2.45M| if(ws.size() < 2 * p_size) { ------------------ | Branch (211:7): [True: 66, False: 2.45M] ------------------ 212| 66| ws.resize(2 * p_size); 213| 66| } 214| | 215| 2.45M| if(z.size() < 2 * p_size) { ------------------ | Branch (215:7): [True: 39.9k, False: 2.41M] ------------------ 216| 39.9k| z.grow_to(2 * p_size); 217| 39.9k| } 218| | 219| 2.45M| bigint_sqr(z.mutable_data(), z.size(), x.data(), x.size(), std::min(p_size, x.size()), ws.data(), ws.size()); 220| | 221| 2.45M| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 222| 2.45M|} _ZN5Botan14Montgomery_IntC2ERKNS_17Montgomery_ParamsENSt3__16vectorImNS_16secure_allocatorImEEEE: 227| 23.5k| m_params(params), m_v(std::move(words)) { 228| 23.5k| BOTAN_ASSERT_NOMSG(m_v.size() == m_params.p_words()); ------------------ | | 77| 23.5k| do { \ | | 78| 23.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 23.5k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 23.5k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 23.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 23.5k] | | ------------------ ------------------ 229| 23.5k|} _ZN5Botan14Montgomery_Int3oneERKNS_17Montgomery_ParamsE: 231| 3.36k|Montgomery_Int Montgomery_Int::one(const Montgomery_Params& params) { 232| 3.36k| return Montgomery_Int(params, params.R1(), false); 233| 3.36k|} _ZN5Botan14Montgomery_IntC2ERKNS_17Montgomery_ParamsERKNS_6BigIntEb: 242| 6.73k| m_params(params), m_v(m_params.p_words()) { 243| 6.73k| BOTAN_ARG_CHECK(v.signum() >= 0 && v < m_params.p(), "Input out of range"); ------------------ | | 35| 6.73k| do { \ | | 36| 6.73k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 13.4k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 6.73k, False: 0] | | | Branch (37:12): [True: 6.73k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 6.73k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 6.73k] | | ------------------ ------------------ 244| | 245| 6.73k| const size_t p_size = m_params.p_words(); 246| | 247| 6.73k| auto v_span = v._as_span(); 248| | 249| 6.73k| if(v_span.size() > p_size) { ------------------ | Branch (249:7): [True: 6.30k, False: 430] ------------------ 250| | // Safe to truncate the span since we already checked v < p 251| 6.30k| v_span = v_span.first(p_size); 252| 6.30k| } 253| | 254| 6.73k| BOTAN_ASSERT_NOMSG(m_v.size() >= v_span.size()); ------------------ | | 77| 6.73k| do { \ | | 78| 6.73k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 6.73k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 6.73k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 6.73k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 6.73k] | | ------------------ ------------------ 255| | 256| 6.73k| copy_mem(std::span{m_v}.first(v_span.size()), v_span); 257| | 258| 6.73k| if(redc_needed) { ------------------ | Branch (258:7): [True: 3.36k, False: 3.36k] ------------------ 259| 3.36k| secure_vector ws; 260| 3.36k| this->mul_by(m_params.R2()._as_span().first(p_size), ws); 261| 3.36k| } 262| 6.73k|} _ZN5Botan14Montgomery_IntC2ERKNS_17Montgomery_ParamsENSt3__14spanIKmLm18446744073709551615EEE: 265| 1.40k| m_params(params), m_v(words.begin(), words.end()) { 266| 1.40k| BOTAN_ARG_CHECK(m_v.size() == m_params.p_words(), "Invalid input span"); ------------------ | | 35| 1.40k| do { \ | | 36| 1.40k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.40k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.40k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.40k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.40k] | | ------------------ ------------------ 267| 1.40k|} _ZNK5Botan14Montgomery_Int5valueEv: 273| 3.29k|BigInt Montgomery_Int::value() const { 274| 3.29k| secure_vector ws(m_params.p_words()); 275| | 276| 3.29k| secure_vector z = m_v; 277| 3.29k| z.resize(2 * m_params.p_words()); // zero extend 278| | 279| 3.29k| bigint_monty_redc_inplace( 280| 3.29k| z.data(), m_params.p()._data(), m_params.p_words(), m_params.p_dash(), ws.data(), ws.size()); 281| | 282| 3.29k| return BigInt::_from_words(z); 283| 3.29k|} _ZNK5Botan14Montgomery_Int3mulERKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 320| 23.5k|Montgomery_Int Montgomery_Int::mul(const Montgomery_Int& other, secure_vector& ws) const { 321| 23.5k| BOTAN_STATE_CHECK(other.m_params == m_params); ------------------ | | 51| 23.5k| do { \ | | 52| 23.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 23.5k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 23.5k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 23.5k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 23.5k] | | ------------------ ------------------ 322| | 323| 23.5k| const size_t p_size = m_params.p_words(); 324| 23.5k| BOTAN_ASSERT_NOMSG(m_v.size() == p_size && other.m_v.size() == p_size); ------------------ | | 77| 23.5k| do { \ | | 78| 23.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 47.1k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 23.5k, False: 0] | | | Branch (79:12): [True: 23.5k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 23.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 23.5k] | | ------------------ ------------------ 325| | 326| 23.5k| if(ws.size() < 2 * p_size) { ------------------ | Branch (326:7): [True: 0, False: 23.5k] ------------------ 327| 0| ws.resize(2 * p_size); 328| 0| } 329| | 330| 23.5k| secure_vector z(2 * p_size); 331| | 332| 23.5k| bigint_mul(z.data(), z.size(), m_v.data(), p_size, p_size, other.m_v.data(), p_size, p_size, ws.data(), ws.size()); 333| | 334| 23.5k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 335| 23.5k| z.resize(p_size); // truncate off high zero words 336| | 337| 23.5k| return Montgomery_Int(m_params, std::move(z)); 338| 23.5k|} _ZN5Botan14Montgomery_Int6mul_byERKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 340| 19.2k|Montgomery_Int& Montgomery_Int::mul_by(const Montgomery_Int& other, secure_vector& ws) { 341| 19.2k| BOTAN_STATE_CHECK(other.m_params == m_params); ------------------ | | 51| 19.2k| do { \ | | 52| 19.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 19.2k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 19.2k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 19.2k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 19.2k] | | ------------------ ------------------ 342| 19.2k| return this->mul_by(std::span{other.m_v}, ws); 343| 19.2k|} _ZN5Botan14Montgomery_Int6mul_byENSt3__14spanIKmLm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEE: 345| 129k|Montgomery_Int& Montgomery_Int::mul_by(std::span other, secure_vector& ws) { 346| 129k| const size_t p_size = m_params.p_words(); 347| 129k| BOTAN_ASSERT_NOMSG(m_v.size() == p_size && other.size() == p_size); ------------------ | | 77| 129k| do { \ | | 78| 129k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 258k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 129k, False: 0] | | | Branch (79:12): [True: 129k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 129k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 129k] | | ------------------ ------------------ 348| | 349| 129k| if(ws.size() < 2 * p_size) { ------------------ | Branch (349:7): [True: 3.36k, False: 125k] ------------------ 350| 3.36k| ws.resize(2 * p_size); 351| 3.36k| } 352| | 353| 129k| auto do_mul_by = [&](std::span z) { 354| 129k| bigint_mul(z.data(), z.size(), m_v.data(), p_size, p_size, other.data(), p_size, p_size, ws.data(), ws.size()); 355| | 356| 129k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 357| | 358| 129k| copy_mem(m_v, z.first(p_size)); 359| 129k| }; 360| | 361| 129k| if(p_size <= MontgomeryUseStackLimit) { ------------------ | Branch (361:7): [True: 129k, False: 0] ------------------ 362| 129k| std::array z{}; 363| 129k| do_mul_by(z); 364| 129k| } else { 365| 0| secure_vector z(2 * p_size); 366| 0| do_mul_by(z); 367| 0| } 368| | 369| 129k| return (*this); 370| 129k|} _ZN5Botan14Montgomery_Int19square_this_n_timesERNSt3__16vectorImNS_16secure_allocatorImEEEEm: 372| 151k|Montgomery_Int& Montgomery_Int::square_this_n_times(secure_vector& ws, size_t n) { 373| 151k| const size_t p_size = m_params.p_words(); 374| 151k| BOTAN_ASSERT_NOMSG(m_v.size() == p_size); ------------------ | | 77| 151k| do { \ | | 78| 151k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 151k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 151k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 151k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 151k] | | ------------------ ------------------ 375| | 376| 151k| if(ws.size() < 2 * p_size) { ------------------ | Branch (376:7): [True: 0, False: 151k] ------------------ 377| 0| ws.resize(2 * p_size); 378| 0| } 379| | 380| 151k| auto do_sqr_n = [&](std::span z) { 381| 151k| for(size_t i = 0; i != n; ++i) { 382| 151k| bigint_sqr(z.data(), 2 * p_size, m_v.data(), p_size, p_size, ws.data(), ws.size()); 383| | 384| 151k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 385| | 386| 151k| copy_mem(m_v, std::span{z}.first(p_size)); 387| 151k| } 388| 151k| }; 389| | 390| 151k| if(p_size <= MontgomeryUseStackLimit) { ------------------ | Branch (390:7): [True: 151k, False: 0] ------------------ 391| 151k| std::array z{}; 392| 151k| do_sqr_n(z); 393| 151k| } else { 394| 0| secure_vector z(2 * p_size); 395| 0| do_sqr_n(z); 396| 0| } 397| | 398| 151k| return (*this); 399| 151k|} _ZNK5Botan14Montgomery_Int6squareERNSt3__16vectorImNS_16secure_allocatorImEEEE: 401| 23.5k|Montgomery_Int Montgomery_Int::square(secure_vector& ws) const { 402| 23.5k| auto z = (*this); 403| 23.5k| z.square_this_n_times(ws, 1); 404| 23.5k| return z; 405| 23.5k|} monty.cpp:_ZN5Botan12_GLOBAL__N_114ranges_overlapEPKmmS2_m: 30| 3.58M|bool ranges_overlap(const word* a, size_t na, const word* b, size_t nb) { 31| 3.58M| if(na == 0 || nb == 0) { ------------------ | Branch (31:7): [True: 590, False: 3.58M] | Branch (31:18): [True: 0, False: 3.58M] ------------------ 32| 590| return false; 33| 590| } 34| 3.58M| const std::less lt; // NOLINT(modernize-use-transparent-functors) 35| 3.58M| return lt(a, b + nb) && lt(b, a + na); ------------------ | Branch (35:11): [True: 2.19M, False: 1.38M] | Branch (35:28): [True: 0, False: 2.19M] ------------------ 36| 3.58M|} monty.cpp:_ZZN5Botan14Montgomery_Int6mul_byENSt3__14spanIKmLm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEEENK3$_0clENS2_ImLm18446744073709551615EEE: 353| 129k| auto do_mul_by = [&](std::span z) { 354| 129k| bigint_mul(z.data(), z.size(), m_v.data(), p_size, p_size, other.data(), p_size, p_size, ws.data(), ws.size()); 355| | 356| 129k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 357| | 358| 129k| copy_mem(m_v, z.first(p_size)); 359| 129k| }; monty.cpp:_ZZN5Botan14Montgomery_Int19square_this_n_timesERNSt3__16vectorImNS_16secure_allocatorImEEEEmENK3$_0clENS1_4spanImLm18446744073709551615EEE: 380| 151k| auto do_sqr_n = [&](std::span z) { 381| 685k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (381:25): [True: 533k, False: 151k] ------------------ 382| 533k| bigint_sqr(z.data(), 2 * p_size, m_v.data(), p_size, p_size, ws.data(), ws.size()); 383| | 384| 533k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 385| | 386| 533k| copy_mem(m_v, std::span{z}.first(p_size)); 387| 533k| } 388| 151k| }; _ZN5Botan31Montgomery_Exponentiation_StateC2ERKNS_14Montgomery_IntEmb: 36| 3.36k| m_params(g._params()), m_window_bits(window_bits == 0 ? 4 : window_bits) { ------------------ | Branch (36:44): [True: 0, False: 3.36k] ------------------ 37| 3.36k| if(m_window_bits < 1 || m_window_bits > 12) { // really even 8 is too large ... ------------------ | Branch (37:7): [True: 0, False: 3.36k] | Branch (37:28): [True: 0, False: 3.36k] ------------------ 38| 0| throw Invalid_Argument("Invalid window bits for Montgomery exponentiation"); 39| 0| } 40| | 41| 3.36k| const size_t window_size = (static_cast(1) << m_window_bits); 42| | 43| 3.36k| m_g.reserve(window_size); 44| | 45| 3.36k| m_g.push_back(Montgomery_Int::one(m_params)); 46| | 47| 3.36k| m_g.push_back(g); 48| | 49| 3.36k| secure_vector ws(2 * m_params.p_words()); 50| | 51| 50.5k| for(size_t i = 2; i != window_size; ++i) { ------------------ | Branch (51:22): [True: 47.1k, False: 3.36k] ------------------ 52| 47.1k| if(i % 2 == 0) { ------------------ | Branch (52:10): [True: 23.5k, False: 23.5k] ------------------ 53| 23.5k| m_g.push_back(m_g[i / 2].square(ws)); 54| 23.5k| } else { 55| 23.5k| m_g.push_back(m_g[1].mul(m_g[i - 1], ws)); 56| 23.5k| } 57| 47.1k| } 58| | 59| 3.36k| if(const_time) { ------------------ | Branch (59:7): [True: 1.47k, False: 1.89k] ------------------ 60| 1.47k| CT::poison_range(m_g); 61| 1.47k| } 62| 3.36k|} _ZNK5Botan31Montgomery_Exponentiation_State14exponentiationERKNS_6BigIntEm: 91| 1.40k|Montgomery_Int Montgomery_Exponentiation_State::exponentiation(const BigInt& scalar, size_t max_k_bits) const { 92| 1.40k| BOTAN_ARG_CHECK(scalar.signum() >= 0, "Invalid scalar for Montgomery exponentiation"); ------------------ | | 35| 1.40k| do { \ | | 36| 1.40k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.40k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.40k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.40k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.40k] | | ------------------ ------------------ 93| 1.40k| BOTAN_DEBUG_ASSERT(scalar.bits() <= max_k_bits); ------------------ | | 130| 1.40k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 1.40k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 1.40k] | | ------------------ ------------------ 94| | // TODO add a const-time implementation of above assert and use it in release builds 95| | 96| 1.40k| const size_t exp_nibbles = (max_k_bits + m_window_bits - 1) / m_window_bits; 97| | 98| 1.40k| if(exp_nibbles == 0) { ------------------ | Branch (98:7): [True: 0, False: 1.40k] ------------------ 99| 0| return Montgomery_Int::one(m_params); 100| 0| } 101| | 102| 1.40k| secure_vector e_bits(m_params.p_words()); 103| 1.40k| secure_vector ws(2 * m_params.p_words()); 104| | 105| 1.40k| const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)); 106| 1.40k| Montgomery_Int x(m_params, std::span{e_bits}); 107| | 108| 107k| for(size_t i = exp_nibbles - 1; i > 0; --i) { ------------------ | Branch (108:36): [True: 106k, False: 1.40k] ------------------ 109| 106k| x.square_this_n_times(ws, m_window_bits); 110| 106k| const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (i - 1), m_window_bits)); 111| 106k| x.mul_by(e_bits, ws); 112| 106k| } 113| | 114| 1.40k| CT::unpoison(x); 115| 1.40k| return x; 116| 1.40k|} _ZNK5Botan31Montgomery_Exponentiation_State22exponentiation_vartimeERKNS_6BigIntE: 118| 1.89k|Montgomery_Int Montgomery_Exponentiation_State::exponentiation_vartime(const BigInt& scalar) const { 119| 1.89k| const size_t exp_nibbles = (scalar.bits() + m_window_bits - 1) / m_window_bits; 120| | 121| 1.89k| secure_vector ws(2 * m_params.p_words()); 122| | 123| 1.89k| if(exp_nibbles == 0) { ------------------ | Branch (123:7): [True: 0, False: 1.89k] ------------------ 124| 0| return Montgomery_Int::one(m_params); 125| 0| } 126| | 127| 1.89k| Montgomery_Int x = m_g[scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)]; 128| | 129| 22.9k| for(size_t i = exp_nibbles - 1; i > 0; --i) { ------------------ | Branch (129:36): [True: 21.0k, False: 1.89k] ------------------ 130| 21.0k| x.square_this_n_times(ws, m_window_bits); 131| | 132| 21.0k| const uint32_t nibble = scalar.get_substring(m_window_bits * (i - 1), m_window_bits); 133| 21.0k| if(nibble > 0) { ------------------ | Branch (133:10): [True: 19.2k, False: 1.78k] ------------------ 134| 19.2k| x.mul_by(m_g[nibble], ws); 135| 19.2k| } 136| 21.0k| } 137| | 138| 1.89k| CT::unpoison(x); 139| 1.89k| return x; 140| 1.89k|} _ZN5Botan16monty_precomputeERKNS_14Montgomery_IntEmb: 144| 3.36k| bool const_time) { 145| 3.36k| return std::make_shared(g, window_bits, const_time); 146| 3.36k|} _ZN5Botan16monty_precomputeERKNS_17Montgomery_ParamsERKNS_6BigIntEmb: 151| 3.36k| bool const_time) { 152| 3.36k| BOTAN_ARG_CHECK(g.signum() >= 0 && g < params.p(), "Montgomery exponentiation base integer out of range"); ------------------ | | 35| 3.36k| do { \ | | 36| 3.36k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 6.73k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 3.36k, False: 0] | | | Branch (37:12): [True: 3.36k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 3.36k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 3.36k] | | ------------------ ------------------ 153| 3.36k| const Montgomery_Int monty_g(params, g); 154| 3.36k| return monty_precompute(monty_g, window_bits, const_time); 155| 3.36k|} _ZN5Botan13monty_executeERKNS_31Montgomery_Exponentiation_StateERKNS_6BigIntEm: 159| 1.40k| size_t max_k_bits) { 160| 1.40k| return precomputed_state.exponentiation(k, max_k_bits); 161| 1.40k|} _ZN5Botan21monty_execute_vartimeERKNS_31Montgomery_Exponentiation_StateERKNS_6BigIntE: 163| 1.89k|Montgomery_Int monty_execute_vartime(const Montgomery_Exponentiation_State& precomputed_state, const BigInt& k) { 164| 1.89k| return precomputed_state.exponentiation_vartime(k); 165| 1.89k|} monty_exp.cpp:_ZN5Botan12_GLOBAL__N_117const_time_lookupERNSt3__16vectorImNS_16secure_allocatorImEEEERKNS2_INS_14Montgomery_IntENS1_9allocatorIS7_EEEEm: 66| 107k|void const_time_lookup(secure_vector& output, const std::vector& g, size_t nibble) { 67| 107k| BOTAN_ASSERT_NOMSG(g.size() % 2 == 0); // actually a power of 2 ------------------ | | 77| 107k| do { \ | | 78| 107k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 107k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 107k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 107k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 107k] | | ------------------ ------------------ 68| | 69| 107k| const size_t words = output.size(); 70| | 71| 107k| clear_mem(output.data(), output.size()); 72| | 73| 971k| for(size_t i = 0; i != g.size(); i += 2) { ------------------ | Branch (73:22): [True: 863k, False: 107k] ------------------ 74| 863k| const secure_vector& vec_0 = g[i].repr(); 75| 863k| const secure_vector& vec_1 = g[i + 1].repr(); 76| | 77| 863k| BOTAN_ASSERT_NOMSG(vec_0.size() >= words && vec_1.size() >= words); ------------------ | | 77| 863k| do { \ | | 78| 863k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.72M| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 863k, False: 0] | | | Branch (79:12): [True: 863k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 863k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 863k] | | ------------------ ------------------ 78| | 79| 863k| const auto mask_0 = CT::Mask::is_equal(nibble, i); 80| 863k| const auto mask_1 = CT::Mask::is_equal(nibble, i + 1); 81| | 82| 6.26M| for(size_t w = 0; w != words; ++w) { ------------------ | Branch (82:25): [True: 5.40M, False: 863k] ------------------ 83| 5.40M| output[w] |= mask_0.if_set_return(vec_0[w]); 84| 5.40M| output[w] |= mask_1.if_set_return(vec_1[w]); 85| 5.40M| } 86| 863k| } 87| 107k|} _ZN5Botan17sqrt_modulo_primeERKNS_6BigIntES2_: 27| 412|BigInt sqrt_modulo_prime(const BigInt& a, const BigInt& p) { 28| 412| BOTAN_ARG_CHECK(p > 1, "invalid prime"); ------------------ | | 35| 412| do { \ | | 36| 412| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 412| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 412] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 412| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 412] | | ------------------ ------------------ 29| 412| BOTAN_ARG_CHECK(a < p, "value to solve for must be less than p"); ------------------ | | 35| 412| do { \ | | 36| 412| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 412| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 412] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 412| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 412] | | ------------------ ------------------ 30| 412| BOTAN_ARG_CHECK(a >= 0, "value to solve for must not be negative"); ------------------ | | 35| 412| do { \ | | 36| 412| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 412| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 412] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 412| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 412] | | ------------------ ------------------ 31| | 32| | // some very easy cases 33| 412| if(p == 2 || a <= 1) { ------------------ | Branch (33:7): [True: 0, False: 412] | Branch (33:17): [True: 0, False: 412] ------------------ 34| 0| return a; 35| 0| } 36| | 37| 412| BOTAN_ARG_CHECK(p.is_odd(), "invalid prime"); ------------------ | | 35| 412| do { \ | | 36| 412| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 412| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 412] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 412| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 412] | | ------------------ ------------------ 38| | 39| 412| if(jacobi(a, p) != 1) { // not a quadratic residue ------------------ | Branch (39:7): [True: 162, False: 250] ------------------ 40| 162| return BigInt::from_s32(-1); 41| 162| } 42| | 43| 250| auto mod_p = Barrett_Reduction::for_public_modulus(p); 44| 250| const Montgomery_Params monty_p(p, mod_p); 45| | 46| | // If p == 3 (mod 4) there is a simple solution 47| 250| if(p % 4 == 3) { ------------------ | Branch (47:7): [True: 13, False: 237] ------------------ 48| 13| return monty_exp_vartime(monty_p, a, ((p + 1) >> 2)).value(); 49| 13| } 50| | 51| | // Otherwise we have to use Shanks-Tonelli 52| 237| size_t s = low_zero_bits(p - 1); 53| 237| BigInt q = p >> s; 54| | 55| 237| q -= 1; 56| 237| q >>= 1; 57| | 58| 237| BigInt r = monty_exp_vartime(monty_p, a, q).value(); 59| 237| BigInt n = mod_p.multiply(a, mod_p.square(r)); 60| 237| r = mod_p.multiply(r, a); 61| | 62| 237| if(n == 1) { ------------------ | Branch (62:7): [True: 97, False: 140] ------------------ 63| 97| return r; 64| 97| } 65| | 66| | // find random quadratic nonresidue z 67| 140| word z = 2; 68| 419| for(;;) { 69| 419| if(jacobi(BigInt::from_word(z), p) == -1) { // found one ------------------ | Branch (69:10): [True: 140, False: 279] ------------------ 70| 140| break; 71| 140| } 72| | 73| 279| z += 1; // try next z 74| | 75| | /* 76| | * The expected number of tests to find a non-residue modulo a 77| | * prime is 2. If we have not found one after 256 then almost 78| | * certainly we have been given a non-prime p. 79| | */ 80| 279| if(z >= 256) { ------------------ | Branch (80:10): [True: 0, False: 279] ------------------ 81| 0| return BigInt::from_s32(-1); 82| 0| } 83| 279| } 84| | 85| 140| BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1).value(); 86| | 87| 1.64k| while(n > 1) { ------------------ | Branch (87:10): [True: 1.50k, False: 140] ------------------ 88| 1.50k| q = n; 89| | 90| 1.50k| size_t i = 0; 91| 67.7k| while(q != 1) { ------------------ | Branch (91:13): [True: 66.2k, False: 1.50k] ------------------ 92| 66.2k| q = mod_p.square(q); 93| 66.2k| ++i; 94| | 95| 66.2k| if(i >= s) { ------------------ | Branch (95:13): [True: 0, False: 66.2k] ------------------ 96| 0| return BigInt::from_s32(-1); 97| 0| } 98| 66.2k| } 99| | 100| 1.50k| BOTAN_ASSERT_NOMSG(s >= (i + 1)); // No underflow! ------------------ | | 77| 1.50k| do { \ | | 78| 1.50k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.50k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.50k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.50k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.50k] | | ------------------ ------------------ 101| 1.50k| c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1)).value(); 102| 1.50k| r = mod_p.multiply(r, c); 103| 1.50k| c = mod_p.square(c); 104| 1.50k| n = mod_p.multiply(n, c); 105| | 106| | // s decreases as the algorithm proceeds 107| 1.50k| BOTAN_ASSERT_NOMSG(s >= i); ------------------ | | 77| 1.50k| do { \ | | 78| 1.50k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.50k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.50k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.50k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.50k] | | ------------------ ------------------ 108| 1.50k| s = i; 109| 1.50k| } 110| | 111| 140| return r; 112| 140|} _ZN5Botan6jacobiENS_6BigIntES0_: 119| 3.89k|int32_t jacobi(BigInt a, BigInt n) { 120| 3.89k| BOTAN_ARG_CHECK(n.is_odd() && n >= 3, "Argument n must be an odd integer >= 3"); ------------------ | | 35| 3.89k| do { \ | | 36| 3.89k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 7.78k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 3.89k, False: 0] | | | Branch (37:12): [True: 3.89k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 3.89k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 3.89k] | | ------------------ ------------------ 121| | 122| 3.89k| if(a < 0 || a >= n) { ------------------ | Branch (122:7): [True: 1.42k, False: 2.46k] | Branch (122:16): [True: 0, False: 2.46k] ------------------ 123| 1.42k| a %= n; 124| 1.42k| } 125| | 126| 3.89k| if(a == 0) { ------------------ | Branch (126:7): [True: 0, False: 3.89k] ------------------ 127| 0| return 0; 128| 0| } 129| 3.89k| if(a == 1) { ------------------ | Branch (129:7): [True: 0, False: 3.89k] ------------------ 130| 0| return 1; 131| 0| } 132| | 133| 3.89k| int32_t s = 1; 134| | 135| 42.7k| for(;;) { 136| 42.7k| const size_t e = low_zero_bits(a); 137| 42.7k| a >>= e; 138| 42.7k| const word n_mod_8 = n.word_at(0) % 8; 139| 42.7k| const word n_mod_4 = n_mod_8 % 4; 140| | 141| 42.7k| if(e % 2 == 1 && (n_mod_8 == 3 || n_mod_8 == 5)) { ------------------ | Branch (141:10): [True: 15.1k, False: 27.6k] | Branch (141:25): [True: 3.65k, False: 11.4k] | Branch (141:41): [True: 3.69k, False: 7.75k] ------------------ 142| 7.35k| s = -s; 143| 7.35k| } 144| | 145| 42.7k| if(n_mod_4 == 3 && a % 4 == 3) { ------------------ | Branch (145:10): [True: 20.8k, False: 21.8k] | Branch (145:26): [True: 9.95k, False: 10.9k] ------------------ 146| 9.95k| s = -s; 147| 9.95k| } 148| | 149| | /* 150| | * The HAC presentation of the algorithm uses recursion, which is not 151| | * desirable or necessary. 152| | * 153| | * Instead we loop accumulating the product of the various jacobi() 154| | * subcomputations into s, until we reach algorithm termination, which 155| | * occurs in one of two ways. 156| | * 157| | * If a == 1 then the recursion has completed; we can return the value of s. 158| | * 159| | * Otherwise, after swapping and reducing, check for a == 0 [this value is 160| | * called `n1` in HAC's presentation]. This would imply that jacobi(n1,a1) 161| | * would have the value 0, due to Line 1 in HAC 2.149, in which case the 162| | * entire product is zero, and we can immediately return that result. 163| | */ 164| | 165| 42.7k| if(a == 1) { ------------------ | Branch (165:10): [True: 3.89k, False: 38.9k] ------------------ 166| 3.89k| return s; 167| 3.89k| } 168| | 169| 38.9k| std::swap(a, n); 170| | 171| 38.9k| BOTAN_ASSERT_NOMSG(n.is_odd()); ------------------ | | 77| 38.9k| do { \ | | 78| 38.9k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 38.9k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 38.9k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 38.9k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 38.9k] | | ------------------ ------------------ 172| | 173| 38.9k| a %= n; 174| | 175| 38.9k| if(a == 0) { ------------------ | Branch (175:10): [True: 0, False: 38.9k] ------------------ 176| 0| return 0; 177| 0| } 178| 38.9k| } 179| 3.89k|} _ZN5Botan13low_zero_bitsERKNS_6BigIntE: 194| 44.3k|size_t low_zero_bits(const BigInt& n) { 195| 44.3k| size_t low_zero = 0; 196| | 197| 44.3k| auto seen_nonempty_word = CT::Mask::cleared(); 198| | 199| 435k| for(size_t i = 0; i != n.size(); ++i) { ------------------ | Branch (199:22): [True: 390k, False: 44.3k] ------------------ 200| 390k| const word x = n.word_at(i); 201| | 202| | // ctz(0) will return sizeof(word) 203| 390k| const size_t tz_x = ctz(x); 204| | 205| | // if x > 0 we want to count tz_x in total but not any 206| | // further words, so set the mask after the addition 207| 390k| low_zero += seen_nonempty_word.if_not_set_return(tz_x); 208| | 209| 390k| seen_nonempty_word |= CT::Mask::expand(x); 210| 390k| } 211| | 212| | // if we saw no words with x > 0 then n == 0 and the value we have 213| | // computed is meaningless. Instead return BigInt::zero() in that case. 214| 44.3k| return static_cast(seen_nonempty_word.if_set_return(low_zero)); 215| 44.3k|} _ZN5Botan17is_perfect_squareERKNS_6BigIntE: 347| 107|BigInt is_perfect_square(const BigInt& C) { 348| 107| if(C < 1) { ------------------ | Branch (348:7): [True: 0, False: 107] ------------------ 349| 0| throw Invalid_Argument("is_perfect_square requires C >= 1"); 350| 0| } 351| 107| if(C == 1) { ------------------ | Branch (351:7): [True: 0, False: 107] ------------------ 352| 0| return BigInt::one(); 353| 0| } 354| | 355| 107| const size_t n = C.bits(); 356| 107| const size_t m = (n + 1) / 2; 357| 107| const BigInt B = C + BigInt::power_of_2(m); 358| | 359| 107| BigInt X = BigInt::power_of_2(m) - 1; 360| 107| BigInt X2 = (X * X); 361| | 362| 411| for(;;) { 363| 411| X = (X2 + C) / (2 * X); 364| 411| X2 = (X * X); 365| | 366| 411| if(X2 < B) { ------------------ | Branch (366:10): [True: 107, False: 304] ------------------ 367| 107| break; 368| 107| } 369| 411| } 370| | 371| 107| if(X2 == C) { ------------------ | Branch (371:7): [True: 0, False: 107] ------------------ 372| 0| return X; 373| 107| } else { 374| 107| return BigInt::zero(); 375| 107| } 376| 107|} _ZN5Botan23is_lucas_probable_primeERKNS_6BigIntERKNS_17Barrett_ReductionE: 18| 845|bool is_lucas_probable_prime(const BigInt& C, const Barrett_Reduction& mod_C) { 19| 845| BOTAN_ARG_CHECK(C.signum() >= 0, "Argument must be non-negative"); ------------------ | | 35| 845| do { \ | | 36| 845| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 845| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 845] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 845| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 845] | | ------------------ ------------------ 20| | 21| 845| if(C == 2 || C == 3 || C == 5 || C == 7 || C == 11 || C == 13) { ------------------ | Branch (21:7): [True: 0, False: 845] | Branch (21:17): [True: 1, False: 844] | Branch (21:27): [True: 1, False: 843] | Branch (21:37): [True: 1, False: 842] | Branch (21:47): [True: 1, False: 841] | Branch (21:58): [True: 1, False: 840] ------------------ 22| 5| return true; 23| 5| } 24| | 25| 840| if(C <= 1 || C.is_even()) { ------------------ | Branch (25:7): [True: 0, False: 840] | Branch (25:17): [True: 0, False: 840] ------------------ 26| 0| return false; 27| 0| } 28| | 29| 840| BigInt D = BigInt::from_word(5); 30| | 31| 3.06k| for(;;) { 32| 3.06k| const int32_t j = jacobi(D, C); 33| 3.06k| if(j == 0) { ------------------ | Branch (33:10): [True: 0, False: 3.06k] ------------------ 34| 0| return false; 35| 0| } 36| | 37| 3.06k| if(j == -1) { ------------------ | Branch (37:10): [True: 840, False: 2.22k] ------------------ 38| 840| break; 39| 840| } 40| | 41| | // Check 5, -7, 9, -11, 13, -15, 17, ... 42| 2.22k| if(D.signum() < 0) { ------------------ | Branch (42:10): [True: 793, False: 1.42k] ------------------ 43| 793| D.flip_sign(); 44| 793| D += 2; 45| 1.42k| } else { 46| 1.42k| D += 2; 47| 1.42k| D.flip_sign(); 48| 1.42k| } 49| | 50| 2.22k| if(D == 17 && is_perfect_square(C).signum() != 0) { ------------------ | Branch (50:10): [True: 107, False: 2.11k] | Branch (50:10): [True: 0, False: 2.22k] | Branch (50:21): [True: 0, False: 107] ------------------ 51| 0| return false; 52| 0| } 53| 2.22k| } 54| | 55| 840| if(D.signum() < 0) { ------------------ | Branch (55:7): [True: 635, False: 205] ------------------ 56| 635| D += C; 57| 635| } 58| | 59| 840| const BigInt K = C + 1; 60| 840| const size_t K_bits = K.bits() - 1; 61| | 62| 840| BigInt U = BigInt::one(); 63| 840| BigInt V = BigInt::one(); 64| | 65| 840| BigInt Ut; 66| 840| BigInt Vt; 67| 840| BigInt U2; 68| 840| BigInt V2; 69| | 70| 292k| for(size_t i = 0; i != K_bits; ++i) { ------------------ | Branch (70:22): [True: 291k, False: 840] ------------------ 71| 291k| const bool k_bit = K.get_bit(K_bits - 1 - i); 72| | 73| 291k| Ut = mod_C.multiply(U, V); 74| | 75| 291k| Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U))); 76| 291k| Vt.ct_cond_add(Vt.is_odd(), C); 77| 291k| Vt >>= 1; 78| 291k| Vt = mod_C.reduce(Vt); 79| | 80| 291k| U = Ut; 81| 291k| V = Vt; 82| | 83| 291k| U2 = mod_C.reduce(Ut + Vt); 84| 291k| U2.ct_cond_add(U2.is_odd(), C); 85| 291k| U2 >>= 1; 86| | 87| 291k| V2 = mod_C.reduce(Vt + mod_C.multiply(Ut, D)); 88| 291k| V2.ct_cond_add(V2.is_odd(), C); 89| 291k| V2 >>= 1; 90| | 91| 291k| U.ct_cond_assign(k_bit, U2); 92| 291k| V.ct_cond_assign(k_bit, V2); 93| 291k| } 94| | 95| 840| return (U == 0); 96| 840|} _ZN5Botan28is_bailie_psw_probable_primeERKNS_6BigIntERKNS_17Barrett_ReductionE: 98| 1.45k|bool is_bailie_psw_probable_prime(const BigInt& n, const Barrett_Reduction& mod_n) { 99| 1.45k| if(n == 2) { ------------------ | Branch (99:7): [True: 1, False: 1.45k] ------------------ 100| 1| return true; 101| 1.45k| } else if(n <= 1 || n.is_even()) { ------------------ | Branch (101:14): [True: 1, False: 1.45k] | Branch (101:24): [True: 100, False: 1.35k] ------------------ 102| 101| return false; 103| 101| } 104| | 105| 1.35k| const Montgomery_Params monty_n(n, mod_n); 106| 1.35k| const auto base = BigInt::from_word(2); 107| 1.35k| return passes_miller_rabin_test(n, mod_n, monty_n, base) && is_lucas_probable_prime(n, mod_n); ------------------ | Branch (107:11): [True: 845, False: 512] | Branch (107:64): [True: 842, False: 3] ------------------ 108| 1.45k|} _ZN5Botan24passes_miller_rabin_testERKNS_6BigIntERKNS_17Barrett_ReductionERKNS_17Montgomery_ParamsES2_: 113| 1.35k| const BigInt& a) { 114| 1.35k| if(n < 3 || n.is_even()) { ------------------ | Branch (114:7): [True: 0, False: 1.35k] | Branch (114:16): [True: 0, False: 1.35k] ------------------ 115| 0| return false; 116| 0| } 117| | 118| 1.35k| BOTAN_ASSERT_NOMSG(n > 1); ------------------ | | 77| 1.35k| do { \ | | 78| 1.35k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.35k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.35k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.35k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.35k] | | ------------------ ------------------ 119| | 120| 1.35k| const BigInt n_minus_1 = n - 1; 121| | /* 122| | * This unpoison is not ideal but realistically there is no way to 123| | * hide the number of loop iterations (below). The main user of 124| | * secret primes is RSA and we always generate RSA primes such that 125| | * p == 3 (mod 4), which means s is always 1. 126| | */ 127| 1.35k| const size_t s = CT::driveby_unpoison(low_zero_bits(n_minus_1)); 128| 1.35k| const BigInt nm1_s = n_minus_1 >> s; 129| 1.35k| const size_t n_bits = n.bits(); 130| | 131| 1.35k| const size_t powm_window = 4; 132| | 133| 1.35k| auto powm_a_n = monty_precompute(monty_n, a, powm_window); 134| | 135| 1.35k| BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits).value(); 136| | 137| 1.35k| if(y == 1 || y == n_minus_1) { ------------------ | Branch (137:7): [True: 447, False: 910] | Branch (137:17): [True: 38, False: 872] ------------------ 138| 485| return true; 139| 485| } 140| | 141| 21.0k| for(size_t i = 1; i != s; ++i) { ------------------ | Branch (141:22): [True: 20.5k, False: 511] ------------------ 142| 20.5k| y = mod_n.square(y); 143| | 144| 20.5k| if(y == 1) { // found a non-trivial square root ------------------ | Branch (144:10): [True: 1, False: 20.5k] ------------------ 145| 1| return false; 146| 1| } 147| | 148| | /* 149| | -1 is the trivial square root of unity, so ``a`` is not a 150| | witness for this number - give up 151| | */ 152| 20.5k| if(y == n_minus_1) { ------------------ | Branch (152:10): [True: 360, False: 20.1k] ------------------ 153| 360| return true; 154| 360| } 155| 20.5k| } 156| | 157| 511| return false; 158| 872|} _ZN5Botan6PCurve15PrimeOrderCurve6Scalar8_zeroizeEv: 16| 1.94k|void PrimeOrderCurve::Scalar::_zeroize() { 17| 1.94k| secure_zeroize_buffer(m_value.data(), m_value.size() * sizeof(word)); 18| 1.94k|} _ZN5Botan6PCurve15PrimeOrderCurve11from_paramsERKNS_6BigIntES4_S4_S4_S4_S4_: 22| 980| const BigInt& p, const BigInt& a, const BigInt& b, const BigInt& base_x, const BigInt& base_y, const BigInt& order) { 23| 980|#if defined(BOTAN_HAS_PCURVES_GENERIC) 24| 980| return PCurveInstance::from_params(p, a, b, base_x, base_y, order); 25| 0|#endif 26| | 27| 0| BOTAN_UNUSED(p, a, b, base_x, base_y, order); ------------------ | | 144| 0|#define BOTAN_UNUSED Botan::ignore_params ------------------ 28| 0| return {}; 29| 980|} _ZN5Botan6PCurve15PrimeOrderCurve15for_named_curveENSt3__117basic_string_viewIcNS2_11char_traitsIcEEEE: 32| 2.60k|std::shared_ptr PrimeOrderCurve::for_named_curve(std::string_view name) { 33| 2.60k|#if defined(BOTAN_HAS_PCURVES_SECP256R1) 34| 2.60k| if(name == "secp256r1") { ------------------ | Branch (34:7): [True: 244, False: 2.35k] ------------------ 35| 244| return PCurveInstance::secp256r1(); 36| 244| } 37| 2.35k|#endif 38| | 39| 2.35k|#if defined(BOTAN_HAS_PCURVES_SECP384R1) 40| 2.35k| if(name == "secp384r1") { ------------------ | Branch (40:7): [True: 149, False: 2.20k] ------------------ 41| 149| return PCurveInstance::secp384r1(); 42| 149| } 43| 2.20k|#endif 44| | 45| 2.20k|#if defined(BOTAN_HAS_PCURVES_SECP521R1) 46| 2.20k| if(name == "secp521r1") { ------------------ | Branch (46:7): [True: 287, False: 1.92k] ------------------ 47| 287| return PCurveInstance::secp521r1(); 48| 287| } 49| 1.92k|#endif 50| | 51| 1.92k|#if defined(BOTAN_HAS_PCURVES_BRAINPOOL256R1) 52| 1.92k| if(name == "brainpool256r1") { ------------------ | Branch (52:7): [True: 125, False: 1.79k] ------------------ 53| 125| return PCurveInstance::brainpool256r1(); 54| 125| } 55| 1.79k|#endif 56| | 57| 1.79k|#if defined(BOTAN_HAS_PCURVES_BRAINPOOL384R1) 58| 1.79k| if(name == "brainpool384r1") { ------------------ | Branch (58:7): [True: 156, False: 1.64k] ------------------ 59| 156| return PCurveInstance::brainpool384r1(); 60| 156| } 61| 1.64k|#endif 62| | 63| 1.64k|#if defined(BOTAN_HAS_PCURVES_BRAINPOOL512R1) 64| 1.64k| if(name == "brainpool512r1") { ------------------ | Branch (64:7): [True: 145, False: 1.49k] ------------------ 65| 145| return PCurveInstance::brainpool512r1(); 66| 145| } 67| 1.49k|#endif 68| | 69| 1.49k|#if defined(BOTAN_HAS_PCURVES_FRP256V1) 70| 1.49k| if(name == "frp256v1") { ------------------ | Branch (70:7): [True: 0, False: 1.49k] ------------------ 71| 0| return PCurveInstance::frp256v1(); 72| 0| } 73| 1.49k|#endif 74| | 75| 1.49k|#if defined(BOTAN_HAS_PCURVES_SECP192R1) 76| 1.49k| if(name == "secp192r1") { ------------------ | Branch (76:7): [True: 203, False: 1.29k] ------------------ 77| 203| return PCurveInstance::secp192r1(); 78| 203| } 79| 1.29k|#endif 80| | 81| 1.29k|#if defined(BOTAN_HAS_PCURVES_SECP224R1) 82| 1.29k| if(name == "secp224r1") { ------------------ | Branch (82:7): [True: 215, False: 1.07k] ------------------ 83| 215| return PCurveInstance::secp224r1(); 84| 215| } 85| 1.07k|#endif 86| | 87| 1.07k|#if defined(BOTAN_HAS_PCURVES_SECP256K1) 88| 1.07k| if(name == "secp256k1") { ------------------ | Branch (88:7): [True: 159, False: 918] ------------------ 89| 159| return PCurveInstance::secp256k1(); 90| 159| } 91| 918|#endif 92| | 93| 918|#if defined(BOTAN_HAS_PCURVES_SM2P256V1) 94| 918| if(name == "sm2p256v1") { ------------------ | Branch (94:7): [True: 0, False: 918] ------------------ 95| 0| return PCurveInstance::sm2p256v1(); 96| 0| } 97| 918|#endif 98| | 99| 918|#if defined(BOTAN_HAS_PCURVES_NUMSP512D1) 100| 918| if(name == "numsp512d1") { ------------------ | Branch (100:7): [True: 0, False: 918] ------------------ 101| 0| return PCurveInstance::numsp512d1(); 102| 0| } 103| 918|#endif 104| | 105| 918| BOTAN_UNUSED(name); ------------------ | | 144| 918|#define BOTAN_UNUSED Botan::ignore_params ------------------ 106| 918| return {}; 107| 918|} _ZN5Botan6PCurve14PCurveInstance14brainpool256r1Ev: 36| 125|std::shared_ptr PCurveInstance::brainpool256r1() { 37| 125| return PrimeOrderCurveImpl::instance(); 38| 125|} _ZN5Botan6PCurve14PCurveInstance14brainpool384r1Ev: 36| 156|std::shared_ptr PCurveInstance::brainpool384r1() { 37| 156| return PrimeOrderCurveImpl::instance(); 38| 156|} _ZN5Botan6PCurve14PCurveInstance14brainpool512r1Ev: 36| 145|std::shared_ptr PCurveInstance::brainpool512r1() { 37| 145| return PrimeOrderCurveImpl::instance(); 38| 145|} _ZN5Botan6PCurve22GenericPrimeOrderCurveC2ERKNS_6BigIntES4_S4_S4_S4_S4_: 1432| 456| m_params(std::make_unique(p, a, b, base_x, base_y, order)) {} _ZN5Botan6PCurve22GenericPrimeOrderCurve20_precompute_base_mulEv: 1434| 456|void GenericPrimeOrderCurve::_precompute_base_mul() { 1435| 456| BOTAN_STATE_CHECK(m_basemul == nullptr); ------------------ | | 51| 456| do { \ | | 52| 456| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 456| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 456] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 456| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 456] | | ------------------ ------------------ 1436| 456| m_basemul = std::make_unique(from_stash(generator())); 1437| 456|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10order_bitsEv: 1439| 456|size_t GenericPrimeOrderCurve::order_bits() const { 1440| 456| return _params().order_bits(); 1441| 456|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve19field_element_bytesEv: 1447| 632|size_t GenericPrimeOrderCurve::field_element_bytes() const { 1448| 632| return _params().field_bytes(); 1449| 632|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 1452| 315| RandomNumberGenerator& rng) const { 1453| 315| BOTAN_STATE_CHECK(m_basemul != nullptr); ------------------ | | 51| 315| do { \ | | 52| 315| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 315| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 315] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 315| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 315] | | ------------------ ------------------ 1454| 315| return stash(m_basemul->mul(from_stash(scalar), rng)); 1455| 315|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve9generatorEv: 1546| 456|PrimeOrderCurve::AffinePoint GenericPrimeOrderCurve::generator() const { 1547| 456| return PrimeOrderCurve::AffinePoint::_create(shared_from_this(), _params().base_x(), _params().base_y()); 1548| 456|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 1550| 315|PrimeOrderCurve::AffinePoint GenericPrimeOrderCurve::point_to_affine(const ProjectivePoint& pt) const { 1551| 315| auto affine = to_affine(from_stash(pt)); 1552| | 1553| 315| const auto y2 = affine.y().square(); 1554| 315| const auto x3_ax_b = GenericCurve::AffinePoint::x3_ax_b(affine.x()); 1555| 315| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 1556| | 1557| 315| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 315| do { \ | | 65| 315| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 315| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 315] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 315| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 315] | | ------------------ ------------------ 1558| | 1559| 315| return stash(affine); 1560| 315|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 1570| 316|bool GenericPrimeOrderCurve::affine_point_is_identity(const AffinePoint& pt) const { 1571| 316| return from_stash(pt).is_identity().as_bool(); 1572| 316|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 1574| 316|void GenericPrimeOrderCurve::serialize_point(std::span bytes, const AffinePoint& pt) const { 1575| 316| from_stash(pt).serialize_to(bytes); 1576| 316|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 1578| 436|void GenericPrimeOrderCurve::serialize_scalar(std::span bytes, const Scalar& scalar) const { 1579| 436| BOTAN_ARG_CHECK(bytes.size() == _params().order_bytes(), "Invalid length to serialize_scalar"); ------------------ | | 35| 436| do { \ | | 36| 436| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 436| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 436] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 436| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 436] | | ------------------ ------------------ 1580| 436| from_stash(scalar).serialize_to(bytes); 1581| 436|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 1584| 441| std::span bytes) const { 1585| 441| if(auto s = GenericScalar::deserialize(this, bytes)) { ------------------ | Branch (1585:12): [True: 437, False: 4] ------------------ 1586| 437| if(s->is_nonzero().as_bool()) { ------------------ | Branch (1586:10): [True: 436, False: 1] ------------------ 1587| 436| return stash(s.value()); 1588| 436| } 1589| 437| } 1590| | 1591| 5| return {}; 1592| 441|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 1604| 121| std::span bytes) const { 1605| 121| if(auto pt = GenericAffinePoint::deserialize(this, bytes)) { ------------------ | Branch (1605:12): [True: 1, False: 120] ------------------ 1606| 1| return stash(pt.value()); 1607| 120| } else { 1608| 120| return {}; 1609| 120| } 1610| 121|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 1640| 436|bool GenericPrimeOrderCurve::scalar_is_zero(const Scalar& s) const { 1641| 436| return from_stash(s).is_zero().as_bool(); 1642| 436|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve5stashERKNS0_13GenericScalarE: 1656| 436|PrimeOrderCurve::Scalar GenericPrimeOrderCurve::stash(const GenericScalar& s) const { 1657| 436| return Scalar::_create(shared_from_this(), s.stash_value()); 1658| 436|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 1660| 1.18k|GenericScalar GenericPrimeOrderCurve::from_stash(const PrimeOrderCurve::Scalar& s) const { 1661| 1.18k| BOTAN_ARG_CHECK(s._curve().get() == this, "Curve mismatch"); ------------------ | | 35| 1.18k| do { \ | | 36| 1.18k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.18k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.18k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.18k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.18k] | | ------------------ ------------------ 1662| 1.18k| return GenericScalar(this, s._value()); 1663| 1.18k|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve5stashERKNS0_18GenericAffinePointE: 1665| 316|PrimeOrderCurve::AffinePoint GenericPrimeOrderCurve::stash(const GenericAffinePoint& pt) const { 1666| 316| auto x_w = pt.x().stash_value(); 1667| 316| auto y_w = pt.y().stash_value(); 1668| 316| return AffinePoint::_create(shared_from_this(), x_w, y_w); 1669| 316|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 1671| 1.08k|GenericAffinePoint GenericPrimeOrderCurve::from_stash(const PrimeOrderCurve::AffinePoint& pt) const { 1672| 1.08k| BOTAN_ARG_CHECK(pt._curve().get() == this, "Curve mismatch"); ------------------ | | 35| 1.08k| do { \ | | 36| 1.08k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.08k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.08k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.08k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.08k] | | ------------------ ------------------ 1673| 1.08k| auto x = GenericField(this, pt._x()); 1674| 1.08k| auto y = GenericField(this, pt._y()); 1675| 1.08k| return GenericAffinePoint(x, y); 1676| 1.08k|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve5stashERKNS0_22GenericProjectivePointE: 1678| 315|PrimeOrderCurve::ProjectivePoint GenericPrimeOrderCurve::stash(const GenericProjectivePoint& pt) const { 1679| 315| auto x_w = pt.x().stash_value(); 1680| 315| auto y_w = pt.y().stash_value(); 1681| 315| auto z_w = pt.z().stash_value(); 1682| 315| return ProjectivePoint::_create(shared_from_this(), x_w, y_w, z_w); 1683| 315|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 1685| 315|GenericProjectivePoint GenericPrimeOrderCurve::from_stash(const PrimeOrderCurve::ProjectivePoint& pt) const { 1686| 315| BOTAN_ARG_CHECK(pt._curve().get() == this, "Curve mismatch"); ------------------ | | 35| 315| do { \ | | 36| 315| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 315| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 315] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 315| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 315] | | ------------------ ------------------ 1687| 315| auto x = GenericField(this, pt._x()); 1688| 315| auto y = GenericField(this, pt._y()); 1689| 315| auto z = GenericField(this, pt._z()); 1690| 315| return GenericProjectivePoint(x, y, z); 1691| 315|} _ZN5Botan6PCurve14PCurveInstance11from_paramsERKNS_6BigIntES4_S4_S4_S4_S4_: 1706| 980| const BigInt& p, const BigInt& a, const BigInt& b, const BigInt& base_x, const BigInt& base_y, const BigInt& order) { 1707| | // We don't check that p and order are prime here on the assumption this has 1708| | // been checked already by EC_Group 1709| | 1710| 980| BOTAN_ARG_CHECK(a >= 0 && a < p, "a is invalid"); ------------------ | | 35| 980| do { \ | | 36| 980| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.96k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 980, False: 0] | | | Branch (37:12): [True: 980, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 980| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 980] | | ------------------ ------------------ 1711| 980| BOTAN_ARG_CHECK(b > 0 && b < p, "b is invalid"); ------------------ | | 35| 980| do { \ | | 36| 980| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.96k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 980, False: 0] | | | Branch (37:12): [True: 980, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 980| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 980] | | ------------------ ------------------ 1712| 980| BOTAN_ARG_CHECK(base_x >= 0 && base_x < p, "base_x is invalid"); ------------------ | | 35| 980| do { \ | | 36| 980| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.96k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 980, False: 0] | | | Branch (37:12): [True: 980, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 980| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 980] | | ------------------ ------------------ 1713| 980| BOTAN_ARG_CHECK(base_y >= 0 && base_y < p, "base_y is invalid"); ------------------ | | 35| 980| do { \ | | 36| 980| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.96k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 980, False: 0] | | | Branch (37:12): [True: 980, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 980| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 980] | | ------------------ ------------------ 1714| | 1715| 980| const size_t p_bits = p.bits(); 1716| | 1717| | // Same size restrictions as EC_Group however here we do not require 1718| | // exactly the primes for the 521 or 239 bit exceptions; this code 1719| | // should work fine with any such prime and we are relying on the higher 1720| | // levels to prevent creating such a group in the first place 1721| | // 1722| | // TODO(Botan4) increase the 128 here to 192 when the corresponding EC_Group constructor is changed 1723| | // 1724| 980| if(p_bits != 521 && p_bits != 239 && (p_bits < 128 || p_bits > 512 || p_bits % 32 != 0)) { ------------------ | Branch (1724:7): [True: 929, False: 51] | Branch (1724:24): [True: 784, False: 145] | Branch (1724:42): [True: 0, False: 784] | Branch (1724:58): [True: 0, False: 784] | Branch (1724:74): [True: 0, False: 784] ------------------ 1725| 0| return {}; 1726| 0| } 1727| | 1728| | // We don't want to deal with Shanks-Tonelli in the generic case 1729| 980| if(p % 4 != 3) { ------------------ | Branch (1729:7): [True: 499, False: 481] ------------------ 1730| 499| return {}; 1731| 499| } 1732| | 1733| | // The bit length of the field and order being the same simplifies things 1734| 481| if(p_bits != order.bits()) { ------------------ | Branch (1734:7): [True: 25, False: 456] ------------------ 1735| 25| return {}; 1736| 25| } 1737| | 1738| | // Check that the (x,y) generator point is on the curve 1739| 456| auto mod_p = Barrett_Reduction::for_public_modulus(p); 1740| 456| const BigInt y2 = mod_p.square(base_y); 1741| 456| const BigInt x3_ax_b = mod_p.reduce(mod_p.cube(base_x) + mod_p.multiply(a, base_x) + b); 1742| 456| if(y2 != x3_ax_b) { ------------------ | Branch (1742:7): [True: 0, False: 456] ------------------ 1743| 0| return {}; 1744| 0| } 1745| | 1746| 456| auto gpoc = std::make_shared(p, a, b, base_x, base_y, order); 1747| | /* 1748| | The implementation of this needs to call shared_from_this which is not usable 1749| | until after the constructor has completed, so we have to do a two-stage 1750| | construction process. This is certainly not so clean but it is contained to 1751| | this single file so seems tolerable. 1752| | 1753| | Alternately we could lazily compute the base mul table but this brings in 1754| | locking issues which seem a worse alternative overall. 