_ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EEC2Ev: 62| 2| AlignmentBuffer() = default; _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE5clearEv: 71| 4| void clear() { 72| 4| zeroize_buffer(m_buffer.data(), m_buffer.size()); 73| 4| m_position = 0; 74| 4| } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EED2Ev: 64| 2| ~AlignmentBuffer() { secure_zeroize_buffer(m_buffer.data(), sizeof(T) * m_buffer.size()); } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE21handle_unaligned_dataERNS_12BufferSlicerE: 166| 2| [[nodiscard]] std::optional> handle_unaligned_data(BufferSlicer& slicer) { 167| | // When the final block is to be deferred, we would need to store and 168| | // hold a buffer that contains exactly one block until more data is 169| | // passed or it is explicitly consumed. 170| 2| const size_t defer = (defers_final_block()) ? 1 : 0; ------------------ | Branch (170:31): [True: 0, False: 2] ------------------ 171| | 172| 2| if(in_alignment() && slicer.remaining() >= m_buffer.size() + defer) { ------------------ | Branch (172:13): [True: 2, False: 0] | Branch (172:31): [True: 0, False: 2] ------------------ 173| | // We are currently in alignment and the passed-in data source 174| | // contains enough data to benefit from aligned processing. 175| | // Therefore, we don't copy anything into the intermittent buffer. 176| 0| return std::nullopt; 177| 0| } 178| | 179| | // Fill the buffer with as much input data as needed to reach alignment 180| | // or until the input source is depleted. 181| 2| const auto elements_to_consume = std::min(m_buffer.size() - m_position, slicer.remaining()); 182| 2| append(slicer.take(elements_to_consume)); 183| | 184| | // If we collected enough data, we push out one full block. When 185| | // deferring the final block is enabled, we additionally check that 186| | // more input data is available to continue processing a consecutive 187| | // block. 188| 2| if(ready_to_consume() && (!defers_final_block() || !slicer.empty())) { ------------------ | Branch (188:13): [True: 0, False: 2] | Branch (188:36): [True: 0, False: 0] | Branch (188:61): [True: 0, False: 0] ------------------ 189| 0| return consume(); 190| 2| } else { 191| 2| return std::nullopt; 192| 2| } 193| 2| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE18defers_final_blockEv: 233| 2| constexpr bool defers_final_block() const { 234| 2| return FINAL_BLOCK_STRATEGY == AlignmentBufferFinalBlock::must_be_deferred; 235| 2| } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE6appendENSt3__14spanIKhLm18446744073709551615EEE: 90| 4| void append(std::span elements) { 91| 4| BOTAN_ASSERT_NOMSG(elements.size() <= elements_until_alignment()); ------------------ | | 77| 4| do { \ | | 78| 4| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 4| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 4] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 4| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 4] | | ------------------ ------------------ 92| 4| std::copy(elements.begin(), elements.end(), m_buffer.begin() + m_position); 93| 4| m_position += elements.size(); 94| 4| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE24elements_until_alignmentEv: 221| 10| size_t elements_until_alignment() const { return m_buffer.size() - m_position; } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE16ready_to_consumeEv: 231| 8| bool ready_to_consume() const { return m_position == m_buffer.size(); } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE7consumeEv: 200| 2| [[nodiscard]] std::span consume() { 201| 2| BOTAN_ASSERT_NOMSG(ready_to_consume()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 202| 2| m_position = 0; 203| 2| return m_buffer; 204| 2| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE12in_alignmentEv: 226| 4| bool in_alignment() const { return m_position == 0; } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE18fill_up_with_zerosEv: 79| 2| void fill_up_with_zeros() { 80| 2| if(!ready_to_consume()) { ------------------ | Branch (80:13): [True: 2, False: 0] ------------------ 81| 2| zeroize_buffer(&m_buffer[m_position], elements_until_alignment()); 82| 2| m_position = m_buffer.size(); 83| 2| } 84| 2| } _ZN5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE20directly_modify_lastEm: 113| 2| std::span directly_modify_last(size_t elements) { 114| 2| BOTAN_ASSERT_NOMSG(size() >= elements); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 115| 2| return std::span(m_buffer).last(elements); 116| 2| } _ZNK5Botan15AlignmentBufferIhLm128ELNS_25AlignmentBufferFinalBlockE0EE4sizeEv: 217| 2| constexpr size_t size() const { return m_buffer.size(); } _ZNK5Botan17Barrett_Reduction4cubeERKNS_6BigIntE: 66| 3.95k| BigInt cube(const BigInt& x) const { return this->multiply(x, this->square(x)); } _ZNK5Botan17Barrett_Reduction12modulus_bitsEv: 71| 736| size_t modulus_bits() const { return m_modulus_bits; } _ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEmEET_S2_: 28| 383M|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) { 29| 383M| const T top = CT::value_barrier(a >> (sizeof(T) * 8 - 1)); 30| 383M| return static_cast(0) - top; 31| 383M|} _ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEmEET_S2_: 37| 340M|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) { 38| 340M| return ct_expand_top_bit(~x & (x - 1)); 39| 340M|} _ZN5Botan6chooseITkNSt3__117unsigned_integralEmEET_S2_S2_S2_: 216| 445M|BOTAN_FORCE_INLINE constexpr T choose(T mask, T a, T b) { 217| | //return (mask & a) | (~mask & b); 218| 445M| return (b ^ (mask & (a ^ b))); 219| 445M|} _ZN5Botan8high_bitITkNSt3__117unsigned_integralEjEEmT_: 73| 3.03k|BOTAN_FORCE_INLINE constexpr size_t high_bit(T n) { 74| 3.03k| size_t hb = 0; 75| | 76| 18.2k| for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) { ------------------ | Branch (76:38): [True: 15.1k, False: 3.03k] ------------------ 77| | // Equivalent to: ((n >> s) == 0) ? 0 : s; 78| 15.1k| const size_t z = s - ct_if_is_zero_ret(n >> s, s); 79| 15.1k| hb += z; 80| 15.1k| n >>= z; 81| 15.1k| } 82| | 83| 3.03k| hb += n; 84| | 85| 3.03k| return hb; 86| 3.03k|} _ZN5Botan17ct_if_is_zero_retITkNSt3__117unsigned_integralEjEEmT_m: 45| 15.1k|BOTAN_FORCE_INLINE constexpr size_t ct_if_is_zero_ret(T x, size_t s) { 46| | /* 47| | Similar to `return ct_is_zero(x) & s` but has to account for possibility that 48| | sizeof(T) is smaller than sizeof(size_t) which would lead to incomplete masking 49| | */ 50| 15.1k| const T a = ~x & (x - 1); 51| 15.1k| const size_t a_top = static_cast(CT::value_barrier(a >> (sizeof(T) * 8 - 1))); 52| 15.1k| const size_t mask = static_cast(0) - a_top; 53| 15.1k| return mask & s; 54| 15.1k|} _ZN5Botan17ct_if_is_zero_retITkNSt3__117unsigned_integralEmEEmT_m: 45| 3.67M|BOTAN_FORCE_INLINE constexpr size_t ct_if_is_zero_ret(T x, size_t s) { 46| | /* 47| | Similar to `return ct_is_zero(x) & s` but has to account for possibility that 48| | sizeof(T) is smaller than sizeof(size_t) which would lead to incomplete masking 49| | */ 50| 3.67M| const T a = ~x & (x - 1); 51| 3.67M| const size_t a_top = static_cast(CT::value_barrier(a >> (sizeof(T) * 8 - 1))); 52| 3.67M| const size_t mask = static_cast(0) - a_top; 53| 3.67M| return mask & s; 54| 3.67M|} _ZN5Botan13is_power_of_2ITkNSt3__117unsigned_integralEmEEbT_: 62| 42.3k|BOTAN_FORCE_INLINE constexpr bool is_power_of_2(T arg) { 63| 42.3k| return (arg != 0) && (arg != 1) && ((arg & static_cast(arg - 1)) == 0); ------------------ | Branch (63:11): [True: 42.3k, False: 0] | Branch (63:25): [True: 42.3k, False: 0] | Branch (63:39): [True: 25.8k, False: 16.4k] ------------------ 64| 42.3k|} _ZN5Botan8high_bitITkNSt3__117unsigned_integralEmEEmT_: 73| 85.1k|BOTAN_FORCE_INLINE constexpr size_t high_bit(T n) { 74| 85.1k| size_t hb = 0; 75| | 76| 596k| for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) { ------------------ | Branch (76:38): [True: 510k, False: 85.1k] ------------------ 77| | // Equivalent to: ((n >> s) == 0) ? 0 : s; 78| 510k| const size_t z = s - ct_if_is_zero_ret(n >> s, s); 79| 510k| hb += z; 80| 510k| n >>= z; 81| 510k| } 82| | 83| 85.1k| hb += n; 84| | 85| 85.1k| return hb; 86| 85.1k|} _ZN5Botan9ceil_log2ITkNSt3__117unsigned_integralEmEEhT_QltstS2_Li32E: 142| 913|{ 143| 913| if(x >> (sizeof(T) * 8 - 1)) { ------------------ | Branch (143:7): [True: 0, False: 913] ------------------ 144| 0| return sizeof(T) * 8; 145| 0| } 146| | 147| 913| uint8_t result = 0; 148| 913| T compare = 1; 149| | 150| 10.6k| while(compare < x) { ------------------ | Branch (150:10): [True: 9.78k, False: 913] ------------------ 151| 9.78k| compare <<= 1; 152| 9.78k| result++; 153| 9.78k| } 154| | 155| 913| return result; 156| 913|} _ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEhEET_S2_: 37| 673k|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) { 38| 673k| return ct_expand_top_bit(~x & (x - 1)); 39| 673k|} _ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEhEET_S2_: 28| 673k|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) { 29| 673k| const T top = CT::value_barrier(a >> (sizeof(T) * 8 - 1)); 30| 673k| return static_cast(0) - top; 31| 673k|} _ZN5Botan6chooseITkNSt3__117unsigned_integralEhEET_S2_S2_S2_: 216| 673k|BOTAN_FORCE_INLINE constexpr T choose(T mask, T a, T b) { 217| | //return (mask & a) | (~mask & b); 218| 673k| return (b ^ (mask & (a ^ b))); 219| 673k|} _ZN5Botan3ctzITkNSt3__117unsigned_integralEmEEmT_: 115| 451k|BOTAN_FORCE_INLINE constexpr size_t ctz(T n) { 116| | /* 117| | * If n == 0 then this function will compute 8*sizeof(T)-1, so 118| | * initialize lb to 1 if n == 0 to produce the expected result. 119| | */ 120| 451k| size_t lb = ct_if_is_zero_ret(n, 1); 121| | 122| 3.16M| for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) { ------------------ | Branch (122:38): [True: 2.71M, False: 451k] ------------------ 123| 2.71M| const T range = (static_cast(1) << s) - 1; 124| | // Equivalent to: ((n & range) == 0) ? s : 0; 125| 2.71M| const size_t z = ct_if_is_zero_ret(n & range, s); 126| 2.71M| lb += z; 127| 2.71M| n >>= z; 128| 2.71M| } 129| | 130| 451k| return lb; 131| 451k|} _ZN5Botan9ceil_log2ITkNSt3__117unsigned_integralEjEEhT_QltstS2_Li32E: 142| 60|{ 143| 60| if(x >> (sizeof(T) * 8 - 1)) { ------------------ | Branch (143:7): [True: 0, False: 60] ------------------ 144| 0| return sizeof(T) * 8; 145| 0| } 146| | 147| 60| uint8_t result = 0; 148| 60| T compare = 1; 149| | 150| 468| while(compare < x) { ------------------ | Branch (150:10): [True: 408, False: 60] ------------------ 151| 408| compare <<= 1; 152| 408| result++; 153| 408| } 154| | 155| 60| return result; 156| 60|} _ZN5Botan12ceil_tobytesITkNSt3__117unsigned_integralEjEET_S2_: 175| 120|BOTAN_FORCE_INLINE constexpr T ceil_tobytes(T bits) { 176| 120| return (bits + 7) / 8; 177| 120|} _ZN5Botan8majorityITkNSt3__117unsigned_integralEmEET_S2_S2_S2_: 222| 160|BOTAN_FORCE_INLINE constexpr T majority(T a, T b, T c) { 223| | /* 224| | Considering each bit of a, b, c individually 225| | 226| | If a xor b is set, then c is the deciding vote. 227| | 228| | If a xor b is not set then either a and b are both set or both unset. 229| | In either case the value of c doesn't matter, and examining b (or a) 230| | allows us to determine which case we are in. 231| | */ 232| 160| return choose(a ^ b, c, b); 233| 160|} _ZN5Botan10ct_is_zeroITkNSt3__117unsigned_integralEjEET_S2_: 37| 1.15k|BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x) { 38| 1.15k| return ct_expand_top_bit(~x & (x - 1)); 39| 1.15k|} _ZN5Botan17ct_expand_top_bitITkNSt3__117unsigned_integralEjEET_S2_: 28| 133k|BOTAN_FORCE_INLINE constexpr T ct_expand_top_bit(T a) { 29| 133k| const T top = CT::value_barrier(a >> (sizeof(T) * 8 - 1)); 30| 133k| return static_cast(0) - top; 31| 133k|} _ZN5Botan13reverse_bytesITkNSt3__117unsigned_integralEmQooooooeqstT_Li1EeqstS2_Li2EeqstS2_Li4EeqstS2_Li8EEES2_S2_: 27| 241k|inline constexpr T reverse_bytes(T x) { 28| | if constexpr(sizeof(T) == 1) { 29| | return x; 30| | } else if constexpr(sizeof(T) == 2) { 31| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16) 32| | return static_cast(__builtin_bswap16(x)); 33| |#else 34| | return static_cast((x << 8) | (x >> 8)); 35| |#endif 36| | } else if constexpr(sizeof(T) == 4) { 37| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32) 38| | return static_cast(__builtin_bswap32(x)); 39| |#else 40| | // MSVC at least recognizes this as a bswap 41| | return static_cast(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) | 42| | ((x & 0xFF000000) >> 24)); 43| |#endif 44| 241k| } else if constexpr(sizeof(T) == 8) { 45| 241k|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64) 46| 241k| return static_cast(__builtin_bswap64(x)); 47| |#else 48| | uint32_t hi = static_cast(x >> 32); 49| | uint32_t lo = static_cast(x); 50| | 51| | hi = reverse_bytes(hi); 52| | lo = reverse_bytes(lo); 53| | 54| | return (static_cast(lo) << 32) | hi; 55| |#endif 56| 241k| } 57| 241k|} _ZN5Botan13reverse_bytesITkNSt3__117unsigned_integralEtQooooooeqstT_Li1EeqstS2_Li2EeqstS2_Li4EeqstS2_Li8EEES2_S2_: 27| 300|inline constexpr T reverse_bytes(T x) { 28| | if constexpr(sizeof(T) == 1) { 29| | return x; 30| 300| } else if constexpr(sizeof(T) == 2) { 31| 300|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16) 32| 300| return static_cast(__builtin_bswap16(x)); 33| |#else 34| | return static_cast((x << 8) | (x >> 8)); 35| |#endif 36| | } else if constexpr(sizeof(T) == 4) { 37| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32) 38| | return static_cast(__builtin_bswap32(x)); 39| |#else 40| | // MSVC at least recognizes this as a bswap 41| | return static_cast(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) | 42| | ((x & 0xFF000000) >> 24)); 43| |#endif 44| | } else if constexpr(sizeof(T) == 8) { 45| |#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64) 46| | return static_cast(__builtin_bswap64(x)); 47| |#else 48| | uint32_t hi = static_cast(x >> 32); 49| | uint32_t lo = static_cast(x); 50| | 51| | hi = reverse_bytes(hi); 52| | lo = reverse_bytes(lo); 53| | 54| | return (static_cast(lo) << 32) | hi; 55| |#endif 56| | } 57| 300|} _ZN5Botan12BufferSlicerC2ENSt3__14spanIKhLm18446744073709551615EEE: 25| 20.9k| explicit BufferSlicer(std::span buffer) : m_remaining(buffer) {} _ZNK5Botan12BufferSlicer5emptyEv: 68| 338k| bool empty() const { return m_remaining.empty(); } _ZN5Botan12BufferSlicer9take_byteEv: 57| 172k| uint8_t take_byte() { return take(1)[0]; } _ZN5Botan12BufferSlicer4takeEm: 37| 177k| std::span take(const size_t count) { 38| 177k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 177k| do { \ | | 52| 177k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 177k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 177k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 177k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 177k] | | ------------------ ------------------ 39| 177k| auto result = m_remaining.first(count); 40| 177k| m_remaining = m_remaining.subspan(count); 41| 177k| return result; 42| 177k| } _ZNK5Botan12BufferSlicer9remainingEv: 66| 231k| size_t remaining() const { return m_remaining.size(); } _ZN5Botan12BufferSlicer9copy_intoENSt3__14spanIhLm18446744073709551615EEE: 59| 4.48k| void copy_into(std::span sink) { 60| 4.48k| const auto data = take(sink.size()); 61| 4.48k| std::copy(data.begin(), data.end(), sink.begin()); 62| 4.48k| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_18SphincsPublicSeed_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_16SphincsTreeNode_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_18SphincsSecretSeed_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_17SphincsSecretPRF_EJEEEEEDam: 28| 2| auto copy(const size_t count) { 29| 2| const auto result = take(count); 30| 2| return ContainerT(result.begin(), result.end()); 31| 2| } _ZN5Botan12BufferSlicer4takeILm8EEENSt3__14spanIKhXT_EEEv: 45| 47.3k| std::span take() { 46| 47.3k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 47.3k| do { \ | | 52| 47.3k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 47.3k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 47.3k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 47.3k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 47.3k] | | ------------------ ------------------ 47| 47.3k| auto result = m_remaining.first(); 48| 47.3k| m_remaining = m_remaining.subspan(count); 49| 47.3k| return result; 50| 47.3k| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEEDam: 28| 30| auto copy(const size_t count) { 29| 30| const auto result = take(count); 30| 30| return ContainerT(result.begin(), result.end()); 31| 30| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEEEDam: 28| 30| auto copy(const size_t count) { 29| 30| const auto result = take(count); 30| 30| return ContainerT(result.begin(), result.end()); 31| 30| } _ZN5Botan12BufferSlicer4takeILm4EEENSt3__14spanIKhXT_EEEv: 45| 4.86k| std::span take() { 46| 4.86k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 4.86k| do { \ | | 52| 4.86k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 4.86k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 4.86k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 4.86k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 4.86k] | | ------------------ ------------------ 47| 4.86k| auto result = m_remaining.first(); 48| 4.86k| m_remaining = m_remaining.subspan(count); 49| 4.86k| return result; 50| 4.86k| } _ZN5Botan12BufferSlicer4takeILm3EEENSt3__14spanIKhXT_EEEv: 45| 2.04k| std::span take() { 46| 2.04k| BOTAN_STATE_CHECK(remaining() >= count); ------------------ | | 51| 2.04k| do { \ | | 52| 2.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 2.04k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 2.04k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 2.04k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 2.04k] | | ------------------ ------------------ 47| 2.04k| auto result = m_remaining.first(); 48| 2.04k| m_remaining = m_remaining.subspan(count); 49| 2.04k| return result; 50| 2.04k| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_28KyberImplicitRejectionValue_EJEEEEEDam: 28| 30| auto copy(const size_t count) { 29| 30| const auto result = take(count); 30| 30| return ContainerT(result.begin(), result.end()); 31| 30| } _ZN5Botan12BufferSlicer4copyITkNS_8concepts20contiguous_containerENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEEEDam: 28| 30| auto copy(const size_t count) { 29| 30| const auto result = take(count); 30| 30| return ContainerT(result.begin(), result.end()); 31| 30| } _ZN5Botan13BufferStufferC2ENSt3__14spanIhLm18446744073709551615EEE: 26| 975k| constexpr explicit BufferStuffer(std::span buffer) : m_buffer(buffer) {} _ZN5Botan13BufferStuffer6appendEhm: 64| 1.87k| constexpr void append(uint8_t b, size_t repeat = 1) { 65| 1.87k| auto sink = next(repeat); 66| 1.87k| std::fill(sink.begin(), sink.end(), b); 67| 1.87k| } _ZN5Botan13BufferStuffer4nextEm: 32| 1.21M| constexpr std::span next(size_t bytes) { 33| 1.21M| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 1.21M| do { \ | | 52| 1.21M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 1.21M| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 1.21M] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 1.21M| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 1.21M] | | ------------------ ------------------ 34| | 35| 1.21M| auto result = m_buffer.first(bytes); 36| 1.21M| m_buffer = m_buffer.subspan(bytes); 37| 1.21M| return result; 38| 1.21M| } _ZN5Botan13BufferStuffer6appendENSt3__14spanIKhLm18446744073709551615EEE: 59| 1.21M| constexpr void append(std::span buffer) { 60| 1.21M| auto sink = next(buffer.size()); 61| 1.21M| std::copy(buffer.begin(), buffer.end(), sink.begin()); 62| 1.21M| } _ZNK5Botan13BufferStuffer4fullEv: 69| 973k| constexpr bool full() const { return m_buffer.empty(); } _ZN5Botan13BufferStuffer4nextILm32EEENSt3__14spanIhXT_EEEv: 41| 1.04k| constexpr std::span next() { 42| 1.04k| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 1.04k| do { \ | | 52| 1.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 1.04k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 1.04k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 1.04k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 1.04k] | | ------------------ ------------------ 43| | 44| 1.04k| auto result = m_buffer.first(); 45| 1.04k| m_buffer = m_buffer.subspan(bytes); 46| 1.04k| return result; 47| 1.04k| } _ZN5Botan13BufferStuffer4nextILm48EEENSt3__14spanIhXT_EEEv: 41| 672| constexpr std::span next() { 42| 672| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 672| do { \ | | 52| 672| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 672| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 672] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 672| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 672] | | ------------------ ------------------ 43| | 44| 672| auto result = m_buffer.first(); 45| 672| m_buffer = m_buffer.subspan(bytes); 46| 672| return result; 47| 672| } _ZN5Botan13BufferStuffer4nextILm64EEENSt3__14spanIhXT_EEEv: 41| 302| constexpr std::span next() { 42| 302| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 302| do { \ | | 52| 302| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 302| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 302] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 302| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 302] | | ------------------ ------------------ 43| | 44| 302| auto result = m_buffer.first(); 45| 302| m_buffer = m_buffer.subspan(bytes); 46| 302| return result; 47| 302| } _ZN5Botan13BufferStuffer4nextILm24EEENSt3__14spanIhXT_EEEv: 41| 378| constexpr std::span next() { 42| 378| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 378| do { \ | | 52| 378| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 378| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 378] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 378| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 378] | | ------------------ ------------------ 43| | 44| 378| auto result = m_buffer.first(); 45| 378| m_buffer = m_buffer.subspan(bytes); 46| 378| return result; 47| 378| } _ZN5Botan13BufferStuffer4nextILm28EEENSt3__14spanIhXT_EEEv: 41| 338| constexpr std::span next() { 42| 338| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 338| do { \ | | 52| 338| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 338| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 338] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 338| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 338] | | ------------------ ------------------ 43| | 44| 338| auto result = m_buffer.first(); 45| 338| m_buffer = m_buffer.subspan(bytes); 46| 338| return result; 47| 338| } _ZN5Botan13BufferStuffer4nextILm66EEENSt3__14spanIhXT_EEEv: 41| 274| constexpr std::span next() { 42| 274| BOTAN_STATE_CHECK(m_buffer.size() >= bytes); ------------------ | | 51| 274| do { \ | | 52| 274| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 274| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 274] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 274| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 274] | | ------------------ ------------------ 43| | 44| 274| auto result = m_buffer.first(); 45| 274| m_buffer = m_buffer.subspan(bytes); 46| 274| return result; 47| 274| } base64.cpp:_ZN5Botan11base_decodeINS_12_GLOBAL__N_16Base64EEEmRKT_PhPKcmRmbb: 124| 124| bool ignore_ws = true) { 125| | // TODO(Botan4) Check if we can use just base. or Base:: here instead 126| 124| constexpr size_t decoding_bytes_in = std::remove_reference_t::decoding_bytes_in(); 127| 124| constexpr size_t decoding_bytes_out = std::remove_reference_t::decoding_bytes_out(); 128| | 129| 124| uint8_t* out_ptr = output; 130| 124| std::array decode_buf{}; 131| 124| size_t decode_buf_pos = 0; 132| 124| size_t final_truncate = 0; 133| | 134| 124| clear_mem(output, base.decode_max_output(input_length)); 135| | 136| 31.9k| for(size_t i = 0; i != input_length; ++i) { ------------------ | Branch (136:22): [True: 31.8k, False: 124] ------------------ 137| 31.8k| const uint8_t bin = base.lookup_binary_value(input[i]); 138| | 139| | // This call might throw Invalid_Argument 140| 31.8k| if(base.check_bad_char(bin, input[i], ignore_ws)) { ------------------ | Branch (140:10): [True: 1.55k, False: 30.2k] ------------------ 141| 1.55k| decode_buf[decode_buf_pos] = bin; 142| 1.55k| ++decode_buf_pos; 143| 1.55k| } 144| | 145| | /* 146| | * If we're at the end of the input, pad with 0s and truncate 147| | */ 148| 31.8k| if(final_inputs && (i == input_length - 1)) { ------------------ | Branch (148:10): [True: 31.7k, False: 34] | Branch (148:26): [True: 75, False: 31.6k] ------------------ 149| 75| if(decode_buf_pos) { ------------------ | Branch (149:13): [True: 33, False: 42] ------------------ 150| 102| for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j) { ------------------ | Branch (150:44): [True: 69, False: 33] ------------------ 151| 69| decode_buf[j] = 0; 152| 69| } 153| | 154| 33| final_truncate = decoding_bytes_in - decode_buf_pos; 155| 33| decode_buf_pos = decoding_bytes_in; 156| 33| } 157| 75| } 158| | 159| 31.8k| if(decode_buf_pos == decoding_bytes_in) { ------------------ | Branch (159:10): [True: 402, False: 31.4k] ------------------ 160| 402| base.decode(out_ptr, decode_buf.data()); 161| | 162| 402| out_ptr += decoding_bytes_out; 163| 402| decode_buf_pos = 0; 164| 402| input_consumed = i + 1; 165| 402| } 166| 31.8k| } 167| | 168| 7.72k| while(input_consumed < input_length && base.lookup_binary_value(input[input_consumed]) == 0x80) { ------------------ | Branch (168:10): [True: 7.62k, False: 103] | Branch (168:43): [True: 7.60k, False: 21] ------------------ 169| 7.60k| ++input_consumed; 170| 7.60k| } 171| | 172| 124| const size_t written = (out_ptr - output) - base.bytes_to_remove(final_truncate); 173| | 174| 124| return written; 175| 124|} base64.cpp:_ZN5Botan16base_decode_fullINS_12_GLOBAL__N_16Base64EEEmRKT_PhPKcmb: 178| 124|size_t base_decode_full(const Base& base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws) { 179| 124| size_t consumed = 0; 180| 124| const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws); 181| | 182| 124| if(consumed != input_length) { ------------------ | Branch (182:7): [True: 21, False: 103] ------------------ 183| 21| throw Invalid_Argument(base.name() + " decoding failed, input did not have full bytes"); 184| 21| } 185| | 186| 103| return written; 187| 124|} base64.cpp:_ZN5Botan18base_decode_to_vecINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_12_GLOBAL__N_16Base64EEET_RKT0_PKcmb: 190| 124|Vector base_decode_to_vec(const Base& base, const char input[], size_t input_length, bool ignore_ws) { 191| 124| const size_t output_length = base.decode_max_output(input_length); 192| 124| Vector bin(output_length); 193| | 194| 124| const size_t written = base_decode_full(base, bin.data(), input, input_length, ignore_ws); 195| | 196| 124| bin.resize(written); 197| 124| return bin; 198| 124|} _ZN5Botan6concatINS_6detail10AutoDetectETpTkNS_6ranges14spanable_rangeEJNSt3__16vectorIhNS4_9allocatorIhEEEERNS_6StrongIS8_NS_13KyberSeedRho_EJEEEEEEDaDpOT0_Q10all_same_vIDpNS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRSD_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISM_EESN_E4type10value_typeEE: 92| 30|{ 93| 30| if constexpr(std::same_as) { 94| | // Try to auto-detect a reasonable output type given the input ranges 95| 30| static_assert(sizeof...(Rs) > 0, "Cannot auto-detect the output type if not a single input range is provided."); 96| 30| using candidate_result_t = std::remove_cvref_t>>; 97| 30| using result_range_value_t = std::remove_cvref_t>; 98| | 99| | if constexpr((ranges::statically_spanable_range && ...)) { 100| | // If all input ranges have a static extent, we can calculate the total size at compile time 101| | // and therefore can use a statically sized output container. This is constexpr. 102| | constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0); 103| | using out_array_t = std::array; 104| | return detail::concatenate(std::forward(ranges)...); 105| 30| } else { 106| | // If at least one input range has a dynamic extent, we must use a dynamically allocated output container. 107| | // We assume that the user wants to use the first input range's container type as output type. 108| 30| static_assert( 109| 30| concepts::reservable_container, 110| 30| "First input range has static extent, but a dynamically allocated output range is required. Please explicitly specify a dynamically allocatable output type."); 111| 30| return detail::concatenate(std::forward(ranges)...); 112| 30| } 113| | } else { 114| | // The caller has explicitly specified the output type 115| | return detail::concatenate(std::forward(ranges)...); 116| | } 117| 30|} _ZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_E: 33| 30|{ 34| 30| OutR result{}; 35| | 36| | // Prepare and validate the output range and construct a lambda that does the 37| | // actual filling of the result buffer. 38| | // (if no input ranges are given, GCC claims that fill_fn is unused) 39| 30| [[maybe_unused]] auto fill_fn = [&] { 40| 30| if constexpr(concepts::reservable_container) { 41| | // dynamically allocate the correct result byte length 42| 30| const size_t total_size = (ranges.size() + ... + 0); 43| 30| result.reserve(total_size); 44| | 45| | // fill the result buffer using a back-inserter 46| 30| return [&result](auto&& range) { 47| 30| std::copy( 48| 30| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 30| }; 50| 30| } else { 51| 30| if constexpr((ranges::statically_spanable_range && ... && true)) { 52| | // all input ranges have a static extent, so check the total size at compile time 53| | // (work around an issue in MSVC that warns `total_size` is unused) 54| 30| [[maybe_unused]] constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0); 55| 30| static_assert(result.size() == total_size, "size of result buffer does not match the sum of input buffers"); 56| 30| } else { 57| | // at least one input range has a dynamic extent, so check the total size at runtime 58| 30| const size_t total_size = (ranges.size() + ... + 0); 59| 30| BOTAN_ARG_CHECK(result.size() == total_size, 60| 30| "result buffer has static extent that does not match the sum of input buffers"); 61| 30| } 62| | 63| | // fill the result buffer and hold the current output-iterator position 64| 30| return [itr = std::ranges::begin(result)](auto&& range) mutable { 65| 30| std::copy(std::ranges::begin(range), std::ranges::end(range), itr); 66| 30| std::advance(itr, std::ranges::size(range)); 67| 30| }; 68| 30| } 69| 30| }(); 70| | 71| | // perform the actual concatenation 72| 30| (fill_fn(std::forward(ranges)), ...); 73| | 74| 30| return result; 75| 30|} _ZZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_EENKUlvE_clEv: 39| 30| [[maybe_unused]] auto fill_fn = [&] { 40| 30| if constexpr(concepts::reservable_container) { 41| | // dynamically allocate the correct result byte length 42| 30| const size_t total_size = (ranges.size() + ... + 0); 43| 30| result.reserve(total_size); 44| | 45| | // fill the result buffer using a back-inserter 46| 30| return [&result](auto&& range) { 47| 30| std::copy( 48| 30| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 30| }; 50| | } else { 51| | if constexpr((ranges::statically_spanable_range && ... && true)) { 52| | // all input ranges have a static extent, so check the total size at compile time 53| | // (work around an issue in MSVC that warns `total_size` is unused) 54| | [[maybe_unused]] constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0); 55| | static_assert(result.size() == total_size, "size of result buffer does not match the sum of input buffers"); 56| | } else { 57| | // at least one input range has a dynamic extent, so check the total size at runtime 58| | const size_t total_size = (ranges.size() + ... + 0); 59| | BOTAN_ARG_CHECK(result.size() == total_size, 60| | "result buffer has static extent that does not match the sum of input buffers"); 61| | } 62| | 63| | // fill the result buffer and hold the current output-iterator position 64| | return [itr = std::ranges::begin(result)](auto&& range) mutable { 65| | std::copy(std::ranges::begin(range), std::ranges::end(range), itr); 66| | std::advance(itr, std::ranges::size(range)); 67| | }; 68| | } 69| 30| }(); _ZZZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_EENKUlvE_clEvENKUlOSC_E_clIS7_EEDaSH_: 46| 30| return [&result](auto&& range) { 47| 30| std::copy( 48| 30| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 30| }; _ZZZN5Botan6detail11concatenateITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS3_9allocatorIhEEEETpTkNS2_14spanable_rangeEJS7_RNS_6StrongIS7_NS_13KyberSeedRho_EJEEEEEET_DpOT0_Qoosr8conceptsE20reservable_containerISC_Esr6rangesE25statically_spanable_rangeISC_EENKUlvE_clEvENKUlOSC_E_clISB_EEDaSH_: 46| 30| return [&result](auto&& range) { 47| 30| std::copy( 48| 30| std::ranges::begin(range), std::ranges::end(range), std::back_inserter(unwrap_strong_type(result))); 49| 30| }; _ZN5Botan5CPUID3hasENS_10CPUFeatureE: 94| 38.4k| static bool has(CPUID::Feature feat) { return state().has_bit(feat.as_u32()); } _ZN5Botan5CPUID5stateEv: 156| 38.4k| static CPUID_Data& state() { 157| 38.4k| static CPUID::CPUID_Data g_cpuid; 158| 38.4k| return g_cpuid; 159| 38.4k| } _ZNK5Botan5CPUID10CPUID_Data7has_bitEj: 144| 38.4k| bool has_bit(uint32_t bit) const { return (m_processor_features & bit) == bit; } _ZN5Botan5CPUID3hasENS_10CPUFeatureES1_: 99| 4| static bool has(CPUID::Feature feat1, CPUID::Feature feat2) { 100| 4| return state().has_bit(feat1.as_u32() | feat2.as_u32()); 101| 4| } _ZN5Botan5CPUID6is_setEjNS_10CPUFeatureE: 127| 4| static inline bool is_set(uint32_t allowed, CPUID::Feature bit) { 128| 4| const uint32_t feat_bit = bit.as_u32(); 129| 4| return ((allowed & feat_bit) == feat_bit); 130| 4| } cpuid_x86.cpp:_ZN5Botan5CPUID6if_setIZNS0_10CPUID_Data19detect_cpu_featuresEjE16x86_CPUID_1_bitsEEjmT_NS_10CPUFeatureEj: 117| 6| static inline uint32_t if_set(uint64_t cpuid, T flag, CPUID::Feature bit, uint32_t allowed) { 118| 6| const uint64_t flag64 = static_cast(flag); 119| 6| if((cpuid & flag64) == flag64) { ------------------ | Branch (119:13): [True: 6, False: 0] ------------------ 120| 6| return (bit.as_u32() & allowed); 121| 6| } else { 122| 0| return 0; 123| 0| } 124| 6| } cpuid_x86.cpp:_ZN5Botan5CPUID6if_setIZNS0_10CPUID_Data19detect_cpu_featuresEjE16x86_CPUID_7_bitsEEjmT_NS_10CPUFeatureEj: 117| 8| static inline uint32_t if_set(uint64_t cpuid, T flag, CPUID::Feature bit, uint32_t allowed) { 118| 8| const uint64_t flag64 = static_cast(flag); 119| 8| if((cpuid & flag64) == flag64) { ------------------ | Branch (119:13): [True: 4, False: 4] ------------------ 120| 4| return (bit.as_u32() & allowed); 121| 4| } else { 122| 4| return 0; 123| 4| } 124| 8| } cpuid_x86.cpp:_ZN5Botan5CPUID6if_setIZNS0_10CPUID_Data19detect_cpu_featuresEjE18x86_CPUID_7_1_bitsEEjmT_NS_10CPUFeatureEj: 117| 3| static inline uint32_t if_set(uint64_t cpuid, T flag, CPUID::Feature bit, uint32_t allowed) { 118| 3| const uint64_t flag64 = static_cast(flag); 119| 3| if((cpuid & flag64) == flag64) { ------------------ | Branch (119:13): [True: 0, False: 3] ------------------ 120| 0| return (bit.as_u32() & allowed); 121| 3| } else { 122| 3| return 0; 123| 3| } 124| 3| } _ZNK5Botan10CPUFeature6as_u32Ev: 53| 38.4k| uint32_t as_u32() const { return static_cast(m_bit); } _ZN5Botan10CPUFeatureC2ENS0_3BitE: 51| 38.4k| CPUFeature(Bit b) : m_bit(b) {} // NOLINT(*-explicit-conversions) _ZN5Botan2CT6Choice9from_maskEm: 303| 10.0M| constexpr static Choice from_mask(underlying_type v) { return Choice(v); } _ZN5Botan2CT6Choice2noEv: 307| 533| constexpr static Choice no() { return Choice(0); } _ZNK5Botan2CT6ChoicentEv: 309| 3.83M| constexpr Choice operator!