1755| | */ 1756| 456| gpoc->_precompute_base_mul(); 1757| 456| return gpoc; 1758| 456|} _ZNK5Botan6PCurve18GenericCurveParams10order_bitsEv: 146| 771| size_t order_bits() const { return m_order_bits; } _ZNK5Botan6PCurve18GenericCurveParams11order_bytesEv: 148| 1.94k| size_t order_bytes() const { return m_order_bytes; } _ZNK5Botan6PCurve18GenericCurveParams11field_bytesEv: 152| 1.92k| size_t field_bytes() const { return m_field_bytes; } _ZN5Botan6PCurve19GenericBaseMulTable3mulERKNS0_13GenericScalarERNS_21RandomNumberGeneratorE: 1340| 315| GenericProjectivePoint mul(const GenericScalar& s, RandomNumberGenerator& rng) { 1341| | // W+1 bit windows for Booth recoding overlap 1342| 315| const GenericBlindedScalarBits scalar(s, rng, WindowBits + 1); 1343| 315| return basemul_booth_exec(m_table, scalar, rng); 1344| 315| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_124GenericBlindedScalarBitsC2ERKNS0_13GenericScalarERNS_21RandomNumberGeneratorEm: 1230| 315| GenericBlindedScalarBits(const GenericScalar& scalar, RandomNumberGenerator& rng, size_t wb) { 1231| 315| BOTAN_ASSERT_NOMSG(wb == 1 || wb == 2 || wb == 3 || wb == 4 || wb == 5 || wb == 6 || wb == 7); ------------------ | | 77| 315| do { \ | | 78| 315| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 3.78k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 0, False: 315] | | | Branch (79:12): [True: 0, False: 315] | | | Branch (79:12): [True: 0, False: 315] | | | Branch (79:12): [True: 0, False: 315] | | | Branch (79:12): [True: 0, False: 315] | | | Branch (79:12): [True: 0, False: 315] | | | Branch (79:12): [True: 315, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 315| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 315] | | ------------------ ------------------ 1232| | 1233| 315| const auto& params = scalar.curve()->_params(); 1234| | 1235| 315| const size_t order_bits = params.order_bits(); 1236| 315| m_window_bits = wb; 1237| | 1238| 315| const size_t blinder_bits = scalar_blinding_bits(order_bits); 1239| | 1240| 315| if(blinder_bits > 0 && rng.is_seeded()) { ------------------ | Branch (1240:13): [True: 315, False: 0] | Branch (1240:33): [True: 0, False: 315] ------------------ 1241| 0| const size_t mask_words = (blinder_bits + WordInfo::bits - 1) / WordInfo::bits; 1242| 0| const size_t mask_bytes = mask_words * WordInfo::bytes; 1243| | 1244| 0| const size_t words = params.words(); 1245| | 1246| 0| secure_vector maskb(mask_bytes); 1247| 0| rng.randomize(maskb); 1248| | 1249| 0| std::array mask{}; 1250| 0| load_le(mask.data(), maskb.data(), mask_words); 1251| | 1252| | // Mask to exactly blinder_bits and set MSB and LSB 1253| 0| const size_t excess = mask_words * WordInfo::bits - blinder_bits; 1254| 0| if(excess > 0) { ------------------ | Branch (1254:16): [True: 0, False: 0] ------------------ 1255| 0| mask[mask_words - 1] &= (static_cast(1) << (WordInfo::bits - excess)) - 1; 1256| 0| } 1257| 0| const size_t msb_pos = (blinder_bits - 1) % WordInfo::bits; 1258| 0| mask[(blinder_bits - 1) / WordInfo::bits] |= static_cast(1) << msb_pos; 1259| 0| mask[0] |= 1; 1260| | 1261| 0| std::array mask_n{}; 1262| | 1263| 0| const auto sw = scalar.to_words(); 1264| | 1265| | // Compute masked scalar s + k*n 1266| 0| params.mul(mask_n, mask, params.order()); 1267| 0| bigint_add2(mask_n.data(), 2 * words, sw.data(), words); 1268| | 1269| 0| std::reverse(mask_n.begin(), mask_n.end()); 1270| 0| m_bytes = store_be>(mask_n); 1271| 0| m_bits = order_bits + blinder_bits; 1272| 315| } else { 1273| | // No RNG available, skip blinding 1274| 315| m_bytes = scalar.serialize>(); 1275| 315| m_bits = order_bits; 1276| 315| } 1277| | 1278| 315| m_windows = (m_bits + wb - 1) / wb; 1279| 315| } _ZNK5Botan6PCurve13GenericScalar5curveEv: 549| 315| const GenericPrimeOrderCurve* curve() const { return m_curve; } _ZNK5Botan6PCurve18GenericCurveParams5wordsEv: 144| 21.1M| size_t words() const { return m_words; } _ZN5Botan6PCurve13GenericScalar8from_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 573| 751| static StorageUnit from_rep(const GenericPrimeOrderCurve* curve, StorageUnit z) { 574| 751| std::array ze{}; 575| 751| copy_mem(std::span{ze}.template first(), z); 576| 751| return redc(curve, ze); 577| 751| } _ZN5Botan6PCurve13GenericScalar4redcEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm18EEE: 563| 1.18k| static StorageUnit redc(const GenericPrimeOrderCurve* curve, std::array z) { 564| 1.18k| const auto& mod = curve->_params().order(); 565| 1.18k| const size_t words = curve->_params().words(); 566| 1.18k| StorageUnit r{}; 567| 1.18k| StorageUnit ws{}; 568| 1.18k| bigint_monty_redc( 569| 1.18k| r.data(), z.data(), mod.data(), words, curve->_params().order_p_dash(), ws.data(), ws.size()); 570| 1.18k| return r; 571| 1.18k| } _ZNK5Botan6PCurve18GenericCurveParams12order_p_dashEv: 184| 1.18k| word order_p_dash() const { return m_order_p_dash; } _ZNK5Botan6PCurve18GenericCurveParams3mulERNSt3__15arrayImLm18EEERKNS3_ImLm9EEES8_: 200| 10.1M| void mul(std::array& z, const std::array& x, const std::array& y) const { 201| 10.1M| clear_mem(z); 202| | 203| 10.1M| if(m_words == 4) { ------------------ | Branch (203:13): [True: 4.61M, False: 5.54M] ------------------ 204| 4.61M| bigint_comba_mul4(z.data(), x.data(), y.data()); 205| 5.54M| } else if(m_words == 6) { ------------------ | Branch (205:20): [True: 0, False: 5.54M] ------------------ 206| 0| bigint_comba_mul6(z.data(), x.data(), y.data()); 207| 5.54M| } else if(m_words == 8) { ------------------ | Branch (207:20): [True: 0, False: 5.54M] ------------------ 208| 0| bigint_comba_mul8(z.data(), x.data(), y.data()); 209| 5.54M| } else if(m_words == 9) { ------------------ | Branch (209:20): [True: 2.18M, False: 3.35M] ------------------ 210| 2.18M| bigint_comba_mul9(z.data(), x.data(), y.data()); 211| 3.35M| } else { 212| 3.35M| bigint_mul(z.data(), z.size(), x.data(), m_words, m_words, y.data(), m_words, m_words, nullptr, 0); 213| 3.35M| } 214| 10.1M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_124GenericBlindedScalarBits4bitsEv: 1283| 315| size_t bits() const { return m_bits; } _ZN5Botan6PCurve22GenericProjectivePoint18conditional_assignENS_2CT6ChoiceERKS1_: 1114| 315| void conditional_assign(CT::Choice cond, const Self& pt) { 1115| 315| GenericField::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1116| 315| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField18conditional_assignERS2_S3_S3_NS_2CT6ChoiceERKS2_S7_S7_: 862| 706k| const GenericField& nz) { 863| 706k| const W mask = cond.into_bitmask(); 864| | 865| 7.06M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (865:28): [True: 6.36M, False: 706k] ------------------ 866| 6.36M| x.m_val[i] = choose(mask, nx.m_val[i], x.m_val[i]); 867| 6.36M| y.m_val[i] = choose(mask, ny.m_val[i], y.m_val[i]); 868| 6.36M| z.m_val[i] = choose(mask, nz.m_val[i], z.m_val[i]); 869| 6.36M| } 870| 706k| } _ZNK5Botan6PCurve22GenericProjectivePoint6negateEv: 1165| 315| Self negate() const { return Self(x(), y().negate(), z()); } _ZNK5Botan6PCurve22GenericProjectivePoint18_const_time_poisonEv: 1206| 315| void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField18_const_time_poisonEv: 813| 945| void _const_time_poison() const { CT::poison(m_val); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_124GenericBlindedScalarBits10get_windowEm: 1285| 12.3k| size_t get_window(size_t offset) const { 1286| 12.3k| if(m_window_bits == 1) { ------------------ | Branch (1286:13): [True: 0, False: 12.3k] ------------------ 1287| 0| return read_window_bits<1>(std::span{m_bytes}, offset); 1288| 12.3k| } else if(m_window_bits == 2) { ------------------ | Branch (1288:20): [True: 0, False: 12.3k] ------------------ 1289| 0| return read_window_bits<2>(std::span{m_bytes}, offset); 1290| 12.3k| } else if(m_window_bits == 3) { ------------------ | Branch (1290:20): [True: 0, False: 12.3k] ------------------ 1291| 0| return read_window_bits<3>(std::span{m_bytes}, offset); 1292| 12.3k| } else if(m_window_bits == 4) { ------------------ | Branch (1292:20): [True: 0, False: 12.3k] ------------------ 1293| 0| return read_window_bits<4>(std::span{m_bytes}, offset); 1294| 12.3k| } else if(m_window_bits == 5) { ------------------ | Branch (1294:20): [True: 0, False: 12.3k] ------------------ 1295| 0| return read_window_bits<5>(std::span{m_bytes}, offset); 1296| 12.3k| } else if(m_window_bits == 6) { ------------------ | Branch (1296:20): [True: 0, False: 12.3k] ------------------ 1297| 0| return read_window_bits<6>(std::span{m_bytes}, offset); 1298| 12.3k| } else if(m_window_bits == 7) { ------------------ | Branch (1298:20): [True: 12.3k, False: 0] ------------------ 1299| 12.3k| return read_window_bits<7>(std::span{m_bytes}, offset); 1300| 12.3k| } else { 1301| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 1302| 0| } 1303| 12.3k| } _ZN5Botan6PCurve22GenericProjectivePoint10add_or_subERKS1_RKNS0_18GenericAffinePointENS_2CT6ChoiceE: 1125| 12.0k| static Self add_or_sub(const Self& a, const GenericAffinePoint& b, CT::Choice sub) { 1126| 12.0k| return point_add_or_sub_mixed(a, b, sub, GenericField::one(a.curve())); 1127| 12.0k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField18conditional_assignENS_2CT6ChoiceERKS2_: 828| 12.0k| void conditional_assign(CT::Choice cond, const GenericField& nx) { 829| 12.0k| const W mask = cond.into_bitmask(); 830| | 831| 120k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (831:28): [True: 108k, False: 12.0k] ------------------ 832| 108k| m_val[i] = choose(mask, nx.m_val[i], m_val[i]); 833| 108k| } 834| 12.0k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_1miERKNS1_12GenericFieldES4_: 718| 3.53M| friend GenericField operator-(const GenericField& a, const GenericField& b) { return a + b.negate(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField7is_zeroEv: 787| 2.15M| CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_curve->_params().words()).as_choice(); } _ZNK5Botan6PCurve22GenericProjectivePoint3dblEv: 1151| 386k| Self dbl() const { 1152| 386k| if(curve()->_params().a_is_minus_3()) { ------------------ | Branch (1152:13): [True: 250k, False: 136k] ------------------ 1153| 250k| return dbl_a_minus_3(*this); 1154| 250k| } else if(curve()->_params().a_is_zero()) { ------------------ | Branch (1154:20): [True: 2.51k, False: 133k] ------------------ 1155| 2.51k| return dbl_a_zero(*this); 1156| 133k| } else { 1157| 133k| const auto A = GenericField::curve_a(curve()); 1158| 133k| return dbl_generic(*this, A); 1159| 133k| } 1160| 386k| } _ZNK5Botan6PCurve18GenericCurveParams12a_is_minus_3Ev: 194| 386k| bool a_is_minus_3() const { return m_a_is_minus_3; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul3Ev: 698| 386k| GenericField mul3() const { return mul2() + (*this); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul4Ev: 701| 386k| GenericField mul4() const { return mul2().mul2(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul2Ev: 688| 3.09M| GenericField mul2() const { 689| 3.09M| StorageUnit t = value(); 690| 3.09M| const W carry = shift_left<1>(t); 691| | 692| 3.09M| StorageUnit r; 693| 3.09M| bigint_monty_maybe_sub(r.data(), carry, t.data(), m_curve->_params().field().data()); 694| 3.09M| return GenericField(m_curve, r); 695| 3.09M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField5valueEv: 885| 27.5M| const StorageUnit& value() const { return m_val; } _ZNK5Botan6PCurve18GenericCurveParams5fieldEv: 158| 25.5M| const StorageUnit& field() const { return m_field; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul8Ev: 704| 386k| GenericField mul8() const { return mul2().mul2().mul2(); } _ZNK5Botan6PCurve18GenericCurveParams9a_is_zeroEv: 196| 136k| bool a_is_zero() const { return m_a_is_zero; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField7curve_aEPKNS0_22GenericPrimeOrderCurveE: 639| 134k| static GenericField curve_a(const GenericPrimeOrderCurve* curve) { 640| 134k| return GenericField(curve, curve->_params().monty_curve_a()); 641| 134k| } _ZNK5Botan6PCurve18GenericCurveParams13monty_curve_aEv: 186| 134k| const StorageUnit& monty_curve_a() const { return m_monty_curve_a; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField3oneEPKNS0_22GenericPrimeOrderCurveE: 635| 13.5k| static GenericField one(const GenericPrimeOrderCurve* curve) { 636| 13.5k| return GenericField(curve, curve->_params().field_monty_r1()); 637| 13.5k| } _ZNK5Botan6PCurve18GenericCurveParams14field_monty_r1Ev: 162| 13.5k| const StorageUnit& field_monty_r1() const { return m_field_monty_r1; } _ZNK5Botan6PCurve22GenericProjectivePoint5curveEv: 1204| 669k| const GenericPrimeOrderCurve* curve() const { return m_x.curve(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField5curveEv: 801| 686k| const GenericPrimeOrderCurve* curve() const { return m_curve; } _ZN5Botan6PCurve18GenericAffinePoint9ct_selectENSt3__14spanIKS1_Lm18446744073709551615EEEm: 963| 12.3k| static auto ct_select(std::span pts, size_t idx) { 964| 12.3k| BOTAN_ARG_CHECK(!pts.empty(), "Cannot select from an empty set"); ------------------ | | 35| 12.3k| do { \ | | 36| 12.3k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 12.3k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 12.3k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 12.3k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 12.3k] | | ------------------ ------------------ 965| 12.3k| auto result = GenericAffinePoint::identity(pts[0].curve()); 966| | 967| | // Intentionally wrapping; set to maximum size_t if idx == 0 968| 12.3k| const size_t idx1 = static_cast(idx - 1); 969| 408k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (969:28): [True: 395k, False: 12.3k] ------------------ 970| 395k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 971| 395k| result.conditional_assign(found, pts[i]); 972| 395k| } 973| | 974| 12.3k| return result; 975| 12.3k| } _ZN5Botan6PCurve18GenericAffinePoint8identityEPKNS0_22GenericPrimeOrderCurveE: 934| 12.3k| static GenericAffinePoint identity(const GenericPrimeOrderCurve* curve) { 935| 12.3k| return GenericAffinePoint(GenericField::zero(curve), GenericField::zero(curve)); 936| 12.3k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField4zeroEPKNS0_22GenericPrimeOrderCurveE: 630| 24.7k| static GenericField zero(const GenericPrimeOrderCurve* curve) { 631| 24.7k| const StorageUnit zeros{}; 632| 24.7k| return GenericField(curve, zeros); 633| 24.7k| } _ZNK5Botan6PCurve18GenericAffinePoint5curveEv: 1041| 13.1k| const GenericPrimeOrderCurve* curve() const { return m_x.curve(); } _ZN5Botan6PCurve18GenericAffinePoint18conditional_assignENS_2CT6ChoiceERKS1_: 1037| 395k| void conditional_assign(CT::Choice cond, const GenericAffinePoint& pt) { 1038| 395k| GenericField::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 1039| 395k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField18conditional_assignERS2_S3_NS_2CT6ChoiceERKS2_S7_: 842| 395k| GenericField& x, GenericField& y, CT::Choice cond, const GenericField& nx, const GenericField& ny) { 843| 395k| const W mask = cond.into_bitmask(); 844| | 845| 3.95M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (845:28): [True: 3.56M, False: 395k] ------------------ 846| 3.56M| x.m_val[i] = choose(mask, nx.m_val[i], x.m_val[i]); 847| 3.56M| y.m_val[i] = choose(mask, ny.m_val[i], y.m_val[i]); 848| 3.56M| } 849| 395k| } _ZN5Botan6PCurve22GenericProjectivePoint13randomize_repERNS_21RandomNumberGeneratorE: 1173| 1.26k| void randomize_rep(RandomNumberGenerator& rng) { 1174| | // In certain contexts we may be called with a Null_RNG; in that case the 1175| | // caller is accepting that randomization will not occur 1176| | 1177| 1.26k| if(rng.is_seeded()) { ------------------ | Branch (1177:13): [True: 0, False: 1.26k] ------------------ 1178| 0| auto r = GenericField::random(curve(), rng); 1179| | 1180| 0| auto r2 = r.square(); 1181| 0| auto r3 = r2 * r; 1182| | 1183| 0| m_x *= r2; 1184| 0| m_y *= r3; 1185| 0| m_z *= r; 1186| 0| } 1187| 1.26k| } _ZNK5Botan6PCurve18GenericCurveParams10field_bitsEv: 150| 771| size_t field_bits() const { return m_field_bits; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericFieldmLERKS2_: 728| 42.9k| GenericField& operator*=(const GenericField& other) { 729| 42.9k| const auto* curve = check_curve(*this, other); 730| | 731| 42.9k| std::array z; // NOLINT(*-member-init) 732| 42.9k| curve->_params().mul(z, value(), other.value()); 733| 42.9k| m_val = redc(curve, z); 734| 42.9k| return (*this); 735| 42.9k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField11check_curveERKS2_S4_: 889| 14.8M| static const GenericPrimeOrderCurve* check_curve(const GenericField& a, const GenericField& b) { 890| 14.8M| BOTAN_STATE_CHECK(a.m_curve == b.m_curve); ------------------ | | 51| 14.8M| do { \ | | 52| 14.8M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 14.8M| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 14.8M] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 14.8M| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 14.8M] | | ------------------ ------------------ 891| 14.8M| return a.m_curve; 892| 14.8M| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField4redcEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm18EEE: 894| 14.2M| static StorageUnit redc(const GenericPrimeOrderCurve* curve, std::array z) { 895| 14.2M| const auto& mod = curve->_params().field(); 896| 14.2M| const size_t words = curve->_params().words(); 897| 14.2M| StorageUnit r{}; 898| 14.2M| StorageUnit ws{}; 899| 14.2M| bigint_monty_redc( 900| 14.2M| r.data(), z.data(), mod.data(), words, curve->_params().field_p_dash(), ws.data(), ws.size()); 901| 14.2M| return r; 902| 14.2M| } _ZNK5Botan6PCurve18GenericCurveParams12field_p_dashEv: 170| 14.2M| word field_p_dash() const { return m_field_p_dash; } _ZNK5Botan6PCurve22GenericProjectivePoint20_const_time_unpoisonEv: 1208| 315| void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField20_const_time_unpoisonEv: 815| 945| void _const_time_unpoison() const { CT::unpoison(m_val); } _ZNK5Botan6PCurve22GenericProjectivePoint11is_identityEv: 1112| 1.42M| CT::Choice is_identity() const { return z().is_zero(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField6invertEv: 759| 771| GenericField invert() const { return pow_vartime(m_curve->_params().field_minus_2()); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField11pow_vartimeERKNSt3__15arrayImLm9EEE: 743| 771| GenericField pow_vartime(const StorageUnit& exp) const { 744| 771| auto one = GenericField::one(curve()); 745| 771| auto bits = curve()->_params().field_bits(); 746| 771| auto words = curve()->_params().words(); 747| 771| return impl_pow_vartime(*this, one, bits, std::span{exp}.last(words)); 748| 771| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_116impl_pow_vartimeINS1_12GenericFieldEEET_RKS4_S6_mNSt3__14spanIKmLm18446744073709551615EEE: 56| 771|T impl_pow_vartime(const T& elem, const T& one, size_t bits, std::span exp) { 57| 771| constexpr size_t WindowBits = 4; 58| 771| constexpr size_t WindowElements = (1 << WindowBits) - 1; 59| | 60| 771| const size_t Windows = (bits + WindowBits - 1) / WindowBits; 61| | 62| 771| std::vector tbl; 63| 771| tbl.reserve(WindowElements); 64| | 65| 771| tbl.push_back(elem); 66| | 67| 11.5k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (67:22): [True: 10.7k, False: 771] ------------------ 68| 10.7k| if(i % 2 == 1) { ------------------ | Branch (68:10): [True: 5.39k, False: 5.39k] ------------------ 69| 5.39k| tbl.push_back(tbl[i / 2].square()); 70| 5.39k| } else { 71| 5.39k| tbl.push_back(tbl[i - 1] * tbl[0]); 72| 5.39k| } 73| 10.7k| } 74| | 75| 771| auto r = one; 76| | 77| 771| const size_t w0 = read_window_bits(exp, (Windows - 1) * WindowBits); 78| | 79| 771| if(w0 > 0) { ------------------ | Branch (79:7): [True: 771, False: 0] ------------------ 80| 771| r = tbl[w0 - 1]; 81| 771| } 82| | 83| 48.4k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (83:22): [True: 47.6k, False: 771] ------------------ 84| 238k| for(size_t j = 0; j != WindowBits; ++j) { ------------------ | Branch (84:25): [True: 190k, False: 47.6k] ------------------ 85| 190k| r = r.square(); 86| 190k| } 87| 47.6k| const size_t w = read_window_bits(exp, (Windows - i - 1) * WindowBits); 88| | 89| 47.6k| if(w > 0) { ------------------ | Branch (89:10): [True: 42.9k, False: 4.68k] ------------------ 90| 42.9k| r *= tbl[w - 1]; 91| 42.9k| } 92| 47.6k| } 93| | 94| 771| return r; 95| 771|} _ZNK5Botan6PCurve18GenericCurveParams13field_minus_2Ev: 160| 771| const StorageUnit& field_minus_2() const { return m_field_minus_2; } _ZN5Botan6PCurveplERKNS0_22GenericProjectivePointES3_: 1096| 341k| friend Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } _ZN5Botan6PCurve22GenericProjectivePoint3addERKS1_S3_: 1132| 341k| static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_generic.cpp:_ZNK5Botan6PCurve22GenericProjectivePoint1zEv: 1202| 6.42M| const GenericField& z() const { return m_z; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField6squareEv: 737| 4.14M| GenericField square() const { 738| 4.14M| std::array z; // NOLINT(*-member-init) 739| 4.14M| m_curve->_params().sqr(z, value()); 740| 4.14M| return GenericField(m_curve, redc(m_curve, z)); 741| 4.14M| } _ZNK5Botan6PCurve18GenericCurveParams3sqrERNSt3__15arrayImLm18EEERKNS3_ImLm9EEE: 216| 4.14M| void sqr(std::array& z, const std::array& x) const { 217| 4.14M| clear_mem(z); 218| | 219| 4.14M| if(m_words == 4) { ------------------ | Branch (219:13): [True: 1.87M, False: 2.26M] ------------------ 220| 1.87M| bigint_comba_sqr4(z.data(), x.data()); 221| 2.26M| } else if(m_words == 6) { ------------------ | Branch (221:20): [True: 0, False: 2.26M] ------------------ 222| 0| bigint_comba_sqr6(z.data(), x.data()); 223| 2.26M| } else if(m_words == 8) { ------------------ | Branch (223:20): [True: 0, False: 2.26M] ------------------ 224| 0| bigint_comba_sqr8(z.data(), x.data()); 225| 2.26M| } else if(m_words == 9) { ------------------ | Branch (225:20): [True: 818k, False: 1.44M] ------------------ 226| 818k| bigint_comba_sqr9(z.data(), x.data()); 227| 1.44M| } else { 228| 1.44M| bigint_sqr(z.data(), z.size(), x.data(), m_words, m_words, nullptr, 0); 229| 1.44M| } 230| 4.14M| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField11deserializeEPKNS0_22GenericPrimeOrderCurveENSt3__14spanIKhLm18446744073709551615EEE: 605| 228| std::span bytes) { 606| 228| const size_t len = curve->_params().field_bytes(); 607| | 608| 228| if(bytes.size() != len) { ------------------ | Branch (608:13): [True: 0, False: 228] ------------------ 609| 0| return {}; 610| 0| } 611| | 612| 228| const auto words = bytes_to_words(bytes); 613| | 614| 228| if(words) { ------------------ | Branch (614:13): [True: 228, False: 0] ------------------ 615| 228| if(!bigint_ct_is_lt(words->data(), N, curve->_params().field().data(), N).as_bool()) { ------------------ | Branch (615:16): [True: 22, False: 206] ------------------ 616| 22| return {}; 617| 22| } 618| | 619| | // Safe because we checked above that words is an integer < P 620| 206| return GenericField::from_words(curve, *words); 621| 228| } else { 622| 0| return {}; 623| 0| } 624| 228| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_114bytes_to_wordsILm9EEENSt3__18optionalINS3_5arrayImXT_EEEEENS3_4spanIKhLm18446744073709551615EEE: 28| 669|constexpr std::optional> bytes_to_words(std::span bytes) { 29| 669| if(bytes.size() > WordInfo::bytes * N) { ------------------ | Branch (29:7): [True: 0, False: 669] ------------------ 30| 0| return std::nullopt; 31| 0| } 32| | 33| 669| std::array r{}; 34| | 35| 669| const size_t full_words = bytes.size() / WordInfo::bytes; 36| 669| const size_t extra_bytes = bytes.size() % WordInfo::bytes; 37| | 38| 3.43k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (38:22): [True: 2.76k, False: 669] ------------------ 39| 2.76k| r[i] = load_be(bytes.data(), full_words - 1 - i); 40| 2.76k| } 41| | 42| 669| if(extra_bytes > 0) { ------------------ | Branch (42:7): [True: 531, False: 138] ------------------ 43| 531| const size_t shift = extra_bytes * 8; 44| 531| bigint_shl1(r.data(), r.size(), r.size(), shift); 45| | 46| 2.66k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (46:25): [True: 2.13k, False: 531] ------------------ 47| 2.13k| const word b0 = bytes[WordInfo::bytes * full_words + i]; 48| 2.13k| r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 49| 2.13k| } 50| 531| } 51| | 52| 669| return r; 53| 669|} pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_1mlERKNS1_12GenericFieldES4_: 720| 10.1M| friend GenericField operator*(const GenericField& a, const GenericField& b) { 721| 10.1M| const auto* curve = check_curve(a, b); 722| | 723| 10.1M| std::array z; // NOLINT(*-member-init) 724| 10.1M| curve->_params().mul(z, a.value(), b.value()); 725| 10.1M| return GenericField(curve, redc(curve, z)); 726| 10.1M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericFieldeqERKS2_: 791| 409| CT::Choice operator==(const GenericField& other) const { 792| 409| if(this->m_curve != other.m_curve) { ------------------ | Branch (792:13): [True: 0, False: 409] ------------------ 793| 0| return CT::Choice::no(); 794| 0| } 795| | 796| 409| return CT::is_equal(m_val.data(), other.m_val.data(), m_curve->_params().words()).as_choice(); 797| 409| } pcurves_generic.cpp:_ZNK5Botan6PCurve22GenericProjectivePoint1xEv: 1192| 3.15M| const GenericField& x() const { return m_x; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField10from_wordsEPKNS0_22GenericPrimeOrderCurveERKNSt3__15arrayImLm9EEE: 626| 206| static GenericField from_words(const GenericPrimeOrderCurve* curve, const std::array& words) { 627| 206| return GenericField(curve, to_rep(curve, words)); 628| 206| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField6to_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 910| 206| static StorageUnit to_rep(const GenericPrimeOrderCurve* curve, StorageUnit x) { 911| 206| std::array z{}; 912| 206| curve->_params().mul(z, x, curve->_params().field_monty_r2()); 913| 206| return redc(curve, z); 914| 206| } _ZNK5Botan6PCurve18GenericCurveParams14field_monty_r2Ev: 164| 206| const StorageUnit& field_monty_r2() const { return m_field_monty_r2; } _ZNK5Botan6PCurve18GenericCurveParams5orderEv: 172| 1.62k| const StorageUnit& order() const { return m_order; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField6negateEv: 750| 3.54M| GenericField negate() const { 751| 3.54M| auto x_is_zero = CT::all_zeros(this->data(), N); 752| | 753| 3.54M| StorageUnit r; 754| 3.54M| bigint_sub3(r.data(), m_curve->_params().field().data(), N, this->data(), N); 755| 3.54M| x_is_zero.if_set_zero_out(r.data(), N); 756| 3.54M| return GenericField(m_curve, r); 757| 3.54M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4dataEv: 887| 16.3M| const W* data() const { return m_val.data(); } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField8from_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 904| 632| static StorageUnit from_rep(const GenericPrimeOrderCurve* curve, StorageUnit z) { 905| 632| std::array ze{}; 906| 632| copy_mem(std::span{ze}.template first(), z); 907| 632| return redc(curve, ze); 908| 632| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_1plERKNS1_12GenericFieldES4_: 706| 4.65M| friend GenericField operator+(const GenericField& a, const GenericField& b) { 707| 4.65M| const auto* curve = check_curve(a, b); 708| 4.65M| const size_t words = curve->_params().words(); 709| | 710| 4.65M| StorageUnit t{}; 711| 4.65M| const W carry = bigint_add3(t.data(), a.data(), words, b.data(), words); 712| | 713| 4.65M| StorageUnit r{}; 714| 4.65M| bigint_monty_maybe_sub(words, r.data(), carry, t.data(), curve->_params().field().data()); 715| 4.65M| return GenericField(curve, r); 716| 4.65M| } _ZNK5Botan6PCurve18GenericCurveParams6base_xEv: 190| 456| const StorageUnit& base_x() const { return m_base_x; } _ZNK5Botan6PCurve18GenericCurveParams6base_yEv: 192| 456| const StorageUnit& base_y() const { return m_base_y; } pcurves_generic.cpp:_ZNK5Botan6PCurve18GenericAffinePoint1yEv: 1032| 423k| const GenericField& y() const { return m_y; } pcurves_generic.cpp:_ZN5Botan6PCurve18GenericAffinePoint7x3_ax_bERKNS0_12_GLOBAL__N_112GenericFieldE: 980| 409| static GenericField x3_ax_b(const GenericField& x) { 981| 409| return (x.square() + GenericField::curve_a(x.curve())) * x + GenericField::curve_b(x.curve()); 982| 409| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField7curve_bEPKNS0_22GenericPrimeOrderCurveE: 643| 409| static GenericField curve_b(const GenericPrimeOrderCurve* curve) { 644| 409| return GenericField(curve, curve->_params().monty_curve_b()); 645| 409| } _ZNK5Botan6PCurve18GenericCurveParams13monty_curve_bEv: 188| 409| const StorageUnit& monty_curve_b() const { return m_monty_curve_b; } pcurves_generic.cpp:_ZNK5Botan6PCurve18GenericAffinePoint1xEv: 1027| 435k| const GenericField& x() const { return m_x; } _ZNK5Botan6PCurve18GenericAffinePoint11is_identityEv: 940| 13.7k| CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } _ZN5Botan6PCurve22GenericProjectivePoint11from_affineERKNS0_18GenericAffinePointE: 1061| 771| static Self from_affine(const GenericAffinePoint& pt) { 1062| 771| auto x = pt.x(); 1063| 771| auto y = pt.y(); 1064| 771| auto z = GenericField::one(x.curve()); 1065| | 1066| | // If pt is identity (0,0) swap y/z to convert (0,0,1) into (0,1,0) 1067| 771| GenericField::conditional_swap(pt.is_identity(), y, z); 1068| 771| return GenericProjectivePoint(x, y, z); 1069| 771| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField16conditional_swapENS_2CT6ChoiceERS2_S5_: 817| 771| static void conditional_swap(CT::Choice cond, GenericField& x, GenericField& y) { 818| 771| const W mask = cond.into_bitmask(); 819| | 820| 7.71k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (820:28): [True: 6.93k, False: 771] ------------------ 821| 6.93k| auto nx = choose(mask, y.m_val[i], x.m_val[i]); 822| 6.93k| auto ny = choose(mask, x.m_val[i], y.m_val[i]); 823| 6.93k| x.m_val[i] = nx; 824| 6.93k| y.m_val[i] = ny; 825| 6.93k| } 826| 771| } _ZNK5Botan6PCurve18GenericAffinePoint12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 947| 316| void serialize_to(std::span bytes) const { 948| 316| const size_t fe_bytes = curve()->_params().field_bytes(); 949| 316| BOTAN_ARG_CHECK(bytes.size() == 1 + 2 * fe_bytes, "Buffer size incorrect"); ------------------ | | 35| 316| do { \ | | 36| 316| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 316| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 316] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 316| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 316] | | ------------------ ------------------ 950| 316| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 316| do { \ | | 52| 316| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 316| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 316] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 316| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 316] | | ------------------ ------------------ 951| 316| BufferStuffer pack(bytes); 952| 316| pack.append(0x04); 953| 316| x().serialize_to(pack.next(fe_bytes)); 954| 316| y().serialize_to(pack.next(fe_bytes)); 955| 316| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 316| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 316| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 316] | | ------------------ ------------------ 956| 316| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 774| 632| void serialize_to(std::span bytes) const { 775| 632| auto v = from_rep(m_curve, m_val); 776| 632| std::reverse(v.begin(), v.end()); 777| | 778| 632| const size_t flen = m_curve->_params().field_bytes(); 779| 632| BOTAN_ARG_CHECK(bytes.size() == flen, "Expected output span provided"); ------------------ | | 35| 632| do { \ | | 36| 632| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 632| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 632] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 632| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 632] | | ------------------ ------------------ 780| | 781| | // Remove leading zero bytes 782| 632| const auto padded_bytes = store_be(v); 783| 632| const size_t extra = N * WordInfo::bytes - flen; 784| 632| copy_mem(bytes, std::span{padded_bytes}.subspan(extra, flen)); 785| 632| } _ZNK5Botan6PCurve13GenericScalar12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 517| 751| void serialize_to(std::span bytes) const { 518| 751| auto v = from_rep(m_curve, m_val); 519| 751| std::reverse(v.begin(), v.end()); 520| | 521| 751| const size_t flen = m_curve->_params().order_bytes(); 522| 751| BOTAN_ARG_CHECK(bytes.size() == flen, "Expected output span provided"); ------------------ | | 35| 751| do { \ | | 36| 751| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 751| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 751] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 751| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 751] | | ------------------ ------------------ 523| | 524| | // Remove leading zero bytes 525| 751| const auto padded_bytes = store_be(v); 526| 751| const size_t extra = N * WordInfo::bytes - flen; 527| 751| copy_mem(bytes, std::span{padded_bytes}.subspan(extra, flen)); 528| 751| } _ZN5Botan6PCurve13GenericScalar11deserializeEPKNS0_22GenericPrimeOrderCurveENSt3__14spanIKhLm18446744073709551615EEE: 312| 441| std::span bytes) { 313| 441| const size_t len = curve->_params().order_bytes(); 314| | 315| 441| if(bytes.size() != len) { ------------------ | Branch (315:13): [True: 0, False: 441] ------------------ 316| 0| return {}; 317| 0| } 318| | 319| 441| const auto words = bytes_to_words(bytes); 320| | 321| 441| if(words) { ------------------ | Branch (321:13): [True: 441, False: 0] ------------------ 322| 441| if(!bigint_ct_is_lt(words->data(), N, curve->_params().order().data(), N).as_bool()) { ------------------ | Branch (322:16): [True: 4, False: 437] ------------------ 323| 4| return {}; 324| 4| } 325| | 326| | // Safe because we checked above that words is an integer < P 327| 437| return GenericScalar(curve, to_rep(curve, *words)); 328| 441| } else { 329| 0| return {}; 330| 0| } 331| 441| } _ZN5Botan6PCurve13GenericScalar6to_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 579| 437| static StorageUnit to_rep(const GenericPrimeOrderCurve* curve, StorageUnit x) { 580| 437| std::array z; // NOLINT(*-member-init) 581| 437| curve->_params().mul(z, x, curve->_params().order_monty_r2()); 582| 437| return redc(curve, z); 583| 437| } _ZNK5Botan6PCurve18GenericCurveParams14order_monty_r2Ev: 178| 437| const StorageUnit& order_monty_r2() const { return m_order_monty_r2; } _ZNK5Botan6PCurve13GenericScalar10is_nonzeroEv: 532| 437| CT::Choice is_nonzero() const { return !is_zero(); } _ZN5Botan6PCurve18GenericAffinePoint11deserializeEPKNS0_22GenericPrimeOrderCurveENSt3__14spanIKhLm18446744073709551615EEE: 990| 121| std::span bytes) { 991| 121| const size_t fe_bytes = curve->_params().field_bytes(); 992| | 993| 121| if(bytes.size() == 1 + 2 * fe_bytes && bytes[0] == 0x04) { ------------------ | Branch (993:13): [True: 120, False: 1] | Branch (993:49): [True: 114, False: 6] ------------------ 994| 114| auto x = GenericField::deserialize(curve, bytes.subspan(1, fe_bytes)); 995| 114| auto y = GenericField::deserialize(curve, bytes.subspan(1 + fe_bytes, fe_bytes)); 996| | 997| 114| if(x && y) { ------------------ | Branch (997:16): [True: 109, False: 5] | Branch (997:21): [True: 94, False: 15] ------------------ 998| 94| const auto lhs = (*y).square(); 999| 94| const auto rhs = GenericAffinePoint::x3_ax_b(*x); 1000| 94| if((lhs == rhs).as_bool()) { ------------------ | Branch (1000:19): [True: 1, False: 93] ------------------ 1001| 1| return GenericAffinePoint(*x, *y); 1002| 1| } 1003| 94| } 1004| 114| } else if(bytes.size() == 1 + fe_bytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (1004:20): [True: 0, False: 7] | Branch (1004:53): [True: 0, False: 0] | Branch (1004:73): [True: 0, False: 0] ------------------ 1005| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 1006| | 1007| 0| if(auto x = GenericField::deserialize(curve, bytes.subspan(1, fe_bytes))) { ------------------ | Branch (1007:21): [True: 0, False: 0] ------------------ 1008| 0| auto [y, is_square] = x3_ax_b(*x).sqrt(); 1009| | 1010| 0| if(is_square.as_bool()) { ------------------ | Branch (1010:19): [True: 0, False: 0] ------------------ 1011| 0| const auto flip_y = y_is_even != y.is_even(); 1012| 0| y.conditional_assign(flip_y, y.negate()); 1013| 0| return GenericAffinePoint(*x, y); 1014| 0| } 1015| 0| } 1016| 7| } else if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (1016:20): [True: 0, False: 7] | Branch (1016:41): [True: 0, False: 0] ------------------ 1017| | // See SEC1 section 2.3.4 1018| 0| return GenericAffinePoint::identity(curve); 1019| 0| } 1020| | 1021| 120| return {}; 1022| 121| } _ZNK5Botan6PCurve13GenericScalar7is_zeroEv: 530| 873| CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_curve->_params().words()).as_choice(); } _ZNK5Botan6PCurve13GenericScalar11stash_valueEv: 547| 436| const StorageUnit& stash_value() const { return m_val; } _ZN5Botan6PCurve13GenericScalarC2EPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 551| 1.62k| GenericScalar(const GenericPrimeOrderCurve* curve, StorageUnit val) : m_curve(curve), m_val(val) {} pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField11stash_valueEv: 799| 1.57k| const StorageUnit& stash_value() const { return m_val; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericFieldC2EPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 882| 25.7M| GenericField(const GenericPrimeOrderCurve* curve, StorageUnit val) : m_curve(curve), m_val(val) {} pcurves_generic.cpp:_ZN5Botan6PCurve18GenericAffinePointC2ERKNS0_12_GLOBAL__N_112GenericFieldES5_: 929| 741k| GenericAffinePoint(const GenericField& x, const GenericField& y) : m_x(x), m_y(y) {} pcurves_generic.cpp:_ZNK5Botan6PCurve22GenericProjectivePoint1yEv: 1197| 2.90M| const GenericField& y() const { return m_y; } pcurves_generic.cpp:_ZN5Botan6PCurve22GenericProjectivePointC2ERKNS0_12_GLOBAL__N_112GenericFieldES5_S5_: 1094| 741k| m_x(x), m_y(y), m_z(z) {} _ZNK5Botan6PCurve13GenericScalar9serializeITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS4_9allocatorIhEEEEEET_v: 511| 315| T serialize() const { 512| 315| T bytes(m_curve->_params().order_bytes()); 513| 315| this->serialize_to(bytes); 514| 315| return bytes; 515| 315| } _ZN5Botan6PCurve18GenericCurveParamsC2ERKNS_6BigIntES4_S4_S4_S4_S4_: 110| 456| m_words(p.sig_words()), 111| 456| m_order_bits(order.bits()), 112| 456| m_order_bytes(order.bytes()), 113| 456| m_field_bits(p.bits()), 114| 456| m_field_bytes(p.bytes()), 115| 456| m_monty_order(order), 116| 456| m_monty_field(p), 117| 456| m_field(bn_to_fixed(p)), 118| 456| m_field_minus_2(bn_to_fixed_rev(p - 2)), 119| 456| m_field_monty_r1(bn_to_fixed(m_monty_field.R1())), 120| 456| m_field_monty_r2(bn_to_fixed(m_monty_field.R2())), 121| 456| m_field_p_plus_1_over_4(bn_to_fixed_rev((p + 1) / 4)), 122| 456| m_field_inv_2(bn_to_fixed((p / 2) + 1)), 123| 456| m_field_p_dash(m_monty_field.p_dash()), 124| | 125| 456| m_order(bn_to_fixed(order)), 126| 456| m_order_minus_2(bn_to_fixed_rev(order - 2)), 127| 456| m_order_monty_r1(bn_to_fixed(m_monty_order.R1())), 128| 456| m_order_monty_r2(bn_to_fixed(m_monty_order.R2())), 129| 456| m_order_monty_r3(bn_to_fixed(m_monty_order.R3())), 130| 456| m_order_inv_2(bn_to_fixed((order / 2) + 1)), 131| 456| m_order_p_dash(m_monty_order.p_dash()), 132| | 133| 456| m_a_is_minus_3(a + 3 == p), 134| 456| m_a_is_zero(a.is_zero()), 135| 456| m_order_is_lt_field(order < p) { 136| 456| secure_vector ws; 137| 456| m_monty_curve_a = bn_to_fixed(m_monty_field.mul(a, m_monty_field.R2(), ws)); 138| 456| m_monty_curve_b = bn_to_fixed(m_monty_field.mul(b, m_monty_field.R2(), ws)); 139| | 140| 456| m_base_x = bn_to_fixed(m_monty_field.mul(base_x, m_monty_field.R2(), ws)); 141| 456| m_base_y = bn_to_fixed(m_monty_field.mul(base_y, m_monty_field.R2(), ws)); 142| 456| } _ZN5Botan6PCurve18GenericCurveParams11bn_to_fixedERKNS_6BigIntE: 233| 7.29k| static std::array bn_to_fixed(const BigInt& n) { 234| 7.29k| const size_t n_words = n.sig_words(); 235| 7.29k| BOTAN_ASSERT_NOMSG(n_words <= PrimeOrderCurve::StorageWords); ------------------ | | 77| 7.29k| do { \ | | 78| 7.29k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 7.29k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 7.29k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 7.29k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 7.29k] | | ------------------ ------------------ 236| | 237| 7.29k| std::array r{}; 238| 7.29k| copy_mem(std::span{r}.first(n_words), n._as_span().first(n_words)); 239| 7.29k| return r; 240| 7.29k| } _ZN5Botan6PCurve18GenericCurveParams15bn_to_fixed_revERKNS_6BigIntE: 242| 1.36k| static std::array bn_to_fixed_rev(const BigInt& n) { 243| 1.36k| auto v = bn_to_fixed(n); 244| 1.36k| std::reverse(v.begin(), v.end()); 245| 1.36k| return v; 246| 1.36k| } _ZN5Botan6PCurve19GenericBaseMulTableC2ERKNS0_18GenericAffinePointE: 1338| 456| m_table(basemul_booth_setup(pt, blinded_scalar_bits(*pt.curve()) + 1)) {} pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField14invert_vartimeEv: 761| 456| GenericField invert_vartime() const { 762| | // TODO take advantage of variable time here using eg BEEA 763| | // see IntMod::invert_vartime in pcurves_impl.h 764| 456| return invert(); 765| 456| } _ZN5Botan6PCurve19GenericBaseMulTable19blinded_scalar_bitsERKNS0_22GenericPrimeOrderCurveE: 1347| 456| static size_t blinded_scalar_bits(const GenericPrimeOrderCurve& curve) { 1348| 456| const size_t order_bits = curve.order_bits(); 1349| 456| return order_bits + scalar_blinding_bits(order_bits); 1350| 456| } _ZN5Botan6PCurve14PCurveInstance9secp192r1Ev: 180| 203|std::shared_ptr PCurveInstance::secp192r1() { 181| 203| return PrimeOrderCurveImpl::instance(); 182| 203|} pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 93| 6.43k| constexpr static std::array one() { return std::array{1}; } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm6EEE: 25| 131k| constexpr static std::array redc(const std::array& z) { 26| 131k| if constexpr(std::same_as && WordInfo::dword_is_native) { 27| 131k| using dword = typename WordInfo::dword; 28| | 29| 131k| const dword S01 = dword(z[0]) + z[3] + z[5]; 30| 131k| const dword S23 = dword(z[1]) + z[3] + z[4] + z[5]; 31| 131k| const dword S45 = dword(z[2]) + z[4] + z[5]; 32| | 33| 131k| std::array r = {}; 34| | 35| 131k| dword S = S01; 36| 131k| r[0] = static_cast(S); 37| 131k| S >>= 64; 38| | 39| 131k| S += S23; 40| 131k| r[1] = static_cast(S); 41| 131k| S >>= 64; 42| | 43| 131k| S += S45; 44| 131k| r[2] = static_cast(S); 45| 131k| S >>= 64; 46| | 47| 131k| BOTAN_DEBUG_ASSERT(S <= 3); ------------------ | | 130| 131k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 131k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 131k] | | ------------------ ------------------ 48| | 49| 131k| solinas_correct_redc(r, P, p192_mul_mod_192(static_cast(S))); 50| | 51| 131k| return r; 52| 131k| } 53| | 54| 0| const int64_t X00 = get_uint32(z.data(), 0); 55| 131k| const int64_t X01 = get_uint32(z.data(), 1); 56| 131k| const int64_t X02 = get_uint32(z.data(), 2); 57| 131k| const int64_t X03 = get_uint32(z.data(), 3); 58| 131k| const int64_t X04 = get_uint32(z.data(), 4); 59| 131k| const int64_t X05 = get_uint32(z.data(), 5); 60| 131k| const int64_t X06 = get_uint32(z.data(), 6); 61| 131k| const int64_t X07 = get_uint32(z.data(), 7); 62| 131k| const int64_t X08 = get_uint32(z.data(), 8); 63| 131k| const int64_t X09 = get_uint32(z.data(), 9); 64| 131k| const int64_t X10 = get_uint32(z.data(), 10); 65| 131k| const int64_t X11 = get_uint32(z.data(), 11); 66| | 67| 131k| const int64_t S0 = X00 + X06 + X10; 68| 131k| const int64_t S1 = X01 + X07 + X11; 69| 131k| const int64_t S2 = X02 + X06 + X08 + X10; 70| 131k| const int64_t S3 = X03 + X07 + X09 + X11; 71| 131k| const int64_t S4 = X04 + X08 + X10; 72| 131k| const int64_t S5 = X05 + X09 + X11; 73| | 74| 131k| std::array r = {}; 75| | 76| 131k| SolinasAccum sum(r); 77| | 78| 131k| sum.accum(S0); 79| 131k| sum.accum(S1); 80| 131k| sum.accum(S2); 81| 131k| sum.accum(S3); 82| 131k| sum.accum(S4); 83| 131k| sum.accum(S5); 84| 131k| const auto S = sum.final_carry(0); 85| | 86| 131k| BOTAN_DEBUG_ASSERT(S <= 3); ------------------ | | 130| 131k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 131k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 131k] | | ------------------ ------------------ 87| | 88| 131k| solinas_correct_redc(r, P, p192_mul_mod_192(S)); 89| | 90| 131k| return r; 91| 131k| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE16p192_mul_mod_192Em: 105| 131k| constexpr static std::array p192_mul_mod_192(W i) { 106| 131k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 107| | 108| | // For small i, multiples of P-192 have a simple structure so it's faster to 109| | // compute the value directly vs a (constant time) table lookup 110| | 111| 131k| auto r = P; 112| | 113| | if constexpr(WordInfo::bits == 32) { 114| | r[2] -= i; 115| | r[0] -= i; 116| 131k| } else { 117| 131k| r[1] -= i; 118| 131k| r[0] -= i; 119| 131k| } 120| 131k| return r; 121| 131k| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r15Curve10fe_invert2ERKNS_6IntModINS2_12Secp192r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 140| 195| static constexpr FieldElement fe_invert2(const FieldElement& x) { 141| | // Generated using https://github.com/mmcloughlin/addchain 142| 195| auto z = x.square(); 143| 195| z *= x; 144| 195| auto t0 = z.square(); 145| 195| t0 *= x; 146| 195| auto t2 = t0.square(); 147| 195| auto t1 = t2.square(); 148| 195| auto t3 = t1; 149| 195| t3.square_n(3); 150| 195| t1 *= t3; 151| 195| t3 = t1; 152| 195| t3.square_n(2); 153| 195| t2 *= t3; 154| 195| t2.square_n(7); 155| 195| t1 *= t2; 156| 195| t2 = t1; 157| 195| t2.square_n(15); 158| 195| t1 *= t2; 159| 195| t2 = t1; 160| 195| t2.square_n(30); 161| 195| t1 *= t2; 162| 195| z *= t1; 163| 195| t1 = z; 164| 195| t1.square_n(3); 165| 195| t2 = t1; 166| 195| t2.square_n(62); 167| 195| t1 *= t2; 168| 195| t0 *= t1; 169| 195| t0.square_n(63); 170| 195| z *= t0; 171| 195| z.square_n(2); 172| 195| return z; 173| 195| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm3EEE: 99| 391| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm3EEE: 95| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp224r1Ev: 223| 215|std::shared_ptr PCurveInstance::secp224r1() { 224| 215| return PrimeOrderCurveImpl::instance(); 225| 215|} pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 69| 4.97k| constexpr static std::array one() { return std::array{1}; } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 25| 110k| constexpr static std::array redc(const std::array& z) { 26| 110k| const int64_t X00 = get_uint32(z.data(), 0); 27| 110k| const int64_t X01 = get_uint32(z.data(), 1); 28| 110k| const int64_t X02 = get_uint32(z.data(), 2); 29| 110k| const int64_t X03 = get_uint32(z.data(), 3); 30| 110k| const int64_t X04 = get_uint32(z.data(), 4); 31| 110k| const int64_t X05 = get_uint32(z.data(), 5); 32| 110k| const int64_t X06 = get_uint32(z.data(), 6); 33| 110k| const int64_t X07 = get_uint32(z.data(), 7); 34| 110k| const int64_t X08 = get_uint32(z.data(), 8); 35| 110k| const int64_t X09 = get_uint32(z.data(), 9); 36| 110k| const int64_t X10 = get_uint32(z.data(), 10); 37| 110k| const int64_t X11 = get_uint32(z.data(), 11); 38| 110k| const int64_t X12 = get_uint32(z.data(), 12); 39| 110k| const int64_t X13 = get_uint32(z.data(), 13); 40| | 41| 110k| const int64_t S0 = 0x00000001 + X00 - X07 - X11; 42| 110k| const int64_t S1 = 0x00000000 + X01 - X08 - X12; 43| 110k| const int64_t S2 = 0x00000000 + X02 - X09 - X13; 44| 110k| const int64_t S3 = 0xFFFFFFFF + X03 + X07 + X11 - X10; 45| 110k| const int64_t S4 = 0xFFFFFFFF + X04 + X08 + X12 - X11; 46| 110k| const int64_t S5 = 0xFFFFFFFF + X05 + X09 + X13 - X12; 47| 110k| const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13; 48| | 49| 110k| std::array r = {}; 50| | 51| 110k| SolinasAccum sum(r); 52| | 53| 110k| sum.accum(S0); 54| 110k| sum.accum(S1); 55| 110k| sum.accum(S2); 56| 110k| sum.accum(S3); 57| 110k| sum.accum(S4); 58| 110k| sum.accum(S5); 59| 110k| sum.accum(S6); 60| 110k| const auto S = sum.final_carry(0); 61| | 62| 110k| BOTAN_DEBUG_ASSERT(S <= 2); ------------------ | | 130| 110k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 110k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 110k] | | ------------------ ------------------ 63| | 64| 110k| solinas_correct_redc(r, P, p224_mul_mod_224(S)); 65| | 66| 110k| return r; 67| 110k| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE16p224_mul_mod_224Em: 81| 110k| constexpr static std::array p224_mul_mod_224(W i) { 82| 110k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 83| | 84| | // For small i, multiples of P-224 have a simple structure so it's faster to 85| | // compute the value directly vs a (constant time) table lookup 86| | 87| 110k| auto r = P; 88| | 89| | if constexpr(WordInfo::bits == 32) { 90| | r[3] -= i; 91| | r[0] += i; 92| 110k| } else { 93| 110k| const W i32 = i << 32; 94| 110k| r[1] -= i32; 95| 110k| r[0] += i; 96| 110k| } 97| 110k| return r; 98| 110k| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r15Curve10fe_invert2ERKNS_6IntModINS2_12Secp224r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 117| 131| static constexpr FieldElement fe_invert2(const FieldElement& x) { 118| 131| auto z = x.square(); 119| 131| z *= x; 120| 131| z = z.square(); 121| 131| z *= x; 122| 131| auto t0 = z; 123| 131| t0.square_n(3); 124| 131| t0 *= z; 125| 131| auto t1 = t0; 126| 131| t1.square_n(6); 127| 131| t0 *= t1; 128| 131| t0.square_n(3); 129| 131| z *= t0; 130| 131| t0 = z.square(); 131| 131| t0 *= x; 132| 131| t1 = t0; 133| 131| t1.square_n(16); 134| 131| t0 *= t1; 135| 131| t1 = t0; 136| 131| t1.square_n(15); 137| 131| z *= t1; 138| 131| t1 = z; 139| 131| t1.square_n(47); 140| 131| z *= t1; 141| 131| z = z.square(); 142| 131| z *= x; 143| 131| t1 = z; 144| 131| t1.square_n(32); 145| 131| t0 *= t1; 146| 131| t0.square_n(96); 147| 131| z *= t0; 148| 131| return z.square(); 149| 131| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 75| 265| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 71| 109| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp256k1Ev: 233| 159|std::shared_ptr PCurveInstance::secp256k1() { 234| 159| return PrimeOrderCurveImpl::instance(); 235| 159|} pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 28| 5.76k| constexpr static std::array one() { return std::array{1}; } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 30| 127k| constexpr static std::array redc(const std::array& z) { 31| 127k| return redc_crandall(std::span{z}); 32| 127k| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k15Curve10fe_invert2ERKNS_6IntModINS2_12Secp256k1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 60| 134| static constexpr FieldElement fe_invert2(const FieldElement& x) { 61| 134| auto z = x.square(); 62| 134| z *= x; 63| 134| auto t0 = z; 64| 134| t0.square_n(2); 65| 134| t0 *= z; 66| 134| auto t1 = t0.square(); 67| 134| auto t2 = t1 * x; 68| 134| t1 = t2; 69| 134| t1.square_n(2); 70| 134| t1 *= z; 71| 134| auto t3 = t1; 72| 134| t3.square_n(4); 73| 134| t0 *= t3; 74| 134| t3 = t0; 75| 134| t3.square_n(11); 76| 134| t0 *= t3; 77| 134| t3 = t0; 78| 134| t3.square_n(5); 79| 134| t2 *= t3; 80| 134| t3 = t2; 81| 134| t3.square_n(27); 82| 134| t2 *= t3; 83| 134| t3 = t2; 84| 134| t3.square_n(54); 85| 134| t2 *= t3; 86| 134| t3 = t2; 87| 134| t3.square_n(108); 88| 134| t2 *= t3; 89| 134| t2.square_n(7); 90| 134| t1 *= t2; 91| 134| t1.square_n(23); 92| 134| t0 *= t1; 93| 134| t0.square_n(5); 94| 134| t0 *= x; 95| 134| t0.square_n(3); 96| 134| z *= t0; 97| 134| z.square_n(2); 98| 134| return z; 99| 134| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 38| 269| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 34| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp256r1Ev: 268| 244|std::shared_ptr PCurveInstance::secp256r1() { 269| 244| return PrimeOrderCurveImpl::instance(); 270| 244|} pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE3oneEv: 77| 6.83k| constexpr static std::array one() { return std::array{1}; } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 27| 146k| constexpr static std::array redc(const std::array& z) { 28| 146k| const int64_t X00 = get_uint32(z.data(), 0); 29| 146k| const int64_t X01 = get_uint32(z.data(), 1); 30| 146k| const int64_t X02 = get_uint32(z.data(), 2); 31| 146k| const int64_t X03 = get_uint32(z.data(), 3); 32| 146k| const int64_t X04 = get_uint32(z.data(), 4); 33| 146k| const int64_t X05 = get_uint32(z.data(), 5); 34| 146k| const int64_t X06 = get_uint32(z.data(), 6); 35| 146k| const int64_t X07 = get_uint32(z.data(), 7); 36| 146k| const int64_t X08 = get_uint32(z.data(), 8); 37| 146k| const int64_t X09 = get_uint32(z.data(), 9); 38| 146k| const int64_t X10 = get_uint32(z.data(), 10); 39| 146k| const int64_t X11 = get_uint32(z.data(), 11); 40| 146k| const int64_t X12 = get_uint32(z.data(), 12); 41| 146k| const int64_t X13 = get_uint32(z.data(), 13); 42| 146k| const int64_t X14 = get_uint32(z.data(), 14); 43| 146k| const int64_t X15 = get_uint32(z.data(), 15); 44| | 45| | // See SP 800-186 section G.1.2 46| 146k| const int64_t S0 = P256_4[0] + X00 + X08 + X09 - (X11 + X12 + X13 + X14); 47| 146k| const int64_t S1 = P256_4[1] + X01 + X09 + X10 - (X12 + X13 + X14 + X15); 48| 146k| const int64_t S2 = P256_4[2] + X02 + X10 + X11 - (X13 + X14 + X15); 49| 146k| const int64_t S3 = P256_4[3] + X03 + 2 * (X11 + X12) + X13 - (X15 + X08 + X09); 50| 146k| const int64_t S4 = P256_4[4] + X04 + 2 * (X12 + X13) + X14 - (X09 + X10); 51| 146k| const int64_t S5 = P256_4[5] + X05 + 2 * (X13 + X14) + X15 - (X10 + X11); 52| 146k| const int64_t S6 = P256_4[6] + X06 + X13 + X14 * 3 + X15 * 2 - (X08 + X09); 53| 146k| const int64_t S7 = P256_4[7] + X07 + X15 * 3 + X08 - (X10 + X11 + X12 + X13); 54| 146k| const int64_t S8 = P256_4[8]; 55| | 56| 146k| std::array r = {}; 57| | 58| 146k| SolinasAccum sum(r); 59| | 60| 146k| sum.accum(S0); 61| 146k| sum.accum(S1); 62| 146k| sum.accum(S2); 63| 146k| sum.accum(S3); 64| 146k| sum.accum(S4); 65| 146k| sum.accum(S5); 66| 146k| sum.accum(S6); 67| 146k| sum.accum(S7); 68| 146k| const auto S = sum.final_carry(S8); 69| | 70| 146k| BOTAN_DEBUG_ASSERT(S <= 8); ------------------ | | 130| 146k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 146k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 146k] | | ------------------ ------------------ 71| | 72| 146k| solinas_correct_redc(r, P, p256_mul_mod_256(S)); 73| | 74| 146k| return r; 75| 146k| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE16p256_mul_mod_256Em: 89| 146k| constexpr static std::array p256_mul_mod_256(W i) { 90| 146k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 91| | 92| | // For small i, multiples of P-256 have a simple structure so it's faster to 93| | // compute the value directly vs a (constant time) table lookup 94| | 95| 146k| auto r = P; 96| | if constexpr(WordInfo::bits == 32) { 97| | r[7] -= i; 98| | r[6] += i; 99| | r[3] += i; 100| | r[0] -= i; 101| 146k| } else { 102| 146k| const uint64_t i32 = static_cast(i) << 32; 103| 146k| r[3] -= i32; 104| 146k| r[3] += i; 105| 146k| r[1] += i32; 106| 146k| r[0] -= i; 107| 146k| } 108| 146k| return r; 109| 146k| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256r15Curve10fe_invert2ERKNS_6IntModINS1_12Secp256r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 131| 159| static constexpr FieldElement fe_invert2(const FieldElement& x) { 132| | // Generated using https://github.com/mmcloughlin/addchain 133| | 134| 159| auto z = x.square(); 135| 159| z *= x; 136| 159| z = z.square(); 137| 159| z *= x; 138| 159| auto t0 = z; 139| 159| t0.square_n(3); 140| 159| t0 *= z; 141| 159| auto t1 = t0; 142| 159| t1.square_n(6); 143| 159| t0 *= t1; 144| 159| t0.square_n(3); 145| 159| z *= t0; 146| 159| t0 = z.square(); 147| 159| t0 *= x; 148| 159| t1 = t0; 149| 159| t1.square_n(16); 150| 159| t0 *= t1; 151| 159| t0.square_n(15); 152| 159| z *= t0; 153| 159| t0.square_n(17); 154| 159| t0 *= x; 155| 159| t0.square_n(143); 156| 159| t0 *= z; 157| 159| t0.square_n(47); 158| 159| z *= t0; 159| 159| z.square_n(2); 160| | 161| 159| return z; 162| 159| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 83| 319| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 79| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp384r1Ev: 343| 149|std::shared_ptr PCurveInstance::secp384r1() { 344| 149| return PrimeOrderCurveImpl::instance(); 345| 149|} pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE3oneEv: 88| 8.25k| constexpr static std::array one() { return std::array{1}; } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE4redcERKNSt3__15arrayImLm12EEE: 23| 184k| constexpr static std::array redc(const std::array& z) { 24| 184k| const int64_t X00 = get_uint32(z.data(), 0); 25| 184k| const int64_t X01 = get_uint32(z.data(), 1); 26| 184k| const int64_t X02 = get_uint32(z.data(), 2); 27| 184k| const int64_t X03 = get_uint32(z.data(), 3); 28| 184k| const int64_t X04 = get_uint32(z.data(), 4); 29| 184k| const int64_t X05 = get_uint32(z.data(), 5); 30| 184k| const int64_t X06 = get_uint32(z.data(), 6); 31| 184k| const int64_t X07 = get_uint32(z.data(), 7); 32| 184k| const int64_t X08 = get_uint32(z.data(), 8); 33| 184k| const int64_t X09 = get_uint32(z.data(), 9); 34| 184k| const int64_t X10 = get_uint32(z.data(), 10); 35| 184k| const int64_t X11 = get_uint32(z.data(), 11); 36| 184k| const int64_t X12 = get_uint32(z.data(), 12); 37| 184k| const int64_t X13 = get_uint32(z.data(), 13); 38| 184k| const int64_t X14 = get_uint32(z.data(), 14); 39| 184k| const int64_t X15 = get_uint32(z.data(), 15); 40| 184k| const int64_t X16 = get_uint32(z.data(), 16); 41| 184k| const int64_t X17 = get_uint32(z.data(), 17); 42| 184k| const int64_t X18 = get_uint32(z.data(), 18); 43| 184k| const int64_t X19 = get_uint32(z.data(), 19); 44| 184k| const int64_t X20 = get_uint32(z.data(), 20); 45| 184k| const int64_t X21 = get_uint32(z.data(), 21); 46| 184k| const int64_t X22 = get_uint32(z.data(), 22); 47| 184k| const int64_t X23 = get_uint32(z.data(), 23); 48| | 49| | // One copy of P-384 is added to prevent underflow 50| 184k| const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23; 51| 184k| const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20; 52| 184k| const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21; 53| 184k| const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23; 54| 184k| const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21 * 2 + X22 - X15 - X23 * 2; 55| 184k| const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22 * 2 + X23 - X16; 56| 184k| const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23 * 2 - X17; 57| 184k| const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18; 58| 184k| const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19; 59| 184k| const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20; 60| 184k| const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21; 61| 184k| const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22; 62| | 63| 184k| std::array r = {}; 64| | 65| 184k| SolinasAccum sum(r); 66| | 67| 184k| sum.accum(S0); 68| 184k| sum.accum(S1); 69| 184k| sum.accum(S2); 70| 184k| sum.accum(S3); 71| 184k| sum.accum(S4); 72| 184k| sum.accum(S5); 73| 184k| sum.accum(S6); 74| 184k| sum.accum(S7); 75| 184k| sum.accum(S8); 76| 184k| sum.accum(S9); 77| 184k| sum.accum(SA); 78| 184k| sum.accum(SB); 79| 184k| const auto S = sum.final_carry(0); 80| | 81| 184k| BOTAN_DEBUG_ASSERT(S <= 4); ------------------ | | 130| 184k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 184k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 184k] | | ------------------ ------------------ 82| | 83| 184k| solinas_correct_redc(r, P, p384_mul_mod_384(S)); 84| | 85| 184k| return r; 86| 184k| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE16p384_mul_mod_384Em: 100| 184k| constexpr static std::array p384_mul_mod_384(W i) { 101| 184k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 102| | 103| | // For small i, multiples of P-384 have a simple structure so it's faster to 104| | // compute the value directly vs a (constant time) table lookup 105| | 106| 184k| auto r = P; 107| | if constexpr(WordInfo::bits == 32) { 108| | r[4] -= i; 109| | r[3] -= i; 110| | r[1] += i; 111| | r[0] -= i; 112| 184k| } else { 113| 184k| const uint64_t i32 = static_cast(i) << 32; 114| 184k| r[2] -= i; 115| 184k| r[1] -= i32; 116| 184k| r[0] += i32; 117| 184k| r[0] -= i; 118| 184k| } 119| 184k| return r; 120| 184k| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp384r15Curve10fe_invert2ERKNS_6IntModINS1_12Secp384r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 142| 127| static constexpr FieldElement fe_invert2(const FieldElement& x) { 143| | // From https://briansmith.org/ecc-inversion-addition-chains-01 144| | 145| 127| FieldElement r = x.square(); 146| 127| r *= x; 147| 127| const auto x2 = r; 148| 127| r = r.square(); 149| 127| r *= x; 150| 127| const auto x3 = r; 151| 127| r.square_n(3); 152| 127| r *= x3; 153| 127| auto rl = r; 154| 127| r.square_n(6); 155| 127| r *= rl; 156| 127| r.square_n(3); 157| 127| r *= x3; 158| 127| const auto x15 = r; 159| 127| r.square_n(15); 160| 127| r *= x15; 161| 127| const auto x30 = r; 162| 127| r.square_n(30); 163| 127| r *= x30; 164| 127| rl = r; 165| 127| r.square_n(60); 166| 127| r *= rl; 167| 127| rl = r; 168| 127| r.square_n(120); 169| 127| r *= rl; 170| 127| r.square_n(15); 171| 127| r *= x15; 172| 127| r.square_n(31); 173| 127| r *= x30; 174| 127| r.square_n(2); 175| 127| r *= x2; 176| 127| r.square_n(94); 177| 127| r *= x30; 178| 127| r.square_n(2); 179| | 180| 127| return r; 181| 127| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE8from_repERKNSt3__15arrayImLm6EEE: 94| 255| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE6to_repERKNSt3__15arrayImLm6EEE: 90| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp521r1Ev: 291| 287|std::shared_ptr PCurveInstance::secp521r1() { 292| 287| return PrimeOrderCurveImpl::instance(); 293| 287|} pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 24| 9.91k| constexpr static std::array one() { return std::array{1}; } pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm18EEE: 26| 227k| constexpr static std::array redc(const std::array& z) { 27| | // Regardless of word size (32 or 64) the top word is 9 bits long 28| 227k| constexpr W TOP_BITS = static_cast(0x1FF); 29| | // The 23 or 55 bits that should be cleared in the top word 30| 227k| constexpr W CLEARED_TOP_BITS = WordInfo::max ^ TOP_BITS; 31| | 32| | /* 33| | * Extract the high part of z (z >> 521) 34| | */ 35| 227k| std::array t; // NOLINT(*-member-init) 36| | 37| 2.27M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (37:28): [True: 2.04M, False: 227k] ------------------ 38| 2.04M| t[i] = z[(N - 1) + i] >> 9; 39| 2.04M| } 40| | 41| 2.04M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (41:28): [True: 1.82M, False: 227k] ------------------ 42| 1.82M| t[i] |= z[(N - 1) + i + 1] << (WordInfo::bits - 9); 43| 1.82M| } 44| | 45| | // Now t += z & (2**521-1) 46| 227k| W carry = 0; 47| 2.04M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (47:28): [True: 1.82M, False: 227k] ------------------ 48| 1.82M| t[i] = word_add(t[i], z[i], &carry); 49| 1.82M| } 50| | 51| | // Now add the (partial) top words; this can't carry out 52| | // since both inputs are at most 2**9-1 53| 227k| t[N - 1] += (z[N - 1] & TOP_BITS) + carry; 54| | 55| | /* 56| | Since the modulus P is exactly 2**521 - 1 the only way the computed 57| | result can be larger than P is if the top word is larger than TOP_BITS 58| | 59| | Since TOP_BITS has the low 9 bits set, we can check if t[N - 1] > TOP_BITS 60| | by checking if t[N - 1] >> 9 has any bits set. Doing it this way is 61| | faster than a standard comparison since CT::Mask::is_gt requires 62| | several bit operations. 63| | */ 64| | 65| 227k| const W is_over_p521 = ~CT::Mask::is_zero(t[N - 1] >> 9).value(); 66| | 67| | /* 68| | * Also must detect/handle x == P 69| | */ 70| 227k| const W is_eq_p521 = [&]() { 71| 227k| W sum = WordInfo::max; 72| 227k| for(size_t i = 0; i != N - 1; ++i) { 73| 227k| sum &= t[i]; 74| 227k| } 75| 227k| sum &= (CLEARED_TOP_BITS | t[N - 1]); 76| | 77| 227k| return CT::Mask::is_zero(sum ^ WordInfo::max).value(); 78| 227k| }(); 79| | 80| 227k| const W need_sub = is_over_p521 | is_eq_p521; 81| | 82| 227k| W borrow = 0; 83| 2.04M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (83:28): [True: 1.82M, False: 227k] ------------------ 84| 1.82M| t[i] = word_sub(t[i], need_sub & WordInfo::max, &borrow); 85| 1.82M| } 86| 227k| t[N - 1] = word_sub(t[N - 1], need_sub & TOP_BITS, &borrow); 87| | 88| 227k| return t; 89| 227k| } pcurves_secp521r1.cpp:_ZZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm18EEEENKUlvE_clEv: 70| 227k| const W is_eq_p521 = [&]() { 71| 227k| W sum = WordInfo::max; 72| 2.04M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (72:31): [True: 1.82M, False: 227k] ------------------ 73| 1.82M| sum &= t[i]; 74| 1.82M| } 75| 227k| sum &= (CLEARED_TOP_BITS | t[N - 1]); 76| | 77| 227k| return CT::Mask::is_zero(sum ^ WordInfo::max).value(); 78| 227k| }(); pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r15Curve10fe_invert2ERKNS_6IntModINS2_7P521RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 115| 114| static constexpr FieldElement fe_invert2(const FieldElement& x) { 116| | // Addition chain from https://eprint.iacr.org/2014/852.pdf page 6 117| | 118| 114| FieldElement r = x.square(); 119| 114| r *= x; 120| 114| r = r.square(); 121| 114| r *= x; 122| 114| FieldElement rl = r; 123| 114| r.square_n(3); 124| 114| r *= rl; 125| 114| r.square_n(1); 126| 114| r *= x; 127| 114| const auto a7 = r; 128| 114| r.square_n(1); 129| 114| r *= x; 130| 114| rl = r; 131| 114| r.square_n(8); 132| 114| r *= rl; 133| 114| rl = r; 134| 114| r.square_n(16); 135| 114| r *= rl; 136| 114| rl = r; 137| 114| r.square_n(32); 138| 114| r *= rl; 139| 114| rl = r; 140| 114| r.square_n(64); 141| 114| r *= rl; 142| 114| rl = r; 143| 114| r.square_n(128); 144| 114| r *= rl; 145| 114| rl = r; 146| 114| r.square_n(256); 147| 114| r *= rl; 148| 114| r.square_n(7); 149| 114| r *= a7; 150| 114| r.square_n(2); 151| | 152| 114| return r; 153| 114| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm9EEE: 95| 231| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm9EEE: 91| 129| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan18Keccak_Permutation5clearEv: 37| 582|void Keccak_Permutation::clear() { 38| 582| state() = {}; 39| 582| reset_cursor(); 40| 582|} _ZN5Botan18Keccak_Permutation6absorbENSt3__14spanIKhLm18446744073709551615EEE: 42| 8.50k|void Keccak_Permutation::absorb(std::span input) { 43| 8.50k| absorb_into_sponge(*this, input); 44| 8.50k|} _ZN5Botan18Keccak_Permutation7squeezeENSt3__14spanIhLm18446744073709551615EEE: 46| 904k|void Keccak_Permutation::squeeze(std::span output) { 47| 904k| squeeze_from_sponge(*this, output); 48| 904k|} _ZN5Botan18Keccak_Permutation6finishEv: 50| 4.30k|void Keccak_Permutation::finish() { 51| | // The padding for Keccak[c]-based functions spans the entire remaining 52| | // byterate until the next permute() call. At most that could be an entire 53| | // byterate. First are a few bits of "custom" padding defined by the using 54| | // function (e.g. SHA-3 uses "01"), then the remaining space is filled with 55| | // "pad10*1" (see NIST FIPS 202 Section 5.1) followed by a final permute(). 56| | 57| 4.30k| auto& S = state(); 58| | 59| | // Apply the custom padding + the left-most 1-bit of "pad10*1" to the current 60| | // (partial) word of the sponge state 61| | 62| 4.30k| const uint64_t start_of_padding = (m_padding.padding | uint64_t(1) << m_padding.bit_len); 63| 4.30k| S[cursor() / word_bytes] ^= start_of_padding << (8 * (cursor() % word_bytes)); 64| | 65| | // XOR'ing the 0-bits of "pad10*1" into the state is a NOOP 66| | 67| | // If the custom padding + the left-most 1-bit of "pad10*1" had resulted in a 68| | // byte-aligned "partial padding", the final 1-bit of of "pad10*1" could 69| | // potentially override parts of the already-appended "start_of_padding". 70| | // In case we ever introduce a Keccak-based function with such a need, we 71| | // have to modify this padding algorithm. 72| 4.30k| BOTAN_DEBUG_ASSERT(m_padding.bit_len % 8 != 7); ------------------ | | 130| 4.30k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 4.30k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 4.30k] | | ------------------ ------------------ 73| | 74| | // Append the final bit of "pad10*1" into the last word of the input range 75| 4.30k| S[(byte_rate() / word_bytes) - 1] ^= uint64_t(0x8000000000000000); 76| | 77| | // Perform the final permutation and reset the state cursor 78| 4.30k| permute(); 79| 4.30k| reset_cursor(); 80| | 81| 4.30k| BOTAN_DEBUG_ASSERT(cursor() == 0); ------------------ | | 130| 4.30k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 4.30k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 4.30k] | | ------------------ ------------------ 82| 4.30k|} _ZN5Botan18Keccak_Permutation7permuteEv: 84| 17.8k|void Keccak_Permutation::permute() { 85| 17.8k|#if defined(BOTAN_HAS_KECCAK_PERM_AVX512) 86| 17.8k| if(CPUID::has(CPUID::Feature::AVX512)) { ------------------ | Branch (86:7): [True: 0, False: 17.8k] ------------------ 87| 0| return permute_avx512(); 88| 0| } 89| 17.8k|#endif 90| | 91| 17.8k|#if defined(BOTAN_HAS_KECCAK_PERM_BMI2) 92| 17.8k| if(CPUID::has(CPUID::Feature::BMI)) { ------------------ | Branch (92:7): [True: 17.8k, False: 0] ------------------ 93| 17.8k| return permute_bmi2(); 94| 17.8k| } 95| 0|#endif 96| | 97| 0| static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 98| 0| 0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009, 99| 0| 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A, 100| 0| 0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 101| 0| 0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A, 102| 0| 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008}; 103| | 104| 0| uint64_t T[25]; 105| | 106| 0| for(size_t i = 0; i != 24; i += 2) { ------------------ | Branch (106:22): [True: 0, False: 0] ------------------ 107| 0| Keccak_Permutation_round(T, state().data(), RC[i + 0]); 108| 0| Keccak_Permutation_round(state().data(), T, RC[i + 1]); 109| 0| } 110| 0|} _ZN5Botan18Keccak_Permutation12permute_bmi2Ev: 15| 17.8k|void BOTAN_FN_ISA_BMI2 Keccak_Permutation::permute_bmi2() { 16| 17.8k| static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 17| 17.8k| 0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009, 18| 17.8k| 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A, 19| 17.8k| 0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 20| 17.8k| 0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A, 21| 17.8k| 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008}; 22| | 23| 17.8k| uint64_t T[25]; 24| | 25| 232k| for(size_t i = 0; i != 24; i += 2) { ------------------ | Branch (25:22): [True: 214k, False: 17.8k] ------------------ 26| 214k| Keccak_Permutation_round(T, state().data(), RC[i + 0]); 27| 214k| Keccak_Permutation_round(state().data(), T, RC[i + 1]); 28| 214k| } 29| 17.8k|} _ZN5Botan9Gf448ElemC2ENSt3__14spanIKhLm56EEE: 356| 2|Gf448Elem::Gf448Elem(std::span x) /* NOLINT(*-member-init) */ { 357| 2| load_le(m_x, x); 358| 2|} _ZN5Botan9Gf448ElemC2Em: 360| 8.06k|Gf448Elem::Gf448Elem(uint64_t least_sig_word) /* NOLINT(*-member-init) */ { 361| 8.06k| clear_mem(m_x); 362| 8.06k| m_x[0] = least_sig_word; 363| 8.06k|} _ZNK5Botan9Gf448Elem8to_bytesENSt3__14spanIhLm56EEE: 365| 1|void Gf448Elem::to_bytes(std::span out) const { 366| 1| store_le(out, to_canonical(m_x)); 367| 1|} _ZNK5Botan9Gf448Elem8to_bytesEv: 369| 1|std::array Gf448Elem::to_bytes() const { 370| 1| std::array bytes{}; 371| 1| to_bytes(bytes); 372| 1| return bytes; 373| 1|} _ZN5Botan9Gf448Elem12ct_cond_swapENS_2CT4MaskImEERS0_: 375| 898|void Gf448Elem::ct_cond_swap(CT::Mask mask, Gf448Elem& other) { 376| 7.18k| for(size_t i = 0; i < WORDS_448; ++i) { ------------------ | Branch (376:22): [True: 6.28k, False: 898] ------------------ 377| 6.28k| mask.conditional_swap(m_x[i], other.m_x[i]); 378| 6.28k| } 379| 898|} _ZNK5Botan9Gf448ElemplERKS0_: 385| 1.79k|Gf448Elem Gf448Elem::operator+(const Gf448Elem& other) const { 386| 1.79k| Gf448Elem res(0); 387| 1.79k| gf_add(res.m_x, m_x, other.m_x); 388| 1.79k| return res; 389| 1.79k|} _ZNK5Botan9Gf448ElemmiERKS0_: 391| 1.79k|Gf448Elem Gf448Elem::operator-(const Gf448Elem& other) const { 392| 1.79k| Gf448Elem res(0); 393| 1.79k| gf_sub(res.m_x, m_x, other.m_x); 394| 1.79k| return res; 395| 1.79k|} _ZNK5Botan9Gf448ElemmlERKS0_: 403| 2.24k|Gf448Elem Gf448Elem::operator*(const Gf448Elem& other) const { 404| 2.24k| Gf448Elem res(0); 405| 2.24k| gf_mul(res.m_x, m_x, other.m_x); 406| 2.24k| return res; 407| 2.24k|} _ZNK5Botan9Gf448ElemdvERKS0_: 409| 1|Gf448Elem Gf448Elem::operator/(const Gf448Elem& other) const { 410| 1| Gf448Elem res(0); 411| 1| gf_inv(res.m_x, other.m_x); 412| 1| gf_mul(res.m_x, m_x, res.m_x); 413| 1| return res; 414| 1|} _ZN5Botan7mul_a24ERKNS_9Gf448ElemE: 439| 448|Gf448Elem mul_a24(const Gf448Elem& a) { 440| 448| Gf448Elem res(0); 441| 448| gf_mul_a24(res.words(), a.words()); 442| 448| return res; 443| 448|} _ZN5Botan6squareERKNS_9Gf448ElemE: 445| 1.79k|Gf448Elem square(const Gf448Elem& elem) { 446| 1.79k| Gf448Elem res(0); 447| 1.79k| gf_square(res.words(), elem.words()); 448| 1.79k| return res; 449| 1.79k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_112to_canonicalENSt3__14spanIKmLm7EEE: 335| 1|std::array to_canonical(std::span in) { 336| 1| const std::array p = {0xffffffffffffffff, 337| 1| 0xffffffffffffffff, 338| 1| 0xffffffffffffffff, 339| 1| 0xfffffffeffffffff, 340| 1| 0xffffffffffffffff, 341| 1| 0xffffffffffffffff, 342| 1| 0xffffffffffffffff}; 343| | 344| 1| std::array in_minus_p; // NOLINT(*-member-init) 345| 1| uint64_t borrow = 0; 346| 8| for(size_t i = 0; i < WORDS_448; ++i) { ------------------ | Branch (346:22): [True: 7, False: 1] ------------------ 347| 7| in_minus_p[i] = word_sub(in[i], p[i], &borrow); 348| 7| } 349| 1| std::array out; // NOLINT(*-member-init) 350| 1| CT::Mask::expand(borrow).select_n(out.data(), in.data(), in_minus_p.data(), WORDS_448); 351| 1| return out; 352| 1|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_addENSt3__14spanImLm7EEENS2_IKmLm7EEES5_: 155| 1.79k| std::span b) { 156| 1.79k| std::array ws; // NOLINT(*-member-init) 157| | 158| 1.79k| uint64_t carry = 0; 159| 1.79k| ws[0] = word_add(a[0], b[0], &carry); 160| 1.79k| ws[1] = word_add(a[1], b[1], &carry); 161| 1.79k| ws[2] = word_add(a[2], b[2], &carry); 162| 1.79k| ws[3] = word_add(a[3], b[3], &carry); 163| 1.79k| ws[4] = word_add(a[4], b[4], &carry); 164| 1.79k| ws[5] = word_add(a[5], b[5], &carry); 165| 1.79k| ws[6] = word_add(a[6], b[6], &carry); 166| 1.79k| ws[7] = carry; 167| | 168| 1.79k| reduce_after_add(out, ws); 169| 1.79k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_116reduce_after_addENSt3__14spanImLm7EEENS2_IKmLm8EEE: 27| 6.73k|void reduce_after_add(std::span h_3, std::span h_1) { 28| 6.73k| std::array h_2; /* NOLINT(*-member-init) */ 29| 6.73k| uint64_t carry = 0; 30| | 31| 6.73k| constexpr uint64_t zero = 0; 32| | 33| | // Line 27+ (of the paper's algorithm 1) 34| 6.73k| h_2[0] = word_add(h_1[0], h_1[7], &carry); 35| 6.73k| h_2[1] = word_add(h_1[1], zero, &carry); 36| 6.73k| h_2[2] = word_add(h_1[2], zero, &carry); 37| | 38| | // Line 30 39| 6.73k| h_2[3] = word_add(h_1[3], h_1[7] << 32, &carry); 40| | 41| | // Line 31+ 42| 6.73k| h_2[4] = word_add(h_1[4], zero, &carry); 43| 6.73k| h_2[5] = word_add(h_1[5], zero, &carry); 44| 6.73k| h_2[6] = word_add(h_1[6], zero, &carry); 45| | 46| 6.73k| h_2[7] = carry; 47| | 48| 6.73k| carry = 0; 49| 6.73k| h_3[0] = word_add(h_2[0], h_2[7], &carry); 50| 6.73k| h_3[1] = word_add(h_2[1], zero, &carry); 51| 6.73k| h_3[2] = word_add(h_2[2], zero, &carry); 52| | // Line 37 53| 6.73k| h_3[3] = h_2[3] + (h_2[7] << 32) + carry; 54| | 55| | // Line 38 56| 6.73k| h_3[4] = h_2[4]; 57| 6.73k| h_3[5] = h_2[5]; 58| 6.73k| h_3[6] = h_2[6]; 59| 6.73k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_subENSt3__14spanImLm7EEENS2_IKmLm7EEES5_: 178| 1.79k| std::span b) { 179| 1.79k| std::array h_0; // NOLINT(*-member-init) 180| 1.79k| std::array h_1; // NOLINT(*-member-init) 181| | 182| 1.79k| uint64_t borrow = 0; 183| 1.79k| h_0[0] = word_sub(a[0], b[0], &borrow); 184| 1.79k| h_0[1] = word_sub(a[1], b[1], &borrow); 185| 1.79k| h_0[2] = word_sub(a[2], b[2], &borrow); 186| 1.79k| h_0[3] = word_sub(a[3], b[3], &borrow); 187| 1.79k| h_0[4] = word_sub(a[4], b[4], &borrow); 188| 1.79k| h_0[5] = word_sub(a[5], b[5], &borrow); 189| 1.79k| h_0[6] = word_sub(a[6], b[6], &borrow); 190| 1.79k| uint64_t delta = borrow; 191| 1.79k| uint64_t delta_p = delta << 32; 192| 1.79k| borrow = 0; 193| | 194| 1.79k| constexpr uint64_t zero = 0; 195| | 196| 1.79k| h_1[0] = word_sub(h_0[0], delta, &borrow); 197| 1.79k| h_1[1] = word_sub(h_0[1], zero, &borrow); 198| 1.79k| h_1[2] = word_sub(h_0[2], zero, &borrow); 199| 1.79k| h_1[3] = word_sub(h_0[3], delta_p, &borrow); 200| 1.79k| h_1[4] = word_sub(h_0[4], zero, &borrow); 201| 1.79k| h_1[5] = word_sub(h_0[5], zero, &borrow); 202| 1.79k| h_1[6] = word_sub(h_0[6], zero, &borrow); 203| | 204| 1.79k| delta = borrow; 205| 1.79k| delta_p = delta << 32; 206| 1.79k| borrow = 0; 207| | 208| 1.79k| out[0] = word_sub(h_1[0], delta, &borrow); 209| 1.79k| out[1] = word_sub(h_1[1], zero, &borrow); 210| 1.79k| out[2] = word_sub(h_1[2], zero, &borrow); 211| 1.79k| out[3] = word_sub(h_1[3], delta_p, &borrow); 212| 1.79k| out[4] = h_1[4]; 213| 1.79k| out[5] = h_1[5]; 214| 1.79k| out[6] = h_1[6]; 215| 1.79k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_mulENSt3__14spanImLm7EEENS2_IKmLm7EEES5_: 141| 2.25k| std::span b) { 142| 2.25k| std::array ws; // NOLINT(*-member-init) 143| 2.25k| comba_mul<7>(ws.data(), a.data(), b.data()); 144| 2.25k| reduce_after_mul(out, ws); 145| 2.25k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_116reduce_after_mulENSt3__14spanImLm7EEENS2_IKmLm14EEE: 66| 4.49k|void reduce_after_mul(std::span out, std::span in) { 67| 4.49k| std::array r; // NOLINT(*-member-init) 68| 4.49k| std::array s; // NOLINT(*-member-init) 69| 4.49k| std::array t_0; // NOLINT(*-member-init) 70| 4.49k| std::array h_1; // NOLINT(*-member-init) 71| | 72| 4.49k| uint64_t carry = 0; 73| | 74| | // Line 4 (of the paper's algorithm 1) 75| 4.49k| r[0] = word_add(in[0], in[7], &carry); 76| | 77| | // Line 5-7 78| 4.49k| r[1] = word_add(in[1], in[1 + 7], &carry); 79| 4.49k| r[2] = word_add(in[2], in[2 + 7], &carry); 80| 4.49k| r[3] = word_add(in[3], in[3 + 7], &carry); 81| 4.49k| r[4] = word_add(in[4], in[4 + 7], &carry); 82| 4.49k| r[5] = word_add(in[5], in[5 + 7], &carry); 83| 4.49k| r[6] = word_add(in[6], in[6 + 7], &carry); 84| 4.49k| r[7] = carry; 85| 4.49k| s[0] = r[0]; 86| 4.49k| s[1] = r[1]; 87| 4.49k| s[2] = r[2]; 88| | // Line 10 89| 4.49k| carry = 0; 90| 4.49k| s[3] = word_add(r[3], in[10] & 0xFFFFFFFF00000000, &carry); 91| | // Line 11-13 92| 4.49k| s[4] = word_add(r[4], in[4 + 7], &carry); 93| 4.49k| s[5] = word_add(r[5], in[5 + 7], &carry); 94| 4.49k| s[6] = word_add(r[6], in[6 + 7], &carry); 95| 4.49k| s[7] = r[7] + carry; 96| | 97| | // Line 15-17 98| 4.49k| t_0[0] = (in[0 + 11] << 32) | (in[0 + 10] >> 32); 99| 4.49k| t_0[1] = (in[1 + 11] << 32) | (in[1 + 10] >> 32); 100| 4.49k| t_0[2] = (in[2 + 11] << 32) | (in[2 + 10] >> 32); 101| | // Line 18 102| 4.49k| t_0[3] = (in[7] << 32) | (in[13] >> 32); 103| | // Line 19-21 104| 4.49k| t_0[4] = (in[4 + 4] << 32) | (in[4 + 3] >> 32); 105| 4.49k| t_0[5] = (in[5 + 4] << 32) | (in[5 + 3] >> 32); 106| 4.49k| t_0[6] = (in[6 + 4] << 32) | (in[6 + 3] >> 32); 107| 4.49k| carry = 0; 108| | // Line 23-25 109| 4.49k| h_1[0] = word_add(s[0], t_0[0], &carry); 110| 4.49k| h_1[1] = word_add(s[1], t_0[1], &carry); 111| 4.49k| h_1[2] = word_add(s[2], t_0[2], &carry); 112| 4.49k| h_1[3] = word_add(s[3], t_0[3], &carry); 113| 4.49k| h_1[4] = word_add(s[4], t_0[4], &carry); 114| 4.49k| h_1[5] = word_add(s[5], t_0[5], &carry); 115| 4.49k| h_1[6] = word_add(s[6], t_0[6], &carry); 116| 4.49k| h_1[7] = s[7] + carry; 117| | 118| 4.49k| reduce_after_add(out, h_1); 119| 4.49k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_invENSt3__14spanImLm7EEENS2_IKmLm7EEE: 316| 1|void gf_inv(std::span out, std::span a) { 317| 1| std::array x222; // NOLINT(*-member-init) 318| 1| std::array x223; // NOLINT(*-member-init) 319| 1| gf_pow_2_222m1(x222, x223, a); 320| | 321| | // (x223 << 223 + x222) << 2 + 1 322| 1| std::array t; // NOLINT(*-member-init) 323| 1| gf_sqr_n(t, x223, 223); 324| 1| gf_mul(t, t, x222); 325| 1| gf_sqr_n(t, t, 2); 326| 1| gf_mul(out, t, a); 327| 1|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_110gf_mul_a24ENSt3__14spanImLm7EEENS2_IKmLm7EEE: 124| 448|void gf_mul_a24(std::span out, std::span a) { 125| 448| constexpr uint64_t A24 = 39081; 126| 448| std::array ws; // NOLINT(*-member-init) 127| 448| uint64_t carry = 0; 128| 448| ws[0] = word_madd2(a[0], A24, &carry); 129| 448| ws[1] = word_madd2(a[1], A24, &carry); 130| 448| ws[2] = word_madd2(a[2], A24, &carry); 131| 448| ws[3] = word_madd2(a[3], A24, &carry); 132| 448| ws[4] = word_madd2(a[4], A24, &carry); 133| 448| ws[5] = word_madd2(a[5], A24, &carry); 134| 448| ws[6] = word_madd2(a[6], A24, &carry); 135| 448| ws[7] = carry; 136| 448| reduce_after_add(out, ws); 137| 448|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_19gf_squareENSt3__14spanImLm7EEENS2_IKmLm7EEE: 147| 2.23k|void gf_square(std::span out, std::span a) { 148| 2.23k| std::array ws; // NOLINT(*-member-init) 149| 2.23k| comba_sqr<7>(ws.data(), a.data()); 150| 2.23k| reduce_after_mul(out, ws); 151| 2.23k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_114gf_pow_2_222m1ENSt3__14spanImLm7EEES3_NS2_IKmLm7EEE: 245| 1| std::span a) { 246| 1| std::array t; // NOLINT(*-member-init) 247| | 248| | // _10 = a^2 249| 1| std::array a2; // NOLINT(*-member-init) 250| 1| gf_square(a2, a); 251| | 252| | // _11 = a^3 253| 1| std::array a3; // NOLINT(*-member-init) 254| 1| gf_mul(a3, a, a2); 255| | 256| | // _111 = a^7 257| 1| std::array a7; // NOLINT(*-member-init) 258| 1| gf_square(t, a3); 259| 1| gf_mul(a7, a, t); 260| | 261| | // _111111 = a^63 262| 1| std::array a63; // NOLINT(*-member-init) 263| 1| gf_sqr_n(t, a7, 3); 264| 1| gf_mul(a63, a7, t); 265| | 266| | // x12 = a^(2^12 - 1) 267| 1| std::array x12; // NOLINT(*-member-init) 268| 1| gf_sqr_n(t, a63, 6); 269| 1| gf_mul(x12, a63, t); 270| | 271| | // x24 = a^(2^24 - 1) 272| 1| std::array x24; // NOLINT(*-member-init) 273| 1| gf_sqr_n(t, x12, 12); 274| 1| gf_mul(x24, x12, t); 275| | 276| | // i34 = x24 << 6 = a^((2^24 - 1) * 2^6) 277| 1| std::array i34; // NOLINT(*-member-init) 278| 1| gf_sqr_n(i34, x24, 6); 279| | 280| | // x30 = a^(2^30 - 1) 281| 1| std::array x30; // NOLINT(*-member-init) 282| 1| gf_mul(x30, a63, i34); 283| | 284| | // x48 = a^(2^48 - 1) 285| 1| std::array x48; // NOLINT(*-member-init) 286| 1| gf_sqr_n(t, i34, 18); 287| 1| gf_mul(x48, x24, t); 288| | 289| | // x96 = a^(2^96 - 1) 290| 1| std::array x96; // NOLINT(*-member-init) 291| 1| gf_sqr_n(t, x48, 48); 292| 1| gf_mul(x96, x48, t); 293| | 294| | // x192 = a^(2^192 - 1) 295| 1| std::array x192; // NOLINT(*-member-init) 296| 1| gf_sqr_n(t, x96, 96); 297| 1| gf_mul(x192, x96, t); 298| | 299| | // x222 = a^(2^222 - 1) 300| 1| gf_sqr_n(t, x192, 30); 301| 1| gf_mul(x222, x30, t); 302| | 303| | // x223 = a^(2^223 - 1) 304| 1| gf_square(t, x222); 305| 1| gf_mul(x223, a, t); 306| 1|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_18gf_sqr_nENSt3__14spanImLm7EEENS2_IKmLm7EEEm: 218| 10|void gf_sqr_n(std::span out, std::span a, size_t n) { 219| 10| gf_square(out, a); 220| 444| for(size_t i = 1; i < n; ++i) { ------------------ | Branch (220:22): [True: 434, False: 10] ------------------ 221| 434| gf_square(out, out); 222| 434| } 223| 10|} _ZN5Botan16Ed448_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 58| 2|Ed448_PrivateKey::Ed448_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 59| 2| secure_vector bits; 60| 2| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(bits, ASN1_Type::OctetString).verify_end(); 61| | 62| 2| if(bits.size() != ED448_LEN) { ------------------ | Branch (62:7): [True: 1, False: 1] ------------------ 63| 1| throw Decoding_Error("Invalid size for Ed448 private key"); 64| 1| } 65| 1| m_private = std::move(bits); 66| 1| m_public = create_pk_from_sk(std::span(m_private).first()); 67| 1|} _ZN5Botan15X448_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 68| 3| X448_PrivateKey(ber_decode_sk(key_bits)) {} _ZN5Botan15X448_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEE: 70| 1|X448_PrivateKey::X448_PrivateKey(std::span secret_key) { 71| 1| BOTAN_ARG_CHECK(secret_key.size() == X448_LEN, "Invalid size for X448 private key"); ------------------ | | 35| 1| do { \ | | 36| 1| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1] | | ------------------ ------------------ 72| 1| m_private.assign(secret_key.begin(), secret_key.end()); 73| 1| auto scope = CT::scoped_poison(m_private); 74| 1| x448_basepoint_from_data(m_public, std::span(m_private).first()); 75| 1| CT::unpoison(m_public); 76| 1|} x448.cpp:_ZN5Botan12_GLOBAL__N_113ber_decode_skENSt3__14spanIKhLm18446744073709551615EEE: 28| 3|secure_vector ber_decode_sk(std::span key_bits) { 29| 3| secure_vector decoded_bits; 30| 3| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(decoded_bits, ASN1_Type::OctetString).verify_end(); 31| 3| if(decoded_bits.size() != X448_LEN) { ------------------ | Branch (31:7): [True: 1, False: 2] ------------------ 32| 1| throw Decoding_Error("Invalid size for X448 private key"); 33| 1| } 34| 2| return decoded_bits; 35| 3|} x448.cpp:_ZN5Botan12_GLOBAL__N_124x448_basepoint_from_dataENSt3__14spanIhLm56EEENS2_IKhLm56EEE: 22| 1|void x448_basepoint_from_data(std::span mypublic, std::span secret) { 23| 1| auto bp = x448_basepoint(decode_scalar(secret)); 24| 1| auto bp_bytes = encode_point(bp); 25| 1| copy_mem(mypublic, bp_bytes); 26| 1|} _ZN5Botan12encode_pointERKNS_6StrongINSt3__15arrayIhLm56EEENS_9Point448_EJEEE: 21| 1|secure_vector encode_point(const Point448& p) { 22| 1| return {p.begin(), p.end()}; 23| 1|} _ZN5Botan13decode_scalarENSt3__14spanIKhLm18446744073709551615EEE: 30| 1|ScalarX448 decode_scalar(std::span scalar_bytes) { 31| 1| BOTAN_ARG_CHECK(scalar_bytes.size() == X448_LEN, "Invalid size for X448 scalar"); ------------------ | | 35| 1| do { \ | | 36| 1| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1] | | ------------------ ------------------ 32| 1| auto buf = typecast_copy(scalar_bytes); 33| | 34| 1| buf[0] &= 0xfc; 35| 1| buf[55] |= 0x80; 36| | 37| 1| return buf; 38| 1|} _ZN5Botan14x448_basepointERKNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEE: 41| 1|Point448 x448_basepoint(const ScalarX448& k) { 42| 1| const Point448 u({5}); 43| 1| return x448(k, u); 44| 1|} _ZN5Botan4x448ERKNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEERKNS0_IS3_NS_9Point448_EJEEE: 48| 1|Point448 x448(const ScalarX448& k, const Point448& u) { 49| 1| const Gf448Elem x_1 = Gf448Elem(u.get()); 50| 1| Gf448Elem x_2 = Gf448Elem::one(); 51| 1| Gf448Elem z_2 = Gf448Elem::zero(); 52| 1| Gf448Elem x_3 = Gf448Elem(u.get()); 53| 1| Gf448Elem z_3 = Gf448Elem::one(); 54| 1| auto swap = CT::Mask::cleared(); 55| | 56| 449| for(int16_t t = 448 - 1; t >= 0; --t) { ------------------ | Branch (56:29): [True: 448, False: 1] ------------------ 57| 448| auto k_t = CT::Mask::expand(get_bit(k, t)); 58| 448| swap ^= k_t; 59| | 60| 448| x_2.ct_cond_swap(swap, x_3); 61| 448| z_2.ct_cond_swap(swap, z_3); 62| 448| swap = k_t; 63| | 64| 448| const auto A = x_2 + z_2; 65| 448| const auto AA = square(A); 66| 448| const auto B = x_2 - z_2; 67| 448| const auto BB = square(B); 68| 448| const auto E = AA - BB; 69| 448| const auto C = x_3 + z_3; 70| 448| const auto D = x_3 - z_3; 71| 448| const auto DA = D * A; 72| 448| const auto CB = C * B; 73| 448| x_3 = square(DA + CB); 74| 448| z_3 = x_1 * square(DA - CB); 75| 448| x_2 = AA * BB; 76| 448| z_2 = E * (AA + mul_a24(E)); 77| 448| } 78| | 79| 1| x_2.ct_cond_swap(swap, x_3); 80| 1| z_2.ct_cond_swap(swap, z_3); 81| | 82| 1| const auto res = x_2 / z_2; 83| | 84| 1| return Point448(res.to_bytes()); 85| 1|} x448_internal.cpp:_ZN5Botan12_GLOBAL__N_17get_bitERKNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEEm: 16| 448|uint64_t get_bit(const ScalarX448& scalar, size_t bit) { 17| 448| return (scalar[bit / 8] >> (bit % 8)) & 1; 18| 448|} _ZN5Botan13DH_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 70| 101|DH_PrivateKey::DH_PrivateKey(const AlgorithmIdentifier& alg_id, std::span key_bits) { 71| 101| m_private_key = std::make_shared(alg_id, key_bits, DL_Group_Format::ANSI_X9_42); 72| 101| m_public_key = m_private_key->public_key(); 73| 101|} _ZN5Botan13DilithiumModeC2ERKNS_3OIDE: 66| 79|DilithiumMode::DilithiumMode(const OID& oid) : m_mode(dilithium_mode_from_string(oid.to_formatted_string())) {} _ZNK5Botan13DilithiumMode6is_aesEv: 99| 310|bool DilithiumMode::is_aes() const { 100| 310| return m_mode == Dilithium4x4_AES || m_mode == Dilithium6x5_AES || m_mode == Dilithium8x7_AES; ------------------ | Branch (100:11): [True: 0, False: 310] | Branch (100:41): [True: 0, False: 310] | Branch (100:71): [True: 0, False: 310] ------------------ 101| 310|} _ZNK5Botan13DilithiumMode9is_modernEv: 103| 155|bool DilithiumMode::is_modern() const { 104| 155| return !is_aes(); 105| 155|} _ZNK5Botan13DilithiumMode9is_ml_dsaEv: 107| 620|bool DilithiumMode::is_ml_dsa() const { 108| 620| return m_mode == ML_DSA_4x4 || m_mode == ML_DSA_6x5 || m_mode == ML_DSA_8x7; ------------------ | Branch (108:11): [True: 100, False: 520] | Branch (108:35): [True: 340, False: 180] | Branch (108:59): [True: 180, False: 0] ------------------ 109| 620|} _ZN5Botan20Dilithium_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 421| 79| Dilithium_PrivateKey(sk, DilithiumMode(alg_id.oid())) {} _ZN5Botan20Dilithium_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEENS_13DilithiumModeE: 423| 79|Dilithium_PrivateKey::Dilithium_PrivateKey(std::span sk, DilithiumMode m) { 424| 79| DilithiumConstants mode(m); 425| 79| auto& codec = mode.keypair_codec(); 426| 79| std::tie(m_public, m_private) = codec.decode_keypair(sk, std::move(mode)); 427| 79|} dilithium.cpp:_ZN5Botan12_GLOBAL__N_126dilithium_mode_from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 32| 79|DilithiumMode::Mode dilithium_mode_from_string(std::string_view str) { 33| 79| if(str == "Dilithium-4x4-r3") { ------------------ | Branch (33:7): [True: 0, False: 79] ------------------ 34| 0| return DilithiumMode::Dilithium4x4; 35| 0| } 36| 79| if(str == "Dilithium-4x4-AES-r3") { ------------------ | Branch (36:7): [True: 0, False: 79] ------------------ 37| 0| return DilithiumMode::Dilithium4x4_AES; 38| 0| } 39| 79| if(str == "Dilithium-6x5-r3") { ------------------ | Branch (39:7): [True: 0, False: 79] ------------------ 40| 0| return DilithiumMode::Dilithium6x5; 41| 0| } 42| 79| if(str == "Dilithium-6x5-AES-r3") { ------------------ | Branch (42:7): [True: 0, False: 79] ------------------ 43| 0| return DilithiumMode::Dilithium6x5_AES; 44| 0| } 45| 79| if(str == "Dilithium-8x7-r3") { ------------------ | Branch (45:7): [True: 0, False: 79] ------------------ 46| 0| return DilithiumMode::Dilithium8x7; 47| 0| } 48| 79| if(str == "Dilithium-8x7-AES-r3") { ------------------ | Branch (48:7): [True: 0, False: 79] ------------------ 49| 0| return DilithiumMode::Dilithium8x7_AES; 50| 0| } 51| 79| if(str == "ML-DSA-4x4") { ------------------ | Branch (51:7): [True: 13, False: 66] ------------------ 52| 13| return DilithiumMode::ML_DSA_4x4; 53| 13| } 54| 66| if(str == "ML-DSA-6x5") { ------------------ | Branch (54:7): [True: 43, False: 23] ------------------ 55| 43| return DilithiumMode::ML_DSA_6x5; 56| 43| } 57| 23| if(str == "ML-DSA-8x7") { ------------------ | Branch (57:7): [True: 23, False: 0] ------------------ 58| 23| return DilithiumMode::ML_DSA_8x7; 59| 23| } 60| | 61| 0| throw Invalid_Argument(fmt("'{}' is not a valid Dilithium mode name", str)); 62| 23|} _ZN5Botan15Dilithium_Algos17encode_public_keyENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERKNS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSC_6DomainE0EEERKNS_18DilithiumConstantsE: 332| 76| const DilithiumConstants& mode) { 333| 76| DilithiumSerializedPublicKey pk(mode.public_key_bytes()); 334| 76| BufferStuffer stuffer(pk); 335| | 336| 76| stuffer.append(rho); 337| 476| for(const auto& p : t1) { ------------------ | Branch (337:22): [True: 476, False: 76] ------------------ 338| 476| poly_pack_t1(p, stuffer); 339| 476| } 340| | 341| 76| BOTAN_ASSERT_NOMSG(stuffer.full()); ------------------ | | 77| 76| do { \ | | 78| 76| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 76| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 76] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 76| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 76] | | ------------------ ------------------ 342| 76| return pk; 343| 76|} _ZN5Botan15Dilithium_Algos14expand_keypairENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEENS_18DilithiumConstantsE: 668| 79|DilithiumInternalKeypair expand_keypair(DilithiumSeedRandomness xi, DilithiumConstants mode) { 669| 79| if(xi.size() != DilithiumConstants::SEED_RANDOMNESS_BYTES) { ------------------ | Branch (669:7): [True: 3, False: 76] ------------------ 670| 3| throw Decoding_Error("Invalid ML-DSA seed size"); 671| 3| } 672| 76| const auto& sympriv = mode.symmetric_primitives(); 673| 76| CT::poison(xi); 674| | 675| 76| auto [rho, rhoprime, K] = sympriv.H(xi); 676| 76| CT::unpoison(rho); // rho is public (seed for the public matrix A) 677| | 678| 76| const auto A = Dilithium_Algos::expand_A(rho, mode); 679| 76| auto [s1, s2] = Dilithium_Algos::expand_s(rhoprime, mode); 680| 76| auto [t1, t0] = Dilithium_Algos::compute_t1_and_t0(A, s1, s2); 681| | 682| 76| CT::unpoison(t1); // part of the public key 683| | 684| 76| DilithiumInternalKeypair keypair{ 685| 76| std::make_shared(mode, std::move(rho), std::move(t1)), 686| 76| std::make_shared( 687| 76| std::move(mode), std::move(xi), std::move(K), std::move(s1), std::move(s2), std::move(t0)), 688| 76| }; 689| | 690| 76| CT::unpoison(*keypair.second); 691| | 692| 76| return keypair; 693| 79|} _ZN5Botan15Dilithium_Algos8expand_AENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERKNS_18DilithiumConstantsE: 701| 76|DilithiumPolyMatNTT expand_A(StrongSpan rho, const DilithiumConstants& mode) { 702| 76| DilithiumPolyMatNTT A(mode.k(), mode.l()); 703| 552| for(uint8_t r = 0; r < mode.k(); ++r) { ------------------ | Branch (703:23): [True: 476, False: 76] ------------------ 704| 3.16k| for(uint8_t s = 0; s < mode.l(); ++s) { ------------------ | Branch (704:26): [True: 2.68k, False: 476] ------------------ 705| 2.68k| sample_ntt_uniform(rho, A[r][s], load_le(std::array{s, r}), mode); 706| 2.68k| } 707| 476| } 708| 76| return A; 709| 76|} _ZN5Botan15Dilithium_Algos8expand_sENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEERKNS_18DilithiumConstantsE: 715| 76| const DilithiumConstants& mode) { 716| 76| auto result = std::make_pair(DilithiumPolyVec(mode.l()), DilithiumPolyVec(mode.k())); 717| 76| auto& [s1, s2] = result; 718| | 719| 76| uint16_t nonce = 0; 720| 412| for(auto& p : s1) { ------------------ | Branch (720:16): [True: 412, False: 76] ------------------ 721| 412| sample_uniform_eta(rhoprime, p, nonce++, mode); 722| 412| } 723| | 724| 476| for(auto& p : s2) { ------------------ | Branch (724:16): [True: 476, False: 76] ------------------ 725| 476| sample_uniform_eta(rhoprime, p, nonce++, mode); 726| 476| } 727| | 728| 76| return result; 729| 76|} _ZN5Botan15Dilithium_Algos11power2roundERKNS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS1_6DomainE0EEE: 752| 76|std::pair power2round(const DilithiumPolyVec& vec) { 753| | // This procedure is taken verbatim from Dilithium's reference implementation. 754| 76| auto power2round = [d = DilithiumConstants::D](int32_t r) -> std::pair { 755| 76| const int32_t r1 = (r + (1 << (d - 1)) - 1) >> d; 756| 76| const int32_t r0 = r - (r1 << d); 757| 76| return {r1, r0}; 758| 76| }; 759| | 760| 76| auto result = std::make_pair(DilithiumPolyVec(vec.size()), DilithiumPolyVec(vec.size())); 761| | 762| 552| for(size_t i = 0; i < vec.size(); ++i) { ------------------ | Branch (762:22): [True: 476, False: 76] ------------------ 763| 122k| for(size_t j = 0; j < vec[i].size(); ++j) { ------------------ | Branch (763:25): [True: 121k, False: 476] ------------------ 764| 121k| std::tie(result.first[i][j], result.second[i][j]) = power2round(vec[i][j]); 765| 121k| } 766| 476| } 767| | 768| 76| return result; 769| 76|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_112poly_pack_t1ERKNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS2_6DomainE0EEERNS_13BufferStufferE: 102| 476|void poly_pack_t1(const DilithiumPoly& p, BufferStuffer& stuffer) { 103| 476| constexpr auto b = (1 << (bitlen(DilithiumConstants::Q - 1) - DilithiumConstants::D)) - 1; 104| 476| poly_pack<0, b>(p, stuffer); 105| 476|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_19poly_packILi0ELi1023ETkNS_8CRYSTALS14crystals_traitENS_19DilithiumPolyTraitsELNS3_6DomainE0EEEvRKNS3_10PolynomialIT1_XT2_EEERNS_13BufferStufferE: 60| 476|constexpr void poly_pack(const CRYSTALS::Polynomial& p, BufferStuffer& stuffer) { 61| 476| if constexpr(a == 0) { 62| | // If `a` is 0, we assume SimpleBitPack (Algorithm 16) where the 63| | // coefficients are in the range [0, b]. 64| 476| CRYSTALS::pack(p, stuffer); 65| | } else { 66| | // Otherwise, for BitPack (Algorithm 17), we must map the coefficients to 67| | // positive values as they are in the range [-a, b]. 68| | CRYSTALS::pack(p, stuffer, map_range); 69| | } 70| 476|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_117compute_t1_and_t0ERKNS_8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEERKNS2_16PolynomialVectorIS4_LNS2_6DomainE0EEESC_: 315| 76| const DilithiumPolyVec& s2) { 316| 76| auto t_hat = A * ntt(s1.clone()); 317| 76| t_hat.reduce(); 318| 76| auto t = inverse_ntt(std::move(t_hat)); 319| 76| t += s2; 320| 76| t.conditional_add_q(); 321| | 322| 76| return Dilithium_Algos::power2round(t); 323| 76|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE1EEEtRKNS_18DilithiumConstantsE: 563| 2.68k| const DilithiumConstants& mode) { 564| | /** 565| | * A generator that returns the next coefficient sampled from the XOF, 566| | * according to: NIST FIPS 204, Algorithm 14 (CoeffFromThreeBytes). 567| | */ 568| 2.68k| auto xof = mode.symmetric_primitives().H(rho, nonce); 569| 2.68k| auto bounded_xof = Bounded_XOF(*xof); 570| | 571| 687k| for(auto& coeff : p) { ------------------ | Branch (571:20): [True: 687k, False: 2.68k] ------------------ 572| 687k| coeff = 573| 687k| bounded_xof.next<3>([](const auto bytes) { return make_uint32(0, bytes[2], bytes[1], bytes[0]) & 0x7FFFFF; }, 574| 687k| [](const uint32_t z) { return z < DilithiumConstants::Q; }); 575| 687k| } 576| | 577| 2.68k| BOTAN_DEBUG_ASSERT(p.ct_validate_value_range(0, DilithiumConstants::Q - 1)); ------------------ | | 130| 2.68k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.68k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.68k] | | ------------------ ------------------ 578| 2.68k|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE1EEEtRKNS_18DilithiumConstantsEENK3$_0clINS4_5arrayIhLm3EEEEEDaT_: 573| 687k| bounded_xof.next<3>([](const auto bytes) { return make_uint32(0, bytes[2], bytes[1], bytes[0]) & 0x7FFFFF; }, dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE1EEEtRKNS_18DilithiumConstantsEENK3$_1clEj: 574| 687k| [](const uint32_t z) { return z < DilithiumConstants::Q; }); dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE0EEEtRKNS_18DilithiumConstantsE: 641| 888| const DilithiumConstants& mode) { 642| 888| using Eta = DilithiumConstants::DilithiumEta; 643| | 644| 888| auto xof = mode.symmetric_primitives().H(rhoprime, nonce); 645| 888| switch(mode.eta()) { ------------------ | Branch (645:11): [True: 888, False: 0] ------------------ 646| 426| case Eta::_2: ------------------ | Branch (646:7): [True: 426, False: 462] ------------------ 647| 426| sample_uniform_eta(p, *xof); 648| 426| break; 649| 462| case Eta::_4: ------------------ | Branch (649:7): [True: 462, False: 426] ------------------ 650| 462| sample_uniform_eta(p, *xof); 651| 462| break; 652| 888| } 653| | 654| | // Rejection sampling is done. Secret polynomial can be repoisoned. 655| 888| CT::poison(p); 656| | 657| 888| BOTAN_DEBUG_ASSERT(p.ct_validate_value_range(-static_cast(mode.eta()), mode.eta())); ------------------ | | 130| 888| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 888| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 888] | | ------------------ ------------------ 658| 888|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE2EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFE: 604| 426|void sample_uniform_eta(DilithiumPoly& p, Botan::XOF& xof) { 605| | // A generator that returns the next coefficient sampled from the XOF. As the 606| | // sampling uses half-bytes, this keeps track of the additionally sampled 607| | // coefficient as needed. 608| 426| auto next_coeff = [bounded_xof = Bounded_XOF(xof), 609| 426| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 426| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { 611| 426| return *stashed; 612| 426| } 613| | 614| 426| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); 615| 426| while(true) { 616| 426| const auto b = bounded_xof.next_byte(); 617| 426| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 426| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 426| if(z0.has_value()) { 621| 426| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 426| return *z0; 623| 426| } else if(z1.has_value()) { 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 426| return *z1; 626| 426| } 627| 426| } 628| 426| }; 629| | 630| 109k| for(auto& coeff : p) { ------------------ | Branch (630:20): [True: 109k, False: 426] ------------------ 631| 109k| coeff = next_coeff(); 632| 109k| } 633| 426|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE2EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFEENUlvE_clEv: 609| 109k| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 109k| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { ------------------ | Branch (610:15): [True: 51.0k, False: 57.9k] ------------------ 611| 51.0k| return *stashed; 612| 51.0k| } 613| | 614| 57.9k| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); ------------------ | | 130| 57.9k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 57.9k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 57.9k] | | ------------------ ------------------ 615| 58.1k| while(true) { ------------------ | Branch (615:13): [True: 58.1k, Folded] ------------------ 616| 58.1k| const auto b = bounded_xof.next_byte(); 617| 58.1k| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 58.1k| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 58.1k| if(z0.has_value()) { ------------------ | Branch (620:13): [True: 54.5k, False: 3.59k] ------------------ 621| 54.5k| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 54.5k| return *z0; 623| 54.5k| } else if(z1.has_value()) { ------------------ | Branch (623:20): [True: 3.39k, False: 197] ------------------ 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 3.39k| return *z1; 626| 3.39k| } 627| 58.1k| } 628| 57.9k| }; dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_119coeff_from_halfbyteILNS_18DilithiumConstants12DilithiumEtaE2EEENSt3__18optionalIiEEh: 586| 116k|std::optional coeff_from_halfbyte(uint8_t b) { 587| 116k| BOTAN_DEBUG_ASSERT(b < 16); ------------------ | | 130| 116k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 116k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 116k] | | ------------------ ------------------ 588| | 589| 116k| if constexpr(eta == DilithiumConstants::DilithiumEta::_2) { 590| 116k| if(CT::driveby_unpoison(b < 15)) { ------------------ | Branch (590:10): [True: 109k, False: 7.05k] ------------------ 591| 109k| b = b - (205U * b >> 10) * 5; // b = b mod 5 592| 109k| return 2 - b; 593| 109k| } 594| | } else if constexpr(eta == DilithiumConstants::DilithiumEta::_4) { 595| | if(CT::driveby_unpoison(b < 9)) { 596| | return 4 - b; 597| | } 598| | } 599| | 600| 7.05k| return std::nullopt; 601| 116k|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE4EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFE: 604| 462|void sample_uniform_eta(DilithiumPoly& p, Botan::XOF& xof) { 605| | // A generator that returns the next coefficient sampled from the XOF. As the 606| | // sampling uses half-bytes, this keeps track of the additionally sampled 607| | // coefficient as needed. 