() const { return Choice(~value()); } _ZNK5Botan2CT6ChoiceaaERKS1_: 311| 4.90M| constexpr Choice operator&&(const Choice& other) const { return Choice(value() & other.value()); } _ZNK5Botan2CT6ChoiceooERKS1_: 313| 837k| constexpr Choice operator||(const Choice& other) const { return Choice(value() | other.value()); } _ZNK5Botan2CT6Choice7as_boolEv: 329| 3.84M| constexpr bool as_bool() const { return m_value != 0; } _ZNK5Botan2CT6Choice5valueEv: 332| 19.4M| constexpr underlying_type value() const { return value_barrier(m_value); } _ZN5Botan2CT6ChoiceC2Em: 341| 22.3M| constexpr explicit Choice(underlying_type v) : m_value(CT::value_barrier(v)) {} _ZN5Botan2CT4MaskImE7is_zeroEm: 437| 123M| static constexpr Mask is_zero(T x) { return Mask(ct_is_zero(value_barrier(x))); } _ZNK5Botan2CT4MaskImE5valueEv: 630| 334M| constexpr T value() const { return value_barrier(m_mask); } _ZNK5Botan2CT4MaskImEcoEv: 533| 56.3M| constexpr Mask operator~() const { return Mask(~value()); } _ZN5Botan2CT4MaskImE6expandEm: 392| 55.9M| static constexpr Mask expand(T v) { return ~Mask::is_zero(value_barrier(v)); } _ZN5Botan2CT6poisonImEEvPKT_m: 56| 3.05M|constexpr inline void poison(const T* p, size_t n) { 57| |#if defined(BOTAN_HAS_VALGRIND) 58| | if(!std::is_constant_evaluated()) { 59| | VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T)); 60| | } 61| |#endif 62| | 63| 3.05M| BOTAN_UNUSED(p, n); ------------------ | | 144| 3.05M|#define BOTAN_UNUSED Botan::ignore_params ------------------ 64| 3.05M|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt17custom_poisonableISC_EEEvRKSC_: 121| 26.2k|constexpr void poison(const R& r) { 122| 26.2k| const std::span s{r}; 123| 26.2k| poison(s.data(), s.size()); 124| 26.2k|} _ZN5Botan2CT8unpoisonImEEvPKT_m: 67| 52.8M|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 52.8M| BOTAN_UNUSED(p, n); ------------------ | | 144| 52.8M|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 52.8M|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt19custom_unpoisonableISC_EEEvRKSC_: 128| 9.05M|constexpr void unpoison(const R& r) { 129| 9.05M| const std::span s{r}; 130| 9.05M| unpoison(s.data(), s.size()); 131| 9.05M|} _ZNK5Botan2CT4MaskImE6selectEmm: 548| 88.1M| constexpr T select(T x, T y) const { return choose(value(), x, y); } _ZNK5Botan2CT4MaskImE16conditional_swapImEEvRT_S5_QlestTL0__stS4_: 587| 6.28k| { 588| 6.28k| auto cnd = Mask(*this); 589| 6.28k| U t0 = cnd.select(y, x); 590| 6.28k| U t1 = cnd.select(x, y); 591| 6.28k| x = t0; 592| 6.28k| y = t1; 593| 6.28k| } _ZN5Botan2CT9all_zerosImEENS0_4MaskIT_EEPKS3_m: 785| 7.66M|constexpr inline CT::Mask all_zeros(const T elem[], size_t len) { 786| 7.66M| T sum = 0; 787| 61.6M| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (787:22): [True: 54.0M, False: 7.66M] ------------------ 788| 54.0M| sum |= elem[i]; 789| 54.0M| } 790| 7.66M| return CT::Mask::is_zero(sum); 791| 7.66M|} _ZN5Botan2CT4MaskImEC2Em: 637| 241M| constexpr explicit Mask(T m) : m_mask(m) {} _ZNK5Botan2CT4MaskImE7as_boolEv: 614| 864k| constexpr bool as_bool() const { return unpoisoned_value() != 0; } _ZNK5Botan2CT4MaskImE16unpoisoned_valueEv: 598| 10.9M| constexpr T unpoisoned_value() const { 599| 10.9M| T r = value(); 600| 10.9M| CT::unpoison(r); 601| 10.9M| return r; 602| 10.9M| } _ZN5Botan2CT8unpoisonITkNSt3__18integralEmEEvRKT_: 112| 30.7M|constexpr void unpoison(const T& p) { 113| 30.7M| unpoison(&p, 1); 114| 30.7M|} _ZN5Botan2CTanENS0_4MaskImEES2_: 518| 355k| friend Mask operator&(Mask x, Mask y) { return Mask(x.value() & y.value()); } _ZN5Botan2CT4MaskImE8is_equalEmm: 442| 50.7M| static constexpr Mask is_equal(T x, T y) { 443| 50.7M| const T diff = value_barrier(x) ^ value_barrier(y); 444| 50.7M| return Mask::is_zero(diff); 445| 50.7M| } _ZNK5Botan2CT4MaskImE13if_set_returnEm: 538| 43.8M| constexpr T if_set_return(T x) const { return value() & x; } _ZN5Botan2CT4MaskImE5is_ltEmm: 450| 42.4M| static constexpr Mask is_lt(T x, T y) { 451| 42.4M| T u = x ^ ((x ^ y) | ((x - y) ^ x)); 452| 42.4M| return Mask::expand_top_bit(u); 453| 42.4M| } _ZN5Botan2CT4MaskImE14expand_top_bitEm: 415| 42.8M| static constexpr Mask expand_top_bit(T v) { return Mask(ct_expand_top_bit(v)); } _ZN5Botan2CT20conditional_copy_memImEENS0_4MaskIT_EES3_PS3_PKS3_S7_m: 738| 3.06M|constexpr inline Mask conditional_copy_mem(T cnd, T* dest, const T* if_set, const T* if_unset, size_t elems) { 739| 3.06M| const auto mask = CT::Mask::expand(cnd); 740| 3.06M| return CT::conditional_copy_mem(mask, dest, if_set, if_unset, elems); 741| 3.06M|} _ZN5Botan2CT20conditional_copy_memImEENS0_4MaskIT_EES4_PS3_PKS3_S7_m: 732| 3.06M|constexpr inline Mask conditional_copy_mem(Mask mask, T* dest, const T* if_set, const T* if_unset, size_t elems) { 733| 3.06M| mask.select_n(dest, if_set, if_unset, elems); 734| 3.06M| return mask; 735| 3.06M|} _ZNK5Botan2CT4MaskImE8select_nEPmPKmS5_m: 565| 50.4M| constexpr void select_n(T output[], const T x[], const T y[], size_t len) const { 566| 50.4M| const T mask = value(); 567| 344M| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (567:28): [True: 293M, False: 50.4M] ------------------ 568| 293M| output[i] = choose(mask, x[i], y[i]); 569| 293M| } 570| 50.4M| } _ZNK5Botan2CT4MaskImE11select_maskES2_S2_: 559| 18.2M| Mask select_mask(Mask x, Mask y) const { return Mask(select(x.value(), y.value())); } _ZN5Botan2CT4MaskImEoRES2_: 510| 527k| Mask& operator|=(Mask o) { 511| 527k| m_mask |= o.value(); 512| 527k| return (*this); 513| 527k| } _ZN5Botan2CT4MaskImEaNES2_: 494| 2.65M| Mask& operator&=(Mask o) { 495| 2.65M| m_mask &= o.value(); 496| 2.65M| return (*this); 497| 2.65M| } _ZN5Botan2CT4MaskImE11expand_boolEb: 397| 640k| static constexpr Mask expand_bool(bool v) { return Mask::expand(static_cast(v)); } _ZN5Botan2CT4MaskIhE11expand_boolEb: 397| 673k| static constexpr Mask expand_bool(bool v) { return Mask::expand(static_cast(v)); } _ZN5Botan2CT4MaskIhE6expandEh: 392| 673k| static constexpr Mask expand(T v) { return ~Mask::is_zero(value_barrier(v)); } _ZN5Botan2CT4MaskIhE7is_zeroEh: 437| 673k| static constexpr Mask is_zero(T x) { return Mask(ct_is_zero(value_barrier(x))); } _ZN5Botan2CT4MaskIhEC2Eh: 637| 1.34M| constexpr explicit Mask(T m) : m_mask(m) {} _ZNK5Botan2CT4MaskIhEcoEv: 533| 673k| constexpr Mask operator~() const { return Mask(~value()); } _ZNK5Botan2CT4MaskIhE5valueEv: 630| 1.34M| constexpr T value() const { return value_barrier(m_mask); } _ZNK5Botan2CT4MaskIhE6selectEhh: 548| 673k| constexpr T select(T x, T y) const { return choose(value(), x, y); } _ZNK5Botan2CT4MaskImE9as_choiceEv: 619| 10.0M| constexpr CT::Choice as_choice() const { 620| 10.0M| if constexpr(sizeof(T) >= sizeof(Choice::underlying_type)) { 621| 10.0M| return CT::Choice::from_mask(static_cast(unpoisoned_value())); 622| | } else { 623| | return CT::Choice::from_int(unpoisoned_value()); 624| | } 625| 10.0M| } _ZN5Botan2CT4MaskImE6is_gteEmm: 468| 403k| static constexpr Mask is_gte(T x, T y) { return ~Mask::is_lt(x, y); } _ZN5Botan2CTorENS0_4MaskImEES2_: 528| 403k| friend Mask operator|(Mask x, Mask y) { return Mask(x.value() | y.value()); } _ZN5Botan2CTeoENS0_4MaskImEES2_: 523| 448| friend Mask operator^(Mask x, Mask y) { return Mask(x.value() ^ y.value()); } _ZN5Botan2CT6Choice8from_intIjQaasr3stdE17unsigned_integralIT_Entsr3stdE7same_asIbS3_EEES1_S3_: 268| 2.70M| constexpr static Choice from_int(T v) { 269| 2.70M| if constexpr(sizeof(T) <= sizeof(underlying_type)) { 270| 2.70M| return !Choice(ct_is_zero(v)); 271| | } else { 272| | // Mask of T that is either |0| or |1| 273| | const T v_is_0 = ct_is_zero(value_barrier(v)); 274| | 275| | // We want the mask to be set if v != 0 so we must check that 276| | // v_is_0 is itself zero. 277| | // 278| | // Also sizeof(T) may not equal sizeof(underlying_type) so we must 279| | // use ct_is_zero. It's ok to either truncate or 280| | // zero extend v_is_0 to 32 bits since we know it is |0| or |1| 281| | // so even just the low bit is sufficient. 282| | return Choice(ct_is_zero(static_cast(v_is_0))); 283| | } 284| 2.70M| } _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__14spanIKmLm18446744073709551615EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEnt17custom_poisonableISB_EEEvRKSB_: 121| 3.01M|constexpr void poison(const R& r) { 122| 3.01M| const std::span s{r}; 123| 3.01M| poison(s.data(), s.size()); 124| 3.01M|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIKmLm18446744073709551615EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEnt19custom_unpoisonableISB_EEEvRKSB_: 128| 3.01M|constexpr void unpoison(const R& r) { 129| 3.01M| const std::span s{r}; 130| 3.01M| unpoison(s.data(), s.size()); 131| 3.01M|} _ZN5Botan2CT4MaskImE15if_set_zero_outEPmm: 575| 3.97M| constexpr void if_set_zero_out(T buf[], size_t elems) { 576| 39.7M| for(size_t i = 0; i != elems; ++i) { ------------------ | Branch (576:28): [True: 35.7M, False: 3.97M] ------------------ 577| 35.7M| buf[i] = this->if_not_set_return(buf[i]); 578| 35.7M| } 579| 3.97M| } _ZNK5Botan2CT4MaskImE17if_not_set_returnEm: 543| 36.2M| constexpr T if_not_set_return(T x) const { return ~value() & x; } _ZN5Botan2CT22conditional_assign_memImEENS0_4MaskIT_EES3_PS3_PKS3_m: 749| 38.3M|constexpr inline Mask conditional_assign_mem(T cnd, T* dest, const T* src, size_t elems) { 750| 38.3M| const auto mask = CT::Mask::expand(cnd); 751| 38.3M| mask.select_n(dest, src, dest, elems); 752| 38.3M| return mask; 753| 38.3M|} _ZN5Botan2CT4MaskImE7clearedEv: 387| 51.4k| static constexpr Mask cleared() { return Mask(0); } _ZN5Botan2CT16driveby_unpoisonITkNS0_12unpoisonableEmEEDcOT_Qsr3stdE21is_rvalue_reference_vIDtfp_EE: 245| 1.53k|{ 246| 1.53k| unpoison(v); 247| 1.53k| return std::forward(v); 248| 1.53k|} _ZNK5Botan2CT6Choice12into_bitmaskImQaasr3stdE17unsigned_integralIT_Entsr3stdE7same_asIbS3_EEES3_v: 291| 4.14M| constexpr T into_bitmask() const { 292| 4.14M| if constexpr(sizeof(T) <= sizeof(underlying_type)) { 293| | // The inner mask is already |0| or |1| so just truncate 294| 4.14M| return static_cast(value()); 295| | } else { 296| | return ~ct_is_zero(value()); 297| | } 298| 4.14M| } _ZN5Botan2CT6poisonIhEEvPKT_m: 56| 1.62k|constexpr inline void poison(const T* p, size_t n) { 57| |#if defined(BOTAN_HAS_VALGRIND) 58| | if(!std::is_constant_evaluated()) { 59| | VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T)); 60| | } 61| |#endif 62| | 63| 1.62k| BOTAN_UNUSED(p, n); ------------------ | | 144| 1.62k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 64| 1.62k|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 152|constexpr void poison(const T& x) { 139| 152| x._const_time_poison(); 140| 152|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 152|constexpr void poison_all(const Ts&... ts) { 202| 152| (poison(ts), ...); 203| 152|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 138| 456|constexpr void poison(const T& x) { 139| 456| x._const_time_poison(); 140| 456|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm4EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 2.07k|constexpr void poison(const R& r) { 122| 2.07k| const std::span s{r}; 123| 2.07k| poison(s.data(), s.size()); 124| 2.07k|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 152|constexpr void unpoison(const T& x) { 144| 152| x._const_time_unpoison(); 145| 152|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 152|constexpr void unpoison_all(const Ts&... ts) { 208| 152| (unpoison(ts), ...); 209| 152|} pcurves_brainpool256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 143| 456|constexpr void unpoison(const T& x) { 144| 456| x._const_time_unpoison(); 145| 456|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm4EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 2.07k|constexpr void unpoison(const R& r) { 129| 2.07k| const std::span s{r}; 130| 2.07k| unpoison(s.data(), s.size()); 131| 2.07k|} _ZN5Botan2CT8unpoisonIhEEvPKT_m: 67| 1.82k|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 1.82k| BOTAN_UNUSED(p, n); ------------------ | | 144| 1.82k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 1.82k|} _ZN5Botan2CT8is_equalImEENS0_4MaskIT_EEPKS3_S6_m: 798| 2.13k|constexpr inline CT::Mask is_equal(const T x[], const T y[], size_t len) { 799| 2.13k| if(std::is_constant_evaluated()) { ------------------ | Branch (799:7): [Folded, False: 2.13k] ------------------ 800| 0| T difference = 0; 801| | 802| 0| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (802:25): [True: 0, False: 0] ------------------ 803| 0| difference = difference | (x[i] ^ y[i]); 804| 0| } 805| | 806| 0| return CT::Mask::is_zero(difference); 807| 2.13k| } else { 808| 2.13k| volatile T difference = 0; 809| | 810| 12.8k| for(size_t i = 0; i != len; ++i) { ------------------ | Branch (810:25): [True: 10.7k, False: 2.13k] ------------------ 811| 10.7k| difference = difference | (x[i] ^ y[i]); 812| 10.7k| } 813| | 814| 2.13k| return CT::Mask::is_zero(difference); 815| 2.13k| } 816| 2.13k|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 185|constexpr void poison(const T& x) { 139| 185| x._const_time_poison(); 140| 185|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 185|constexpr void poison_all(const Ts&... ts) { 202| 185| (poison(ts), ...); 203| 185|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 138| 555|constexpr void poison(const T& x) { 139| 555| x._const_time_poison(); 140| 555|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm6EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 1.00k|constexpr void poison(const R& r) { 122| 1.00k| const std::span s{r}; 123| 1.00k| poison(s.data(), s.size()); 124| 1.00k|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 185|constexpr void unpoison(const T& x) { 144| 185| x._const_time_unpoison(); 145| 185|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 185|constexpr void unpoison_all(const Ts&... ts) { 208| 185| (unpoison(ts), ...); 209| 185|} pcurves_brainpool384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 143| 555|constexpr void unpoison(const T& x) { 144| 555| x._const_time_unpoison(); 145| 555|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm6EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1.00k|constexpr void unpoison(const R& r) { 129| 1.00k| const std::span s{r}; 130| 1.00k| unpoison(s.data(), s.size()); 131| 1.00k|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 151|constexpr void poison(const T& x) { 139| 151| x._const_time_poison(); 140| 151|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 151|constexpr void poison_all(const Ts&... ts) { 202| 151| (poison(ts), ...); 203| 151|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 138| 453|constexpr void poison(const T& x) { 139| 453| x._const_time_poison(); 140| 453|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm8EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 453|constexpr void poison(const R& r) { 122| 453| const std::span s{r}; 123| 453| poison(s.data(), s.size()); 124| 453|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES4_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 151|constexpr void unpoison(const T& x) { 144| 151| x._const_time_unpoison(); 145| 151|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 151|constexpr void unpoison_all(const Ts&... ts) { 208| 151| (unpoison(ts), ...); 209| 151|} pcurves_brainpool512r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEEEEvRKT_: 143| 453|constexpr void unpoison(const T& x) { 144| 453| x._const_time_unpoison(); 145| 453|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm8EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 453|constexpr void unpoison(const R& r) { 129| 453| const std::span s{r}; 130| 453| unpoison(s.data(), s.size()); 131| 453|} _ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6PCurve22GenericProjectivePointEEEvRKT_: 138| 371|constexpr void poison(const T& x) { 139| 371| x._const_time_poison(); 140| 371|} pcurves_generic.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6PCurve12_GLOBAL__N_112GenericFieldES4_S4_EQgtsZT_Li0EEEvDpRKT_: 201| 371|constexpr void poison_all(const Ts&... ts) { 202| 371| (poison(ts), ...); 203| 371|} pcurves_generic.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6PCurve12_GLOBAL__N_112GenericFieldEEEvRKT_: 138| 1.11k|constexpr void poison(const T& x) { 139| 1.11k| x._const_time_poison(); 140| 1.11k|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm9EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 1.52k|constexpr void poison(const R& r) { 122| 1.52k| const std::span s{r}; 123| 1.52k| poison(s.data(), s.size()); 124| 1.52k|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6PCurve22GenericProjectivePointEEEvRKT_: 143| 371|constexpr void unpoison(const T& x) { 144| 371| x._const_time_unpoison(); 145| 371|} pcurves_generic.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6PCurve12_GLOBAL__N_112GenericFieldES4_S4_EQgtsZT_Li0EEEvDpRKT_: 207| 371|constexpr void unpoison_all(const Ts&... ts) { 208| 371| (unpoison(ts), ...); 209| 371|} pcurves_generic.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6PCurve12_GLOBAL__N_112GenericFieldEEEvRKT_: 143| 1.11k|constexpr void unpoison(const T& x) { 144| 1.11k| x._const_time_unpoison(); 145| 1.11k|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm9EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1.52k|constexpr void unpoison(const R& r) { 129| 1.52k| const std::span s{r}; 130| 1.52k| unpoison(s.data(), s.size()); 131| 1.52k|} pcurves_secp192r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 189|constexpr void poison(const T& x) { 139| 189| x._const_time_poison(); 140| 189|} pcurves_secp192r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 189|constexpr void poison_all(const Ts&... ts) { 202| 189| (poison(ts), ...); 203| 189|} pcurves_secp192r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 567|constexpr void poison(const T& x) { 139| 567| x._const_time_poison(); 140| 567|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm3EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 567|constexpr void poison(const R& r) { 122| 567| const std::span s{r}; 123| 567| poison(s.data(), s.size()); 124| 567|} pcurves_secp192r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 189|constexpr void unpoison(const T& x) { 144| 189| x._const_time_unpoison(); 145| 189|} pcurves_secp192r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 189|constexpr void unpoison_all(const Ts&... ts) { 208| 189| (unpoison(ts), ...); 209| 189|} pcurves_secp192r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 567|constexpr void unpoison(const T& x) { 144| 567| x._const_time_unpoison(); 145| 567|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayImLm3EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 567|constexpr void unpoison(const R& r) { 129| 567| const std::span s{r}; 130| 567| unpoison(s.data(), s.size()); 131| 567|} pcurves_secp224r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 168|constexpr void poison(const T& x) { 139| 168| x._const_time_poison(); 140| 168|} pcurves_secp224r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 168|constexpr void poison_all(const Ts&... ts) { 202| 168| (poison(ts), ...); 203| 168|} pcurves_secp224r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 504|constexpr void poison(const T& x) { 139| 504| x._const_time_poison(); 140| 504|} pcurves_secp224r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 168|constexpr void unpoison(const T& x) { 144| 168| x._const_time_unpoison(); 145| 168|} pcurves_secp224r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 168|constexpr void unpoison_all(const Ts&... ts) { 208| 168| (unpoison(ts), ...); 209| 168|} pcurves_secp224r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 504|constexpr void unpoison(const T& x) { 144| 504| x._const_time_unpoison(); 145| 504|} pcurves_secp256k1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 157|constexpr void poison(const T& x) { 139| 157| x._const_time_poison(); 140| 157|} pcurves_secp256k1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 157|constexpr void poison_all(const Ts&... ts) { 202| 157| (poison(ts), ...); 203| 157|} pcurves_secp256k1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 471|constexpr void poison(const T& x) { 139| 471| x._const_time_poison(); 140| 471|} pcurves_secp256k1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 157|constexpr void unpoison(const T& x) { 144| 157| x._const_time_unpoison(); 145| 157|} pcurves_secp256k1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 157|constexpr void unpoison_all(const Ts&... ts) { 208| 157| (unpoison(ts), ...); 209| 157|} pcurves_secp256k1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 471|constexpr void unpoison(const T& x) { 144| 471| x._const_time_unpoison(); 145| 471|} pcurves_secp256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS5_9secp256r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 215|constexpr void poison(const T& x) { 139| 215| x._const_time_poison(); 140| 215|} pcurves_secp256r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 215|constexpr void poison_all(const Ts&... ts) { 202| 215| (poison(ts), ...); 203| 215|} pcurves_secp256r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 138| 645|constexpr void poison(const T& x) { 139| 645| x._const_time_poison(); 140| 645|} pcurves_secp256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS5_9secp256r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 215|constexpr void unpoison(const T& x) { 144| 215| x._const_time_unpoison(); 145| 215|} pcurves_secp256r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 215|constexpr void unpoison_all(const Ts&... ts) { 208| 215| (unpoison(ts), ...); 209| 215|} pcurves_secp256r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 143| 645|constexpr void unpoison(const T& x) { 144| 645| x._const_time_unpoison(); 145| 645|} pcurves_secp384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS5_9secp384r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 151|constexpr void poison(const T& x) { 139| 151| x._const_time_poison(); 140| 151|} pcurves_secp384r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 151|constexpr void poison_all(const Ts&... ts) { 202| 151| (poison(ts), ...); 203| 151|} pcurves_secp384r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 138| 453|constexpr void poison(const T& x) { 139| 453| x._const_time_poison(); 140| 453|} pcurves_secp384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS5_9secp384r16ParamsES6_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 151|constexpr void unpoison(const T& x) { 144| 151| x._const_time_unpoison(); 145| 151|} pcurves_secp384r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 151|constexpr void unpoison_all(const Ts&... ts) { 208| 151| (unpoison(ts), ...); 209| 151|} pcurves_secp384r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEEEEvRKT_: 143| 453|constexpr void unpoison(const T& x) { 144| 453| x._const_time_unpoison(); 145| 453|} pcurves_secp521r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 138| 136|constexpr void poison(const T& x) { 139| 136| x._const_time_poison(); 140| 136|} pcurves_secp521r1.cpp:_ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 201| 136|constexpr void poison_all(const Ts&... ts) { 202| 136| (poison(ts), ...); 203| 136|} pcurves_secp521r1.cpp:_ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 138| 408|constexpr void poison(const T& x) { 139| 408| x._const_time_poison(); 140| 408|} pcurves_secp521r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS6_6ParamsES7_E11FieldParamsEEEEES9_EEEEvRKT_: 143| 136|constexpr void unpoison(const T& x) { 144| 136| x._const_time_unpoison(); 145| 136|} pcurves_secp521r1.cpp:_ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEESC_SC_EQgtsZT_Li0EEEvDpRKT_: 207| 136|constexpr void unpoison_all(const Ts&... ts) { 208| 136| (unpoison(ts), ...); 209| 136|} pcurves_secp521r1.cpp:_ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEEEEvRKT_: 143| 408|constexpr void unpoison(const T& x) { 144| 408| x._const_time_unpoison(); 145| 408|} _ZN5Botan2CT12poison_rangeITkNSt3__16ranges5rangeENS2_6vectorINS_14Montgomery_IntENS2_9allocatorIS5_EEEEQ10poisonableINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEEEvRKSC_: 181| 1.63k|constexpr void poison_range(const R& r) { 182| 26.2k| for(const auto& v : r) { ------------------ | Branch (182:22): [True: 26.2k, False: 1.63k] ------------------ 183| 26.2k| poison(v); 184| 26.2k| } 185| 1.63k|} _ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_14Montgomery_IntEEEvRKT_: 138| 26.2k|constexpr void poison(const T& x) { 139| 26.2k| x._const_time_poison(); 140| 26.2k|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_14Montgomery_IntEEEvRKT_: 143| 3.59k|constexpr void unpoison(const T& x) { 144| 3.59k| x._const_time_unpoison(); 145| 3.59k|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS_16secure_allocatorIhEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt19custom_unpoisonableISC_EEEvRKSC_: 128| 1|constexpr void unpoison(const R& r) { 129| 1| const std::span s{r}; 130| 1| unpoison(s.data(), s.size()); 131| 1|} _ZNK5Botan2CT4MaskIjE5valueEv: 630| 133k| constexpr T value() const { return value_barrier(m_mask); } _ZNK5Botan2CT4MaskIjE13if_set_returnEj: 538| 132k| constexpr T if_set_return(T x) const { return value() & x; } _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__16vectorIhNS_16secure_allocatorIhEEEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEnt17custom_poisonableISC_EEEvRKSC_: 121| 1|constexpr void poison(const R& r) { 122| 1| const std::span s{r}; 123| 1| poison(s.data(), s.size()); 124| 1|} _ZN5Botan2CT8unpoisonITkNSt3__18integralEbEEvRKT_: 112| 354k|constexpr void unpoison(const T& p) { 113| 354k| unpoison(&p, 1); 114| 354k|} _ZN5Botan2CT8unpoisonIbEEvPKT_m: 67| 354k|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 354k| BOTAN_UNUSED(p, n); ------------------ | | 144| 354k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 354k|} _ZN5Botan2CT4MaskIjEC2Ej: 637| 133k| constexpr explicit Mask(T m) : m_mask(m) {} _ZN5Botan2CT4MaskIjE8is_equalEjj: 442| 1.15k| static constexpr Mask is_equal(T x, T y) { 443| 1.15k| const T diff = value_barrier(x) ^ value_barrier(y); 444| 1.15k| return Mask::is_zero(diff); 445| 1.15k| } _ZN5Botan2CT4MaskIjE7is_zeroEj: 437| 1.15k| static constexpr Mask is_zero(T x) { return Mask(ct_is_zero(value_barrier(x))); } _ZN5Botan2CT16driveby_unpoisonITkNS0_12unpoisonableEbEEDcOT_Qsr3stdE21is_rvalue_reference_vIDtfp_EE: 245| 354k|{ 246| 354k| unpoison(v); 247| 354k| return std::forward(v); 248| 354k|} _ZN5Botan2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS7_EEEDaDpRKS7_: 222| 1|[[nodiscard]] constexpr auto scoped_poison(const Ts&... xs) { 223| 1| auto scope = scoped_cleanup([&] { unpoison_all(xs...); }); 224| 1| poison_all(xs...); 225| 1| return scope; 226| 1|} _ZN5Botan2CT10poison_allITpTkNS0_10poisonableEJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQgtsZT_Li0EEEvDpRKT_: 201| 1|constexpr void poison_all(const Ts&... ts) { 202| 1| (poison(ts), ...); 203| 1|} _ZZN5Botan2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS7_EEEDaDpRKS7_ENKUlvE_clEv: 223| 1| auto scope = scoped_cleanup([&] { unpoison_all(xs...); }); _ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQgtsZT_Li0EEEvDpRKT_: 207| 1|constexpr void unpoison_all(const Ts&... ts) { 208| 1| (unpoison(ts), ...); 209| 1|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__15arrayIhLm56EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 1|constexpr void unpoison(const R& r) { 129| 1| const std::span s{r}; 130| 1| unpoison(s.data(), s.size()); 131| 1|} _ZN5Botan2CT4MaskImEeOES2_: 502| 448| Mask& operator^=(Mask o) { 503| 448| m_mask ^= o.value(); 504| 448| return (*this); 505| 448| } _ZN5Botan2CT4MaskIjE14expand_top_bitEj: 415| 132k| static constexpr Mask expand_top_bit(T v) { return Mask(ct_expand_top_bit(v)); } _ZN5Botan2CT6poisonITkNS0_17custom_poisonableENS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS2_6DomainE0EEEEEvRKT_: 138| 967|constexpr void poison(const T& x) { 139| 967| x._const_time_poison(); 140| 967|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENSt3__14spanIiLm256EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt17custom_poisonableISA_EEEvRKSA_: 121| 967|constexpr void poison(const R& r) { 122| 967| const std::span s{r}; 123| 967| poison(s.data(), s.size()); 124| 967|} _ZN5Botan2CT6poisonIiEEvPKT_m: 56| 967|constexpr inline void poison(const T* p, size_t n) { 57| |#if defined(BOTAN_HAS_VALGRIND) 58| | if(!std::is_constant_evaluated()) { 59| | VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T)); 60| | } 61| |#endif 62| | 63| 967| BOTAN_UNUSED(p, n); ------------------ | | 144| 967|#define BOTAN_UNUSED Botan::ignore_params ------------------ 64| 967|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt17custom_poisonableISF_EEEvRKSF_: 121| 83|constexpr void poison(const R& r) { 122| 83| const std::span s{r}; 123| 83| poison(s.data(), s.size()); 124| 83|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS2_6DomainE0EEEEEvRKT_: 143| 332|constexpr void unpoison(const T& x) { 144| 332| x._const_time_unpoison(); 145| 332|} _ZN5Botan2CT14unpoison_rangeITkNSt3__16ranges5rangeENS2_6vectorINS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEENS2_9allocatorIS9_EEEEQ12unpoisonableINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvRKSG_: 189| 332|constexpr void unpoison_range(const R& r) { 190| 2.00k| for(const auto& v : r) { ------------------ | Branch (190:22): [True: 2.00k, False: 332] ------------------ 191| 2.00k| unpoison(v); 192| 2.00k| } 193| 332|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS2_6DomainE0EEEEEvRKT_: 143| 2.00k|constexpr void unpoison(const T& x) { 144| 2.00k| x._const_time_unpoison(); 145| 2.00k|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIiLm256EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 2.00k|constexpr void unpoison(const R& r) { 129| 2.00k| const std::span s{r}; 130| 2.00k| unpoison(s.data(), s.size()); 131| 2.00k|} _ZN5Botan2CT8unpoisonIiEEvPKT_m: 67| 2.00k|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 2.00k| BOTAN_UNUSED(p, n); ------------------ | | 144| 2.00k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 2.00k|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_28Dilithium_PrivateKeyInternalEEEvRKT_: 143| 83|constexpr void unpoison(const T& x) { 144| 83| x._const_time_unpoison(); 145| 83|} _ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15DilithiumSeedK_EJEEENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSA_6DomainE0EEESE_SE_EQgtsZT_Li0EEEvDpRKT_: 207| 83|constexpr void unpoison_all(const Ts&... ts) { 208| 83| (unpoison(ts), ...); 209| 83|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15DilithiumSeedK_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 83|constexpr void unpoison(const R& r) { 129| 83| const std::span s{r}; 130| 83| unpoison(s.data(), s.size()); 131| 83|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 83|constexpr void unpoison(const R& r) { 129| 83| const std::span s{r}; 130| 83| unpoison(s.data(), s.size()); 131| 83|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 83|constexpr void unpoison(const R& r) { 129| 83| const std::span s{r}; 130| 83| unpoison(s.data(), s.size()); 131| 83|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIhLm32EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 2|constexpr void unpoison(const R& r) { 129| 2| const std::span s{r}; 130| 2| unpoison(s.data(), s.size()); 131| 2|} _ZN5Botan2CT6poisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt17custom_poisonableISF_EEEvRKSF_: 121| 30|constexpr void poison(const R& r) { 122| 30| const std::span s{r}; 123| 30| poison(s.data(), s.size()); 124| 30|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 30|constexpr void unpoison(const R& r) { 129| 30| const std::span s{r}; 130| 30| unpoison(s.data(), s.size()); 131| 30|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS2_6DomainE1EEEEEvRKT_: 143| 60|constexpr void unpoison(const T& x) { 144| 60| x._const_time_unpoison(); 145| 60|} _ZN5Botan2CT8unpoisonITkNS0_19custom_unpoisonableENS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEEEEvRKT_: 143| 184|constexpr void unpoison(const T& x) { 144| 184| x._const_time_unpoison(); 145| 184|} _ZN5Botan2CT14unpoison_rangeITkNSt3__16ranges5rangeENS2_6vectorINS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS5_6DomainE1EEENS2_9allocatorIS9_EEEEQ12unpoisonableINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvRKSG_: 189| 60|constexpr void unpoison_range(const R& r) { 190| 184| for(const auto& v : r) { ------------------ | Branch (190:22): [True: 184, False: 60] ------------------ 191| 184| unpoison(v); 192| 184| } 193| 60|} _ZN5Botan2CT8unpoisonIsEEvPKT_m: 67| 184|constexpr inline void unpoison(const T* p, size_t n) { 68| |#if defined(BOTAN_HAS_VALGRIND) 69| | if(!std::is_constant_evaluated()) { 70| | VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T)); 71| | } 72| |#endif 73| | 74| 184| BOTAN_UNUSED(p, n); ------------------ | | 144| 184|#define BOTAN_UNUSED Botan::ignore_params ------------------ 75| 184|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENSt3__14spanIsLm256EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEnt19custom_unpoisonableISA_EEEvRKSA_: 128| 184|constexpr void unpoison(const R& r) { 129| 184| const std::span s{r}; 130| 184| unpoison(s.data(), s.size()); 131| 184|} _ZN5Botan2CT8unpoisonITkNS_6ranges14spanable_rangeENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_13KyberSeedRho_EJEEEQaasr3stdE23is_trivially_copyable_vINS4_11conditionalIXsr21__is_primary_templateINS4_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS4_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS4_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEnt19custom_unpoisonableISF_EEEvRKSF_: 128| 30|constexpr void unpoison(const R& r) { 129| 30| const std::span s{r}; 130| 30| unpoison(s.data(), s.size()); 131| 30|} _ZN5Botan2CT12unpoison_allITpTkNS0_12unpoisonableEJNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNSA_6DomainE1EEESE_EQgtsZT_Li0EEEvDpRKT_: 207| 30|constexpr void unpoison_all(const Ts&... ts) { 208| 30| (unpoison(ts), ...); 209| 30|} _ZN5Botan2CT4MaskImE10expand_bitEmm: 421| 512| static constexpr Mask expand_bit(T v, size_t bit) { 422| 512| return CT::Mask::expand_top_bit(v << (sizeof(v) * 8 - 1 - bit)); 423| 512| } _ZN5Botan9Gf448Elem4zeroEv: 59| 1| static Gf448Elem zero() { return Gf448Elem(0); } _ZN5Botan9Gf448Elem3oneEv: 64| 2| static Gf448Elem one() { return Gf448Elem(1); } _ZN5Botan9Gf448Elem5wordsEv: 120| 2.24k| std::span words() { return m_x; } _ZNK5Botan9Gf448Elem5wordsEv: 128| 2.24k| std::span words() const { return m_x; } _ZNK5Botan18DilithiumConstants4modeEv: 162| 169| DilithiumMode mode() const { return m_mode; } _ZNK5Botan18DilithiumConstants16public_key_bytesEv: 152| 83| size_t public_key_bytes() const { return m_public_key_bytes; } _ZNK5Botan18DilithiumConstants20symmetric_primitivesEv: 167| 4.05k| Dilithium_Symmetric_Primitives_Base& symmetric_primitives() const { return *m_symmetric_primitives; } _ZN5Botan18DilithiumConstantsC2EOS0_: 96| 421| DilithiumConstants(DilithiumConstants&& other) = default; _ZNK5Botan18DilithiumConstants9is_ml_dsaEv: 104| 338| bool is_ml_dsa() const { return m_mode.is_ml_dsa(); } _ZNK5Botan18DilithiumConstants1kEv: 123| 936| uint8_t k() const { return m_k; } _ZNK5Botan18DilithiumConstants1lEv: 126| 3.77k| uint8_t l() const { return m_l; } _ZNK5Botan18DilithiumConstants13keypair_codecEv: 169| 86| Dilithium_Keypair_Codec& keypair_codec() const { return *m_keypair_codec; } _ZN5Botan18DilithiumConstantsC2ERKS0_: 94| 83| DilithiumConstants(const DilithiumConstants& other) : DilithiumConstants(other.m_mode) {} _ZNK5Botan18DilithiumConstants9is_modernEv: 100| 169| bool is_modern() const { return m_mode.is_modern(); } _ZNK5Botan18DilithiumConstants6is_aesEv: 102| 169| bool is_aes() const { return m_mode.is_aes(); } _ZNK5Botan18DilithiumConstants3etaEv: 129| 967| DilithiumEta eta() const { return m_eta; } _ZNK5Botan18DilithiumConstants21public_key_hash_bytesEv: 138| 169| size_t public_key_hash_bytes() const { return m_public_key_hash_bytes; } _ZNK5Botan18DilithiumConstants26commitment_hash_full_bytesEv: 141| 169| size_t commitment_hash_full_bytes() const { return m_commitment_hash_full_bytes; } _ZN5Botan27Dilithium_PublicKeyInternalC2ENS_18DilithiumConstantsENS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSA_6DomainE0EEE: 42| 83| m_mode(std::move(mode)), 43| 83| m_rho(std::move(rho)), 44| 83| m_t1(std::move(t1)), 45| 83| m_tr(m_mode.symmetric_primitives().H(raw_pk())) { 46| 83| BOTAN_ASSERT_NOMSG(!m_rho.empty()); ------------------ | | 77| 83| do { \ | | 78| 83| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 83| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 83] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 83| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 83] | | ------------------ ------------------ 47| 83| BOTAN_ASSERT_NOMSG(m_t1.size() > 0); ------------------ | | 77| 83| do { \ | | 78| 83| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 83| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 83] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 83| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 83] | | ------------------ ------------------ 48| 83| } _ZNK5Botan27Dilithium_PublicKeyInternal6raw_pkEv: 51| 83| DilithiumSerializedPublicKey raw_pk() const { return Dilithium_Algos::encode_public_key(m_rho, m_t1, m_mode); } _ZNK5Botan28Dilithium_PrivateKeyInternal20_const_time_unpoisonEv: 104| 83| void _const_time_unpoison() const { 105| 83| CT::unpoison_all(m_signing_seed, m_s1, m_s2, m_t0); 106| 83| if(m_seed.has_value()) { ------------------ | Branch (106:13): [True: 83, False: 0] ------------------ 107| 83| CT::unpoison(m_seed.value()); 108| 83| } 109| 83| } _ZN5Botan28Dilithium_PrivateKeyInternalC2ENS_18DilithiumConstantsENSt3__18optionalINS_6StrongINS2_6vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEEENS4_IS8_NS_15DilithiumSeedK_EJEEENS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSE_6DomainE0EEESI_SI_: 76| 83| m_mode(std::move(mode)), 77| 83| m_seed(std::move(seed)), 78| 83| m_signing_seed(std::move(signing_seed)), 79| 83| m_t0(std::move(t0)), 80| 83| m_s1(std::move(s1)), 81| 83| m_s2(std::move(s2)) {} _ZN5Botan23Dilithium_Keypair_CodecD2Ev: 27| 169| virtual ~Dilithium_Keypair_Codec() = default; _ZN5Botan19DilithiumPolyTraits3nttENSt3__14spanIiLm256EEE: 50| 449| static constexpr void ntt(std::span coeffs) { 51| 449| size_t j = 0; 52| 449| size_t k = 0; 53| | 54| 4.04k| for(size_t len = N / 2; len > 0; len >>= 1) { ------------------ | Branch (54:34): [True: 3.59k, False: 449] ------------------ 55| 118k| for(size_t start = 0; start < N; start = j + len) { ------------------ | Branch (55:35): [True: 114k, False: 3.59k] ------------------ 56| 114k| const T zeta = zetas[++k]; 57| 574k| for(j = start; j < start + len; ++j) { ------------------ | Branch (57:31): [True: 459k, False: 114k] ------------------ 58| | // Zetas contain the montgomery parameter 2^32 mod q 59| 459k| const T t = fqmul(zeta, coeffs[j + len]); 60| 459k| coeffs[j + len] = coeffs[j] - t; 61| 459k| coeffs[j] = coeffs[j] + t; 62| 459k| } 63| 114k| } 64| 3.59k| } 65| 449| } _ZN5Botan19DilithiumPolyTraits29montgomery_reduce_coefficientEl: 26| 1.86M| static constexpr T montgomery_reduce_coefficient(T2 a) { 27| 1.86M| const T2 t = static_cast(static_cast(static_cast(a)) * Q_inverse); 28| 1.86M| return static_cast((a - static_cast(t) * Q) >> (sizeof(T) * 8)); 29| 1.86M| } _ZN5Botan19DilithiumPolyTraits25poly_pointwise_montgomeryENSt3__14spanIiLm256EEENS2_IKiLm256EEES5_: 107| 2.91k| std::span rhs) { 108| 749k| for(size_t i = 0; i < N; ++i) { ------------------ | Branch (108:28): [True: 747k, False: 2.91k] ------------------ 109| 747k| result[i] = fqmul(lhs[i], rhs[i]); 110| 747k| } 111| 2.91k| } _ZN5Botan19DilithiumPolyTraits26barrett_reduce_coefficientEi: 31| 265k| static constexpr T barrett_reduce_coefficient(T a) { 32| | // 2**22 is roughly Q/2 and 2**23 is roughly Q 33| 265k| const T t = (a + (1 << 22)) >> 23; 34| 265k| a = a - t * Q; 35| 265k| return a; 36| 265k| } _ZN5Botan19DilithiumPolyTraits11inverse_nttENSt3__14spanIiLm256EEE: 78| 518| static constexpr void inverse_ntt(std::span coeffs) { 79| 518| size_t j = 0; 80| 518| size_t k = N; 81| 4.66k| for(size_t len = 1; len < N; len <<= 1) { ------------------ | Branch (81:30): [True: 4.14k, False: 518] ------------------ 82| 136k| for(size_t start = 0; start < N; start = j + len) { ------------------ | Branch (82:35): [True: 132k, False: 4.14k] ------------------ 83| 132k| const T zeta = -zetas[--k]; 84| 662k| for(j = start; j < start + len; ++j) { ------------------ | Branch (84:31): [True: 530k, False: 132k] ------------------ 85| 530k| const T t = coeffs[j]; 86| 530k| coeffs[j] = t + coeffs[j + len]; 87| 530k| coeffs[j + len] = t - coeffs[j + len]; 88| | // Zetas contain the montgomery parameter 2^32 mod q 89| 530k| coeffs[j + len] = fqmul(zeta, coeffs[j + len]); 90| 530k| } 91| 132k| } 92| 4.14k| } 93| | 94| 132k| for(auto& coeff : coeffs) { ------------------ | Branch (94:26): [True: 132k, False: 518] ------------------ 95| 132k| coeff = fqmul(coeff, F_WITH_MONTY_SQUARED); 96| 132k| } 97| 518| } _ZNK5Botan17DilithiumShakeXOF6XOF128ENSt3__14spanIKhLm18446744073709551615EEEt: 27| 2.91k| std::unique_ptr XOF128(std::span seed, uint16_t nonce) const override { 28| 2.91k| return createXOF("SHAKE-128", seed, nonce); 29| 2.91k| } _ZNK5Botan17DilithiumShakeXOF6XOF256ENSt3__14spanIKhLm18446744073709551615EEEt: 31| 967| std::unique_ptr XOF256(std::span seed, uint16_t nonce) const override { 32| 967| return createXOF("SHAKE-256", seed, nonce); 33| 967| } _ZN5Botan17DilithiumShakeXOFC2Ev: 18| 169| DilithiumShakeXOF() = default; _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEEE: 120| 83| DilithiumHashedPublicKey H(StrongSpan pk) const { 121| 83| return H_256(m_public_key_hash_bytes, pk); 122| 83| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base5H_256ITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_25DilithiumHashedPublicKey_EJEEETpTkNS_6ranges14spanable_rangeEJNS_10StrongSpanIKNS3_IS8_NS_29DilithiumSerializedPublicKey_EJEEEEEEEET_mDpRKT0_: 178| 83| OutT H_256(size_t outbytes, const InTs&... ins) const { 179| 83| auto xof = XOF::create_or_throw("SHAKE-256"); 180| 83| (xof->update(ins), ...); 181| 83| return xof->output(outbytes); 182| 83| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEEE: 125| 83| StrongSpan seed) const { 126| 83| auto xof = XOF::create_or_throw("SHAKE-256"); 127| 83| xof->update(seed); 128| 83| if(auto domsep = seed_expansion_domain_separator()) { ------------------ | Branch (128:18): [True: 83, False: 0] ------------------ 129| 83| xof->update(domsep.value()); 130| 83| } 131| | 132| | // Note: The order of invocations in an initializer list is not 133| | // guaranteed by the C++ standard. Hence, we have to store the 134| | // results in variables to ensure the correct order of execution. 135| 83| auto rho = xof->output(DilithiumConstants::SEED_RHO_BYTES); 136| 83| auto rhoprime = xof->output(DilithiumConstants::SEED_RHOPRIME_BYTES); 137| 83| auto k = xof->output(DilithiumConstants::SEED_SIGNING_KEY_BYTES); 138| | 139| 83| return {std::move(rho), std::move(rhoprime), std::move(k)}; 140| 83| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEEt: 153| 2.91k| std::unique_ptr H(StrongSpan seed, uint16_t nonce) const { 154| 2.91k| return m_xof_adapter->XOF128(seed, nonce); 155| 2.91k| } _ZNK5Botan35Dilithium_Symmetric_Primitives_Base1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEEt: 157| 967| std::unique_ptr H(StrongSpan seed, uint16_t nonce) const { 158| 967| return m_xof_adapter->XOF256(seed, nonce); 159| 967| } _ZN5Botan12DilithiumXOFD2Ev: 86| 169| virtual ~DilithiumXOF() = default; _ZN5Botan35Dilithium_Symmetric_Primitives_BaseD2Ev: 103| 169| virtual ~Dilithium_Symmetric_Primitives_Base() = default; _ZNK5Botan13DL_PrivateKey5groupEv: 67| 42| const DL_Group& group() const { return m_group; } _ZN5Botan11carry_shiftEom: 139| 28.2k|inline uint64_t carry_shift(const uint128_t a, size_t shift) { 140| 28.2k| return static_cast(a >> shift); 141| 28.2k|} _ZN5Botan13combine_lowerEomom: 143| 8|inline uint64_t combine_lower(const uint128_t a, size_t s1, const uint128_t b, size_t s2) { 144| 8| return static_cast((a >> s1) | (b << s2)); 145| 8|} _ZNK5Botan17EC_Scalar_Data_BN5valueEv: 52| 1.47k| const BigInt& value() const { return m_v; } _ZN5Botan17EC_Scalar_Data_BNC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_6BigIntE: 18| 1.37k| m_group(std::move(group)), m_v(std::move(v)) {} _ZNK5Botan22EC_AffinePoint_Data_BN15to_legacy_pointEv: 85| 100| EC_Point to_legacy_point() const override { return m_pt; } _ZNK5Botan13EC_Group_Data7p_bytesEv: 205| 254| size_t p_bytes() const { return (m_p_bits + 7) / 8; } _ZNK5Botan13EC_Group_Data11order_bytesEv: 209| 11.3k| size_t order_bytes() const { return m_order_bytes; } _ZNK5Botan13EC_Group_Data1pEv: 169| 626k| const BigInt& p() const { return m_p; } _ZNK5Botan13EC_Group_Data1aEv: 171| 773| const BigInt& a() const { return m_a; } _ZNK5Botan13EC_Group_Data1bEv: 173| 770| const BigInt& b() const { return m_b; } _ZNK5Botan13EC_Group_Data5orderEv: 175| 178| const BigInt& order() const { return m_order; } _ZNK5Botan13EC_Group_Data8cofactorEv: 177| 178| const BigInt& cofactor() const { return m_cofactor; } _ZNK5Botan13EC_Group_Data3oidEv: 165| 4.84k| const OID& oid() const { return m_oid; } _ZNK5Botan13EC_Group_Data5curveEv: 180| 1.87k| const CurveGFp& curve() const { return m_curve; } _ZNK5Botan13EC_Group_Data5montyEv: 184| 11.7M| const Montgomery_Params& monty() const { return m_monty; } _ZNK5Botan13EC_Group_Data7monty_aEv: 186| 83| const BigInt& monty_a() const { return m_a_r; } _ZNK5Botan13EC_Group_Data7monty_bEv: 188| 83| const BigInt& monty_b() const { return m_b_r; } _ZNK5Botan13EC_Group_Data7p_wordsEv: 201| 969k| size_t p_words() const { return m_p_words; } _ZNK5Botan13EC_Group_Data12a_is_minus_3Ev: 211| 44.8k| bool a_is_minus_3() const { return m_a_is_minus_3; } _ZNK5Botan13EC_Group_Data9a_is_zeroEv: 213| 261k| bool a_is_zero() const { return m_a_is_zero; } _ZNK5Botan13EC_Group_Data6pcurveEv: 282| 10.1k| const PCurve::PrimeOrderCurve& pcurve() const { 283| 10.1k| BOTAN_ASSERT_NONNULL(m_pcurve); ------------------ | | 116| 10.1k| do { \ | | 117| 10.1k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 10.1k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 10.1k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 10.1k] | | ------------------ ------------------ 284| 10.1k| return *m_pcurve; 285| 10.1k| } _ZN5Botan19EC_AffinePoint_DataD2Ev: 73| 1.97k| virtual ~EC_AffinePoint_Data() = default; _ZN5Botan14EC_Scalar_DataD2Ev: 38| 5.91k| virtual ~EC_Scalar_Data() = default; _ZNK5Botan17EC_Scalar_Data_PC5valueEv: 53| 4.14k| const auto& value() const { return m_v; } _ZN5Botan17EC_Scalar_Data_PCC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_6PCurve15PrimeOrderCurve6ScalarE: 19| 4.53k| m_group(std::move(group)), m_v(std::move(v)) {} _ZNK5Botan17EC_PublicKey_Data5groupEv: 31| 1.97k| const EC_Group& group() const { return m_group; } _ZN5Botan17EC_PublicKey_DataC2ERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 29| 983| EC_PublicKey_Data(group, EC_AffinePoint(group, bytes)) {} _ZN5Botan20Ed25519_FieldElementC2Ev: 33| 2.93k| constexpr Ed25519_FieldElement() : m_fe{} {} _ZN5Botan20Ed25519_FieldElement4zeroEv: 35| 132| constexpr static Ed25519_FieldElement zero() { return Ed25519_FieldElement(); } _ZN5Botan20Ed25519_FieldElement3oneEv: 37| 260| constexpr static Ed25519_FieldElement one() { 38| 260| auto o = Ed25519_FieldElement(); 39| 260| o.m_fe[0] = 1; 40| 260| return o; 41| 260| } _ZN5BotanmlERKNS_20Ed25519_FieldElementES2_: 148| 948|inline Ed25519_FieldElement operator*(const Ed25519_FieldElement& x, const Ed25519_FieldElement& y) { 149| 948| return Ed25519_FieldElement::mul(x, y); 150| 948|} _ZN5BotanplERKNS_20Ed25519_FieldElementES2_: 140| 528|inline Ed25519_FieldElement operator+(const Ed25519_FieldElement& x, const Ed25519_FieldElement& y) { 141| 528| return Ed25519_FieldElement::add(x, y); 142| 528|} _ZN5Botan20Ed25519_FieldElement3addERKS0_S2_: 94| 528| static Ed25519_FieldElement add(const Ed25519_FieldElement& a, const Ed25519_FieldElement& b) { 95| 528| Ed25519_FieldElement z; 96| 5.80k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (96:28): [True: 5.28k, False: 528] ------------------ 97| 5.28k| z.m_fe[i] = a.m_fe[i] + b.m_fe[i]; 98| 5.28k| } 99| 528| return z; 100| 528| } _ZN5BotanmiERKNS_20Ed25519_FieldElementES2_: 144| 408|inline Ed25519_FieldElement operator-(const Ed25519_FieldElement& x, const Ed25519_FieldElement& y) { 145| 408| return Ed25519_FieldElement::sub(x, y); 146| 408|} _ZN5Botan20Ed25519_FieldElement3subERKS0_S2_: 102| 408| static Ed25519_FieldElement sub(const Ed25519_FieldElement& a, const Ed25519_FieldElement& b) { 103| 408| Ed25519_FieldElement z; 104| 4.48k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (104:28): [True: 4.08k, False: 408] ------------------ 105| 4.08k| z.m_fe[i] = a.m_fe[i] - b.m_fe[i]; 106| 4.08k| } 107| 408| return z; 108| 408| } _ZN5Botan20Ed25519_FieldElementixEm: 134| 53.7k| int32_t& operator[](size_t i) { return m_fe[i]; } _ZNK5Botan20Ed25519_FieldElementixEm: 132| 30.7k| int32_t operator[](size_t i) const { return m_fe[i]; } _ZN5BotanngERKNS_20Ed25519_FieldElementE: 152| 128|inline Ed25519_FieldElement operator-(const Ed25519_FieldElement& x) { 153| 128| return Ed25519_FieldElement::negate(x); 154| 128|} _ZN5Botan20Ed25519_FieldElement6negateERKS0_: 110| 128| static Ed25519_FieldElement negate(const Ed25519_FieldElement& a) { 111| 128| Ed25519_FieldElement z; 112| 1.40k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (112:28): [True: 1.28k, False: 128] ------------------ 113| 1.28k| z.m_fe[i] = -a.m_fe[i]; 114| 1.28k| } 115| 128| return z; 116| 128| } _ZNK5Botan20Ed25519_FieldElement3sqrEv: 122| 28| Ed25519_FieldElement sqr() const { return sqr_iter(1); } _ZNK5Botan20Ed25519_FieldElement11is_negativeEv: 87| 2| bool is_negative() const { 88| | // TODO could avoid most of the serialize computation here 89| 2| std::array s = {}; 90| 2| this->serialize_to(s); 91| 2| return (s[0] & 0x01) == 0x01; 92| 2| } _ZN5Botan20Ed25519_FieldElementC2Ellllllllll: 60| 1.00k| int64_t h9) { 61| 1.00k| m_fe[0] = static_cast(h0); 62| 1.00k| m_fe[1] = static_cast(h1); 63| 1.00k| m_fe[2] = static_cast(h2); 64| 1.00k| m_fe[3] = static_cast(h3); 65| 1.00k| m_fe[4] = static_cast(h4); 66| 1.00k| m_fe[5] = static_cast(h5); 67| 1.00k| m_fe[6] = static_cast(h6); 68| 1.00k| m_fe[7] = static_cast(h7); 69| 1.00k| m_fe[8] = static_cast(h8); 70| 1.00k| m_fe[9] = static_cast(h9); 71| 1.00k| } _ZN5Botan5carryILm26ELl1EEEvRlS1_QaagtT_Li0EltT_Li64E: 29| 10.4k|{ 30| 10.4k| const int64_t X1 = (static_cast(1) << S); 31| 10.4k| const int64_t X2 = (static_cast(1) << (S - 1)); 32| 10.4k| const int64_t c = (h0 + X2) >> S; 33| 10.4k| h1 += c * MUL; 34| 10.4k| h0 -= c * X1; 35| 10.4k|} _ZN5Botan5carryILm25ELl1EEEvRlS1_QaagtT_Li0EltT_Li64E: 29| 5.95k|{ 30| 5.95k| const int64_t X1 = (static_cast(1) << S); 31| 5.95k| const int64_t X2 = (static_cast(1) << (S - 1)); 32| 5.95k| const int64_t c = (h0 + X2) >> S; 33| 5.95k| h1 += c * MUL; 34| 5.95k| h0 -= c * X1; 35| 5.95k|} _ZN5Botan5carryILm25ELl19EEEvRlS1_QaagtT_Li0EltT_Li64E: 29| 1.48k|{ 30| 1.48k| const int64_t X1 = (static_cast(1) << S); 31| 1.48k| const int64_t X2 = (static_cast(1) << (S - 1)); 32| 1.48k| const int64_t c = (h0 + X2) >> S; 33| 1.48k| h1 += c * MUL; 34| 1.48k| h0 -= c * X1; 35| 1.48k|} _ZN5Botan6carry0ILm26EEEvRiS1_QaagtT_Li0EltT_Li32E: 50| 20|{ 51| 20| const int32_t X1 = (static_cast(1) << S); 52| 20| const int32_t c = h0 >> S; 53| 20| h1 += c; 54| 20| h0 -= c * X1; 55| 20|} _ZN5Botan6carry0ILm25EEEvRiS1_QaagtT_Li0EltT_Li32E: 50| 16|{ 51| 16| const int32_t X1 = (static_cast(1) << S); 52| 16| const int32_t c = h0 >> S; 53| 16| h1 += c; 54| 16| h0 -= c * X1; 55| 16|} _ZN5Botan3fmtIJNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEEEES7_NS1_17basic_string_viewIcS4_EEDpRKT_: 53| 446|std::string fmt(std::string_view format, const T&... args) { 54| 446| std::ostringstream oss; 55| 446| oss.imbue(std::locale::classic()); 56| 446| fmt_detail::do_fmt(oss, format, args...); 57| 446| return oss.str(); 58| 446|} _ZN5Botan10fmt_detail6do_fmtINSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEEJEEEvRNS2_19basic_ostringstreamIcS5_S7_EENS2_17basic_string_viewIcS5_EERKT_DpRKT0_: 25| 446|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 446| size_t i = 0; 27| | 28| 7.94k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 7.94k, False: 0] ------------------ 29| 7.94k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 446, False: 7.49k] | Branch (29:30): [True: 446, False: 0] | Branch (29:59): [True: 446, False: 0] ------------------ 30| 446| oss << val; 31| 446| return do_fmt(oss, format.substr(i + 2), rest...); 32| 7.49k| } else { 33| 7.49k| oss << format[i]; 34| 7.49k| } 35| | 36| 7.49k| i += 1; 37| 7.49k| } 38| 446|} _ZN5Botan10fmt_detail6do_fmtERNSt3__119basic_ostringstreamIcNS1_11char_traitsIcEENS1_9allocatorIcEEEENS1_17basic_string_viewIcS4_EE: 20| 13.2k|inline void do_fmt(std::ostringstream& oss, std::string_view format) { 21| 13.2k| oss << format; 22| 13.2k|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEEEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 8.20k|std::string fmt(std::string_view format, const T&... args) { 54| 8.20k| std::ostringstream oss; 55| 8.20k| oss.imbue(std::locale::classic()); 56| 8.20k| fmt_detail::do_fmt(oss, format, args...); 57| 8.20k| return oss.str(); 58| 8.20k|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJEEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 10.0k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 10.0k| size_t i = 0; 27| | 28| 102k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 102k, False: 0] ------------------ 29| 102k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 10.0k, False: 92.6k] | Branch (29:30): [True: 10.0k, False: 0] | Branch (29:59): [True: 10.0k, False: 0] ------------------ 30| 10.0k| oss << val; 31| 10.0k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 92.6k| } else { 33| 92.6k| oss << format[i]; 34| 92.6k| } 35| | 36| 92.6k| i += 1; 37| 92.6k| } 38| 10.0k|} _ZN5Botan3fmtIJNS_3OIDEEEENSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_17basic_string_viewIcS5_EEDpRKT_: 53| 1.74k|std::string fmt(std::string_view format, const T&... args) { 54| 1.74k| std::ostringstream oss; 55| 1.74k| oss.imbue(std::locale::classic()); 56| 1.74k| fmt_detail::do_fmt(oss, format, args...); 57| 1.74k| return oss.str(); 58| 1.74k|} _ZN5Botan10fmt_detail6do_fmtINS_3OIDEJEEEvRNSt3__119basic_ostringstreamIcNS3_11char_traitsIcEENS3_9allocatorIcEEEENS3_17basic_string_viewIcS6_EERKT_DpRKT0_: 25| 1.74k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 1.74k| size_t i = 0; 27| | 28| 40.0k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 40.0k, False: 0] ------------------ 29| 40.0k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 1.74k, False: 38.3k] | Branch (29:30): [True: 1.74k, False: 0] | Branch (29:59): [True: 1.74k, False: 0] ------------------ 30| 1.74k| oss << val; 31| 1.74k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 38.3k| } else { 33| 38.3k| oss << format[i]; 34| 38.3k| } 35| | 36| 38.3k| i += 1; 37| 38.3k| } 38| 1.74k|} _ZN5Botan3fmtIJPKcS2_S2_EEENSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEENS3_17basic_string_viewIcS6_EEDpRKT_: 53| 52|std::string fmt(std::string_view format, const T&... args) { 54| 52| std::ostringstream oss; 55| 52| oss.imbue(std::locale::classic()); 56| 52| fmt_detail::do_fmt(oss, format, args...); 57| 52| return oss.str(); 58| 52|} _ZN5Botan10fmt_detail6do_fmtIPKcJS3_S3_EEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 52|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 52| size_t i = 0; 27| | 28| 52| while(i < format.size()) { ------------------ | Branch (28:10): [True: 52, False: 0] ------------------ 29| 52| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 52, False: 0] | Branch (29:30): [True: 52, False: 0] | Branch (29:59): [True: 52, False: 0] ------------------ 30| 52| oss << val; 31| 52| return do_fmt(oss, format.substr(i + 2), rest...); 32| 52| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 52|} _ZN5Botan10fmt_detail6do_fmtIPKcJS3_EEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 52|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 52| size_t i = 0; 27| | 28| 260| while(i < format.size()) { ------------------ | Branch (28:10): [True: 260, False: 0] ------------------ 29| 260| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 52, False: 208] | Branch (29:30): [True: 52, False: 0] | Branch (29:59): [True: 52, False: 0] ------------------ 30| 52| oss << val; 31| 52| return do_fmt(oss, format.substr(i + 2), rest...); 32| 208| } else { 33| 208| oss << format[i]; 34| 208| } 35| | 36| 208| i += 1; 37| 208| } 38| 52|} _ZN5Botan10fmt_detail6do_fmtIPKcJEEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 1.03k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 1.03k| size_t i = 0; 27| | 28| 13.8k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 13.8k, False: 0] ------------------ 29| 13.8k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 1.03k, False: 12.8k] | Branch (29:30): [True: 1.03k, False: 0] | Branch (29:59): [True: 1.03k, False: 0] ------------------ 30| 1.03k| oss << val; 31| 1.03k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 12.8k| } else { 33| 12.8k| oss << format[i]; 34| 12.8k| } 35| | 36| 12.8k| i += 1; 37| 12.8k| } 38| 1.03k|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJS6_EEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 1.80k|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 1.80k| size_t i = 0; 27| | 28| 1.80k| while(i < format.size()) { ------------------ | Branch (28:10): [True: 1.80k, False: 0] ------------------ 29| 1.80k| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 1.80k, False: 0] | Branch (29:30): [True: 1.80k, False: 0] | Branch (29:59): [True: 1.80k, False: 0] ------------------ 30| 1.80k| oss << val; 31| 1.80k| return do_fmt(oss, format.substr(i + 2), rest...); 32| 1.80k| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 1.80k|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEPKcEEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 979|std::string fmt(std::string_view format, const T&... args) { 54| 979| std::ostringstream oss; 55| 979| oss.imbue(std::locale::classic()); 56| 979| fmt_detail::do_fmt(oss, format, args...); 57| 979| return oss.str(); 58| 979|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJPKcEEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 979|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 979| size_t i = 0; 27| | 28| 979| while(i < format.size()) { ------------------ | Branch (28:10): [True: 979, False: 0] ------------------ 29| 979| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 979, False: 0] | Branch (29:30): [True: 979, False: 0] | Branch (29:59): [True: 979, False: 0] ------------------ 30| 979| oss << val; 31| 979| return do_fmt(oss, format.substr(i + 2), rest...); 32| 979| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 979|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_EEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 1.80k|std::string fmt(std::string_view format, const T&... args) { 54| 1.80k| std::ostringstream oss; 55| 1.80k| oss.imbue(std::locale::classic()); 56| 1.80k| fmt_detail::do_fmt(oss, format, args...); 57| 1.80k| return oss.str(); 58| 1.80k|} _ZN5Botan3fmtIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEjEEENS1_12basic_stringIcS4_NS1_9allocatorIcEEEES5_DpRKT_: 53| 9|std::string fmt(std::string_view format, const T&... args) { 54| 9| std::ostringstream oss; 55| 9| oss.imbue(std::locale::classic()); 56| 9| fmt_detail::do_fmt(oss, format, args...); 57| 9| return oss.str(); 58| 9|} _ZN5Botan10fmt_detail6do_fmtINSt3__117basic_string_viewIcNS2_11char_traitsIcEEEEJjEEEvRNS2_19basic_ostringstreamIcS5_NS2_9allocatorIcEEEES6_RKT_DpRKT0_: 25| 9|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 9| size_t i = 0; 27| | 28| 9| while(i < format.size()) { ------------------ | Branch (28:10): [True: 9, False: 0] ------------------ 29| 9| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 9, False: 0] | Branch (29:30): [True: 9, False: 0] | Branch (29:59): [True: 9, False: 0] ------------------ 30| 9| oss << val; 31| 9| return do_fmt(oss, format.substr(i + 2), rest...); 32| 9| } else { 33| 0| oss << format[i]; 34| 0| } 35| | 36| 0| i += 1; 37| 0| } 38| 9|} _ZN5Botan10fmt_detail6do_fmtIjJEEEvRNSt3__119basic_ostringstreamIcNS2_11char_traitsIcEENS2_9allocatorIcEEEENS2_17basic_string_viewIcS5_EERKT_DpRKT0_: 25| 9|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 9| size_t i = 0; 27| | 28| 27| while(i < format.size()) { ------------------ | Branch (28:10): [True: 27, False: 0] ------------------ 29| 27| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 9, False: 18] | Branch (29:30): [True: 9, False: 0] | Branch (29:59): [True: 9, False: 0] ------------------ 30| 9| oss << val; 31| 9| return do_fmt(oss, format.substr(i + 2), rest...); 32| 18| } else { 33| 18| oss << format[i]; 34| 18| } 35| | 36| 18| i += 1; 37| 18| } 38| 9|} _ZN5Botan3fmtIJmPKcEEENSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEENS3_17basic_string_viewIcS6_EEDpRKT_: 53| 5|std::string fmt(std::string_view format, const T&... args) { 54| 5| std::ostringstream oss; 55| 5| oss.imbue(std::locale::classic()); 56| 5| fmt_detail::do_fmt(oss, format, args...); 57| 5| return oss.str(); 58| 5|} _ZN5Botan10fmt_detail6do_fmtImJPKcEEEvRNSt3__119basic_ostringstreamIcNS4_11char_traitsIcEENS4_9allocatorIcEEEENS4_17basic_string_viewIcS7_EERKT_DpRKT0_: 25| 5|void do_fmt(std::ostringstream& oss, std::string_view format, const T& val, const Ts&... rest) { 26| 5| size_t i = 0; 27| | 28| 70| while(i < format.size()) { ------------------ | Branch (28:10): [True: 70, False: 0] ------------------ 29| 70| if(format[i] == '{' && (format.size() > (i + 1)) && format.at(i + 1) == '}') { ------------------ | Branch (29:10): [True: 5, False: 65] | Branch (29:30): [True: 5, False: 0] | Branch (29:59): [True: 5, False: 0] ------------------ 30| 5| oss << val; 31| 5| return do_fmt(oss, format.substr(i + 2), rest...); 32| 65| } else { 33| 65| oss << format[i]; 34| 65| } 35| | 36| 65| i += 1; 37| 65| } 38| 5|} _ZN5Botan11checked_mulITkNSt3__117unsigned_integralEmEENS1_8optionalIT_EES3_S3_: 46| 18.9M|constexpr inline std::optional checked_mul(T a, T b) { 47| | // Multiplication by 1U is a hack to work around C's insane 48| | // integer promotion rules. 