608| 462| auto next_coeff = [bounded_xof = Bounded_XOF(xof), 609| 462| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 462| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { 611| 462| return *stashed; 612| 462| } 613| | 614| 462| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); 615| 462| while(true) { 616| 462| const auto b = bounded_xof.next_byte(); 617| 462| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 462| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 462| if(z0.has_value()) { 621| 462| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 462| return *z0; 623| 462| } else if(z1.has_value()) { 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 462| return *z1; 626| 462| } 627| 462| } 628| 462| }; 629| | 630| 118k| for(auto& coeff : p) { ------------------ | Branch (630:20): [True: 118k, False: 462] ------------------ 631| 118k| coeff = next_coeff(); 632| 118k| } 633| 462|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE4EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFEENUlvE_clEv: 609| 118k| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 118k| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { ------------------ | Branch (610:15): [True: 33.2k, False: 84.9k] ------------------ 611| 33.2k| return *stashed; 612| 33.2k| } 613| | 614| 84.9k| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); ------------------ | | 130| 84.9k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 84.9k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 84.9k] | | ------------------ ------------------ 615| 105k| while(true) { ------------------ | Branch (615:13): [True: 105k, Folded] ------------------ 616| 105k| const auto b = bounded_xof.next_byte(); 617| 105k| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 105k| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 105k| if(z0.has_value()) { ------------------ | Branch (620:13): [True: 59.3k, False: 46.0k] ------------------ 621| 59.3k| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 59.3k| return *z0; 623| 59.3k| } else if(z1.has_value()) { ------------------ | Branch (623:20): [True: 25.5k, False: 20.4k] ------------------ 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 25.5k| return *z1; 626| 25.5k| } 627| 105k| } 628| 84.9k| }; dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_119coeff_from_halfbyteILNS_18DilithiumConstants12DilithiumEtaE4EEENSt3__18optionalIiEEh: 586| 210k|std::optional coeff_from_halfbyte(uint8_t b) { 587| 210k| BOTAN_DEBUG_ASSERT(b < 16); ------------------ | | 130| 210k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 210k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 210k] | | ------------------ ------------------ 588| | 589| | if constexpr(eta == DilithiumConstants::DilithiumEta::_2) { 590| | if(CT::driveby_unpoison(b < 15)) { 591| | b = b - (205U * b >> 10) * 5; // b = b mod 5 592| | return 2 - b; 593| | } 594| 210k| } else if constexpr(eta == DilithiumConstants::DilithiumEta::_4) { 595| 210k| if(CT::driveby_unpoison(b < 9)) { ------------------ | Branch (595:10): [True: 118k, False: 92.4k] ------------------ 596| 118k| return 4 - b; 597| 118k| } 598| 210k| } 599| | 600| 92.4k| return std::nullopt; 601| 210k|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos11power2roundERKNS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS1_6DomainE0EEEENK3$_0clEi: 754| 121k| auto power2round = [d = DilithiumConstants::D](int32_t r) -> std::pair { 755| 121k| const int32_t r1 = (r + (1 << (d - 1)) - 1) >> d; 756| 121k| const int32_t r0 = r - (r1 << d); 757| 121k| return {r1, r0}; 758| 121k| }; _ZN5Botan18DilithiumConstantsD2Ev: 57| 541|DilithiumConstants::~DilithiumConstants() = default; _ZN5Botan18DilithiumConstantsC2ENS_13DilithiumModeE: 60| 155| m_mode(mode), 61| 155| m_public_key_hash_bytes(public_key_hash_size(m_mode)), 62| 155| m_commitment_hash_full_bytes(commitment_hash_full_size(m_mode)) { 63| 155| switch(m_mode.mode()) { 64| 0| case Botan::DilithiumMode::Dilithium4x4: ------------------ | Branch (64:7): [True: 0, False: 155] ------------------ 65| 0| case Botan::DilithiumMode::Dilithium4x4_AES: ------------------ | Branch (65:7): [True: 0, False: 155] ------------------ 66| 25| case Botan::DilithiumMode::ML_DSA_4x4: ------------------ | Branch (66:7): [True: 25, False: 130] ------------------ 67| 25| m_tau = DilithiumTau::_39; 68| 25| m_lambda = DilithiumLambda::_128; 69| 25| m_gamma1 = DilithiumGamma1::ToThe17th; 70| 25| m_gamma2 = DilithiumGamma2::Qminus1DividedBy88; 71| 25| m_k = 4; 72| 25| m_l = 4; 73| 25| m_eta = DilithiumEta::_2; 74| 25| m_beta = DilithiumBeta::_78; 75| 25| m_omega = DilithiumOmega::_80; 76| 25| break; 77| 0| case Botan::DilithiumMode::Dilithium6x5: ------------------ | Branch (77:7): [True: 0, False: 155] ------------------ 78| 0| case Botan::DilithiumMode::Dilithium6x5_AES: ------------------ | Branch (78:7): [True: 0, False: 155] ------------------ 79| 85| case Botan::DilithiumMode::ML_DSA_6x5: ------------------ | Branch (79:7): [True: 85, False: 70] ------------------ 80| 85| m_tau = DilithiumTau::_49; 81| 85| m_lambda = DilithiumLambda::_192; 82| 85| m_gamma1 = DilithiumGamma1::ToThe19th; 83| 85| m_gamma2 = DilithiumGamma2::Qminus1DividedBy32; 84| 85| m_k = 6; 85| 85| m_l = 5; 86| 85| m_eta = DilithiumEta::_4; 87| 85| m_beta = DilithiumBeta::_196; 88| 85| m_omega = DilithiumOmega::_55; 89| 85| break; 90| 0| case Botan::DilithiumMode::Dilithium8x7: ------------------ | Branch (90:7): [True: 0, False: 155] ------------------ 91| 0| case Botan::DilithiumMode::Dilithium8x7_AES: ------------------ | Branch (91:7): [True: 0, False: 155] ------------------ 92| 45| case Botan::DilithiumMode::ML_DSA_8x7: ------------------ | Branch (92:7): [True: 45, False: 110] ------------------ 93| 45| m_tau = DilithiumTau::_60; 94| 45| m_lambda = DilithiumLambda::_256; 95| 45| m_gamma1 = DilithiumGamma1::ToThe19th; 96| 45| m_gamma2 = DilithiumGamma2::Qminus1DividedBy32; 97| 45| m_k = 8; 98| 45| m_l = 7; 99| 45| m_eta = DilithiumEta::_2; 100| 45| m_beta = DilithiumBeta::_120; 101| 45| m_omega = DilithiumOmega::_75; 102| 45| break; 103| 0| default: ------------------ | Branch (103:7): [True: 0, False: 155] ------------------ 104| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 105| 155| } 106| | 107| 155| const auto s1_bytes = 32 * m_l * bitlen(2 * m_eta); 108| 155| const auto s2_bytes = 32 * m_k * bitlen(2 * m_eta); 109| 155| const auto t0_bytes = 32 * m_k * D; 110| 155| const auto t1_bytes = 32 * m_k * (bitlen(static_cast(Q) - 1) - D); 111| 155| const auto z_bytes = 32 * m_l * (1 + bitlen(m_gamma1 - 1)); 112| 155| const auto hint_bytes = m_omega + m_k; 113| | 114| 155| m_private_key_bytes = 115| 155| SEED_RHO_BYTES + SEED_SIGNING_KEY_BYTES + m_public_key_hash_bytes + s1_bytes + s2_bytes + t0_bytes; 116| 155| m_public_key_bytes = SEED_RHO_BYTES + t1_bytes; 117| 155| m_signature_bytes = m_commitment_hash_full_bytes + z_bytes + hint_bytes; 118| 155| m_serialized_commitment_bytes = 32 * m_k * bitlen(((Q - 1) / (2 * m_gamma2)) - 1); 119| | 120| 155| m_symmetric_primitives = Dilithium_Symmetric_Primitives_Base::create(*this); 121| 155| m_keypair_codec = Dilithium_Keypair_Codec::create(mode); 122| 155|} dilithium_constants.cpp:_ZN5Botan12_GLOBAL__N_120public_key_hash_sizeENS_13DilithiumModeE: 20| 155|uint32_t public_key_hash_size(DilithiumMode mode) { 21| 155| switch(mode.mode()) { ------------------ | Branch (21:11): [True: 155, False: 0] ------------------ 22| 25| case DilithiumMode::ML_DSA_4x4: ------------------ | Branch (22:7): [True: 25, False: 130] ------------------ 23| 110| case DilithiumMode::ML_DSA_6x5: ------------------ | Branch (23:7): [True: 85, False: 70] ------------------ 24| 155| case DilithiumMode::ML_DSA_8x7: ------------------ | Branch (24:7): [True: 45, False: 110] ------------------ 25| 155| return 64; 26| 0| case DilithiumMode::Dilithium4x4: ------------------ | Branch (26:7): [True: 0, False: 155] ------------------ 27| 0| case DilithiumMode::Dilithium4x4_AES: ------------------ | Branch (27:7): [True: 0, False: 155] ------------------ 28| 0| case DilithiumMode::Dilithium6x5: ------------------ | Branch (28:7): [True: 0, False: 155] ------------------ 29| 0| case DilithiumMode::Dilithium6x5_AES: ------------------ | Branch (29:7): [True: 0, False: 155] ------------------ 30| 0| case DilithiumMode::Dilithium8x7: ------------------ | Branch (30:7): [True: 0, False: 155] ------------------ 31| 0| case DilithiumMode::Dilithium8x7_AES: ------------------ | Branch (31:7): [True: 0, False: 155] ------------------ 32| 0| return 32; 33| 155| } 34| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 35| 0|} dilithium_constants.cpp:_ZN5Botan12_GLOBAL__N_125commitment_hash_full_sizeENS_13DilithiumModeE: 37| 155|uint32_t commitment_hash_full_size(DilithiumMode mode) { 38| 155| switch(mode.mode()) { ------------------ | Branch (38:11): [True: 155, False: 0] ------------------ 39| 0| case DilithiumMode::Dilithium4x4: ------------------ | Branch (39:7): [True: 0, False: 155] ------------------ 40| 0| case DilithiumMode::Dilithium4x4_AES: ------------------ | Branch (40:7): [True: 0, False: 155] ------------------ 41| 0| case DilithiumMode::Dilithium6x5: ------------------ | Branch (41:7): [True: 0, False: 155] ------------------ 42| 0| case DilithiumMode::Dilithium6x5_AES: ------------------ | Branch (42:7): [True: 0, False: 155] ------------------ 43| 0| case DilithiumMode::Dilithium8x7: ------------------ | Branch (43:7): [True: 0, False: 155] ------------------ 44| 0| case DilithiumMode::Dilithium8x7_AES: ------------------ | Branch (44:7): [True: 0, False: 155] ------------------ 45| 25| case DilithiumMode::ML_DSA_4x4: ------------------ | Branch (45:7): [True: 25, False: 130] ------------------ 46| 25| return 32; 47| 85| case DilithiumMode::ML_DSA_6x5: ------------------ | Branch (47:7): [True: 85, False: 70] ------------------ 48| 85| return 48; 49| 45| case DilithiumMode::ML_DSA_8x7: ------------------ | Branch (49:7): [True: 45, False: 110] ------------------ 50| 45| return 64; 51| 155| } 52| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 53| 0|} _ZN5Botan23Dilithium_Keypair_Codec6createENS_13DilithiumModeE: 22| 155|std::unique_ptr Dilithium_Keypair_Codec::create(DilithiumMode mode) { 23| 155|#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES) 24| 155| if(mode.is_dilithium_round3()) { ------------------ | Branch (24:7): [True: 0, False: 155] ------------------ 25| 0| return std::make_unique(); 26| 0| } 27| 155|#endif 28| | 29| 155|#if defined(BOTAN_HAS_ML_DSA) 30| 155| if(mode.is_ml_dsa()) { ------------------ | Branch (30:7): [True: 155, False: 0] ------------------ 31| 155| return std::make_unique(); 32| 155| } 33| 0|#endif 34| | 35| 0| throw Not_Implemented("requested ML-DSA/Dilithium mode is not implemented in this build"); 36| 155|} _ZN5Botan17DilithiumShakeXOFD2Ev: 13| 155|DilithiumShakeXOF::~DilithiumShakeXOF() = default; _ZN5Botan17DilithiumShakeXOF9createXOFENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEENS1_4spanIKhLm18446744073709551615EEEt: 18| 3.57k| uint16_t nonce) { 19| 3.57k| auto xof = Botan::XOF::create_or_throw(name); 20| 3.57k| xof->update(seed); 21| 3.57k| xof->update(store_le(nonce)); 22| 3.57k| return xof; 23| 3.57k|} _ZN5Botan35Dilithium_Symmetric_Primitives_BaseC2ERKNS_18DilithiumConstantsENSt3__110unique_ptrINS_12DilithiumXOFENS4_14default_deleteIS6_EEEE: 41| 155| m_commitment_hash_length_bytes(mode.commitment_hash_full_bytes()), 42| 155| m_public_key_hash_bytes(mode.public_key_hash_bytes()), 43| 155| m_mode(mode.mode()), 44| 155| m_xof_adapter(std::move(xof_adapter)) {} _ZN5Botan35Dilithium_Symmetric_Primitives_Base6createERKNS_18DilithiumConstantsE: 47| 155| const DilithiumConstants& mode) { 48| 155|#if defined(BOTAN_HAS_DILITHIUM) 49| 155| if(mode.is_modern() && !mode.is_ml_dsa()) { ------------------ | Branch (49:7): [True: 155, False: 0] | Branch (49:27): [True: 0, False: 155] ------------------ 50| 0| return std::make_unique(mode); 51| 0| } 52| 155|#endif 53| | 54| 155|#if defined(BOTAN_HAS_DILITHIUM_AES) 55| 155| if(mode.is_aes()) { ------------------ | Branch (55:7): [True: 0, False: 155] ------------------ 56| 0| return std::make_unique(mode); 57| 0| } 58| 155|#endif 59| | 60| 155|#if defined(BOTAN_HAS_ML_DSA) 61| 155| if(mode.is_ml_dsa()) { ------------------ | Branch (61:7): [True: 155, False: 0] ------------------ 62| 155| return std::make_unique(mode); 63| 155| } 64| 0|#endif 65| | 66| 0| throw Not_Implemented("requested ML-DSA/Dilithium mode is not implemented in this build"); 67| 155|} _ZNK5Botan30ML_DSA_Expanding_Keypair_Codec14decode_keypairENSt3__14spanIKhLm18446744073709551615EEENS_18DilithiumConstantsE: 23| 79| DilithiumConstants mode) const { 24| 79| return Dilithium_Algos::expand_keypair(DilithiumSeedRandomness(private_key_seed), std::move(mode)); 25| 79|} _ZN5Botan12DL_PublicKeyC2ERKNS_8DL_GroupERKNS_6BigIntE: 38| 46|DL_PublicKey::DL_PublicKey(const DL_Group& group, const BigInt& public_key) : m_group(group), m_public_key(public_key) { 39| | // The subgroup check (y^q == 1 mod p) is deferred to check_key() since it can be expensive 40| 46| BOTAN_ARG_CHECK(m_public_key > 1 && m_public_key < m_group.get_p(), "Invalid DL public key"); ------------------ | | 35| 46| do { \ | | 36| 46| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 92| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 46, False: 0] | | | Branch (37:12): [True: 46, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 46| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 46] | | ------------------ ------------------ 41| 46|} _ZN5Botan13DL_PrivateKeyC2ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEENS_15DL_Group_FormatE: 85| 229| m_group(alg_id.parameters(), format), 86| 229| m_private_key(check_dl_private_key_input(decode_single_bigint(key_bits), m_group)), 87| 229| m_public_key(m_group.power_g_p(m_private_key, m_private_key.bits())) {} _ZNK5Botan13DL_PrivateKey10public_keyEv: 101| 46|std::shared_ptr DL_PrivateKey::public_key() const { 102| 46| return std::make_shared(m_group, m_public_key); 103| 46|} dl_scheme.cpp:_ZN5Botan12_GLOBAL__N_120decode_single_bigintENSt3__14spanIKhLm18446744073709551615EEE: 17| 116|BigInt decode_single_bigint(std::span key_bits) { 18| 116| BigInt x; 19| 116| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(x).verify_end(); 20| 116| return x; 21| 116|} dl_scheme.cpp:_ZN5Botan12_GLOBAL__N_126check_dl_private_key_inputERKNS_6BigIntERKNS_8DL_GroupE: 31| 53|BigInt check_dl_private_key_input(const BigInt& x, const DL_Group& group) { 32| 53| BOTAN_ARG_CHECK(group.verify_private_element(x), "Invalid discrete logarithm private key value"); ------------------ | | 35| 53| do { \ | | 36| 53| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 53| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 7, False: 46] | | ------------------ | | 38| 7| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 7| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 7| } \ | | 41| 53| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 53] | | ------------------ ------------------ 33| 53| return x; 34| 53|} _ZN5Botan8DL_Group19DER_decode_DL_groupENSt3__14spanIKhLm18446744073709551615EEENS_15DL_Group_FormatENS_15DL_Group_SourceE: 170| 229| DL_Group_Source source) { 171| 229| BER_Decoder decoder(data, BER_Decoder::Limits::DER()); 172| 229| BER_Decoder inner = decoder.start_sequence(); 173| | 174| 229| if(format == DL_Group_Format::ANSI_X9_57) { ------------------ | Branch (174:7): [True: 118, False: 111] ------------------ 175| | /* 176| | This format is p, q, g with no additional data following 177| | */ 178| 118| BigInt p; 179| 118| BigInt q; 180| 118| BigInt g; 181| 118| inner.decode(p).decode(q).decode(g).verify_end(); 182| 118| return DL_Group_Data::create(p, q, g, source); 183| 118| } else if(format == DL_Group_Format::ANSI_X9_42) { ------------------ | Branch (183:14): [True: 100, False: 11] ------------------ 184| | /* 185| | This format is p, g, q with optional cofactor and seed following 186| | */ 187| 100| BigInt p; 188| 100| BigInt g; 189| 100| BigInt q; 190| 100| inner.decode(p).decode(g).decode(q).discard_remaining(); 191| 100| return DL_Group_Data::create(p, q, g, source); 192| 100| } else if(format == DL_Group_Format::PKCS_3) { ------------------ | Branch (192:14): [True: 0, False: 11] ------------------ 193| | /* 194| | This format is p, g followed by optional privateValueLength (recommended exponent size) 195| | */ 196| 0| BigInt p; 197| 0| BigInt g; 198| 0| inner.decode(p).decode(g).discard_remaining(); 199| 0| return DL_Group_Data::create(p, g, source); 200| 11| } else { 201| 11| throw Invalid_Argument("Unknown DL_Group encoding"); 202| 11| } 203| 229|} _ZNK5Botan8DL_Group4dataEv: 412| 330|const DL_Group_Data& DL_Group::data() const { 413| 330| if(m_data) { ------------------ | Branch (413:7): [True: 330, False: 0] ------------------ 414| 330| return *m_data; 415| 330| } 416| | 417| 0| throw Invalid_State("DL_Group uninitialized"); 418| 330|} _ZNK5Botan8DL_Group22verify_private_elementERKNS_6BigIntE: 437| 53|bool DL_Group::verify_private_element(const BigInt& x) const { 438| 53| const BigInt& p = get_p(); 439| 53| const BigInt& q = get_q(); 440| | 441| 53| if(x <= 1 || x >= p) { ------------------ | Branch (441:7): [True: 6, False: 47] | Branch (441:17): [True: 0, False: 47] ------------------ 442| 6| return false; 443| 6| } 444| | 445| 47| if(q > 0 && x > q) { ------------------ | Branch (445:7): [True: 47, False: 0] | Branch (445:16): [True: 1, False: 46] ------------------ 446| 1| return false; 447| 1| } 448| | 449| 46| return true; 450| 47|} _ZNK5Botan8DL_Group5get_pEv: 522| 99|const BigInt& DL_Group::get_p() const { 523| 99| return data().p(); 524| 99|} _ZNK5Botan8DL_Group5get_qEv: 536| 53|const BigInt& DL_Group::get_q() const { 537| 53| return data().q(); 538| 53|} _ZNK5Botan8DL_Group5has_qEv: 544| 44|bool DL_Group::has_q() const { 545| 44| return data().q_is_set(); 546| 44|} _ZNK5Botan8DL_Group6q_bitsEv: 556| 44|size_t DL_Group::q_bits() const { 557| 44| data().assert_q_is_set("q_bits"); 558| 44| return data().q_bits(); 559| 44|} _ZNK5Botan8DL_Group9power_g_pERKNS_6BigIntEm: 621| 46|BigInt DL_Group::power_g_p(const BigInt& x, size_t max_x_bits) const { 622| 46| return data().power_g_p(x, max_x_bits); 623| 46|} _ZN5Botan8DL_GroupC2ENSt3__14spanIKhLm18446744073709551615EEENS_15DL_Group_FormatE: 680| 229|DL_Group::DL_Group(std::span der, DL_Group_Format format) { 681| 229| m_data = DER_decode_DL_group(der, format, DL_Group_Source::ExternalSource); 682| 229|} _ZN5Botan13DL_Group_Data6createERKNS_6BigIntES3_S3_NS_15DL_Group_SourceE: 52| 216| DL_Group_Source source) { 53| 216| check_dl_group_params(p, q, g); 54| 216| return std::make_shared(p, q, g, source); 55| 216| } dl_group.cpp:_ZN5Botan12_GLOBAL__N_121check_dl_group_paramsERKNS_6BigIntES3_S3_: 38| 216|void check_dl_group_params(const BigInt& p, const BigInt& q, const BigInt& g) { 39| 216| check_dl_group_params(p, g); 40| 216| if(q.signum() <= 0 || q.is_even() || q.bits() >= p.bits()) { ------------------ | Branch (40:7): [True: 98, False: 118] | Branch (40:26): [True: 1, False: 117] | Branch (40:41): [True: 1, False: 116] ------------------ 41| 6| throw Decoding_Error("Invalid DL group subgroup order"); 42| 6| } 43| 216|} dl_group.cpp:_ZN5Botan12_GLOBAL__N_121check_dl_group_paramsERKNS_6BigIntES3_: 29| 216|void check_dl_group_params(const BigInt& p, const BigInt& g) { 30| 216| if(p.signum() <= 0 || p.is_even() || p.bits() < 3 || p.bits() > 16384) { ------------------ | Branch (30:7): [True: 2, False: 214] | Branch (30:26): [True: 1, False: 213] | Branch (30:41): [True: 1, False: 212] | Branch (30:57): [True: 0, False: 212] ------------------ 31| 4| throw Decoding_Error("Invalid DL group prime"); 32| 4| } 33| 212| if(g.signum() <= 0 || g < 2 || g >= p) { ------------------ | Branch (33:7): [True: 2, False: 210] | Branch (33:26): [True: 1, False: 209] | Branch (33:35): [True: 87, False: 122] ------------------ 34| 90| throw Decoding_Error("Invalid DL group generator"); 35| 90| } 36| 212|} _ZN5Botan13DL_Group_DataC2ERKNS_6BigIntES3_S3_NS_15DL_Group_SourceE: 65| 116| m_p(p), 66| 116| m_q(q), 67| 116| m_g(g), 68| 116| m_mod_p(Barrett_Reduction::for_public_modulus(p)), 69| 116| m_mod_q(Barrett_Reduction::for_public_modulus(q)), 70| 116| m_monty_params(m_p, m_mod_p), 71| 116| m_monty(monty_precompute(m_monty_params, m_g, /*window bits=*/4)), 72| 116| m_p_bits(p.bits()), 73| 116| m_q_bits(q.bits()), 74| | // For DL crypto in a prime-order subgroup, security is bounded by 75| | // both the NFS cost in Z_p* and Pollard rho in the q-order subgroup. 76| 116| m_estimated_strength(std::min(dl_work_factor(m_p_bits), m_q_bits / 2)), 77| 116| m_exponent_bits(dl_exponent_size(m_p_bits)), 78| 116| m_source(source) {} _ZN5Botan13DL_Group_DataD2Ev: 94| 116| ~DL_Group_Data() = default; _ZNK5Botan13DL_Group_Data1pEv: 101| 99| const BigInt& p() const { return m_p; } _ZNK5Botan13DL_Group_Data1qEv: 103| 53| const BigInt& q() const { return m_q; } _ZNK5Botan13DL_Group_Data8q_is_setEv: 142| 88| bool q_is_set() const { return m_q_bits > 0; } _ZNK5Botan13DL_Group_Data15assert_q_is_setENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 144| 44| void assert_q_is_set(std::string_view function) const { 145| 44| if(!q_is_set()) { ------------------ | Branch (145:13): [True: 0, False: 44] ------------------ 146| 0| throw Invalid_State(fmt("DL_Group::{}: q is not set for this group", function)); 147| 0| } 148| 44| } _ZNK5Botan13DL_Group_Data6q_bitsEv: 118| 44| size_t q_bits() const { return m_q_bits; } _ZNK5Botan13DL_Group_Data9power_g_pERKNS_6BigIntEm: 128| 46| BigInt power_g_p(const BigInt& k, size_t max_k_bits) const { 129| 46| return monty_execute(*m_monty, k, max_k_bits).value(); 130| 46| } _ZN5Botan14DSA_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 96| 128|DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id, std::span key_bits) { 97| 128| m_private_key = std::make_shared(alg_id, key_bits, DL_Group_Format::ANSI_X9_57); 98| 128| m_public_key = m_private_key->public_key(); 99| | 100| 128| check_dsa_group(m_private_key->group()); 101| 128|} dsa.cpp:_ZN5Botan12_GLOBAL__N_115check_dsa_groupERKNS_8DL_GroupE: 26| 44|void check_dsa_group(const DL_Group& group) { 27| 44| BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA"); ------------------ | | 35| 44| do { \ | | 36| 44| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 44| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 44] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 44| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 44] | | ------------------ ------------------ 28| | // All versions of FIPS 186 have required that Q be at least 160 bits 29| 44| BOTAN_ARG_CHECK(group.q_bits() >= 160, "DSA Q parameter must be at least 160 bits"); ------------------ | | 35| 44| do { \ | | 36| 44| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 44| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 44, False: 0] | | ------------------ | | 38| 44| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 44| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 44| } \ | | 41| 44| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 44] | | ------------------ ------------------ 30| 44|} _ZN5Botan14EC_AffinePointC2ENSt3__110unique_ptrINS_19EC_AffinePoint_DataENS1_14default_deleteIS3_EEEE: 16| 1.62k|EC_AffinePoint::EC_AffinePoint(std::unique_ptr point) : m_point(std::move(point)) { 17| 1.62k| BOTAN_ASSERT_NONNULL(m_point); ------------------ | | 116| 1.62k| do { \ | | 117| 1.62k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 1.62k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 1.62k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 1.62k] | | ------------------ ------------------ 18| 1.62k|} _ZN5Botan14EC_AffinePointC2EOS0_: 22| 3.25k|EC_AffinePoint::EC_AffinePoint(EC_AffinePoint&& other) noexcept : m_point(std::move(other.m_point)) {} _ZN5Botan14EC_AffinePointC2ERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 36| 871|EC_AffinePoint::EC_AffinePoint(const EC_Group& group, std::span bytes) { 37| 871| m_point = group._data()->point_deserialize(bytes); 38| 871| if(!m_point) { ------------------ | Branch (38:7): [True: 867, False: 4] ------------------ 39| 867| throw Decoding_Error("Failed to deserialize elliptic curve point"); 40| 867| } 41| 871|} _ZNK5Botan14EC_AffinePoint15to_legacy_pointEv: 45| 1.63k|EC_Point EC_AffinePoint::to_legacy_point() const { 46| 1.63k| return m_point->to_legacy_point(); 47| 1.63k|} _ZNK5Botan14EC_AffinePoint11is_identityEv: 114| 1.63k|bool EC_AffinePoint::is_identity() const { 115| 1.63k| return inner().is_identity(); 116| 1.63k|} _ZN5Botan14EC_AffinePointD2Ev: 148| 4.88k|EC_AffinePoint::~EC_AffinePoint() = default; _ZN5Botan14EC_AffinePoint5g_mulERKNS_9EC_ScalarERNS_21RandomNumberGeneratorE: 158| 1.62k|EC_AffinePoint EC_AffinePoint::g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng) { 159| 1.62k| auto pt = scalar._inner().group()->point_g_mul(scalar.inner(), rng); 160| 1.62k| return EC_AffinePoint(std::move(pt)); 161| 1.62k|} _ZN5Botan8EC_Group13ec_group_dataEv: 231| 10.4k|EC_Group_Data_Map& EC_Group::ec_group_data() { 232| | /* 233| | * This exists purely to ensure the allocator is constructed before g_ec_data, 234| | * which ensures that its destructor runs after ~g_ec_data is complete. 235| | */ 236| | 237| 10.4k| static const Allocator_Initializer g_init_allocator; 238| 10.4k| static EC_Group_Data_Map g_ec_data; 239| 10.4k| return g_ec_data; 240| 10.4k|} _ZN5Botan8EC_Group27clear_registered_curve_dataEv: 243| 6.94k|size_t EC_Group::clear_registered_curve_data() { 244| 6.94k| return ec_group_data().clear(); 245| 6.94k|} _ZN5Botan8EC_Group18load_EC_group_infoEPKcS2_S2_S2_S2_S2_RKNS_3OIDE: 254| 2.60k| const OID& oid) { 255| 2.60k| BOTAN_ARG_CHECK(oid.has_value(), "EC_Group::load_EC_group_info OID must be set"); ------------------ | | 35| 2.60k| do { \ | | 36| 2.60k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.60k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.60k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.60k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.60k] | | ------------------ ------------------ 256| | 257| 2.60k| const BigInt p(p_str); 258| 2.60k| const BigInt a(a_str); 259| 2.60k| const BigInt b(b_str); 260| 2.60k| const BigInt g_x(g_x_str); 261| 2.60k| const BigInt g_y(g_y_str); 262| 2.60k| const BigInt order(order_str); 263| 2.60k| const BigInt cofactor(1); // implicit 264| | 265| 2.60k| return EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, oid, EC_Group_Source::Builtin); 266| 2.60k|} _ZN5Botan8EC_Group19DER_decode_EC_groupENSt3__14spanIKhLm18446744073709551615EEENS_15EC_Group_SourceE: 270| 3.66k| EC_Group_Source source) { 271| 3.66k| BER_Decoder dec(der, BER_Decoder::Limits::DER()); 272| | 273| 3.66k| auto next_obj_type = dec.peek_next_object().type_tag(); 274| | 275| 3.66k| if(next_obj_type == ASN1_Type::ObjectId) { ------------------ | Branch (275:7): [True: 2.53k, False: 1.13k] ------------------ 276| 2.53k| OID oid; 277| 2.53k| dec.decode(oid); 278| | 279| 2.53k| auto data = ec_group_data().lookup(oid); 280| 2.53k| if(!data) { ------------------ | Branch (280:10): [True: 115, False: 2.41k] ------------------ 281| 115| throw Decoding_Error(fmt("Unknown namedCurve OID '{}'", oid.to_string())); 282| 115| } 283| | 284| 2.41k| return std::make_pair(data, false); 285| 2.53k| } else if(next_obj_type == ASN1_Type::Sequence) { ------------------ | Branch (285:14): [True: 1.08k, False: 51] ------------------ 286| 1.08k| BigInt p; 287| 1.08k| BigInt a; 288| 1.08k| BigInt b; 289| 1.08k| BigInt order; 290| 1.08k| BigInt cofactor; 291| 1.08k| std::vector base_pt; 292| 1.08k| std::vector seed; 293| | 294| 1.08k| dec.start_sequence() 295| 1.08k| .decode_and_check(1, "Unknown ECC param version code") 296| 1.08k| .start_sequence() 297| 1.08k| .decode_and_check(OID({1, 2, 840, 10045, 1, 1}), "Only prime ECC fields supported") 298| 1.08k| .decode(p) 299| 1.08k| .end_cons() 300| 1.08k| .start_sequence() 301| 1.08k| .decode_octet_string_bigint(a) 302| 1.08k| .decode_octet_string_bigint(b) 303| 1.08k| .decode_optional_string(seed, ASN1_Type::BitString, ASN1_Type::BitString, ASN1_Class::Universal) 304| 1.08k| .end_cons() 305| 1.08k| .decode(base_pt, ASN1_Type::OctetString) 306| 1.08k| .decode(order) 307| 1.08k| .decode(cofactor) 308| 1.08k| .end_cons() 309| 1.08k| .verify_end(); 310| | 311| | // TODO(Botan4) Require cofactor == 1 312| 1.08k| if(cofactor <= 0 || cofactor >= 16) { ------------------ | Branch (312:10): [True: 66, False: 1.01k] | Branch (312:27): [True: 1, False: 1.01k] ------------------ 313| 3| throw Decoding_Error("Invalid ECC cofactor parameter"); 314| 3| } 315| | 316| 1.07k| if(p.bits() < 112 || p.bits() > 521 || p.signum() < 0) { ------------------ | Branch (316:10): [True: 64, False: 1.01k] | Branch (316:28): [True: 1, False: 1.01k] | Branch (316:46): [True: 2, False: 1.01k] ------------------ 317| 3| throw Decoding_Error("ECC p parameter is invalid size"); 318| 3| } 319| | 320| | // A can be zero 321| 1.07k| if(a.signum() < 0 || a >= p) { ------------------ | Branch (321:10): [True: 64, False: 1.01k] | Branch (321:28): [True: 3, False: 1.00k] ------------------ 322| 3| throw Decoding_Error("Invalid ECC a parameter"); 323| 3| } 324| | 325| | // B must be > 0 326| 1.07k| if(b.signum() <= 0 || b >= p) { ------------------ | Branch (326:10): [True: 64, False: 1.00k] | Branch (326:29): [True: 1, False: 1.00k] ------------------ 327| 1| throw Decoding_Error("Invalid ECC b parameter"); 328| 1| } 329| | 330| 1.07k| if(order.signum() <= 0 || order >= 2 * p) { ------------------ | Branch (330:10): [True: 68, False: 1.00k] | Branch (330:10): [True: 5, False: 1.06k] | Branch (330:33): [True: 1, False: 1.00k] ------------------ 331| 5| throw Decoding_Error("Invalid ECC group order"); 332| 5| } 333| | 334| 1.06k| if(auto data = ec_group_data().lookup_from_params(p, a, b, base_pt, order, cofactor)) { ------------------ | Branch (334:15): [True: 77, False: 989] ------------------ 335| 77| return std::make_pair(data, true); 336| 77| } 337| | 338| | /* 339| | TODO(Botan4) the remaining code is used only to handle the case of decoding an EC_Group 340| | which is neither a builtin group nor a group that was registered by the application. 341| | It can all be removed and replaced with a throw 342| | */ 343| | 344| 989| auto mod_p = Barrett_Reduction::for_public_modulus(p); 345| 989| if(!is_bailie_psw_probable_prime(p, mod_p)) { ------------------ | Branch (345:10): [True: 381, False: 608] ------------------ 346| 381| throw Decoding_Error("ECC p parameter is not a prime"); 347| 381| } 348| | 349| 608| auto mod_order = Barrett_Reduction::for_public_modulus(order); 350| 608| if(!is_bailie_psw_probable_prime(order, mod_order)) { ------------------ | Branch (350:10): [True: 235, False: 373] ------------------ 351| 235| throw Decoding_Error("Invalid ECC order parameter"); 352| 235| } 353| | 354| 373| const size_t p_bytes = p.bytes(); 355| 373| if(base_pt.size() != 1 + p_bytes && base_pt.size() != 1 + 2 * p_bytes) { ------------------ | Branch (355:10): [True: 304, False: 69] | Branch (355:43): [True: 42, False: 262] ------------------ 356| 42| throw Decoding_Error("Invalid ECC base point encoding"); 357| 42| } 358| | 359| 331| auto [g_x, g_y] = [&]() { 360| 331| const uint8_t hdr = base_pt[0]; 361| | 362| 331| if(hdr == 0x04 && base_pt.size() == 1 + 2 * p_bytes) { 363| 331| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 364| 331| const BigInt y = BigInt::from_bytes(std::span{base_pt}.subspan(1 + p_bytes, p_bytes)); 365| | 366| 331| if(x < p && y < p) { 367| 331| return std::make_pair(x, y); 368| 331| } 369| 331| } else if((hdr == 0x02 || hdr == 0x03) && base_pt.size() == 1 + p_bytes) { 370| | // TODO(Botan4) remove this branch; we won't support compressed points 371| 331| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 372| 331| BigInt y = sqrt_modulo_prime(((x * x + a) * x + b) % p, p); 373| | 374| 331| if(x < p && y >= 0) { 375| 331| const bool y_mod_2 = (hdr & 0x01) == 1; 376| 331| if(y.get_bit(0) != y_mod_2) { 377| 331| y = p - y; 378| 331| } 379| | 380| 331| return std::make_pair(x, y); 381| 331| } 382| 331| } 383| | 384| 331| throw Decoding_Error("Invalid ECC base point encoding"); 385| 331| }(); 386| | 387| | // TODO(Botan4) we can remove this check since we'll only accept pre-registered groups 388| 331| auto y2 = mod_p.square(g_y); 389| 331| auto x3_ax_b = mod_p.reduce(mod_p.cube(g_x) + mod_p.multiply(a, g_x) + b); 390| 331| if(y2 != x3_ax_b) { ------------------ | Branch (390:10): [True: 105, False: 226] ------------------ 391| 105| throw Decoding_Error("Invalid ECC base point"); 392| 105| } 393| | 394| | /* 395| | * Create the group data without registering it in the global map. 396| | * 397| | * Applications that need persistent custom groups should register them 398| | * via the relevant EC_Group constructor 399| | */ 400| 226| auto data = EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, OID(), source); 401| 226| return std::make_pair(data, true); 402| 331| } else if(next_obj_type == ASN1_Type::Null) { ------------------ | Branch (402:14): [True: 1, False: 50] ------------------ 403| 1| throw Decoding_Error("Decoding ImplicitCA ECC parameters is not supported"); 404| 50| } else { 405| 50| throw Decoding_Error( 406| 50| fmt("Unexpected tag {} while decoding ECC domain params", asn1_tag_to_string(next_obj_type))); 407| 50| } 408| 3.66k|} _ZN5Botan8EC_GroupD2Ev: 412| 11.7k|EC_Group::~EC_Group() = default; _ZN5Botan8EC_GroupC2ERKS0_: 414| 5.01k|EC_Group::EC_Group(const EC_Group&) = default; _ZN5Botan8EC_GroupC2ENSt3__14spanIKhLm18446744073709551615EEE: 636| 3.66k|EC_Group::EC_Group(std::span der) { 637| 3.66k| auto data = DER_decode_EC_group(der, EC_Group_Source::ExternalSource); 638| 3.66k| m_data = data.first; 639| 3.66k| m_explicit_encoding = data.second; 640| 3.66k|} _ZNK5Botan8EC_Group4dataEv: 647| 6.23k|const EC_Group_Data& EC_Group::data() const { 648| 6.23k| if(m_data == nullptr) { ------------------ | Branch (648:7): [True: 0, False: 6.23k] ------------------ 649| 0| throw Invalid_State("EC_Group uninitialized"); 650| 0| } 651| 6.23k| return *m_data; 652| 6.23k|} _ZNK5Botan8EC_Group15get_order_bytesEv: 666| 4.60k|size_t EC_Group::get_order_bytes() const { 667| 4.60k| return data().order_bytes(); 668| 4.60k|} _ZNK5Botan8EC_Group13get_curve_oidEv: 738| 1.63k|const OID& EC_Group::get_curve_oid() const { 739| 1.63k| return data().oid(); 740| 1.63k|} _ZN5Botan17EC_Group_Data_Map5clearEv: 31| 6.94k| size_t clear() { 32| 6.94k| const lock_guard_type lock(m_mutex); 33| 6.94k| const size_t count = m_registered_curves.size(); 34| 6.94k| m_registered_curves.clear(); 35| 6.94k| return count; 36| 6.94k| } _ZN5Botan17EC_Group_Data_Map6lookupERKNS_3OIDE: 54| 2.53k| std::shared_ptr lookup(const OID& oid) { 55| 2.53k| const lock_guard_type lock(m_mutex); 56| | 57| 2.53k| for(auto i : m_registered_curves) { ------------------ | Branch (57:21): [True: 0, False: 2.53k] ------------------ 58| 0| if(i->oid() == oid) { ------------------ | Branch (58:16): [True: 0, False: 0] ------------------ 59| 0| return i; 60| 0| } 61| 0| } 62| | 63| | // Not found, check hardcoded data 64| 2.53k| std::shared_ptr data = EC_Group::EC_group_info(oid); 65| | 66| 2.53k| if(data) { ------------------ | Branch (66:13): [True: 2.41k, False: 115] ------------------ 67| | // The requested OID may be an alias for a curve whose canonical OID differs 68| | // TODO(Botan4) remove this once we require exactly one canonical OID per curve 69| 2.41k| if(data->oid() != oid) { ------------------ | Branch (69:16): [True: 0, False: 2.41k] ------------------ 70| 0| for(const auto& i : m_registered_curves) { ------------------ | Branch (70:34): [True: 0, False: 0] ------------------ 71| 0| if(i->oid() == data->oid()) { ------------------ | Branch (71:22): [True: 0, False: 0] ------------------ 72| 0| return i; 73| 0| } 74| 0| } 75| 0| } 76| | 77| 2.41k| m_registered_curves.push_back(data); 78| 2.41k| return data; 79| 2.41k| } 80| | 81| | // Nope, unknown curve 82| 115| return std::shared_ptr(); 83| 2.53k| } _ZN5Botan17EC_Group_Data_Map18lookup_from_paramsERKNS_6BigIntES3_S3_NSt3__14spanIKhLm18446744073709551615EEES3_S3_: 159| 1.00k| const BigInt& cofactor) { 160| 1.00k| const lock_guard_type lock(m_mutex); 161| | 162| 1.00k| for(auto i : m_registered_curves) { ------------------ | Branch (162:21): [True: 0, False: 1.00k] ------------------ 163| 0| if(i->params_match(p, a, b, base_pt, order, cofactor)) { ------------------ | Branch (163:16): [True: 0, False: 0] ------------------ 164| 0| return i; 165| 0| } 166| 0| } 167| | 168| | // Try to use the order as a hint to look up the group id 169| 1.00k| const OID oid_from_order = EC_Group::EC_group_identity_from_order(order); 170| 1.00k| if(oid_from_order.has_value()) { ------------------ | Branch (170:13): [True: 184, False: 818] ------------------ 171| 184| auto new_group = EC_Group::EC_group_info(oid_from_order); 172| | 173| | // Have to check all params in the (unlikely/malicious) event of an order collision 174| 184| if(new_group && new_group->params_match(p, a, b, base_pt, order, cofactor)) { ------------------ | Branch (174:16): [True: 184, False: 0] | Branch (174:29): [True: 77, False: 107] ------------------ 175| 77| m_registered_curves.push_back(new_group); 176| 77| return new_group; 177| 77| } 178| 184| } 179| | 180| 925| return {}; 181| 1.00k| } ec_group.cpp:_ZZN5Botan8EC_Group19DER_decode_EC_groupENSt3__14spanIKhLm18446744073709551615EEENS_15EC_Group_SourceEENK3$_0clEv: 359| 262| auto [g_x, g_y] = [&]() { 360| 262| const uint8_t hdr = base_pt[0]; 361| | 362| 262| if(hdr == 0x04 && base_pt.size() == 1 + 2 * p_bytes) { ------------------ | Branch (362:13): [True: 249, False: 13] | Branch (362:28): [True: 249, False: 0] ------------------ 363| 249| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 364| 249| const BigInt y = BigInt::from_bytes(std::span{base_pt}.subspan(1 + p_bytes, p_bytes)); 365| | 366| 249| if(x < p && y < p) { ------------------ | Branch (366:16): [True: 246, False: 3] | Branch (366:25): [True: 233, False: 13] ------------------ 367| 233| return std::make_pair(x, y); 368| 233| } 369| 249| } else if((hdr == 0x02 || hdr == 0x03) && base_pt.size() == 1 + p_bytes) { ------------------ | Branch (369:21): [True: 2, False: 11] | Branch (369:36): [True: 1, False: 10] | Branch (369:52): [True: 0, False: 3] ------------------ 370| | // TODO(Botan4) remove this branch; we won't support compressed points 371| 0| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 372| 0| BigInt y = sqrt_modulo_prime(((x * x + a) * x + b) % p, p); 373| | 374| 0| if(x < p && y >= 0) { ------------------ | Branch (374:16): [True: 0, False: 0] | Branch (374:25): [True: 0, False: 0] ------------------ 375| 0| const bool y_mod_2 = (hdr & 0x01) == 1; 376| 0| if(y.get_bit(0) != y_mod_2) { ------------------ | Branch (376:19): [True: 0, False: 0] ------------------ 377| 0| y = p - y; 378| 0| } 379| | 380| 0| return std::make_pair(x, y); 381| 0| } 382| 0| } 383| | 384| 29| throw Decoding_Error("Invalid ECC base point encoding"); 385| 262| }(); _ZN5Botan13EC_Group_DataD2Ev: 27| 2.72k|EC_Group_Data::~EC_Group_Data() = default; _ZN5Botan13EC_Group_DataC2ERKNS_6BigIntES3_S3_S3_S3_S3_S3_RKNS_3OIDENS_15EC_Group_SourceE: 39| 2.72k| m_p(p), 40| 2.72k| m_a(a), 41| 2.72k| m_b(b), 42| 2.72k| m_g_x(g_x), 43| 2.72k| m_g_y(g_y), 44| 2.72k| m_order(order), 45| 2.72k| m_cofactor(cofactor), 46| |#if defined(BOTAN_HAS_LEGACY_EC_POINT) 47| 2.72k| m_mod_field(Barrett_Reduction::for_public_modulus(p)), 48| 2.72k| m_mod_order(Barrett_Reduction::for_public_modulus(order)), 49| 2.72k| m_monty(m_p, m_mod_field), 50| |#endif 51| 2.72k| m_oid(oid), 52| 2.72k| m_p_words(p.sig_words()), 53| 2.72k| m_p_bits(p.bits()), 54| 2.72k| m_order_bits(order.bits()), 55| 2.72k| m_order_bytes((m_order_bits + 7) / 8), 56| 2.72k| m_a_is_minus_3(a == p - 3), 57| 2.72k| m_a_is_zero(a.is_zero()), 58| 2.72k| m_has_cofactor(m_cofactor != 1), 59| 2.72k| m_order_is_less_than_p(m_order < p), 60| 2.72k| m_source(source) { 61| | // Verify the generator (x, y) satisfies y^2 = x^3 + a*x + b (mod p) 62| 2.72k| auto mod_p = Barrett_Reduction::for_public_modulus(p); 63| 2.72k| const BigInt y2 = mod_p.square(g_y); 64| 2.72k| const BigInt x3_ax_b = mod_p.reduce(mod_p.cube(g_x) + mod_p.multiply(a, g_x) + b); 65| 2.72k| if(y2 != x3_ax_b) { ------------------ | Branch (65:7): [True: 0, False: 2.72k] ------------------ 66| 0| throw Invalid_Argument("EC_Group generator is not on the curve"); 67| 0| } 68| | 69| | // TODO(Botan4) we can assume/assert the OID is set 70| 2.72k| if(!m_oid.empty()) { ------------------ | Branch (70:7): [True: 2.60k, False: 128] ------------------ 71| 2.60k| DER_Encoder der(m_der_named_curve); 72| 2.60k| der.encode(m_oid); 73| | 74| 2.60k| const std::string name = m_oid.human_name_or_empty(); 75| 2.60k| if(!name.empty()) { ------------------ | Branch (75:10): [True: 2.60k, False: 0] ------------------ 76| | // returns nullptr if unknown or not supported 77| 2.60k| m_pcurve = PCurve::PrimeOrderCurve::for_named_curve(name); 78| 2.60k| } 79| 2.60k| if(m_pcurve) { ------------------ | Branch (79:10): [True: 1.68k, False: 918] ------------------ 80| 1.68k| m_engine = EC_Group_Engine::Optimized; 81| 1.68k| } 82| 2.60k| } 83| | 84| | // Try a generic pcurves instance 85| 2.72k| if(!m_pcurve && !m_has_cofactor) { ------------------ | Branch (85:7): [True: 1.04k, False: 1.68k] | Branch (85:20): [True: 980, False: 66] ------------------ 86| 980| m_pcurve = PCurve::PrimeOrderCurve::from_params(p, a, b, g_x, g_y, order); 87| 980| if(m_pcurve) { ------------------ | Branch (87:10): [True: 456, False: 524] ------------------ 88| 456| m_engine = EC_Group_Engine::Generic; 89| 456| } 90| | // possibly still null here, if parameters unsuitable or if the 91| | // pcurves_generic module wasn't included in the build 92| 980| } 93| | 94| 2.72k|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 95| 2.72k| secure_vector ws; 96| 2.72k| m_a_r = m_monty.mul(a, m_monty.R2(), ws); 97| 2.72k| m_b_r = m_monty.mul(b, m_monty.R2(), ws); 98| 2.72k| if(!m_pcurve) { ------------------ | Branch (98:7): [True: 590, False: 2.13k] ------------------ 99| 590| m_engine = EC_Group_Engine::Legacy; 100| 590| } 101| |#else 102| | if(!m_pcurve) { 103| | if(m_oid.empty()) { 104| | throw Not_Implemented("EC_Group this group is not supported in this build configuration"); 105| | } else { 106| | throw Not_Implemented( 107| | fmt("EC_Group the group {} is not supported in this build configuration", oid.to_string())); 108| | } 109| | } 110| |#endif 111| 2.72k|} _ZN5Botan13EC_Group_Data6createERKNS_6BigIntES3_S3_S3_S3_S3_S3_RKNS_3OIDENS_15EC_Group_SourceE: 121| 2.72k| EC_Group_Source source) { 122| 2.72k| auto group = std::make_shared(p, a, b, g_x, g_y, order, cofactor, oid, source); 123| | 124| 2.72k|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 125| 2.72k| group->m_curve = CurveGFp(group.get()); 126| 2.72k| group->m_base_point = EC_Point(group->m_curve, g_x, g_y); 127| 2.72k| if(!group->m_pcurve) { ------------------ | Branch (127:7): [True: 590, False: 2.13k] ------------------ 128| 590| group->m_base_mult = std::make_unique(group->m_base_point, group->m_mod_order); 129| 590| } 130| 2.72k|#endif 131| | 132| 2.72k| return group; 133| 2.72k|} _ZNK5Botan13EC_Group_Data12params_matchERKNS_6BigIntES3_S3_NSt3__14spanIKhLm18446744073709551615EEES3_S3_: 172| 184| const BigInt& cofactor) const { 173| 184| if(p != this->p()) { ------------------ | Branch (173:7): [True: 8, False: 176] ------------------ 174| 8| return false; 175| 8| } 176| 176| if(a != this->a()) { ------------------ | Branch (176:7): [True: 4, False: 172] ------------------ 177| 4| return false; 178| 4| } 179| 172| if(b != this->b()) { ------------------ | Branch (179:7): [True: 2, False: 170] ------------------ 180| 2| return false; 181| 2| } 182| 170| if(order != this->order()) { ------------------ | Branch (182:7): [True: 0, False: 170] ------------------ 183| 0| return false; 184| 0| } 185| 170| if(cofactor != this->cofactor()) { ------------------ | Branch (185:7): [True: 22, False: 148] ------------------ 186| 22| return false; 187| 22| } 188| | 189| 148| const size_t field_len = this->p_bytes(); 190| | 191| 148| if(base_pt.size() == 1 + field_len && (base_pt[0] == 0x02 || base_pt[0] == 0x03)) { ------------------ | Branch (191:7): [True: 0, False: 148] | Branch (191:43): [True: 0, False: 0] | Branch (191:65): [True: 0, False: 0] ------------------ 192| | // compressed 193| | 194| 0| const auto g_x = m_g_x.serialize(field_len); 195| 0| const auto g_y = m_g_y.is_odd(); 196| | 197| 0| const auto sec1_x = base_pt.subspan(1, field_len); 198| 0| const bool sec1_y = (base_pt[0] == 0x03); 199| | 200| 0| if(!std::ranges::equal(sec1_x, g_x)) { ------------------ | Branch (200:10): [True: 0, False: 0] ------------------ 201| 0| return false; 202| 0| } 203| | 204| 0| if(sec1_y != g_y) { ------------------ | Branch (204:10): [True: 0, False: 0] ------------------ 205| 0| return false; 206| 0| } 207| | 208| 0| return true; 209| 148| } else if(base_pt.size() == 1 + 2 * field_len && base_pt[0] == 0x04) { ------------------ | Branch (209:14): [True: 148, False: 0] | Branch (209:53): [True: 143, False: 5] ------------------ 210| 143| const auto g_x = m_g_x.serialize(field_len); 211| 143| const auto g_y = m_g_y.serialize(field_len); 212| | 213| 143| const auto sec1_x = base_pt.subspan(1, field_len); 214| 143| const auto sec1_y = base_pt.subspan(1 + field_len, field_len); 215| | 216| 143| if(!std::ranges::equal(sec1_x, g_x)) { ------------------ | Branch (216:10): [True: 45, False: 98] ------------------ 217| 45| return false; 218| 45| } 219| | 220| 98| if(!std::ranges::equal(sec1_y, g_y)) { ------------------ | Branch (220:10): [True: 21, False: 77] ------------------ 221| 21| return false; 222| 21| } 223| | 224| 77| return true; 225| 98| } else { 226| 5| throw Decoding_Error("Invalid base point encoding in explicit group"); 227| 5| } 228| 148|} _ZNK5Botan13EC_Group_Data18scalar_deserializeENSt3__14spanIKhLm18446744073709551615EEE: 358| 2.51k|std::unique_ptr EC_Group_Data::scalar_deserialize(std::span bytes) const { 359| 2.51k| if(bytes.size() != m_order_bytes) { ------------------ | Branch (359:7): [True: 2, False: 2.51k] ------------------ 360| 2| return nullptr; 361| 2| } 362| | 363| 2.51k| if(m_pcurve) { ------------------ | Branch (363:7): [True: 1.96k, False: 556] ------------------ 364| 1.96k| if(auto s = m_pcurve->deserialize_scalar(bytes)) { ------------------ | Branch (364:15): [True: 1.94k, False: 17] ------------------ 365| 1.94k| return std::make_unique(shared_from_this(), *s); 366| 1.94k| } else { 367| 17| return nullptr; 368| 17| } 369| 1.96k| } else { 370| 556|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 371| 556| BigInt r(bytes); 372| | 373| 556| if(r.is_zero() || r >= m_order) { ------------------ | Branch (373:10): [True: 1, False: 555] | Branch (373:25): [True: 1, False: 554] ------------------ 374| 2| return nullptr; 375| 2| } 376| | 377| 554| return std::make_unique(shared_from_this(), std::move(r)); 378| |#else 379| | throw Not_Implemented("Legacy EC interfaces disabled in this build configuration"); 380| |#endif 381| 556| } 382| 2.51k|} _ZNK5Botan13EC_Group_Data17point_deserializeENSt3__14spanIKhLm18446744073709551615EEE: 384| 1.00k|std::unique_ptr EC_Group_Data::point_deserialize(std::span bytes) const { 385| | // The deprecated "hybrid" point format 386| | // TODO(Botan4) remove this 387| 1.00k| if(bytes.size() >= 1 + 2 * 4 && (bytes[0] == 0x06 || bytes[0] == 0x07)) { ------------------ | Branch (387:7): [True: 1.00k, False: 0] | Branch (387:37): [True: 58, False: 942] | Branch (387:57): [True: 563, False: 379] ------------------ 388| 621| const bool hdr_y_is_even = bytes[0] == 0x06; 389| 621| const bool y_is_even = (bytes.back() & 0x01) == 0; 390| | 391| 621| if(hdr_y_is_even == y_is_even) { ------------------ | Branch (391:10): [True: 129, False: 492] ------------------ 392| 129| std::vector sec1(bytes.begin(), bytes.end()); 393| 129| sec1[0] = 0x04; 394| 129| return this->point_deserialize(sec1); 395| 129| } 396| 621| } 397| | 398| 871| try { 399| 871| if(m_pcurve) { ------------------ | Branch (399:10): [True: 380, False: 491] ------------------ 400| 380| if(auto pt = m_pcurve->deserialize_point(bytes)) { ------------------ | Branch (400:18): [True: 3, False: 377] ------------------ 401| 3| return std::make_unique(shared_from_this(), std::move(*pt)); 402| 377| } else { 403| 377| return {}; 404| 377| } 405| 491| } else { 406| 491|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 407| 491| auto pt = Botan::OS2ECP(bytes, m_curve); 408| 491| return std::make_unique(shared_from_this(), std::move(pt)); 409| |#else 410| | throw Not_Implemented("Legacy EC interfaces disabled in this build configuration"); 411| |#endif 412| 491| } 413| 871| } catch(...) { 414| 490| return {}; 415| 490| } 416| 871|} _ZNK5Botan13EC_Group_Data11point_g_mulERKNS_14EC_Scalar_DataERNS_21RandomNumberGeneratorE: 466| 1.62k| RandomNumberGenerator& rng) const { 467| 1.62k| if(m_pcurve) { ------------------ | Branch (467:7): [True: 1.56k, False: 63] ------------------ 468| 1.56k| const auto& k = EC_Scalar_Data_PC::checked_ref(scalar); 469| 1.56k| auto pt = m_pcurve->point_to_affine(m_pcurve->mul_by_g(k.value(), rng)); 470| 1.56k| return std::make_unique(shared_from_this(), std::move(pt)); 471| 1.56k| } else { 472| 63|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 473| 63| const auto& group = scalar.group(); 474| 63| const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar); 475| | 476| 63| BOTAN_STATE_CHECK(group->m_base_mult != nullptr); ------------------ | | 51| 63| do { \ | | 52| 63| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 63| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 63] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 63| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 63] | | ------------------ ------------------ 477| 63| std::vector ws; 478| 63| auto pt = group->m_base_mult->mul(bn.value(), rng, m_order, ws); 479| 63| return std::make_unique(shared_from_this(), std::move(pt)); 480| |#else 481| | throw Not_Implemented("Legacy EC interfaces disabled in this build configuration"); 482| |#endif 483| 63| } 484| 1.62k|} _ZN5Botan17EC_Scalar_Data_PC11checked_refERKNS_14EC_Scalar_DataE: 14| 1.56k|const EC_Scalar_Data_PC& EC_Scalar_Data_PC::checked_ref(const EC_Scalar_Data& data) { 15| 1.56k| const auto* p = dynamic_cast(&data); 16| 1.56k| if(p == nullptr) { ------------------ | Branch (16:7): [True: 0, False: 1.56k] ------------------ 17| 0| throw Invalid_State("Failed conversion to EC_Scalar_Data_PC"); 18| 0| } 19| 1.56k| return *p; 20| 1.56k|} _ZNK5Botan17EC_Scalar_Data_PC5groupEv: 22| 7.39k|const std::shared_ptr& EC_Scalar_Data_PC::group() const { 23| 7.39k| return m_group; 24| 7.39k|} _ZNK5Botan17EC_Scalar_Data_PC5bytesEv: 26| 1.94k|size_t EC_Scalar_Data_PC::bytes() const { 27| 1.94k| return this->group()->order_bytes(); 28| 1.94k|} _ZNK5Botan17EC_Scalar_Data_PC5cloneEv: 30| 1.94k|std::unique_ptr EC_Scalar_Data_PC::clone() const { 31| 1.94k| return std::make_unique(this->group(), this->value()); 32| 1.94k|} _ZNK5Botan17EC_Scalar_Data_PC7is_zeroEv: 34| 1.94k|bool EC_Scalar_Data_PC::is_zero() const { 35| 1.94k| const auto& pcurve = this->group()->pcurve(); 36| 1.94k| return pcurve.scalar_is_zero(m_v); 37| 1.94k|} _ZN5Botan17EC_Scalar_Data_PC7zeroizeEv: 48| 1.94k|void EC_Scalar_Data_PC::zeroize() { 49| 1.94k| m_v._zeroize(); 50| 1.94k|} _ZNK5Botan17EC_Scalar_Data_PC12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 81| 1.94k|void EC_Scalar_Data_PC::serialize_to(std::span bytes) const { 82| 1.94k| BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length"); ------------------ | | 35| 1.94k| do { \ | | 36| 1.94k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.94k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.94k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.94k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.94k] | | ------------------ ------------------ 83| 1.94k| m_group->pcurve().serialize_scalar(bytes, m_v); 84| 1.94k|} _ZN5Botan22EC_AffinePoint_Data_PCC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_6PCurve15PrimeOrderCurve11AffinePointE: 88| 1.56k| m_group(std::move(group)), m_pt(std::move(pt)) { 89| 1.56k| const auto& pcurve = m_group->pcurve(); 90| | 91| 1.56k| if(!pcurve.affine_point_is_identity(m_pt)) { ------------------ | Branch (91:7): [True: 1.56k, False: 0] ------------------ 92| 1.56k| m_xy.resize(1 + 2 * field_element_bytes()); 93| 1.56k| pcurve.serialize_point(m_xy, m_pt); 94| 1.56k| } 95| 1.56k|} _ZNK5Botan22EC_AffinePoint_Data_PC19field_element_bytesEv: 129| 3.13k|size_t EC_AffinePoint_Data_PC::field_element_bytes() const { 130| 3.13k| return m_group->pcurve().field_element_bytes(); 131| 3.13k|} _ZNK5Botan22EC_AffinePoint_Data_PC11is_identityEv: 133| 3.13k|bool EC_AffinePoint_Data_PC::is_identity() const { 134| 3.13k| return m_xy.empty(); 135| 3.13k|} _ZNK5Botan22EC_AffinePoint_Data_PC15to_legacy_pointEv: 177| 1.56k|EC_Point EC_AffinePoint_Data_PC::to_legacy_point() const { 178| 1.56k| if(this->is_identity()) { ------------------ | Branch (178:7): [True: 0, False: 1.56k] ------------------ 179| 0| return EC_Point(m_group->curve()); 180| 1.56k| } else { 181| 1.56k| const size_t fe_bytes = this->field_element_bytes(); 182| 1.56k| return EC_Point(m_group->curve(), 183| 1.56k| BigInt::from_bytes(std::span{m_xy}.subspan(1, fe_bytes)), 184| 1.56k| BigInt::from_bytes(std::span{m_xy}.last(fe_bytes))); 185| 1.56k| } 186| 1.56k|} _ZN5Botan8EC_Group13EC_group_infoERKNS_3OIDE: 16| 2.71k|std::shared_ptr EC_Group::EC_group_info(const OID& oid) { 17| | // secp256r1 18| 2.71k| if(oid == OID{1, 2, 840, 10045, 3, 1, 7}) { ------------------ | Branch (18:7): [True: 244, False: 2.47k] ------------------ 19| 244| return load_EC_group_info( 20| 244| "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 21| 244| "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", 22| 244| "0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", 23| 244| "0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 24| 244| "0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 25| 244| "0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 26| 244| oid); 27| 244| } 28| | 29| | // secp384r1 30| 2.47k| if(oid == OID{1, 3, 132, 0, 34}) { ------------------ | Branch (30:7): [True: 149, False: 2.32k] ------------------ 31| 149| return load_EC_group_info( 32| 149| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", 33| 149| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", 34| 149| "0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", 35| 149| "0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", 36| 149| "0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", 37| 149| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 38| 149| oid); 39| 149| } 40| | 41| | // secp521r1 42| 2.32k| if(oid == OID{1, 3, 132, 0, 35}) { ------------------ | Branch (42:7): [True: 287, False: 2.03k] ------------------ 43| 287| return load_EC_group_info( 44| 287| "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 45| 287| "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 46| 287| "0x51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 47| 287| "0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 48| 287| "0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 49| 287| "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 50| 287| oid); 51| 287| } 52| | 53| | // brainpool160r1 54| 2.03k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1}) { ------------------ | Branch (54:7): [True: 36, False: 2.00k] ------------------ 55| 36| return load_EC_group_info( 56| 36| "0xE95E4A5F737059DC60DFC7AD95B3D8139515620F", 57| 36| "0x340E7BE2A280EB74E2BE61BADA745D97E8F7C300", 58| 36| "0x1E589A8595423412134FAA2DBDEC95C8D8675E58", 59| 36| "0xBED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3", 60| 36| "0x1667CB477A1A8EC338F94741669C976316DA6321", 61| 36| "0xE95E4A5F737059DC60DF5991D45029409E60FC09", 62| 36| oid); 63| 36| } 64| | 65| | // brainpool192r1 66| 2.00k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3}) { ------------------ | Branch (66:7): [True: 3, False: 1.99k] ------------------ 67| 3| return load_EC_group_info( 68| 3| "0xC302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297", 69| 3| "0x6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF", 70| 3| "0x469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9", 71| 3| "0xC0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6", 72| 3| "0x14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F", 73| 3| "0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", 74| 3| oid); 75| 3| } 76| | 77| | // brainpool224r1 78| 1.99k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5}) { ------------------ | Branch (78:7): [True: 78, False: 1.91k] ------------------ 79| 78| return load_EC_group_info( 80| 78| "0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", 81| 78| "0x68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43", 82| 78| "0x2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", 83| 78| "0xD9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D", 84| 78| "0x58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD", 85| 78| "0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 86| 78| oid); 87| 78| } 88| | 89| | // brainpool256r1 90| 1.91k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}) { ------------------ | Branch (90:7): [True: 125, False: 1.79k] ------------------ 91| 125| return load_EC_group_info( 92| 125| "0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 93| 125| "0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 94| 125| "0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 95| 125| "0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 96| 125| "0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 97| 125| "0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 98| 125| oid); 99| 125| } 100| | 101| | // brainpool320r1 102| 1.79k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9}) { ------------------ | Branch (102:7): [True: 54, False: 1.74k] ------------------ 103| 54| return load_EC_group_info( 104| 54| "0xD35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27", 105| 54| "0x3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4", 106| 54| "0x520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6", 107| 54| "0x43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611", 108| 54| "0x14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1", 109| 54| "0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", 110| 54| oid); 111| 54| } 112| | 113| | // brainpool384r1 114| 1.74k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}) { ------------------ | Branch (114:7): [True: 156, False: 1.58k] ------------------ 115| 156| return load_EC_group_info( 116| 156| "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 117| 156| "0x7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826", 118| 156| "0x4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11", 119| 156| "0x1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", 120| 156| "0x8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", 121| 156| "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 122| 156| oid); 123| 156| } 124| | 125| | // brainpool512r1 126| 1.58k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}) { ------------------ | Branch (126:7): [True: 145, False: 1.43k] ------------------ 127| 145| return load_EC_group_info( 128| 145| "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 129| 145| "0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA", 130| 145| "0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723", 131| 145| "0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", 132| 145| "0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", 133| 145| "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 134| 145| oid); 135| 