49| | // https://stackoverflow.com/questions/24795651 50| 18.9M| const T r = (1U * a) * b; 51| | // If a == 0 then the multiply certainly did not overflow 52| | // Otherwise r / a == b unless overflow occurred 53| 18.9M| if(a != 0 && r / a != b) { ------------------ | Branch (53:7): [True: 18.9M, False: 0] | Branch (53:17): [True: 0, False: 18.9M] ------------------ 54| 0| return {}; 55| 0| } 56| 18.9M| return r; 57| 18.9M|} _ZN5Botan11checked_addITkNSt3__117unsigned_integralEjEENS1_8optionalIT_EES3_S3_: 19| 3.05k|constexpr inline std::optional checked_add(T a, T b) { 20| 3.05k| const T r = a + b; 21| 3.05k| if(r < a || r < b) { ------------------ | Branch (21:7): [True: 0, False: 3.05k] | Branch (21:16): [True: 0, False: 3.05k] ------------------ 22| 0| return {}; 23| 0| } 24| 3.05k| return r; 25| 3.05k|} _ZN5Botan13swar_in_rangeITkNSt3__117unsigned_integralEmEET_S2_S2_S2_: 114| 1.32M|constexpr T swar_in_range(T v, T lower, T upper) { 115| | // The constant 0x808080... as a T 116| 1.32M| constexpr T hi1 = (static_cast(-1) / 255) << 7; 117| | // The constant 0x7F7F7F... as a T 118| 1.32M| constexpr T lo7 = ~hi1; 119| | 120| 1.32M| const T sub = ((v | hi1) - (lower & lo7)) ^ ((v ^ (~lower)) & hi1); 121| 1.32M| const T a_lo = sub & lo7; 122| 1.32M| const T a_hi = sub & hi1; 123| 1.32M| return (lo7 - a_lo + upper) & hi1 & ~a_hi; 124| 1.32M|} _ZN5Botan23index_of_first_set_byteITkNSt3__117unsigned_integralEmEEmT_: 130| 1.28M|constexpr size_t index_of_first_set_byte(T v) { 131| | // The constant 0x010101... as a T 132| 1.28M| constexpr T lo1 = (static_cast(-1) / 255); 133| | // The constant 0x808080... as a T 134| 1.28M| constexpr T hi1 = lo1 << 7; 135| | // How many bits to shift in order to get the top byte 136| 1.28M| constexpr size_t bits = (sizeof(T) * 8) - 8; 137| | 138| 1.28M| return static_cast((((((v & hi1) - 1) & lo1) * lo1) >> bits) - 1); 139| 1.28M|} _ZN5Botan13KeccakPadding4sha3Ev: 24| 60| static constexpr KeccakPadding sha3() { return {.padding = 0b10 /* little-endian */, .bit_len = 2}; } _ZN5Botan13KeccakPadding5shakeEv: 27| 4.11k| static constexpr KeccakPadding shake() { return {.padding = 0b1111, .bit_len = 4}; } _ZN5Botan18Keccak_PermutationC2ENS0_6ConfigE: 69| 4.17k| Sponge({.bit_rate = state_bits() - config.capacity_bits, .initial_state = {}}), m_padding(config.padding) {} _ZN5Botan24Keccak_Permutation_roundEPmPKmm: 15| 460k|BOTAN_FORCE_INLINE void Keccak_Permutation_round(uint64_t T[25], const uint64_t A[25], uint64_t RC) { 16| 460k| const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20]; 17| 460k| const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21]; 18| 460k| const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22]; 19| 460k| const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23]; 20| 460k| const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24]; 21| | 22| 460k| const uint64_t D0 = rotl<1>(C0) ^ C3; 23| 460k| const uint64_t D1 = rotl<1>(C1) ^ C4; 24| 460k| const uint64_t D2 = rotl<1>(C2) ^ C0; 25| 460k| const uint64_t D3 = rotl<1>(C3) ^ C1; 26| 460k| const uint64_t D4 = rotl<1>(C4) ^ C2; 27| | 28| 460k| const uint64_t B00 = A[0] ^ D1; 29| 460k| const uint64_t B01 = rotl<44>(A[6] ^ D2); 30| 460k| const uint64_t B02 = rotl<43>(A[12] ^ D3); 31| 460k| const uint64_t B03 = rotl<21>(A[18] ^ D4); 32| 460k| const uint64_t B04 = rotl<14>(A[24] ^ D0); 33| 460k| T[0] = B00 ^ (~B01 & B02) ^ RC; 34| 460k| T[1] = B01 ^ (~B02 & B03); 35| 460k| T[2] = B02 ^ (~B03 & B04); 36| 460k| T[3] = B03 ^ (~B04 & B00); 37| 460k| T[4] = B04 ^ (~B00 & B01); 38| | 39| 460k| const uint64_t B05 = rotl<28>(A[3] ^ D4); 40| 460k| const uint64_t B06 = rotl<20>(A[9] ^ D0); 41| 460k| const uint64_t B07 = rotl<3>(A[10] ^ D1); 42| 460k| const uint64_t B08 = rotl<45>(A[16] ^ D2); 43| 460k| const uint64_t B09 = rotl<61>(A[22] ^ D3); 44| 460k| T[5] = B05 ^ (~B06 & B07); 45| 460k| T[6] = B06 ^ (~B07 & B08); 46| 460k| T[7] = B07 ^ (~B08 & B09); 47| 460k| T[8] = B08 ^ (~B09 & B05); 48| 460k| T[9] = B09 ^ (~B05 & B06); 49| | 50| 460k| const uint64_t B10 = rotl<1>(A[1] ^ D2); 51| 460k| const uint64_t B11 = rotl<6>(A[7] ^ D3); 52| 460k| const uint64_t B12 = rotl<25>(A[13] ^ D4); 53| 460k| const uint64_t B13 = rotl<8>(A[19] ^ D0); 54| 460k| const uint64_t B14 = rotl<18>(A[20] ^ D1); 55| 460k| T[10] = B10 ^ (~B11 & B12); 56| 460k| T[11] = B11 ^ (~B12 & B13); 57| 460k| T[12] = B12 ^ (~B13 & B14); 58| 460k| T[13] = B13 ^ (~B14 & B10); 59| 460k| T[14] = B14 ^ (~B10 & B11); 60| | 61| 460k| const uint64_t B15 = rotl<27>(A[4] ^ D0); 62| 460k| const uint64_t B16 = rotl<36>(A[5] ^ D1); 63| 460k| const uint64_t B17 = rotl<10>(A[11] ^ D2); 64| 460k| const uint64_t B18 = rotl<15>(A[17] ^ D3); 65| 460k| const uint64_t B19 = rotl<56>(A[23] ^ D4); 66| 460k| T[15] = B15 ^ (~B16 & B17); 67| 460k| T[16] = B16 ^ (~B17 & B18); 68| 460k| T[17] = B17 ^ (~B18 & B19); 69| 460k| T[18] = B18 ^ (~B19 & B15); 70| 460k| T[19] = B19 ^ (~B15 & B16); 71| | 72| 460k| const uint64_t B20 = rotl<62>(A[2] ^ D3); 73| 460k| const uint64_t B21 = rotl<55>(A[8] ^ D4); 74| 460k| const uint64_t B22 = rotl<39>(A[14] ^ D0); 75| 460k| const uint64_t B23 = rotl<41>(A[15] ^ D1); 76| 460k| const uint64_t B24 = rotl<2>(A[21] ^ D2); 77| 460k| T[20] = B20 ^ (~B21 & B22); 78| 460k| T[21] = B21 ^ (~B22 & B23); 79| 460k| T[22] = B22 ^ (~B23 & B24); 80| 460k| T[23] = B23 ^ (~B24 & B20); 81| 460k| T[24] = B24 ^ (~B20 & B21); 82| 460k|} _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEEC2ENS_10StrongSpanIKS9_EERKNS_14KyberConstantsE: 65| 30| m_seed(seed), m_mode(mode), m_nonce(0) {} _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE33sample_polynomial_vector_cbd_eta1Ev: 67| 60| KyberPolyVec sample_polynomial_vector_cbd_eta1() { 68| 60| KyberPolyVec vec(m_mode.k()); 69| 184| for(auto& poly : vec) { ------------------ | Branch (69:25): [True: 184, False: 60] ------------------ 70| 184| sample_poly_cbd(poly, m_mode.eta1()); 71| 184| } 72| 60| return vec; 73| 60| } _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE15sample_poly_cbdERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNSB_6DomainE0EEENS_14KyberConstants8KyberEtaE: 101| 184| void sample_poly_cbd(KyberPoly& poly, KyberConstants::KyberEta eta) { 102| 184| const auto randomness = [&] { 103| 184| switch(eta) { 104| 184| case KyberConstants::KyberEta::_2: 105| 184| return prf(2 * poly.size() / 4); 106| 184| case KyberConstants::KyberEta::_3: 107| 184| return prf(3 * poly.size() / 4); 108| 184| } 109| | 110| 184| BOTAN_ASSERT_UNREACHABLE(); 111| 184| }(); 112| | 113| 184| sample_polynomial_from_cbd(poly, eta, randomness); 114| 184| } _ZZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE15sample_poly_cbdERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNSB_6DomainE0EEENS_14KyberConstants8KyberEtaEENKUlvE_clEv: 102| 184| const auto randomness = [&] { 103| 184| switch(eta) { ------------------ | Branch (103:20): [True: 184, False: 0] ------------------ 104| 152| case KyberConstants::KyberEta::_2: ------------------ | Branch (104:16): [True: 152, False: 32] ------------------ 105| 152| return prf(2 * poly.size() / 4); 106| 32| case KyberConstants::KyberEta::_3: ------------------ | Branch (106:16): [True: 32, False: 152] ------------------ 107| 32| return prf(3 * poly.size() / 4); 108| 184| } 109| | 110| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 111| 0| }(); _ZN5Botan11Kyber_Algos17PolynomialSamplerINS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE3prfEm: 94| 184| KyberSamplingRandomness prf(size_t bytes) { 95| 184| const auto& sym = m_mode.symmetric_primitives(); 96| 184| auto seed_span = m_seed.get(); 97| 184| sym.setup_PRF(m_prf_xof, seed_span, m_nonce++); 98| 184| return m_prf_xof->output(bytes); 99| 184| } _ZN5Botan11Kyber_Algos24encode_polynomial_vectorITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS3_9allocatorIhEEEEEET_RKNS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS9_6DomainE1EEERKNS_14KyberConstantsE: 48| 30|T encode_polynomial_vector(const KyberPolyVecNTT& vec, const KyberConstants& mode) { 49| 30| T r(mode.polynomial_vector_bytes()); 50| 30| encode_polynomial_vector(r, vec); 51| 30| return r; 52| 30|} _ZNK5Botan14KyberConstants4modeEv: 73| 46| KyberMode mode() const { return m_mode; } _ZNK5Botan14KyberConstants1kEv: 81| 800| uint8_t k() const { return m_k; } _ZNK5Botan14KyberConstants23polynomial_vector_bytesEv: 99| 98| size_t polynomial_vector_bytes() const { return m_polynomial_vector_bytes; } _ZNK5Botan14KyberConstants22seed_private_key_bytesEv: 121| 38| size_t seed_private_key_bytes() const { return m_seed_private_key_bytes; } _ZN5Botan14KyberConstantsC2EOS0_: 69| 150| KyberConstants(KyberConstants&& other) = default; _ZNK5Botan14KyberConstants26expanded_private_key_bytesEv: 118| 8| size_t expanded_private_key_bytes() const { return m_expanded_private_key_bytes; } _ZN5Botan14KyberConstantsC2ERKS0_: 67| 30| KyberConstants(const KyberConstants& other) : KyberConstants(other.m_mode) {} _ZNK5Botan14KyberConstants4eta1Ev: 83| 184| KyberEta eta1() const { return m_eta1; } _ZNK5Botan14KyberConstants3d_uEv: 87| 68| KyberDu d_u() const { return m_du; } _ZNK5Botan14KyberConstants3d_vEv: 89| 68| KyberDv d_v() const { return m_dv; } _ZNK5Botan14KyberConstants16public_key_bytesEv: 114| 68| size_t public_key_bytes() const { return polynomial_vector_bytes() + SEED_BYTES; } _ZNK5Botan14KyberConstants20symmetric_primitivesEv: 125| 274| Kyber_Symmetric_Primitives& symmetric_primitives() const { return *m_symmetric_primitives; } _ZN5Botan11Kyber_Algos8load_le3ENSt3__14spanIKhLm3EEE: 24| 49.7k|inline uint32_t load_le3(std::span in) { 25| 49.7k| return Botan::load_le(std::array{in[0], in[1], in[2], 0}); 26| 49.7k|} _ZN5Botan19Kyber_Keypair_CodecD2Ev: 24| 30| virtual ~Kyber_Keypair_Codec() = default; _ZN5Botan24Kyber_PrivateKeyInternalC2ENS_14KyberConstantsENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS2_6DomainE1EEENS_19KyberPrivateKeySeedE: 86| 30| m_mode(std::move(mode)), m_s(std::move(s)), m_seed(std::move(seed)) {} _ZN5Botan15KyberPolyTraits29montgomery_reduce_coefficientEi: 29| 380k| constexpr static T montgomery_reduce_coefficient(T2 a) { 30| 380k| const T u = static_cast(static_cast(a) * Q_inverse); 31| 380k| auto t = static_cast(u) * Q; 32| 380k| t = a - t; 33| 380k| t >>= sizeof(T) * 8; 34| 380k| return static_cast(t); 35| 380k| } _ZN5Botan15KyberPolyTraits26barrett_reduce_coefficientEs: 37| 94.2k| constexpr static T barrett_reduce_coefficient(T a) { 38| 94.2k| constexpr T2 v = ((1U << 26) + Q / 2) / Q; 39| 94.2k| const T t = static_cast(((v * a) >> 26) * Q); 40| 94.2k| return static_cast(a - t); 41| 94.2k| } _ZN5Botan15KyberPolyTraits3nttENSt3__14spanIsLm256EEE: 51| 184| constexpr static void ntt(std::span p) { 52| 1.47k| for(size_t len = N / 2, i = 0; len >= 2; len /= 2) { ------------------ | Branch (52:41): [True: 1.28k, False: 184] ------------------ 53| 24.6k| for(size_t start = 0, j = 0; start < N; start = j + len) { ------------------ | Branch (53:42): [True: 23.3k, False: 1.28k] ------------------ 54| 23.3k| const auto zeta = zetas[++i]; 55| 188k| for(j = start; j < start + len; ++j) { ------------------ | Branch (55:31): [True: 164k, False: 23.3k] ------------------ 56| 164k| const auto t = fqmul(zeta, p[j + len]); 57| 164k| p[j + len] = static_cast(p[j] - t); 58| 164k| p[j] = static_cast(p[j] + t); 59| 164k| } 60| 23.3k| } 61| 1.28k| } 62| | 63| 184| barrett_reduce(p); 64| 184| } _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_E_clIS3_EEDaS6_: 111| 19.5k| auto Tq_elem_count = [](auto p) { return p.size() / 2; }; _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_mE_clIS3_EEDaS6_m: 113| 38.4k| auto Tq_elem = [](auto p, size_t i) { 114| | if constexpr(std::is_const_v) { 115| | return std::array{p[2 * i], p[2 * i + 1]}; 116| 38.4k| } else { 117| 38.4k| return std::tuple{p[2 * i], p[2 * i + 1]}; 118| 38.4k| } 119| 38.4k| }; _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_mE_clIS5_EEDaS6_m: 113| 76.8k| auto Tq_elem = [](auto p, size_t i) { 114| 76.8k| if constexpr(std::is_const_v) { 115| 76.8k| return std::array{p[2 * i], p[2 * i + 1]}; 116| | } else { 117| | return std::tuple{p[2 * i], p[2 * i + 1]}; 118| | } 119| 76.8k| }; _ZZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_ENKUlT_T0_sE_clINS1_5arrayIsLm2EEESB_EENS1_5tupleIJssEEES6_S7_s: 106| 38.4k| auto basemul = [](const auto a, const auto b, const T zeta) -> std::tuple { 107| 38.4k| return {static_cast(fqmul(a[0], b[0]) + fqmul(fqmul(a[1], b[1]), zeta)), 108| 38.4k| static_cast(fqmul(a[0], b[1]) + fqmul(a[1], b[0]))}; 109| 38.4k| }; _ZN5Botan15KyberPolyTraits25poly_pointwise_montgomeryENSt3__14spanIsLm256EEENS2_IKsLm256EEES5_: 102| 300| std::span rhs) { 103| | /** 104| | * NIST FIPS 203, Algorithm 12 (BaseCaseMultiply) 105| | */ 106| 300| auto basemul = [](const auto a, const auto b, const T zeta) -> std::tuple { 107| 300| return {static_cast(fqmul(a[0], b[0]) + fqmul(fqmul(a[1], b[1]), zeta)), 108| 300| static_cast(fqmul(a[0], b[1]) + fqmul(a[1], b[0]))}; 109| 300| }; 110| | 111| 300| auto Tq_elem_count = [](auto p) { return p.size() / 2; }; 112| | 113| 300| auto Tq_elem = [](auto p, size_t i) { 114| 300| if constexpr(std::is_const_v) { 115| 300| return std::array{p[2 * i], p[2 * i + 1]}; 116| 300| } else { 117| 300| return std::tuple{p[2 * i], p[2 * i + 1]}; 118| 300| } 119| 300| }; 120| | 121| 19.5k| for(size_t i = 0; i < Tq_elem_count(result) / 2; ++i) { ------------------ | Branch (121:28): [True: 19.2k, False: 300] ------------------ 122| 19.2k| const T zeta = zetas[64 + i]; 123| 19.2k| const T nzeta = static_cast(-zeta); 124| 19.2k| Tq_elem(result, 2 * i) = basemul(Tq_elem(lhs, 2 * i), Tq_elem(rhs, 2 * i), zeta); 125| 19.2k| Tq_elem(result, 2 * i + 1) = basemul(Tq_elem(lhs, 2 * i + 1), Tq_elem(rhs, 2 * i + 1), nzeta); 126| 19.2k| } 127| 300| } _ZNK5Botan26Kyber_Symmetric_Primitives1HENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEEE: 40| 30| KyberHashedPublicKey H(StrongSpan pk) const { 41| 30| return create_H()->process(pk); 42| 30| } _ZNK5Botan26Kyber_Symmetric_Primitives1GENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEEERKNS_14KyberConstantsE: 45| 30| const KyberConstants& mode) const { 46| 30| if(auto domsep = seed_expansion_domain_separator(mode)) { ------------------ | Branch (46:18): [True: 30, False: 0] ------------------ 47| 30| return G_split(seed, *domsep); 48| 30| } else { 49| 0| return G_split(seed); 50| 0| } 51| 30| } _ZNK5Botan26Kyber_Symmetric_Primitives9setup_XOFERNSt3__110unique_ptrINS_3XOFENS1_14default_deleteIS3_EEEENS_10StrongSpanIKNS_6StrongINS1_6vectorIhNS1_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEENS1_5tupleIJhhEEE: 86| 300| std::tuple matrix_position) const { 87| 300| if(!xof) { ------------------ | Branch (87:13): [True: 30, False: 270] ------------------ 88| 30| xof = create_XOF(seed, matrix_position); 89| 270| } else { 90| 270| init_XOF(*xof, seed, matrix_position); 91| 270| } 92| 300| } _ZNK5Botan26Kyber_Symmetric_Primitives9setup_PRFERNSt3__110unique_ptrINS_3XOFENS1_14default_deleteIS3_EEEENS1_4spanIKhLm18446744073709551615EEEh: 95| 184| void setup_PRF(std::unique_ptr& xof, std::span seed, uint8_t nonce) const { 96| 184| if(!xof) { ------------------ | Branch (96:13): [True: 30, False: 154] ------------------ 97| 30| xof = create_PRF(seed, nonce); 98| 154| } else { 99| 154| init_PRF(*xof, seed, nonce); 100| 154| } 101| 184| } _ZNK5Botan26Kyber_Symmetric_Primitives7G_splitITkNS_8concepts22contiguous_strong_typeENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_13KyberSeedRho_EJEEETkNS2_22contiguous_strong_typeENS3_INS5_IhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEETpTkNS_6ranges16contiguous_rangeEJNS_10StrongSpanIKNS3_ISD_NS_20KyberSeedRandomness_EJEEEEENS4_5arrayIhLm1EEEEEENS4_4pairIT_T0_EEDpRKT1_: 107| 30| std::pair G_split(const InputTs&... inputs) const { 108| 30| auto g = create_G(); 109| 30| (g->update(inputs), ...); 110| 30| const auto s = g->final(); 111| | 112| 30| BufferSlicer bs(s); 113| 30| std::pair result; 114| 30| result.first = bs.copy(KyberConstants::SEED_BYTES); 115| 30| result.second = bs.copy(KyberConstants::SEED_BYTES); 116| 30| BOTAN_ASSERT_NOMSG(bs.empty()); ------------------ | | 77| 30| do { \ | | 78| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 30| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 30] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 30| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 30] | | ------------------ ------------------ 117| 30| return result; 118| 30| } _ZN5Botan26Kyber_Symmetric_PrimitivesD2Ev: 30| 68| virtual ~Kyber_Symmetric_Primitives() = default; _ZN5Botan11make_uint16Ehh: 92| 300|inline constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1) { 93| 300| return static_cast((static_cast(i0) << 8) | i1); 94| 300|} _ZN5Botan11make_uint32Ehhhh: 104| 747k|inline constexpr uint32_t make_uint32(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3) { 105| 747k| return ((static_cast(i0) << 24) | (static_cast(i1) << 16) | (static_cast(i2) << 8) | 106| 747k| (static_cast(i3))); 107| 747k|} _ZN5Botan12get_byte_varImEEhmT_: 69| 48.6k|inline constexpr uint8_t get_byte_var(size_t byte_num, T input) { 70| 48.6k| return static_cast(input >> (((~byte_num) & (sizeof(T) - 1)) << 3)); 71| 48.6k|} _ZN5Botan8store_beINS_6detail10AutoDetectEJRKmPhEEEDaDpOT0_: 745| 4.96k|inline constexpr auto store_be(ParamTs&&... params) { 746| 4.96k| return detail::store_any(std::forward(params)...); 747| 4.96k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS0_20unsigned_integralishEmQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asIT1_S5_EEEvS6_Ph: 711| 4.96k|inline constexpr void store_any(T in, uint8_t out[]) { 712| | // asserts that *out points to enough bytes to write into 713| 4.96k| store_any(in, std::span(out, sizeof(T))); 714| 4.96k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS0_20unsigned_integralishEmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEEQsr3stdE7same_asIS4_T0_EEEvT1_OT2_: 646| 4.96k|inline constexpr void store_any(T in, OutR&& out_range) { 647| 4.96k| store_any(in, std::forward(out_range)); 648| 4.96k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 52.2k|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 52.2k| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 52.2k| using InT = decltype(in); 528| 52.2k| ranges::assert_exact_byte_length(out_range); 529| 52.2k| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 52.2k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 52.2k] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 52.2k| } else { 537| | if constexpr(sizeof(InT) == 1) { 538| | out[0] = static_cast(in); 539| | } else if constexpr(endianness == std::endian::native) { 540| | typecast_copy(out, in); 541| 52.2k| } else { 542| 52.2k| static_assert(opposite(endianness) == std::endian::native); 543| 52.2k| typecast_copy(out, reverse_bytes(in)); 544| 52.2k| } 545| 52.2k| } 546| 52.2k|} _ZN5Botan6detail26unwrap_strong_type_or_enumITkNS0_20unsigned_integralishEmEEDaT_: 190| 52.2k|constexpr auto unwrap_strong_type_or_enum(InT t) { 191| | if constexpr(std::is_enum_v) { 192| | // TODO: C++23: use std::to_underlying(in) instead 193| | return static_cast>(t); 194| 52.2k| } else { 195| 52.2k| return Botan::unwrap_strong_type(t); 196| 52.2k| } 197| 52.2k|} _ZN5Botan7load_beImJNSt3__14spanIKhLm8EEEEEEDaDpOT0_: 504| 144k|inline constexpr auto load_be(ParamTs&&... params) { 505| 144k| return detail::load_any(std::forward(params)...); 506| 144k|} _ZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 158k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 158k| using OutT = detail::wrapped_type; 280| 158k| ranges::assert_exact_byte_length(in_range); 281| | 282| 158k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 158k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 158k| return fallback_load_any(std::forward(in_range)); 288| 158k| } else { 289| 158k| const std::span in{in_range}; 290| 158k| if constexpr(sizeof(OutT) == 1) { 291| 158k| return static_cast(in[0]); 292| 158k| } else if constexpr(endianness == std::endian::native) { 293| 158k| return typecast_copy(in); 294| 158k| } else { 295| 158k| static_assert(opposite(endianness) == std::endian::native); 296| 158k| return reverse_bytes(typecast_copy(in)); 297| 158k| } 298| 158k| } 299| 158k| }()); 300| 158k|} _ZN5Botan6detail24wrap_strong_type_or_enumITkNS0_20unsigned_integralishEmTkNSt3__117unsigned_integralEmEEDaT0_: 200| 241k|constexpr auto wrap_strong_type_or_enum(T t) { 201| | if constexpr(std::is_enum_v) { 202| | return static_cast(t); 203| 241k| } else { 204| 241k| return Botan::wrap_strong_type(t); 205| 241k| } 206| 241k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 158k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 158k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 158k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 158k| } else { 289| 158k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| | } else if constexpr(endianness == std::endian::native) { 293| | return typecast_copy(in); 294| 158k| } else { 295| 158k| static_assert(opposite(endianness) == std::endian::native); 296| 158k| return reverse_bytes(typecast_copy(in)); 297| 158k| } 298| 158k| } 299| 158k| }()); _ZN5Botan7load_beImJRNSt3__15arrayIhLm8EEEEEEDaDpOT0_: 504| 30.9k|inline constexpr auto load_be(ParamTs&&... params) { 505| 30.9k| return detail::load_any(std::forward(params)...); 506| 30.9k|} _ZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 30.9k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 30.9k| using OutT = detail::wrapped_type; 280| 30.9k| ranges::assert_exact_byte_length(in_range); 281| | 282| 30.9k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 30.9k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 30.9k| return fallback_load_any(std::forward(in_range)); 288| 30.9k| } else { 289| 30.9k| const std::span in{in_range}; 290| 30.9k| if constexpr(sizeof(OutT) == 1) { 291| 30.9k| return static_cast(in[0]); 292| 30.9k| } else if constexpr(endianness == std::endian::native) { 293| 30.9k| return typecast_copy(in); 294| 30.9k| } else { 295| 30.9k| static_assert(opposite(endianness) == std::endian::native); 296| 30.9k| return reverse_bytes(typecast_copy(in)); 297| 30.9k| } 298| 30.9k| } 299| 30.9k| }()); 300| 30.9k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 30.9k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 30.9k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 30.9k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 30.9k| } else { 289| 30.9k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| | } else if constexpr(endianness == std::endian::native) { 293| | return typecast_copy(in); 294| 30.9k| } else { 295| 30.9k| static_assert(opposite(endianness) == std::endian::native); 296| 30.9k| return reverse_bytes(typecast_copy(in)); 297| 30.9k| } 298| 30.9k| } 299| 30.9k| }()); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEETpTkNS0_20unsigned_integralishEJmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 47.2k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 47.2k| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 47.2k| auto store_one = [off = 0](auto o, T i) mutable { 585| 47.2k| store_any(i, o.subspan(off).template first()); 586| 47.2k| off += sizeof(T); 587| 47.2k| }; 588| | 589| 47.2k| (store_one(std::span{out}, ins), ...); 590| 47.2k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEETpTkNS0_20unsigned_integralishEJmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clImS7_EEDaS9_SE_: 584| 47.2k| auto store_one = [off = 0](auto o, T i) mutable { 585| 47.2k| store_any(i, o.subspan(off).template first()); 586| 47.2k| off += sizeof(T); 587| 47.2k| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm32EEERNS3_5arrayImLm4EEEEEEDaDpOT0_: 745| 2.14k|inline constexpr auto store_be(ParamTs&&... params) { 746| 2.14k| return detail::store_any(std::forward(params)...); 747| 2.14k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm32EEETkNS5_14spanable_rangeENS2_5arrayImLm4EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 2.14k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 2.14k| ranges::assert_equal_byte_lengths(out, in); 605| 2.14k| using element_type = std::ranges::range_value_t; 606| | 607| 2.14k| auto store_elementwise = [&] { 608| 2.14k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2.14k| std::span out_s(out); 610| 2.14k| for(auto in_elem : in) { 611| 2.14k| store_any(out_s.template first(), in_elem); 612| 2.14k| out_s = out_s.subspan(bytes_per_element); 613| 2.14k| } 614| 2.14k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 2.14k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 2.14k] ------------------ 620| 0| store_elementwise(); 621| 2.14k| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 2.14k| } else { 625| 2.14k| store_elementwise(); 626| 2.14k| } 627| 2.14k| } 628| 2.14k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm32EEETkNS5_14spanable_rangeENS2_5arrayImLm4EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 2.14k| auto store_elementwise = [&] { 608| 2.14k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2.14k| std::span out_s(out); 610| 8.59k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 8.59k, False: 2.14k] ------------------ 611| 8.59k| store_any(out_s.template first(), in_elem); 612| 8.59k| out_s = out_s.subspan(bytes_per_element); 613| 8.59k| } 614| 2.14k| }; _ZN5Botan7load_beImJPKhmEEEDaDpOT0_: 504| 13.7k|inline constexpr auto load_be(ParamTs&&... params) { 505| 13.7k| return detail::load_any(std::forward(params)...); 506| 13.7k|} _ZN5Botan6detail8load_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmEET0_PKhm: 454| 13.7k|inline constexpr OutT load_any(const uint8_t in[], size_t off) { 455| | // asserts that *in points to enough bytes to read at offset off 456| 13.7k| constexpr size_t out_size = sizeof(OutT); 457| 13.7k| return load_any(std::span(in + off * out_size, out_size)); 458| 13.7k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 47.3k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 47.3k| using OutT = detail::wrapped_type; 280| 47.3k| ranges::assert_exact_byte_length(in_range); 281| | 282| 47.3k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 47.3k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 47.3k| return fallback_load_any(std::forward(in_range)); 288| 47.3k| } else { 289| 47.3k| const std::span in{in_range}; 290| 47.3k| if constexpr(sizeof(OutT) == 1) { 291| 47.3k| return static_cast(in[0]); 292| 47.3k| } else if constexpr(endianness == std::endian::native) { 293| 47.3k| return typecast_copy(in); 294| 47.3k| } else { 295| 47.3k| static_assert(opposite(endianness) == std::endian::native); 296| 47.3k| return reverse_bytes(typecast_copy(in)); 297| 47.3k| } 298| 47.3k| } 299| 47.3k| }()); 300| 47.3k|} _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm48EEERNS3_5arrayImLm6EEEEEEDaDpOT0_: 745| 1.37k|inline constexpr auto store_be(ParamTs&&... params) { 746| 1.37k| return detail::store_any(std::forward(params)...); 747| 1.37k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm48EEETkNS5_14spanable_rangeENS2_5arrayImLm6EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 1.37k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1.37k| ranges::assert_equal_byte_lengths(out, in); 605| 1.37k| using element_type = std::ranges::range_value_t; 606| | 607| 1.37k| auto store_elementwise = [&] { 608| 1.37k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.37k| std::span out_s(out); 610| 1.37k| for(auto in_elem : in) { 611| 1.37k| store_any(out_s.template first(), in_elem); 612| 1.37k| out_s = out_s.subspan(bytes_per_element); 613| 1.37k| } 614| 1.37k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1.37k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1.37k] ------------------ 620| 0| store_elementwise(); 621| 1.37k| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 1.37k| } else { 625| 1.37k| store_elementwise(); 626| 1.37k| } 627| 1.37k| } 628| 1.37k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm48EEETkNS5_14spanable_rangeENS2_5arrayImLm6EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 1.37k| auto store_elementwise = [&] { 608| 1.37k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.37k| std::span out_s(out); 610| 8.22k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 8.22k, False: 1.37k] ------------------ 611| 8.22k| store_any(out_s.template first(), in_elem); 612| 8.22k| out_s = out_s.subspan(bytes_per_element); 613| 8.22k| } 614| 1.37k| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm64EEERNS3_5arrayImLm8EEEEEEDaDpOT0_: 745| 606|inline constexpr auto store_be(ParamTs&&... params) { 746| 606| return detail::store_any(std::forward(params)...); 747| 606|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm64EEETkNS5_14spanable_rangeENS2_5arrayImLm8EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 606|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 606| ranges::assert_equal_byte_lengths(out, in); 605| 606| using element_type = std::ranges::range_value_t; 606| | 607| 606| auto store_elementwise = [&] { 608| 606| constexpr size_t bytes_per_element = sizeof(element_type); 609| 606| std::span out_s(out); 610| 606| for(auto in_elem : in) { 611| 606| store_any(out_s.template first(), in_elem); 612| 606| out_s = out_s.subspan(bytes_per_element); 613| 606| } 614| 606| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 606| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 606] ------------------ 620| 0| store_elementwise(); 621| 606| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 606| } else { 625| 606| store_elementwise(); 626| 606| } 627| 606| } 628| 606|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm64EEETkNS5_14spanable_rangeENS2_5arrayImLm8EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 606| auto store_elementwise = [&] { 608| 606| constexpr size_t bytes_per_element = sizeof(element_type); 609| 606| std::span out_s(out); 610| 4.84k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 4.84k, False: 606] ------------------ 611| 4.84k| store_any(out_s.template first(), in_elem); 612| 4.84k| out_s = out_s.subspan(bytes_per_element); 613| 4.84k| } 614| 606| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__15arrayImLm9EEEEEEDaDpOT0_: 745| 2.25k|inline constexpr auto store_be(ParamTs&&... params) { 746| 2.25k| return detail::store_any(std::forward(params)...); 747| 2.25k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm9EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_: 663| 2.25k|inline constexpr auto store_any(InR&& in_range) { 664| 2.25k| auto out = []([[maybe_unused]] const auto& in) { 665| 2.25k| if constexpr(std::same_as) { 666| 2.25k| if constexpr(ranges::statically_spanable_range) { 667| 2.25k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 2.25k| return std::array(); 669| 2.25k| } else { 670| 2.25k| static_assert( 671| 2.25k| !std::same_as, 672| 2.25k| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 2.25k| } 674| 2.25k| } else if constexpr(concepts::resizable_byte_buffer) { 675| 2.25k| return OutR(std::span{in}.size_bytes()); 676| 2.25k| } else { 677| 2.25k| return OutR{}; 678| 2.25k| } 679| 2.25k| }(in_range); 680| | 681| 2.25k| store_any>(out, std::forward(in_range)); 682| 2.25k| return out; 683| 2.25k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm9EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSE_: 664| 2.25k| auto out = []([[maybe_unused]] const auto& in) { 665| 2.25k| if constexpr(std::same_as) { 666| 2.25k| if constexpr(ranges::statically_spanable_range) { 667| 2.25k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 2.25k| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 2.25k| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm72EEETkNS4_14spanable_rangeENS6_ImLm9EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 2.25k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 2.25k| ranges::assert_equal_byte_lengths(out, in); 605| 2.25k| using element_type = std::ranges::range_value_t; 606| | 607| 2.25k| auto store_elementwise = [&] { 608| 2.25k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2.25k| std::span out_s(out); 610| 2.25k| for(auto in_elem : in) { 611| 2.25k| store_any(out_s.template first(), in_elem); 612| 2.25k| out_s = out_s.subspan(bytes_per_element); 613| 2.25k| } 614| 2.25k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 2.25k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 2.25k] ------------------ 620| 0| store_elementwise(); 621| 2.25k| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 2.25k| } else { 625| 2.25k| store_elementwise(); 626| 2.25k| } 627| 2.25k| } 628| 2.25k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm72EEETkNS4_14spanable_rangeENS6_ImLm9EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 2.25k| auto store_elementwise = [&] { 608| 2.25k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2.25k| std::span out_s(out); 610| 20.2k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 20.2k, False: 2.25k] ------------------ 611| 20.2k| store_any(out_s.template first(), in_elem); 612| 20.2k| out_s = out_s.subspan(bytes_per_element); 613| 20.2k| } 614| 2.25k| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__14spanIhLm24EEERNS3_5arrayImLm3EEEEEEDaDpOT0_: 745| 756|inline constexpr auto store_be(ParamTs&&... params) { 746| 756| return detail::store_any(std::forward(params)...); 747| 756|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm24EEETkNS5_14spanable_rangeENS2_5arrayImLm3EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 756|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 756| ranges::assert_equal_byte_lengths(out, in); 605| 756| using element_type = std::ranges::range_value_t; 606| | 607| 756| auto store_elementwise = [&] { 608| 756| constexpr size_t bytes_per_element = sizeof(element_type); 609| 756| std::span out_s(out); 610| 756| for(auto in_elem : in) { 611| 756| store_any(out_s.template first(), in_elem); 612| 756| out_s = out_s.subspan(bytes_per_element); 613| 756| } 614| 756| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 756| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 756] ------------------ 620| 0| store_elementwise(); 621| 756| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 756| } else { 625| 756| store_elementwise(); 626| 756| } 627| 756| } 628| 756|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm24EEETkNS5_14spanable_rangeENS2_5arrayImLm3EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_ENKUlvE_clEv: 607| 756| auto store_elementwise = [&] { 608| 756| constexpr size_t bytes_per_element = sizeof(element_type); 609| 756| std::span out_s(out); 610| 2.26k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 2.26k, False: 756] ------------------ 611| 2.26k| store_any(out_s.template first(), in_elem); 612| 2.26k| out_s = out_s.subspan(bytes_per_element); 613| 2.26k| } 614| 756| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRNSt3__15arrayImLm4EEEEEEDaDpOT0_: 745| 766|inline constexpr auto store_be(ParamTs&&... params) { 746| 766| return detail::store_any(std::forward(params)...); 747| 766|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm4EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_: 663| 766|inline constexpr auto store_any(InR&& in_range) { 664| 766| auto out = []([[maybe_unused]] const auto& in) { 665| 766| if constexpr(std::same_as) { 666| 766| if constexpr(ranges::statically_spanable_range) { 667| 766| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 766| return std::array(); 669| 766| } else { 670| 766| static_assert( 671| 766| !std::same_as, 672| 766| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 766| } 674| 766| } else if constexpr(concepts::resizable_byte_buffer) { 675| 766| return OutR(std::span{in}.size_bytes()); 676| 766| } else { 677| 766| return OutR{}; 678| 766| } 679| 766| }(in_range); 680| | 681| 766| store_any>(out, std::forward(in_range)); 682| 766| return out; 683| 766|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm4EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSE_: 664| 766| auto out = []([[maybe_unused]] const auto& in) { 665| 766| if constexpr(std::same_as) { 666| 766| if constexpr(ranges::statically_spanable_range) { 667| 766| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 766| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 766| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm32EEETkNS4_14spanable_rangeENS6_ImLm4EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 766|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 766| ranges::assert_equal_byte_lengths(out, in); 605| 766| using element_type = std::ranges::range_value_t; 606| | 607| 766| auto store_elementwise = [&] { 608| 766| constexpr size_t bytes_per_element = sizeof(element_type); 609| 766| std::span out_s(out); 610| 766| for(auto in_elem : in) { 611| 766| store_any(out_s.template first(), in_elem); 612| 766| out_s = out_s.subspan(bytes_per_element); 613| 766| } 614| 766| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 766| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 766] ------------------ 620| 0| store_elementwise(); 621| 766| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 766| } else { 625| 766| store_elementwise(); 626| 766| } 627| 766| } 628| 766|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm32EEETkNS4_14spanable_rangeENS6_ImLm4EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 766| auto store_elementwise = [&] { 608| 766| constexpr size_t bytes_per_element = sizeof(element_type); 609| 766| std::span out_s(out); 610| 3.06k| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 3.06k, False: 766] ------------------ 611| 3.06k| store_any(out_s.template first(), in_elem); 612| 3.06k| out_s = out_s.subspan(bytes_per_element); 613| 3.06k| } 614| 766| }; _ZN5Botan8store_beINS_6detail10AutoDetectEJRKhEEEDaDpOT0_: 745| 184|inline constexpr auto store_be(ParamTs&&... params) { 746| 184| return detail::store_any(std::forward(params)...); 747| 184|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJhEQ10all_same_vIDpT1_EEEDaS6_: 696| 184|inline constexpr auto store_any(Ts... ins) { 697| 184| return store_any(std::array{ins...}); 698| 184|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayIhLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 184|inline constexpr auto store_any(InR&& in_range) { 664| 184| auto out = []([[maybe_unused]] const auto& in) { 665| 184| if constexpr(std::same_as) { 666| 184| if constexpr(ranges::statically_spanable_range) { 667| 184| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 184| return std::array(); 669| 184| } else { 670| 184| static_assert( 671| 184| !std::same_as, 672| 184| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 184| } 674| 184| } else if constexpr(concepts::resizable_byte_buffer) { 675| 184| return OutR(std::span{in}.size_bytes()); 676| 184| } else { 677| 184| return OutR{}; 678| 184| } 679| 184| }(in_range); 680| | 681| 184| store_any>(out, std::forward(in_range)); 682| 184| return out; 683| 184|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayIhLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 184| auto out = []([[maybe_unused]] const auto& in) { 665| 184| if constexpr(std::same_as) { 666| 184| if constexpr(ranges::statically_spanable_range) { 667| 184| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 184| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 184| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm1EEETkNS4_14spanable_rangeES7_Qoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISA_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEEEvOT1_RKSF_: 603| 184|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 184| ranges::assert_equal_byte_lengths(out, in); 605| 184| using element_type = std::ranges::range_value_t; 606| | 607| 184| auto store_elementwise = [&] { 608| 184| constexpr size_t bytes_per_element = sizeof(element_type); 609| 184| std::span out_s(out); 610| 184| for(auto in_elem : in) { 611| 184| store_any(out_s.template first(), in_elem); 612| 184| out_s = out_s.subspan(bytes_per_element); 613| 184| } 614| 184| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 184| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 184] ------------------ 620| 0| store_elementwise(); 621| 184| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 184| } else { 625| 184| store_elementwise(); 626| 184| } 627| 184| } 628| 184|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm1EEETkNS4_14spanable_rangeES7_Qoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISA_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISI_EESJ_E4type10value_typeEEEEvOT1_RKSF_ENKUlvE_clEv: 607| 184| auto store_elementwise = [&] { 608| 184| constexpr size_t bytes_per_element = sizeof(element_type); 609| 184| std::span out_s(out); 610| 184| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 184, False: 184] ------------------ 611| 184| store_any(out_s.template first(), in_elem); 612| 184| out_s = out_s.subspan(bytes_per_element); 613| 184| } 614| 184| }; _ZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm1EEETpTkNS0_20unsigned_integralishEJhEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 184|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 184| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 184| auto store_one = [off = 0](auto o, T i) mutable { 585| 184| store_any(i, o.subspan(off).template first()); 586| 184| off += sizeof(T); 587| 184| }; 588| | 589| 184| (store_one(std::span{out}, ins), ...); 590| 184|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EhTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm1EEETpTkNS0_20unsigned_integralishEJhEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clIhS7_EEDaS9_SE_: 584| 184| auto store_one = [off = 0](auto o, T i) mutable { 585| 184| store_any(i, o.subspan(off).template first()); 586| 184| off += sizeof(T); 587| 184| }; _ZN5Botan6detail9store_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEhTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm1EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 184|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 184| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 184| using InT = decltype(in); 528| 184| ranges::assert_exact_byte_length(out_range); 529| 184| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 184| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 184] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 184| } else { 537| 184| if constexpr(sizeof(InT) == 1) { 538| 184| out[0] = static_cast(in); 539| | } else if constexpr(endianness == std::endian::native) { 540| | typecast_copy(out, in); 541| | } else { 542| | static_assert(opposite(endianness) == std::endian::native); 543| | typecast_copy(out, reverse_bytes(in)); 544| | } 545| 184| } 546| 184|} _ZN5Botan6detail26unwrap_strong_type_or_enumITkNS0_20unsigned_integralishEhEEDaT_: 190| 184|constexpr auto unwrap_strong_type_or_enum(InT t) { 191| | if constexpr(std::is_enum_v) { 192| | // TODO: C++23: use std::to_underlying(in) instead 193| | return static_cast>(t); 194| 184| } else { 195| 184| return Botan::unwrap_strong_type(t); 196| 184| } 197| 184|} _ZN5Botan6detail24wrap_strong_type_or_enumITkNS0_20unsigned_integralishEjTkNSt3__117unsigned_integralEjEEDaT0_: 200| 54.6k|constexpr auto wrap_strong_type_or_enum(T t) { 201| | if constexpr(std::is_enum_v) { 202| | return static_cast(t); 203| 54.6k| } else { 204| 54.6k| return Botan::wrap_strong_type(t); 205| 54.6k| } 206| 54.6k|} _ZN5Botan6detail24wrap_strong_type_or_enumITkNS0_20unsigned_integralishEtTkNSt3__117unsigned_integralEtEEDaT0_: 200| 2.91k|constexpr auto wrap_strong_type_or_enum(T t) { 201| | if constexpr(std::is_enum_v) { 202| | return static_cast(t); 203| 2.91k| } else { 204| 2.91k| return Botan::wrap_strong_type(t); 205| 2.91k| } 206| 2.91k|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ETkNS0_20unsigned_integralishEtTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm2EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 300|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 300| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 300| using InT = decltype(in); 528| 300| ranges::assert_exact_byte_length(out_range); 529| 300| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 300| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 300] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 300| } else { 537| | if constexpr(sizeof(InT) == 1) { 538| | out[0] = static_cast(in); 539| | } else if constexpr(endianness == std::endian::native) { 540| | typecast_copy(out, in); 541| 300| } else { 542| 300| static_assert(opposite(endianness) == std::endian::native); 543| 300| typecast_copy(out, reverse_bytes(in)); 544| 300| } 545| 300| } 546| 300|} _ZN5Botan6detail26unwrap_strong_type_or_enumITkNS0_20unsigned_integralishEtEEDaT_: 190| 300|constexpr auto unwrap_strong_type_or_enum(InT t) { 191| | if constexpr(std::is_enum_v) { 192| | // TODO: C++23: use std::to_underlying(in) instead 193| | return static_cast>(t); 194| 300| } else { 195| 300| return Botan::unwrap_strong_type(t); 196| 300| } 197| 300|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm8EEEQnt15custom_storableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEEvS9_OT1_: 525| 8|inline constexpr void store_any(WrappedInT wrapped_in, OutR&& out_range) { 526| 8| const auto in = detail::unwrap_strong_type_or_enum(wrapped_in); 527| 8| using InT = decltype(in); 528| 8| ranges::assert_exact_byte_length(out_range); 529| 8| const std::span out{out_range}; 530| | 531| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 532| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 533| | // in a `constexpr` context. 534| 8| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (534:7): [Folded, False: 8] ------------------ 535| 0| return fallback_store_any(in, std::forward(out_range)); 536| 8| } else { 537| | if constexpr(sizeof(InT) == 1) { 538| | out[0] = static_cast(in); 539| 8| } else if constexpr(endianness == std::endian::native) { 540| 8| typecast_copy(out, in); 541| | } else { 542| | static_assert(opposite(endianness) == std::endian::native); 543| | typecast_copy(out, reverse_bytes(in)); 544| | } 545| 8| } 546| 8|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 4.86k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 4.86k| using OutT = detail::wrapped_type; 280| 4.86k| ranges::assert_exact_byte_length(in_range); 281| | 282| 4.86k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 4.86k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 4.86k| return fallback_load_any(std::forward(in_range)); 288| 4.86k| } else { 289| 4.86k| const std::span in{in_range}; 290| 4.86k| if constexpr(sizeof(OutT) == 1) { 291| 4.86k| return static_cast(in[0]); 292| 4.86k| } else if constexpr(endianness == std::endian::native) { 293| 4.86k| return typecast_copy(in); 294| 4.86k| } else { 295| 4.86k| static_assert(opposite(endianness) == std::endian::native); 296| 4.86k| return reverse_bytes(typecast_copy(in)); 297| 4.86k| } 298| 4.86k| } 299| 4.86k| }()); 300| 4.86k|} _ZN5Botan11copy_out_beITkNS_6ranges14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEEEvNS2_4spanIhLm18446744073709551615EEERKT_: 773| 2|inline void copy_out_be(std::span out, const InR& in) { 774| 2| using T = std::ranges::range_value_t; 775| 2| std::span in_s{in}; 776| 2| const auto remaining_bytes = detail::copy_out_any_word_aligned_portion(out, in_s); 777| | 778| | // copy remaining bytes as a partial word 779| 2| for(size_t i = 0; i < remaining_bytes; ++i) { ------------------ | Branch (779:22): [True: 0, False: 2] ------------------ 780| 0| out[i] = get_byte_var(i, in_s.front()); 781| 0| } 782| 2|} _ZN5Botan6detail33copy_out_any_word_aligned_portionILNSt3__16endianE64206ETkNS0_20unsigned_integralishEmEEmRNS2_4spanIhLm18446744073709551615EEERNS4_IKT0_Lm18446744073709551615EEE: 752| 2|inline size_t copy_out_any_word_aligned_portion(std::span& out, std::span& in) { 753| 2| const size_t full_words = out.size() / sizeof(T); 754| 2| const size_t full_word_bytes = full_words * sizeof(T); 755| 2| const size_t remaining_bytes = out.size() - full_word_bytes; 756| 2| BOTAN_ASSERT_NOMSG(in.size_bytes() >= full_word_bytes + remaining_bytes); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 757| | 758| | // copy full words 759| 2| store_any(out.first(full_word_bytes), in.first(full_words)); 760| 2| out = out.subspan(full_word_bytes); 761| 2| in = in.subspan(full_words); 762| | 763| 2| return remaining_bytes; 764| 2|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm18446744073709551615EEETkNS4_14spanable_rangeENS6_IKmLm18446744073709551615EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 2|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 2| ranges::assert_equal_byte_lengths(out, in); 605| 2| using element_type = std::ranges::range_value_t; 606| | 607| 2| auto store_elementwise = [&] { 608| 2| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2| std::span out_s(out); 610| 2| for(auto in_elem : in) { 611| 2| store_any(out_s.template first(), in_elem); 612| 2| out_s = out_s.subspan(bytes_per_element); 613| 2| } 614| 2| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 2| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 2] ------------------ 620| 0| store_elementwise(); 621| 2| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 2| } else { 625| 2| store_elementwise(); 626| 2| } 627| 2| } 628| 2|} _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm18446744073709551615EEETkNS4_14spanable_rangeENS6_IKmLm18446744073709551615EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 2| auto store_elementwise = [&] { 608| 2| constexpr size_t bytes_per_element = sizeof(element_type); 609| 2| std::span out_s(out); 610| 16| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 16, False: 2] ------------------ 611| 16| store_any(out_s.template first(), in_elem); 612| 16| out_s = out_s.subspan(bytes_per_element); 613| 16| } 614| 2| }; _ZN5Botan7load_leImJRPKhiEEEDaDpOT0_: 495| 2|inline constexpr auto load_le(ParamTs&&... params) { 496| 2| return detail::load_any(std::forward(params)...); 497| 2|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmEET0_PKhm: 454| 10|inline constexpr OutT load_any(const uint8_t in[], size_t off) { 455| | // asserts that *in points to enough bytes to read at offset off 456| 10| constexpr size_t out_size = sizeof(OutT); 457| 10| return load_any(std::span(in + off * out_size, out_size)); 458| 10|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 47.3k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 47.3k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 47.3k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 47.3k| } else { 289| 47.3k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 47.3k| } else if constexpr(endianness == std::endian::native) { 293| 47.3k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 47.3k| } 299| 47.3k| }()); _ZN5Botan7load_leImJPKhiEEEDaDpOT0_: 495| 8|inline constexpr auto load_le(ParamTs&&... params) { 496| 8| return detail::load_any(std::forward(params)...); 497| 8|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 4.86k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 4.86k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 4.86k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 4.86k| } else { 289| 4.86k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 4.86k| } else if constexpr(endianness == std::endian::native) { 293| 4.86k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 4.86k| } 299| 4.86k| }()); _ZN5Botan7load_leINS_6detail10AutoDetectEJRNSt3__15arrayIhLm8EEEEEEDaDpOT0_: 495| 4.48k|inline constexpr auto load_le(ParamTs&&... params) { 496| 4.48k| return detail::load_any(std::forward(params)...); 497| 4.48k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_: 397| 4.48k|inline constexpr auto load_any(InR&& in_range) { 398| 4.48k| auto out = []([[maybe_unused]] const auto& in) { 399| 4.48k| if constexpr(std::same_as) { 400| 4.48k| if constexpr(ranges::statically_spanable_range) { 401| 4.48k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 4.48k| using type = 405| 4.48k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 4.48k| static_assert( 412| 4.48k| !std::is_void_v, 413| 4.48k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 4.48k| return type{}; 416| 4.48k| } else { 417| 4.48k| static_assert( 418| 4.48k| !std::same_as, 419| 4.48k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 4.48k| } 421| 4.48k| } else if constexpr(concepts::resizable_container) { 422| 4.48k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 4.48k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 4.48k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 4.48k| "Input range is not word-aligned with the requested output range"); 426| 4.48k| return OutT(in_bytes / out_elem_bytes); 427| 4.48k| } else { 428| 4.48k| return OutT{}; 429| 4.48k| } 430| 4.48k| }(in_range); 431| | 432| 4.48k| using out_type = decltype(out); 433| 4.48k| if constexpr(unsigned_integralish) { 434| 4.48k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 4.48k| return out; 441| 4.48k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS8_EEDaSG_: 398| 4.48k| auto out = []([[maybe_unused]] const auto& in) { 399| 4.48k| if constexpr(std::same_as) { 400| 4.48k| if constexpr(ranges::statically_spanable_range) { 401| 4.48k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 4.48k| using type = 405| 4.48k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 4.48k| static_assert( 412| 4.48k| !std::is_void_v, 413| 4.48k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 4.48k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 4.48k| }(in_range); _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_: 278| 4.48k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 4.48k| using OutT = detail::wrapped_type; 280| 4.48k| ranges::assert_exact_byte_length(in_range); 281| | 282| 4.48k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 4.48k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 4.48k| return fallback_load_any(std::forward(in_range)); 288| 4.48k| } else { 289| 4.48k| const std::span in{in_range}; 290| 4.48k| if constexpr(sizeof(OutT) == 1) { 291| 4.48k| return static_cast(in[0]); 292| 4.48k| } else if constexpr(endianness == std::endian::native) { 293| 4.48k| return typecast_copy(in); 294| 4.48k| } else { 295| 4.48k| static_assert(opposite(endianness) == std::endian::native); 296| 4.48k| return reverse_bytes(typecast_copy(in)); 297| 4.48k| } 298| 4.48k| } 299| 4.48k| }()); 300| 4.48k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEmTkNS_6ranges16contiguous_rangeIhEERNS2_5arrayIhLm8EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEESA_OT1_ENKUlvE_clEv: 282| 4.48k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 4.48k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 4.48k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 4.48k| } else { 289| 4.48k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 4.48k| } else if constexpr(endianness == std::endian::native) { 293| 4.48k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 4.48k| } 299| 4.48k| }()); _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__14spanIKhLm8EEEEEEDaDpOT0_: 495| 47.3k|inline constexpr auto load_le(ParamTs&&... params) { 496| 47.3k| return detail::load_any(std::forward(params)...); 497| 47.3k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_: 397| 47.3k|inline constexpr auto load_any(InR&& in_range) { 398| 47.3k| auto out = []([[maybe_unused]] const auto& in) { 399| 47.3k| if constexpr(std::same_as) { 400| 47.3k| if constexpr(ranges::statically_spanable_range) { 401| 47.3k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 47.3k| using type = 405| 47.3k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 47.3k| static_assert( 412| 47.3k| !std::is_void_v, 413| 47.3k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 47.3k| return type{}; 416| 47.3k| } else { 417| 47.3k| static_assert( 418| 47.3k| !std::same_as, 419| 47.3k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 47.3k| } 421| 47.3k| } else if constexpr(concepts::resizable_container) { 422| 47.3k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 47.3k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 47.3k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 47.3k| "Input range is not word-aligned with the requested output range"); 426| 47.3k| return OutT(in_bytes / out_elem_bytes); 427| 47.3k| } else { 428| 47.3k| return OutT{}; 429| 47.3k| } 430| 47.3k| }(in_range); 431| | 432| 47.3k| using out_type = decltype(out); 433| 47.3k| if constexpr(unsigned_integralish) { 434| 47.3k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 47.3k| return out; 441| 47.3k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm8EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS9_EEDaSG_: 398| 47.3k| auto out = []([[maybe_unused]] const auto& in) { 399| 47.3k| if constexpr(std::same_as) { 400| 47.3k| if constexpr(ranges::statically_spanable_range) { 401| 47.3k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 47.3k| using type = 405| 47.3k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 47.3k| static_assert( 412| 47.3k| !std::is_void_v, 413| 47.3k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 47.3k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 47.3k| }(in_range); _ZN5Botan8store_leINS_6detail10AutoDetectEJRmEEEDaDpOT0_: 736| 1.17M|inline constexpr auto store_le(ParamTs&&... params) { 737| 1.17M| return detail::store_any(std::forward(params)...); 738| 1.17M|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJmEQ10all_same_vIDpT1_EEEDaS6_: 696| 1.17M|inline constexpr auto store_any(Ts... ins) { 697| 1.17M| return store_any(std::array{ins...}); 698| 1.17M|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 1.17M|inline constexpr auto store_any(InR&& in_range) { 664| 1.17M| auto out = []([[maybe_unused]] const auto& in) { 665| 1.17M| if constexpr(std::same_as) { 666| 1.17M| if constexpr(ranges::statically_spanable_range) { 667| 1.17M| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 1.17M| return std::array(); 669| 1.17M| } else { 670| 1.17M| static_assert( 671| 1.17M| !std::same_as, 672| 1.17M| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 1.17M| } 674| 1.17M| } else if constexpr(concepts::resizable_byte_buffer) { 675| 1.17M| return OutR(std::span{in}.size_bytes()); 676| 1.17M| } else { 677| 1.17M| return OutR{}; 678| 1.17M| } 679| 1.17M| }(in_range); 680| | 681| 1.17M| store_any>(out, std::forward(in_range)); 682| 1.17M| return out; 683| 1.17M|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 1.17M| auto out = []([[maybe_unused]] const auto& in) { 665| 1.17M| if constexpr(std::same_as) { 666| 1.17M| if constexpr(ranges::statically_spanable_range) { 667| 1.17M| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 1.17M| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 1.17M| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE57005EmTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm8EEETkNS4_14spanable_rangeENS6_ImLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 1.21M|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1.21M| ranges::assert_equal_byte_lengths(out, in); 605| 1.21M| using element_type = std::ranges::range_value_t; 606| | 607| 1.21M| auto store_elementwise = [&] { 608| 1.21M| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1.21M| std::span out_s(out); 610| 1.21M| for(auto in_elem : in) { 611| 1.21M| store_any(out_s.template first(), in_elem); 612| 1.21M| out_s = out_s.subspan(bytes_per_element); 613| 1.21M| } 614| 1.21M| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1.21M| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1.21M] ------------------ 620| 0| store_elementwise(); 621| 1.21M| } else { 622| 1.21M| if constexpr(endianness == std::endian::native && !custom_storable) { 623| 1.21M| typecast_copy(out, in); 624| | } else { 625| | store_elementwise(); 626| | } 627| 1.21M| } 628| 1.21M|} _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__14spanIKhLm4EEEEEEDaDpOT0_: 495| 4.86k|inline constexpr auto load_le(ParamTs&&... params) { 496| 4.86k| return detail::load_any(std::forward(params)...); 497| 4.86k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_: 397| 4.86k|inline constexpr auto load_any(InR&& in_range) { 398| 4.86k| auto out = []([[maybe_unused]] const auto& in) { 399| 4.86k| if constexpr(std::same_as) { 400| 4.86k| if constexpr(ranges::statically_spanable_range) { 401| 4.86k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 4.86k| using type = 405| 4.86k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 4.86k| static_assert( 412| 4.86k| !std::is_void_v, 413| 4.86k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 4.86k| return type{}; 416| 4.86k| } else { 417| 4.86k| static_assert( 418| 4.86k| !std::same_as, 419| 4.86k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 4.86k| } 421| 4.86k| } else if constexpr(concepts::resizable_container) { 422| 4.86k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 4.86k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 4.86k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 4.86k| "Input range is not word-aligned with the requested output range"); 426| 4.86k| return OutT(in_bytes / out_elem_bytes); 427| 4.86k| } else { 428| 4.86k| return OutT{}; 429| 4.86k| } 430| 4.86k| }(in_range); 431| | 432| 4.86k| using out_type = decltype(out); 433| 4.86k| if constexpr(unsigned_integralish) { 434| 4.86k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 4.86k| return out; 441| 4.86k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_4spanIKhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeISA_Esr8conceptsE19resizable_containerISA_E20unsigned_integralishINSA_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS9_EEDaSG_: 398| 4.86k| auto out = []([[maybe_unused]] const auto& in) { 399| 4.86k| if constexpr(std::same_as) { 400| 4.86k| if constexpr(ranges::statically_spanable_range) { 401| 4.86k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 4.86k| using type = 405| 4.86k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 4.86k| static_assert( 412| 4.86k| !std::is_void_v, 413| 4.86k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 4.86k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 4.86k| }(in_range); _ZN5Botan8store_leINS_6detail10AutoDetectEJRNSt3__15arrayImLm1EEEEEEDaDpOT0_: 736| 39.0k|inline constexpr auto store_le(ParamTs&&... params) { 737| 39.0k| return detail::store_any(std::forward(params)...); 738| 39.0k|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_: 663| 39.0k|inline constexpr auto store_any(InR&& in_range) { 664| 39.0k| auto out = []([[maybe_unused]] const auto& in) { 665| 39.0k| if constexpr(std::same_as) { 666| 39.0k| if constexpr(ranges::statically_spanable_range) { 667| 39.0k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 39.0k| return std::array(); 669| 39.0k| } else { 670| 39.0k| static_assert( 671| 39.0k| !std::same_as, 672| 39.0k| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 39.0k| } 674| 39.0k| } else if constexpr(concepts::resizable_byte_buffer) { 675| 39.0k| return OutR(std::span{in}.size_bytes()); 676| 39.0k| } else { 677| 39.0k| return OutR{}; 678| 39.0k| } 679| 39.0k| }(in_range); 680| | 681| 39.0k| store_any>(out, std::forward(in_range)); 682| 39.0k| return out; 683| 39.0k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeERNS2_5arrayImLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS9_Esr3stdE21default_initializableIS9_Esr8conceptsE21resizable_byte_bufferIS9_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSE_: 664| 39.0k| auto out = []([[maybe_unused]] const auto& in) { 665| 39.0k| if constexpr(std::same_as) { 666| 39.0k| if constexpr(ranges::statically_spanable_range) { 667| 39.0k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 39.0k| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 39.0k| }(in_range); _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__15arrayIhLm2EEEEEEDaDpOT0_: 495| 2.91k|inline constexpr auto load_le(ParamTs&&... params) { 496| 2.91k| return detail::load_any(std::forward(params)...); 497| 2.91k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_: 397| 2.91k|inline constexpr auto load_any(InR&& in_range) { 398| 2.91k| auto out = []([[maybe_unused]] const auto& in) { 399| 2.91k| if constexpr(std::same_as) { 400| 2.91k| if constexpr(ranges::statically_spanable_range) { 401| 2.91k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 2.91k| using type = 405| 2.91k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 2.91k| static_assert( 412| 2.91k| !std::is_void_v, 413| 2.91k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 2.91k| return type{}; 416| 2.91k| } else { 417| 2.91k| static_assert( 418| 2.91k| !std::same_as, 419| 2.91k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 2.91k| } 421| 2.91k| } else if constexpr(concepts::resizable_container) { 422| 2.91k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 2.91k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 2.91k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 2.91k| "Input range is not word-aligned with the requested output range"); 426| 2.91k| return OutT(in_bytes / out_elem_bytes); 427| 2.91k| } else { 428| 2.91k| return OutT{}; 429| 2.91k| } 430| 2.91k| }(in_range); 431| | 432| 2.91k| using out_type = decltype(out); 433| 2.91k| if constexpr(unsigned_integralish) { 434| 2.91k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 2.91k| return out; 441| 2.91k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS8_EEDaSF_: 398| 2.91k| auto out = []([[maybe_unused]] const auto& in) { 399| 2.91k| if constexpr(std::same_as) { 400| 2.91k| if constexpr(ranges::statically_spanable_range) { 401| 2.91k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 2.91k| using type = 405| 2.91k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 2.91k| static_assert( 412| 2.91k| !std::is_void_v, 413| 2.91k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 2.91k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 2.91k| }(in_range); _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEtTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_: 278| 2.91k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 2.91k| using OutT = detail::wrapped_type; 280| 2.91k| ranges::assert_exact_byte_length(in_range); 281| | 282| 2.91k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 2.91k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 2.91k| return fallback_load_any(std::forward(in_range)); 288| 2.91k| } else { 289| 2.91k| const std::span in{in_range}; 290| 2.91k| if constexpr(sizeof(OutT) == 1) { 291| 2.91k| return static_cast(in[0]); 292| 2.91k| } else if constexpr(endianness == std::endian::native) { 293| 2.91k| return typecast_copy(in); 294| 2.91k| } else { 295| 2.91k| static_assert(opposite(endianness) == std::endian::native); 296| 2.91k| return reverse_bytes(typecast_copy(in)); 297| 2.91k| } 298| 2.91k| } 299| 2.91k| }()); 300| 2.91k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEtTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm2EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_ENKUlvE_clEv: 282| 2.91k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 2.91k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 2.91k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 2.91k| } else { 289| 2.91k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 2.91k| } else if constexpr(endianness == std::endian::native) { 293| 2.91k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 2.91k| } 299| 2.91k| }()); _ZZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 300| auto out = []([[maybe_unused]] const auto& in) { 665| 300| if constexpr(std::same_as) { 666| 300| if constexpr(ranges::statically_spanable_range) { 667| 300| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 300| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 300| }(in_range); _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm2EEETpTkNS0_20unsigned_integralishEJtEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clItS7_EEDaS9_SE_: 584| 300| auto store_one = [off = 0](auto o, T i) mutable { 585| 300| store_any(i, o.subspan(off).template first()); 586| 300| off += sizeof(T); 587| 300| }; _ZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm2EEETpTkNS0_20unsigned_integralishEJtEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 300|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 300| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 300| auto store_one = [off = 0](auto o, T i) mutable { 585| 300| store_any(i, o.subspan(off).template first()); 586| 300| off += sizeof(T); 587| 300| }; 588| | 589| 300| (store_one(std::span{out}, ins), ...); 590| 300|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm2EEETkNS4_14spanable_rangeENS6_ItLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 300|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 300| ranges::assert_equal_byte_lengths(out, in); 605| 300| using element_type = std::ranges::range_value_t; 606| | 607| 300| auto store_elementwise = [&] { 608| 300| constexpr size_t bytes_per_element = sizeof(element_type); 609| 300| std::span out_s(out); 610| 300| for(auto in_elem : in) { 611| 300| store_any(out_s.template first(), in_elem); 612| 300| out_s = out_s.subspan(bytes_per_element); 613| 300| } 614| 300| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 300| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 300] ------------------ 620| 0| store_elementwise(); 621| 300| } else { 622| | if constexpr(endianness == std::endian::native && !custom_storable) { 623| | typecast_copy(out, in); 624| 300| } else { 625| 300| store_elementwise(); 626| 300| } 627| 300| } 628| 300|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 300|inline constexpr auto store_any(InR&& in_range) { 664| 300| auto out = []([[maybe_unused]] const auto& in) { 665| 300| if constexpr(std::same_as) { 666| 300| if constexpr(ranges::statically_spanable_range) { 667| 300| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 300| return std::array(); 669| 300| } else { 670| 300| static_assert( 671| 300| !std::same_as, 672| 300| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 300| } 674| 300| } else if constexpr(concepts::resizable_byte_buffer) { 675| 300| return OutR(std::span{in}.size_bytes()); 676| 300| } else { 677| 300| return OutR{}; 678| 300| } 679| 300| }(in_range); 680| | 681| 300| store_any>(out, std::forward(in_range)); 682| 300| return out; 683| 300|} _ZN5Botan6detail9store_anyILNSt3__16endianE64206ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJtEQ10all_same_vIDpT1_EEEDaS6_: 696| 300|inline constexpr auto store_any(Ts... ins) { 697| 300| return store_any(std::array{ins...