145| } 136| | 137| | // frp256v1 138| 1.43k| if(oid == OID{1, 2, 250, 1, 223, 101, 256, 1}) { ------------------ | Branch (138:7): [True: 0, False: 1.43k] ------------------ 139| 0| return load_EC_group_info( 140| 0| "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C03", 141| 0| "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C00", 142| 0| "0xEE353FCA5428A9300D4ABA754A44C00FDFEC0C9AE4B1A1803075ED967B7BB73F", 143| 0| "0xB6B3D4C356C139EB31183D4749D423958C27D2DCAF98B70164C97A2DD98F5CFF", 144| 0| "0x6142E0F7C8B204911F9271F0F3ECEF8C2701C307E8E4C9E183115A1554062CFB", 145| 0| "0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1", 146| 0| oid); 147| 0| } 148| | 149| | // gost_256A 150| 1.43k| if(oid == OID{1, 2, 643, 7, 1, 2, 1, 1, 1} || oid == OID{1, 2, 643, 2, 2, 35, 1} || oid == OID{1, 2, 643, 2, 2, 36, 0}) { ------------------ | Branch (150:7): [True: 0, False: 1.43k] | Branch (150:7): [True: 0, False: 1.43k] | Branch (150:50): [True: 0, False: 1.43k] | Branch (150:88): [True: 0, False: 1.43k] ------------------ 151| 0| return load_EC_group_info( 152| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 153| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 154| 0| "0xA6", 155| 0| "0x1", 156| 0| "0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", 157| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 158| 0| OID{1, 2, 643, 7, 1, 2, 1, 1, 1}); 159| 0| } 160| | 161| | // gost_512A 162| 1.43k| if(oid == OID{1, 2, 643, 7, 1, 2, 1, 2, 1}) { ------------------ | Branch (162:7): [True: 0, False: 1.43k] ------------------ 163| 0| return load_EC_group_info( 164| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7", 165| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC4", 166| 0| "0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD081CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEE4761503190785A71C760", 167| 0| "0x3", 168| 0| "0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064FDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235F5B889A589CB5215F2A4", 169| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275", 170| 0| oid); 171| 0| } 172| | 173| | // secp160k1 174| 1.43k| if(oid == OID{1, 3, 132, 0, 9}) { ------------------ | Branch (174:7): [True: 6, False: 1.43k] ------------------ 175| 6| return load_EC_group_info( 176| 6| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", 177| 6| "0x0", 178| 6| "0x7", 179| 6| "0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB", 180| 6| "0x938CF935318FDCED6BC28286531733C3F03C4FEE", 181| 6| "0x100000000000000000001B8FA16DFAB9ACA16B6B3", 182| 6| oid); 183| 6| } 184| | 185| | // secp160r1 186| 1.43k| if(oid == OID{1, 3, 132, 0, 8}) { ------------------ | Branch (186:7): [True: 8, False: 1.42k] ------------------ 187| 8| return load_EC_group_info( 188| 8| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF", 189| 8| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC", 190| 8| "0x1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45", 191| 8| "0x4A96B5688EF573284664698968C38BB913CBFC82", 192| 8| "0x23A628553168947D59DCC912042351377AC5FB32", 193| 8| "0x100000000000000000001F4C8F927AED3CA752257", 194| 8| oid); 195| 8| } 196| | 197| | // secp160r2 198| 1.42k| if(oid == OID{1, 3, 132, 0, 30}) { ------------------ | Branch (198:7): [True: 9, False: 1.41k] ------------------ 199| 9| return load_EC_group_info( 200| 9| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", 201| 9| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70", 202| 9| "0xB4E134D3FB59EB8BAB57274904664D5AF50388BA", 203| 9| "0x52DCB034293A117E1F4FF11B30F7199D3144CE6D", 204| 9| "0xFEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E", 205| 9| "0x100000000000000000000351EE786A818F3A1A16B", 206| 9| oid); 207| 9| } 208| | 209| | // secp192k1 210| 1.41k| if(oid == OID{1, 3, 132, 0, 31}) { ------------------ | Branch (210:7): [True: 4, False: 1.41k] ------------------ 211| 4| return load_EC_group_info( 212| 4| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", 213| 4| "0x0", 214| 4| "0x3", 215| 4| "0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", 216| 4| "0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", 217| 4| "0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", 218| 4| oid); 219| 4| } 220| | 221| | // secp192r1 222| 1.41k| if(oid == OID{1, 2, 840, 10045, 3, 1, 1}) { ------------------ | Branch (222:7): [True: 203, False: 1.20k] ------------------ 223| 203| return load_EC_group_info( 224| 203| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 225| 203| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 226| 203| "0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", 227| 203| "0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", 228| 203| "0x7192B95FFC8DA78631011ED6B24CDD573F977A11E794811", 229| 203| "0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 230| 203| oid); 231| 203| } 232| | 233| | // secp224k1 234| 1.20k| if(oid == OID{1, 3, 132, 0, 32}) { ------------------ | Branch (234:7): [True: 499, False: 710] ------------------ 235| 499| return load_EC_group_info( 236| 499| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D", 237| 499| "0x0", 238| 499| "0x5", 239| 499| "0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C", 240| 499| "0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5", 241| 499| "0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7", 242| 499| oid); 243| 499| } 244| | 245| | // secp224r1 246| 710| if(oid == OID{1, 3, 132, 0, 33}) { ------------------ | Branch (246:7): [True: 215, False: 495] ------------------ 247| 215| return load_EC_group_info( 248| 215| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", 249| 215| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", 250| 215| "0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", 251| 215| "0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", 252| 215| "0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", 253| 215| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 254| 215| oid); 255| 215| } 256| | 257| | // secp256k1 258| 495| if(oid == OID{1, 3, 132, 0, 10}) { ------------------ | Branch (258:7): [True: 159, False: 336] ------------------ 259| 159| return load_EC_group_info( 260| 159| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 261| 159| "0x0", 262| 159| "0x7", 263| 159| "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 264| 159| "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 265| 159| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 266| 159| oid); 267| 159| } 268| | 269| | // sm2p256v1 270| 336| if(oid == OID{1, 2, 156, 10197, 1, 301}) { ------------------ | Branch (270:7): [True: 0, False: 336] ------------------ 271| 0| return load_EC_group_info( 272| 0| "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", 273| 0| "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC", 274| 0| "0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93", 275| 0| "0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 276| 0| "0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 277| 0| "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 278| 0| oid); 279| 0| } 280| | 281| | // x962_p192v2 282| 336| if(oid == OID{1, 2, 840, 10045, 3, 1, 2}) { ------------------ | Branch (282:7): [True: 35, False: 301] ------------------ 283| 35| return load_EC_group_info( 284| 35| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 285| 35| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 286| 35| "0xCC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953", 287| 35| "0xEEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A", 288| 35| "0x6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15", 289| 35| "0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31", 290| 35| oid); 291| 35| } 292| | 293| | // x962_p192v3 294| 301| if(oid == OID{1, 2, 840, 10045, 3, 1, 3}) { ------------------ | Branch (294:7): [True: 41, False: 260] ------------------ 295| 41| return load_EC_group_info( 296| 41| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 297| 41| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 298| 41| "0x22123DC2395A05CAA7423DAECCC94760A7D462256BD56916", 299| 41| "0x7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896", 300| 41| "0x38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0", 301| 41| "0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13", 302| 41| oid); 303| 41| } 304| | 305| | // x962_p239v1 306| 260| if(oid == OID{1, 2, 840, 10045, 3, 1, 4}) { ------------------ | Branch (306:7): [True: 69, False: 191] ------------------ 307| 69| return load_EC_group_info( 308| 69| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", 309| 69| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", 310| 69| "0x6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A", 311| 69| "0xFFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF", 312| 69| "0x7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE", 313| 69| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B", 314| 69| oid); 315| 69| } 316| | 317| | // x962_p239v2 318| 191| if(oid == OID{1, 2, 840, 10045, 3, 1, 5}) { ------------------ | Branch (318:7): [True: 29, False: 162] ------------------ 319| 29| return load_EC_group_info( 320| 29| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", 321| 29| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", 322| 29| "0x617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C", 323| 29| "0x38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7", 324| 29| "0x5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA", 325| 29| "0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063", 326| 29| oid); 327| 29| } 328| | 329| | // x962_p239v3 330| 162| if(oid == OID{1, 2, 840, 10045, 3, 1, 6}) { ------------------ | Branch (330:7): [True: 47, False: 115] ------------------ 331| 47| return load_EC_group_info( 332| 47| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", 333| 47| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", 334| 47| "0x255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E", 335| 47| "0x6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A", 336| 47| "0x1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3", 337| 47| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551", 338| 47| oid); 339| 47| } 340| | 341| | // numsp512d1 342| 115| if(oid == OID{1, 3, 6, 1, 4, 1, 25258, 4, 3}) { ------------------ | Branch (342:7): [True: 0, False: 115] ------------------ 343| 0| return load_EC_group_info( 344| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7", 345| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC4", 346| 0| "0x1D99B", 347| 0| "0x2", 348| 0| "0x1C282EB23327F9711952C250EA61AD53FCC13031CF6DD336E0B9328433AFBDD8CC5A1C1F0C716FDC724DDE537C2B0ADB00BB3D08DC83755B205CC30D7F83CF28", 349| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5B3CA4FB94E7831B4FC258ED97D0BDC63B568B36607CD243CE153F390433555D", 350| 0| oid); 351| 0| } 352| | 353| 115| return std::shared_ptr(); 354| 115|} _ZN5Botan8EC_Group28EC_group_identity_from_orderERKNS_6BigIntE: 358| 1.00k| { 359| 1.00k| const uint32_t low_bits = static_cast(order.word_at(0)); 360| | 361| 1.00k| if(low_bits == 0xFC632551 && order == BigInt("0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551")) { ------------------ | Branch (361:7): [True: 70, False: 932] | Branch (361:7): [True: 32, False: 970] | Branch (361:33): [True: 32, False: 38] ------------------ 362| 32| return OID{1, 2, 840, 10045, 3, 1, 7}; 363| 32| } 364| | 365| 970| if(low_bits == 0xCCC52973 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) { ------------------ | Branch (365:7): [True: 1, False: 969] | Branch (365:7): [True: 0, False: 970] | Branch (365:33): [True: 0, False: 1] ------------------ 366| 0| return OID{1, 3, 132, 0, 34}; 367| 0| } 368| | 369| 970| if(low_bits == 0x91386409 && order == BigInt("0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409")) { ------------------ | Branch (369:7): [True: 179, False: 791] | Branch (369:7): [True: 147, False: 823] | Branch (369:33): [True: 147, False: 32] ------------------ 370| 147| return OID{1, 3, 132, 0, 35}; 371| 147| } 372| | 373| 823| if(low_bits == 0x9E60FC09 && order == BigInt("0xE95E4A5F737059DC60DF5991D45029409E60FC09")) { ------------------ | Branch (373:7): [True: 0, False: 823] | Branch (373:7): [True: 0, False: 823] | Branch (373:33): [True: 0, False: 0] ------------------ 374| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1}; 375| 0| } 376| | 377| 823| if(low_bits == 0x9AC4ACC1 && order == BigInt("0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1")) { ------------------ | Branch (377:7): [True: 0, False: 823] | Branch (377:7): [True: 0, False: 823] | Branch (377:33): [True: 0, False: 0] ------------------ 378| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3}; 379| 0| } 380| | 381| 823| if(low_bits == 0xA5A7939F && order == BigInt("0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F")) { ------------------ | Branch (381:7): [True: 1, False: 822] | Branch (381:7): [True: 0, False: 823] | Branch (381:33): [True: 0, False: 1] ------------------ 382| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5}; 383| 0| } 384| | 385| 823| if(low_bits == 0x974856A7 && order == BigInt("0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7")) { ------------------ | Branch (385:7): [True: 2, False: 821] | Branch (385:7): [True: 0, False: 823] | Branch (385:33): [True: 0, False: 2] ------------------ 386| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}; 387| 0| } 388| | 389| 823| if(low_bits == 0x44C59311 && order == BigInt("0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311")) { ------------------ | Branch (389:7): [True: 0, False: 823] | Branch (389:7): [True: 0, False: 823] | Branch (389:33): [True: 0, False: 0] ------------------ 390| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9}; 391| 0| } 392| | 393| 823| if(low_bits == 0xE9046565 && order == BigInt("0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565")) { ------------------ | Branch (393:7): [True: 2, False: 821] | Branch (393:7): [True: 0, False: 823] | Branch (393:33): [True: 0, False: 2] ------------------ 394| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}; 395| 0| } 396| | 397| 823| if(low_bits == 0x9CA90069 && order == BigInt("0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069")) { ------------------ | Branch (397:7): [True: 9, False: 814] | Branch (397:7): [True: 0, False: 823] | Branch (397:33): [True: 0, False: 9] ------------------ 398| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}; 399| 0| } 400| | 401| 823| if(low_bits == 0xC6D655E1 && order == BigInt("0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1")) { ------------------ | Branch (401:7): [True: 11, False: 812] | Branch (401:7): [True: 0, False: 823] | Branch (401:33): [True: 0, False: 11] ------------------ 402| 0| return OID{1, 2, 250, 1, 223, 101, 256, 1}; 403| 0| } 404| | 405| 823| if(low_bits == 0xB761B893 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893")) { ------------------ | Branch (405:7): [True: 0, False: 823] | Branch (405:7): [True: 0, False: 823] | Branch (405:33): [True: 0, False: 0] ------------------ 406| 0| return OID{1, 2, 643, 7, 1, 2, 1, 1, 1}; 407| 0| } 408| | 409| 823| if(low_bits == 0x1F10B275 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275")) { ------------------ | Branch (409:7): [True: 2, False: 821] | Branch (409:7): [True: 0, False: 823] | Branch (409:33): [True: 0, False: 2] ------------------ 410| 0| return OID{1, 2, 643, 7, 1, 2, 1, 2, 1}; 411| 0| } 412| | 413| 823| if(low_bits == 0xCA16B6B3 && order == BigInt("0x100000000000000000001B8FA16DFAB9ACA16B6B3")) { ------------------ | Branch (413:7): [True: 1, False: 822] | Branch (413:7): [True: 0, False: 823] | Branch (413:33): [True: 0, False: 1] ------------------ 414| 0| return OID{1, 3, 132, 0, 9}; 415| 0| } 416| | 417| 823| if(low_bits == 0xCA752257 && order == BigInt("0x100000000000000000001F4C8F927AED3CA752257")) { ------------------ | Branch (417:7): [True: 0, False: 823] | Branch (417:7): [True: 0, False: 823] | Branch (417:33): [True: 0, False: 0] ------------------ 418| 0| return OID{1, 3, 132, 0, 8}; 419| 0| } 420| | 421| 823| if(low_bits == 0xF3A1A16B && order == BigInt("0x100000000000000000000351EE786A818F3A1A16B")) { ------------------ | Branch (421:7): [True: 1, False: 822] | Branch (421:7): [True: 0, False: 823] | Branch (421:33): [True: 0, False: 1] ------------------ 422| 0| return OID{1, 3, 132, 0, 30}; 423| 0| } 424| | 425| 823| if(low_bits == 0x74DEFD8D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D")) { ------------------ | Branch (425:7): [True: 1, False: 822] | Branch (425:7): [True: 0, False: 823] | Branch (425:33): [True: 0, False: 1] ------------------ 426| 0| return OID{1, 3, 132, 0, 31}; 427| 0| } 428| | 429| 823| if(low_bits == 0xB4D22831 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) { ------------------ | Branch (429:7): [True: 0, False: 823] | Branch (429:7): [True: 0, False: 823] | Branch (429:33): [True: 0, False: 0] ------------------ 430| 0| return OID{1, 2, 840, 10045, 3, 1, 1}; 431| 0| } 432| | 433| 823| if(low_bits == 0x769FB1F7 && order == BigInt("0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7")) { ------------------ | Branch (433:7): [True: 1, False: 822] | Branch (433:7): [True: 0, False: 823] | Branch (433:33): [True: 0, False: 1] ------------------ 434| 0| return OID{1, 3, 132, 0, 32}; 435| 0| } 436| | 437| 823| if(low_bits == 0x5C5C2A3D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) { ------------------ | Branch (437:7): [True: 10, False: 813] | Branch (437:7): [True: 5, False: 818] | Branch (437:33): [True: 5, False: 5] ------------------ 438| 5| return OID{1, 3, 132, 0, 33}; 439| 5| } 440| | 441| 818| if(low_bits == 0xD0364141 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141")) { ------------------ | Branch (441:7): [True: 1, False: 817] | Branch (441:7): [True: 0, False: 818] | Branch (441:33): [True: 0, False: 1] ------------------ 442| 0| return OID{1, 3, 132, 0, 10}; 443| 0| } 444| | 445| 818| if(low_bits == 0x39D54123 && order == BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123")) { ------------------ | Branch (445:7): [True: 0, False: 818] | Branch (445:7): [True: 0, False: 818] | Branch (445:33): [True: 0, False: 0] ------------------ 446| 0| return OID{1, 2, 156, 10197, 1, 301}; 447| 0| } 448| | 449| 818| if(low_bits == 0x48D8DD31 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31")) { ------------------ | Branch (449:7): [True: 0, False: 818] | Branch (449:7): [True: 0, False: 818] | Branch (449:33): [True: 0, False: 0] ------------------ 450| 0| return OID{1, 2, 840, 10045, 3, 1, 2}; 451| 0| } 452| | 453| 818| if(low_bits == 0xF640EC13 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13")) { ------------------ | Branch (453:7): [True: 1, False: 817] | Branch (453:7): [True: 0, False: 818] | Branch (453:33): [True: 0, False: 1] ------------------ 454| 0| return OID{1, 2, 840, 10045, 3, 1, 3}; 455| 0| } 456| | 457| 818| if(low_bits == 0x88909D0B && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B")) { ------------------ | Branch (457:7): [True: 2, False: 816] | Branch (457:7): [True: 0, False: 818] | Branch (457:33): [True: 0, False: 2] ------------------ 458| 0| return OID{1, 2, 840, 10045, 3, 1, 4}; 459| 0| } 460| | 461| 818| if(low_bits == 0xBC582063 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063")) { ------------------ | Branch (461:7): [True: 1, False: 817] | Branch (461:7): [True: 0, False: 818] | Branch (461:33): [True: 0, False: 1] ------------------ 462| 0| return OID{1, 2, 840, 10045, 3, 1, 5}; 463| 0| } 464| | 465| 818| if(low_bits == 0x46526551 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551")) { ------------------ | Branch (465:7): [True: 1, False: 817] | Branch (465:7): [True: 0, False: 818] | Branch (465:33): [True: 0, False: 1] ------------------ 466| 0| return OID{1, 2, 840, 10045, 3, 1, 6}; 467| 0| } 468| | 469| 818| if(low_bits == 0x0433555D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5B3CA4FB94E7831B4FC258ED97D0BDC63B568B36607CD243CE153F390433555D")) { ------------------ | Branch (469:7): [True: 9, False: 809] | Branch (469:7): [True: 0, False: 818] | Branch (469:33): [True: 0, False: 9] ------------------ 470| 0| return OID{1, 3, 6, 1, 4, 1, 25258, 4, 3}; 471| 0| } 472| | 473| 818| return OID(); 474| 818|} _ZN5Botan9EC_ScalarC2ENSt3__110unique_ptrINS_14EC_Scalar_DataENS1_14default_deleteIS3_EEEE: 22| 2.49k|EC_Scalar::EC_Scalar(std::unique_ptr scalar) : m_scalar(std::move(scalar)) { 23| 2.49k| BOTAN_ASSERT_NONNULL(m_scalar); ------------------ | | 116| 2.49k| do { \ | | 117| 2.49k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 2.49k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 2.49k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 2.49k] | | ------------------ ------------------ 24| 2.49k|} _ZN5Botan9EC_ScalarC2ERKS0_: 26| 2.49k|EC_Scalar::EC_Scalar(const EC_Scalar& other) : m_scalar(other.inner().clone()) {} _ZN5Botan9EC_ScalarC2EOS0_: 28| 4.99k|EC_Scalar::EC_Scalar(EC_Scalar&& other) noexcept : m_scalar(std::move(other.m_scalar)) {} _ZN5Botan9EC_ScalarD2Ev: 43| 9.99k|EC_Scalar::~EC_Scalar() = default; _ZNK5Botan9EC_Scalar9to_bigintEv: 77| 2.49k|BigInt EC_Scalar::to_bigint() const { 78| 2.49k| secure_vector bytes(m_scalar->bytes()); 79| 2.49k| m_scalar->serialize_to(bytes); 80| 2.49k| return BigInt::from_bytes(bytes); 81| 2.49k|} _ZN5Botan9EC_Scalar11deserializeERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 118| 2.51k|std::optional EC_Scalar::deserialize(const EC_Group& group, std::span bytes) { 119| 2.51k| if(auto v = group._data()->scalar_deserialize(bytes)) { ------------------ | Branch (119:12): [True: 2.49k, False: 21] ------------------ 120| 2.49k| return EC_Scalar(std::move(v)); 121| 2.49k| } else { 122| 21| return {}; 123| 21| } 124| 2.51k|} _ZNK5Botan9EC_Scalar7is_zeroEv: 133| 2.49k|bool EC_Scalar::is_zero() const { 134| 2.49k| return inner().is_zero(); 135| 2.49k|} _ZN5Botan9EC_Scalar7zeroizeEv: 169| 2.49k|void EC_Scalar::zeroize() { 170| 2.49k| m_scalar->zeroize(); 171| 2.49k|} _ZN5Botan17EC_Scalar_Data_BN11checked_refERKNS_14EC_Scalar_DataE: 15| 63|const EC_Scalar_Data_BN& EC_Scalar_Data_BN::checked_ref(const EC_Scalar_Data& data) { 16| 63| const auto* p = dynamic_cast(&data); 17| 63| if(p == nullptr) { ------------------ | Branch (17:7): [True: 0, False: 63] ------------------ 18| 0| throw Invalid_State("Failed conversion to EC_Scalar_Data_BN"); 19| 0| } 20| 63| return *p; 21| 63|} _ZNK5Botan17EC_Scalar_Data_BN5groupEv: 23| 1.23k|const std::shared_ptr& EC_Scalar_Data_BN::group() const { 24| 1.23k| return m_group; 25| 1.23k|} _ZNK5Botan17EC_Scalar_Data_BN5bytesEv: 27| 554|size_t EC_Scalar_Data_BN::bytes() const { 28| 554| return this->group()->order_bytes(); 29| 554|} _ZNK5Botan17EC_Scalar_Data_BN5cloneEv: 31| 554|std::unique_ptr EC_Scalar_Data_BN::clone() const { 32| 554| return std::make_unique(this->group(), this->value()); 33| 554|} _ZNK5Botan17EC_Scalar_Data_BN7is_zeroEv: 35| 554|bool EC_Scalar_Data_BN::is_zero() const { 36| 554| return this->value().is_zero(); 37| 554|} _ZN5Botan17EC_Scalar_Data_BN7zeroizeEv: 47| 554|void EC_Scalar_Data_BN::zeroize() { 48| | // BigInt stores its value in a secure_vector, after swapping the existing 49| | // value will go out of scope (inside `zero`) and be wiped properly. 50| 554| BigInt zero; 51| 554| std::swap(m_v, zero); 52| 554|} _ZNK5Botan17EC_Scalar_Data_BN12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 91| 554|void EC_Scalar_Data_BN::serialize_to(std::span bytes) const { 92| 554| BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length"); ------------------ | | 35| 554| do { \ | | 36| 554| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 554| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 554] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 554| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 554] | | ------------------ ------------------ 93| 554| m_v.serialize_to(bytes); 94| 554|} _ZN5Botan22EC_AffinePoint_Data_BNC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_8EC_PointE: 97| 64| m_group(std::move(group)), m_pt(std::move(pt)) { 98| 64| if(!m_pt.is_zero()) { ------------------ | Branch (98:7): [True: 64, False: 0] ------------------ 99| 64| m_pt.force_affine(); 100| 64| m_xy = m_pt.xy_bytes(); 101| 64| } 102| 64|} _ZNK5Botan22EC_AffinePoint_Data_BN11is_identityEv: 152| 64|bool EC_AffinePoint_Data_BN::is_identity() const { 153| 64| return m_xy.empty(); 154| 64|} _ZN5Botan8CurveGFpC2EPKNS_13EC_Group_DataE: 28| 2.72k|CurveGFp::CurveGFp(const EC_Group_Data* group) : m_group(group) { 29| 2.72k| BOTAN_ASSERT_NONNULL(m_group); ------------------ | | 116| 2.72k| do { \ | | 117| 2.72k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 2.72k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 2.72k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 2.72k] | | ------------------ ------------------ 30| 2.72k|} _ZNK5Botan8CurveGFp5groupEv: 32| 784k|const EC_Group_Data& CurveGFp::group() const { 33| 784k| BOTAN_ASSERT_NONNULL(m_group); ------------------ | | 116| 784k| do { \ | | 117| 784k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 784k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 784k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 784k] | | ------------------ ------------------ 34| 784k| return *m_group; 35| 784k|} _ZNK5Botan8CurveGFp5get_aEv: 37| 491|const BigInt& CurveGFp::get_a() const { 38| 491| return this->group().a(); 39| 491|} _ZNK5Botan8CurveGFp5get_bEv: 41| 491|const BigInt& CurveGFp::get_b() const { 42| 491| return this->group().b(); 43| 491|} _ZNK5Botan8CurveGFp5get_pEv: 45| 491|const BigInt& CurveGFp::get_p() const { 46| 491| return this->group().p(); 47| 491|} _ZNK5Botan8CurveGFp11get_p_wordsEv: 49| 280k|size_t CurveGFp::get_p_words() const { 50| 280k| return this->group().p_words(); 51| 280k|} _ZN5Botan8EC_PointC2ERKNS_8CurveGFpE: 108| 63|EC_Point::EC_Point(const CurveGFp& curve) : m_curve(curve), m_x(0), m_y(curve.group().monty().R1()), m_z(0) {} _ZNK5Botan8EC_Point4zeroEv: 110| 63|EC_Point EC_Point::zero() const { 111| 63| return EC_Point(m_curve); 112| 63|} _ZN5Botan8EC_PointC2ERKNS_8CurveGFpENS_6BigIntES4_: 115| 4.36k| m_curve(curve), m_x(std::move(x)), m_y(std::move(y)), m_z(m_curve.group().monty().R1()) { 116| 4.36k| const auto& group = m_curve.group(); 117| | 118| 4.36k| if(m_x < 0 || m_x >= group.p()) { ------------------ | Branch (118:7): [True: 0, False: 4.36k] | Branch (118:18): [True: 0, False: 4.36k] ------------------ 119| 0| throw Invalid_Argument("Invalid EC_Point affine x"); 120| 0| } 121| 4.36k| if(m_y < 0 || m_y >= group.p()) { ------------------ | Branch (121:7): [True: 0, False: 4.36k] | Branch (121:18): [True: 0, False: 4.36k] ------------------ 122| 0| throw Invalid_Argument("Invalid EC_Point affine y"); 123| 0| } 124| | 125| 4.36k| secure_vector monty_ws(monty_ws_size(group)); 126| | 127| 4.36k| to_rep(group, m_x, monty_ws); 128| 4.36k| to_rep(group, m_y, monty_ws); 129| 4.36k|} _ZN5Botan8EC_Point10add_affineEPKmmS2_mRNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 188| 4.44k| const word x_words[], size_t x_size, const word y_words[], size_t y_size, std::vector& ws_bn) { 189| 4.44k| if((CT::all_zeros(x_words, x_size) & CT::all_zeros(y_words, y_size)).as_bool()) { ------------------ | Branch (189:7): [True: 1.38k, False: 3.05k] ------------------ 190| 1.38k| return; 191| 1.38k| } 192| | 193| 3.05k| const auto& group = m_curve.group(); 194| | 195| 3.05k| if(is_zero()) { ------------------ | Branch (195:7): [True: 63, False: 2.99k] ------------------ 196| 63| m_x.set_words(x_words, x_size); 197| 63| m_y.set_words(y_words, y_size); 198| 63| m_z = group.monty().R1(); 199| 63| return; 200| 63| } 201| | 202| 2.99k| resize_ws(ws_bn, monty_ws_size(group)); 203| | 204| 2.99k| secure_vector& ws = ws_bn[0].get_word_vector(); 205| 2.99k| secure_vector& sub_ws = ws_bn[1].get_word_vector(); 206| | 207| 2.99k| BigInt& T0 = ws_bn[2]; 208| 2.99k| BigInt& T1 = ws_bn[3]; 209| 2.99k| BigInt& T2 = ws_bn[4]; 210| 2.99k| BigInt& T3 = ws_bn[5]; 211| 2.99k| BigInt& T4 = ws_bn[6]; 212| | 213| | /* 214| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 215| | simplified with Z2 = 1 216| | */ 217| | 218| 2.99k| const BigInt& p = group.p(); 219| | 220| 2.99k| fe_sqr(group, T3, m_z, ws); // z1^2 221| 2.99k| fe_mul(group, T4, x_words, x_size, T3, ws); // x2*z1^2 222| | 223| 2.99k| fe_mul(group, T2, m_z, T3, ws); // z1^3 224| 2.99k| fe_mul(group, T0, y_words, y_size, T2, ws); // y2*z1^3 225| | 226| 2.99k| T4.mod_sub(m_x, p, sub_ws); // x2*z1^2 - x1*z2^2 227| | 228| 2.99k| T0.mod_sub(m_y, p, sub_ws); 229| | 230| 2.99k| if(T4.is_zero()) { ------------------ | Branch (230:7): [True: 2, False: 2.99k] ------------------ 231| 2| if(T0.is_zero()) { ------------------ | Branch (231:10): [True: 2, False: 0] ------------------ 232| 2| mult2(ws_bn); 233| 2| return; 234| 2| } 235| | 236| | // setting to zero: 237| 0| m_x.clear(); 238| 0| m_y = group.monty().R1(); 239| 0| m_z.clear(); 240| 0| return; 241| 2| } 242| | 243| 2.99k| fe_sqr(group, T2, T4, ws); 244| | 245| 2.99k| fe_mul(group, T3, m_x, T2, ws); 246| | 247| 2.99k| fe_mul(group, T1, T2, T4, ws); 248| | 249| 2.99k| fe_sqr(group, m_x, T0, ws); 250| 2.99k| m_x.mod_sub(T1, p, sub_ws); 251| | 252| 2.99k| m_x.mod_sub(T3, p, sub_ws); 253| 2.99k| m_x.mod_sub(T3, p, sub_ws); 254| | 255| 2.99k| T3.mod_sub(m_x, p, sub_ws); 256| | 257| 2.99k| fe_mul(group, T2, T0, T3, ws); 258| 2.99k| fe_mul(group, T0, m_y, T1, ws); 259| 2.99k| T2.mod_sub(T0, p, sub_ws); 260| 2.99k| m_y.swap(T2); 261| | 262| 2.99k| fe_mul(group, T0, m_z, T4, ws); 263| 2.99k| m_z.swap(T0); 264| 2.99k|} _ZN5Botan8EC_Point3addERKS0_RNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 266| 279k|void EC_Point::add(const EC_Point& other, std::vector& workspace) { 267| 279k| BOTAN_ARG_CHECK(m_curve == other.m_curve, "cannot add points on different curves"); ------------------ | | 35| 279k| do { \ | | 36| 279k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 279k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 279k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 279k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 279k] | | ------------------ ------------------ 268| | 269| 279k| const size_t p_words = m_curve.get_p_words(); 270| | 271| 279k| add(other.m_x._data(), 272| 279k| std::min(p_words, other.m_x.size()), 273| 279k| other.m_y._data(), 274| 279k| std::min(p_words, other.m_y.size()), 275| 279k| other.m_z._data(), 276| 279k| std::min(p_words, other.m_z.size()), 277| 279k| workspace); 278| 279k|} _ZN5Botan8EC_Point3addEPKmmS2_mS2_mRNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 286| 279k| std::vector& ws_bn) { 287| 279k| if((CT::all_zeros(x_words, x_size) & CT::all_zeros(z_words, z_size)).as_bool()) { ------------------ | Branch (287:7): [True: 0, False: 279k] ------------------ 288| 0| return; 289| 0| } 290| | 291| 279k| const auto& group = m_curve.group(); 292| | 293| 279k| if(is_zero()) { ------------------ | Branch (293:7): [True: 0, False: 279k] ------------------ 294| 0| m_x.set_words(x_words, x_size); 295| 0| m_y.set_words(y_words, y_size); 296| 0| m_z.set_words(z_words, z_size); 297| 0| return; 298| 0| } 299| | 300| 279k| resize_ws(ws_bn, monty_ws_size(group)); 301| | 302| 279k| secure_vector& ws = ws_bn[0].get_word_vector(); 303| 279k| secure_vector& sub_ws = ws_bn[1].get_word_vector(); 304| | 305| 279k| BigInt& T0 = ws_bn[2]; 306| 279k| BigInt& T1 = ws_bn[3]; 307| 279k| BigInt& T2 = ws_bn[4]; 308| 279k| BigInt& T3 = ws_bn[5]; 309| 279k| BigInt& T4 = ws_bn[6]; 310| 279k| BigInt& T5 = ws_bn[7]; 311| | 312| | /* 313| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 314| | */ 315| | 316| 279k| const BigInt& p = group.p(); 317| | 318| 279k| fe_sqr(group, T0, z_words, z_size, ws); // z2^2 319| 279k| fe_mul(group, T1, m_x, T0, ws); // x1*z2^2 320| 279k| fe_mul(group, T3, z_words, z_size, T0, ws); // z2^3 321| 279k| fe_mul(group, T2, m_y, T3, ws); // y1*z2^3 322| | 323| 279k| fe_sqr(group, T3, m_z, ws); // z1^2 324| 279k| fe_mul(group, T4, x_words, x_size, T3, ws); // x2*z1^2 325| | 326| 279k| fe_mul(group, T5, m_z, T3, ws); // z1^3 327| 279k| fe_mul(group, T0, y_words, y_size, T5, ws); // y2*z1^3 328| | 329| 279k| T4.mod_sub(T1, p, sub_ws); // x2*z1^2 - x1*z2^2 330| | 331| 279k| T0.mod_sub(T2, p, sub_ws); 332| | 333| 279k| if(T4.is_zero()) { ------------------ | Branch (333:7): [True: 0, False: 279k] ------------------ 334| 0| if(T0.is_zero()) { ------------------ | Branch (334:10): [True: 0, False: 0] ------------------ 335| 0| mult2(ws_bn); 336| 0| return; 337| 0| } 338| | 339| | // setting to zero: 340| 0| m_x.clear(); 341| 0| m_y = group.monty().R1(); 342| 0| m_z.clear(); 343| 0| return; 344| 0| } 345| | 346| 279k| fe_sqr(group, T5, T4, ws); 347| | 348| 279k| fe_mul(group, T3, T1, T5, ws); 349| | 350| 279k| fe_mul(group, T1, T5, T4, ws); 351| | 352| 279k| fe_sqr(group, m_x, T0, ws); 353| 279k| m_x.mod_sub(T1, p, sub_ws); 354| 279k| m_x.mod_sub(T3, p, sub_ws); 355| 279k| m_x.mod_sub(T3, p, sub_ws); 356| | 357| 279k| T3.mod_sub(m_x, p, sub_ws); 358| | 359| 279k| fe_mul(group, m_y, T0, T3, ws); 360| 279k| fe_mul(group, T3, T2, T1, ws); 361| | 362| 279k| m_y.mod_sub(T3, p, sub_ws); 363| | 364| 279k| fe_mul(group, T3, z_words, z_size, m_z, ws); 365| 279k| fe_mul(group, m_z, T3, T4, ws); 366| 279k|} _ZN5Botan8EC_Point5mult2ERNSt3__16vectorINS_6BigIntENS1_9allocatorIS3_EEEE: 388| 209k|void EC_Point::mult2(std::vector& ws_bn) { 389| 209k| if(is_zero()) { ------------------ | Branch (389:7): [True: 0, False: 209k] ------------------ 390| 0| return; 391| 0| } 392| | 393| 209k| const auto& group = m_curve.group(); 394| | 395| 209k| if(m_y.is_zero()) { ------------------ | Branch (395:7): [True: 0, False: 209k] ------------------ 396| 0| *this = EC_Point(m_curve); // setting myself to zero 397| 0| return; 398| 0| } 399| | 400| 209k| resize_ws(ws_bn, monty_ws_size(group)); 401| | 402| 209k| secure_vector& ws = ws_bn[0].get_word_vector(); 403| 209k| secure_vector& sub_ws = ws_bn[1].get_word_vector(); 404| | 405| 209k| BigInt& T0 = ws_bn[2]; 406| 209k| BigInt& T1 = ws_bn[3]; 407| 209k| BigInt& T2 = ws_bn[4]; 408| 209k| BigInt& T3 = ws_bn[5]; 409| 209k| BigInt& T4 = ws_bn[6]; 410| | 411| | /* 412| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc 413| | */ 414| 209k| const BigInt& p = group.p(); 415| | 416| 209k| fe_sqr(group, T0, m_y, ws); 417| | 418| 209k| fe_mul(group, T1, m_x, T0, ws); 419| 209k| fe_smul<4>(T1, p, sub_ws); 420| | 421| 209k| if(group.a_is_zero()) { ------------------ | Branch (421:7): [True: 170k, False: 39.2k] ------------------ 422| | // if a == 0 then 3*x^2 + a*z^4 is just 3*x^2 423| 170k| fe_sqr(group, T4, m_x, ws); // x^2 424| 170k| fe_smul<3>(T4, p, sub_ws); // 3*x^2 425| 170k| } else if(group.a_is_minus_3()) { ------------------ | Branch (425:14): [True: 39.2k, False: 0] ------------------ 426| | /* 427| | if a == -3 then 428| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 429| | */ 430| 39.2k| fe_sqr(group, T3, m_z, ws); // z^2 431| | 432| | // (x-z^2) 433| 39.2k| T2 = m_x; 434| 39.2k| T2.mod_sub(T3, p, sub_ws); 435| | 436| | // (x+z^2) 437| 39.2k| T3.mod_add(m_x, p, sub_ws); 438| | 439| 39.2k| fe_mul(group, T4, T2, T3, ws); // (x-z^2)*(x+z^2) 440| | 441| 39.2k| fe_smul<3>(T4, p, sub_ws); // 3*(x-z^2)*(x+z^2) 442| 39.2k| } else { 443| 0| fe_sqr(group, T3, m_z, ws); // z^2 444| 0| fe_sqr(group, T4, T3, ws); // z^4 445| 0| fe_mul(group, T3, group.monty_a(), T4, ws); // a*z^4 446| | 447| 0| fe_sqr(group, T4, m_x, ws); // x^2 448| 0| fe_smul<3>(T4, p, sub_ws); 449| 0| T4.mod_add(T3, p, sub_ws); // 3*x^2 + a*z^4 450| 0| } 451| | 452| 209k| fe_sqr(group, T2, T4, ws); 453| 209k| T2.mod_sub(T1, p, sub_ws); 454| 209k| T2.mod_sub(T1, p, sub_ws); 455| | 456| 209k| fe_sqr(group, T3, T0, ws); 457| 209k| fe_smul<8>(T3, p, sub_ws); 458| | 459| 209k| T1.mod_sub(T2, p, sub_ws); 460| | 461| 209k| fe_mul(group, T0, T4, T1, ws); 462| 209k| T0.mod_sub(T3, p, sub_ws); 463| | 464| 209k| m_x.swap(T2); 465| | 466| 209k| fe_mul(group, T2, m_y, m_z, ws); 467| 209k| fe_smul<2>(T2, p, sub_ws); 468| | 469| 209k| m_y.swap(T0); 470| 209k| m_z.swap(T2); 471| 209k|} _ZN5Botan8EC_Point16force_all_affineENSt3__14spanIS0_Lm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEE: 520| 590|void EC_Point::force_all_affine(std::span points, secure_vector& ws) { 521| 590| if(points.size() <= 1) { ------------------ | Branch (521:7): [True: 0, False: 590] ------------------ 522| 0| for(auto& point : points) { ------------------ | Branch (522:23): [True: 0, False: 0] ------------------ 523| 0| point.force_affine(); 524| 0| } 525| 0| return; 526| 0| } 527| | 528| 489k| for(auto& point : points) { ------------------ | Branch (528:20): [True: 489k, False: 590] ------------------ 529| 489k| if(point.is_zero()) { ------------------ | Branch (529:10): [True: 0, False: 489k] ------------------ 530| 0| throw Invalid_State("Cannot convert zero ECC point to affine"); 531| 0| } 532| 489k| } 533| | 534| | /* 535| | For >= 2 points use Montgomery's trick 536| | 537| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 538| | (Hankerson, Menezes, Vanstone) 539| | 540| | TODO is it really necessary to save all k points in c? 541| | */ 542| | 543| 590| const auto& group = points[0].m_curve.group(); 544| 590| const BigInt& rep_1 = group.monty().R1(); 545| | 546| 590| if(ws.size() < monty_ws_size(group)) { ------------------ | Branch (546:7): [True: 0, False: 590] ------------------ 547| 0| ws.resize(monty_ws_size(group)); 548| 0| } 549| | 550| 590| std::vector c(points.size()); 551| 590| c[0] = points[0].m_z; 552| | 553| 489k| for(size_t i = 1; i != points.size(); ++i) { ------------------ | Branch (553:22): [True: 489k, False: 590] ------------------ 554| 489k| fe_mul(group, c[i], c[i - 1], points[i].m_z, ws); 555| 489k| } 556| | 557| 590| BigInt s_inv = invert_element(group, c[c.size() - 1], ws); 558| | 559| 590| BigInt z_inv; 560| 590| BigInt z2_inv; 561| 590| BigInt z3_inv; 562| | 563| 489k| for(size_t i = points.size() - 1; i != 0; i--) { ------------------ | Branch (563:38): [True: 489k, False: 590] ------------------ 564| 489k| EC_Point& point = points[i]; 565| | 566| 489k| fe_mul(group, z_inv, s_inv, c[i - 1], ws); 567| | 568| 489k| s_inv = fe_mul(group, s_inv, point.m_z, ws); 569| | 570| 489k| fe_sqr(group, z2_inv, z_inv, ws); 571| 489k| fe_mul(group, z3_inv, z2_inv, z_inv, ws); 572| 489k| point.m_x = fe_mul(group, point.m_x, z2_inv, ws); 573| 489k| point.m_y = fe_mul(group, point.m_y, z3_inv, ws); 574| 489k| point.m_z = rep_1; 575| 489k| } 576| | 577| 590| fe_sqr(group, z2_inv, s_inv, ws); 578| 590| fe_mul(group, z3_inv, z2_inv, s_inv, ws); 579| 590| points[0].m_x = fe_mul(group, points[0].m_x, z2_inv, ws); 580| 590| points[0].m_y = fe_mul(group, points[0].m_y, z3_inv, ws); 581| 590| points[0].m_z = rep_1; 582| 590|} _ZN5Botan8EC_Point12force_affineEv: 584| 64|void EC_Point::force_affine() { 585| 64| if(is_zero()) { ------------------ | Branch (585:7): [True: 0, False: 64] ------------------ 586| 0| throw Invalid_State("Cannot convert zero ECC point to affine"); 587| 0| } 588| | 589| 64| secure_vector ws; 590| | 591| 64| const auto& group = m_curve.group(); 592| | 593| 64| const BigInt z_inv = invert_element(group, m_z, ws); 594| 64| const BigInt z2_inv = fe_sqr(group, z_inv, ws); 595| 64| const BigInt z3_inv = fe_mul(group, z_inv, z2_inv, ws); 596| 64| m_x = fe_mul(group, m_x, z2_inv, ws); 597| 64| m_y = fe_mul(group, m_y, z3_inv, ws); 598| 64| m_z = group.monty().R1(); 599| 64|} _ZNK5Botan8EC_Point9is_affineEv: 601| 128|bool EC_Point::is_affine() const { 602| 128| const auto& group = m_curve.group(); 603| 128| return m_z == group.monty().R1(); 604| 128|} _ZNK5Botan8EC_Point8xy_bytesEv: 622| 64|secure_vector EC_Point::xy_bytes() const { 623| 64| const auto& group = m_curve.group(); 624| 64| const size_t p_bytes = group.p_bytes(); 625| 64| secure_vector b(2 * p_bytes); 626| 64| BigInt::encode_1363(&b[0], p_bytes, this->get_affine_x()); // NOLINT(*container-data-pointer) 627| 64| BigInt::encode_1363(&b[p_bytes], p_bytes, this->get_affine_y()); 628| 64| return b; 629| 64|} _ZNK5Botan8EC_Point12get_affine_xEv: 631| 64|BigInt EC_Point::get_affine_x() const { 632| 64| if(is_zero()) { ------------------ | Branch (632:7): [True: 0, False: 64] ------------------ 633| 0| throw Invalid_State("Cannot convert zero point to affine"); 634| 0| } 635| | 636| 64| secure_vector monty_ws; 637| | 638| 64| const auto& group = m_curve.group(); 639| | 640| 64| if(is_affine()) { ------------------ | Branch (640:7): [True: 64, False: 0] ------------------ 641| 64| return from_rep_to_tmp(group, m_x, monty_ws); 642| 64| } 643| | 644| 0| BigInt z2 = fe_sqr(group, m_z, monty_ws); 645| 0| z2 = invert_element(group, z2, monty_ws); 646| | 647| 0| BigInt r; 648| 0| fe_mul(group, r, m_x, z2, monty_ws); 649| 0| from_rep(group, r, monty_ws); 650| 0| return r; 651| 64|} _ZNK5Botan8EC_Point12get_affine_yEv: 653| 64|BigInt EC_Point::get_affine_y() const { 654| 64| if(is_zero()) { ------------------ | Branch (654:7): [True: 0, False: 64] ------------------ 655| 0| throw Invalid_State("Cannot convert zero point to affine"); 656| 0| } 657| | 658| 64| const auto& group = m_curve.group(); 659| 64| secure_vector monty_ws; 660| | 661| 64| if(is_affine()) { ------------------ | Branch (661:7): [True: 64, False: 0] ------------------ 662| 64| return from_rep_to_tmp(group, m_y, monty_ws); 663| 64| } 664| | 665| 0| const BigInt z2 = fe_sqr(group, m_z, monty_ws); 666| 0| const BigInt z3 = fe_mul(group, m_z, z2, monty_ws); 667| 0| const BigInt z3_inv = invert_element(group, z3, monty_ws); 668| | 669| 0| BigInt r; 670| 0| fe_mul(group, r, m_y, z3_inv, monty_ws); 671| 0| from_rep(group, r, monty_ws); 672| 0| return r; 673| 64|} _ZNK5Botan8EC_Point12on_the_curveEv: 675| 66|bool EC_Point::on_the_curve() const { 676| | /* 677| | Is the point still on the curve?? (If everything is correct, the 678| | point is always on its curve; then the function will return true. 679| | If somehow the state is corrupted, which suggests a fault attack 680| | (or internal computational error), then return false. 681| | */ 682| 66| if(is_zero()) { ------------------ | Branch (682:7): [True: 0, False: 66] ------------------ 683| 0| return true; 684| 0| } 685| | 686| 66| const auto& group = m_curve.group(); 687| 66| secure_vector monty_ws; 688| | 689| 66| const BigInt y2 = from_rep_to_tmp(group, fe_sqr(group, m_y, monty_ws), monty_ws); 690| 66| const BigInt x3 = fe_mul(group, m_x, fe_sqr(group, m_x, monty_ws), monty_ws); 691| 66| const BigInt ax = fe_mul(group, m_x, group.monty_a(), monty_ws); 692| 66| const BigInt z2 = fe_sqr(group, m_z, monty_ws); 693| | 694| 66| const BigInt& monty_b = group.monty_b(); 695| | 696| | // Is z equal to 1 (in Montgomery form)? 697| 66| if(m_z == z2) { ------------------ | Branch (697:7): [True: 66, False: 0] ------------------ 698| 66| if(y2 != from_rep_to_tmp(group, x3 + ax + monty_b, monty_ws)) { ------------------ | Branch (698:10): [True: 65, False: 1] ------------------ 699| 65| return false; 700| 65| } 701| 66| } 702| | 703| 1| const BigInt z3 = fe_mul(group, m_z, z2, monty_ws); 704| 1| const BigInt ax_z4 = fe_mul(group, ax, fe_sqr(group, z2, monty_ws), monty_ws); 705| 1| const BigInt b_z6 = fe_mul(group, monty_b, fe_sqr(group, z3, monty_ws), monty_ws); 706| | 707| 1| if(y2 != from_rep_to_tmp(group, x3 + ax_z4 + b_z6, monty_ws)) { ------------------ | Branch (707:7): [True: 0, False: 1] ------------------ 708| 0| return false; 709| 0| } 710| | 711| 1| return true; 712| 1|} _ZN5Botan8EC_Point4swapERS0_: 792| 424k|void EC_Point::swap(EC_Point& other) noexcept { 793| 424k| m_curve.swap(other.m_curve); 794| 424k| m_x.swap(other.m_x); 795| 424k| m_y.swap(other.m_y); 796| 424k| m_z.swap(other.m_z); 797| 424k|} _ZN5Botan6OS2ECPENSt3__14spanIKhLm18446744073709551615EEERKNS_8CurveGFpE: 866| 491|EC_Point OS2ECP(std::span data, const CurveGFp& curve) { 867| 491| return OS2ECP(data.data(), data.size(), curve); 868| 491|} _ZN5Botan6OS2ECPEPKhmRKNS_8CurveGFpE: 870| 491|EC_Point OS2ECP(const uint8_t data[], size_t data_len, const CurveGFp& curve) { 871| 491| if(data_len == 1 && data[0] == 0) { ------------------ | Branch (871:7): [True: 0, False: 491] | Branch (871:24): [True: 0, False: 0] ------------------ 872| | // SEC1 standard representation of the point at infinity 873| 0| return EC_Point(curve); 874| 0| } 875| | 876| 491| const auto [g_x, g_y] = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b()); 877| | 878| 491| EC_Point point(curve, g_x, g_y); 879| | 880| 491| if(!point.on_the_curve()) { ------------------ | Branch (880:7): [True: 65, False: 426] ------------------ 881| 65| throw Decoding_Error("OS2ECP: Decoded point was not on the curve"); 882| 65| } 883| | 884| 426| return point; 885| 491|} _ZN5Botan6OS2ECPEPKhmRKNS_6BigIntES4_S4_: 887| 491|std::pair OS2ECP(const uint8_t pt[], size_t pt_len, const BigInt& p, const BigInt& a, const BigInt& b) { 888| 491| if(pt_len <= 1) { ------------------ | Branch (888:7): [True: 0, False: 491] ------------------ 889| 0| throw Decoding_Error("OS2ECP invalid point encoding"); 890| 0| } 891| | 892| 491| const uint8_t pc = pt[0]; 893| 491| const size_t p_bytes = p.bytes(); 894| | 895| 491| BigInt x; 896| 491| BigInt y; 897| | 898| 491| if(pc == 2 || pc == 3) { ------------------ | Branch (898:7): [True: 1, False: 490] | Branch (898:18): [True: 1, False: 489] ------------------ 899| 2| if(pt_len != 1 + p_bytes) { ------------------ | Branch (899:10): [True: 2, False: 0] ------------------ 900| 2| throw Decoding_Error("OS2ECP invalid point encoding"); 901| 2| } 902| 0| x = BigInt::decode(&pt[1], pt_len - 1); 903| | 904| 0| const bool y_mod_2 = ((pc & 0x01) == 1); 905| 0| y = decompress_point(y_mod_2, x, p, a, b); 906| 489| } else if(pc == 4) { ------------------ | Branch (906:14): [True: 68, False: 421] ------------------ 907| 68| if(pt_len != 1 + 2 * p_bytes) { ------------------ | Branch (907:10): [True: 0, False: 68] ------------------ 908| 0| throw Decoding_Error("OS2ECP invalid point encoding"); 909| 0| } 910| | 911| 68| x = BigInt::decode(&pt[1], p_bytes); 912| 68| y = BigInt::decode(&pt[p_bytes + 1], p_bytes); 913| 421| } else if(pc == 6 || pc == 7) { ------------------ | Branch (913:14): [True: 33, False: 388] | Branch (913:25): [True: 379, False: 9] ------------------ 914| 412| if(pt_len != 1 + 2 * p_bytes) { ------------------ | Branch (914:10): [True: 0, False: 412] ------------------ 915| 0| throw Decoding_Error("OS2ECP invalid point encoding"); 916| 0| } 917| | 918| 412| x = BigInt::decode(&pt[1], p_bytes); 919| 412| y = BigInt::decode(&pt[p_bytes + 1], p_bytes); 920| | 921| 412| const bool y_mod_2 = ((pc & 0x01) == 1); 922| | 923| 412| if(decompress_point(y_mod_2, x, p, a, b) != y) { ------------------ | Branch (923:10): [True: 250, False: 162] ------------------ 924| 250| throw Decoding_Error("OS2ECP: Decoding error in hybrid format"); 925| 250| } 926| 412| } else { 927| 9| throw Decoding_Error("OS2ECP: Unknown format type " + std::to_string(static_cast(pc))); 928| 9| } 929| | 930| 230| if(x >= p || y >= p) { ------------------ | Branch (930:7): [True: 163, False: 67] | Branch (930:17): [True: 1, False: 66] ------------------ 931| 2| throw Decoding_Error("OS2ECP invalid point encoding"); 932| 2| } 933| | 934| 228| return std::make_pair(x, y); 935| 230|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_113monty_ws_sizeERKNS_13EC_Group_DataE: 102| 497k|size_t monty_ws_size(const EC_Group_Data& group) { 103| 497k| return 2 * group.p_words(); 104| 497k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16to_repERKNS_13EC_Group_DataERNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 55| 8.72k|void to_rep(const EC_Group_Data& group, BigInt& x, secure_vector& ws) { 56| 8.72k| group.monty().mul_by(x, group.monty().R2(), ws); 57| 8.72k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_sqrERKNS_13EC_Group_DataERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 94| 264|BigInt fe_sqr(const EC_Group_Data& group, const BigInt& x, secure_vector& ws) { 95| 264| return group.monty().sqr(x, ws); 96| 264|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_mulERKNS_13EC_Group_DataERKNS_6BigIntES6_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 82| 1.46M|inline BigInt fe_mul(const EC_Group_Data& group, const BigInt& x, const BigInt& y, secure_vector& ws) { 83| 1.46M| return group.monty().mul(x, y, ws); 84| 1.46M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_19resize_wsERNSt3__16vectorINS_6BigIntENS1_9allocatorIS3_EEEEm: 163| 492k|inline void resize_ws(std::vector& ws_bn, size_t cap_size) { 164| 492k| BOTAN_ASSERT(ws_bn.size() >= EC_Point::WORKSPACE_SIZE, "Expected size for EC_Point workspace"); ------------------ | | 64| 492k| do { \ | | 65| 492k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 492k| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 492k] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 492k| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 492k] | | ------------------ ------------------ 165| | 166| 3.94M| for(auto& ws : ws_bn) { ------------------ | Branch (166:17): [True: 3.94M, False: 492k] ------------------ 167| 3.94M| if(ws.size() < cap_size) { ------------------ | Branch (167:10): [True: 5.28k, False: 3.93M] ------------------ 168| 5.28k| ws.get_word_vector().resize(cap_size); 169| 5.28k| } 170| 3.94M| } 171| 492k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_sqrERKNS_13EC_Group_DataERNS_6BigIntERKS4_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 86| 2.17M|void fe_sqr(const EC_Group_Data& group, BigInt& z, const BigInt& x, secure_vector& ws) { 87| 2.17M| group.monty().sqr(z, x, ws); 88| 2.17M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_mulERKNS_13EC_Group_DataERNS_6BigIntEPKmmRKS4_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 72| 1.12M| const EC_Group_Data& group, BigInt& z, const word x_w[], size_t x_size, const BigInt& y, secure_vector& ws) { 73| 1.12M| group.monty().mul(z, y, std::span{x_w, x_size}, ws); 74| 1.12M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_mulERKNS_13EC_Group_DataERNS_6BigIntERKS4_S7_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 67| 4.39M|inline void fe_mul(const EC_Group_Data& group, BigInt& z, const BigInt& x, const BigInt& y, secure_vector& ws) { 68| 4.39M| group.monty().mul(z, x, y, ws); 69| 4.39M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_sqrERKNS_13EC_Group_DataERNS_6BigIntEPKmmRNSt3__16vectorImNS_16secure_allocatorImEEEE: 90| 279k|void fe_sqr(const EC_Group_Data& group, BigInt& z, const word x_w[], size_t x_size, secure_vector& ws) { 91| 279k| group.monty().sqr(z, std::span{x_w, x_size}, ws); 92| 279k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_114invert_elementERKNS_13EC_Group_DataERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 98| 654|BigInt invert_element(const EC_Group_Data& group, const BigInt& x, secure_vector& ws) { 99| 654| return group.monty().mul(inverse_mod_public_prime(x, group.p()), group.monty().R3(), ws); 100| 654|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_115from_rep_to_tmpERKNS_13EC_Group_DataERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 63| 261|BigInt from_rep_to_tmp(const EC_Group_Data& group, const BigInt& x, secure_vector& ws) { 64| 261| return group.monty().redc(x, ws); 65| 261|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_116decompress_pointEbRKNS_6BigIntES3_S3_S3_: 848| 412|BigInt decompress_point(bool y_mod_2, const BigInt& x, const BigInt& p, const BigInt& a, const BigInt& b) { 849| 412| const BigInt g = ((x * x + a) * x + b) % p; 850| | 851| 412| BigInt z = sqrt_modulo_prime(g, p); 852| | 853| 412| if(z < 0) { ------------------ | Branch (853:7): [True: 162, False: 250] ------------------ 854| 162| throw Decoding_Error("Error during EC point decompression"); 855| 162| } 856| | 857| 250| if(z.get_bit(0) != y_mod_2) { ------------------ | Branch (857:7): [True: 133, False: 117] ------------------ 858| 133| z = p - z; 859| 133| } 860| | 861| 250| return z; 862| 412|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm4EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 209k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 209k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 209k| z.mod_mul(M, p, ws); 80| 209k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm3EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 209k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 209k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 209k| z.mod_mul(M, p, ws); 80| 209k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm8EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 209k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 209k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 209k| z.mod_mul(M, p, ws); 80| 209k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm2EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 209k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 209k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 209k| z.mod_mul(M, p, ws); 80| 209k|} _ZN5Botan30EC_Point_Base_Point_PrecomputeC2ERKNS_8EC_PointERKNS_17Barrett_ReductionE: 43| 590| m_base_point(base), m_mod_order(mod_order), m_p_words(base.get_curve().get_p_words()) { 44| 590| std::vector ws(EC_Point::WORKSPACE_SIZE); 45| | 46| 590| const size_t order_bits = mod_order.modulus_bits(); 47| | 48| 590| const size_t T_bits = round_up(order_bits + blinding_size(order_bits), WindowBits) / WindowBits; 49| | 50| 590| std::vector T(WindowSize * T_bits); 51| | 52| 590| EC_Point g = base; 53| 590| EC_Point g2; 54| 590| EC_Point g4; 55| | 56| 70.5k| for(size_t i = 0; i != T_bits; i++) { ------------------ | Branch (56:22): [True: 69.9k, False: 590] ------------------ 57| 69.9k| g2 = g; 58| 69.9k| g2.mult2(ws); 59| 69.9k| g4 = g2; 60| 69.9k| g4.mult2(ws); 61| | 62| 69.9k| T[7 * i + 0] = g; 63| 69.9k| T[7 * i + 1] = std::move(g2); 64| 69.9k| T[7 * i + 2] = T[7 * i + 1].plus(T[7 * i + 0], ws); // g2+g 65| 69.9k| T[7 * i + 3] = g4; 66| 69.9k| T[7 * i + 4] = T[7 * i + 3].plus(T[7 * i + 0], ws); // g4+g 67| 69.9k| T[7 * i + 5] = T[7 * i + 3].plus(T[7 * i + 1], ws); // g4+g2 68| 69.9k| T[7 * i + 6] = T[7 * i + 3].plus(T[7 * i + 2], ws); // g4+g2+g 69| | 70| 69.9k| g.swap(g4); 71| 69.9k| g.mult2(ws); 72| 69.9k| } 73| | 74| 590| EC_Point::force_all_affine(T, ws[0].get_word_vector()); 75| | 76| 590| m_W.resize(T.size() * 2 * m_p_words); 77| | 78| 590| word* p = m_W.data(); 79| 489k| for(const auto& pt : T) { ------------------ | Branch (79:23): [True: 489k, False: 590] ------------------ 80| 489k| pt.get_x().encode_words(p, m_p_words); 81| 489k| p += m_p_words; 82| 489k| pt.get_y().encode_words(p, m_p_words); 83| 489k| p += m_p_words; 84| 489k| } 85| 590|} _ZNK5Botan30EC_Point_Base_Point_Precompute3mulERKNS_6BigIntERNS_21RandomNumberGeneratorES3_RNSt3__16vectorIS1_NS6_9allocatorIS1_EEEE: 90| 63| std::vector& ws) const { 91| 63| if(k.signum() < 0) { ------------------ | Branch (91:7): [True: 0, False: 63] ------------------ 92| 0| throw Invalid_Argument("EC_Point_Base_Point_Precompute scalar must be positive"); 93| 0| } 94| | 95| | // Instead of reducing k mod group order should we alter the mask size?? 96| 63| BigInt scalar = m_mod_order.reduce(k); 97| | 98| 63| if(rng.is_seeded()) { ------------------ | Branch (98:7): [True: 0, False: 63] ------------------ 99| | // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure) 100| 0| scalar += group_order * blinding_mask(group_order, rng); 101| 63| } else { 102| | /* 103| | When we don't have an RNG we cannot do scalar blinding. Instead use the 104| | same trick as OpenSSL and add one or two copies of the order to normalize 105| | the length of the scalar at order.bits()+1. This at least ensures the loop 106| | bound does not leak information about the high bits of the scalar. 