}); 698| 300|} _ZN5Botan8store_beINS_6detail10AutoDetectEJtEEEDaDpOT0_: 745| 300|inline constexpr auto store_be(ParamTs&&... params) { 746| 300| return detail::store_any(std::forward(params)...); 747| 300|} _ZN5Botan7load_leINS_6detail10AutoDetectEJNSt3__15arrayIhLm4EEEEEEDaDpOT0_: 495| 49.7k|inline constexpr auto load_le(ParamTs&&... params) { 496| 49.7k| return detail::load_any(std::forward(params)...); 497| 49.7k|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_: 397| 49.7k|inline constexpr auto load_any(InR&& in_range) { 398| 49.7k| auto out = []([[maybe_unused]] const auto& in) { 399| 49.7k| if constexpr(std::same_as) { 400| 49.7k| if constexpr(ranges::statically_spanable_range) { 401| 49.7k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 49.7k| using type = 405| 49.7k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 49.7k| static_assert( 412| 49.7k| !std::is_void_v, 413| 49.7k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 49.7k| return type{}; 416| 49.7k| } else { 417| 49.7k| static_assert( 418| 49.7k| !std::same_as, 419| 49.7k| "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| 49.7k| } 421| 49.7k| } else if constexpr(concepts::resizable_container) { 422| 49.7k| const size_t in_bytes = std::span{in}.size_bytes(); 423| 49.7k| constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| 49.7k| BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| 49.7k| "Input range is not word-aligned with the requested output range"); 426| 49.7k| return OutT(in_bytes / out_elem_bytes); 427| 49.7k| } else { 428| 49.7k| return OutT{}; 429| 49.7k| } 430| 49.7k| }(in_range); 431| | 432| 49.7k| using out_type = decltype(out); 433| 49.7k| if constexpr(unsigned_integralish) { 434| 49.7k| out = load_any(std::forward(in_range)); 435| | } else { 436| | static_assert(ranges::contiguous_range); 437| | using out_range_type = std::ranges::range_value_t; 438| | load_any(out, std::forward(in_range)); 439| | } 440| 49.7k| return out; 441| 49.7k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQoosr3stdE7same_asIS4_T0_Eaaoosr6rangesE25statically_spanable_rangeIS9_Esr8conceptsE19resizable_containerIS9_E20unsigned_integralishINS9_10value_typeEEEEDaOT1_ENKUlRKT_E_clIS8_EEDaSF_: 398| 49.7k| auto out = []([[maybe_unused]] const auto& in) { 399| 49.7k| if constexpr(std::same_as) { 400| 49.7k| if constexpr(ranges::statically_spanable_range) { 401| 49.7k| constexpr size_t extent = decltype(std::span{in})::extent; 402| | 403| | // clang-format off 404| 49.7k| using type = 405| 49.7k| std::conditional_t>>>; 409| | // clang-format on 410| | 411| 49.7k| static_assert( 412| 49.7k| !std::is_void_v, 413| 49.7k| "Cannot determine the output type based on a statically sized bytearray with length other than those: 1, 2, 4, 8"); 414| | 415| 49.7k| return type{}; 416| | } else { 417| | static_assert( 418| | !std::same_as, 419| | "cannot infer return type from a dynamic range at compile time, please specify it explicitly"); 420| | } 421| | } else if constexpr(concepts::resizable_container) { 422| | const size_t in_bytes = std::span{in}.size_bytes(); 423| | constexpr size_t out_elem_bytes = sizeof(typename OutT::value_type); 424| | BOTAN_ARG_CHECK(in_bytes % out_elem_bytes == 0, 425| | "Input range is not word-aligned with the requested output range"); 426| | return OutT(in_bytes / out_elem_bytes); 427| | } else { 428| | return OutT{}; 429| | } 430| 49.7k| }(in_range); _ZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_: 278| 49.7k|inline constexpr WrappedOutT load_any(InR&& in_range) { 279| 49.7k| using OutT = detail::wrapped_type; 280| 49.7k| ranges::assert_exact_byte_length(in_range); 281| | 282| 49.7k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 49.7k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { 287| 49.7k| return fallback_load_any(std::forward(in_range)); 288| 49.7k| } else { 289| 49.7k| const std::span in{in_range}; 290| 49.7k| if constexpr(sizeof(OutT) == 1) { 291| 49.7k| return static_cast(in[0]); 292| 49.7k| } else if constexpr(endianness == std::endian::native) { 293| 49.7k| return typecast_copy(in); 294| 49.7k| } else { 295| 49.7k| static_assert(opposite(endianness) == std::endian::native); 296| 49.7k| return reverse_bytes(typecast_copy(in)); 297| 49.7k| } 298| 49.7k| } 299| 49.7k| }()); 300| 49.7k|} _ZZN5Botan6detail8load_anyILNSt3__16endianE57005ETkNS0_20unsigned_integralishEjTkNS_6ranges16contiguous_rangeIhEENS2_5arrayIhLm4EEEQnt15custom_loadableINS0_19wrapped_type_helperIu14__remove_cvrefIT0_EE4typeEEEES9_OT1_ENKUlvE_clEv: 282| 49.7k| return detail::wrap_strong_type_or_enum([&]() -> OutT { 283| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 284| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 285| | // in a `constexpr` context. 286| 49.7k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (286:10): [Folded, False: 49.7k] ------------------ 287| 0| return fallback_load_any(std::forward(in_range)); 288| 49.7k| } else { 289| 49.7k| const std::span in{in_range}; 290| | if constexpr(sizeof(OutT) == 1) { 291| | return static_cast(in[0]); 292| 49.7k| } else if constexpr(endianness == std::endian::native) { 293| 49.7k| return typecast_copy(in); 294| | } else { 295| | static_assert(opposite(endianness) == std::endian::native); 296| | return reverse_bytes(typecast_copy(in)); 297| | } 298| 49.7k| } 299| 49.7k| }()); _ZZN5Botan6detail9store_anyILNSt3__16endianE64206EtTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm2EEETkNS4_14spanable_rangeENS6_ItLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_ENKUlvE_clEv: 607| 300| auto store_elementwise = [&] { 608| 300| constexpr size_t bytes_per_element = sizeof(element_type); 609| 300| std::span out_s(out); 610| 300| for(auto in_elem : in) { ------------------ | Branch (610:24): [True: 300, False: 300] ------------------ 611| 300| store_any(out_s.template first(), in_elem); 612| 300| out_s = out_s.subspan(bytes_per_element); 613| 300| } 614| 300| }; _ZN5Botan8store_leINS_6detail10AutoDetectEJRPhmmmmEEEDaDpOT0_: 736| 2|inline constexpr auto store_le(ParamTs&&... params) { 737| 2| return detail::store_any(std::forward(params)...); 738| 2|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS0_20unsigned_integralishEmTpTkNS0_20unsigned_integralishEJmmmEQaaoosr3stdE7same_asIS4_T0_Esr3stdE7same_asIT1_S5_E10all_same_vIS6_DpT2_EEEvPhS6_S8_: 723| 2|inline constexpr void store_any(uint8_t out[], T0 in0, Ts... ins) { 724| 2| constexpr auto bytes = sizeof(in0) + (sizeof(ins) + ... + 0); 725| | // asserts that *out points to the correct amount of memory 726| 2| store_any(std::span(out, bytes), in0, ins...); 727| 2|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm32EEETpTkNS0_20unsigned_integralishEJmmmmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_: 582| 2|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, Ts... ins) { 583| 2| ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out); 584| 2| auto store_one = [off = 0](auto o, T i) mutable { 585| 2| store_any(i, o.subspan(off).template first()); 586| 2| off += sizeof(T); 587| 2| }; 588| | 589| 2| (store_one(std::span{out}, ins), ...); 590| 2|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005EmTkNS_6ranges23contiguous_output_rangeIhEENS2_4spanIhLm32EEETpTkNS0_20unsigned_integralishEJmmmmEQaagtsZT2_Li0Eooaasr3stdE7same_asINS0_10AutoDetectET0_E10all_same_vIDpT2_Eaa20unsigned_integralishIS9_E10all_same_vIS9_SB_EEEvOT1_SB_ENUlTyS9_T_E_clImS7_EEDaS9_SE_: 584| 8| auto store_one = [off = 0](auto o, T i) mutable { 585| 8| store_any(i, o.subspan(off).template first()); 586| 8| off += sizeof(T); 587| 8| }; _ZN5Botan7load_leINS_6detail10AutoDetectEJRNSt3__15arrayImLm7EEERNS3_4spanIKhLm56EEEEEEDaDpOT0_: 495| 2|inline constexpr auto load_le(ParamTs&&... params) { 496| 2| return detail::load_any(std::forward(params)...); 497| 2|} _ZN5Botan6detail8load_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeERNS2_5arrayImLm7EEETkNS5_16contiguous_rangeIhEENS2_4spanIKhLm56EEEQaa20unsigned_integralishINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT1_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISR_SQ_EEEvOSH_RKT2_: 355| 2|inline constexpr void load_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 356| 2| ranges::assert_equal_byte_lengths(out, in); 357| 2| using element_type = std::ranges::range_value_t; 358| | 359| 2| auto load_elementwise = [&] { 360| 2| constexpr size_t bytes_per_element = sizeof(element_type); 361| 2| std::span in_s(in); 362| 2| for(auto& out_elem : out) { 363| 2| out_elem = load_any(in_s.template first()); 364| 2| in_s = in_s.subspan(bytes_per_element); 365| 2| } 366| 2| }; 367| | 368| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 369| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 370| | // in a `constexpr` context. 371| 2| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (371:7): [Folded, False: 2] ------------------ 372| 0| load_elementwise(); 373| 2| } else { 374| 2| if constexpr(endianness == std::endian::native && !custom_loadable) { 375| 2| typecast_copy(out, in); 376| | } else { 377| | load_elementwise(); 378| | } 379| 2| } 380| 2|} _ZN5Botan8store_leINS_6detail10AutoDetectEJRNSt3__14spanIhLm56EEENS3_5arrayImLm7EEEEEEDaDpOT0_: 736| 1|inline constexpr auto store_le(ParamTs&&... params) { 737| 1| return detail::store_any(std::forward(params)...); 738| 1|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges23contiguous_output_rangeIhEERNS2_4spanIhLm56EEETkNS5_14spanable_rangeENS2_5arrayImLm7EEEQoosr3stdE7same_asIS4_T0_Esr3stdE7same_asISC_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISK_EESL_E4type10value_typeEEEEvOT1_RKSH_: 603| 1|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 1| ranges::assert_equal_byte_lengths(out, in); 605| 1| using element_type = std::ranges::range_value_t; 606| | 607| 1| auto store_elementwise = [&] { 608| 1| constexpr size_t bytes_per_element = sizeof(element_type); 609| 1| std::span out_s(out); 610| 1| for(auto in_elem : in) { 611| 1| store_any(out_s.template first(), in_elem); 612| 1| out_s = out_s.subspan(bytes_per_element); 613| 1| } 614| 1| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 1| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 1] ------------------ 620| 0| store_elementwise(); 621| 1| } else { 622| 1| if constexpr(endianness == std::endian::native && !custom_storable) { 623| 1| typecast_copy(out, in); 624| | } else { 625| | store_elementwise(); 626| | } 627| 1| } 628| 1|} _ZN5Botan8store_leINS_6detail10AutoDetectEJRtEEEDaDpOT0_: 736| 3.88k|inline constexpr auto store_le(ParamTs&&... params) { 737| 3.88k| return detail::store_any(std::forward(params)...); 738| 3.88k|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETpTkNS0_20unsigned_integralishEJtEQ10all_same_vIDpT1_EEEDaS6_: 696| 3.88k|inline constexpr auto store_any(Ts... ins) { 697| 3.88k| return store_any(std::array{ins...}); 698| 3.88k|} _ZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_: 663| 3.88k|inline constexpr auto store_any(InR&& in_range) { 664| 3.88k| auto out = []([[maybe_unused]] const auto& in) { 665| 3.88k| if constexpr(std::same_as) { 666| 3.88k| if constexpr(ranges::statically_spanable_range) { 667| 3.88k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 3.88k| return std::array(); 669| 3.88k| } else { 670| 3.88k| static_assert( 671| 3.88k| !std::same_as, 672| 3.88k| "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| 3.88k| } 674| 3.88k| } else if constexpr(concepts::resizable_byte_buffer) { 675| 3.88k| return OutR(std::span{in}.size_bytes()); 676| 3.88k| } else { 677| 3.88k| return OutR{}; 678| 3.88k| } 679| 3.88k| }(in_range); 680| | 681| 3.88k| store_any>(out, std::forward(in_range)); 682| 3.88k| return out; 683| 3.88k|} _ZZN5Botan6detail9store_anyILNSt3__16endianE57005ENS0_10AutoDetectETkNS_6ranges14spanable_rangeENS2_5arrayItLm1EEEQoooosr3stdE7same_asIS4_T0_Eaasr6rangesE25statically_spanable_rangeIS8_Esr3stdE21default_initializableIS8_Esr8conceptsE21resizable_byte_bufferIS8_EEEDaOT1_ENKUlRKT_E_clIS7_EEDaSD_: 664| 3.88k| auto out = []([[maybe_unused]] const auto& in) { 665| 3.88k| if constexpr(std::same_as) { 666| 3.88k| if constexpr(ranges::statically_spanable_range) { 667| 3.88k| constexpr size_t bytes = decltype(std::span{in})::extent * sizeof(std::ranges::range_value_t); 668| 3.88k| return std::array(); 669| | } else { 670| | static_assert( 671| | !std::same_as, 672| | "cannot infer a suitable result container type from the given parameters at compile time, please specify it explicitly"); 673| | } 674| | } else if constexpr(concepts::resizable_byte_buffer) { 675| | return OutR(std::span{in}.size_bytes()); 676| | } else { 677| | return OutR{}; 678| | } 679| 3.88k| }(in_range); _ZN5Botan6detail9store_anyILNSt3__16endianE57005EtTkNS_6ranges23contiguous_output_rangeIhEERNS2_5arrayIhLm2EEETkNS4_14spanable_rangeENS6_ItLm1EEEQoosr3stdE7same_asINS0_10AutoDetectET0_Esr3stdE7same_asISB_NS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT2_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEEvOT1_RKSG_: 603| 3.88k|inline constexpr void store_any(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 604| 3.88k| ranges::assert_equal_byte_lengths(out, in); 605| 3.88k| using element_type = std::ranges::range_value_t; 606| | 607| 3.88k| auto store_elementwise = [&] { 608| 3.88k| constexpr size_t bytes_per_element = sizeof(element_type); 609| 3.88k| std::span out_s(out); 610| 3.88k| for(auto in_elem : in) { 611| 3.88k| store_any(out_s.template first(), in_elem); 612| 3.88k| out_s = out_s.subspan(bytes_per_element); 613| 3.88k| } 614| 3.88k| }; 615| | 616| | // At compile time we cannot use `typecast_copy` as it uses `std::memcpy` 617| | // internally to copy ranges on a byte-by-byte basis, which is not allowed 618| | // in a `constexpr` context. 619| 3.88k| if(std::is_constant_evaluated()) /* TODO: C++23: if consteval {} */ { ------------------ | Branch (619:7): [Folded, False: 3.88k] ------------------ 620| 0| store_elementwise(); 621| 3.88k| } else { 622| 3.88k| if constexpr(endianness == std::endian::native && !custom_storable) { 623| 3.88k| typecast_copy(out, in); 624| | } else { 625| | store_elementwise(); 626| | } 627| 3.88k| } 628| 3.88k|} _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EEC2Ev: 42| 2| MerkleDamgard_Hash() { clear(); } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE5clearEv: 70| 4| void clear() { 71| 4| MD::init(m_digest); 72| 4| m_buffer.clear(); 73| 4| m_count = 0; 74| 4| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE6updateENSt3__14spanIKhLm18446744073709551615EEE: 44| 2| void update(std::span input) { 45| 2| BufferSlicer in(input); 46| | 47| 4| while(!in.empty()) { ------------------ | Branch (47:16): [True: 2, False: 2] ------------------ 48| 2| if(const auto one_block = m_buffer.handle_unaligned_data(in)) { ------------------ | Branch (48:27): [True: 0, False: 2] ------------------ 49| 0| MD::compress_n(m_digest, one_block.value(), 1); 50| 0| } 51| | 52| 2| if(m_buffer.in_alignment()) { ------------------ | Branch (52:16): [True: 0, False: 2] ------------------ 53| 0| const auto [aligned_data, full_blocks] = m_buffer.aligned_data_to_process(in); 54| 0| if(full_blocks > 0) { ------------------ | Branch (54:19): [True: 0, False: 0] ------------------ 55| 0| MD::compress_n(m_digest, aligned_data, full_blocks); 56| 0| } 57| 0| } 58| 2| } 59| | 60| 2| m_count += input.size(); 61| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE5finalENSt3__14spanIhLm18446744073709551615EEE: 63| 2| void final(std::span output) { 64| 2| append_padding_bit(); 65| 2| append_counter_and_finalize(); 66| 2| copy_output(output); 67| 2| clear(); 68| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE18append_padding_bitEv: 77| 2| void append_padding_bit() { 78| 2| BOTAN_ASSERT_NOMSG(!m_buffer.ready_to_consume()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 79| 2| if constexpr(MD::bit_endianness == MD_Endian::Big) { 80| 2| const uint8_t final_byte = 0x80; 81| 2| m_buffer.append({&final_byte, 1}); 82| | } else { 83| | const uint8_t final_byte = 0x01; 84| | m_buffer.append({&final_byte, 1}); 85| | } 86| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE27append_counter_and_finalizeEv: 88| 2| void append_counter_and_finalize() { 89| | // Compress the remaining data if the final data block does not provide 90| | // enough space for the counter bytes. 91| 2| if(m_buffer.elements_until_alignment() < MD::ctr_bytes) { ------------------ | Branch (91:13): [True: 0, False: 2] ------------------ 92| 0| m_buffer.fill_up_with_zeros(); 93| 0| MD::compress_n(m_digest, m_buffer.consume(), 1); 94| 0| } 95| | 96| | // Make sure that any remaining bytes in the very last block are zero. 97| 2| BOTAN_ASSERT_NOMSG(m_buffer.elements_until_alignment() >= MD::ctr_bytes); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 98| 2| m_buffer.fill_up_with_zeros(); 99| | 100| | // Replace a bunch of the right-most zero-padding with the counter bytes. 101| 2| const uint64_t bit_count = m_count * 8; 102| 2| auto last_bytes = m_buffer.directly_modify_last(sizeof(bit_count)); 103| 2| if constexpr(MD::byte_endianness == MD_Endian::Big) { 104| 2| store_be(bit_count, last_bytes.data()); 105| | } else { 106| | store_le(bit_count, last_bytes.data()); 107| | } 108| | 109| | // Compress the very last block. 110| 2| MD::compress_n(m_digest, m_buffer.consume(), 1); 111| 2| } _ZN5Botan18MerkleDamgard_HashINS_7SHA_512EE11copy_outputENSt3__14spanIhLm18446744073709551615EEE: 113| 2| void copy_output(std::span output) { 114| 2| BOTAN_ASSERT_NOMSG(output.size() >= MD::output_bytes); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 115| | 116| 2| if constexpr(MD::byte_endianness == MD_Endian::Big) { 117| 2| copy_out_be(output.first(MD::output_bytes), m_digest); 118| | } else { 119| | copy_out_le(output.first(MD::output_bytes), m_digest); 120| | } 121| 2| } _ZN5Botan14zeroize_bufferITkNSt3__117unsigned_integralEmEEvPT_m: 37| 49.3M|inline void zeroize_buffer(T buf[], size_t n) { 38| 49.3M| if(n > 0) { ------------------ | Branch (38:7): [True: 47.1M, False: 2.20M] ------------------ 39| 47.1M| std::memset(buf, 0, sizeof(T) * n); 40| 47.1M| } 41| 49.3M|} _ZN5Botan21unchecked_copy_memoryITkNSt3__117unsigned_integralEmEEvPT_PKS2_m: 44| 5.91M|inline void unchecked_copy_memory(T* out, const T* in, size_t n) { 45| 5.91M| if(in != nullptr && out != nullptr && n > 0) { ------------------ | Branch (45:7): [True: 5.91M, False: 0] | Branch (45:24): [True: 5.91M, False: 0] | Branch (45:42): [True: 5.91M, False: 0] ------------------ 46| 5.91M| std::memmove(out, in, sizeof(T) * n); 47| 5.91M| } 48| 5.91M|} _ZN5Botan14zeroize_bufferITkNSt3__117unsigned_integralEhEEvPT_m: 37| 6|inline void zeroize_buffer(T buf[], size_t n) { 38| 6| if(n > 0) { ------------------ | Branch (38:7): [True: 6, False: 0] ------------------ 39| 6| std::memset(buf, 0, sizeof(T) * n); 40| 6| } 41| 6|} _ZN5Botan27ML_DSA_Symmetric_PrimitivesC2ERKNS_18DilithiumConstantsE: 65| 169| Dilithium_Symmetric_Primitives_Base(mode, std::make_unique()), 66| 169| m_seed_expansion_domain_separator({mode.k(), mode.l()}) {} _ZNK5Botan27ML_DSA_Symmetric_Primitives31seed_expansion_domain_separatorEv: 92| 83| std::optional> seed_expansion_domain_separator() const override { 93| 83| return m_seed_expansion_domain_separator; 94| 83| } _ZNK5Botan27ML_KEM_Symmetric_Primitives31seed_expansion_domain_separatorERKNS_14KyberConstantsE: 59| 30| std::optional> seed_expansion_domain_separator(const KyberConstants& mode) const override { 60| | // NIST FIPS 203, Algorithm 13 (K-PKE.KeyGen) 61| | // Byte 33 of the input to G is the module dimension k from {2,3,4}. 62| | // This is included to establish domain separation between the three 63| | // parameter sets 64| 30| return std::array{mode.k()}; 65| 30| } _ZNK5Botan27ML_KEM_Symmetric_Primitives8create_GEv: 67| 30| std::unique_ptr create_G() const override { return HashFunction::create_or_throw("SHA-3(512)"); } _ZNK5Botan27ML_KEM_Symmetric_Primitives8create_HEv: 69| 30| std::unique_ptr create_H() const override { return HashFunction::create_or_throw("SHA-3(256)"); } _ZNK5Botan27ML_KEM_Symmetric_Primitives10create_PRFENSt3__14spanIKhLm18446744073709551615EEEh: 79| 30| std::unique_ptr create_PRF(std::span seed, const uint8_t nonce) const override { 80| 30| auto xof = Botan::XOF::create_or_throw("SHAKE-256"); 81| 30| init_PRF(*xof, seed, nonce); 82| 30| return xof; 83| 30| } _ZNK5Botan27ML_KEM_Symmetric_Primitives8init_PRFERNS_3XOFENSt3__14spanIKhLm18446744073709551615EEEh: 85| 184| void init_PRF(Botan::XOF& xof, std::span seed, const uint8_t nonce) const override { 86| 184| xof.clear(); 87| 184| xof.update(seed); 88| 184| xof.update(store_be(nonce)); 89| 184| } _ZNK5Botan27ML_KEM_Symmetric_Primitives10create_XOFENSt3__14spanIKhLm18446744073709551615EEENS1_5tupleIJhhEEE: 92| 30| std::tuple matrix_position) const override { 93| 30| auto xof = Botan::XOF::create_or_throw("SHAKE-128"); 94| 30| init_XOF(*xof, seed, matrix_position); 95| 30| return xof; 96| 30| } _ZNK5Botan27ML_KEM_Symmetric_Primitives8init_XOFERNS_3XOFENSt3__14spanIKhLm18446744073709551615EEENS3_5tupleIJhhEEE: 100| 300| std::tuple matrix_position) const override { 101| 300| xof.clear(); 102| 300| xof.update(seed); 103| 300| xof.update(store_be(make_uint16(std::get<0>(matrix_position), std::get<1>(matrix_position)))); 104| 300| } _ZNK5Botan17Montgomery_Params1pEv: 41| 12.5M| const BigInt& p() const { return m_data->p(); } _ZNK5Botan17Montgomery_Params2R1Ev: 43| 11.0k| const BigInt& R1() const { return m_data->r1(); } _ZNK5Botan17Montgomery_Params2R2Ev: 45| 23.4k| const BigInt& R2() const { return m_data->r2(); } _ZNK5Botan17Montgomery_Params2R3Ev: 47| 1.36k| const BigInt& R3() const { return m_data->r3(); } _ZNK5Botan17Montgomery_Params6p_dashEv: 49| 12.5M| word p_dash() const { return m_data->p_dash(); } _ZNK5Botan17Montgomery_Params7p_wordsEv: 51| 14.0M| size_t p_words() const { return m_data->p_size(); } _ZNK5Botan17Montgomery_Params4Data1pEv: 76| 12.5M| const BigInt& p() const { return m_p; } _ZNK5Botan17Montgomery_Params4Data2r1Ev: 78| 11.0k| const BigInt& r1() const { return m_r1; } _ZNK5Botan17Montgomery_Params4Data2r2Ev: 80| 23.4k| const BigInt& r2() const { return m_r2; } _ZNK5Botan17Montgomery_Params4Data2r3Ev: 82| 1.36k| const BigInt& r3() const { return m_r3; } _ZNK5Botan17Montgomery_Params4Data6p_dashEv: 84| 12.5M| word p_dash() const { return m_p_dash; } _ZNK5Botan17Montgomery_Params4Data6p_sizeEv: 86| 14.0M| size_t p_size() const { return m_p_words; } _ZNK5Botan14Montgomery_Int4reprEv: 143| 1.93M| const secure_vector& repr() const { return m_v; } _ZNK5Botan14Montgomery_Int18_const_time_poisonEv: 159| 26.2k| void _const_time_poison() const { CT::poison(m_v); } _ZNK5Botan14Montgomery_Int20_const_time_unpoisonEv: 161| 3.59k| void _const_time_unpoison() const { CT::unpoison(m_v); } _ZNK5Botan14Montgomery_Int7_paramsEv: 163| 3.65k| const Montgomery_Params& _params() const { return m_params; } _ZN5Botan17monty_exp_vartimeERKNS_17Montgomery_ParamsERKNS_6BigIntES5_: 54| 2.01k|inline Montgomery_Int monty_exp_vartime(const Montgomery_Params& params_p, const BigInt& g, const BigInt& k) { 55| 2.01k| auto precomputed = monty_precompute(params_p, g, 4, false); 56| 2.01k| return monty_execute_vartime(*precomputed, k); 57| 2.01k|} _ZN5Botan10word8_add2ITkNS_8WordTypeEmEET_PS1_PKS1_S1_: 268| 471|inline constexpr auto word8_add2(W x[8], const W y[8], W carry) -> W { 269| 471|#if defined(BOTAN_MP_USE_X86_64_ASM) 270| 471| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (270:7): [True: 0, Folded] | Branch (270:36): [True: 0, Folded] ------------------ 271| 471| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq")) 272| 471| : [carry] "=r"(carry) 273| 471| : [x] "r"(x), [y] "r"(y), "0"(carry) 274| 471| : "cc", "memory"); 275| 471| return carry; 276| 471| } 277| 0|#endif 278| | 279| 0| x[0] = word_add(x[0], y[0], &carry); 280| 0| x[1] = word_add(x[1], y[1], &carry); 281| 0| x[2] = word_add(x[2], y[2], &carry); 282| 0| x[3] = word_add(x[3], y[3], &carry); 283| 0| x[4] = word_add(x[4], y[4], &carry); 284| 0| x[5] = word_add(x[5], y[5], &carry); 285| 0| x[6] = word_add(x[6], y[6], &carry); 286| 0| x[7] = word_add(x[7], y[7], &carry); 287| 0| return carry; 288| 471|} _ZN5Botan8word_addITkNS_8WordTypeEmEET_S1_S1_PS1_: 231| 72.0M|inline constexpr auto word_add(W x, W y, W* carry) -> W { 232| 72.0M|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_addc) 233| 72.0M| if(!std::is_constant_evaluated()) { ------------------ | Branch (233:7): [True: 72.0M, Folded] ------------------ 234| | if constexpr(std::same_as) { 235| | return __builtin_addc(x, y, *carry & 1, carry); 236| 72.0M| } else if constexpr(std::same_as) { 237| 72.0M| return __builtin_addcl(x, y, *carry & 1, carry); 238| | } else if constexpr(std::same_as) { 239| | return __builtin_addcll(x, y, *carry & 1, carry); 240| | } 241| 72.0M| } 242| 0|#endif 243| | 244| | if constexpr(WordInfo::dword_is_native && use_dword_for_word_add) { 245| | /* 246| | TODO(Botan4) this is largely a performance hack for GCCs that don't 247| | support __builtin_addc, if we increase the minimum supported version of 248| | GCC to GCC 14 then we can remove this and not worry about it 249| | */ 250| | const W cb = *carry & 1; 251| | const auto s = typename WordInfo::dword(x) + y + cb; 252| | *carry = static_cast(s >> WordInfo::bits); 253| | return static_cast(s); 254| 72.0M| } else { 255| 72.0M| const W cb = *carry & 1; 256| 72.0M| W z = x + y; 257| 72.0M| W c1 = (z < x); 258| 72.0M| z += cb; 259| 72.0M| *carry = c1 | (z < cb); 260| 72.0M| return z; 261| 72.0M| } 262| 72.0M|} _ZN5Botan10word8_sub2ITkNS_8WordTypeEmEET_PS1_PKS1_S1_: 345| 1.56M|inline constexpr auto word8_sub2(W x[8], const W y[8], W carry) -> W { 346| 1.56M|#if defined(BOTAN_MP_USE_X86_64_ASM) 347| 1.56M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (347:7): [True: 0, Folded] | Branch (347:36): [True: 0, Folded] ------------------ 348| 1.56M| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq")) 349| 1.56M| : [carry] "=r"(carry) 350| 1.56M| : [x] "r"(x), [y] "r"(y), "0"(carry) 351| 1.56M| : "cc", "memory"); 352| 1.56M| return carry; 353| 1.56M| } 354| 0|#endif 355| | 356| 0| x[0] = word_sub(x[0], y[0], &carry); 357| 0| x[1] = word_sub(x[1], y[1], &carry); 358| 0| x[2] = word_sub(x[2], y[2], &carry); 359| 0| x[3] = word_sub(x[3], y[3], &carry); 360| 0| x[4] = word_sub(x[4], y[4], &carry); 361| 0| x[5] = word_sub(x[5], y[5], &carry); 362| 0| x[6] = word_sub(x[6], y[6], &carry); 363| 0| x[7] = word_sub(x[7], y[7], &carry); 364| 0| return carry; 365| 1.56M|} _ZN5Botan8word_subITkNS_8WordTypeEmEET_S1_S1_PS1_: 320| 259M|inline constexpr auto word_sub(W x, W y, W* carry) -> W { 321| 259M|#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_subc) 322| 259M| if(!std::is_constant_evaluated()) { ------------------ | Branch (322:7): [True: 259M, Folded] ------------------ 323| | if constexpr(std::same_as) { 324| | return __builtin_subc(x, y, *carry & 1, carry); 325| 259M| } else if constexpr(std::same_as) { 326| 259M| return __builtin_subcl(x, y, *carry & 1, carry); 327| | } else if constexpr(std::same_as) { 328| | return __builtin_subcll(x, y, *carry & 1, carry); 329| | } 330| 259M| } 331| 0|#endif 332| | 333| 0| const W cb = *carry & 1; 334| 259M| W t0 = x - y; 335| 259M| W c1 = (t0 > x); 336| 259M| W z = t0 - cb; 337| 259M| *carry = c1 | (z > t0); 338| 259M| return z; 339| 259M|} _ZN5Botan10word8_sub3ITkNS_8WordTypeEmEET_PS1_PKS1_S4_S1_: 371| 16.0M|inline constexpr auto word8_sub3(W z[8], const W x[8], const W y[8], W carry) -> W { 372| 16.0M|#if defined(BOTAN_MP_USE_X86_64_ASM) 373| 16.0M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (373:7): [True: 0, Folded] | Branch (373:36): [True: 0, Folded] ------------------ 374| 16.0M| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq")) 375| 16.0M| : [carry] "=r"(carry) 376| 16.0M| : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry) 377| 16.0M| : "cc", "memory"); 378| 16.0M| return carry; 379| 16.0M| } 380| 0|#endif 381| | 382| 0| z[0] = word_sub(x[0], y[0], &carry); 383| 0| z[1] = word_sub(x[1], y[1], &carry); 384| 0| z[2] = word_sub(x[2], y[2], &carry); 385| 0| z[3] = word_sub(x[3], y[3], &carry); 386| 0| z[4] = word_sub(x[4], y[4], &carry); 387| 0| z[5] = word_sub(x[5], y[5], &carry); 388| 0| z[6] = word_sub(x[6], y[6], &carry); 389| 0| z[7] = word_sub(x[7], y[7], &carry); 390| 0| return carry; 391| 16.0M|} _ZN5Botan10word8_add3ITkNS_8WordTypeEmEET_PS1_PKS1_S4_S1_: 294| 1.54M|inline constexpr auto word8_add3(W z[8], const W x[8], const W y[8], W carry) -> W { 295| 1.54M|#if defined(BOTAN_MP_USE_X86_64_ASM) 296| 1.54M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (296:7): [True: 0, Folded] | Branch (296:36): [True: 0, Folded] ------------------ 297| 1.54M| asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq")) 298| 1.54M| : [carry] "=r"(carry) 299| 1.54M| : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry) 300| 1.54M| : "cc", "memory"); 301| 1.54M| return carry; 302| 1.54M| } 303| 0|#endif 304| | 305| 0| z[0] = word_add(x[0], y[0], &carry); 306| 0| z[1] = word_add(x[1], y[1], &carry); 307| 0| z[2] = word_add(x[2], y[2], &carry); 308| 0| z[3] = word_add(x[3], y[3], &carry); 309| 0| z[4] = word_add(x[4], y[4], &carry); 310| 0| z[5] = word_add(x[5], y[5], &carry); 311| 0| z[6] = word_add(x[6], y[6], &carry); 312| 0| z[7] = word_add(x[7], y[7], &carry); 313| 0| return carry; 314| 1.54M|} _ZN5Botan13word8_linmul3ITkNS_8WordTypeEmEET_PS1_PKS1_S1_S1_: 397| 34.8k|inline constexpr auto word8_linmul3(W z[8], const W x[8], W y, W carry) -> W { 398| 34.8k|#if defined(BOTAN_MP_USE_X86_64_ASM) 399| 34.8k| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (399:7): [True: 0, Folded] | Branch (399:36): [True: 0, Folded] ------------------ 400| 34.8k| asm(DO_8_TIMES(LINMUL_OP, "z") 401| 34.8k| : [carry] "=r"(carry) 402| 34.8k| : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry) 403| 34.8k| : "cc", "%rax", "%rdx", "memory"); 404| 34.8k| return carry; 405| 34.8k| } 406| 0|#endif 407| | 408| 0| z[0] = word_madd2(x[0], y, &carry); 409| 0| z[1] = word_madd2(x[1], y, &carry); 410| 0| z[2] = word_madd2(x[2], y, &carry); 411| 0| z[3] = word_madd2(x[3], y, &carry); 412| 0| z[4] = word_madd2(x[4], y, &carry); 413| 0| z[5] = word_madd2(x[5], y, &carry); 414| 0| z[6] = word_madd2(x[6], y, &carry); 415| 0| z[7] = word_madd2(x[7], y, &carry); 416| 0| return carry; 417| 34.8k|} _ZN5Botan10word_madd2ITkNS_8WordTypeEmEET_S1_S1_PS1_: 90| 11.0M|inline constexpr auto word_madd2(W a, W b, W* c) -> W { 91| 11.0M|#if defined(BOTAN_MP_USE_X86_64_ASM) 92| 11.0M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (92:7): [True: 0, Folded] | Branch (92:36): [True: 0, Folded] ------------------ 93| 11.0M| asm(R"( 94| 11.0M| mulq %[b] 95| 11.0M| addq %[c],%[a] 96| 11.0M| adcq $0,%[carry] 97| 11.0M| )" 98| 11.0M| : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*c) 99| 11.0M| : "0"(a), "1"(b), [c] "g"(*c) 100| 11.0M| : "cc"); 101| | 102| 11.0M| return a; 103| 11.0M| } 104| |#elif defined(BOTAN_MP_USE_AARCH64_ASM) 105| | if(std::same_as && !std::is_constant_evaluated()) { 106| | W lo = 0; 107| | W hi = 0; 108| | asm(R"( 109| | mul %[lo], %[a], %[b] 110| | umulh %[hi], %[a], %[b] 111| | adds %[lo], %[lo], %[c] 112| | adc %[hi], %[hi], xzr 113| | )" 114| | : [lo] "=&r"(lo), [hi] "=&r"(hi) 115| | : [a] "r"(a), [b] "r"(b), [c] "r"(*c) 116| | : "cc"); 117| | 118| | *c = hi; 119| | return lo; 120| | } 121| |#endif 122| | 123| 0| typedef typename WordInfo::dword dword; 124| 0| const dword s = dword(a) * b + *c; 125| 0| *c = static_cast(s >> WordInfo::bits); 126| 0| return static_cast(s); 127| 11.0M|} _ZN5Botan11word8_madd3ITkNS_8WordTypeEmEET_PS1_PKS1_S1_S1_: 423| 27.4M|inline constexpr auto word8_madd3(W z[8], const W x[8], W y, W carry) -> W { 424| 27.4M|#if defined(BOTAN_MP_USE_X86_64_ASM) 425| 27.4M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (425:7): [True: 0, Folded] | Branch (425:36): [True: 0, Folded] ------------------ 426| 27.4M| asm(DO_8_TIMES(MULADD_OP, "") 427| 27.4M| : [carry] "=r"(carry) 428| 27.4M| : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry) 429| 27.4M| : "cc", "%rax", "%rdx", "memory"); 430| 27.4M| return carry; 431| 27.4M| } 432| 0|#endif 433| | 434| 0| z[0] = word_madd3(x[0], y, z[0], &carry); 435| 0| z[1] = word_madd3(x[1], y, z[1], &carry); 436| 0| z[2] = word_madd3(x[2], y, z[2], &carry); 437| 0| z[3] = word_madd3(x[3], y, z[3], &carry); 438| 0| z[4] = word_madd3(x[4], y, z[4], &carry); 439| 0| z[5] = word_madd3(x[5], y, z[5], &carry); 440| 0| z[6] = word_madd3(x[6], y, z[6], &carry); 441| 0| z[7] = word_madd3(x[7], y, z[7], &carry); 442| 0| return carry; 443| 27.4M|} _ZN5Botan10word_madd3ITkNS_8WordTypeEmEET_S1_S1_S1_PS1_: 133| 148M|inline constexpr auto word_madd3(W a, W b, W c, W* d) -> W { 134| 148M|#if defined(BOTAN_MP_USE_X86_64_ASM) 135| 148M| if(std::same_as && !std::is_constant_evaluated()) { ------------------ | Branch (135:7): [True: 0, Folded] | Branch (135:36): [True: 0, Folded] ------------------ 136| 148M| asm(R"( 137| 148M| mulq %[b] 138| 148M| 139| 148M| addq %[c],%[a] 140| 148M| adcq $0,%[carry] 141| 148M| 142| 148M| addq %[d],%[a] 143| 148M| adcq $0,%[carry] 144| 148M| )" 145| 148M| : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*d) 146| 148M| : "0"(a), "1"(b), [c] "g"(c), [d] "g"(*d) 147| 148M| : "cc"); 148| | 149| 148M| return a; 150| 148M| } 151| |#elif defined(BOTAN_MP_USE_AARCH64_ASM) 152| | if(std::same_as && !std::is_constant_evaluated()) { 153| | W lo = 0; 154| | W hi = 0; 155| | asm(R"( 156| | mul %[lo], %[a], %[b] 157| | umulh %[hi], %[a], %[b] 158| | adds %[lo], %[lo], %[c] 159| | adc %[hi], %[hi], xzr 160| | adds %[lo], %[lo], %[d] 161| | adc %[hi], %[hi], xzr 162| | )" 163| | : [lo] "=&r"(lo), [hi] "=&r"(hi) 164| | : [a] "r"(a), [b] "r"(b), [c] "r"(c), [d] "r"(*d) 165| | : "cc"); 166| | 167| | *d = hi; 168| | return lo; 169| | } 170| |#endif 171| | 172| 0| typedef typename WordInfo::dword dword; 173| 0| const dword s = dword(a) * b + c + *d; 174| 0| *d = static_cast(s >> WordInfo::bits); 175| 0| return static_cast(s); 176| 148M|} _ZN5Botan5word3ImE3mulEmm: 460| 1.48G| inline constexpr void mul(W x, W y) { m_w += static_cast(x) * y; } _ZN5Botan5word3ImE7extractEv: 466| 477M| inline constexpr W extract() { 467| 477M| W r = static_cast(m_w); 468| 477M| m_w >>= WordInfo::bits; 469| 477M| return r; 470| 477M| } _ZN5Botan5word3ImE3addEm: 464| 280M| inline constexpr void add(W x) { m_w += x; } _ZN5Botan5word3ImE10monty_stepEmm: 472| 140M| inline constexpr W monty_step(W p0, W p_dash) { 473| 140M| const W w0 = static_cast(m_w); 474| 140M| const W r = w0 * p_dash; 475| 140M| mul(r, p0); 476| 140M| m_w >>= WordInfo::bits; 477| 140M| return r; 478| 140M| } _ZN5Botan5word3ImEC2Ev: 458| 58.7M| constexpr word3() : m_w(0) {} _ZN5Botan5word3ImE6mul_x2Emm: 462| 105M| inline constexpr void mul_x2(W x, W y) { m_w += static_cast(x) * y * 2; } _ZN5Botan11bigint_add2ITkNS_8WordTypeEmEET_PS1_mPKS1_m: 94| 149k|inline constexpr auto bigint_add2(W x[], size_t x_size, const W y[], size_t y_size) -> W { 95| 149k| W carry = 0; 96| | 97| 149k| BOTAN_ASSERT(x_size >= y_size, "Expected sizes"); ------------------ | | 64| 149k| do { \ | | 65| 149k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 149k| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 149k] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 149k| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 149k] | | ------------------ ------------------ 98| | 99| 149k| const size_t blocks = y_size - (y_size % 8); 100| | 101| 150k| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (101:22): [True: 471, False: 149k] ------------------ 102| 471| carry = word8_add2(x + i, y + i, carry); 103| 471| } 104| | 105| 449k| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (105:27): [True: 299k, False: 149k] ------------------ 106| 299k| x[i] = word_add(x[i], y[i], &carry); 107| 299k| } 108| | 109| 457k| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (109:27): [True: 307k, False: 149k] ------------------ 110| 307k| x[i] = word_add(x[i], static_cast(0), &carry); 111| 307k| } 112| | 113| 149k| return carry; 114| 149k|} _ZN5Botan10bigint_cmpITkNS_8WordTypeEmEEiPKT_mS3_m: 439| 3.18M|inline constexpr int32_t bigint_cmp(const W x[], size_t x_size, const W y[], size_t y_size) { 440| 3.18M| static_assert(sizeof(W) >= sizeof(uint32_t), "Size assumption"); 441| | 442| 3.18M| const W LT = static_cast(-1); 443| 3.18M| const W EQ = 0; 444| 3.18M| const W GT = 1; 445| | 446| 3.18M| const size_t common_elems = std::min(x_size, y_size); 447| | 448| 3.18M| W result = EQ; // until found otherwise 449| | 450| 26.9M| for(size_t i = 0; i != common_elems; i++) { ------------------ | Branch (450:22): [True: 23.7M, False: 3.18M] ------------------ 451| 23.7M| const auto is_eq = CT::Mask::is_equal(x[i], y[i]); 452| 23.7M| const auto is_lt = CT::Mask::is_lt(x[i], y[i]); 453| | 454| 23.7M| result = is_eq.select(result, is_lt.select(LT, GT)); 455| 23.7M| } 456| | 457| 3.18M| if(x_size < y_size) { ------------------ | Branch (457:7): [True: 4.72k, False: 3.18M] ------------------ 458| 4.72k| W mask = 0; 459| 19.3k| for(size_t i = x_size; i != y_size; i++) { ------------------ | Branch (459:30): [True: 14.6k, False: 4.72k] ------------------ 460| 14.6k| mask |= y[i]; 461| 14.6k| } 462| | 463| | // If any bits were set in high part of y, then x < y 464| 4.72k| result = CT::Mask::is_zero(mask).select(result, LT); 465| 3.18M| } else if(y_size < x_size) { ------------------ | Branch (465:14): [True: 18.2k, False: 3.16M] ------------------ 466| 18.2k| W mask = 0; 467| 64.4k| for(size_t i = y_size; i != x_size; i++) { ------------------ | Branch (467:30): [True: 46.1k, False: 18.2k] ------------------ 468| 46.1k| mask |= x[i]; 469| 46.1k| } 470| | 471| | // If any bits were set in high part of x, then x > y 472| 18.2k| result = CT::Mask::is_zero(mask).select(result, GT); 473| 18.2k| } 474| | 475| 3.18M| CT::unpoison(result); 476| 3.18M| BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ); ------------------ | | 130| 3.18M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.18M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.18M] | | ------------------ ------------------ 477| 3.18M| return static_cast(result); 478| 3.18M|} _ZN5Botan11bigint_sub2ITkNS_8WordTypeEmEET_PS1_mPKS1_m: 148| 3.10M|inline constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W { 149| 3.10M| W borrow = 0; 150| | 151| 3.10M| BOTAN_ASSERT(x_size >= y_size, "Expected sizes"); ------------------ | | 64| 3.10M| do { \ | | 65| 3.10M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 3.10M| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 3.10M] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 3.10M| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 3.10M] | | ------------------ ------------------ 152| | 153| 3.10M| const size_t blocks = y_size - (y_size % 8); 154| | 155| 4.66M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (155:22): [True: 1.56M, False: 3.10M] ------------------ 156| 1.56M| borrow = word8_sub2(x + i, y + i, borrow); 157| 1.56M| } 158| | 159| 17.1M| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (159:27): [True: 14.0M, False: 3.10M] ------------------ 160| 14.0M| x[i] = word_sub(x[i], y[i], &borrow); 161| 14.0M| } 162| | 163| 3.11M| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (163:27): [True: 10.4k, False: 3.10M] ------------------ 164| 10.4k| x[i] = word_sub(x[i], static_cast(0), &borrow); 165| 10.4k| } 166| | 167| 3.10M| return borrow; 168| 3.10M|} _ZN5Botan15bigint_sub2_revITkNS_8WordTypeEmEEvPT_PKS1_m: 174| 2.57k|inline constexpr void bigint_sub2_rev(W x[], const W y[], size_t y_size) { 175| 2.57k| W borrow = 0; 176| | 177| 14.0k| for(size_t i = 0; i != y_size; ++i) { ------------------ | Branch (177:22): [True: 11.4k, False: 2.57k] ------------------ 178| 11.4k| x[i] = word_sub(y[i], x[i], &borrow); 179| 11.4k| } 180| | 181| 2.57k| BOTAN_ASSERT(borrow == 0, "y must be greater than x"); ------------------ | | 64| 2.57k| do { \ | | 65| 2.57k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 2.57k| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 2.57k] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 2.57k| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 2.57k] | | ------------------ ------------------ 182| 2.57k|} _ZN5Botan11bigint_sub3ITkNS_8WordTypeEmEET_PS1_PKS1_mS4_m: 192| 16.7M|inline constexpr auto bigint_sub3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W { 193| 16.7M| W borrow = 0; 194| | 195| 16.7M| BOTAN_ASSERT(x_size >= y_size, "Expected sizes"); ------------------ | | 64| 16.7M| do { \ | | 65| 16.7M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 16.7M| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 16.7M] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 16.7M| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 16.7M] | | ------------------ ------------------ 196| | 197| 16.7M| const size_t blocks = y_size - (y_size % 8); 198| | 199| 24.3M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (199:22): [True: 7.53M, False: 16.7M] ------------------ 200| 7.53M| borrow = word8_sub3(z + i, x + i, y + i, borrow); 201| 7.53M| } 202| | 203| 62.5M| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (203:27): [True: 45.7M, False: 16.7M] ------------------ 204| 45.7M| z[i] = word_sub(x[i], y[i], &borrow); 205| 45.7M| } 206| | 207| 27.1M| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (207:27): [True: 10.3M, False: 16.7M] ------------------ 208| 10.3M| z[i] = word_sub(x[i], static_cast(0), &borrow); 209| 10.3M| } 210| | 211| 16.7M| return borrow; 212| 16.7M|} _ZN5Botan11bigint_add3ITkNS_8WordTypeEmEET_PS1_PKS1_mS4_m: 120| 6.26M|inline constexpr auto bigint_add3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W { 121| 6.26M| if(x_size < y_size) { ------------------ | Branch (121:7): [True: 21.1k, False: 6.24M] ------------------ 122| 21.1k| return bigint_add3(z, y, y_size, x, x_size); 123| 21.1k| } 124| | 125| 6.24M| W carry = 0; 126| | 127| 6.24M| const size_t blocks = y_size - (y_size % 8); 128| | 129| 7.79M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (129:22): [True: 1.54M, False: 6.24M] ------------------ 130| 1.54M| carry = word8_add3(z + i, x + i, y + i, carry); 131| 1.54M| } 132| | 133| 26.2M| for(size_t i = blocks; i != y_size; ++i) { ------------------ | Branch (133:27): [True: 19.9M, False: 6.24M] ------------------ 134| 19.9M| z[i] = word_add(x[i], y[i], &carry); 135| 19.9M| } 136| | 137| 6.35M| for(size_t i = y_size; i != x_size; ++i) { ------------------ | Branch (137:27): [True: 115k, False: 6.24M] ------------------ 138| 115k| z[i] = word_add(x[i], static_cast(0), &carry); 139| 115k| } 140| | 141| 6.24M| return carry; 142| 6.26M|} _ZN5Botan14bigint_cnd_addITkNS_8WordTypeEmEET_S1_PS1_PKS1_m: 45| 4.72M|inline constexpr W bigint_cnd_add(W cnd, W x[], const W y[], size_t size) { 46| 4.72M| const auto mask = CT::Mask::expand(cnd).value(); 47| | 48| 4.72M| W carry = 0; 49| | 50| 25.7M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (50:22): [True: 21.0M, False: 4.72M] ------------------ 51| 21.0M| x[i] = word_add(x[i], y[i] & mask, &carry); 52| 21.0M| } 53| | 54| 4.72M| return (mask & carry); 55| 4.72M|} _ZN5Botan14bigint_linmul3ITkNS_8WordTypeEmEEvPT_PKS1_mS1_: 416| 79.2k|inline constexpr void bigint_linmul3(W z[], const W x[], size_t x_size, W y) { 417| 79.2k| const size_t blocks = x_size - (x_size % 8); 418| | 419| 79.2k| W carry = 0; 420| | 421| 114k| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (421:22): [True: 34.8k, False: 79.2k] ------------------ 422| 34.8k| carry = word8_linmul3(z + i, x + i, y, carry); 423| 34.8k| } 424| | 425| 360k| for(size_t i = blocks; i != x_size; ++i) { ------------------ | Branch (425:27): [True: 281k, False: 79.2k] ------------------ 426| 281k| z[i] = word_madd2(x[i], y, &carry); 427| 281k| } 428| | 429| 79.2k| z[x_size] = carry; 430| 79.2k|} _ZN5Botan14bigint_linmul2ITkNS_8WordTypeEmEET_PS1_mS1_: 405| 1.04M|[[nodiscard]] inline constexpr auto bigint_linmul2(W x[], size_t x_size, W y) -> W { 406| 1.04M| W carry = 0; 407| | 408| 11.4M| for(size_t i = 0; i != x_size; ++i) { ------------------ | Branch (408:22): [True: 10.3M, False: 1.04M] ------------------ 409| 10.3M| x[i] = word_madd2(x[i], y, &carry); 410| 10.3M| } 411| | 412| 1.04M| return carry; 413| 1.04M|} _ZN5Botan14divide_precompImEC2Em: 574| 60.0k| explicit constexpr divide_precomp(W divisor) : m_divisor(divisor) { 575| 60.0k| BOTAN_ARG_CHECK(m_divisor != 0, "Division by zero"); ------------------ | | 35| 60.0k| do { \ | | 36| 60.0k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 60.0k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 60.0k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 60.0k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 60.0k] | | ------------------ ------------------ 576| 60.0k| } _ZNK5Botan14divide_precompImE16vartime_mod_2to1Emm: 644| 33.6k| inline constexpr W vartime_mod_2to1(W n1, W n0) const { 645| 33.6k| BOTAN_ASSERT_NOMSG(n1 < m_divisor); ------------------ | | 77| 33.6k| do { \ | | 78| 33.6k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 33.6k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 33.6k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 33.6k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 33.6k] | | ------------------ ------------------ 646| 33.6k| W q = this->vartime_div_2to1(n1, n0); 647| 33.6k| W carry = 0; 648| 33.6k| q = word_madd2(q, m_divisor, &carry); 649| 33.6k| return (n0 - q); 650| 33.6k| } _ZNK5Botan14divide_precompImE16vartime_div_2to1Emm: 581| 137k| inline constexpr W vartime_div_2to1(W n1, W n0) const { 582| 137k| BOTAN_ASSERT_NOMSG(n1 < m_divisor); ------------------ | | 77| 137k| do { \ | | 78| 137k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 137k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 137k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 137k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 137k] | | ------------------ ------------------ 583| | 584| 137k| if(m_divisor == WordInfo::max) { ------------------ | Branch (584:13): [True: 46.3k, False: 91.1k] ------------------ 585| 46.3k| return vartime_div_2to1_max_d(n1, n0); 586| 46.3k| } 587| | 588| 91.1k| if(m_divisor == WordInfo::top_bit) { ------------------ | Branch (588:13): [True: 3.92k, False: 87.2k] ------------------ 589| | // Simply a shift by N-1 bits 590| 3.92k| return (n1 << 1) | (n0 >> (WordInfo::bits - 1)); 591| 3.92k| } 592| | 593| 87.2k| if(!std::is_constant_evaluated()) { ------------------ | Branch (593:13): [True: 87.2k, Folded] ------------------ 594| 87.2k|#if defined(BOTAN_MP_USE_X86_64_ASM) 595| 87.2k| if constexpr(std::same_as) { 596| 87.2k| W quotient = 0; 597| 87.2k| W remainder = 0; 598| | // NOLINTNEXTLINE(*-no-assembler) 599| 87.2k| asm("divq %[v]" : "=a"(quotient), "=d"(remainder) : [v] "r"(m_divisor), "a"(n0), "d"(n1) : "cc"); 600| 87.2k| return quotient; 601| 87.2k| } 602| 0|#endif 603| | 604| 0|#if !defined(BOTAN_BUILD_COMPILER_IS_CLANGCL) 605| | 606| | /* clang-cl has a bug where on encountering a 128/64 division it emits 607| | * a call to __udivti3() but then fails to link the relevant builtin into 608| | * the binary, causing a link failure. Work around this by simply omitting 609| | * such code for clang-cl 610| | * 611| | * See https://github.com/llvm/llvm-project/issues/25679 612| | */ 613| 87.2k| if constexpr(WordInfo::dword_is_native) { 614| 87.2k| typename WordInfo::dword n = n1; 615| 87.2k| n <<= WordInfo::bits; 616| 87.2k| n |= n0; 617| 87.2k| return static_cast(n / m_divisor); 618| 87.2k| } 619| 87.2k|#endif 620| 87.2k| } 621| | 622| 0| W high = n1; 623| 87.2k| W quotient = 0; 624| | 625| 87.2k| for(size_t i = 0; i != WordInfo::bits; ++i) { ------------------ | Branch (625:28): [True: 0, False: 87.2k] ------------------ 626| 0| const W high_top_bit = high >> (WordInfo::bits - 1); 627| | 628| 0| high <<= 1; 629| 0| high |= (n0 >> (WordInfo::bits - 1 - i)) & 1; 630| 0| quotient <<= 1; 631| | 632| 0| if(high_top_bit || high >= m_divisor) { ------------------ | Branch (632:16): [True: 0, False: 0] | Branch (632:32): [True: 0, False: 0] ------------------ 633| 0| high -= m_divisor; 634| 0| quotient |= 1; 635| 0| } 636| 0| } 637| | 638| 87.2k| return quotient; 639| 91.1k| } _ZN5Botan14divide_precompImE22vartime_div_2to1_max_dEmm: 657| 46.3k| static inline constexpr W vartime_div_2to1_max_d(W n1, W n0) { 658| | /* 659| | Use k to refer to WordInfo::bits 660| | 661| | We are dividing n = (n1 * 2^k) + n0 by 2^k - 1 662| | 663| | Recall that 2^k = 1 (mod 2^k - 1) 664| | 665| | Rewrite n = n1*2^k + n0 as n1*(2^k - 1) + n1 + n0 666| | 667| | The result of dividing n by (2^k - 1) will be equal to 668| | (n1*(2^k-1) + n1 + n0) / (2^k-1) = 669| | n1 + ((n1 + n0) / (2^k-1) 670| | 671| | Use c to refer to ((n1 + n0) / (2^k-1)) 672| | 673| | If (n1 + n0) < (2^k - 1) then c is 0 674| | If (n1 + n0) >= (2^k - 1) then c is 1 675| | 676| | Since n1 < 2^k - 1 [*] and n0 <= 2^k - 1 it is impossible for (n1 + n0) / (2^k -1) 677| | to be greater than 1. 678| | 679| | [*] We require n1 be strictly less than the divisor to ensure that the 680| | output fits in a single word; this is checked at the start of vartime_div_2to1. 681| | */ 682| | 683| 46.3k| const W s = n0 + n1; 684| | // did n0 + n1 overflow? or does (n0 + n1) == 2^k - 1? if either, c == 1 685| 46.3k| if(s < n0 || s == WordInfo::max) { ------------------ | Branch (685:13): [True: 7.33k, False: 38.9k] | Branch (685:23): [True: 38, False: 38.9k] ------------------ 686| 7.37k| n1 += 1; 687| 7.37k| } 688| | 689| 46.3k| return n1; 690| 46.3k| } _ZN5Botan11bigint_shl1ITkNS_8WordTypeEmEEvPT_mmm: 309| 380k|inline constexpr void bigint_shl1(W x[], size_t x_size, size_t x_words, size_t shift) { 310| 380k| const size_t word_shift = shift / WordInfo::bits; 311| 380k| const size_t bit_shift = shift % WordInfo::bits; 312| | 313| 380k| BOTAN_ASSERT_NOMSG(word_shift <= x_size); ------------------ | | 77| 380k| do { \ | | 78| 380k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 380k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 380k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 380k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 380k] | | ------------------ ------------------ 314| 380k| BOTAN_ASSERT_NOMSG(x_words <= x_size - word_shift); ------------------ | | 77| 380k| do { \ | | 78| 380k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 380k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 380k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 380k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 380k] | | ------------------ ------------------ 315| | 316| 380k| unchecked_copy_memory(x + word_shift, x, x_words); 317| 380k| zeroize_buffer(x, word_shift); 318| | 319| 380k| const auto carry_mask = CT::Mask::expand(bit_shift); 320| 380k| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 321| | 322| 380k| W carry = 0; 323| 3.73M| for(size_t i = word_shift; i != x_size; ++i) { ------------------ | Branch (323:31): [True: 3.35M, False: 380k] ------------------ 324| 3.35M| const W w = x[i]; 325| 3.35M| x[i] = (w << bit_shift) | carry; 326| 3.35M| carry = carry_mask.if_set_return(w >> carry_shift); 327| 3.35M| } 328| 380k|} _ZN5Botan11bigint_shr1ITkNS_8WordTypeEmEEvPT_mm: 331| 1.92M|inline constexpr void bigint_shr1(W x[], size_t x_size, size_t shift) { 332| 1.92M| const size_t word_shift = shift / WordInfo::bits; 333| 1.92M| const size_t bit_shift = shift % WordInfo::bits; 334| | 335| 1.92M| const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0; ------------------ | Branch (335:23): [True: 1.92M, False: 0] ------------------ 336| | 337| 1.92M| if(top > 0) { ------------------ | Branch (337:7): [True: 1.92M, False: 0] ------------------ 338| 1.92M| unchecked_copy_memory(x, x + word_shift, top); 339| 1.92M| } 340| 1.92M| zeroize_buffer(x + top, std::min(word_shift, x_size)); 341| | 342| 1.92M| const auto carry_mask = CT::Mask::expand(bit_shift); 343| 1.92M| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 344| | 345| 1.92M| W carry = 0; 346| | 347| 27.1M| for(size_t i = 0; i != top; ++i) { ------------------ | Branch (347:22): [True: 25.1M, False: 1.92M] ------------------ 348| 25.1M| const W w = x[top - i - 1]; 349| 25.1M| x[top - i - 1] = (w >> bit_shift) | carry; 350| 25.1M| carry = carry_mask.if_set_return(w << carry_shift); 351| 25.1M| } 352| 1.92M|} _ZN5Botan17bigint_monty_redcEPmPKmS2_mmS0_m: 924| 28.6M| word r[], const word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size) { 925| 28.6M| const size_t z_size = 2 * p_size; 926| | 927| 28.6M| BOTAN_ARG_CHECK(ws_size >= p_size, "Montgomery reduction workspace too small"); ------------------ | | 35| 28.6M| do { \ | | 36| 28.6M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 28.6M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 28.6M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 28.6M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 28.6M] | | ------------------ ------------------ 928| | 929| 28.6M| if(p_size == 4) { ------------------ | Branch (929:7): [True: 18.4M, False: 10.2M] ------------------ 930| 18.4M| bigint_monty_redc_4(r, z, p, p_dash, ws); 931| 18.4M| } else if(p_size == 6) { ------------------ | Branch (931:14): [True: 15.4k, False: 10.1M] ------------------ 932| 15.4k| bigint_monty_redc_6(r, z, p, p_dash, ws); 933| 10.1M| } else if(p_size == 8) { ------------------ | Branch (933:14): [True: 930, False: 10.1M] ------------------ 934| 930| bigint_monty_redc_8(r, z, p, p_dash, ws); 935| 10.1M| } else if(p_size == 12) { ------------------ | Branch (935:14): [True: 0, False: 10.1M] ------------------ 936| 0| bigint_monty_redc_12(r, z, p, p_dash, ws); 937| 10.1M| } else if(p_size == 16) { ------------------ | Branch (937:14): [True: 0, False: 10.1M] ------------------ 938| 0| bigint_monty_redc_16(r, z, p, p_dash, ws); 939| 10.1M| } else if(p_size == 24) { ------------------ | Branch (939:14): [True: 0, False: 10.1M] ------------------ 940| 0| bigint_monty_redc_24(r, z, p, p_dash, ws); 941| 10.1M| } else if(p_size == 32) { ------------------ | Branch (941:14): [True: 0, False: 10.1M] ------------------ 942| 0| bigint_monty_redc_32(r, z, p, p_dash, ws); 943| 10.1M| } else { 944| 10.1M| bigint_monty_redc_generic(r, z, z_size, p, p_size, p_dash, ws); 945| 10.1M| } 946| 28.6M|} _ZN5Botan25bigint_monty_redc_inplaceEPmPKmmmS0_m: 948| 12.5M|inline void bigint_monty_redc_inplace(word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size) { 949| 12.5M| bigint_monty_redc(z, z, p, p_size, p_dash, ws, ws_size); 950| 12.5M| zeroize_buffer(z + p_size, p_size); 951| 12.5M|} _ZN5Botan11bigint_shl2ITkNS_8WordTypeEmEEvPT_mPKS1_mm: 355| 43.7k|inline constexpr void bigint_shl2(W y[], size_t y_size, const W x[], size_t x_size, size_t shift) { 356| 43.7k| const size_t word_shift = shift / WordInfo::bits; 357| 43.7k| const size_t bit_shift = shift % WordInfo::bits; 358| | 359| 43.7k| BOTAN_ASSERT_NOMSG(word_shift <= y_size); ------------------ | | 77| 43.7k| do { \ | | 78| 43.7k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 43.7k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 43.7k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 43.7k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 43.7k] | | ------------------ ------------------ 360| 43.7k| BOTAN_ASSERT_NOMSG(x_size < y_size - word_shift); ------------------ | | 77| 43.7k| do { \ | | 78| 43.7k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 43.7k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 43.7k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 43.7k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 43.7k] | | ------------------ ------------------ 361| | 362| 43.7k| unchecked_copy_memory(y + word_shift, x, x_size); 363| 43.7k| zeroize_buffer(y, word_shift); 364| 43.7k| zeroize_buffer(y + word_shift + x_size, y_size - word_shift - x_size); 365| | 366| 43.7k| const auto carry_mask = CT::Mask::expand(bit_shift); 367| 43.7k| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 368| | 369| 43.7k| W carry = 0; 370| 258k| for(size_t i = word_shift; i != x_size + word_shift + 1; ++i) { ------------------ | Branch (370:31): [True: 214k, False: 43.7k] ------------------ 371| 214k| const W w = y[i]; 372| 214k| y[i] = (w << bit_shift) | carry; 373| 214k| carry = carry_mask.if_set_return(w >> carry_shift); 374| 214k| } 375| 43.7k|} _ZN5Botan11bigint_shr2ITkNS_8WordTypeEmEEvPT_mPKS1_mm: 378| 1.82k|inline constexpr void bigint_shr2(W y[], size_t y_size, const W x[], size_t x_size, size_t shift) { 379| 1.82k| const size_t word_shift = shift / WordInfo::bits; 380| 1.82k| const size_t bit_shift = shift % WordInfo::bits; 381| 1.82k| const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift); ------------------ | Branch (381:28): [True: 0, False: 1.82k] ------------------ 382| | 383| 1.82k| BOTAN_ASSERT_NOMSG(new_size <= y_size); ------------------ | | 77| 1.82k| do { \ | | 78| 1.82k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.82k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.82k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.82k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.82k] | | ------------------ ------------------ 384| | 385| 1.82k| if(new_size > 0) { ------------------ | Branch (385:7): [True: 1.82k, False: 0] ------------------ 386| 1.82k| unchecked_copy_memory(y, x + word_shift, new_size); 387| 1.82k| } 388| 1.82k| zeroize_buffer(y + new_size, y_size - new_size); 389| | 390| 1.82k| const auto carry_mask = CT::Mask::expand(bit_shift); 391| 1.82k| const W carry_shift = carry_mask.if_set_return(WordInfo::bits - bit_shift); 392| | 393| 1.82k| W carry = 0; 394| 11.1k| for(size_t i = new_size; i > 0; --i) { ------------------ | Branch (394:29): [True: 9.32k, False: 1.82k] ------------------ 395| 9.32k| W w = y[i - 1]; 396| 9.32k| y[i - 1] = (w >> bit_shift) | carry; 397| 9.32k| carry = carry_mask.if_set_return(w << carry_shift); 398| 9.32k| } 399| 1.82k|} _ZN5Botan15bigint_ct_is_eqITkNS_8WordTypeEmEENS_2CT4MaskIT_EEPKS3_mS6_m: 519| 32.7k|inline constexpr auto bigint_ct_is_eq(const W x[], size_t x_size, const W y[], size_t y_size) -> CT::Mask { 520| 32.7k| const size_t common_elems = std::min(x_size, y_size); 521| | 522| 32.7k| W diff = 0; 523| | 524| 342k| for(size_t i = 0; i != common_elems; i++) { ------------------ | Branch (524:22): [True: 309k, False: 32.7k] ------------------ 525| 309k| diff |= (x[i] ^ y[i]); 526| 309k| } 527| | 528| | // If any bits were set in high part of x/y, then they are not equal 529| 32.7k| if(x_size < y_size) { ------------------ | Branch (529:7): [True: 291, False: 32.4k] ------------------ 530| 2.00k| for(size_t i = x_size; i != y_size; i++) { ------------------ | Branch (530:30): [True: 1.71k, False: 291] ------------------ 531| 1.71k| diff |= y[i]; 532| 1.71k| } 533| 32.4k| } else if(y_size < x_size) { ------------------ | Branch (533:14): [True: 22.8k, False: 9.60k] ------------------ 534| 134k| for(size_t i = y_size; i != x_size; i++) { ------------------ | Branch (534:30): [True: 111k, False: 22.8k] ------------------ 535| 111k| diff |= x[i]; 536| 111k| } 537| 22.8k| } 538| | 539| 32.7k| return CT::Mask::is_zero(diff); 540| 32.7k|} _ZN5Botan15bigint_ct_is_ltITkNS_8WordTypeEmEENS_2CT4MaskIT_EEPKS3_mS6_mb: 487| 2.77M| -> CT::Mask { 488| 2.77M| const size_t common_elems = std::min(x_size, y_size); 489| | 490| 2.77M| auto is_lt = CT::Mask::expand(lt_or_equal); 491| | 492| 21.0M| for(size_t i = 0; i != common_elems; i++) { ------------------ | Branch (492:22): [True: 18.2M, False: 2.77M] ------------------ 493| 18.2M| const auto eq = CT::Mask::is_equal(x[i], y[i]); 494| 18.2M| const auto lt = CT::Mask::is_lt(x[i], y[i]); 495| 18.2M| is_lt = eq.select_mask(is_lt, lt); 496| 18.2M| } 497| | 498| 2.77M| if(x_size < y_size) { ------------------ | Branch (498:7): [True: 75.8k, False: 2.70M] ------------------ 499| 75.8k| W mask = 0; 500| 205k| for(size_t i = x_size; i != y_size; i++) { ------------------ | Branch (500:30): [True: 129k, False: 75.8k] ------------------ 501| 129k| mask |= y[i]; 502| 129k| } 503| | // If any bits were set in high part of y, then is_lt should be forced true 504| 75.8k| is_lt |= CT::Mask::expand(mask); 505| 2.70M| } else if(y_size < x_size) { ------------------ | Branch (505:14): [True: 2.65M, False: 43.8k] ------------------ 506| 2.65M| W mask = 0; 507| 30.8M| for(size_t i = y_size; i != x_size; i++) { ------------------ | Branch (507:30): [True: 28.2M, False: 2.65M] ------------------ 508| 28.2M| mask |= x[i]; 509| 28.2M| } 510| | 511| | // If any bits were set in high part of x, then is_lt should be false 512| 2.65M| is_lt &= CT::Mask::is_zero(mask); 513| 2.65M| } 514| | 515| 2.77M| return is_lt; 516| 2.77M|} _ZN5Botan15bigint_cnd_swapITkNS_8WordTypeEmEEvT_PS1_S2_m: 29| 701k|inline constexpr void bigint_cnd_swap(W cnd, W x[], W y[], size_t size) { 30| 701k| const auto mask = CT::Mask::expand(cnd); 31| | 32| 4.28M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (32:22): [True: 3.58M, False: 701k] ------------------ 33| 3.58M| const W a = x[i]; 34| 3.58M| const W b = y[i]; 35| 3.58M| x[i] = mask.select(b, a); 36| 3.58M| y[i] = mask.select(a, b); 37| 3.58M| } 38| 701k|} _ZN5Botan14bigint_sub_absITkNS_8WordTypeEmEENS_2CT4MaskIT_EEPS3_PKS3_S7_mS5_: 279| 3.01M|inline constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask { 280| | // Subtract in both direction then conditional copy out the result 281| | 282| 3.01M| W* ws0 = ws; 283| 3.01M| W* ws1 = ws + N; 284| | 285| 3.01M| W borrow0 = 0; 286| 3.01M| W borrow1 = 0; 287| | 288| 3.01M| const size_t blocks = N - (N % 8); 289| | 290| 4.49M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (290:22): [True: 1.47M, False: 3.01M] ------------------ 291| 1.47M| borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0); 292| 1.47M| borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1); 293| 1.47M| } 294| | 295| 14.0M| for(size_t i = blocks; i != N; ++i) { ------------------ | Branch (295:27): [True: 11.0M, False: 3.01M] ------------------ 296| 11.0M| ws0[i] = word_sub(x[i], y[i], &borrow0); 297| 11.0M| ws1[i] = word_sub(y[i], x[i], &borrow1); 298| 11.0M| } 299| | 300| 3.01M| return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N); 301| 3.01M|} _ZN5Botan14bigint_cnd_subITkNS_8WordTypeEmEET_S1_PS1_PKS1_m: 62| 777k|inline constexpr auto bigint_cnd_sub(W cnd, W x[], const W y[], size_t size) -> W { 63| 777k| const auto mask = CT::Mask::expand(cnd).value(); 64| | 65| 777k| W carry = 0; 66| | 67| 4.19M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (67:22): [True: 3.41M, False: 777k] ------------------ 68| 3.41M| x[i] = word_sub(x[i], y[i] & mask, &carry); 69| 3.41M| } 70| | 71| 777k| return (mask & carry); 72| 777k|} _ZN5Botan14bigint_cnd_absITkNS_8WordTypeEmEEvT_PS1_m: 80| 388k|inline constexpr void bigint_cnd_abs(W cnd, W x[], size_t size) { 81| 388k| const auto mask = CT::Mask::expand(cnd); 82| | 83| 388k| W carry = mask.if_set_return(1); 84| 2.09M| for(size_t i = 0; i != size; ++i) { ------------------ | Branch (84:22): [True: 1.70M, False: 388k] ------------------ 85| 1.70M| const W z = word_add(~x[i], static_cast(0), &carry); 86| 1.70M| x[i] = mask.select(z, x[i]); 87| 1.70M| } 88| 388k|} _ZN5Botan13monty_inverseITkNS_8WordTypeEmEET_S1_: 703| 6.16k|inline constexpr auto monty_inverse(W a) -> W { 704| 6.16k| BOTAN_ARG_CHECK(a % 2 == 1, "Cannot compute Montgomery inverse of an even integer"); ------------------ | | 35| 6.16k| do { \ | | 36| 6.16k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 6.16k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 6.16k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 6.16k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 6.16k] | | ------------------ ------------------ 705| | 706| | // Newton's Method, following https://lemire.me/blog/2017/09/18/computing-the-inverse-of-odd-integers/ 707| | 708| 6.16k| constexpr size_t iter = WordInfo::bits == 64 ? 4 : 3; ------------------ | Branch (708:28): [True: 0, Folded] ------------------ 709| | 710| | // Initial guess provides 5 bits of accuracy 711| 6.16k| W r = (3 * a) ^ 2; 712| | 713| | // Each iteration doubles the accuracy 714| 30.8k| for(size_t i = 0; i != iter; ++i) { ------------------ | Branch (714:22): [True: 24.6k, False: 6.16k] ------------------ 715| 24.6k| r = r * (2 - r * a); 716| 24.6k| } 717| | 718| | // Now invert in addition space 719| 6.16k| r = (WordInfo::max - r) + 1; 720| | 721| 6.16k| return r; 722| 6.16k|} _ZN5Botan22bigint_monty_maybe_subITkNS_8WordTypeEmEEvmPT_S1_PKS1_S4_: 225| 15.4M|inline constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], const W p[]) { 226| 15.4M| W borrow = 0; 227| | 228| 15.4M| const size_t blocks = N - (N % 8); 229| | 230| 20.9M| for(size_t i = 0; i != blocks; i += 8) { ------------------ | Branch (230:22): [True: 5.52M, False: 15.4M] ------------------ 231| 5.52M| borrow = word8_sub3(z + i, x + i, p + i, borrow); 232| 5.52M| } 233| | 234| 58.8M| for(size_t i = blocks; i != N; ++i) { ------------------ | Branch (234:27): [True: 43.4M, False: 15.4M] ------------------ 235| 43.4M| z[i] = word_sub(x[i], p[i], &borrow); 236| 43.4M| } 237| | 238| 15.4M| borrow = (x0 - borrow) > x0; 239| | 240| 15.4M| CT::conditional_assign_mem(borrow, z, x, N); 241| 15.4M|} _ZN5Botan9comba_sqrILm4ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 290k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 290k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 290k, Folded] ------------------ 856| 290k| if constexpr(std::same_as && N == 4) { 857| 290k| return bigint_comba_sqr4(z, x); 858| 290k| } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 290k| } 875| | 876| 0| word3 accum; 877| | 878| 290k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 290k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 290k|} _ZN5Botan22bigint_monty_maybe_subILm4ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 18.6M|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 18.6M| W borrow = 0; 256| | 257| 93.1M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 74.5M, False: 18.6M] ------------------ 258| 74.5M| z[i] = word_sub(x[i], y[i], &borrow); 259| 74.5M| } 260| | 261| 18.6M| borrow = (x0 - borrow) > x0; 262| | 263| 18.6M| CT::conditional_assign_mem(borrow, z, x, N); 264| 18.6M|} _ZN5Botan9comba_mulILm4ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 328k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 328k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 328k, Folded] ------------------ 820| 328k| if constexpr(std::same_as && N == 4) { 821| 328k| return bigint_comba_mul4(z, x, y); 822| 328k| } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 328k| } 839| | 840| 0| word3 accum; 841| | 842| 328k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 328k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 328k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm4EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 25.8k|inline constexpr W shift_left(std::array& x) { 726| 25.8k| static_assert(N >= 1, "Invalid input size"); 727| 25.8k| static_assert(S > 0, "Zero shift not supported"); 728| 25.8k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 25.8k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 103k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 77.5k, False: 25.8k] ------------------ 733| 77.5k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 77.5k| } 735| 25.8k| x[0] <<= S; 736| | 737| 25.8k| return carry; 738| 25.8k|} _ZN5Botan16read_window_bitsILm4EmLm4EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 9.72k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 9.72k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 9.72k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 9.72k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 9.72k| const auto bit_shift = offset % W_bits; 1078| 9.72k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 9.72k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 9.72k, False: 0] | Branch (1080:74): [True: 0, False: 0] ------------------ 1081| | 1082| 9.72k| const auto w0 = words[word_offset]; 1083| | 1084| 9.72k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 9.72k, False: 0] ------------------ 1085| 9.72k| return (w0 >> bit_shift) & WindowMask; 1086| 9.72k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 0| const auto w1 = words[word_offset - 1]; 1089| 0| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 0| return combined & WindowMask; 1091| 0| } 1092| 9.72k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm4EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 2.86k|inline constexpr W shift_right(std::array& x) { 742| 2.86k| static_assert(N >= 1, "Invalid input size"); 743| 2.86k| static_assert(S > 0, "Zero shift not supported"); 744| 2.86k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 2.86k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 11.4k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 8.59k, False: 2.86k] ------------------ 749| 8.59k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 8.59k| } 751| 2.86k| x[N - 1] >>= S; 752| | 753| 2.86k| return carry; 754| 2.86k|} _ZN5Botan16read_window_bitsILm7EhLm18446744073709551615EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 96.1k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 96.1k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 96.1k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 96.1k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 96.1k| const auto bit_shift = offset % W_bits; 1078| 96.1k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 96.1k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 25.0k, False: 71.0k] | Branch (1080:74): [True: 1.56k, False: 69.5k] ------------------ 1081| | 1082| 96.1k| const auto w0 = words[word_offset]; 1083| | 1084| 96.1k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 