107| | */ 108| 63| scalar += group_order; 109| 63| if(scalar.bits() == group_order.bits()) { ------------------ | Branch (109:10): [True: 62, False: 1] ------------------ 110| 62| scalar += group_order; 111| 62| } 112| 63| BOTAN_DEBUG_ASSERT(scalar.bits() == group_order.bits() + 1); ------------------ | | 130| 63| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 63| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 63] | | ------------------ ------------------ 113| 63| } 114| | 115| 63| const size_t windows = round_up(scalar.bits(), WindowBits) / WindowBits; 116| | 117| 63| const size_t elem_size = 2 * m_p_words; 118| | 119| 63| BOTAN_ASSERT(windows <= m_W.size() / (3 * elem_size), "Precomputed sufficient values for scalar mult"); ------------------ | | 64| 63| do { \ | | 65| 63| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 63| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 63] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 63| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 63] | | ------------------ ------------------ 120| | 121| 63| EC_Point R = m_base_point.zero(); 122| | 123| 63| if(ws.size() < EC_Point::WORKSPACE_SIZE) { ------------------ | Branch (123:7): [True: 63, False: 0] ------------------ 124| 63| ws.resize(EC_Point::WORKSPACE_SIZE); 125| 63| } 126| | 127| | // the precomputed multiples are not secret so use std::vector 128| 63| std::vector Wt(elem_size); 129| | 130| 4.50k| for(size_t i = 0; i != windows; ++i) { ------------------ | Branch (130:22): [True: 4.44k, False: 63] ------------------ 131| 4.44k| const size_t window = windows - i - 1; 132| 4.44k| const size_t base_addr = (WindowSize * window) * elem_size; 133| | 134| 4.44k| const word w = scalar.get_substring(WindowBits * window, WindowBits); 135| | 136| 4.44k| const auto w_is_1 = CT::Mask::is_equal(w, 1); 137| 4.44k| const auto w_is_2 = CT::Mask::is_equal(w, 2); 138| 4.44k| const auto w_is_3 = CT::Mask::is_equal(w, 3); 139| 4.44k| const auto w_is_4 = CT::Mask::is_equal(w, 4); 140| 4.44k| const auto w_is_5 = CT::Mask::is_equal(w, 5); 141| 4.44k| const auto w_is_6 = CT::Mask::is_equal(w, 6); 142| 4.44k| const auto w_is_7 = CT::Mask::is_equal(w, 7); 143| | 144| 38.1k| for(size_t j = 0; j != elem_size; ++j) { ------------------ | Branch (144:25): [True: 33.7k, False: 4.44k] ------------------ 145| 33.7k| const word w1 = w_is_1.if_set_return(m_W[base_addr + 0 * elem_size + j]); 146| 33.7k| const word w2 = w_is_2.if_set_return(m_W[base_addr + 1 * elem_size + j]); 147| 33.7k| const word w3 = w_is_3.if_set_return(m_W[base_addr + 2 * elem_size + j]); 148| 33.7k| const word w4 = w_is_4.if_set_return(m_W[base_addr + 3 * elem_size + j]); 149| 33.7k| const word w5 = w_is_5.if_set_return(m_W[base_addr + 4 * elem_size + j]); 150| 33.7k| const word w6 = w_is_6.if_set_return(m_W[base_addr + 5 * elem_size + j]); 151| 33.7k| const word w7 = w_is_7.if_set_return(m_W[base_addr + 6 * elem_size + j]); 152| | 153| 33.7k| Wt[j] = w1 | w2 | w3 | w4 | w5 | w6 | w7; 154| 33.7k| } 155| | 156| 4.44k| R.add_affine(Wt.data(), m_p_words, &Wt[m_p_words], m_p_words, ws); 157| | 158| 4.44k| if(i == 0 && rng.is_seeded()) { ------------------ | Branch (158:10): [True: 63, False: 4.38k] | Branch (158:20): [True: 0, False: 63] ------------------ 159| | /* 160| | * Since we start with the top bit of the exponent we know the 161| | * first window must have a non-zero element, and thus R is 162| | * now a point other than the point at infinity. 163| | */ 164| 0| BOTAN_DEBUG_ASSERT(w != 0); ------------------ | | 130| 0| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 0| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 0] | | ------------------ ------------------ 165| 0| R.randomize_repr(rng, ws[0].get_word_vector()); 166| 0| } 167| 4.44k| } 168| | 169| 63| BOTAN_DEBUG_ASSERT(R.on_the_curve()); ------------------ | | 130| 63| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 63| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 63] | | ------------------ ------------------ 170| | 171| 63| return R; 172| 63|} point_mul.cpp:_ZN5Botan12_GLOBAL__N_113blinding_sizeEm: 20| 590|size_t blinding_size(size_t order_bits) { 21| 590| return (order_bits + 1) / 2; 22| 590|} _ZN5Botan17EC_PublicKey_DataC2ENS_8EC_GroupENS_14EC_AffinePointE: 15| 1.63k| m_group(std::move(group)), m_point(std::move(pt)) { 16| 1.63k|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 17| 1.63k| m_legacy_point = m_point.to_legacy_point(); 18| 1.63k|#endif 19| | 20| | // Checking that the point lies on the curve is done in the deserialization 21| | // of EC_AffinePoint. 22| 1.63k| BOTAN_ARG_CHECK(!m_point.is_identity(), "ECC public key cannot be point at infinity"); ------------------ | | 35| 1.63k| do { \ | | 36| 1.63k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.63k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.63k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.63k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.63k] | | ------------------ ------------------ 23| 1.63k|} _ZN5Botan18EC_PrivateKey_DataC2ENS_8EC_GroupENS_9EC_ScalarE: 26| 2.49k| m_group(std::move(group)), m_scalar(std::move(x)), m_legacy_x(m_scalar.to_bigint()) { 27| | // Checking that the scalar is lower than the group order is ensured in the 28| | // deserialization of the EC_Scalar or during the random generation respectively. 29| 2.49k| BOTAN_ARG_CHECK(m_scalar.is_nonzero(), "ECC private key cannot be zero"); ------------------ | | 35| 2.49k| do { \ | | 36| 2.49k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.49k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.49k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.49k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.49k] | | ------------------ ------------------ 30| 2.49k|} _ZN5Botan18EC_PrivateKey_DataC2ERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 62| 2.51k| Botan::EC_PrivateKey_Data(group, decode_ec_secret_key_scalar(group, bytes)) {} _ZN5Botan18EC_PrivateKey_DataD2Ev: 64| 2.49k|EC_PrivateKey_Data::~EC_PrivateKey_Data() { 65| 2.49k| m_scalar.zeroize(); 66| 2.49k|} _ZNK5Botan18EC_PrivateKey_Data10public_keyERNS_21RandomNumberGeneratorEb: 69| 1.62k| bool with_modular_inverse) const { 70| 1.62k| auto public_point = [&] { 71| 1.62k| if(with_modular_inverse) { 72| 1.62k| return EC_AffinePoint::g_mul(m_scalar.invert(), rng); 73| 1.62k| } else { 74| 1.62k| return EC_AffinePoint::g_mul(m_scalar, rng); 75| 1.62k| } 76| 1.62k| }; 77| | 78| 1.62k| return std::make_shared(m_group, public_point()); 79| 1.62k|} _ZNK5Botan18EC_PrivateKey_Data10public_keyEb: 81| 1.62k|std::shared_ptr EC_PrivateKey_Data::public_key(bool with_modular_inverse) const { 82| 1.62k| Null_RNG null_rng; 83| 1.62k| return this->public_key(null_rng, with_modular_inverse); 84| 1.62k|} ec_key_data.cpp:_ZN5Botan12_GLOBAL__N_127decode_ec_secret_key_scalarERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 34| 4.60k|EC_Scalar decode_ec_secret_key_scalar(const EC_Group& group, std::span bytes) { 35| 4.60k| const size_t order_bytes = group.get_order_bytes(); 36| | 37| 4.60k| if(bytes.size() < order_bytes) { ------------------ | Branch (37:7): [True: 2.08k, False: 2.51k] ------------------ 38| | /* 39| | * Older versions had a bug which caused secret keys to not be encoded to 40| | * the full byte length of the order if there were leading zero bytes. This 41| | * was particularly a problem for P-521, where on average half of keys do 42| | * not have their high bit set and so can be encoded in 65 bytes, vs 66 43| | * bytes for the full order. 44| | * 45| | * To accommodate this, zero prefix the key if we see such a short input 46| | */ 47| 2.08k| secure_vector padded_sk(order_bytes); 48| 2.08k| copy_mem(std::span{padded_sk}.last(bytes.size()), bytes); 49| 2.08k| return decode_ec_secret_key_scalar(group, padded_sk); 50| 2.08k| } 51| | 52| 2.51k| if(auto s = EC_Scalar::deserialize(group, bytes)) { ------------------ | Branch (52:12): [True: 2.49k, False: 21] ------------------ 53| 2.49k| return s.value(); 54| 2.49k| } else { 55| 21| throw Decoding_Error("EC private key is invalid for this group"); 56| 21| } 57| 2.51k|} ec_key_data.cpp:_ZZNK5Botan18EC_PrivateKey_Data10public_keyERNS_21RandomNumberGeneratorEbENK3$_0clEv: 70| 1.62k| auto public_point = [&] { 71| 1.62k| if(with_modular_inverse) { ------------------ | Branch (71:10): [True: 0, False: 1.62k] ------------------ 72| 0| return EC_AffinePoint::g_mul(m_scalar.invert(), rng); 73| 1.62k| } else { 74| 1.62k| return EC_AffinePoint::g_mul(m_scalar, rng); 75| 1.62k| } 76| 1.62k| }; _ZNK5Botan12EC_PublicKey6domainEv: 64| 1.63k|const EC_Group& EC_PublicKey::domain() const { 65| 1.63k| BOTAN_STATE_CHECK(m_public_key != nullptr); ------------------ | | 51| 1.63k| do { \ | | 52| 1.63k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 1.63k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 1.63k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 1.63k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 1.63k] | | ------------------ ------------------ 66| 1.63k| return m_public_key->group(); 67| 1.63k|} _ZN5Botan13EC_PrivateKeyC2ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEEb: 179| 3.66k| m_with_modular_inverse(with_modular_inverse) { 180| 3.66k| const EC_Group group(alg_id.parameters()); 181| | 182| 3.66k| OID key_parameters; 183| 3.66k| secure_vector private_key_bits; 184| 3.66k| secure_vector public_key_bits; 185| | 186| 3.66k| BER_Decoder(key_bits, BER_Decoder::Limits::DER()) 187| 3.66k| .start_sequence() 188| 3.66k| .decode_and_check(1, "Unknown version code for ECC key") 189| 3.66k| .decode(private_key_bits, ASN1_Type::OctetString) 190| 3.66k| .decode_optional(key_parameters, ASN1_Type(0), ASN1_Class::ExplicitContextSpecific) 191| 3.66k| .decode_optional_string(public_key_bits, ASN1_Type::BitString, 1, ASN1_Class::ExplicitContextSpecific) 192| 3.66k| .end_cons() 193| 3.66k| .verify_end(); 194| | 195| 3.66k| m_private_key = std::make_shared(group, private_key_bits); 196| | 197| 3.66k| if(public_key_bits.empty()) { ------------------ | Branch (197:7): [True: 1.62k, False: 2.03k] ------------------ 198| 1.62k| m_public_key = m_private_key->public_key(with_modular_inverse); 199| 2.03k| } else { 200| 2.03k| m_public_key = std::make_shared(group, public_key_bits); 201| 2.03k| } 202| | 203| 3.66k| m_domain_encoding = default_encoding_for(domain()); 204| 3.66k|} ecc_key.cpp:_ZN5Botan12_GLOBAL__N_120default_encoding_forERKNS_8EC_GroupE: 36| 1.63k|EC_Group_Encoding default_encoding_for(const EC_Group& group) { 37| 1.63k| if(group.get_curve_oid().empty()) { ------------------ | Branch (37:7): [True: 14, False: 1.61k] ------------------ 38| 14| return EC_Group_Encoding::Explicit; 39| 1.61k| } else { 40| 1.61k| return EC_Group_Encoding::NamedCurve; 41| 1.61k| } 42| 1.63k|} _ZN5Botan19ed25519_gen_keypairEPhS0_PKh: 19| 2|void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32]) { 20| 2| uint8_t az[64]; 21| | 22| 2| auto sha512 = HashFunction::create_or_throw("SHA-512"); 23| 2| sha512->update(seed, 32); 24| 2| sha512->final(az); 25| 2| az[0] &= 248; 26| 2| az[31] &= 63; 27| 2| az[31] |= 64; 28| | 29| 2| ed25519_basepoint_mul(std::span{pk, 32}, az); 30| | 31| 2| copy_mem(sk, seed, 32); 32| 2| copy_mem(sk + 32, pk, 32); 33| 2|} _ZNK5Botan20Ed25519_FieldElement6invertEv: 18| 2|Ed25519_FieldElement Ed25519_FieldElement::invert() const { 19| 2| auto t0 = this->sqr(); 20| 2| auto t1 = t0.sqr_iter(2); 21| 2| t1 = *this * t1; 22| 2| t0 = t0 * t1; 23| 2| auto t2 = t0.sqr(); 24| 2| t1 = t1 * t2; 25| 2| t2 = t1.sqr_iter(5); 26| 2| t1 = t2 * t1; 27| 2| t2 = t1.sqr_iter(10); 28| 2| t2 = t2 * t1; 29| 2| auto t3 = t2.sqr_iter(20); 30| 2| t2 = t3 * t2; 31| 2| t2 = t2.sqr_iter(10); 32| 2| t1 = t2 * t1; 33| 2| t2 = t1.sqr_iter(50); 34| 2| t2 = t2 * t1; 35| 2| t3 = t2.sqr_iter(100); 36| 2| t2 = t3 * t2; 37| 2| t2 = t2.sqr_iter(50); 38| 2| t1 = t2 * t1; 39| 2| t1 = t1.sqr_iter(5); 40| | 41| 2| t0 = t1 * t0; 42| 2| return t0; 43| 2|} _ZN5Botan20Ed25519_FieldElement3mulERKS0_S2_: 105| 948|Ed25519_FieldElement Ed25519_FieldElement::mul(const Ed25519_FieldElement& f, const Ed25519_FieldElement& g) { 106| 948| const int32_t f0 = f.m_fe[0]; 107| 948| const int32_t f1 = f.m_fe[1]; 108| 948| const int32_t f2 = f.m_fe[2]; 109| 948| const int32_t f3 = f.m_fe[3]; 110| 948| const int32_t f4 = f.m_fe[4]; 111| 948| const int32_t f5 = f.m_fe[5]; 112| 948| const int32_t f6 = f.m_fe[6]; 113| 948| const int32_t f7 = f.m_fe[7]; 114| 948| const int32_t f8 = f.m_fe[8]; 115| 948| const int32_t f9 = f.m_fe[9]; 116| | 117| 948| const int32_t g0 = g.m_fe[0]; 118| 948| const int32_t g1 = g.m_fe[1]; 119| 948| const int32_t g2 = g.m_fe[2]; 120| 948| const int32_t g3 = g.m_fe[3]; 121| 948| const int32_t g4 = g.m_fe[4]; 122| 948| const int32_t g5 = g.m_fe[5]; 123| 948| const int32_t g6 = g.m_fe[6]; 124| 948| const int32_t g7 = g.m_fe[7]; 125| 948| const int32_t g8 = g.m_fe[8]; 126| 948| const int32_t g9 = g.m_fe[9]; 127| | 128| 948| const int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ 129| 948| const int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ 130| 948| const int32_t g3_19 = 19 * g3; 131| 948| const int32_t g4_19 = 19 * g4; 132| 948| const int32_t g5_19 = 19 * g5; 133| 948| const int32_t g6_19 = 19 * g6; 134| 948| const int32_t g7_19 = 19 * g7; 135| 948| const int32_t g8_19 = 19 * g8; 136| 948| const int32_t g9_19 = 19 * g9; 137| 948| const int32_t f1_2 = 2 * f1; 138| 948| const int32_t f3_2 = 2 * f3; 139| 948| const int32_t f5_2 = 2 * f5; 140| 948| const int32_t f7_2 = 2 * f7; 141| 948| const int32_t f9_2 = 2 * f9; 142| | 143| 948| const int64_t f0g0 = f0 * static_cast(g0); 144| 948| const int64_t f0g1 = f0 * static_cast(g1); 145| 948| const int64_t f0g2 = f0 * static_cast(g2); 146| 948| const int64_t f0g3 = f0 * static_cast(g3); 147| 948| const int64_t f0g4 = f0 * static_cast(g4); 148| 948| const int64_t f0g5 = f0 * static_cast(g5); 149| 948| const int64_t f0g6 = f0 * static_cast(g6); 150| 948| const int64_t f0g7 = f0 * static_cast(g7); 151| 948| const int64_t f0g8 = f0 * static_cast(g8); 152| 948| const int64_t f0g9 = f0 * static_cast(g9); 153| 948| const int64_t f1g0 = f1 * static_cast(g0); 154| 948| const int64_t f1g1_2 = f1_2 * static_cast(g1); 155| 948| const int64_t f1g2 = f1 * static_cast(g2); 156| 948| const int64_t f1g3_2 = f1_2 * static_cast(g3); 157| 948| const int64_t f1g4 = f1 * static_cast(g4); 158| 948| const int64_t f1g5_2 = f1_2 * static_cast(g5); 159| 948| const int64_t f1g6 = f1 * static_cast(g6); 160| 948| const int64_t f1g7_2 = f1_2 * static_cast(g7); 161| 948| const int64_t f1g8 = f1 * static_cast(g8); 162| 948| const int64_t f1g9_38 = f1_2 * static_cast(g9_19); 163| 948| const int64_t f2g0 = f2 * static_cast(g0); 164| 948| const int64_t f2g1 = f2 * static_cast(g1); 165| 948| const int64_t f2g2 = f2 * static_cast(g2); 166| 948| const int64_t f2g3 = f2 * static_cast(g3); 167| 948| const int64_t f2g4 = f2 * static_cast(g4); 168| 948| const int64_t f2g5 = f2 * static_cast(g5); 169| 948| const int64_t f2g6 = f2 * static_cast(g6); 170| 948| const int64_t f2g7 = f2 * static_cast(g7); 171| 948| const int64_t f2g8_19 = f2 * static_cast(g8_19); 172| 948| const int64_t f2g9_19 = f2 * static_cast(g9_19); 173| 948| const int64_t f3g0 = f3 * static_cast(g0); 174| 948| const int64_t f3g1_2 = f3_2 * static_cast(g1); 175| 948| const int64_t f3g2 = f3 * static_cast(g2); 176| 948| const int64_t f3g3_2 = f3_2 * static_cast(g3); 177| 948| const int64_t f3g4 = f3 * static_cast(g4); 178| 948| const int64_t f3g5_2 = f3_2 * static_cast(g5); 179| 948| const int64_t f3g6 = f3 * static_cast(g6); 180| 948| const int64_t f3g7_38 = f3_2 * static_cast(g7_19); 181| 948| const int64_t f3g8_19 = f3 * static_cast(g8_19); 182| 948| const int64_t f3g9_38 = f3_2 * static_cast(g9_19); 183| 948| const int64_t f4g0 = f4 * static_cast(g0); 184| 948| const int64_t f4g1 = f4 * static_cast(g1); 185| 948| const int64_t f4g2 = f4 * static_cast(g2); 186| 948| const int64_t f4g3 = f4 * static_cast(g3); 187| 948| const int64_t f4g4 = f4 * static_cast(g4); 188| 948| const int64_t f4g5 = f4 * static_cast(g5); 189| 948| const int64_t f4g6_19 = f4 * static_cast(g6_19); 190| 948| const int64_t f4g7_19 = f4 * static_cast(g7_19); 191| 948| const int64_t f4g8_19 = f4 * static_cast(g8_19); 192| 948| const int64_t f4g9_19 = f4 * static_cast(g9_19); 193| 948| const int64_t f5g0 = f5 * static_cast(g0); 194| 948| const int64_t f5g1_2 = f5_2 * static_cast(g1); 195| 948| const int64_t f5g2 = f5 * static_cast(g2); 196| 948| const int64_t f5g3_2 = f5_2 * static_cast(g3); 197| 948| const int64_t f5g4 = f5 * static_cast(g4); 198| 948| const int64_t f5g5_38 = f5_2 * static_cast(g5_19); 199| 948| const int64_t f5g6_19 = f5 * static_cast(g6_19); 200| 948| const int64_t f5g7_38 = f5_2 * static_cast(g7_19); 201| 948| const int64_t f5g8_19 = f5 * static_cast(g8_19); 202| 948| const int64_t f5g9_38 = f5_2 * static_cast(g9_19); 203| 948| const int64_t f6g0 = f6 * static_cast(g0); 204| 948| const int64_t f6g1 = f6 * static_cast(g1); 205| 948| const int64_t f6g2 = f6 * static_cast(g2); 206| 948| const int64_t f6g3 = f6 * static_cast(g3); 207| 948| const int64_t f6g4_19 = f6 * static_cast(g4_19); 208| 948| const int64_t f6g5_19 = f6 * static_cast(g5_19); 209| 948| const int64_t f6g6_19 = f6 * static_cast(g6_19); 210| 948| const int64_t f6g7_19 = f6 * static_cast(g7_19); 211| 948| const int64_t f6g8_19 = f6 * static_cast(g8_19); 212| 948| const int64_t f6g9_19 = f6 * static_cast(g9_19); 213| 948| const int64_t f7g0 = f7 * static_cast(g0); 214| 948| const int64_t f7g1_2 = f7_2 * static_cast(g1); 215| 948| const int64_t f7g2 = f7 * static_cast(g2); 216| 948| const int64_t f7g3_38 = f7_2 * static_cast(g3_19); 217| 948| const int64_t f7g4_19 = f7 * static_cast(g4_19); 218| 948| const int64_t f7g5_38 = f7_2 * static_cast(g5_19); 219| 948| const int64_t f7g6_19 = f7 * static_cast(g6_19); 220| 948| const int64_t f7g7_38 = f7_2 * static_cast(g7_19); 221| 948| const int64_t f7g8_19 = f7 * static_cast(g8_19); 222| 948| const int64_t f7g9_38 = f7_2 * static_cast(g9_19); 223| 948| const int64_t f8g0 = f8 * static_cast(g0); 224| 948| const int64_t f8g1 = f8 * static_cast(g1); 225| 948| const int64_t f8g2_19 = f8 * static_cast(g2_19); 226| 948| const int64_t f8g3_19 = f8 * static_cast(g3_19); 227| 948| const int64_t f8g4_19 = f8 * static_cast(g4_19); 228| 948| const int64_t f8g5_19 = f8 * static_cast(g5_19); 229| 948| const int64_t f8g6_19 = f8 * static_cast(g6_19); 230| 948| const int64_t f8g7_19 = f8 * static_cast(g7_19); 231| 948| const int64_t f8g8_19 = f8 * static_cast(g8_19); 232| 948| const int64_t f8g9_19 = f8 * static_cast(g9_19); 233| 948| const int64_t f9g0 = f9 * static_cast(g0); 234| 948| const int64_t f9g1_38 = f9_2 * static_cast(g1_19); 235| 948| const int64_t f9g2_19 = f9 * static_cast(g2_19); 236| 948| const int64_t f9g3_38 = f9_2 * static_cast(g3_19); 237| 948| const int64_t f9g4_19 = f9 * static_cast(g4_19); 238| 948| const int64_t f9g5_38 = f9_2 * static_cast(g5_19); 239| 948| const int64_t f9g6_19 = f9 * static_cast(g6_19); 240| 948| const int64_t f9g7_38 = f9_2 * static_cast(g7_19); 241| 948| const int64_t f9g8_19 = f9 * static_cast(g8_19); 242| 948| const int64_t f9g9_38 = f9_2 * static_cast(g9_19); 243| | 244| 948| int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38; 245| 948| int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19; 246| 948| int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38; 247| 948| int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19; 248| 948| int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38; 249| 948| int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19; 250| 948| int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38; 251| 948| int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19; 252| 948| int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38; 253| 948| int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0; 254| | 255| | /* 256| | |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) 257| | i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 258| | |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) 259| | i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 260| | */ 261| 948| carry<26>(h0, h1); 262| 948| carry<26>(h4, h5); 263| | 264| | /* |h0| <= 2^25 */ 265| | /* |h4| <= 2^25 */ 266| | /* |h1| <= 1.71*2^59 */ 267| | /* |h5| <= 1.71*2^59 */ 268| | 269| 948| carry<25>(h1, h2); 270| 948| carry<25>(h5, h6); 271| | 272| | /* |h1| <= 2^24; from now on fits into int32 */ 273| | /* |h5| <= 2^24; from now on fits into int32 */ 274| | /* |h2| <= 1.41*2^60 */ 275| | /* |h6| <= 1.41*2^60 */ 276| | 277| 948| carry<26>(h2, h3); 278| 948| carry<26>(h6, h7); 279| | /* |h2| <= 2^25; from now on fits into int32 unchanged */ 280| | /* |h6| <= 2^25; from now on fits into int32 unchanged */ 281| | /* |h3| <= 1.71*2^59 */ 282| | /* |h7| <= 1.71*2^59 */ 283| | 284| 948| carry<25>(h3, h4); 285| 948| carry<25>(h7, h8); 286| | /* |h3| <= 2^24; from now on fits into int32 unchanged */ 287| | /* |h7| <= 2^24; from now on fits into int32 unchanged */ 288| | /* |h4| <= 1.72*2^34 */ 289| | /* |h8| <= 1.41*2^60 */ 290| | 291| 948| carry<26>(h4, h5); 292| 948| carry<26>(h8, h9); 293| | /* |h4| <= 2^25; from now on fits into int32 unchanged */ 294| | /* |h8| <= 2^25; from now on fits into int32 unchanged */ 295| | /* |h5| <= 1.01*2^24 */ 296| | /* |h9| <= 1.71*2^59 */ 297| | 298| 948| carry<25, 19>(h9, h0); 299| | 300| | /* |h9| <= 2^24; from now on fits into int32 unchanged */ 301| | /* |h0| <= 1.1*2^39 */ 302| | 303| 948| carry<26>(h0, h1); 304| | /* |h0| <= 2^25; from now on fits into int32 unchanged */ 305| | /* |h1| <= 1.01*2^24 */ 306| | 307| 948| return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9); 308| 948|} _ZNK5Botan20Ed25519_FieldElement8sqr_iterEm: 326| 46|Ed25519_FieldElement Ed25519_FieldElement::sqr_iter(size_t iter) const { 327| 46| int32_t f0 = m_fe[0]; 328| 46| int32_t f1 = m_fe[1]; 329| 46| int32_t f2 = m_fe[2]; 330| 46| int32_t f3 = m_fe[3]; 331| 46| int32_t f4 = m_fe[4]; 332| 46| int32_t f5 = m_fe[5]; 333| 46| int32_t f6 = m_fe[6]; 334| 46| int32_t f7 = m_fe[7]; 335| 46| int32_t f8 = m_fe[8]; 336| 46| int32_t f9 = m_fe[9]; 337| | 338| 578| for(size_t i = 0; i != iter; ++i) { ------------------ | Branch (338:22): [True: 532, False: 46] ------------------ 339| 532| const int32_t f0_2 = 2 * f0; 340| 532| const int32_t f1_2 = 2 * f1; 341| 532| const int32_t f2_2 = 2 * f2; 342| 532| const int32_t f3_2 = 2 * f3; 343| 532| const int32_t f4_2 = 2 * f4; 344| 532| const int32_t f5_2 = 2 * f5; 345| 532| const int32_t f6_2 = 2 * f6; 346| 532| const int32_t f7_2 = 2 * f7; 347| 532| const int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ 348| 532| const int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ 349| 532| const int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ 350| 532| const int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ 351| 532| const int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ 352| | 353| 532| const int64_t f0f0 = f0 * static_cast(f0); 354| 532| const int64_t f0f1_2 = f0_2 * static_cast(f1); 355| 532| const int64_t f0f2_2 = f0_2 * static_cast(f2); 356| 532| const int64_t f0f3_2 = f0_2 * static_cast(f3); 357| 532| const int64_t f0f4_2 = f0_2 * static_cast(f4); 358| 532| const int64_t f0f5_2 = f0_2 * static_cast(f5); 359| 532| const int64_t f0f6_2 = f0_2 * static_cast(f6); 360| 532| const int64_t f0f7_2 = f0_2 * static_cast(f7); 361| 532| const int64_t f0f8_2 = f0_2 * static_cast(f8); 362| 532| const int64_t f0f9_2 = f0_2 * static_cast(f9); 363| 532| const int64_t f1f1_2 = f1_2 * static_cast(f1); 364| 532| const int64_t f1f2_2 = f1_2 * static_cast(f2); 365| 532| const int64_t f1f3_4 = f1_2 * static_cast(f3_2); 366| 532| const int64_t f1f4_2 = f1_2 * static_cast(f4); 367| 532| const int64_t f1f5_4 = f1_2 * static_cast(f5_2); 368| 532| const int64_t f1f6_2 = f1_2 * static_cast(f6); 369| 532| const int64_t f1f7_4 = f1_2 * static_cast(f7_2); 370| 532| const int64_t f1f8_2 = f1_2 * static_cast(f8); 371| 532| const int64_t f1f9_76 = f1_2 * static_cast(f9_38); 372| 532| const int64_t f2f2 = f2 * static_cast(f2); 373| 532| const int64_t f2f3_2 = f2_2 * static_cast(f3); 374| 532| const int64_t f2f4_2 = f2_2 * static_cast(f4); 375| 532| const int64_t f2f5_2 = f2_2 * static_cast(f5); 376| 532| const int64_t f2f6_2 = f2_2 * static_cast(f6); 377| 532| const int64_t f2f7_2 = f2_2 * static_cast(f7); 378| 532| const int64_t f2f8_38 = f2_2 * static_cast(f8_19); 379| 532| const int64_t f2f9_38 = f2 * static_cast(f9_38); 380| 532| const int64_t f3f3_2 = f3_2 * static_cast(f3); 381| 532| const int64_t f3f4_2 = f3_2 * static_cast(f4); 382| 532| const int64_t f3f5_4 = f3_2 * static_cast(f5_2); 383| 532| const int64_t f3f6_2 = f3_2 * static_cast(f6); 384| 532| const int64_t f3f7_76 = f3_2 * static_cast(f7_38); 385| 532| const int64_t f3f8_38 = f3_2 * static_cast(f8_19); 386| 532| const int64_t f3f9_76 = f3_2 * static_cast(f9_38); 387| 532| const int64_t f4f4 = f4 * static_cast(f4); 388| 532| const int64_t f4f5_2 = f4_2 * static_cast(f5); 389| 532| const int64_t f4f6_38 = f4_2 * static_cast(f6_19); 390| 532| const int64_t f4f7_38 = f4 * static_cast(f7_38); 391| 532| const int64_t f4f8_38 = f4_2 * static_cast(f8_19); 392| 532| const int64_t f4f9_38 = f4 * static_cast(f9_38); 393| 532| const int64_t f5f5_38 = f5 * static_cast(f5_38); 394| 532| const int64_t f5f6_38 = f5_2 * static_cast(f6_19); 395| 532| const int64_t f5f7_76 = f5_2 * static_cast(f7_38); 396| 532| const int64_t f5f8_38 = f5_2 * static_cast(f8_19); 397| 532| const int64_t f5f9_76 = f5_2 * static_cast(f9_38); 398| 532| const int64_t f6f6_19 = f6 * static_cast(f6_19); 399| 532| const int64_t f6f7_38 = f6 * static_cast(f7_38); 400| 532| const int64_t f6f8_38 = f6_2 * static_cast(f8_19); 401| 532| const int64_t f6f9_38 = f6 * static_cast(f9_38); 402| 532| const int64_t f7f7_38 = f7 * static_cast(f7_38); 403| 532| const int64_t f7f8_38 = f7_2 * static_cast(f8_19); 404| 532| const int64_t f7f9_76 = f7_2 * static_cast(f9_38); 405| 532| const int64_t f8f8_19 = f8 * static_cast(f8_19); 406| 532| const int64_t f8f9_38 = f8 * static_cast(f9_38); 407| 532| const int64_t f9f9_38 = f9 * static_cast(f9_38); 408| | 409| 532| int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; 410| 532| int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; 411| 532| int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; 412| 532| int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; 413| 532| int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; 414| 532| int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; 415| 532| int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; 416| 532| int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; 417| 532| int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; 418| 532| int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; 419| | 420| 532| carry<26>(h0, h1); 421| 532| carry<26>(h4, h5); 422| 532| carry<25>(h1, h2); 423| 532| carry<25>(h5, h6); 424| 532| carry<26>(h2, h3); 425| 532| carry<26>(h6, h7); 426| | 427| 532| carry<25>(h3, h4); 428| 532| carry<25>(h7, h8); 429| | 430| 532| carry<26>(h4, h5); 431| 532| carry<26>(h8, h9); 432| 532| carry<25, 19>(h9, h0); 433| 532| carry<26>(h0, h1); 434| | 435| 532| f0 = static_cast(h0); 436| 532| f1 = static_cast(h1); 437| 532| f2 = static_cast(h2); 438| 532| f3 = static_cast(h3); 439| 532| f4 = static_cast(h4); 440| 532| f5 = static_cast(h5); 441| 532| f6 = static_cast(h6); 442| 532| f7 = static_cast(h7); 443| 532| f8 = static_cast(h8); 444| 532| f9 = static_cast(h9); 445| 532| } 446| | 447| 46| return Ed25519_FieldElement(f0, f1, f2, f3, f4, f5, f6, f7, f8, f9); 448| 46|} _ZNK5Botan20Ed25519_FieldElement4sqr2Ev: 466| 8|Ed25519_FieldElement Ed25519_FieldElement::sqr2() const { 467| 8| const int32_t f0 = m_fe[0]; 468| 8| const int32_t f1 = m_fe[1]; 469| 8| const int32_t f2 = m_fe[2]; 470| 8| const int32_t f3 = m_fe[3]; 471| 8| const int32_t f4 = m_fe[4]; 472| 8| const int32_t f5 = m_fe[5]; 473| 8| const int32_t f6 = m_fe[6]; 474| 8| const int32_t f7 = m_fe[7]; 475| 8| const int32_t f8 = m_fe[8]; 476| 8| const int32_t f9 = m_fe[9]; 477| | 478| 8| const int32_t f0_2 = 2 * f0; 479| 8| const int32_t f1_2 = 2 * f1; 480| 8| const int32_t f2_2 = 2 * f2; 481| 8| const int32_t f3_2 = 2 * f3; 482| 8| const int32_t f4_2 = 2 * f4; 483| 8| const int32_t f5_2 = 2 * f5; 484| 8| const int32_t f6_2 = 2 * f6; 485| 8| const int32_t f7_2 = 2 * f7; 486| 8| const int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ 487| 8| const int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ 488| 8| const int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ 489| 8| const int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ 490| 8| const int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ 491| 8| const int64_t f0f0 = f0 * static_cast(f0); 492| 8| const int64_t f0f1_2 = f0_2 * static_cast(f1); 493| 8| const int64_t f0f2_2 = f0_2 * static_cast(f2); 494| 8| const int64_t f0f3_2 = f0_2 * static_cast(f3); 495| 8| const int64_t f0f4_2 = f0_2 * static_cast(f4); 496| 8| const int64_t f0f5_2 = f0_2 * static_cast(f5); 497| 8| const int64_t f0f6_2 = f0_2 * static_cast(f6); 498| 8| const int64_t f0f7_2 = f0_2 * static_cast(f7); 499| 8| const int64_t f0f8_2 = f0_2 * static_cast(f8); 500| 8| const int64_t f0f9_2 = f0_2 * static_cast(f9); 501| 8| const int64_t f1f1_2 = f1_2 * static_cast(f1); 502| 8| const int64_t f1f2_2 = f1_2 * static_cast(f2); 503| 8| const int64_t f1f3_4 = f1_2 * static_cast(f3_2); 504| 8| const int64_t f1f4_2 = f1_2 * static_cast(f4); 505| 8| const int64_t f1f5_4 = f1_2 * static_cast(f5_2); 506| 8| const int64_t f1f6_2 = f1_2 * static_cast(f6); 507| 8| const int64_t f1f7_4 = f1_2 * static_cast(f7_2); 508| 8| const int64_t f1f8_2 = f1_2 * static_cast(f8); 509| 8| const int64_t f1f9_76 = f1_2 * static_cast(f9_38); 510| 8| const int64_t f2f2 = f2 * static_cast(f2); 511| 8| const int64_t f2f3_2 = f2_2 * static_cast(f3); 512| 8| const int64_t f2f4_2 = f2_2 * static_cast(f4); 513| 8| const int64_t f2f5_2 = f2_2 * static_cast(f5); 514| 8| const int64_t f2f6_2 = f2_2 * static_cast(f6); 515| 8| const int64_t f2f7_2 = f2_2 * static_cast(f7); 516| 8| const int64_t f2f8_38 = f2_2 * static_cast(f8_19); 517| 8| const int64_t f2f9_38 = f2 * static_cast(f9_38); 518| 8| const int64_t f3f3_2 = f3_2 * static_cast(f3); 519| 8| const int64_t f3f4_2 = f3_2 * static_cast(f4); 520| 8| const int64_t f3f5_4 = f3_2 * static_cast(f5_2); 521| 8| const int64_t f3f6_2 = f3_2 * static_cast(f6); 522| 8| const int64_t f3f7_76 = f3_2 * static_cast(f7_38); 523| 8| const int64_t f3f8_38 = f3_2 * static_cast(f8_19); 524| 8| const int64_t f3f9_76 = f3_2 * static_cast(f9_38); 525| 8| const int64_t f4f4 = f4 * static_cast(f4); 526| 8| const int64_t f4f5_2 = f4_2 * static_cast(f5); 527| 8| const int64_t f4f6_38 = f4_2 * static_cast(f6_19); 528| 8| const int64_t f4f7_38 = f4 * static_cast(f7_38); 529| 8| const int64_t f4f8_38 = f4_2 * static_cast(f8_19); 530| 8| const int64_t f4f9_38 = f4 * static_cast(f9_38); 531| 8| const int64_t f5f5_38 = f5 * static_cast(f5_38); 532| 8| const int64_t f5f6_38 = f5_2 * static_cast(f6_19); 533| 8| const int64_t f5f7_76 = f5_2 * static_cast(f7_38); 534| 8| const int64_t f5f8_38 = f5_2 * static_cast(f8_19); 535| 8| const int64_t f5f9_76 = f5_2 * static_cast(f9_38); 536| 8| const int64_t f6f6_19 = f6 * static_cast(f6_19); 537| 8| const int64_t f6f7_38 = f6 * static_cast(f7_38); 538| 8| const int64_t f6f8_38 = f6_2 * static_cast(f8_19); 539| 8| const int64_t f6f9_38 = f6 * static_cast(f9_38); 540| 8| const int64_t f7f7_38 = f7 * static_cast(f7_38); 541| 8| const int64_t f7f8_38 = f7_2 * static_cast(f8_19); 542| 8| const int64_t f7f9_76 = f7_2 * static_cast(f9_38); 543| 8| const int64_t f8f8_19 = f8 * static_cast(f8_19); 544| 8| const int64_t f8f9_38 = f8 * static_cast(f9_38); 545| 8| const int64_t f9f9_38 = f9 * static_cast(f9_38); 546| | 547| 8| int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; 548| 8| int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; 549| 8| int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; 550| 8| int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; 551| 8| int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; 552| 8| int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; 553| 8| int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; 554| 8| int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; 555| 8| int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; 556| 8| int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; 557| | 558| 8| h0 += h0; 559| 8| h1 += h1; 560| 8| h2 += h2; 561| 8| h3 += h3; 562| 8| h4 += h4; 563| 8| h5 += h5; 564| 8| h6 += h6; 565| 8| h7 += h7; 566| 8| h8 += h8; 567| 8| h9 += h9; 568| | 569| 8| carry<26>(h0, h1); 570| 8| carry<26>(h4, h5); 571| | 572| 8| carry<25>(h1, h2); 573| 8| carry<25>(h5, h6); 574| | 575| 8| carry<26>(h2, h3); 576| 8| carry<26>(h6, h7); 577| | 578| 8| carry<25>(h3, h4); 579| 8| carry<25>(h7, h8); 580| 8| carry<26>(h4, h5); 581| 8| carry<26>(h8, h9); 582| 8| carry<25, 19>(h9, h0); 583| 8| carry<26>(h0, h1); 584| | 585| 8| return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9); 586| 8|} _ZNK5Botan20Ed25519_FieldElement12serialize_toENSt3__14spanIhLm32EEE: 643| 4|void Ed25519_FieldElement::serialize_to(std::span s) const { 644| 4| const int32_t X25 = (1 << 25); 645| | 646| 4| int32_t h0 = m_fe[0]; 647| 4| int32_t h1 = m_fe[1]; 648| 4| int32_t h2 = m_fe[2]; 649| 4| int32_t h3 = m_fe[3]; 650| 4| int32_t h4 = m_fe[4]; 651| 4| int32_t h5 = m_fe[5]; 652| 4| int32_t h6 = m_fe[6]; 653| 4| int32_t h7 = m_fe[7]; 654| 4| int32_t h8 = m_fe[8]; 655| 4| int32_t h9 = m_fe[9]; 656| | 657| 4| int32_t q = (19 * h9 + ((static_cast(1) << 24))) >> 25; 658| 4| q = (h0 + q) >> 26; 659| 4| q = (h1 + q) >> 25; 660| 4| q = (h2 + q) >> 26; 661| 4| q = (h3 + q) >> 25; 662| 4| q = (h4 + q) >> 26; 663| 4| q = (h5 + q) >> 25; 664| 4| q = (h6 + q) >> 26; 665| 4| q = (h7 + q) >> 25; 666| 4| q = (h8 + q) >> 26; 667| 4| q = (h9 + q) >> 25; 668| | 669| | /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ 670| 4| h0 += 19 * q; 671| | /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ 672| | 673| 4| carry0<26>(h0, h1); 674| 4| carry0<25>(h1, h2); 675| 4| carry0<26>(h2, h3); 676| 4| carry0<25>(h3, h4); 677| 4| carry0<26>(h4, h5); 678| 4| carry0<25>(h5, h6); 679| 4| carry0<26>(h6, h7); 680| 4| carry0<25>(h7, h8); 681| 4| carry0<26>(h8, h9); 682| | 683| 4| const int32_t carry9 = h9 >> 25; 684| 4| h9 -= carry9 * X25; 685| | /* h10 = carry9 */ 686| | 687| | /* 688| | Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. 689| | Have h0+...+2^230 h9 between 0 and 2^255-1; 690| | evidently 2^255 h10-2^255 q = 0. 691| | Goal: Output h0+...+2^230 h9. 692| | */ 693| | 694| 4| s[0] = static_cast(h0 >> 0); 695| 4| s[1] = static_cast(h0 >> 8); 696| 4| s[2] = static_cast(h0 >> 16); 697| 4| s[3] = static_cast((h0 >> 24) | (h1 << 2)); 698| 4| s[4] = static_cast(h1 >> 6); 699| 4| s[5] = static_cast(h1 >> 14); 700| 4| s[6] = static_cast((h1 >> 22) | (h2 << 3)); 701| 4| s[7] = static_cast(h2 >> 5); 702| 4| s[8] = static_cast(h2 >> 13); 703| 4| s[9] = static_cast((h2 >> 21) | (h3 << 5)); 704| 4| s[10] = static_cast(h3 >> 3); 705| 4| s[11] = static_cast(h3 >> 11); 706| 4| s[12] = static_cast((h3 >> 19) | (h4 << 6)); 707| 4| s[13] = static_cast(h4 >> 2); 708| 4| s[14] = static_cast(h4 >> 10); 709| 4| s[15] = static_cast(h4 >> 18); 710| 4| s[16] = static_cast(h5 >> 0); 711| 4| s[17] = static_cast(h5 >> 8); 712| 4| s[18] = static_cast(h5 >> 16); 713| 4| s[19] = static_cast((h5 >> 24) | (h6 << 1)); 714| 4| s[20] = static_cast(h6 >> 7); 715| 4| s[21] = static_cast(h6 >> 15); 716| 4| s[22] = static_cast((h6 >> 23) | (h7 << 3)); 717| 4| s[23] = static_cast(h7 >> 5); 718| 4| s[24] = static_cast(h7 >> 13); 719| 4| s[25] = static_cast((h7 >> 21) | (h8 << 4)); 720| 4| s[26] = static_cast(h8 >> 4); 721| 4| s[27] = static_cast(h8 >> 12); 722| 4| s[28] = static_cast((h8 >> 20) | (h9 << 6)); 723| 4| s[29] = static_cast(h9 >> 2); 724| 4| s[30] = static_cast(h9 >> 10); 725| 4| s[31] = static_cast(h9 >> 18); 726| 4|} _ZN5Botan18Ed25519_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 113| 6|Ed25519_PrivateKey::Ed25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 114| 6| secure_vector bits; 115| 6| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(bits, ASN1_Type::OctetString).discard_remaining(); 116| | 117| 6| if(bits.size() != 32) { ------------------ | Branch (117:7): [True: 2, False: 4] ------------------ 118| 2| throw Decoding_Error("Invalid size for Ed25519 private key"); 119| 2| } 120| 4| m_public.resize(32); 121| 4| m_private.resize(64); 122| 4| ed25519_gen_keypair(m_public.data(), m_private.data(), bits.data()); 123| 4|} _ZN5Botan21ed25519_basepoint_mulENSt3__14spanIhLm32EEEPKh: 1863| 2|void ed25519_basepoint_mul(std::span out, const uint8_t a[32]) { 1864| 2| std::array e{}; 1865| | 1866| 2| CT::poison(a, 32); 1867| | 1868| | // each e[i] is between 0 and 15 except e[63] which is between 0 and 7 1869| 66| for(size_t i = 0; i != 32; ++i) { ------------------ | Branch (1869:22): [True: 64, False: 2] ------------------ 1870| 64| e[2 * i + 0] = (a[i] >> 0) & 0x0F; 1871| 64| e[2 * i + 1] = (a[i] >> 4) & 0x0F; 1872| 64| } 1873| | 1874| 2| int8_t carry = 0; 1875| 128| for(size_t i = 0; i < 63; ++i) { ------------------ | Branch (1875:22): [True: 126, False: 2] ------------------ 1876| 126| e[i] += carry; 1877| 126| carry = e[i] + 8; 1878| 126| carry >>= 4; 1879| 126| e[i] -= carry << 4; 1880| 126| } 1881| 2| e[63] += carry; 1882| | /* each e[i] is between -8 and 8 */ 1883| | 1884| 2| auto h = Ed25519_Point_Extended::identity(); 1885| 66| for(size_t i = 1; i < 64; i += 2) { ------------------ | Branch (1885:22): [True: 64, False: 2] ------------------ 1886| 64| h = Ed25519_Point_Extended::from(h + select(B_precomp[i / 2], e[i])); 1887| 64| } 1888| | 1889| 2| auto s = Ed25519_Point_Projective::from(h.dbl()); 1890| 2| s = Ed25519_Point_Projective::from(s.dbl()); 1891| 2| s = Ed25519_Point_Projective::from(s.dbl()); 1892| 2| h = Ed25519_Point_Extended::from(s.dbl()); 1893| | 1894| 66| for(size_t i = 0; i != 64; i += 2) { ------------------ | Branch (1894:22): [True: 64, False: 2] ------------------ 1895| 64| h = Ed25519_Point_Extended::from(h + select(B_precomp[i / 2], e[i])); 1896| 64| } 1897| | 1898| 2| h.serialize_to(out); 1899| | 1900| 2| CT::unpoison(a, 32); 1901| 2| CT::unpoison(out); 1902| 2|} ge.cpp:_ZN5Botan12_GLOBAL__N_122Ed25519_Point_Extended8identityEv: 109| 2| static constexpr Ed25519_Point_Extended identity() { 110| 2| Ed25519_Point_Extended h; 111| 2| h.X = Ed25519_FieldElement::zero(); 112| 2| h.Y = Ed25519_FieldElement::one(); 113| 2| h.Z = Ed25519_FieldElement::one(); 114| 2| h.T = Ed25519_FieldElement::zero(); 115| 2| return h; 116| 2| } ge.cpp:_ZN5Botan12_GLOBAL__N_122Ed25519_Point_Extended4fromERKNS0_23Ed25519_Point_CompletedE: 129| 130| static Ed25519_Point_Extended from(const Ed25519_Point_Completed& p) { 130| 130| Ed25519_Point_Extended r; 131| 130| r.X = p.X * p.T; 132| 130| r.Y = p.Y * p.Z; 133| 130| r.Z = p.Z * p.T; 134| 130| r.T = p.X * p.Y; 135| 130| return r; 136| 130| } ge.cpp:_ZN5Botan12_GLOBAL__N_1plERKNS0_22Ed25519_Point_ExtendedERKNS0_19Ed25519_Point_NielsE: 220| 128|inline Ed25519_Point_Completed operator+(const Ed25519_Point_Extended& p, const Ed25519_Point_Niels& q) { 221| 128| Ed25519_Point_Completed r; 222| 128| r.X = p.Y + p.X; // YpX1 = Y1+X1 223| 128| r.Y = p.Y - p.X; // YmX1 = Y1-X1 224| 128| r.Z = r.X * q.yplusx; // A = YpX1*ypx2 225| 128| r.Y = r.Y * q.yminusx; // B = YmX1*ymx2 226| 128| r.T = q.xy2d * p.T; // C = xy2d2*T1 227| 128| auto t0 = p.Z + p.Z; // D = 2*Z1 228| 128| r.X = r.Z - r.Y; // X3 = A-B 229| 128| r.Y = r.Z + r.Y; // Y3 = A+B 230| 128| r.Z = t0 + r.T; // Z3 = D+C 231| 128| r.T = t0 - r.T; // T3 = D-C 232| 128| return r; 233| 128|} ge.cpp:_ZN5Botan12_GLOBAL__N_16selectEPKNS0_19Ed25519_Point_NielsEa: 455| 128|Ed25519_Point_Niels select(const Ed25519_Point_Niels base[8], int8_t b) { 456| 128| const uint8_t bnegative = negative(b); 457| 128| const uint8_t babs = b - ((-static_cast(bnegative) & b) * 2); 458| 128| const uint32_t neg_mask = equal32(bnegative, 1); 459| | 460| 128| const uint32_t mask1 = equal32(babs, 1); 461| 128| const uint32_t mask2 = equal32(babs, 2); 462| 128| const uint32_t mask3 = equal32(babs, 3); 463| 128| const uint32_t mask4 = equal32(babs, 4); 464| 128| const uint32_t mask5 = equal32(babs, 5); 465| 128| const uint32_t mask6 = equal32(babs, 6); 466| 128| const uint32_t mask7 = equal32(babs, 7); 467| 128| const uint32_t mask8 = equal32(babs, 8); 468| | 469| 128| auto t = Ed25519_Point_Niels::identity(); 470| | 471| 1.40k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (471:22): [True: 1.28k, False: 128] ------------------ 472| 1.28k| t.yplusx[i] = t.yplusx[i] ^ ((t.yplusx[i] ^ base[0].yplusx[i]) & mask1) ^ 473| 1.28k| ((t.yplusx[i] ^ base[1].yplusx[i]) & mask2) ^ ((t.yplusx[i] ^ base[2].yplusx[i]) & mask3) ^ 474| 1.28k| ((t.yplusx[i] ^ base[3].yplusx[i]) & mask4) ^ ((t.yplusx[i] ^ base[4].yplusx[i]) & mask5) ^ 475| 1.28k| ((t.yplusx[i] ^ base[5].yplusx[i]) & mask6) ^ ((t.yplusx[i] ^ base[6].yplusx[i]) & mask7) ^ 476| 1.28k| ((t.yplusx[i] ^ base[7].yplusx[i]) & mask8); 477| | 478| 1.28k| t.yminusx[i] = t.yminusx[i] ^ ((t.yminusx[i] ^ base[0].yminusx[i]) & mask1) ^ 479| 1.28k| ((t.yminusx[i] ^ base[1].yminusx[i]) & mask2) ^ ((t.yminusx[i] ^ base[2].yminusx[i]) & mask3) ^ 480| 1.28k| ((t.yminusx[i] ^ base[3].yminusx[i]) & mask4) ^ ((t.yminusx[i] ^ base[4].yminusx[i]) & mask5) ^ 481| 1.28k| ((t.yminusx[i] ^ base[5].yminusx[i]) & mask6) ^ ((t.yminusx[i] ^ base[6].yminusx[i]) & mask7) ^ 482| 1.28k| ((t.yminusx[i] ^ base[7].yminusx[i]) & mask8); 483| | 484| 1.28k| t.xy2d[i] = t.xy2d[i] ^ ((t.xy2d[i] ^ base[0].xy2d[i]) & mask1) ^ ((t.xy2d[i] ^ base[1].xy2d[i]) & mask2) ^ 485| 1.28k| ((t.xy2d[i] ^ base[2].xy2d[i]) & mask3) ^ ((t.xy2d[i] ^ base[3].xy2d[i]) & mask4) ^ 486| 1.28k| ((t.xy2d[i] ^ base[4].xy2d[i]) & mask5) ^ ((t.xy2d[i] ^ base[5].xy2d[i]) & mask6) ^ 487| 1.28k| ((t.xy2d[i] ^ base[6].xy2d[i]) & mask7) ^ ((t.xy2d[i] ^ base[7].xy2d[i]) & mask8); 488| 1.28k| } 489| | 490| 128| auto minus_xy2d = -t.xy2d; 491| | 492| | // If negative have to swap yminusx and yplusx 493| 1.40k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (493:22): [True: 1.28k, False: 128] ------------------ 494| 1.28k| const int32_t t_yplusx = t.yplusx[i] ^ ((t.yplusx[i] ^ t.yminusx[i]) & neg_mask); 495| 1.28k| const int32_t t_yminusx = t.yminusx[i] ^ ((t.yminusx[i] ^ t.yplusx[i]) & neg_mask); 496| | 497| 1.28k| t.yplusx[i] = t_yplusx; 498| 1.28k| t.yminusx[i] = t_yminusx; 499| 1.28k| t.xy2d[i] = t.xy2d[i] ^ ((t.xy2d[i] ^ minus_xy2d[i]) & neg_mask); 500| 1.28k| } 501| | 502| 128| return t; 503| 128|} ge.cpp:_ZN5Botan12_GLOBAL__N_18negativeEa: 451| 128|inline uint8_t negative(int8_t b) { 452| 128| return static_cast(b) >> 7; 453| 128|} ge.cpp:_ZN5Botan12_GLOBAL__N_17equal32Ehh: 447| 1.15k|inline uint32_t equal32(uint8_t b, uint8_t c) { 448| 1.15k| return CT::Mask::is_equal(b, c).value(); 449| 1.15k|} ge.cpp:_ZN5Botan12_GLOBAL__N_119Ed25519_Point_Niels8identityEv: 160| 128| static constexpr Ed25519_Point_Niels identity() { 161| 128| Ed25519_Point_Niels h; 162| 128| h.yplusx = Ed25519_FieldElement::one(); 163| 128| h.yminusx = Ed25519_FieldElement::one(); 164| 128| h.xy2d = Ed25519_FieldElement::zero(); 165| 128| return h; 166| 128| } ge.cpp:_ZN5Botan12_GLOBAL__N_124Ed25519_Point_Projective4fromERKNS0_23Ed25519_Point_CompletedE: 56| 6| static Ed25519_Point_Projective from(const Ed25519_Point_Completed& p) { 57| 6| Ed25519_Point_Projective r; 58| 6| r.X = p.X * p.T; 59| 6| r.Y = p.Y * p.Z; 60| 6| r.Z = p.Z * p.T; 61| 6| return r; 62| 6| } ge.cpp:_ZNK5Botan12_GLOBAL__N_122Ed25519_Point_Extended3dblEv: 118| 2| Ed25519_Point_Completed dbl() const { 119| 2| Ed25519_Point_Projective q; 120| 2| q.X = X; 121| 2| q.Y = Y; 122| 2| q.Z = Z; 123| 2| return q.dbl(); 124| 2| } ge.cpp:_ZNK5Botan12_GLOBAL__N_124Ed25519_Point_Projective3dblEv: 83| 8|Ed25519_Point_Completed Ed25519_Point_Projective::dbl() const { 84| 8| Ed25519_Point_Completed r; 85| 8| r.X = X.sqr(); // XX=X1^2 86| 8| r.Z = Y.sqr(); // YY=Y1^2 87| 8| r.T = Z.sqr2(); // B=2*Z1^2 88| 8| r.Y = X + Y; // A=X1+Y1 89| 8| auto t0 = r.Y.sqr(); // AA=A^2 90| 8| r.Y = r.Z + r.X; // Y3=YY+XX 91| 8| r.Z = r.Z - r.X; // Z3=YY-XX 92| 8| r.X = t0 - r.Y; // X3=AA-Y3 93| 8| r.T = r.T - r.Z; // T3=B-Z3 94| 8| return r; 95| 8|} ge.cpp:_ZNK5Botan12_GLOBAL__N_122Ed25519_Point_Extended12serialize_toENSt3__14spanIhLm32EEE: 138| 2| void serialize_to(std::span out) const { 139| 2| auto recip = this->Z.invert(); 140| 2| auto x = this->X * recip; 141| 2| auto y = this->Y * recip; 142| 2| y.serialize_to(out); 143| 2| out[31] ^= x.is_negative() ? 0x80 : 0x00; ------------------ | Branch (143:21): [True: 1, False: 1] ------------------ 144| 2| } _ZN5Botan9KyberModeC2ERKNS_3OIDE: 78| 37|KyberMode::KyberMode(const OID& oid) : m_mode(kyber_mode_from_string(oid.to_formatted_string())) {} _ZNK5Botan9KyberMode9is_ml_kemEv: 119| 111|bool KyberMode::is_ml_kem() const { 120| 111| return m_mode == KyberMode::ML_KEM_512 || m_mode == KyberMode::ML_KEM_768 || m_mode == KyberMode::ML_KEM_1024; ------------------ | Branch (120:11): [True: 15, False: 96] | Branch (120:46): [True: 39, False: 57] | Branch (120:81): [True: 57, False: 0] ------------------ 121| 111|} _ZNK5Botan9KyberMode15is_kyber_round3Ev: 123| 132|bool KyberMode::is_kyber_round3() const { 124| 132| return m_mode == KyberMode::Kyber512_R3 || m_mode == KyberMode::Kyber768_R3 || m_mode == KyberMode::Kyber1024_R3 || ------------------ | Branch (124:11): [True: 0, False: 132] | Branch (124:47): [True: 0, False: 132] | Branch (124:83): [True: 0, False: 132] ------------------ 125| 132| m_mode == KyberMode::Kyber512_90s || m_mode == KyberMode::Kyber768_90s || m_mode == KyberMode::Kyber1024_90s; ------------------ | Branch (125:11): [True: 0, False: 132] | Branch (125:48): [True: 0, False: 132] | Branch (125:85): [True: 0, False: 132] ------------------ 126| 132|} _ZN5Botan16Kyber_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 227| 37| Kyber_PrivateKey(key_bits, KyberMode(alg_id.oid())) {} _ZN5Botan16Kyber_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEENS_9KyberModeE: 229| 37|Kyber_PrivateKey::Kyber_PrivateKey(std::span sk, KyberMode m) { 230| 37| KyberConstants mode(m); 231| | 232| 37| if(mode.mode().is_ml_kem() && sk.size() == mode.seed_private_key_bytes()) { ------------------ | Branch (232:7): [True: 37, False: 0] | Branch (232:7): [True: 29, False: 8] | Branch (232:34): [True: 29, False: 8] ------------------ 233| 29| std::tie(m_public, m_private) = Seed_Expanding_Keypair_Codec().decode_keypair(sk, std::move(mode)); 234| 29| } else if(sk.size() == mode.expanded_private_key_bytes()) { ------------------ | Branch (234:14): [True: 0, False: 8] ------------------ 235| 0| std::tie(m_public, m_private) = Expanded_Keypair_Codec().decode_keypair(sk, std::move(mode)); 236| 8| } else if(!mode.mode().is_ml_kem() && sk.size() == mode.seed_private_key_bytes()) { ------------------ | Branch (236:14): [True: 0, False: 8] | Branch (236:14): [True: 0, False: 8] | Branch (236:42): [True: 0, False: 0] ------------------ 237| 0| throw Invalid_Argument("Kyber round 3 private keys do not support the seed format"); 238| 8| } else { 239| 8| throw Invalid_Argument("Private key does not have the correct byte count"); 240| 8| } 241| 37|} kyber.cpp:_ZN5Botan12_GLOBAL__N_122kyber_mode_from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 42| 37|KyberMode::Mode kyber_mode_from_string(std::string_view str) { 43| 37| if(str == "Kyber-512-90s-r3") { ------------------ | Branch (43:7): [True: 0, False: 37] ------------------ 44| 0| return KyberMode::Kyber512_90s; 45| 0| } 46| 37| if(str == "Kyber-768-90s-r3") { ------------------ | Branch (46:7): [True: 0, False: 37] ------------------ 47| 0| return KyberMode::Kyber768_90s; 48| 0| } 49| 37| if(str == "Kyber-1024-90s-r3") { ------------------ | Branch (49:7): [True: 0, False: 37] ------------------ 50| 0| return KyberMode::Kyber1024_90s; 51| 0| } 52| 37| if(str == "Kyber-512-r3") { ------------------ | Branch (52:7): [True: 0, False: 37] ------------------ 53| 0| return KyberMode::Kyber512_R3; 54| 0| } 55| 37| if(str == "Kyber-768-r3") { ------------------ | Branch (55:7): [True: 0, False: 37] ------------------ 56| 0| return KyberMode::Kyber768_R3; 57| 0| } 58| 37| if(str == "Kyber-1024-r3") { ------------------ | Branch (58:7): [True: 0, False: 37] ------------------ 59| 0| return KyberMode::Kyber1024_R3; 60| 0| } 61| 37| if(str == "ML-KEM-512") { ------------------ | Branch (61:7): [True: 5, False: 32] ------------------ 62| 5| return KyberMode::ML_KEM_512; 63| 5| } 64| 32| if(str == "ML-KEM-768") { ------------------ | Branch (64:7): [True: 13, False: 19] ------------------ 65| 13| return KyberMode::ML_KEM_768; 66| 13| } 67| 19| if(str == "ML-KEM-1024") { ------------------ | Branch (67:7): [True: 19, False: 0] ------------------ 68| 19| return KyberMode::ML_KEM_1024; 69| 19| } 70| | 71| 0| throw Invalid_Argument(fmt("'{}' is not a valid Kyber mode name", str)); 72| 19|} _ZN5Botan11Kyber_Algos24encode_polynomial_vectorENSt3__14spanIhLm18446744073709551615EEERKNS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS4_6DomainE1EEE: 186| 29|void encode_polynomial_vector(std::span out, const KyberPolyVecNTT& vec) { 187| 29| BufferStuffer bs(out); 188| 96| for(const auto& v : vec) { ------------------ | Branch (188:22): [True: 96, False: 29] ------------------ 189| 96| byte_encode(bs, v); 190| 96| } 191| 29| BOTAN_ASSERT_NOMSG(bs.full()); ------------------ | | 77| 29| do { \ | | 78| 29| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 29| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 29] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 29| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 29] | | ------------------ ------------------ 192| 29|} _ZN5Botan11Kyber_Algos14expand_keypairENS_19KyberPrivateKeySeedENS_14KyberConstantsE: 323| 29|KyberInternalKeypair expand_keypair(KyberPrivateKeySeed seed, KyberConstants mode) { 324| 29| BOTAN_ARG_CHECK(seed.d.has_value(), "Cannot expand keypair without the full private seed"); ------------------ | | 35| 29| do { \ | | 36| 29| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 29| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 29] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 29| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 29] | | ------------------ ------------------ 325| 29| const auto& d = seed.d.value(); 326| | 327| 29| CT::poison(d); 328| 29| auto [rho, sigma] = mode.symmetric_primitives().G(d, mode); 329| 29| CT::unpoison(rho); // rho is public (seed for the public matrix A) 330| | 331| | // Algorithm 13 (K-PKE.KeyGen) ---------------- 332| | 333| 29| auto A = Kyber_Algos::sample_matrix(rho, false /* not transposed */, mode); 334| | 335| | // The nonce N is handled internally by the PolynomialSampler 336| 29| Kyber_Algos::PolynomialSampler ps(sigma, mode); 337| 29| auto s = ntt(ps.sample_polynomial_vector_cbd_eta1()); 338| 29| const auto e = ntt(ps.sample_polynomial_vector_cbd_eta1()); 339| | 340| 29| auto t = montgomery(A * s); 341| 29| t += e; 342| 29| t.reduce(); 343| | 344| | // End Algorithm 13 --------------------------- 345| | 346| 29| CT::unpoison_all(d, t, s); 347| | 348| 29| return { 349| 29| std::make_shared(mode, std::move(t), std::move(rho)), 350| 29| std::make_shared(std::move(mode), std::move(s), std::move(seed)), 351| 29| }; 352| 29|} _ZN5Botan11Kyber_Algos13sample_matrixENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEEbRKNS_14KyberConstantsE: 382| 29|KyberPolyMat sample_matrix(StrongSpan seed, bool transposed, const KyberConstants& mode) { 383| 29| BOTAN_ASSERT(seed.size() == KyberConstants::SEED_BYTES, "unexpected seed size"); ------------------ | | 64| 29| do { \ | | 65| 29| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 29| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 29] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 29| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 29] | | ------------------ ------------------ 384| | 385| 29| KyberPolyMat mat(mode.k(), mode.k()); 386| | 387| 29| const auto& sym = mode.symmetric_primitives(); 388| 29| std::unique_ptr xof; 389| | 390| 125| for(uint8_t i = 0; i < mode.k(); ++i) { ------------------ | Branch (390:23): [True: 96, False: 29] ------------------ 391| 428| for(uint8_t j = 0; j < mode.k(); ++j) { ------------------ | Branch (391:26): [True: 332, False: 96] ------------------ 392| 332| const auto pos = (transposed) ? std::tuple(i, j) : std::tuple(j, i); ------------------ | Branch (392:27): [True: 0, False: 332] ------------------ 393| 332| sym.setup_XOF(xof, seed, pos); 394| 332| sample_ntt_uniform(mat[i][j], *xof); 395| 332| } 396| 96| } 397| | 398| 29| return mat; 399| 29|} _ZN5Botan11Kyber_Algos26sample_polynomial_from_cbdERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS1_6DomainE0EEENS_14KyberConstants8KyberEtaERKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEE: 409| 192| const KyberSamplingRandomness& randomness) { 410| 192| switch(eta) { ------------------ | Branch (410:11): [True: 192, False: 0] ------------------ 411| 176| case KyberConstants::KyberEta::_2: ------------------ | Branch (411:7): [True: 176, False: 16] ------------------ 412| 176| return sample_poly_cbd(poly, randomness); 413| 16| case KyberConstants::KyberEta::_3: ------------------ | Branch (413:7): [True: 16, False: 176] ------------------ 414| 16| return sample_poly_cbd(poly, randomness); 415| 192| } 416| | 417| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 418| 0|} kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_111byte_encodeERNS_13BufferStufferERKNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS4_6DomainE1EEE: 44| 96|void byte_encode(BufferStuffer& bs, const KyberPolyNTT& p) { 45| 96| CRYSTALS::pack(p, bs); 46| 96|} kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFE: 76| 332|void sample_ntt_uniform(KyberPolyNTT& p, XOF& xof) { 77| | // A generator that returns the next coefficient sampled from the XOF. As the 78| | // sampling uses half-bytes, this keeps track of the additionally sampled 79| | // coefficient as needed. 80| 332| auto sample = [stashed_coeff = std::optional{}, 81| 332| bounded_xof = 82| 332| Bounded_XOF(xof)]() mutable -> uint16_t { 83| 332| auto lowerthan_q = [](uint32_t d) -> std::optional { 84| 332| if(d < KyberConstants::Q) { 85| 332| return static_cast(d); 86| 332| } else { 87| 332| return std::nullopt; 88| 332| } 89| 332| }; 90| | 91| 332| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { 92| 332| return *stashed; // value retained from a previous invocation 93| 332| } 94| | 95| 332| while(true) { 96| 332| const auto [d1, d2] = bounded_xof.next<3>([&](const auto bytes) { 97| 332| const auto x = load_le3(bytes); 98| 332| return std::pair{lowerthan_q(x & 0x0FFF), lowerthan_q(x >> 12)}; 99| 332| }); 100| | 101| 332| if(d1.has_value()) { 102| 332| stashed_coeff = d2; // keep candidate d2 for the next invocation 103| 332| return *d1; 104| 332| } else if(d2.has_value()) { 105| | // d1 was invalid, d2 is valid, nothing to stash 106| 332| return *d2; 107| 332| } 108| 332| } 109| 332| }; 110| | 111| 84.9k| for(auto& coeff : p) { ------------------ | Branch (111:20): [True: 84.9k, False: 332] ------------------ 112| 84.9k| coeff = sample(); 113| 84.9k| } 114| 332|} kyber_algos.cpp:_ZZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFEEN3$_0clEv: 82| 84.9k| Bounded_XOF(xof)]() mutable -> uint16_t { 83| 84.9k| auto lowerthan_q = [](uint32_t d) -> std::optional { 84| 84.9k| if(d < KyberConstants::Q) { 85| 84.9k| return static_cast(d); 86| 84.9k| } else { 87| 84.9k| return std::nullopt; 88| 84.9k| } 89| 84.9k| }; 90| | 91| 84.9k| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { ------------------ | Branch (91:15): [True: 34.2k, False: 50.7k] ------------------ 92| 34.2k| return *stashed; // value retained from a previous invocation 93| 34.2k| } 94| | 95| 52.7k| while(true) { ------------------ | Branch (95:13): [True: 52.7k, Folded] ------------------ 96| 52.7k| const auto [d1, d2] = bounded_xof.next<3>([&](const auto bytes) { 97| 52.7k| const auto x = load_le3(bytes); 98| 52.7k| return std::pair{lowerthan_q(x & 0x0FFF), lowerthan_q(x >> 12)}; 99| 52.7k| }); 100| | 101| 52.7k| if(d1.has_value()) { ------------------ | Branch (101:13): [True: 42.3k, False: 10.3k] ------------------ 102| 42.3k| stashed_coeff = d2; // keep candidate d2 for the next invocation 103| 42.3k| return *d1; 104| 42.3k| } else if(d2.has_value()) { ------------------ | Branch (104:20): [True: 8.40k, False: 1.92k] ------------------ 105| | // d1 was invalid, d2 is valid, nothing to stash 106| 8.40k| return *d2; 107| 8.40k| } 108| 52.7k| } 109| 50.7k| }; kyber_algos.cpp:_ZZZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFEEN3$_0clEvENKUlT_E_clINSt3__15arrayIhLm3EEEEEDaSB_: 96| 52.7k| const auto [d1, d2] = bounded_xof.next<3>([&](const auto bytes) { 97| 52.7k| const auto x = load_le3(bytes); 98| 52.7k| return std::pair{lowerthan_q(x & 0x0FFF), lowerthan_q(x >> 12)}; 99| 52.7k| }); kyber_algos.cpp:_ZZZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFEEN3$_0clEvENKUljE_clEj: 83| 105k| auto lowerthan_q = [](uint32_t d) -> std::optional { 84| 105k| if(d < KyberConstants::Q) { ------------------ | Branch (84:13): [True: 85.1k, False: 20.2k] ------------------ 85| 85.1k| return static_cast(d); 86| 85.1k| } else { 87| 20.2k| return std::nullopt; 88| 20.2k| } 89| 105k| }; kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_115sample_poly_cbdILNS_14KyberConstants8KyberEtaE2EEEvRNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS5_6DomainE0EEENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEE: 130| 176| StrongSpan randomness) { 131| 176| BufferSlicer bs(randomness); 132| | 133| 5.80k| for(size_t i = 0; i < poly.size() / 8; ++i) { ------------------ | Branch (133:22): [True: 5.63k, False: 176] ------------------ 134| 5.63k| const uint32_t t = Botan::load_le(bs.take<4>()); 135| | 136| | // SWAR (SIMD within a Register) trick: calculate 16 2-bit-sums in parallel 137| 5.63k| constexpr uint32_t operand_bitmask = 0b01010101010101010101010101010101; 138| | 139| | // clang-format off 140| 5.63k| const uint32_t d = ((t >> 0) & operand_bitmask) + 141| 5.63k| ((t >> 1) & operand_bitmask); 142| | // clang-format on 143| | 144| 50.6k| for(size_t j = 0; j < 8; ++j) { ------------------ | Branch (144:25): [True: 45.0k, False: 5.63k] ------------------ 145| 45.0k| const int16_t a = (d >> (4 * j + 0)) & 0x3; 146| 45.0k| const int16_t b = (d >> (4 * j + 2)) & 0x3; 147| 45.0k| poly[8 * i + j] = a - b; 148| 45.0k| } 149| 5.63k| } 150| | 151| 176| BOTAN_ASSERT_NOMSG(bs.empty()); ------------------ | | 77| 176| do { \ | | 78| 176| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 176| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 176] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 176| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 176] | | ------------------ ------------------ 152| 176|} kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_115sample_poly_cbdILNS_14KyberConstants8KyberEtaE3EEEvRNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS5_6DomainE0EEENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEE: 159| 16| StrongSpan randomness) { 160| 16| BufferSlicer bs(randomness); 161| | 162| 1.04k| for(size_t i = 0; i < poly.size() / 4; ++i) { ------------------ | Branch (162:22): [True: 1.02k, False: 16] ------------------ 163| 1.02k| const uint32_t t = load_le3(bs.take<3>()); 164| | 165| | // SWAR (SIMD within a Register) trick: calculate 8 3-bit-sums in parallel 166| 1.02k| constexpr uint32_t operand_bitmask = 0b00000000001001001001001001001001; 167| | 168| | // clang-format off 169| 1.02k| const uint32_t d = ((t >> 0) & operand_bitmask) + 170| 1.02k| ((t >> 1) & operand_bitmask) + 171| 1.02k| ((t >> 2) & operand_bitmask); 172| | // clang-format on 173| | 174| 5.12k| for(size_t j = 0; j < 4; ++j) { ------------------ | Branch (174:25): [True: 4.09k, False: 1.02k] ------------------ 175| 4.09k| const int16_t a = (d >> (6 * j + 0)) & 0x7; 176| 4.09k| const int16_t b = (d >> (6 * j + 3)) & 0x7; 177| 4.09k| poly[4 * i + j] = a - b; 178| 4.09k| } 179| 1.02k| } 180| | 181| 16| BOTAN_ASSERT_NOMSG(bs.empty()); ------------------ | | 77| 16| do { \ | | 78| 16| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 16| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 16] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 16| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 16] | | ------------------ ------------------ 182| 16|} _ZN5Botan14KyberConstantsC2ENS_9KyberModeE: 30| 66|KyberConstants::KyberConstants(KyberMode mode) : m_mode(mode) { 31| 66| switch(mode.mode()) { 32| 0| case KyberMode::Kyber512_R3: ------------------ | Branch (32:7): [True: 0, False: 66] ------------------ 33| 0| case KyberMode::Kyber512_90s: ------------------ | Branch (33:7): [True: 0, False: 66] ------------------ 34| 9| case KyberMode::ML_KEM_512: ------------------ | Branch (34:7): [True: 9, False: 57] ------------------ 35| 9| m_nist_strength = KyberStrength::_128; 36| 9| m_k = 2; 37| 9| m_eta1 = KyberEta::_3; 38| 9| m_du = KyberDu::_10; 39| 9| m_dv = KyberDv::_4; 40| 9| break; 41| | 42| 0| case KyberMode::Kyber768_R3: ------------------ | Branch (42:7): [True: 0, False: 66] ------------------ 43| 0| case KyberMode::Kyber768_90s: ------------------ | Branch (43:7): [True: 0, False: 66] ------------------ 44| 25| case KyberMode::ML_KEM_768: ------------------ | Branch (44:7): [True: 25, False: 41] ------------------ 45| 25| m_nist_strength = KyberStrength::_192; 46| 25| m_k = 3; 47| 25| m_eta1 = KyberEta::_2; 48| 25| m_du = KyberDu::_10; 49| 25| m_dv = KyberDv::_4; 50| 25| break; 51| | 52| 0| case KyberMode::Kyber1024_R3: ------------------ | Branch (52:7): [True: 0, False: 66] ------------------ 53| 0| case KyberMode::Kyber1024_90s: ------------------ | Branch (53:7): [True: 0, False: 66] ------------------ 54| 32| case KyberMode::ML_KEM_1024: ------------------ | Branch (54:7): [True: 32, False: 34] ------------------ 55| 32| m_nist_strength = KyberStrength::_256; 56| 32| m_k = 4; 57| 32| m_eta1 = KyberEta::_2; 58| 32| m_du = KyberDu::_11; 59| 32| m_dv = KyberDv::_5; 60| 32| break; 61| | 62| 0| default: ------------------ | Branch (62:7): [True: 0, False: 66] ------------------ 63| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 64| 66| } 65| | 66| 66|#ifdef BOTAN_HAS_KYBER_90S 67| 66| if(mode.is_kyber_round3() && mode.is_90s()) { ------------------ | Branch (67:7): [True: 0, False: 66] | Branch (67:33): [True: 0, False: 0] ------------------ 68| 0| m_symmetric_primitives = std::make_unique(); 69| 0| } 70| 66|#endif 71| | 72| 66|#ifdef BOTAN_HAS_KYBER 73| 66| if(mode.is_kyber_round3() && mode.is_modern()) { ------------------ | Branch (73:7): [True: 0, False: 66] | Branch (73:33): [True: 0, False: 0] ------------------ 74| 0| m_symmetric_primitives = std::make_unique(); 75| 0| } 76| 66|#endif 77| | 78| 66|#ifdef BOTAN_HAS_ML_KEM 79| 66| if(mode.is_ml_kem()) { ------------------ | Branch (79:7): [True: 66, False: 0] ------------------ 80| 66| m_symmetric_primitives = std::make_unique(); 81| 66| } 82| 66|#endif 83| | 84| 66| static_assert(N % 8 == 0); 85| 66| m_polynomial_vector_bytes = (bitlen(Q) * (N / 8)) * k(); 86| 66| m_polynomial_vector_compressed_bytes = d_u() * k() * (N / 8); 87| 66| m_polynomial_compressed_bytes = d_v() * (N / 8); 88| 66| m_expanded_private_key_bytes = 89| 66| static_cast(m_polynomial_vector_bytes + public_key_bytes() + PUBLIC_KEY_HASH_BYTES + SEED_BYTES); 90| 66| m_seed_private_key_bytes = 2 * SEED_BYTES; 91| | 92| 66| if(!m_symmetric_primitives) { ------------------ | Branch (92:7): [True: 0, False: 66] ------------------ 93| 0| throw Not_Implemented("requested Kyber mode is not enabled in this build"); 94| 0| } 95| 66|} _ZN5Botan14KyberConstantsD2Ev: 97| 211|KyberConstants::~KyberConstants() = default; _ZNK5Botan28Seed_Expanding_Keypair_Codec14decode_keypairENSt3__14spanIKhLm18446744073709551615EEENS_14KyberConstantsE: 88| 29| KyberConstants mode) const { 89| 29| BufferSlicer s(private_key); 90| 29| auto seed = KyberPrivateKeySeed{ 91| 29| s.copy(KyberConstants::SEED_BYTES), 92| 29| s.copy(KyberConstants::SEED_BYTES), 93| 29| }; 94| 29| BOTAN_ASSERT_NOMSG(s.empty()); ------------------ | | 77| 29| do { \ | | 78| 29| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 29| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 29] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 29| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 29] | | ------------------ ------------------ 95| 29| return Kyber_Algos::expand_keypair(std::move(seed), std::move(mode)); 96| 29|} _ZN5Botan23Kyber_PublicKeyInternalC2ENS_14KyberConstantsENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS2_6DomainE1EEENS_6StrongINSt3__16vectorIhNS8_9allocatorIhEEEENS_13KyberSeedRho_EJEEE: 114| 29| m_mode(std::move(mode)), 115| 29| m_public_key_bits_raw(concat(Kyber_Algos::encode_polynomial_vector>(t, m_mode), rho)), 116| 29| m_H_public_key_bits_raw(m_mode.symmetric_primitives().H(m_public_key_bits_raw)), 117| 29| m_t(std::move(t)), 118| 29| m_rho(std::move(rho)) {} _ZN5Botan8PEM_Code6decodeERNS_10DataSourceERNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE: 62| 262|secure_vector decode(DataSource& source, std::string& label) { 63| 262| const size_t RANDOM_CHAR_LIMIT = 8; 64| | 65| 262| label.clear(); 66| | 67| 262| const std::string PEM_HEADER1 = "-----BEGIN "; 68| 262| const std::string PEM_HEADER2 = "-----"; 69| 262| size_t position = 0; 70| | 71| 28.3k| while(position != PEM_HEADER1.length()) { ------------------ | Branch (71:10): [True: 28.1k, False: 218] ------------------ 72| 28.1k| auto b = source.read_byte(); 73| | 74| 28.1k| if(!b) { ------------------ | Branch (74:10): [True: 43, False: 28.1k] ------------------ 75| 43| throw Decoding_Error("PEM: No PEM header found"); 76| 43| } 77| 28.1k| if(static_cast(*b) == PEM_HEADER1[position]) { ------------------ | Branch (77:10): [True: 6.97k, False: 21.1k] ------------------ 78| 6.97k| ++position; 79| 21.1k| } else if(position >= RANDOM_CHAR_LIMIT) { ------------------ | Branch (79:17): [True: 1, False: 21.1k] ------------------ 80| 1| throw Decoding_Error("PEM: Malformed PEM header"); 81| 21.1k| } else { 82| 21.1k| position = 0; 83| 21.1k| } 84| 28.1k| } 85| 218| position = 0; 86| 2.73k| while(position != PEM_HEADER2.length()) { ------------------ | Branch (86:10): [True: 2.55k, False: 179] ------------------ 87| 2.55k| auto b = source.read_byte(); 88| | 89| 2.55k| if(!b) { ------------------ | Branch (89:10): [True: 36, False: 2.52k] ------------------ 90| 36| throw Decoding_Error("PEM: No PEM header found"); 91| 36| } 92| 2.52k| if(static_cast(*b) == PEM_HEADER2[position]) { ------------------ | Branch (92:10): [True: 909, False: 1.61k] ------------------ 93| 909| ++position; 94| 1.61k| } else if(position > 0) { ------------------ | Branch (94:17): [True: 2, False: 1.61k] ------------------ 95| 2| throw Decoding_Error("PEM: Malformed PEM header"); 96| 2| } 97| | 98| 2.52k| if(position == 0) { ------------------ | Branch (98:10): [True: 1.61k, False: 909] ------------------ 99| 1.61k| if(label.size() >= 128) { ------------------ | Branch (99:13): [True: 1, False: 1.61k] ------------------ 100| 1| throw Decoding_Error("PEM: Label too long"); 101| 1| } 102| 1.61k| label += static_cast(*b); 103| 1.61k| } 104| 2.52k| } 105| | 106| 179| std::vector b64; 107| | 108| 179| const std::string PEM_TRAILER = fmt("-----END {}-----", label); 109| 179| position = 0; 110| 75.3k| while(position != PEM_TRAILER.length()) { ------------------ | Branch (110:10): [True: 75.2k, False: 114] ------------------ 111| 75.2k| auto b = source.read_byte(); 112| | 113| 75.2k| if(!b) { ------------------ | Branch (113:10): [True: 59, False: 75.1k] ------------------ 114| 59| throw Decoding_Error("PEM: No PEM trailer found"); 115| 59| } 116| 75.1k| if(static_cast(*b) == PEM_TRAILER[position]) { ------------------ | Branch (116:10): [True: 2.12k, False: 73.0k] ------------------ 117| 2.12k| ++position; 118| 73.0k| } else if(position > 0) { ------------------ | Branch (118:17): [True: 6, False: 73.0k] ------------------ 119| 6| throw Decoding_Error("PEM: Malformed PEM trailer"); 120| 6| } 121| | 122| 75.1k| if(position == 0) { ------------------ | Branch (122:10): [True: 73.0k, False: 2.12k] ------------------ 123| 73.0k| b64.push_back(*b); 124| 73.0k| } 125| 75.1k| } 126| | 127| 114| return base64_decode(b64.data(), b64.size()); 128| 179|} _ZN5Botan8PEM_Code7matchesERNS_10DataSourceENSt3__117basic_string_viewIcNS3_11char_traitsIcEEEEm: 143| 6.68k|bool matches(DataSource& source, std::string_view extra, size_t search_range) { 144| 6.68k| const std::string PEM_HEADER = fmt("-----BEGIN {}", extra); 145| | 146| 6.68k| secure_vector search_buf(search_range); 147| 6.68k| const size_t got = source.peek(search_buf.data(), search_buf.size(), 0); 148| | 149| 6.68k| if(got < PEM_HEADER.length()) { ------------------ | Branch (149:7): [True: 404, False: 6.28k] ------------------ 150| 404| return false; 151| 404| } 152| | 153| 6.28k| size_t index = 0; 154| | 155| 1.15M| for(size_t j = 0; j != got; ++j) { ------------------ | Branch (155:22): [True: 1.14M, False: 6.28k] ------------------ 156| 1.14M| if(static_cast(search_buf[j]) == PEM_HEADER[index]) { ------------------ | Branch (156:10): [True: 4.45k, False: 1.14M] ------------------ 157| 4.45k| ++index; 158| 1.14M| } else { 159| 1.14M| index = 0; 160| 1.14M| } 161| | 162| 1.14M| if(index == PEM_HEADER.size()) { ------------------ | Branch (162:10): [True: 2, False: 1.14M] ------------------ 163| 2| return true; 164| 2| } 165| 1.14M| } 166| | 167| 6.28k| return false; 168| 6.28k|} _ZN5Botan16load_private_keyERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 290| 4.19k| [[maybe_unused]] std::span key_bits) { 291| 4.19k| const std::string oid_str = alg_id.oid().to_formatted_string(); 292| 4.19k| const std::vector alg_info = split_on(oid_str, '/'); 293| 4.19k| const std::string_view alg_name = alg_info[0]; 294| | 295| 4.19k|#if defined(BOTAN_HAS_RSA) 296| 4.19k| if(alg_name == "RSA") { ------------------ | Branch (296:7): [True: 36, False: 4.15k] ------------------ 297| 36| return std::make_unique(alg_id, key_bits); 298| 36| } 299| 4.15k|#endif 300| | 301| 4.15k|#if defined(BOTAN_HAS_X25519) 302| 4.15k| if(alg_name == "X25519" || alg_name == "Curve25519") { ------------------ | Branch (302:7): [True: 9, False: 4.14k] | Branch (302:31): [True: 0, False: 4.14k] ------------------ 303| 9| return std::make_unique(alg_id, key_bits); 304| 9| } 305| 4.14k|#endif 306| | 307| 4.14k|#if defined(BOTAN_HAS_X448) 308| 4.14k| if(alg_name == "X448") { ------------------ | Branch (308:7): [True: 3, False: 4.14k] ------------------ 309| 3| return std::make_unique(alg_id, key_bits); 310| 3| } 311| 4.14k|#endif 312| | 313| 4.14k|#if defined(BOTAN_HAS_ECDSA) 314| 4.14k| if(alg_name == "ECDSA") { ------------------ | Branch (314:7): [True: 2.27k, False: 1.87k] ------------------ 315| 2.27k| return std::make_unique(alg_id, key_bits); 316| 2.27k| } 317| 1.87k|#endif 318| | 319| 1.87k|#if defined(BOTAN_HAS_ECDH) 320| 1.87k| if(alg_name == "ECDH") { ------------------ | Branch (320:7): [True: 1.39k, False: 480] ------------------ 321| 1.39k| return std::make_unique(alg_id, key_bits); 322| 1.39k| } 323| 480|#endif 324| | 325| 480|#if defined(BOTAN_HAS_DIFFIE_HELLMAN) 326| 480| if(alg_name == "DH") { ------------------ | Branch (326:7): [True: 101, False: 379] ------------------ 327| 101| return std::make_unique(alg_id, key_bits); 328| 101| } 329| 379|#endif 330| | 331| 379|#if defined(BOTAN_HAS_DSA) 332| 379| if(alg_name == "DSA") { ------------------ | Branch (332:7): [True: 128, False: 251] ------------------ 333| 128| return std::make_unique(alg_id, key_bits); 334| 128| } 335| 251|#endif 336| | 337| 251|#if defined(BOTAN_HAS_FRODOKEM) 338| 251| if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) { ------------------ | Branch (338:7): [True: 0, False: 251] | Branch (338:33): [True: 0, False: 251] | Branch (338:70): [True: 0, False: 251] ------------------ 339| 0| return std::make_unique(alg_id, key_bits); 340| 0| } 341| 251|#endif 342| | 343| 251|#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S) 344| 251| if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) { ------------------ | Branch (344:7): [True: 0, False: 251] | Branch (344:30): [True: 0, False: 251] ------------------ 345| 0| return std::make_unique(alg_id, key_bits); 346| 0| } 347| 251|#endif 348| | 349| 251|#if defined(BOTAN_HAS_ML_KEM) 350| 251| if(alg_name.starts_with("ML-KEM-")) { ------------------ | Branch (350:7): [True: 37, False: 214] ------------------ 351| 37| return std::make_unique(alg_id, key_bits); 352| 37| } 353| 214|#endif 354| | 355| 214|#if defined(BOTAN_HAS_MCELIECE) 356| 214| if(alg_name == "McEliece") { ------------------ | Branch (356:7): [True: 0, False: 214] ------------------ 357| 0| return std::make_unique(key_bits); 358| 0| } 359| 214|#endif 360| | 361| 214|#if defined(BOTAN_HAS_ECGDSA) 362| 214| if(alg_name == "ECGDSA") { ------------------ | Branch (362:7): [True: 0, False: 214] ------------------ 363| 0| return std::make_unique(alg_id, key_bits); 364| 0| } 365| 214|#endif 366| | 367| 214|#if defined(BOTAN_HAS_ECKCDSA) 368| 214| if(alg_name == "ECKCDSA") { ------------------ | Branch (368:7): [True: 0, False: 214] ------------------ 369| 0| return std::make_unique(alg_id, key_bits); 370| 0| } 371| 214|#endif 372| | 373| 214|#if defined(BOTAN_HAS_ED25519) 374| 214| if(alg_name == "Ed25519") { ------------------ | Branch (374:7): [True: 6, False: 208] ------------------ 375| 6| return std::make_unique(alg_id, key_bits); 376| 6| } 377| 208|#endif 378| | 379| 208|#if defined(BOTAN_HAS_ED448) 380| 208| if(alg_name == "Ed448") { ------------------ | Branch (380:7): [True: 2, False: 206] ------------------ 381| 2| return std::make_unique(alg_id, key_bits); 382| 2| } 383| 206|#endif 384| | 385| 206|#if defined(BOTAN_HAS_GOST_34_10_2001) 386| 206| if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") { ------------------ | Branch (386:7): [True: 2, False: 204] | Branch (386:35): [True: 0, False: 204] | Branch (386:72): [True: 0, False: 204] ------------------ 387| 2| return std::make_unique(alg_id, key_bits); 388| 2| } 389| 204|#endif 390| | 391| 204|#if defined(BOTAN_HAS_SM2) 392| 204| if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") { ------------------ | Branch (392:7): [True: 0, False: 204] | Branch (392:28): [True: 0, False: 204] | Branch (392:53): [True: 0, False: 204] ------------------ 393| 0| return std::make_unique(alg_id, key_bits); 394| 0| } 395| 204|#endif 396| | 397| 204|#if defined(BOTAN_HAS_ELGAMAL) 398| 204| if(alg_name == "ElGamal") { ------------------ | Branch (398:7): [True: 0, False: 204] ------------------ 399| 0| return std::make_unique(alg_id, key_bits); 400| 0| } 401| 204|#endif 402| | 403| 204|#if defined(BOTAN_HAS_XMSS_RFC8391) 404| 204| if(alg_name == "XMSS") { ------------------ | Branch (404:7): [True: 0, False: 204] ------------------ 405| 0| return std::make_unique(key_bits); 406| 0| } 407| 204|#endif 408| | 409| 204|#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES) 410| 204| if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) { ------------------ | Branch (410:7): [True: 0, False: 204] | Branch (410:34): [True: 0, False: 204] ------------------ 411| 0| return std::make_unique(alg_id, key_bits); 412| 0| } 413| 204|#endif 414| | 415| 204|#if defined(BOTAN_HAS_ML_DSA) 416| 204| if(alg_name.starts_with("ML-DSA-")) { ------------------ | Branch (416:7): [True: 79, False: 125] ------------------ 417| 79| return std::make_unique(alg_id, key_bits); 418| 79| } 419| 125|#endif 420| | 421| 125|#if defined(BOTAN_HAS_HSS_LMS) 422| 125| if(alg_name == "HSS-LMS-Private-Key") { ------------------ | Branch (422:7): [True: 0, False: 125] ------------------ 423| 0| return std::make_unique(key_bits); 424| 0| } 425| 125|#endif 426| | 427| 125|#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE) 428| 125| if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) { ------------------ | Branch (428:7): [True: 0, False: 125] | Branch (428:33): [True: 0, False: 125] ------------------ 429| 0| return std::make_unique(alg_id, key_bits); 430| 0| } 431| 125|#endif 432| | 433| 125|#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE) 434| 125| if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) { ------------------ | Branch (434:7): [True: 17, False: 108] | Branch (434:43): [True: 0, False: 108] ------------------ 435| 17| return std::make_unique(alg_id, key_bits); 436| 17| } 437| 108|#endif 438| | 439| 108|#if defined(BOTAN_HAS_CLASSICMCELIECE) 440| 108| if(alg_name.starts_with("ClassicMcEliece")) { ------------------ | Branch (440:7): [True: 0, False: 108] ------------------ 441| 0| return std::make_unique(alg_id, key_bits); 442| 0| } 443| 108|#endif 444| | 445| 108| throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name)); 446| 108|} _ZN5Botan5PKCS88load_keyERNS_10DataSourceE: 350| 6.94k|std::unique_ptr load_key(DataSource& source) { 351| 6.94k| auto fail_fn = []() -> std::string { 352| 6.94k| throw PKCS8_Exception("Internal error: Attempt to read password for unencrypted key"); 353| 6.94k| }; 354| | 355| 6.94k| return load_key(source, fail_fn, false); 356| 6.94k|} pkcs8.cpp:_ZN5Botan5PKCS812_GLOBAL__N_18load_keyERNS_10DataSourceERKNSt3__18functionIFNS4_12basic_stringIcNS4_11char_traitsIcEENS4_9allocatorIcEEEEvEEEb: 302| 6.94k| bool is_encrypted) { 303| 6.94k| AlgorithmIdentifier alg_id; 304| 6.94k| secure_vector pkcs8_key = PKCS8_decode(source, get_pass, alg_id, is_encrypted); 305| | 306| 6.94k| const std::string alg_name = alg_id.oid().human_name_or_empty(); 307| 6.94k| if(alg_name.empty()) { ------------------ | Branch (307:7): [True: 1.78k, False: 5.16k] ------------------ 308| 1.78k| throw PKCS8_Exception(fmt("Unknown algorithm OID {}", alg_id.oid())); 309| 1.78k| } 310| | 311| 5.16k| return load_private_key(alg_id, pkcs8_key); 312| 6.94k|} pkcs8.cpp:_ZN5Botan5PKCS812_GLOBAL__N_112PKCS8_decodeERNS_10DataSourceERKNSt3__18functionIFNS4_12basic_stringIcNS4_11char_traitsIcEENS4_9allocatorIcEEEEvEEERNS_19AlgorithmIdentifierEb: 49| 6.94k| bool is_encrypted) { 50| 6.94k| AlgorithmIdentifier pbe_alg_id; 51| 6.94k| secure_vector key_data; 52| 6.94k| secure_vector key; 53| | 54| 6.94k| try { 55| 6.94k| if(ASN1::maybe_BER(source) && !PEM_Code::matches(source)) { ------------------ | Branch (55:10): [True: 6.68k, False: 260] | Branch (55:37): [True: 6.68k, False: 2] ------------------ 56| 6.68k| if(is_encrypted) { ------------------ | Branch (56:13): [True: 0, False: 6.68k] ------------------ 57| 0| key_data = PKCS8_extract(source, pbe_alg_id); 58| 6.68k| } else { 59| | // todo read more efficiently 60| 1.19M| while(auto b = source.read_byte()) { ------------------ | Branch (60:24): [True: 1.18M, False: 6.68k] ------------------ 61| 1.18M| key_data.push_back(*b); 62| 1.18M| } 63| 6.68k| } 64| 6.68k| } else { 65| 262| std::string label; 66| 262| key_data = PEM_Code::decode(source, label); 67| | 68| | // todo remove autodetect for pem as well? 69| 262| if(label == "PRIVATE KEY") { ------------------ | Branch (69:13): [True: 2, False: 260] ------------------ 70| 2| is_encrypted = false; 71| 260| } else if(label == "ENCRYPTED PRIVATE KEY") { ------------------ | Branch (71:20): [True: 4, False: 256] ------------------ 72| 4| DataSource_Memory key_source(key_data); 73| 4| key_data = PKCS8_extract(key_source, pbe_alg_id); 74| 256| } else { 75| 256| throw PKCS8_Exception(fmt("Unknown PEM label '{}'", label)); 76| 256| } 77| 262| } 78| | 79| 6.69k| if(key_data.empty()) { ------------------ | Branch (79:10): [True: 1, False: 6.69k] ------------------ 80| 1| throw PKCS8_Exception("No key data found"); 81| 1| } 82| 6.69k| } catch(Decoding_Error& e) { 83| 220| throw Decoding_Error("PKCS #8 private key decoding", e); 84| 220| } 85| | 86| 6.68k| try { 87| 6.68k| if(is_encrypted) { ------------------ | Branch (87:10): [True: 0, False: 6.68k] ------------------ 88| 0| if(pbe_alg_id.oid().to_formatted_string() != "PBE-PKCS5v20") { ------------------ | Branch (88:13): [True: 0, False: 0] ------------------ 89| 0| throw PKCS8_Exception(fmt("Unknown PBE type {}", pbe_alg_id.oid())); 90| 0| } 91| | 92| 0|#if defined(BOTAN_HAS_PKCS5_PBES2) 93| 0| key = pbes2_decrypt(key_data, get_passphrase(), pbe_alg_id.parameters()); 94| |#else 95| | BOTAN_UNUSED(get_passphrase); 96| | throw Decoding_Error("Private key is encrypted but PBES2 was disabled in build"); 97| |#endif 98| 6.68k| } else { 99| 6.68k| key = key_data; 100| 6.68k| } 101| | 102| 6.68k| BER_Decoder(key, BER_Decoder::Limits::DER()) 103| 6.68k| .start_sequence() 104| 6.68k| .decode_and_check(0, "Unknown PKCS #8 version number") 105| 6.68k| .decode(pk_alg_id) 106| 6.68k| .decode(key, ASN1_Type::OctetString) 107| 6.68k| .discard_remaining() 108| 6.68k| .end_cons() 109| 6.68k| .verify_end(); 110| 6.68k| } catch(std::exception& e) { 111| 707| throw Decoding_Error("PKCS #8 private key decoding", e); 112| 707| } 113| 5.98k| return key; 114| 6.68k|} pkcs8.cpp:_ZN5Botan5PKCS812_GLOBAL__N_113PKCS8_extractERNS_10DataSourceERNS_19AlgorithmIdentifierE: 31| 4|secure_vector PKCS8_extract(DataSource& source, AlgorithmIdentifier& pbe_alg_id) { 32| 4| secure_vector key_data; 33| | 34| 4| BER_Decoder(source, BER_Decoder::Limits::DER()) 35| 4| .start_sequence() 36| 4| .decode(pbe_alg_id) 37| 4| .decode(key_data, ASN1_Type::OctetString) 38| 4| .verify_end(); 39| | 40| 4| return key_data; 41| 4|} _ZN5Botan13RSA_PublicKey4initEONS_6BigIntES2_: 156| 6|void RSA_PublicKey::init(BigInt&& n, BigInt&& e) { 157| 6| if(n.signum() <= 0 || n.is_even() || n.bits() < 384 || n.bits() > 16384) { ------------------ | Branch (157:7): [True: 1, False: 5] | Branch (157:26): [True: 1, False: 4] | Branch (157:41): [True: 4, False: 0] | Branch (157:59): [True: 0, False: 0] ------------------ 158| 6| throw Decoding_Error("Invalid RSA public key modulus"); 159| 6| } 160| 0| if(e.is_even() || e <= 1 || e >= n || e.bits() > 256) { ------------------ | Branch (160:7): [True: 0, False: 0] | Branch (160:22): [True: 0, False: 0] | Branch (160:32): [True: 0, False: 0] | Branch (160:42): [True: 0, False: 0] ------------------ 161| 0| throw Decoding_Error("Invalid RSA public key exponent"); 162| 0| } 163| 0| m_public = std::make_shared(std::move(n), std::move(e)); 164| 0|} _ZN5Botan14RSA_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 274| 36|RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 275| 36| BigInt n; 276| 36| BigInt e; 277| 36| BigInt d; 278| 36| BigInt p; 279| 36| BigInt q; 280| 36| BigInt d1; 281| 36| BigInt d2; 282| 36| BigInt c; 283| | 284| 36| BER_Decoder(key_bits, BER_Decoder::Limits::DER()) 285| 36| .start_sequence() 286| 36| .decode_and_check(0, "Unknown PKCS #1 key format version") 287| 36| .decode(n) 288| 36| .decode(e) 289| 36| .decode(d) 290| 36| .decode(p) 291| 36| .decode(q) 292| 36| .decode(d1) 293| 36| .decode(d2) 294| 36| .decode(c) 295| 36| .end_cons() 296| 36| .verify_end(); 297| | 298| 36| RSA_PublicKey::init(std::move(n), std::move(e)); 299| | 300| 36| RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); 301| 36|} _ZN5Botan18Sphincs_ParametersC2ENS_21Sphincs_Parameter_SetENS_17Sphincs_Hash_TypeEjjjjjjj: 279| 34| m_set(set), m_hash_type(hash_type), m_n(n), m_h(h), m_d(d), m_a(a), m_k(k), m_w(w), m_bitsec(bitsec) { 280| 34| BOTAN_ARG_CHECK(!(hash_type == Sphincs_Hash_Type::Haraka && is_slh_dsa_set(set)), ------------------ | | 35| 34| do { \ | | 36| 34| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 34| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 34] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 34| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 34] | | ------------------ ------------------ 281| 34| "Haraka is not available for SLH-DSA"); 282| 34| BOTAN_ARG_CHECK(w == 4 || w == 16 || w == 256, "Winternitz parameter must be one of 4, 16, 256"); ------------------ | | 35| 34| do { \ | | 36| 34| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 102| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 34] | | | Branch (37:12): [True: 34, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 34| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 34] | | ------------------ ------------------ 283| 34| BOTAN_ARG_CHECK(n == 16 || n == 24 || n == 32, "n must be one of 16, 24, 32"); ------------------ | | 35| 34| do { \ | | 36| 34| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 98| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 14, False: 20] | | | Branch (37:12): [True: 10, False: 10] | | | Branch (37:12): [True: 10, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 34| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 34] | | ------------------ ------------------ 284| 34| BOTAN_ARG_CHECK(m_d > 0, "d must be greater than zero"); ------------------ | | 35| 34| do { \ | | 36| 34| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 34| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 34] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 34| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 34] | | ------------------ ------------------ 285| | 286| 34| m_xmss_tree_height = m_h / m_d; 287| 34| m_lg_w = ceil_log2(m_w); 288| | 289| | // base_2^b algorithm (Fips 205, Algorithm 4) only works 290| | // when m_log_w is a divisor of 8. 291| 34| BOTAN_ASSERT_NOMSG(m_lg_w <= 8 && 8 % m_lg_w == 0); ------------------ | | 77| 34| do { \ | | 78| 34| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 68| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 34, False: 0] | | | Branch (79:12): [True: 34, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 34| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 34] | | ------------------ ------------------ 292| | 293| | // # Winternitz blocks of the message (len_1 of FIPS 205, Algorithm 1) 294| 34| m_wots_len1 = (m_n * 8) / m_lg_w; 295| | 296| | // # Winternitz blocks of the checksum (output of FIPS 205 Algorithm 1) 297| 34| m_wots_len2 = ceil_log2(m_wots_len1 * (m_w - 1)) / m_lg_w + 1; 298| | 299| | // # Winternitz blocks in the signature (len of FIPS 205, Equation 5.4) 300| 34| m_wots_len = m_wots_len1 + m_wots_len2; 301| | 302| | // byte length of WOTS+ signature as well as public key 303| 34| m_wots_bytes = m_wots_len * m_n; 304| | 305| | // # of bytes the WOTS+ checksum consists of 306| 34| m_wots_checksum_bytes = ceil_tobytes(m_wots_len2 * m_lg_w); 307| | 308| 34| m_fors_sig_bytes = (m_a + 1) * m_k * m_n; 309| | 310| | // byte length of the FORS input message 311| 34| m_fors_message_bytes = ceil_tobytes(m_k * m_a); 312| | 313| 34| m_xmss_sig_bytes = m_wots_bytes + m_xmss_tree_height * m_n; 314| 34| m_ht_sig_bytes = m_d * m_xmss_sig_bytes; 315| 34| m_sp_sig_bytes = m_n /* random */ + m_fors_sig_bytes + m_ht_sig_bytes; 316| | 317| 34| m_tree_digest_bytes = ceil_tobytes(m_h - m_xmss_tree_height); 318| 34| m_leaf_digest_bytes = ceil_tobytes(m_xmss_tree_height); 319| 34| m_h_msg_digest_bytes = m_fors_message_bytes + m_tree_digest_bytes + m_leaf_digest_bytes; 320| 34|} _ZNK5Botan18Sphincs_Parameters12is_availableEv: 322| 4|bool Sphincs_Parameters::is_available() const { 323| 4| [[maybe_unused]] const bool is_slh_dsa = is_slh_dsa_set(m_set); 324| 4|#ifdef BOTAN_HAS_SLH_DSA_WITH_SHA2 325| 4| if(is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Sha256) { ------------------ | Branch (325:7): [True: 4, False: 0] | Branch (325:21): [True: 2, False: 2] ------------------ 326| 2| return true; 327| 2| } 328| 2|#endif 329| 2|#ifdef BOTAN_HAS_SLH_DSA_WITH_SHAKE 330| 2| if(is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Shake256) { ------------------ | Branch (330:7): [True: 2, False: 0] | Branch (330:21): [True: 2, False: 0] ------------------ 331| 2| return true; 332| 2| } 333| 0|#endif 334| 0|#ifdef BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2 335| 0| if(!is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Sha256) { ------------------ | Branch (335:7): [True: 0, False: 0] | Branch (335:22): [True: 0, False: 0] ------------------ 336| 0| return true; 337| 0| } 338| 0|#endif 339| 0|#ifdef BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE 340| 0| if(!is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Shake256) { ------------------ | Branch (340:7): [True: 0, False: 0] | Branch (340:22): [True: 0, False: 0] ------------------ 341| 0| return true; 342| 0| } 343| 0|#endif 344| 0| return false; 345| 0|} _ZN5Botan18Sphincs_Parameters6createENS_21Sphincs_Parameter_SetENS_17Sphincs_Hash_TypeE: 348| 34| Sphincs_Parameter_Set set, Sphincs_Hash_Type hash /*, SlhDsaInputMode input_mode [TODO: prehash mode]*/) { 349| | // See FIPS 205, Table 2 350| 34| switch(set) { ------------------ | Branch (350:11): [True: 34, False: 0] ------------------ 351| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (351:7): [True: 0, False: 34] ------------------ 352| 10| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (352:7): [True: 10, False: 24] ------------------ 353| 10| return Sphincs_Parameters(set, hash, 16, 63, 7, 12, 14, 16, 133); 354| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (354:7): [True: 0, False: 34] ------------------ 355| 4| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (355:7): [True: 4, False: 30] ------------------ 356| 4| return Sphincs_Parameters(set, hash, 16, 66, 22, 6, 33, 16, 128); 357| | 358| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (358:7): [True: 0, False: 34] ------------------ 359| 4| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (359:7): [True: 4, False: 30] ------------------ 360| 4| return Sphincs_Parameters(set, hash, 24, 63, 7, 14, 17, 16, 193); 361| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (361:7): [True: 0, False: 34] ------------------ 362| 6| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (362:7): [True: 6, False: 28] ------------------ 363| 6| return Sphincs_Parameters(set, hash, 24, 66, 22, 8, 33, 16, 194); 364| | 365| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (365:7): [True: 0, False: 34] ------------------ 366| 6| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (366:7): [True: 6, False: 28] ------------------ 367| 6| return Sphincs_Parameters(set, hash, 32, 64, 8, 14, 22, 16, 255); 368| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (368:7): [True: 0, False: 34] ------------------ 369| 4| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (369:7): [True: 4, False: 30] ------------------ 370| 4| return Sphincs_Parameters(set, hash, 32, 68, 17, 9, 35, 16, 255); 371| 34| } 372| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 373| 0|} _ZN5Botan18Sphincs_Parameters6createENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 375| 34|Sphincs_Parameters Sphincs_Parameters::create(std::string_view name) { 376| 34| auto [param_set, hash_type] = set_and_hash_from_name(name); 377| 34| return Sphincs_Parameters::create(param_set, hash_type); 378| 34|} _ZNK5Botan18Sphincs_Parameters9to_stringEv: 396| 17|std::string Sphincs_Parameters::to_string() const { 397| 17| return name_from_set_and_hash(parameter_set(), hash_type()); 398| 17|} _ZN5Botan18Sphincs_Parameters6createERKNS_3OIDE: 400| 34|Sphincs_Parameters Sphincs_Parameters::create(const OID& oid) { 401| 34| return Sphincs_Parameters::create(oid.to_formatted_string()); 402| 34|} _ZNK5Botan18Sphincs_Parameters17object_identifierEv: 404| 17|OID Sphincs_Parameters::object_identifier() const { 405| 17| return OID::from_string(to_string()); 406| 17|} sp_parameters.cpp:_ZN5Botan12_GLOBAL__N_114is_slh_dsa_setENS_21Sphincs_Parameter_SetE: 248| 4|constexpr bool is_slh_dsa_set(Sphincs_Parameter_Set set) { 249| 4| switch(set) { ------------------ | Branch (249:11): [True: 4, False: 0] ------------------ 250| 4| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (250:7): [True: 4, False: 0] ------------------ 251| 4| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (251:7): [True: 0, False: 4] ------------------ 252| 4| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (252:7): [True: 0, False: 4] ------------------ 253| 4| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (253:7): [True: 0, False: 4] ------------------ 254| 4| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (254:7): [True: 0, False: 4] ------------------ 255| 4| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (255:7): [True: 0, False: 4] ------------------ 256| 4| return true; 257| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (257:7): [True: 0, False: 4] ------------------ 258| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (258:7): [True: 0, False: 4] ------------------ 259| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (259:7): [True: 0, False: 4] ------------------ 260| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (260:7): [True: 0, False: 4] ------------------ 261| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (261:7): [True: 0, False: 4] ------------------ 262| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (262:7): [True: 0, False: 4] ------------------ 263| 0| return false; 264| 4| } 265| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 266| 0|} sp_parameters.cpp:_ZN5Botan12_GLOBAL__N_122set_and_hash_from_nameENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 20| 34|std::pair set_and_hash_from_name(std::string_view name) { 21| | // SPHINCS+ Round 3.1 instances 22| 34| if(name == "SphincsPlus-sha2-128s-r3.1") { ------------------ | Branch (22:7): [True: 0, False: 34] ------------------ 23| 0| return {Sphincs_Parameter_Set::Sphincs128Small, Sphincs_Hash_Type::Sha256}; 24| 0| } 25| 34| if(name == "SphincsPlus-sha2-128f-r3.1") { ------------------ | Branch (25:7): [True: 0, False: 34] ------------------ 26| 0| return {Sphincs_Parameter_Set::Sphincs128Fast, Sphincs_Hash_Type::Sha256}; 27| 0| } 28| 34| if(name == "SphincsPlus-sha2-192s-r3.1") { ------------------ | Branch (28:7): [True: 0, False: 34] ------------------ 29| 0| return {Sphincs_Parameter_Set::Sphincs192Small, Sphincs_Hash_Type::Sha256}; 30| 0| } 31| 34| if(name == "SphincsPlus-sha2-192f-r3.1") { ------------------ | Branch (31:7): [True: 0, False: 34] ------------------ 32| 0| return {Sphincs_Parameter_Set::Sphincs192Fast, Sphincs_Hash_Type::Sha256}; 33| 0| } 34| 34| if(name == "SphincsPlus-sha2-256s-r3.1") { ------------------ | Branch (34:7): [True: 0, False: 34] ------------------ 35| 0| return {Sphincs_Parameter_Set::Sphincs256Small, Sphincs_Hash_Type::Sha256}; 36| 0| } 37| 34| if(name == "SphincsPlus-sha2-256f-r3.1") { ------------------ | Branch (37:7): [True: 0, False: 34] ------------------ 38| 0| return {Sphincs_Parameter_Set::Sphincs256Fast, Sphincs_Hash_Type::Sha256}; 39| 0| } 40| | 41| 34| if(name == "SphincsPlus-shake-128s-r3.1") { ------------------ | Branch (41:7): [True: 0, False: 34] ------------------ 42| 0| return {Sphincs_Parameter_Set::Sphincs128Small, Sphincs_Hash_Type::Shake256}; 43| 0| } 44| 34| if(name == "SphincsPlus-shake-128f-r3.1") { ------------------ | Branch (44:7): [True: 0, False: 34] ------------------ 45| 0| return {Sphincs_Parameter_Set::Sphincs128Fast, Sphincs_Hash_Type::Shake256}; 46| 0| } 47| 34| if(name == "SphincsPlus-shake-192s-r3.1") { ------------------ | Branch (47:7): [True: 0, False: 34] ------------------ 48| 0| return {Sphincs_Parameter_Set::Sphincs192Small, Sphincs_Hash_Type::Shake256}; 49| 0| } 50| 34| if(name == "SphincsPlus-shake-192f-r3.1") { ------------------ | Branch (50:7): [True: 0, False: 34] ------------------ 51| 0| return {Sphincs_Parameter_Set::Sphincs192Fast, Sphincs_Hash_Type::Shake256}; 52| 0| } 53| 34| if(name == "SphincsPlus-shake-256s-r3.1") { ------------------ | Branch (53:7): [True: 0, False: 34] ------------------ 54| 0| return {Sphincs_Parameter_Set::Sphincs256Small, Sphincs_Hash_Type::Shake256}; 55| 0| } 56| 34| if(name == "SphincsPlus-shake-256f-r3.1") { ------------------ | Branch (56:7): [True: 0, False: 34] ------------------ 57| 0| return {Sphincs_Parameter_Set::Sphincs256Fast, Sphincs_Hash_Type::Shake256}; 58| 0| } 59| | 60| 34| if(name == "SphincsPlus-haraka-128s-r3.1") { ------------------ | Branch (60:7): [True: 0, False: 34] ------------------ 61| 0| return {Sphincs_Parameter_Set::Sphincs128Small, Sphincs_Hash_Type::Haraka}; 62| 0| } 63| 34| if(name == "SphincsPlus-haraka-128f-r3.1") { ------------------ | Branch (63:7): [True: 0, False: 34] ------------------ 64| 0| return {Sphincs_Parameter_Set::Sphincs128Fast, Sphincs_Hash_Type::Haraka}; 65| 0| } 66| 34| if(name == "SphincsPlus-haraka-192s-r3.1") { ------------------ | Branch (66:7): [True: 0, False: 34] ------------------ 67| 0| return {Sphincs_Parameter_Set::Sphincs192Small, Sphincs_Hash_Type::Haraka}; 68| 0| } 69| 34| if(name == "SphincsPlus-haraka-192f-r3.1") { ------------------ | Branch (69:7): [True: 0, False: 34] ------------------ 70| 0| return {Sphincs_Parameter_Set::Sphincs192Fast, Sphincs_Hash_Type::Haraka}; 71| 0| } 72| 34| if(name == "SphincsPlus-haraka-256s-r3.1") { ------------------ | Branch (72:7): [True: 0, False: 34] ------------------ 73| 0| return {Sphincs_Parameter_Set::Sphincs256Small, Sphincs_Hash_Type::Haraka}; 74| 0| } 75| 34| if(name == "SphincsPlus-haraka-256f-r3.1") { ------------------ | Branch (75:7): [True: 0, False: 34] ------------------ 76| 0| return {Sphincs_Parameter_Set::Sphincs256Fast, Sphincs_Hash_Type::Haraka}; 77| 0| } 78| | 79| | // SLH-DSA instances WITHOUT prehash mode 80| 34| if(name == "SLH-DSA-SHA2-128s") { ------------------ | Branch (80:7): [True: 6, False: 28] ------------------ 81| 6| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Sha256}; 82| 6| } 83| 28| if(name == "SLH-DSA-SHA2-128f") { ------------------ | Branch (83:7): [True: 2, False: 26] ------------------ 84| 2| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Sha256}; 85| 2| } 86| 26| if(name == "SLH-DSA-SHA2-192s") { ------------------ | Branch (86:7): [True: 2, False: 24] ------------------ 87| 2| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Sha256}; 88| 2| } 89| 24| if(name == "SLH-DSA-SHA2-192f") { ------------------ | Branch (89:7): [True: 4, False: 20] ------------------ 90| 4| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Sha256}; 91| 4| } 92| 20| if(name == "SLH-DSA-SHA2-256s") { ------------------ | Branch (92:7): [True: 2, False: 18] ------------------ 93| 2| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Sha256}; 94| 2| } 95| 18| if(name == "SLH-DSA-SHA2-256f") { ------------------ | Branch (95:7): [True: 2, False: 16] ------------------ 96| 2| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Sha256}; 97| 2| } 98| | 99| 16| if(name == "SLH-DSA-SHAKE-128s") { ------------------ | Branch (99:7): [True: 4, False: 12] ------------------ 100| 4| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Shake256}; 101| 4| } 102| 12| if(name == "SLH-DSA-SHAKE-128f") { ------------------ | Branch (102:7): [True: 2, False: 10] ------------------ 103| 2| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Shake256}; 104| 2| } 105| 10| if(name == "SLH-DSA-SHAKE-192s") { ------------------ | Branch (105:7): [True: 2, False: 8] ------------------ 106| 2| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Shake256}; 107| 2| } 108| 8| if(name == "SLH-DSA-SHAKE-192f") { ------------------ | Branch (108:7): [True: 2, False: 6] ------------------ 109| 2| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Shake256}; 110| 2| } 111| 6| if(name == "SLH-DSA-SHAKE-256s") { ------------------ | Branch (111:7): [True: 4, False: 2] ------------------ 112| 4| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Shake256}; 113| 4| } 114| 2| if(name == "SLH-DSA-SHAKE-256f") { ------------------ | Branch (114:7): [True: 2, False: 0] ------------------ 115| 2| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Shake256}; 116| 2| } 117| | 118| | // SLH-DSA instances WITH prehash mode 119| 0| if(name == "Hash-SLH-DSA-SHA2-128s-with-SHA256") { ------------------ | Branch (119:7): [True: 0, False: 0] ------------------ 120| 0| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Sha256}; 121| 0| } 122| 0| if(name == "Hash-SLH-DSA-SHA2-128f-with-SHA256") { ------------------ | Branch (122:7): [True: 0, False: 0] ------------------ 123| 0| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Sha256}; 124| 0| } 125| 0| if(name == "Hash-SLH-DSA-SHA2-192s-with-SHA512") { ------------------ | Branch (125:7): [True: 0, False: 0] ------------------ 126| 0| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Sha256}; 127| 0| } 128| 0| if(name == "Hash-SLH-DSA-SHA2-192f-with-SHA512") { ------------------ | Branch (128:7): [True: 0, False: 0] ------------------ 129| 0| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Sha256}; 130| 0| } 131| 0| if(name == "Hash-SLH-DSA-SHA2-256s-with-SHA512") { ------------------ | Branch (131:7): [True: 0, False: 0] ------------------ 132| 0| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Sha256}; 133| 0| } 134| 0| if(name == "Hash-SLH-DSA-SHA2-256f-with-SHA512") { ------------------ | Branch (134:7): [True: 0, False: 0] ------------------ 135| 0| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Sha256}; 136| 0| } 137| | 138| 0| if(name == "Hash-SLH-DSA-SHAKE-128s-with-SHAKE128") { ------------------ | Branch (138:7): [True: 0, False: 0] ------------------ 139| 0| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Shake256}; 140| 0| } 141| 0| if(name == "Hash-SLH-DSA-SHAKE-128f-with-SHAKE128") { ------------------ | Branch (141:7): [True: 0, False: 0] ------------------ 142| 0| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Shake256}; 143| 0| } 144| 0| if(name == "Hash-SLH-DSA-SHAKE-192s-with-SHAKE256") { ------------------ | Branch (144:7): [True: 0, False: 0] ------------------ 145| 0| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Shake256}; 146| 0| } 147| 0| if(name == "Hash-SLH-DSA-SHAKE-192f-with-SHAKE256") { ------------------ | Branch (147:7): [True: 0, False: 0] ------------------ 148| 0| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Shake256}; 149| 0| } 150| 0| if(name == "Hash-SLH-DSA-SHAKE-256s-with-SHAKE256") { ------------------ | Branch (150:7): [True: 0, False: 0] ------------------ 151| 0| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Shake256}; 152| 0| } 153| 0| if(name == "Hash-SLH-DSA-SHAKE-256f-with-SHAKE256") { ------------------ | Branch (153:7): [True: 0, False: 0] ------------------ 154| 0| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Shake256}; 155| 0| } 156| | 157| 0| throw Lookup_Error(fmt("No SLH-DSA (or SPHINCS+) parameter supported for: {}", name)); 158| 0|} sp_parameters.cpp:_ZN5Botan12_GLOBAL__N_122name_from_set_and_hashENS_21Sphincs_Parameter_SetENS_17Sphincs_Hash_TypeE: 160| 17|std::string name_from_set_and_hash(Sphincs_Parameter_Set set, Sphincs_Hash_Type hash) { 161| 17| if(hash == Sphincs_Hash_Type::Sha256) { ------------------ | Branch (161:7): [True: 9, False: 8] ------------------ 162| 9| switch(set) { ------------------ | Branch (162:14): [True: 9, False: 0] ------------------ 163| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (163:10): [True: 0, False: 9] ------------------ 164| 0| return "SphincsPlus-sha2-128s-r3.1"; 165| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (165:10): [True: 0, False: 9] ------------------ 166| 0| return "SphincsPlus-sha2-128f-r3.1"; 167| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (167:10): [True: 0, False: 9] ------------------ 168| 0| return "SphincsPlus-sha2-192s-r3.1"; 169| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (169:10): [True: 0, False: 9] ------------------ 170| 0| return "SphincsPlus-sha2-192f-r3.1"; 171| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (171:10): [True: 0, False: 9] ------------------ 172| 0| return "SphincsPlus-sha2-256s-r3.1"; 173| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (173:10): [True: 0, False: 9] ------------------ 174| 0| return "SphincsPlus-sha2-256f-r3.1"; 175| | 176| 3| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (176:10): [True: 3, False: 6] ------------------ 177| 3| return "SLH-DSA-SHA2-128s"; 178| 1| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (178:10): [True: 1, False: 8] ------------------ 179| 1| return "SLH-DSA-SHA2-128f"; 180| 1| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (180:10): [True: 1, False: 8] ------------------ 181| 1| return "SLH-DSA-SHA2-192s"; 182| 2| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (182:10): [True: 2, False: 7] ------------------ 183| 2| return "SLH-DSA-SHA2-192f"; 184| 1| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (184:10): [True: 1, False: 8] ------------------ 185| 1| return "SLH-DSA-SHA2-256s"; 186| 1| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (186:10): [True: 1, False: 8] ------------------ 187| 1| return "SLH-DSA-SHA2-256f"; 188| 9| } 189| 9| } 190| | 191| 8| if(hash == Sphincs_Hash_Type::Shake256) { ------------------ | Branch (191:7): [True: 8, False: 0] ------------------ 192| 8| switch(set) { ------------------ | Branch (192:14): [True: 8, False: 0] ------------------ 193| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (193:10): [True: 0, False: 8] ------------------ 194| 0| return "SphincsPlus-shake-128s-r3.1"; 195| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (195:10): [True: 0, False: 8] ------------------ 196| 0| return "SphincsPlus-shake-128f-r3.1"; 197| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (197:10): [True: 0, False: 8] ------------------ 198| 0| return "SphincsPlus-shake-192s-r3.1"; 199| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (199:10): [True: 0, False: 8] ------------------ 200| 0| return "SphincsPlus-shake-192f-r3.1"; 201| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (201:10): [True: 0, False: 8] ------------------ 202| 0| return "SphincsPlus-shake-256s-r3.1"; 203| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (203:10): [True: 0, False: 8] ------------------ 204| 0| return "SphincsPlus-shake-256f-r3.1"; 205| | 206| 2| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (206:10): [True: 2, False: 6] ------------------ 207| 2| return "SLH-DSA-SHAKE-128s"; 208| 1| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (208:10): [True: 1, False: 7] ------------------ 209| 1| return "SLH-DSA-SHAKE-128f"; 210| 1| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (210:10): [True: 1, False: 7] ------------------ 211| 1| return "SLH-DSA-SHAKE-192s"; 212| 1| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (212:10): [True: 1, False: 7] ------------------ 213| 1| return "SLH-DSA-SHAKE-192f"; 214| 2| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (214:10): [True: 2, False: 6] ------------------ 215| 2| return "SLH-DSA-SHAKE-256s"; 216| 1| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (216:10): [True: 1, False: 7] ------------------ 217| 1| return "SLH-DSA-SHAKE-256f"; 218| 8| } 219| 8| } 220| | 221| 0| if(hash == Sphincs_Hash_Type::Haraka) { ------------------ | Branch (221:7): [True: 0, False: 0] ------------------ 222| 0| switch(set) { ------------------ | Branch (222:14): [True: 0, False: 0] ------------------ 223| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (223:10): [True: 0, False: 0] ------------------ 224| 0| return "SphincsPlus-haraka-128s-r3.1"; 225| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (225:10): [True: 0, False: 0] ------------------ 226| 0| return "SphincsPlus-haraka-128f-r3.1"; 227| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (227:10): [True: 0, False: 0] ------------------ 228| 0| return "SphincsPlus-haraka-192s-r3.1"; 229| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (229:10): [True: 0, False: 0] ------------------ 230| 0| return "SphincsPlus-haraka-192f-r3.1"; 231| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (231:10): [True: 0, False: 0] ------------------ 232| 0| return "SphincsPlus-haraka-256s-r3.1"; 233| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (233:10): [True: 0, False: 0] ------------------ 234| 0| return "SphincsPlus-haraka-256f-r3.1"; 235| | 236| 0| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (236:10): [True: 0, False: 0] ------------------ 237| 0| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (237:10): [True: 0, False: 0] ------------------ 238| 0| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (238:10): [True: 0, False: 0] ------------------ 239| 0| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (239:10): [True: 0, False: 0] ------------------ 240| 0| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (240:10): [True: 0, False: 0] ------------------ 241| 0| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (241:10): [True: 0, False: 0] ------------------ 242| 0| throw Invalid_Argument("SLH-DSA does not support Haraka"); 243| 0| } 244| 0| } 245| 0| throw Invalid_Argument("Cannot serialize invalid parameter combination"); 246| 0|} _ZN5Botan21SphincsPlus_PublicKeyC2ENSt3__14spanIKhLm18446744073709551615EEENS_18Sphincs_ParametersE: 133| 2| m_public(std::make_shared(params, pub_key)) { 134| 2| if(!params.is_available()) { ------------------ | Branch (134:7): [True: 0, False: 2] ------------------ 135| 0| throw Not_Implemented("This SPHINCS+ parameter set is not available in this configuration"); 136| 0| } 137| 2|} _ZN5Botan21SphincsPlus_PublicKeyD2Ev: 142| 2|SphincsPlus_PublicKey::~SphincsPlus_PublicKey() = default; _ZN5Botan22SphincsPlus_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 299| 17| SphincsPlus_PrivateKey(key_bits, Sphincs_Parameters::create(alg_id.oid())) {} _ZN5Botan22SphincsPlus_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEENS_18Sphincs_ParametersE: 302| 17| SphincsPlus_PublicKey(slice_off_public_key(params.object_identifier(), private_key), params) { 303| 17| if(!params.is_available()) { ------------------ | Branch (303:7): [True: 0, False: 17] ------------------ 304| 0| throw Not_Implemented("This SPHINCS+ parameter set is not available in this configuration"); 305| 0| } 306| | 307| 17| const auto private_portion_bytes = params.private_key_bytes() - params.public_key_bytes(); 308| 17| BOTAN_ASSERT_NOMSG(private_key.size() >= private_portion_bytes); ------------------ | | 77| 17| do { \ | | 78| 17| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 17| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 17] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 17| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 17] | | ------------------ ------------------ 309| | 310| 17| m_private = std::make_shared(params, private_key.first(private_portion_bytes)); 311| 17|} _ZN5Botan22SphincsPlus_PrivateKeyD2Ev: 335| 2|SphincsPlus_PrivateKey::~SphincsPlus_PrivateKey() = default; sphincsplus.cpp:_ZN5Botan12_GLOBAL__N_120slice_off_public_keyERKNS_3OIDENSt3__14spanIKhLm18446744073709551615EEE: 277| 17|std::span slice_off_public_key(const OID& oid, std::span key_bits) { 278| 17| const auto params = Sphincs_Parameters::create(oid); 279| | // Note: We need to transiently instantiate the `Sphincs_Parameters` object 280| | // to know the size of the public/private key. That's slightly 281| | // inefficient but was the best we could do. Once we get rid of the 282| | // PublicKey-PrivateKey inheritance, we might want to reconsider this 283| | // control flow. 284| 17| if(key_bits.size() != params.private_key_bytes()) { ------------------ | Branch (284:7): [True: 15, False: 2] ------------------ 285| 15| throw Decoding_Error("Sphincs Private Key doesn't have the expected length"); 286| 15| } 287| | 288| 2| return key_bits.subspan(params.private_key_bytes() - params.public_key_bytes()); 289| 17|} _ZN5Botan29SphincsPlus_PublicKeyInternalC2ENS_18Sphincs_ParametersENSt3__14spanIKhLm18446744073709551615EEE: 73| 2| SphincsPlus_PublicKeyInternal(Sphincs_Parameters params, std::span key_bits) : m_params(params) { 74| 2| if(key_bits.size() != m_params.public_key_bytes()) { ------------------ | Branch (74:13): [True: 0, False: 2] ------------------ 75| 0| throw Decoding_Error("SLH-DSA (or SPHINCS+) Public Key doesn't have the expected length"); 76| 0| } 77| | 78| 2| BufferSlicer s(key_bits); 79| 2| m_public_seed = s.copy(params.n()); 80| 2| m_sphincs_root = s.copy(params.n()); 81| | 82| 2| BOTAN_ASSERT_NOMSG(s.empty()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 83| 2| } _ZN5Botan30SphincsPlus_PrivateKeyInternalC2ERKNS_18Sphincs_ParametersENSt3__14spanIKhLm18446744073709551615EEE: 104| 2| SphincsPlus_PrivateKeyInternal(const Sphincs_Parameters& params, std::span key_bits) { 105| 2| if(key_bits.size() != params.private_key_bytes() - params.public_key_bytes()) { ------------------ | Branch (105:13): [True: 0, False: 2] ------------------ 106| 0| throw Decoding_Error("SLH-DSA (or SPHINCS+) Private Key doesn't have the expected length"); 107| 0| } 108| | 109| 2| BufferSlicer s(key_bits); 110| 2| m_secret_seed = s.copy(params.n()); 111| 2| m_prf = s.copy(params.n()); 112| | 113| 2| BOTAN_ASSERT_NOMSG(s.empty()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 114| 2| } _ZN5Botan14if_work_factorEm: 37| 116|size_t if_work_factor(size_t bits) { 38| 116| if(bits < 512) { ------------------ | Branch (38:7): [True: 5, False: 111] ------------------ 39| 5| return 0; 40| 5| } 41| | 42| | // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest 43| | 44| 111| const double log2_k = -5.6438; // log2(.02) 45| 111| return nfs_workfactor(bits, log2_k); 46| 116|} _ZN5Botan14dl_work_factorEm: 48| 116|size_t dl_work_factor(size_t bits) { 49| | // Lacking better estimates... 50| 116| return if_work_factor(bits); 51| 116|} _ZN5Botan16dl_exponent_sizeEm: 53| 116|size_t dl_exponent_size(size_t p_bits) { 54| 116| BOTAN_ARG_CHECK(p_bits > 1, "Invalid prime length"); ------------------ | | 35| 116| do { \ | | 36| 116| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 116| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 116] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 116| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 116] | | ------------------ ------------------ 55| | 56| | /* 57| | For relevant sizes we follow the suggestions in 58| | NIST SP 800-56B Rev 2 Appendix D 59| | "Maximum Security Strength Estimates for IFC Modulus Lengths" 60| | 61| | For sizes outside the range considered in the SP we use some sensible values 62| | 63| | Note that we return twice the value given in Table 4 since we are choosing 64| | the exponent size as twice the estimated security strength. 65| | 66| | See also NIST SP 800-56A Rev 3 Appendix D, Tables 25 and 26 67| | */ 68| | 69| 116| if(p_bits <= 256) { ------------------ | Branch (69:7): [True: 4, False: 112] ------------------ 70| | /* 71| | * For stupidly small groups we might return a value larger than the group 72| | * size if we fell into the conditionals below. Just use the maximum 73| | * possible exponent size - for all the good it will do you with a group 74| | * this weak. 75| | */ 76| 4| return p_bits - 1; 77| 112| } else if(p_bits <= 1024) { ------------------ | Branch (77:14): [True: 1, False: 111] ------------------ 78| | /* 79| | Not in the SP, but general estimates are that a 1024 bit group provides at 80| | most 80 bits security, so using an exponent appropriate for 96 bit security 81| | is more than sufficient. 82| | */ 83| 1| return 192; 84| 111| } else if(p_bits <= 2048) { ------------------ | Branch (84:14): [True: 111, False: 0] ------------------ 85| 111| return 224; // SP 800-56B 86| 111| } else if(p_bits <= 3072) { ------------------ | Branch (86:14): [True: 0, False: 0] ------------------ 87| 0| return 256; // SP 800-56B 88| 0| } else if(p_bits <= 4096) { ------------------ | Branch (88:14): [True: 0, False: 0] ------------------ 89| 0| return 304; // SP 800-56B 90| 0| } else if(p_bits <= 6144) { ------------------ | Branch (90:14): [True: 0, False: 0] ------------------ 91| 0| return 352; // SP 800-56B 92| 0| } else if(p_bits <= 8192) { ------------------ | Branch (92:14): [True: 0, False: 0] ------------------ 93| 0| return 400; // SP 800-56B 94| 0| } else { 95| | // For values larger than we know about, just saturate to 256 bit security 96| | // which is Good Enough for FFDH 97| | // 98| | // NIST puts 15360 bit groups at exactly 256 bits security 99| 0| return 512; 100| 0| } 101| 116|} workfactor.cpp:_ZN5Botan12_GLOBAL__N_114nfs_workfactorEmd: 22| 111|size_t nfs_workfactor(size_t bits, double log2_k) { 23| | // approximates natural logarithm of an integer of given bitsize 24| 111| const double log_p = static_cast(bits) / std::numbers::log2e; 25| | 26| 111| const double log_log_p = std::log(log_p); 27| | 28| | // RFC 3766: k * e^((1.92 + o(1)) * cubrt(ln(n) * (ln(ln(n)))^2)) 29| 111| const double est = 1.92 * std::pow(log_p * log_log_p * log_log_p, 1.0 / 3.0); 30| | 31| | // return log2 of the workfactor 32| 111| return static_cast(log2_k + std::numbers::log2e * est); 33| 111|} _ZN5Botan16curve25519_donnaEPhPKhS2_: 453| 1|void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32]) { 454| 1| CT::poison(secret, 32); 455| 1| CT::poison(basepoint, 32); 456| | 457| 1| uint64_t bp[5]; 458| 1| uint64_t x[5]; 459| 1| uint64_t z[5]; 460| 1| uint64_t zmone[5]; 461| 1| uint8_t e[32]; 462| | 463| 1| copy_mem(e, secret, 32); 464| 1| e[0] &= 248; 465| 1| e[31] &= 127; 466| 1| e[31] |= 64; 467| | 468| 1| fexpand(bp, basepoint); 469| 1| cmult(x, z, e, bp); 470| 1| crecip(zmone, z); 471| 1| fmul(z, x, zmone); 472| 1| fcontract(mypublic, z); 473| | 474| 1| CT::unpoison(secret, 32); 475| 1| CT::unpoison(basepoint, 32); 476| 1| CT::unpoison(mypublic, 32); 477| 1|} donna.cpp:_ZN5Botan12_GLOBAL__N_17fexpandEPmPKh: 217| 1|inline void fexpand(uint64_t* out, const uint8_t* in) { 218| 1| out[0] = load_le(in, 0) & MASK_63; 219| 1| out[1] = (load_le(in + 6, 0) >> 3) & MASK_63; 220| 1| out[2] = (load_le(in + 12, 0) >> 6) & MASK_63; 221| 1| out[3] = (load_le(in + 19, 0) >> 1) & MASK_63; 222| 1| out[4] = (load_le(in + 24, 0) >> 12) & MASK_63; 223| 1|} donna.cpp:_ZN5Botan12_GLOBAL__N_15cmultEPmS1_PKhPKm: 364| 1|void cmult(uint64_t resultx[5], uint64_t resultz[5], const uint8_t n[32], const uint64_t q[5]) { 365| 1| uint64_t a[5] = {0}; // nqpqx 366| 1| uint64_t b[5] = {1}; // npqpz 367| 1| uint64_t c[5] = {1}; // nqx 368| 1| uint64_t d[5] = {0}; // nqz 369| 1| uint64_t e[5] = {0}; // npqqx2 370| 1| uint64_t f[5] = {1}; // npqqz2 371| 1| uint64_t g[5] = {0}; // nqx2 372| 1| uint64_t h[5] = {1}; // nqz2 373| | 374| 1| copy_mem(a, q, 5); 375| | 376| 33| for(size_t i = 0; i < 32; ++i) { ------------------ | Branch (376:22): [True: 32, False: 1] ------------------ 377| 32| const uint64_t si = n[31 - i]; 378| 32| const auto bit0 = CT::Mask::expand_bit(si, 7); 379| 32| const auto bit1 = CT::Mask::expand_bit(si, 6); 380| 32| const auto bit2 = CT::Mask::expand_bit(si, 5); 381| 32| const auto bit3 = CT::Mask::expand_bit(si, 4); 382| 32| const auto bit4 = CT::Mask::expand_bit(si, 3); 383| 32| const auto bit5 = CT::Mask::expand_bit(si, 2); 384| 32| const auto bit6 = CT::Mask::expand_bit(si, 1); 385| 32| const auto bit7 = CT::Mask::expand_bit(si, 0); 386| | 387| 32| swap_conditional(c, a, d, b, bit0); 388| 32| fmonty(g, h, e, f, c, d, a, b, q); 389| | 390| 32| swap_conditional(g, e, h, f, bit0 ^ bit1); 391| 32| fmonty(c, d, a, b, g, h, e, f, q); 392| | 393| 32| swap_conditional(c, a, d, b, bit1 ^ bit2); 394| 32| fmonty(g, h, e, f, c, d, a, b, q); 395| | 396| 32| swap_conditional(g, e, h, f, bit2 ^ bit3); 397| 32| fmonty(c, d, a, b, g, h, e, f, q); 398| | 399| 32| swap_conditional(c, a, d, b, bit3 ^ bit4); 400| 32| fmonty(g, h, e, f, c, d, a, b, q); 401| | 402| 32| swap_conditional(g, e, h, f, bit4 ^ bit5); 403| 32| fmonty(c, d, a, b, g, h, e, f, q); 404| | 405| 32| swap_conditional(c, a, d, b, bit5 ^ bit6); 406| 32| fmonty(g, h, e, f, c, d, a, b, q); 407| | 408| 32| swap_conditional(g, e, h, f, bit6 ^ bit7); 409| 32| fmonty(c, d, a, b, g, h, e, f, q); 410| | 411| 32| swap_conditional(c, a, d, b, bit7); 412| 32| } 413| | 414| 1| copy_mem(resultx, c, 5); 415| 1| copy_mem(resultz, d, 5); 416| 1|} donna.cpp:_ZN5Botan12_GLOBAL__N_116swap_conditionalEPmS1_S1_S1_NS_2CT4MaskImEE: 346| 288|inline void swap_conditional(uint64_t a[5], uint64_t b[5], uint64_t c[5], uint64_t d[5], CT::Mask swap) { 347| 1.72k| for(size_t i = 0; i < 5; ++i) { ------------------ | Branch (347:22): [True: 1.44k, False: 288] ------------------ 348| 1.44k| const uint64_t x0 = swap.if_set_return(a[i] ^ b[i]); 349| 1.44k| a[i] ^= x0; 350| 1.44k| b[i] ^= x0; 351| | 352| 1.44k| const uint64_t x1 = swap.if_set_return(c[i] ^ d[i]); 353| 1.44k| c[i] ^= x1; 354| 1.44k| d[i] ^= x1; 355| 1.44k| } 356| 288|} donna.cpp:_ZN5Botan12_GLOBAL__N_16fmontyEPmS1_S1_S1_S1_S1_S1_S1_PKm: 308| 256| const uint64_t q_minus_q_dash[5]) { 309| 256| uint64_t zzz[5]; 310| 256| uint64_t xx[5]; 311| 256| uint64_t zz[5]; 312| 256| uint64_t xxprime[5]; 313| 256| uint64_t zzprime[5]; 314| 256| uint64_t zzzprime[5]; 315| | 316| 256| fadd_sub(in_q_z, in_q_x); 317| 256| fadd_sub(in_q_dash_z, in_q_dash_x); 318| | 319| 256| fmul(xxprime, in_q_dash_x, in_q_z); 320| 256| fmul(zzprime, in_q_dash_z, in_q_x); 321| | 322| 256| fadd_sub(zzprime, xxprime); 323| | 324| 256| fsquare(result_q_plus_q_dash_x, xxprime); 325| 256| fsquare(zzzprime, zzprime); 326| 256| fmul(result_q_plus_q_dash_z, zzzprime, q_minus_q_dash); 327| | 328| 256| fsquare(xx, in_q_x); 329| 256| fsquare(zz, in_q_z); 330| 256| fmul(result_two_q_x, xx, zz); 331| | 332| 256| fdifference_backwards(zz, xx); // does zz = xx - zz 333| 256| fscalar_product(zzz, zz, 121665); 334| 256| fsum(zzz, xx); 335| | 336| 256| fmul(result_two_q_z, zz, zzz); 337| 256|} donna.cpp:_ZN5Botan12_GLOBAL__N_18fadd_subEPmS1_: 76| 768|inline void fadd_sub(uint64_t x[5], uint64_t y[5]) { 77| | // TODO merge these and avoid the tmp array 78| 768| uint64_t tmp[5]; 79| 768| copy_mem(tmp, y, 5); 80| 768| fsum(y, x); 81| 768| fdifference_backwards(x, tmp); // does x - z 82| 768|} donna.cpp:_ZN5Botan12_GLOBAL__N_17fsquareEPmPKmm: 169| 1.03k|inline void fsquare(uint64_t out[5], const uint64_t in[5], size_t count = 1) { 170| 1.03k| uint64_t r0 = in[0]; 171| 1.03k| uint64_t r1 = in[1]; 172| 1.03k| uint64_t r2 = in[2]; 173| 1.03k| uint64_t r3 = in[3]; 174| 1.03k| uint64_t r4 = in[4]; 175| | 176| 2.31k| for(size_t i = 0; i != count; ++i) { ------------------ | Branch (176:22): [True: 1.27k, False: 1.03k] ------------------ 177| 1.27k| const uint64_t d0 = r0 * 2; 178| 1.27k| const uint64_t d1 = r1 * 2; 179| 1.27k| const uint64_t d2 = r2 * 2 * 19; 180| 1.27k| const uint64_t d419 = r4 * 19; 181| 1.27k| const uint64_t d4 = d419 * 2; 182| | 183| 1.27k| const uint128_t t0 = uint128_t(r0) * r0 + uint128_t(d4) * r1 + uint128_t(d2) * (r3); 184| 1.27k| uint128_t t1 = uint128_t(d0) * r1 + uint128_t(d4) * r2 + uint128_t(r3) * (r3 * 19); 185| 1.27k| uint128_t t2 = uint128_t(d0) * r2 + uint128_t(r1) * r1 + uint128_t(d4) * (r3); 186| 1.27k| uint128_t t3 = uint128_t(d0) * r3 + uint128_t(d1) * r2 + uint128_t(r4) * (d419); 187| 1.27k| uint128_t t4 = uint128_t(d0) * r4 + uint128_t(d1) * r3 + uint128_t(r2) * (r2); 188| | 189| 1.27k| r0 = t0 & MASK_63; 190| 1.27k| t1 += carry_shift(t0, 51); 191| 1.27k| r1 = t1 & MASK_63; 192| 1.27k| t2 += carry_shift(t1, 51); 193| 1.27k| r2 = t2 & MASK_63; 194| 1.27k| t3 += carry_shift(t2, 51); 195| 1.27k| r3 = t3 & MASK_63; 196| 1.27k| t4 += carry_shift(t3, 51); 197| 1.27k| r4 = t4 & MASK_63; 198| 1.27k| uint64_t c = carry_shift(t4, 51); 199| | 200| 1.27k| r0 += c * 19; 201| 1.27k| c = r0 >> 51U; 202| 1.27k| r0 = r0 & MASK_63; 203| 1.27k| r1 += c; 204| 1.27k| c = r1 >> 51U; 205| 1.27k| r1 = r1 & MASK_63; 206| 1.27k| r2 += c; 207| 1.27k| } 208| | 209| 1.03k| out[0] = r0; 210| 1.03k| out[1] = r1; 211| 1.03k| out[2] = r2; 212| 1.03k| out[3] = r3; 213| 1.03k| out[4] = r4; 214| 1.03k|} donna.cpp:_ZN5Botan12_GLOBAL__N_121fdifference_backwardsEPmPKm: 64| 1.02k|inline void fdifference_backwards(uint64_t out[5], const uint64_t in[5]) { 65| | /* 152 is 19 << 3 */ 66| 1.02k| const uint64_t two54m152 = (static_cast(1) << 54) - 152; 67| 1.02k| const uint64_t two54m8 = (static_cast(1) << 54) - 8; 68| | 69| 1.02k| out[0] = in[0] + two54m152 - out[0]; 70| 1.02k| out[1] = in[1] + two54m8 - out[1]; 71| 1.02k| out[2] = in[2] + two54m8 - out[2]; 72| 1.02k| out[3] = in[3] + two54m8 - out[3]; 73| 1.02k| out[4] = in[4] + two54m8 - out[4]; 74| 1.02k|} donna.cpp:_ZN5Botan12_GLOBAL__N_115fscalar_productEPmPKmm: 87| 256|inline void fscalar_product(uint64_t out[5], const uint64_t in[5], const uint64_t scalar) { 88| 256| uint128_t a = uint128_t(in[0]) * scalar; 89| 256| out[0] = a & MASK_63; 90| | 91| 256| a = uint128_t(in[1]) * scalar + carry_shift(a, 51); 92| 256| out[1] = a & MASK_63; 93| | 94| 256| a = uint128_t(in[2]) * scalar + carry_shift(a, 51); 95| 256| out[2] = a & MASK_63; 96| | 97| 256| a = uint128_t(in[3]) * scalar + carry_shift(a, 51); 98| 256| out[3] = a & MASK_63; 99| | 100| 256| a = uint128_t(in[4]) * scalar + carry_shift(a, 51); 101| 256| out[4] = a & MASK_63; 102| | 103| 256| out[0] += carry_shift(a, 51) * 19; 104| 256|} donna.cpp:_ZN5Botan12_GLOBAL__N_14fsumEPmPKm: 50| 1.02k|inline void fsum(uint64_t out[5], const uint64_t in[5]) { 51| 1.02k| out[0] += in[0]; 52| 1.02k| out[1] += in[1]; 53| 1.02k| out[2] += in[2]; 54| 1.02k| out[3] += in[3]; 55| 1.02k| out[4] += in[4]; 56| 1.02k|} donna.cpp:_ZN5Botan12_GLOBAL__N_16crecipEPmPKm: 421| 1|void crecip(uint64_t out[5], const uint64_t z[5]) { 422| 1| uint64_t a[5]; 423| 1| uint64_t b[5]; 424| 1| uint64_t c[5]; 425| 1| uint64_t t0[5]; 426| | 427| 1| fsquare(a, z); // 2 428| 1| fsquare(t0, a, 2); // 8 429| 1| fmul(b, t0, z); // 9 430| 1| fmul(a, b, a); // 11 431| 1| fsquare(t0, a); // 22 432| 1| fmul(b, t0, b); // 2^5 - 2^0 = 31 433| 1| fsquare(t0, b, 5); // 2^10 - 2^5 434| 1| fmul(b, t0, b); // 2^10 - 2^0 435| 1| fsquare(t0, b, 10); // 2^20 - 2^10 436| 1| fmul(c, t0, b); // 2^20 - 2^0 437| 1| fsquare(t0, c, 20); // 2^40 - 2^20 438| 1| fmul(t0, t0, c); // 2^40 - 2^0 439| 1| fsquare(t0, t0, 10); // 2^50 - 2^10 440| 1| fmul(b, t0, b); // 2^50 - 2^0 441| 1| fsquare(t0, b, 50); // 2^100 - 2^50 442| 1| fmul(c, t0, b); // 2^100 - 2^0 443| 1| fsquare(t0, c, 100); // 2^200 - 2^100 444| 1| fmul(t0, t0, c); // 2^200 - 2^0 445| 1| fsquare(t0, t0, 50); // 2^250 - 2^50 446| 1| fmul(t0, t0, b); // 2^250 - 2^0 447| 1| fsquare(t0, t0, 5); // 2^255 - 2^5 448| 1| fmul(out, t0, a); // 2^255 - 21 449| 1|} donna.cpp:_ZN5Botan12_GLOBAL__N_14fmulEPmPKmS3_: 114| 1.29k|inline void fmul(uint64_t out[5], const uint64_t in[5], const uint64_t in2[5]) { 115| 1.29k| const auto s0 = uint128_t(in2[0]); 116| 1.29k| const auto s1 = uint128_t(in2[1]); 117| 1.29k| const auto s2 = uint128_t(in2[2]); 118| 1.29k| const auto s3 = uint128_t(in2[3]); 119| 1.29k| const auto s4 = uint128_t(in2[4]); 120| | 121| 1.29k| uint64_t r0 = in[0]; 122| 1.29k| uint64_t r1 = in[1]; 123| 1.29k| uint64_t r2 = in[2]; 124| 1.29k| uint64_t r3 = in[3]; 125| 1.29k| uint64_t r4 = in[4]; 126| | 127| 1.29k| uint128_t t0 = r0 * s0; 128| 1.29k| uint128_t t1 = r0 * s1 + r1 * s0; 129| 1.29k| uint128_t t2 = r0 * s2 + r2 * s0 + r1 * s1; 130| 1.29k| uint128_t t3 = r0 * s3 + r3 * s0 + r1 * s2 + r2 * s1; 131| 1.29k| uint128_t t4 = r0 * s4 + r4 * s0 + r3 * s1 + r1 * s3 + r2 * s2; 132| | 133| 1.29k| r4 *= 19; 134| 1.29k| r1 *= 19; 135| 1.29k| r2 *= 19; 136| 1.29k| r3 *= 19; 137| | 138| 1.29k| t0 += r4 * s1 + r1 * s4 + r2 * s3 + r3 * s2; 139| 1.29k| t1 += r4 * s2 + r2 * s4 + r3 * s3; 140| 1.29k| t2 += r4 * s3 + r3 * s4; 141| 1.29k| t3 += r4 * s4; 142| | 143| 1.29k| r0 = t0 & MASK_63; 144| 1.29k| t1 += carry_shift(t0, 51); 145| 1.29k| r1 = t1 & MASK_63; 146| 1.29k| t2 += carry_shift(t1, 51); 147| 1.29k| r2 = t2 & MASK_63; 148| 1.29k| t3 += carry_shift(t2, 51); 149| 1.29k| r3 = t3 & MASK_63; 150| 1.29k| t4 += carry_shift(t3, 51); 151| 1.29k| r4 = t4 & MASK_63; 152| 1.29k| uint64_t c = carry_shift(t4, 51); 153| | 154| 1.29k| r0 += c * 19; 155| 1.29k| c = r0 >> 51U; 156| 1.29k| r0 = r0 & MASK_63; 157| 1.29k| r1 += c; 158| 1.29k| c = r1 >> 51U; 159| 1.29k| r1 = r1 & MASK_63; 160| 1.29k| r2 += c; 161| | 162| 1.29k| out[0] = r0; 163| 1.29k| out[1] = r1; 164| 1.29k| out[2] = r2; 165| 1.29k| out[3] = r3; 166| 1.29k| out[4] = r4; 167| 1.29k|} donna.cpp:_ZN5Botan12_GLOBAL__N_19fcontractEPhPKm: 228| 1|inline void fcontract(uint8_t* out, const uint64_t input[5]) { 229| 1| auto t0 = uint128_t(input[0]); 230| 1| auto t1 = uint128_t(input[1]); 231| 1| auto t2 = uint128_t(input[2]); 232| 1| auto t3 = uint128_t(input[3]); 233| 1| auto t4 = uint128_t(input[4]); 234| | 235| 3| for(size_t i = 0; i != 2; ++i) { ------------------ | Branch (235:22): [True: 2, False: 1] ------------------ 236| 2| t1 += t0 >> 51U; 237| 2| t0 &= MASK_63; 238| 2| t2 += t1 >> 51U; 239| 2| t1 &= MASK_63; 240| 2| t3 += t2 >> 51U; 241| 2| t2 &= MASK_63; 242| 2| t4 += t3 >> 51U; 243| 2| t3 &= MASK_63; 244| 2| t0 += (t4 >> 51U) * 19; 245| 2| t4 &= MASK_63; 246| 2| } 247| | 248| | /* now t is between 0 and 2^255-1, properly carried. */ 249| | /* case 1: between 0 and 2^255-20. case 2: between 2^255-19 and 2^255-1. */ 250| | 251| 1| t0 += 19; 252| | 253| 1| t1 += t0 >> 51U; 254| 1| t0 &= MASK_63; 255| 1| t2 += t1 >> 51U; 256| 1| t1 &= MASK_63; 257| 1| t3 += t2 >> 51U; 258| 1| t2 &= MASK_63; 259| 1| t4 += t3 >> 51U; 260| 1| t3 &= MASK_63; 261| 1| t0 += (t4 >> 51U) * 19; 262| 1| t4 &= MASK_63; 263| | 264| | /* now between 19 and 2^255-1 in both cases, and offset by 19. */ 265| | 266| 1| t0 += 0x8000000000000 - 19; 267| 1| t1 += 0x8000000000000 - 1; 268| 1| t2 += 0x8000000000000 - 1; 269| 1| t3 += 0x8000000000000 - 1; 270| 1| t4 += 0x8000000000000 - 1; 271| | 272| | /* now between 2^255 and 2^256-20, and offset by 2^255. */ 273| | 274| 1| t1 += t0 >> 51U; 275| 1| t0 &= MASK_63; 276| 1| t2 += t1 >> 51U; 277| 1| t1 &= MASK_63; 278| 1| t3 += t2 >> 51U; 279| 1| t2 &= MASK_63; 280| 1| t4 += t3 >> 51U; 281| 1| t3 &= MASK_63; 282| 1| t4 &= MASK_63; 283| | 284| 1| store_le(out, 285| 1| combine_lower(t0, 0, t1, 51), 286| 1| combine_lower(t1, 13, t2, 38), 287| 1| combine_lower(t2, 26, t3, 25), 288| 1| combine_lower(t3, 39, t4, 12)); 289| 1|} _ZN5Botan20curve25519_basepointEPhPKh: 19| 1|void curve25519_basepoint(uint8_t mypublic[32], const uint8_t secret[32]) { 20| 1| const uint8_t basepoint[32] = {9}; 21| 1| curve25519_donna(mypublic, secret, basepoint); 22| 1|} _ZN5Botan17X25519_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 85| 9|X25519_PrivateKey::X25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 86| 9| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(m_private, ASN1_Type::OctetString).discard_remaining(); 87| | 88| 9| size_check(m_private.size(), "private key"); 89| 9| m_public.resize(32); 90| 9| curve25519_basepoint(m_public.data(), m_private.data()); 91| 9|} x25519.cpp:_ZN5Botan12_GLOBAL__N_110size_checkEmPKc: 26| 8|void size_check(size_t size, const char* thing) { 27| 8| if(size != 32) { ------------------ | Branch (27:7): [True: 7, False: 1] ------------------ 28| 7| throw Decoding_Error(fmt("Invalid size {} for X25519 {}", size, thing)); 29| 7| } 30| 8|} _ZN5Botan15allocate_memoryEmm: 21| 16.7M|BOTAN_MALLOC_FN void* allocate_memory(size_t elems, size_t elem_size) { 22| 16.7M| if(elems == 0 || elem_size == 0) { ------------------ | Branch (22:7): [True: 0, False: 16.7M] | Branch (22:21): [True: 0, False: 16.7M] ------------------ 23| 0| return nullptr; 24| 0| } 25| | 26| | // Some calloc implementations do not check for overflow (?!?) 27| 16.7M| if(!checked_mul(elems, elem_size).has_value()) { ------------------ | Branch (27:7): [True: 0, False: 16.7M] ------------------ 28| 0| throw std::bad_alloc(); 29| 0| } 30| | 31| |#if defined(BOTAN_HAS_LOCKING_ALLOCATOR) 32| | // NOLINTNEXTLINE(*-const-correctness) bug in clang-tidy 33| | if(void* p = mlock_allocator::instance().allocate(elems, elem_size)) { 34| | return p; 35| | } 36| |#endif 37| | 38| |#if defined(BOTAN_TARGET_OS_HAS_ALLOC_CONCEAL) 39| | void* ptr = ::calloc_conceal(elems, elem_size); 40| |#else 41| | // NOLINTNEXTLINE(*-const-correctness) bug in clang-tidy 42| 16.7M| void* ptr = std::calloc(elems, elem_size); // NOLINT(*-no-malloc,*-owning-memory) 43| 16.7M|#endif 44| 16.7M| if(ptr == nullptr) { ------------------ | Branch (44:7): [True: 0, False: 16.7M] ------------------ 45| 0| [[unlikely]] throw std::bad_alloc(); 46| 0| } 47| 16.7M| return ptr; 48| 16.7M|} _ZN5Botan17deallocate_memoryEPvmm: 50| 16.7M|void deallocate_memory(void* p, size_t elems, size_t elem_size) { 51| 16.7M| if(p == nullptr) { ------------------ | Branch (51:7): [True: 0, False: 16.7M] ------------------ 52| 0| [[unlikely]] return; 53| 0| } 54| | 55| 16.7M| secure_scrub_memory(p, elems * elem_size); 56| | 57| |#if defined(BOTAN_HAS_LOCKING_ALLOCATOR) 58| | if(mlock_allocator::instance().deallocate(p, elems, elem_size)) { 59| | return; 60| | } 61| |#endif 62| | 63| 16.7M| std::free(p); // NOLINT(*-no-malloc,*-owning-memory) 64| 16.7M|} _ZN5Botan20initialize_allocatorEv: 66| 1|void initialize_allocator() { 67| |#if defined(BOTAN_HAS_LOCKING_ALLOCATOR) 68| | mlock_allocator::instance(); 69| |#endif 70| 1|} _ZN5Botan22throw_invalid_argumentEPKcS1_S1_: 23| 51|void throw_invalid_argument(const char* message, const char* func, const char* file) { 24| 51| throw Invalid_Argument(fmt("{} in {}:{}", message, func, file)); 25| 51|} _ZN5Botan23format_char_for_displayEc: 197| 23|std::string format_char_for_display(char c) { 198| 23| std::ostringstream oss; 199| | 200| 23| oss << "'"; 201| | 202| 23| if(c == '\t') { ------------------ | Branch (202:7): [True: 0, False: 23] ------------------ 203| 0| oss << "\\t"; 204| 23| } else if(c == '\n') { ------------------ | Branch (204:14): [True: 0, False: 23] ------------------ 205| 0| oss << "\\n"; 206| 23| } else if(c == '\r') { ------------------ | Branch (206:14): [True: 0, False: 23] ------------------ 207| 0| oss << "\\r"; 208| 23| } else if(static_cast(c) >= 128) { ------------------ | Branch (208:14): [True: 9, False: 14] ------------------ 209| 9| const unsigned char z = static_cast(c); 210| 9| oss << "\\x" << std::hex << std::uppercase << static_cast(z); 211| 14| } else { 212| 14| oss << c; 213| 14| } 214| | 215| 23| oss << "'"; 216| | 217| 23| return oss.str(); 218| 23|} _ZN5Botan5CPUID10CPUID_DataC2Ev: 80| 1|CPUID::CPUID_Data::CPUID_Data() { 81| | // NOLINTBEGIN(*-prefer-member-initializer) 82| 1|#if defined(BOTAN_HAS_CPUID_DETECTION) 83| 1| m_processor_features = detect_cpu_features(~cleared_cpuid_bits()); 84| |#else 85| | m_processor_features = 0; 86| |#endif 87| | // NOLINTEND(*-prefer-member-initializer) 88| 1|} cpuid.cpp:_ZN5Botan12_GLOBAL__N_118cleared_cpuid_bitsEv: 59| 1|uint32_t cleared_cpuid_bits() { 60| 1| uint32_t cleared = 0; 61| | 62| 1| #if defined(BOTAN_HAS_OS_UTILS) 63| 1| std::string clear_cpuid_env; 64| 1| if(OS::read_env_variable(clear_cpuid_env, "BOTAN_CLEAR_CPUID")) { ------------------ | Branch (64:7): [True: 0, False: 1] ------------------ 65| 0| for(const auto& cpuid : split_on(clear_cpuid_env, ',')) { ------------------ | Branch (65:29): [True: 0, False: 0] ------------------ 66| 0| if(auto bit = CPUID::bit_from_string(cpuid)) { ------------------ | Branch (66:18): [True: 0, False: 0] ------------------ 67| 0| cleared |= bit->as_u32(); 68| 0| } 69| 0| } 70| 0| } 71| 1| #endif 72| | 73| 1| return cleared; 74| 1|} _ZN5Botan5CPUID10CPUID_Data19detect_cpu_featuresEj: 62| 1|uint32_t CPUID::CPUID_Data::detect_cpu_features(uint32_t allowed) { 63| 1| enum class x86_CPUID_1_bits : uint64_t { 64| 1| RDTSC = (1ULL << 4), 65| 1| SSE2 = (1ULL << 26), 66| 1| CLMUL = (1ULL << 33), 67| 1| SSSE3 = (1ULL << 41), 68| 1| SSE41 = (1ULL << 51), 69| 1| AESNI = (1ULL << 57), 70| | // AVX + OSXSAVE 71| 1| OSXSAVE = (1ULL << 59) | (1ULL << 60), 72| 1| RDRAND = (1ULL << 62) 73| 1| }; 74| | 75| 1| enum class x86_CPUID_7_bits : uint64_t { 76| 1| BMI1 = (1ULL << 3), 77| 1| AVX2 = (1ULL << 5), 78| 1| BMI2 = (1ULL << 8), 79| 1| BMI_1_AND_2 = BMI1 | BMI2, 80| 1| AVX512_F = (1ULL << 16), 81| 1| AVX512_DQ = (1ULL << 17), 82| 1| RDSEED = (1ULL << 18), 83| 1| ADX = (1ULL << 19), 84| 1| AVX512_IFMA = (1ULL << 21), 85| 1| SHA = (1ULL << 29), 86| 1| AVX512_BW = (1ULL << 30), 87| 1| AVX512_VL = (1ULL << 31), 88| 1| AVX512_VBMI = (1ULL << 33), 89| 1| AVX512_VBMI2 = (1ULL << 38), 90| 1| GFNI = (1ULL << 40), 91| 1| AVX512_VAES = (1ULL << 41), 92| 1| AVX512_VCLMUL = (1ULL << 42), 93| 1| AVX512_VBITALG = (1ULL << 44), 94| | 95| | /* 96| | We only enable AVX512 support if all of the below flags are available 97| | 98| | This is more than we strictly need for most uses, however it also has 99| | the effect of preventing execution of AVX512 codepaths on cores that 100| | have serious downclocking problems when AVX512 code executes, 101| | especially Intel Skylake. 102| | 103| | VBMI2/VBITALG are the key flags here as they restrict us to Intel Ice 104| | Lake/Rocket Lake, or AMD Zen4, all of which do not have penalties for 105| | executing AVX512. 106| | 107| | There is nothing stopping some future processor from supporting the 108| | above flags and having AVX512 penalties, but maybe you should not have 109| | bought such a processor. 110| | */ 111| 1| AVX512_PROFILE = 112| 1| AVX512_F | AVX512_DQ | AVX512_IFMA | AVX512_BW | AVX512_VL | AVX512_VBMI | AVX512_VBMI2 | AVX512_VBITALG, 113| 1| }; 114| | 115| | // NOLINTNEXTLINE(performance-enum-size) 116| 1| enum class x86_CPUID_7_1_bits : uint64_t { 117| 1| SHA512 = (1 << 0), 118| 1| SM3 = (1 << 1), 119| 1| SM4 = (1 << 2), 120| 1| }; 121| | 122| 1| uint32_t feat = 0; 123| 1| uint32_t cpuid[4] = {0}; 124| 1| bool has_os_ymm_support = false; 125| 1| bool has_os_zmm_support = false; 126| | 127| | // CPUID 0: vendor identification, max sublevel 128| 1| invoke_cpuid(0, cpuid); 129| | 130| 1| const uint32_t max_supported_sublevel = cpuid[0]; 131| | 132| 1| if(max_supported_sublevel >= 1) { ------------------ | Branch (132:7): [True: 1, False: 0] ------------------ 133| | // CPUID 1: feature bits 134| 1| invoke_cpuid(1, cpuid); 135| 1| const uint64_t flags0 = (static_cast(cpuid[2]) << 32) | cpuid[3]; 136| | 137| 1| feat |= if_set(flags0, x86_CPUID_1_bits::RDTSC, CPUFeature::Bit::RDTSC, allowed); 138| | 139| 1| feat |= if_set(flags0, x86_CPUID_1_bits::RDRAND, CPUFeature::Bit::RDRAND, allowed); 140| | 141| 1| feat |= if_set(flags0, x86_CPUID_1_bits::SSE2, CPUFeature::Bit::SSE2, allowed); 142| | 143| 1| if(is_set(feat, CPUFeature::Bit::SSE2)) { ------------------ | Branch (143:10): [True: 1, False: 0] ------------------ 144| 1| feat |= if_set(flags0, x86_CPUID_1_bits::SSSE3, CPUFeature::Bit::SSSE3, allowed); 145| | 146| 1| if(is_set(feat, CPUFeature::Bit::SSSE3)) { ------------------ | Branch (146:13): [True: 1, False: 0] ------------------ 147| 1| feat |= if_set(flags0, x86_CPUID_1_bits::CLMUL, CPUFeature::Bit::CLMUL, allowed); 148| 1| feat |= if_set(flags0, x86_CPUID_1_bits::AESNI, CPUFeature::Bit::AESNI, allowed); 149| 1| } 150| | 151| 1| const uint64_t osxsave64 = static_cast(x86_CPUID_1_bits::OSXSAVE); 152| 1| if((flags0 & osxsave64) == osxsave64) { ------------------ | Branch (152:13): [True: 1, False: 0] ------------------ 153| 1| const uint64_t xcr_flags = xgetbv(); 154| 1| if((xcr_flags & 0x6) == 0x6) { ------------------ | Branch (154:16): [True: 1, False: 0] ------------------ 155| 1| has_os_ymm_support = true; 156| 1| has_os_zmm_support = (xcr_flags & 0xE0) == 0xE0; 157| 1| } 158| 1| } 159| 1| } 160| 1| } 161| | 162| 1| if(max_supported_sublevel >= 7) { ------------------ | Branch (162:7): [True: 1, False: 0] ------------------ 163| 1| clear_mem(cpuid, 4); 164| 1| invoke_cpuid_sublevel(7, 0, cpuid); 165| | 166| 1| const uint64_t flags7 = (static_cast(cpuid[2]) << 32) | cpuid[1]; 167| | 168| 1| clear_mem(cpuid, 4); 169| 1| invoke_cpuid_sublevel(7, 1, cpuid); 170| 1| const uint32_t flags7_1 = cpuid[0]; 171| | 172| 1| feat |= if_set(flags7, x86_CPUID_7_bits::RDSEED, CPUFeature::Bit::RDSEED, allowed); 173| 1| feat |= if_set(flags7, x86_CPUID_7_bits::ADX, CPUFeature::Bit::ADX, allowed); 174| | 175| | /* 176| | We only set the BMI bit if both BMI1 and BMI2 are supported, since 177| | typically we want to use both extensions in the same code. 178| | */ 179| 1| feat |= if_set(flags7, x86_CPUID_7_bits::BMI_1_AND_2, CPUFeature::Bit::BMI, allowed); 180| | 181| 1| if(is_set(feat, CPUFeature::Bit::SSSE3)) { ------------------ | Branch (181:10): [True: 1, False: 0] ------------------ 182| 1| feat |= if_set(flags7, x86_CPUID_7_bits::SHA, CPUFeature::Bit::SHA, allowed); 183| 1| feat |= if_set(flags7_1, x86_CPUID_7_1_bits::SM3, CPUFeature::Bit::SM3, allowed); 184| | 185| | // We only consider AVX2 if SSSE3 is supported 186| 1| if(has_os_ymm_support) { ------------------ | Branch (186:13): [True: 1, False: 0] ------------------ 187| 1| feat |= if_set(flags7, x86_CPUID_7_bits::AVX2, CPUFeature::Bit::AVX2, allowed); 188| | 189| 1| if(is_set(feat, CPUFeature::Bit::AVX2)) { ------------------ | Branch (189:16): [True: 1, False: 0] ------------------ 190| 1| feat |= if_set(flags7, x86_CPUID_7_bits::GFNI, CPUFeature::Bit::GFNI, allowed); 191| 1| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VAES, CPUFeature::Bit::AVX2_AES, allowed); 192| 1| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VCLMUL, CPUFeature::Bit::AVX2_CLMUL, allowed); 193| 1| feat |= if_set(flags7_1, x86_CPUID_7_1_bits::SHA512, CPUFeature::Bit::SHA512, allowed); 194| 1| feat |= if_set(flags7_1, x86_CPUID_7_1_bits::SM4, CPUFeature::Bit::SM4, allowed); 195| | 196| | // Likewise we only consider AVX-512 if AVX2 is supported 197| 1| if(has_os_zmm_support) { ------------------ | Branch (197:19): [True: 0, False: 1] ------------------ 198| 0| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_PROFILE, CPUFeature::Bit::AVX512, allowed); 199| | 200| 0| if(is_set(feat, CPUFeature::Bit::AVX512)) { ------------------ | Branch (200:22): [True: 0, False: 0] ------------------ 201| 0| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VAES, CPUFeature::Bit::AVX512_AES, allowed); 202| 0| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VCLMUL, CPUFeature::Bit::AVX512_CLMUL, allowed); 203| 0| } 204| 0| } 205| 1| } 206| 1| } 207| 1| } 208| 1| } 209| | 210| |/* 211| | * If we don't have access to CPUID, we can still safely assume that 212| | * any x86-64 processor has SSE2 and RDTSC 213| | */ 214| 1|#if defined(BOTAN_TARGET_ARCH_IS_X86_64) 215| 1| if(feat == 0) { ------------------ | Branch (215:7): [True: 0, False: 1] ------------------ 216| 0| feat |= CPUFeature::Bit::SSE2 & allowed; 217| 0| feat |= CPUFeature::Bit::RDTSC & allowed; 218| 0| } 219| 1|#endif 220| | 221| 1| return feat; 222| 1|} cpuid_x86.cpp:_ZN5Botan12_GLOBAL__N_112invoke_cpuidEjPj: 24| 2|void invoke_cpuid(uint32_t type, uint32_t out[4]) { 25| 2| clear_mem(out, 4); 26| | 27| 2|#if defined(BOTAN_USE_GCC_INLINE_ASM) 28| | // NOLINTNEXTLINE(*-no-assembler) 29| 2| asm volatile("cpuid\n\t" : "=a"(out[0]), "=b"(out[1]), "=c"(out[2]), "=d"(out[3]) : "0"(type)); 30| | 31| |#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) 32| | __cpuid((int*)out, type); 33| | 34| |#else 35| | BOTAN_UNUSED(type); 36| | #warning "No way of calling x86 cpuid instruction for this compiler" 37| |#endif 38| 2|} cpuid_x86.cpp:_ZN5Botan12_GLOBAL__N_16xgetbvEv: 56| 1|BOTAN_FUNC_ISA("xsave") uint64_t xgetbv() { 57| | return _xgetbv(0); 58| 1|} cpuid_x86.cpp:_ZN5Botan12_GLOBAL__N_121invoke_cpuid_sublevelEjjPj: 40| 2|void invoke_cpuid_sublevel(uint32_t type, uint32_t level, uint32_t out[4]) { 41| 2| clear_mem(out, 4); 42| | 43| 2|#if defined(BOTAN_USE_GCC_INLINE_ASM) 44| | // NOLINTNEXTLINE(*-no-assembler) 45| 2| asm volatile("cpuid\n\t" : "=a"(out[0]), "=b"(out[1]), "=c"(out[2]), "=d"(out[3]) : "0"(type), "2"(level)); 46| | 47| |#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) 48| | __cpuidex((int*)out, type, level); 49| | 50| |#else 51| | BOTAN_UNUSED(type, level); 52| | #warning "No way of calling x86 cpuid instruction for this compiler" 53| |#endif 54| 2|} _ZN5Botan10DataSource9read_byteERh: 27| 719k|size_t DataSource::read_byte(uint8_t& out) { 28| 719k| return read(&out, 1); 29| 719k|} _ZN5Botan10DataSource9read_byteEv: 34| 1.36M|std::optional DataSource::read_byte() { 35| 1.36M| uint8_t b = 0; 36| 1.36M| if(this->read(&b, 1) == 1) { ------------------ | Branch (36:7): [True: 1.35M, False: 9.61k] ------------------ 37| 1.35M| return b; 38| 1.35M| } else { 39| 9.61k| return {}; 40| 9.61k| } 41| 1.36M|} _ZNK5Botan10DataSource9peek_byteERh: 46| 6.94k|size_t DataSource::peek_byte(uint8_t& out) const { 47| 6.94k| return peek(&out, 1, 0); 48| 6.94k|} _ZN5Botan17DataSource_Memory4readEPhm: 73| 1.34M|size_t DataSource_Memory::read(uint8_t out[], size_t length) { 74| 1.34M| const size_t got = std::min(m_source.size() - m_offset, length); 75| 1.34M| copy_mem(out, m_source.data() + m_offset, got); 76| 1.34M| m_offset += got; 77| 1.34M| return got; 78| 1.34M|} _ZN5Botan17DataSource_Memory15check_availableEm: 80| 14.7k|bool DataSource_Memory::check_available(size_t n) { 81| 14.7k| return (n <= (m_source.size() - m_offset)); 82| 14.7k|} _ZNK5Botan17DataSource_Memory4peekEPhmm: 87| 13.6k|size_t DataSource_Memory::peek(uint8_t out[], size_t length, size_t peek_offset) const { 88| 13.6k| const size_t bytes_left = m_source.size() - m_offset; 89| 13.6k| if(peek_offset >= bytes_left) { ------------------ | Branch (89:7): [True: 0, False: 13.6k] ------------------ 90| 0| return 0; 91| 0| } 92| | 93| 13.6k| const size_t got = std::min(bytes_left - peek_offset, length); 94| 13.6k| copy_mem(out, &m_source[m_offset + peek_offset], got); 95| 13.6k| return got; 96| 13.6k|} _ZNK5Botan17DataSource_Memory11end_of_dataEv: 101| 11.0k|bool DataSource_Memory::end_of_data() const { 102| 11.0k| return (m_offset == m_source.size()); 103| 11.0k|} _ZN5Botan9ExceptionC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 71| 5.69k|Exception::Exception(std::string_view msg) : m_msg(msg) {} _ZN5Botan9ExceptionC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEERKSt9exception: 73| 927|Exception::Exception(std::string_view msg, const std::exception& e) : m_msg(fmt("{} failed with {}", msg, e.what())) {} _ZN5Botan16Invalid_ArgumentC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 77| 100|Invalid_Argument::Invalid_Argument(std::string_view msg) : Exception(msg) {} _ZN5Botan14Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 125| 3.73k|Decoding_Error::Decoding_Error(std::string_view name) : Exception(name) {} _ZN5Botan14Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 128| 1.85k| Exception(fmt("{}: {}", category, err)) {} _ZN5Botan14Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEERKSt9exception: 130| 927|Decoding_Error::Decoding_Error(std::string_view msg, const std::exception& e) : Exception(msg, e) {} _ZN5Botan19secure_scrub_memoryEPvm: 25| 16.8M|void secure_scrub_memory(void* ptr, size_t n) { 26| 16.8M| return secure_zeroize_buffer(ptr, n); 27| 16.8M|} _ZN5Botan21secure_zeroize_bufferEPvm: 29| 16.8M|void secure_zeroize_buffer(void* ptr, size_t n) { 30| 16.8M| if(n == 0) { ------------------ | Branch (30:7): [True: 73.4k, False: 16.7M] ------------------ 31| 73.4k| return; 32| 73.4k| } 33| | 34| |#if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY) 35| | ::RtlSecureZeroMemory(ptr, n); 36| | 37| |#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO) 38| 16.7M| ::explicit_bzero(ptr, n); 39| | 40| |#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET) 41| | (void)::explicit_memset(ptr, 0, n); 42| | 43| |#else 44| | /* 45| | * Call memset through a static volatile pointer, which the compiler should 46| | * not elide. This construct should be safe in conforming compilers, but who 47| | * knows. This has been checked to generate the expected code, which saves the 48| | * memset address in the data segment and unconditionally loads and jumps to 49| | * that address, with the following targets: 50| | * 51| | * x86-64: Clang 19, GCC 6, 11, 13, 14 52| | * riscv64: GCC 14 53| | * aarch64: GCC 14 54| | * armv7: GCC 14 55| | * 56| | * Actually all of them generated the expected jump even without marking the 57| | * function pointer as volatile. However this seems worth including as an 58| | * additional precaution. 59| | */ 60| | static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset; 61| | (memset_ptr)(ptr, 0, n); 62| |#endif 63| 16.7M|} _ZN5Botan2OS17read_env_variableERNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEENS1_17basic_string_viewIcS4_EE: 448| 1|bool OS::read_env_variable(std::string& value_out, std::string_view name_view) { 449| 1| value_out = ""; 450| | 451| 1| if(running_in_privileged_state()) { ------------------ | Branch (451:7): [True: 0, False: 1] ------------------ 452| 0| return false; 453| 0| } 454| | 455| |#if defined(BOTAN_TARGET_OS_HAS_WIN32) && \ 456| | (defined(BOTAN_BUILD_COMPILER_IS_MSVC) || defined(BOTAN_BUILD_COMPILER_IS_CLANGCL)) 457| | const std::string name(name_view); 458| | char val[128] = {0}; 459| | size_t req_size = 0; 460| | if(getenv_s(&req_size, val, sizeof(val), name.c_str()) == 0) { 461| | // Microsoft's implementation always writes a terminating \0, 462| | // and includes it in the reported length of the environment variable 463| | // if a value exists. 464| | if(req_size > 0 && val[req_size - 1] == '\0') { 465| | value_out = std::string(val); 466| | } else { 467| | value_out = std::string(val, req_size); 468| | } 469| | return true; 470| | } 471| |#else 472| 1| const std::string name(name_view); 473| 1| if(const char* val = std::getenv(name.c_str())) { ------------------ | Branch (473:19): [True: 0, False: 1] ------------------ 474| 0| value_out = val; 475| 0| return true; 476| 0| } 477| 1|#endif 478| | 479| 1| return false; 480| 1|} os_utils.cpp:_ZN5Botan12_GLOBAL__N_110get_auxvalENSt3__18optionalImEE: 118| 1|std::optional get_auxval(std::optional id) { 119| 1| if(id) { ------------------ | Branch (119:7): [True: 1, False: 0] ------------------ 120| 1|#if defined(BOTAN_TARGET_OS_HAS_GETAUXVAL) 121| 1| return ::getauxval(*id); 122| |#elif defined(BOTAN_TARGET_OS_HAS_ELF_AUX_INFO) 123| | unsigned long auxinfo = 0; 124| | if(::elf_aux_info(static_cast(*id), &auxinfo, sizeof(auxinfo)) == 0) { 125| | return auxinfo; 126| | } 127| |#endif 128| 1| } 129| | 130| 0| return {}; 131| 1|} os_utils.cpp:_ZN5Botan12_GLOBAL__N_127running_in_privileged_stateEv: 152| 1|bool running_in_privileged_state() { 153| 1|#if defined(AT_SECURE) 154| 1| if(auto at_secure = get_auxval(AT_SECURE)) { ------------------ | Branch (154:12): [True: 1, False: 0] ------------------ 155| 1| return at_secure != 0; 156| 1| } 157| 0|#endif 158| | 159| 0|#if defined(BOTAN_TARGET_OS_HAS_POSIX1) 160| 0| return (::getuid() != ::geteuid()) || (::getgid() != ::getegid()); ------------------ | Branch (160:11): [True: 0, False: 0] | Branch (160:42): [True: 0, False: 0] ------------------ 161| |#else 162| | return false; 163| |#endif 164| 1|} _ZN5Botan9to_u32bitENSt3__117basic_string_viewIcNS0_11char_traitsIcEEEE: 30| 58|uint32_t to_u32bit(std::string_view str_view) { 31| 58| const std::string str(str_view); 32| | 33| | // std::stoul is not strict enough. Ensure that str is digit only [0-9]* 34| 174| for(const char chr : str) { ------------------ | Branch (34:23): [True: 174, False: 58] ------------------ 35| 174| if(chr < '0' || chr > '9') { ------------------ | Branch (35:10): [True: 0, False: 174] | Branch (35:23): [True: 0, False: 174] ------------------ 36| 0| throw Invalid_Argument("to_u32bit invalid decimal string '" + str + "'"); 37| 0| } 38| 174| } 39| | 40| 58| const unsigned long int x = std::stoul(str); 41| | 42| 58| if constexpr(sizeof(unsigned long int) > 4) { 43| | // x might be uint64 44| 58| if(x > std::numeric_limits::max()) { ------------------ | Branch (44:10): [True: 0, False: 58] ------------------ 45| 0| throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range"); 46| 0| } 47| 58| } 48| | 49| 58| return static_cast(x); 50| 58|} _ZN5Botan8split_onENSt3__117basic_string_viewIcNS0_11char_traitsIcEEEEc: 109| 4.19k|std::vector split_on(std::string_view str, char delim) { 110| 4.19k| std::vector elems; 111| 4.19k| if(str.empty()) { ------------------ | Branch (111:7): [True: 0, False: 4.19k] ------------------ 112| 0| return elems; 113| 0| } 114| | 115| 4.19k| std::string substr; 116| 22.3k| for(const char c : str) { ------------------ | Branch (116:21): [True: 22.3k, False: 4.19k] ------------------ 117| 22.3k| if(c == delim) { ------------------ | Branch (117:10): [True: 186, False: 22.2k] ------------------ 118| 186| if(!substr.empty()) { ------------------ | Branch (118:13): [True: 186, False: 0] ------------------ 119| 186| elems.push_back(substr); 120| 186| } 121| 186| substr.clear(); 122| 22.2k| } else { 123| 22.2k| substr += c; 124| 22.2k| } 125| 22.3k| } 126| | 127| 4.19k| if(substr.empty()) { ------------------ | Branch (127:7): [True: 0, False: 4.19k] ------------------ 128| 0| throw Invalid_Argument(fmt("Unable to split string '{}", str)); 129| 0| } 130| 4.19k| elems.push_back(substr); 131| | 132| 4.19k| return elems; 133| 4.19k|} _ZN5Botan9SCAN_NameC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 58| 3.84k|SCAN_Name::SCAN_Name(std::string_view algo_spec) : m_orig_algo_spec(algo_spec) { 59| 3.84k| if(algo_spec.empty()) { ------------------ | Branch (59:7): [True: 0, False: 3.84k] ------------------ 60| 0| throw Invalid_Argument("Expected algorithm name, got empty string"); 61| 0| } 62| | 63| 3.84k| std::vector> name; 64| 3.84k| size_t level = 0; 65| 3.84k| std::pair accum = std::make_pair(level, ""); 66| | 67| 3.84k| const std::string decoding_error = "Bad SCAN name '" + m_orig_algo_spec + "': "; 68| | 69| 34.6k| for(const char c : algo_spec) { ------------------ | Branch (69:21): [True: 34.6k, False: 3.84k] ------------------ 70| 34.6k| if(c == '/' || c == ',' || c == '(' || c == ')') { ------------------ | Branch (70:10): [True: 0, False: 34.6k] | Branch (70:22): [True: 0, False: 34.6k] | Branch (70:34): [True: 58, False: 34.5k] | Branch (70:46): [True: 58, False: 34.5k] ------------------ 71| 116| if(c == '(') { ------------------ | Branch (71:13): [True: 58, False: 58] ------------------ 72| 58| ++level; 73| 58| } else if(c == ')') { ------------------ | Branch (73:20): [True: 58, False: 0] ------------------ 74| 58| if(level == 0) { ------------------ | Branch (74:16): [True: 0, False: 58] ------------------ 75| 0| throw Decoding_Error(decoding_error + "Mismatched parens"); 76| 0| } 77| 58| --level; 78| 58| } 79| | 80| 116| if(c == '/' && level > 0) { ------------------ | Branch (80:13): [True: 0, False: 116] | Branch (80:25): [True: 0, False: 0] ------------------ 81| 0| accum.second.push_back(c); 82| 116| } else { 83| 116| if(!accum.second.empty()) { ------------------ | Branch (83:16): [True: 116, False: 0] ------------------ 84| 116| name.push_back(accum); 85| 116| } 86| 116| accum = std::make_pair(level, ""); 87| 116| } 88| 34.5k| } else { 89| 34.5k| accum.second.push_back(c); 90| 34.5k| } 91| 34.6k| } 92| | 93| 3.84k| if(!accum.second.empty()) { ------------------ | Branch (93:7): [True: 3.78k, False: 58] ------------------ 94| 3.78k| name.push_back(accum); 95| 3.78k| } 96| | 97| 3.84k| if(level != 0) { ------------------ | Branch (97:7): [True: 0, False: 3.84k] ------------------ 98| 0| throw Decoding_Error(decoding_error + "Missing close paren"); 99| 0| } 100| | 101| 3.84k| if(name.empty()) { ------------------ | Branch (101:7): [True: 0, False: 3.84k] ------------------ 102| 0| throw Decoding_Error(decoding_error + "Empty name"); 103| 0| } 104| | 105| 3.84k| m_alg_name = name[0].second; 106| | 107| 3.84k| bool in_modes = false; 108| | 109| 3.89k| for(size_t i = 1; i != name.size(); ++i) { ------------------ | Branch (109:22): [True: 58, False: 3.84k] ------------------ 110| 58| if(name[i].first == 0) { ------------------ | Branch (110:10): [True: 0, False: 58] ------------------ 111| 0| m_mode_info.push_back(make_arg(name, i)); 112| 0| in_modes = true; 113| 58| } else if(name[i].first == 1 && !in_modes) { ------------------ | Branch (113:17): [True: 58, False: 0] | Branch (113:39): [True: 58, False: 0] ------------------ 114| 58| m_args.push_back(make_arg(name, i)); 115| 58| } 116| 58| } 117| 3.84k|} _ZNK5Botan9SCAN_Name14arg_as_integerEmm: 133| 58|size_t SCAN_Name::arg_as_integer(size_t i, size_t def_value) const { 134| 58| if(i >= arg_count()) { ------------------ | Branch (134:7): [True: 0, False: 58] ------------------ 135| 0| return def_value; 136| 0| } 137| 58| return to_u32bit(m_args[i]); 138| 58|} scan_name.cpp:_ZN5Botan12_GLOBAL__N_18make_argERKNSt3__16vectorINS1_4pairImNS1_12basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEEENS7_ISA_EEEEm: 17| 58|std::string make_arg(const std::vector>& name, size_t start) { 18| 58| std::string output = name[start].second; 19| 58| size_t level = name[start].first; 20| | 21| 58| size_t paren_depth = 0; 22| | 23| 58| for(size_t i = start + 1; i != name.size(); ++i) { ------------------ | Branch (23:30): [True: 0, False: 58] ------------------ 24| 0| if(name[i].first <= name[start].first) { ------------------ | Branch (24:10): [True: 0, False: 0] ------------------ 25| 0| break; 26| 0| } 27| | 28| 0| if(name[i].first > level) { ------------------ | Branch (28:10): [True: 0, False: 0] ------------------ 29| 0| output += "(" + name[i].second; 30| 0| ++paren_depth; 31| 0| } else if(name[i].first < level) { ------------------ | Branch (31:17): [True: 0, False: 0] ------------------ 32| 0| for(size_t j = name[i].first; j < level; j++) { ------------------ | Branch (32:40): [True: 0, False: 0] ------------------ 33| 0| output += ")"; 34| 0| --paren_depth; 35| 0| } 36| 0| output += "," + name[i].second; 37| 0| } else { 38| 0| if(output[output.size() - 1] != '(') { ------------------ | Branch (38:13): [True: 0, False: 0] ------------------ 39| 0| output += ","; 40| 0| } 41| 0| output += name[i].second; 42| 0| } 43| | 44| 0| level = name[i].first; 45| 0| } 46| | 47| 58| for(size_t i = 0; i != paren_depth; ++i) { ------------------ | Branch (47:22): [True: 0, False: 58] ------------------ 48| 0| output += ")"; 49| 0| } 50| | 51| 58| return output; 52| 58|} _ZN5Botan9SHAKE_XOFC2Em: 17| 3.78k| m_keccak({.capacity_bits = capacity, .padding = KeccakPadding::shake()}), m_output_generated(false) { 18| 3.78k| BOTAN_ASSERT_NOMSG(capacity == 256 || capacity == 512); ------------------ | | 77| 3.78k| do { \ | | 78| 3.78k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 4.85k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 2.71k, False: 1.06k] | | | Branch (79:12): [True: 1.06k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 3.78k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 3.78k] | | ------------------ ------------------ 19| 3.78k|} _ZN5Botan9SHAKE_XOF5resetEv: 21| 524|void SHAKE_XOF::reset() { 22| 524| m_keccak.clear(); 23| 524| m_output_generated = false; 24| 524|} _ZN5Botan9SHAKE_XOF8add_dataENSt3__14spanIKhLm18446744073709551615EEE: 26| 8.42k|void SHAKE_XOF::add_data(std::span input) { 27| 8.42k| BOTAN_STATE_CHECK(!m_output_generated); ------------------ | | 51| 8.42k| do { \ | | 52| 8.42k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 8.42k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 8.42k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 8.42k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 8.42k] | | ------------------ ------------------ 28| 8.42k| m_keccak.absorb(input); 29| 8.42k|} _ZN5Botan9SHAKE_XOF14generate_bytesENSt3__14spanIhLm18446744073709551615EEE: 31| 904k|void SHAKE_XOF::generate_bytes(std::span output) { 32| 904k| if(!m_output_generated) { ------------------ | Branch (32:7): [True: 4.24k, False: 900k] ------------------ 33| 4.24k| m_output_generated = true; 34| 4.24k| m_keccak.finish(); 35| 4.24k| } 36| | 37| 904k| m_keccak.squeeze(output); 38| 904k|} _ZN5Botan3XOF6createENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 28| 3.78k|std::unique_ptr XOF::create(std::string_view algo_spec, std::string_view provider) { 29| 3.78k| const SCAN_Name req(algo_spec); 30| | 31| 3.78k| if(!provider.empty() && provider != "base") { ------------------ | Branch (31:7): [True: 0, False: 3.78k] | Branch (31:28): [True: 0, False: 0] ------------------ 32| 0| return nullptr; // unknown provider 33| 0| } 34| | 35| 3.78k|#if defined(BOTAN_HAS_SHAKE_XOF) 36| 3.78k| if(req.algo_name() == "SHAKE-128" && req.arg_count() == 0) { ------------------ | Branch (36:7): [True: 2.71k, False: 1.06k] | Branch (36:41): [True: 2.71k, False: 0] ------------------ 37| 2.71k| return std::make_unique(); 38| 2.71k| } 39| 1.06k| if(req.algo_name() == "SHAKE-256" && req.arg_count() == 0) { ------------------ | Branch (39:7): [True: 1.06k, False: 0] | Branch (39:41): [True: 1.06k, False: 0] ------------------ 40| 1.06k| return std::make_unique(); 41| 1.06k| } 42| 0|#endif 43| | 44| 0|#if defined(BOTAN_HAS_ASCON_XOF128) 45| 0| if(req.algo_name() == "Ascon-XOF128" && req.arg_count() == 0) { ------------------ | Branch (45:7): [True: 0, False: 0] | Branch (45:44): [True: 0, False: 0] ------------------ 46| 0| return std::make_unique(); 47| 0| } 48| 0|#endif 49| | 50| 0| return nullptr; 51| 0|} _ZN5Botan3XOF15create_or_throwENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 54| 3.78k|std::unique_ptr XOF::create_or_throw(std::string_view algo_spec, std::string_view provider) { 55| 3.78k| if(auto xof = XOF::create(algo_spec, provider)) { ------------------ | Branch (55:12): [True: 3.78k, False: 0] ------------------ 56| 3.78k| return xof; 57| 3.78k| } 58| 0| throw Lookup_Error("XOF", algo_spec, provider); 59| 3.78k|} _ZN5Botan3XOF5startENSt3__14spanIKhLm18446744073709551615EEES4_: 70| 4.24k|void XOF::start(std::span salt, std::span key) { 71| 4.24k| if(!key_spec().valid_keylength(key.size())) { ------------------ | Branch (71:7): [True: 0, False: 4.24k] ------------------ 72| 0| throw Invalid_Key_Length(name(), key.size()); 73| 0| } 74| | 75| 4.24k| if(!valid_salt_length(salt.size())) { ------------------ | Branch (75:7): [True: 0, False: 4.24k] ------------------ 76| 0| throw Invalid_Argument(fmt("{} cannot accept a salt length of {}", name(), salt.size())); 77| 0| } 78| | 79| 4.24k| m_xof_started = true; 80| 4.24k| start_msg(salt, key); 81| 4.24k|} _ZN5Botan3XOF9start_msgENSt3__14spanIKhLm18446744073709551615EEES4_: 83| 4.24k|void XOF::start_msg(std::span salt, std::span key) { 84| 4.24k| BOTAN_UNUSED(salt, key); ------------------ | | 144| 4.24k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 85| 4.24k|}