26.5k, False: 69.5k] ------------------ 1085| 26.5k| return (w0 >> bit_shift) & WindowMask; 1086| 69.5k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 69.5k| const auto w1 = words[word_offset - 1]; 1089| 69.5k| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 69.5k| return combined & WindowMask; 1091| 69.5k| } 1092| 96.1k|} _ZN5Botan9comba_sqrILm6ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 222k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 222k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 222k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| 222k| if constexpr(std::same_as && N == 6) { 860| 222k| return bigint_comba_sqr6(z, x); 861| 222k| } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 222k| } 875| | 876| 0| word3 accum; 877| | 878| 222k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 222k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 222k|} _ZN5Botan22bigint_monty_maybe_subILm6ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 333k|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 333k| W borrow = 0; 256| | 257| 2.33M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 2.00M, False: 333k] ------------------ 258| 2.00M| z[i] = word_sub(x[i], y[i], &borrow); 259| 2.00M| } 260| | 261| 333k| borrow = (x0 - borrow) > x0; 262| | 263| 333k| CT::conditional_assign_mem(borrow, z, x, N); 264| 333k|} _ZN5Botan9comba_mulILm6ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 256k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 256k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 256k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| 256k| if constexpr(std::same_as && N == 6) { 824| 256k| return bigint_comba_mul6(z, x, y); 825| 256k| } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 256k| } 839| | 840| 0| word3 accum; 841| | 842| 256k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 256k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 256k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm6EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 19.8k|inline constexpr W shift_left(std::array& x) { 726| 19.8k| static_assert(N >= 1, "Invalid input size"); 727| 19.8k| static_assert(S > 0, "Zero shift not supported"); 728| 19.8k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 19.8k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 119k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 99.2k, False: 19.8k] ------------------ 733| 99.2k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 99.2k| } 735| 19.8k| x[0] <<= S; 736| | 737| 19.8k| return carry; 738| 19.8k|} _ZN5Botan16read_window_bitsILm5EmLm6EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 14.2k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 14.2k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 14.2k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 14.2k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 14.2k| const auto bit_shift = offset % W_bits; 1078| 14.2k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 14.2k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 13.3k, False: 925] | Branch (1080:74): [True: 185, False: 740] ------------------ 1081| | 1082| 14.2k| const auto w0 = words[word_offset]; 1083| | 1084| 14.2k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 13.5k, False: 740] ------------------ 1085| 13.5k| return (w0 >> bit_shift) & WindowMask; 1086| 13.5k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 740| const auto w1 = words[word_offset - 1]; 1089| 740| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 740| return combined & WindowMask; 1091| 740| } 1092| 14.2k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm6EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 2.21k|inline constexpr W shift_right(std::array& x) { 742| 2.21k| static_assert(N >= 1, "Invalid input size"); 743| 2.21k| static_assert(S > 0, "Zero shift not supported"); 744| 2.21k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 2.21k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 13.2k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 11.0k, False: 2.21k] ------------------ 749| 11.0k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 11.0k| } 751| 2.21k| x[N - 1] >>= S; 752| | 753| 2.21k| return carry; 754| 2.21k|} _ZN5Botan9comba_sqrILm8ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 137k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 137k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 137k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| 137k| if constexpr(std::same_as && N == 8) { 866| 137k| return bigint_comba_sqr8(z, x); 867| 137k| } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 137k| } 875| | 876| 0| word3 accum; 877| | 878| 137k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 137k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 137k|} _ZN5Botan22bigint_monty_maybe_subILm8ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 333k|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 333k| W borrow = 0; 256| | 257| 3.00M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 2.66M, False: 333k] ------------------ 258| 2.66M| z[i] = word_sub(x[i], y[i], &borrow); 259| 2.66M| } 260| | 261| 333k| borrow = (x0 - borrow) > x0; 262| | 263| 333k| CT::conditional_assign_mem(borrow, z, x, N); 264| 333k|} _ZN5Botan9comba_mulILm8ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 163k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 163k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 163k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| 163k| if constexpr(std::same_as && N == 8) { 830| 163k| return bigint_comba_mul8(z, x, y); 831| 163k| } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 163k| } 839| | 840| 0| word3 accum; 841| | 842| 163k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 163k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 163k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm8EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 13.1k|inline constexpr W shift_left(std::array& x) { 726| 13.1k| static_assert(N >= 1, "Invalid input size"); 727| 13.1k| static_assert(S > 0, "Zero shift not supported"); 728| 13.1k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 13.1k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 105k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 92.3k, False: 13.1k] ------------------ 733| 92.3k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 92.3k| } 735| 13.1k| x[0] <<= S; 736| | 737| 13.1k| return carry; 738| 13.1k|} _ZN5Botan16read_window_bitsILm5EmLm8EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 15.5k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 15.5k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 15.5k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 15.5k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 15.5k| const auto bit_shift = offset % W_bits; 1078| 15.5k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 15.5k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 14.4k, False: 1.05k] | Branch (1080:74): [True: 151, False: 906] ------------------ 1081| | 1082| 15.5k| const auto w0 = words[word_offset]; 1083| | 1084| 15.5k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 14.6k, False: 906] ------------------ 1085| 14.6k| return (w0 >> bit_shift) & WindowMask; 1086| 14.6k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 906| const auto w1 = words[word_offset - 1]; 1089| 906| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 906| return combined & WindowMask; 1091| 906| } 1092| 15.5k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm8EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 1.42k|inline constexpr W shift_right(std::array& x) { 742| 1.42k| static_assert(N >= 1, "Invalid input size"); 743| 1.42k| static_assert(S > 0, "Zero shift not supported"); 744| 1.42k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 1.42k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 11.4k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 9.98k, False: 1.42k] ------------------ 749| 9.98k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 9.98k| } 751| 1.42k| x[N - 1] >>= S; 752| | 753| 1.42k| return carry; 754| 1.42k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm9EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 3.48M|inline constexpr W shift_left(std::array& x) { 726| 3.48M| static_assert(N >= 1, "Invalid input size"); 727| 3.48M| static_assert(S > 0, "Zero shift not supported"); 728| 3.48M| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 3.48M| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 31.3M| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 27.8M, False: 3.48M] ------------------ 733| 27.8M| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 27.8M| } 735| 3.48M| x[0] <<= S; 736| | 737| 3.48M| return carry; 738| 3.48M|} _ZN5Botan22bigint_monty_maybe_subILm9ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 3.50M|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 3.50M| W borrow = 0; 256| | 257| 35.0M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 31.5M, False: 3.50M] ------------------ 258| 31.5M| z[i] = word_sub(x[i], y[i], &borrow); 259| 31.5M| } 260| | 261| 3.50M| borrow = (x0 - borrow) > x0; 262| | 263| 3.50M| CT::conditional_assign_mem(borrow, z, x, N); 264| 3.50M|} _ZN5Botan16read_window_bitsILm4EmLm18446744073709551615EEEmNSt3__14spanIKT0_XT1_EEEm: 1071| 54.9k|constexpr size_t read_window_bits(std::span words, size_t offset) { 1072| 54.9k| static_assert(WindowBits >= 1 && WindowBits <= 7); 1073| | 1074| 54.9k| constexpr uint8_t WindowMask = static_cast(1 << WindowBits) - 1; 1075| | 1076| 54.9k| constexpr size_t W_bits = sizeof(W) * 8; 1077| 54.9k| const auto bit_shift = offset % W_bits; 1078| 54.9k| const auto word_offset = words.size() - 1 - (offset / W_bits); 1079| | 1080| 54.9k| const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0; ------------------ | Branch (1080:36): [True: 54.9k, False: 0] | Branch (1080:74): [True: 0, False: 0] ------------------ 1081| | 1082| 54.9k| const auto w0 = words[word_offset]; 1083| | 1084| 54.9k| if(single_byte_window) { ------------------ | Branch (1084:7): [True: 54.9k, False: 0] ------------------ 1085| 54.9k| return (w0 >> bit_shift) & WindowMask; 1086| 54.9k| } else { 1087| | // Otherwise we must join two words and extract the result 1088| 0| const auto w1 = words[word_offset - 1]; 1089| 0| const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift))); 1090| 0| return combined & WindowMask; 1091| 0| } 1092| 54.9k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm9EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 1.48k|inline constexpr W shift_right(std::array& x) { 742| 1.48k| static_assert(N >= 1, "Invalid input size"); 743| 1.48k| static_assert(S > 0, "Zero shift not supported"); 744| 1.48k| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 1.48k| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 13.3k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 11.8k, False: 1.48k] ------------------ 749| 11.8k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 11.8k| } 751| 1.48k| x[N - 1] >>= S; 752| | 753| 1.48k| return carry; 754| 1.48k|} _ZN5Botan9comba_sqrILm3ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 60.7k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 60.7k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 60.7k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 60.7k| } 875| | 876| 60.7k| word3 accum; 877| | 878| 425k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 364k, False: 60.7k] ------------------ 879| 364k| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 121k, False: 242k] ------------------ 880| 364k| const size_t end = std::min(N, i + 1); 881| | 882| 910k| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 546k, False: 364k] ------------------ 883| 546k| accum.mul(x[j], x[i - j]); 884| 546k| } 885| 364k| z[i] = accum.extract(); 886| 364k| } 887| 60.7k|} _ZN5Botan9comba_mulILm3ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 67.6k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 67.6k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 67.6k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 67.6k| } 839| | 840| 67.6k| word3 accum; 841| | 842| 473k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 406k, False: 67.6k] ------------------ 843| 406k| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 135k, False: 270k] ------------------ 844| 406k| const size_t end = std::min(N, i + 1); 845| | 846| 1.01M| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 609k, False: 406k] ------------------ 847| 609k| accum.mul(x[j], y[i - j]); 848| 609k| } 849| 406k| z[i] = accum.extract(); 850| 406k| } 851| 67.6k|} _ZN5Botan22bigint_monty_maybe_subILm3ETkNS_8WordTypeEmEEvPT0_S1_PKS1_S4_: 254| 13.9k|inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W y[N]) { 255| 13.9k| W borrow = 0; 256| | 257| 55.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (257:22): [True: 41.9k, False: 13.9k] ------------------ 258| 41.9k| z[i] = word_sub(x[i], y[i], &borrow); 259| 41.9k| } 260| | 261| 13.9k| borrow = (x0 - borrow) > x0; 262| | 263| 13.9k| CT::conditional_assign_mem(borrow, z, x, N); 264| 13.9k|} _ZN5Botan10shift_leftILm1ETkNS_8WordTypeEmLm3EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 5.03k|inline constexpr W shift_left(std::array& x) { 726| 5.03k| static_assert(N >= 1, "Invalid input size"); 727| 5.03k| static_assert(S > 0, "Zero shift not supported"); 728| 5.03k| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 5.03k| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 15.0k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 10.0k, False: 5.03k] ------------------ 733| 10.0k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 10.0k| } 735| 5.03k| x[0] <<= S; 736| | 737| 5.03k| return carry; 738| 5.03k|} _ZN5Botan11shift_rightILm1ETkNS_8WordTypeEmLm3EEET0_RNSt3__15arrayIS1_XT1_EEE: 741| 514|inline constexpr W shift_right(std::array& x) { 742| 514| static_assert(N >= 1, "Invalid input size"); 743| 514| static_assert(S > 0, "Zero shift not supported"); 744| 514| static_assert(S < WordInfo::bits, "Shift too large"); 745| | 746| 514| const W carry = x[0] << (WordInfo::bits - S); 747| | 748| 1.54k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (748:22): [True: 1.02k, False: 514] ------------------ 749| 1.02k| x[i] = (x[i] >> S) | (x[i + 1] << (WordInfo::bits - S)); 750| 1.02k| } 751| 514| x[N - 1] >>= S; 752| | 753| 514| return carry; 754| 514|} _ZN5Botan10shift_leftILm32ETkNS_8WordTypeEmLm4EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 426|inline constexpr W shift_left(std::array& x) { 726| 426| static_assert(N >= 1, "Invalid input size"); 727| 426| static_assert(S > 0, "Zero shift not supported"); 728| 426| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 426| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 1.70k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 1.27k, False: 426] ------------------ 733| 1.27k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 1.27k| } 735| 426| x[0] <<= S; 736| | 737| 426| return carry; 738| 426|} _ZN5Botan13redc_crandallITkNS_8WordTypeEmLm4ETnT_Lm4294968273EEENSt3__15arrayIS1_XT0_EEENS2_4spanIKS1_XmlLi2ET0_EEE: 992| 144k|constexpr std::array redc_crandall(std::span z) { 993| 144k| static_assert(N >= 2); 994| | 995| 144k| std::array hi = {}; 996| | 997| | // hi = hi * c + lo 998| | 999| 144k| W carry = 0; 1000| 722k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (1000:22): [True: 577k, False: 144k] ------------------ 1001| 577k| hi[i] = word_madd3(z[i + N], C, z[i], &carry); 1002| 577k| } 1003| | 1004| | // hi += carry * C 1005| 144k| word carry_c[2] = {0}; 1006| 144k| carry_c[0] = word_madd2(carry, C, &carry_c[1]); 1007| | 1008| 144k| carry = bigint_add2(hi.data(), N, carry_c, 2); 1009| | 1010| 144k| constexpr W P0 = WordInfo::max - (C - 1); 1011| | 1012| 144k| std::array r = {}; 1013| | 1014| 144k| W borrow = 0; 1015| | 1016| | /* 1017| | * For undetermined reasons, on GCC (only) removing this asm block causes 1018| | * massive (up to 20%) performance regressions in secp256k1. 1019| | * 1020| | * The generated code without the asm seems quite reasonable, and timing 1021| | * repeated calls to redc_crandall with the cycle counter show that GCC 1022| | * computes it in about the same number of cycles with or without the asm. 1023| | * 1024| | * So the cause of the regression is unclear. But it is reproducible across 1025| | * machines and GCC versions. 1026| | */ 1027| |#if defined(BOTAN_MP_USE_X86_64_ASM) && defined(__GNUC__) && !defined(__clang__) 1028| | if constexpr(N == 4 && std::same_as) { 1029| | if(!std::is_constant_evaluated()) { 1030| | asm volatile(R"( 1031| | movq 0(%[x]), %[borrow] 1032| | subq %[p0], %[borrow] 1033| | movq %[borrow], 0(%[r]) 1034| | movq 8(%[x]), %[borrow] 1035| | sbbq $-1, %[borrow] 1036| | movq %[borrow], 8(%[r]) 1037| | movq 16(%[x]), %[borrow] 1038| | sbbq $-1, %[borrow] 1039| | movq %[borrow], 16(%[r]) 1040| | movq 24(%[x]), %[borrow] 1041| | sbbq $-1, %[borrow] 1042| | movq %[borrow], 24(%[r]) 1043| | sbbq %[borrow],%[borrow] 1044| | negq %[borrow] 1045| | )" 1046| | : [borrow] "=r"(borrow) 1047| | : [x] "r"(hi.data()), [p0] "r"(P0), [r] "r"(r.data()), "0"(borrow) 1048| | : "cc", "memory"); 1049| | 1050| | borrow = (carry - borrow) > carry; 1051| | CT::conditional_assign_mem(borrow, r.data(), hi.data(), N); 1052| | return r; 1053| | } 1054| | } 1055| |#endif 1056| | 1057| 144k| r[0] = word_sub(hi[0], P0, &borrow); 1058| 577k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (1058:22): [True: 433k, False: 144k] ------------------ 1059| 433k| r[i] = word_sub(hi[i], WordInfo::max, &borrow); 1060| 433k| } 1061| | 1062| 144k| borrow = (carry - borrow) > carry; 1063| | 1064| 144k| CT::conditional_assign_mem(borrow, r.data(), hi.data(), N); 1065| | 1066| 144k| return r; 1067| 144k|} _ZN5Botan9comba_sqrILm9ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 121k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 121k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 121k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| | if constexpr(std::same_as && N == 7) { 863| | return bigint_comba_sqr7(z, x); 864| | } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| 121k| if constexpr(std::same_as && N == 9) { 869| 121k| return bigint_comba_sqr9(z, x); 870| 121k| } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 121k| } 875| | 876| 0| word3 accum; 877| | 878| 121k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 121k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 121k|} _ZN5Botan9comba_mulILm9ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 138k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 138k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 138k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| | if constexpr(std::same_as && N == 7) { 827| | return bigint_comba_mul7(z, x, y); 828| | } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| 138k| if constexpr(std::same_as && N == 9) { 833| 138k| return bigint_comba_mul9(z, x, y); 834| 138k| } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 138k| } 839| | 840| 0| word3 accum; 841| | 842| 138k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 138k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 138k|} _ZN5Botan10shift_leftILm16ETkNS_8WordTypeEmLm9EEET0_RNSt3__15arrayIS1_XT1_EEE: 725| 391|inline constexpr W shift_left(std::array& x) { 726| 391| static_assert(N >= 1, "Invalid input size"); 727| 391| static_assert(S > 0, "Zero shift not supported"); 728| 391| static_assert(S < WordInfo::bits, "Shift too large"); 729| | 730| 391| const W carry = x[N - 1] >> (WordInfo::bits - S); 731| | 732| 3.51k| for(size_t i = N - 1; i != 0; --i) { ------------------ | Branch (732:26): [True: 3.12k, False: 391] ------------------ 733| 3.12k| x[i] = (x[i] << S) | (x[i - 1] >> (WordInfo::bits - S)); 734| 3.12k| } 735| 391| x[0] <<= S; 736| | 737| 391| return carry; 738| 391|} _ZN5Botan9comba_mulILm7ETkNS_8WordTypeEmEEvPT0_PKS1_S4_: 818| 2.25k|constexpr inline void comba_mul(W z[2 * N], const W x[N], const W y[N]) { 819| 2.25k| if(!std::is_constant_evaluated()) { ------------------ | Branch (819:7): [True: 2.25k, Folded] ------------------ 820| | if constexpr(std::same_as && N == 4) { 821| | return bigint_comba_mul4(z, x, y); 822| | } 823| | if constexpr(std::same_as && N == 6) { 824| | return bigint_comba_mul6(z, x, y); 825| | } 826| 2.25k| if constexpr(std::same_as && N == 7) { 827| 2.25k| return bigint_comba_mul7(z, x, y); 828| 2.25k| } 829| | if constexpr(std::same_as && N == 8) { 830| | return bigint_comba_mul8(z, x, y); 831| | } 832| | if constexpr(std::same_as && N == 9) { 833| | return bigint_comba_mul9(z, x, y); 834| | } 835| | if constexpr(std::same_as && N == 16) { 836| | return bigint_comba_mul16(z, x, y); 837| | } 838| 2.25k| } 839| | 840| 0| word3 accum; 841| | 842| 2.25k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (842:22): [True: 0, False: 2.25k] ------------------ 843| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (843:28): [True: 0, False: 0] ------------------ 844| 0| const size_t end = std::min(N, i + 1); 845| | 846| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (846:29): [True: 0, False: 0] ------------------ 847| 0| accum.mul(x[j], y[i - j]); 848| 0| } 849| 0| z[i] = accum.extract(); 850| 0| } 851| 2.25k|} _ZN5Botan9comba_sqrILm7ETkNS_8WordTypeEmEEvPT0_PKS1_: 854| 2.23k|constexpr inline void comba_sqr(W z[2 * N], const W x[N]) { 855| 2.23k| if(!std::is_constant_evaluated()) { ------------------ | Branch (855:7): [True: 2.23k, Folded] ------------------ 856| | if constexpr(std::same_as && N == 4) { 857| | return bigint_comba_sqr4(z, x); 858| | } 859| | if constexpr(std::same_as && N == 6) { 860| | return bigint_comba_sqr6(z, x); 861| | } 862| 2.23k| if constexpr(std::same_as && N == 7) { 863| 2.23k| return bigint_comba_sqr7(z, x); 864| 2.23k| } 865| | if constexpr(std::same_as && N == 8) { 866| | return bigint_comba_sqr8(z, x); 867| | } 868| | if constexpr(std::same_as && N == 9) { 869| | return bigint_comba_sqr9(z, x); 870| | } 871| | if constexpr(std::same_as && N == 16) { 872| | return bigint_comba_sqr16(z, x); 873| | } 874| 2.23k| } 875| | 876| 0| word3 accum; 877| | 878| 2.23k| for(size_t i = 0; i != 2 * N; ++i) { ------------------ | Branch (878:22): [True: 0, False: 2.23k] ------------------ 879| 0| const size_t start = i + 1 < N ? 0 : i + 1 - N; ------------------ | Branch (879:28): [True: 0, False: 0] ------------------ 880| 0| const size_t end = std::min(N, i + 1); 881| | 882| 0| for(size_t j = start; j != end; ++j) { ------------------ | Branch (882:29): [True: 0, False: 0] ------------------ 883| 0| accum.mul(x[j], x[i - j]); 884| 0| } 885| 0| z[i] = accum.extract(); 886| 0| } 887| 2.23k|} _ZN5Botan6PCurve15PrimeOrderCurve6ScalarD2Ev: 72| 13.6k| ~Scalar() = default; _ZN5Botan6PCurve15PrimeOrderCurve11AffinePointD2Ev: 100| 6.16k| ~AffinePoint() = default; _ZN5Botan6PCurve15PrimeOrderCurve15ProjectivePointD2Ev: 134| 1.87k| ~ProjectivePoint() = default; _ZN5Botan6PCurve15PrimeOrderCurve6ScalarC2EOS2_: 69| 6.80k| Scalar(Scalar&& other) = default; _ZN5Botan6PCurve15PrimeOrderCurve6ScalarC2ERKS2_: 68| 4.53k| Scalar(const Scalar& other) = default; _ZN5Botan6PCurve15PrimeOrderCurve11AffinePointC2EOS2_: 97| 3.75k| AffinePoint(AffinePoint&& other) = default; _ZNK5Botan6PCurve15PrimeOrderCurve6Scalar6_curveEv: 76| 6.41k| const auto& _curve() const { return m_curve; } _ZNK5Botan6PCurve15PrimeOrderCurve6Scalar6_valueEv: 78| 6.41k| const auto& _value() const { return m_value; } _ZN5Botan6PCurve15PrimeOrderCurve6Scalar7_createENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEE: 80| 2.26k| static Scalar _create(CurvePtr curve, StorageUnit v) { return Scalar(std::move(curve), v); } _ZN5Botan6PCurve15PrimeOrderCurve6ScalarC2ENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEE: 83| 2.26k| Scalar(CurvePtr curve, StorageUnit v) : m_curve(std::move(curve)), m_value(v) {} _ZNK5Botan6PCurve15PrimeOrderCurve11AffinePoint6_curveEv: 104| 4.28k| const auto& _curve() const { return m_curve; } _ZNK5Botan6PCurve15PrimeOrderCurve11AffinePoint2_xEv: 106| 4.28k| const auto& _x() const { return m_x; } _ZNK5Botan6PCurve15PrimeOrderCurve11AffinePoint2_yEv: 108| 4.28k| const auto& _y() const { return m_y; } _ZN5Botan6PCurve15PrimeOrderCurve11AffinePoint7_createENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_: 110| 2.40k| static AffinePoint _create(CurvePtr curve, StorageUnit x, StorageUnit y) { 111| 2.40k| return AffinePoint(std::move(curve), x, y); 112| 2.40k| } _ZN5Botan6PCurve15PrimeOrderCurve11AffinePointC2ENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_: 115| 2.40k| AffinePoint(CurvePtr curve, StorageUnit x, StorageUnit y) : m_curve(std::move(curve)), m_x(x), m_y(y) {} _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint6_curveEv: 136| 1.87k| const auto& _curve() const { return m_curve; } _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint2_xEv: 138| 1.87k| const auto& _x() const { return m_x; } _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint2_yEv: 140| 1.87k| const auto& _y() const { return m_y; } _ZNK5Botan6PCurve15PrimeOrderCurve15ProjectivePoint2_zEv: 142| 1.87k| const auto& _z() const { return m_z; } _ZN5Botan6PCurve15PrimeOrderCurve15ProjectivePoint7_createENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_S8_: 144| 1.87k| static ProjectivePoint _create(CurvePtr curve, StorageUnit x, StorageUnit y, StorageUnit z) { 145| 1.87k| return ProjectivePoint(std::move(curve), x, y, z); 146| 1.87k| } _ZN5Botan6PCurve15PrimeOrderCurve15ProjectivePointC2ENSt3__110shared_ptrIKS1_EENS3_5arrayImLm9EEES8_S8_: 150| 1.87k| m_curve(std::move(curve)), m_x(x), m_y(y), m_z(z) {} _ZN5Botan6PCurve15PrimeOrderCurveD2Ev: 163| 533| virtual ~PrimeOrderCurve() = default; pcurves_brainpool256r1.cpp:_ZN5Botan11dbl_genericINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_RKT0_: 397| 833|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 833| const auto z2 = pt.z().square(); 400| 833| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 833| const auto y2 = pt.y().square(); 404| 833| const auto s = pt.x().mul4() * y2; 405| 833| const auto nx = m.square() - s.mul2(); 406| 833| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 833| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 833| return ProjectivePoint(nx, ny, nz); 410| 833|} pcurves_brainpool256r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 735|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 735| const auto a_is_identity = a.is_identity(); 189| 735| const auto b_is_identity = b.is_identity(); 190| | 191| 735| const auto Z1Z1 = a.z().square(); 192| 735| const auto Z2Z2 = b.z().square(); 193| 735| const auto U1 = a.x() * Z2Z2; 194| 735| const auto U2 = b.x() * Z1Z1; 195| 735| const auto S1 = a.y() * b.z() * Z2Z2; 196| 735| const auto S2 = b.y() * a.z() * Z1Z1; 197| 735| const auto H = U2 - U1; 198| 735| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 735| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 735] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 735| const auto HH = H.square(); 215| 735| const auto HHH = H * HH; 216| 735| const auto V = U1 * HH; 217| 735| const auto t2 = r.square(); 218| 735| const auto t3 = V + V; 219| 735| const auto t4 = t2 - HHH; 220| 735| auto X3 = t4 - t3; 221| 735| const auto t5 = V - X3; 222| 735| const auto t6 = S1 * HHH; 223| 735| const auto t7 = r * t5; 224| 735| auto Y3 = t7 - t6; 225| 735| const auto t8 = b.z() * H; 226| 735| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 735| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 735| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 735| return ProjectivePoint(X3, Y3, Z3); 235| 735|} pcurves_brainpool256r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.56k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.56k, False: 1] ------------------ 117| 1.56k| any_identity = any_identity || pt.is_identity(); 118| 1.56k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.56k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.56k, False: 1] ------------------ 146| 1.56k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.56k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.56k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.56k, False: 1] ------------------ 158| 1.56k| const auto& p = projective[i]; 159| | 160| 1.56k| const auto z_inv = s_inv * c[i - 1]; 161| 1.56k| const auto z2_inv = z_inv.square(); 162| 1.56k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.56k| s_inv = s_inv * p.z(); 165| | 166| 1.56k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.56k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_brainpool256r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveEEEDaRKNT_15ProjectivePointE: 76| 152|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 152| } else { 85| 152| const auto z_inv = invert_field_element(pt.z()); 86| 152| const auto z2_inv = z_inv.square(); 87| 152| const auto z3_inv = z_inv * z2_inv; 88| 152| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 152| } 90| 152|} pcurves_brainpool256r1.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveEEEDaRKNT_12FieldElementE: 35| 152|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 152| } else { 39| 152| return fe.invert(); 40| 152| } 41| 152|} pcurves_brainpool256r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_brainpool256r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES3_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 6.38k| const FieldElement& one) { 297| 6.38k| const auto a_is_identity = a.is_identity(); 298| 6.38k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 6.38k| auto by = b.y(); 307| 6.38k| by.conditional_assign(sub, by.negate()); 308| | 309| 6.38k| const auto Z1Z1 = a.z().square(); 310| 6.38k| const auto U2 = b.x() * Z1Z1; 311| 6.38k| const auto S2 = by * a.z() * Z1Z1; 312| 6.38k| const auto H = U2 - a.x(); 313| 6.38k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 6.38k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 6.38k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 6.38k| const auto HH = H.square(); 330| 6.38k| const auto HHH = H * HH; 331| 6.38k| const auto V = a.x() * HH; 332| 6.38k| const auto t2 = r.square(); 333| 6.38k| const auto t3 = V + V; 334| 6.38k| const auto t4 = t2 - HHH; 335| 6.38k| auto X3 = t4 - t3; 336| 6.38k| const auto t5 = V - X3; 337| 6.38k| const auto t6 = a.y() * HHH; 338| 6.38k| const auto t7 = r * t5; 339| 6.38k| auto Y3 = t7 - t6; 340| 6.38k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 6.38k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 6.38k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 6.38k| return ProjectivePoint(X3, Y3, Z3); 349| 6.38k|} pcurves_brainpool384r1.cpp:_ZN5Botan11dbl_genericINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_RKT0_: 397| 1.24k|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 1.24k| const auto z2 = pt.z().square(); 400| 1.24k| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 1.24k| const auto y2 = pt.y().square(); 404| 1.24k| const auto s = pt.x().mul4() * y2; 405| 1.24k| const auto nx = m.square() - s.mul2(); 406| 1.24k| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 1.24k| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 1.24k| return ProjectivePoint(nx, ny, nz); 410| 1.24k|} pcurves_brainpool384r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.09k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.09k| const auto a_is_identity = a.is_identity(); 189| 1.09k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.09k| const auto Z1Z1 = a.z().square(); 192| 1.09k| const auto Z2Z2 = b.z().square(); 193| 1.09k| const auto U1 = a.x() * Z2Z2; 194| 1.09k| const auto U2 = b.x() * Z1Z1; 195| 1.09k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.09k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.09k| const auto H = U2 - U1; 198| 1.09k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.09k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.09k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.09k| const auto HH = H.square(); 215| 1.09k| const auto HHH = H * HH; 216| 1.09k| const auto V = U1 * HH; 217| 1.09k| const auto t2 = r.square(); 218| 1.09k| const auto t3 = V + V; 219| 1.09k| const auto t4 = t2 - HHH; 220| 1.09k| auto X3 = t4 - t3; 221| 1.09k| const auto t5 = V - X3; 222| 1.09k| const auto t6 = S1 * HHH; 223| 1.09k| const auto t7 = r * t5; 224| 1.09k| auto Y3 = t7 - t6; 225| 1.09k| const auto t8 = b.z() * H; 226| 1.09k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.09k| return ProjectivePoint(X3, Y3, Z3); 235| 1.09k|} pcurves_brainpool384r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 2.33k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 2.33k, False: 1] ------------------ 117| 2.33k| any_identity = any_identity || pt.is_identity(); 118| 2.33k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 2.33k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 2.33k, False: 1] ------------------ 146| 2.33k| c.push_back(c[i - 1] * projective[i].z()); 147| 2.33k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 2.33k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 2.33k, False: 1] ------------------ 158| 2.33k| const auto& p = projective[i]; 159| | 160| 2.33k| const auto z_inv = s_inv * c[i - 1]; 161| 2.33k| const auto z2_inv = z_inv.square(); 162| 2.33k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 2.33k| s_inv = s_inv * p.z(); 165| | 166| 2.33k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 2.33k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_brainpool384r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveEEEDaRKNT_15ProjectivePointE: 76| 185|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 185| } else { 85| 185| const auto z_inv = invert_field_element(pt.z()); 86| 185| const auto z2_inv = z_inv.square(); 87| 185| const auto z3_inv = z_inv * z2_inv; 88| 185| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 185| } 90| 185|} pcurves_brainpool384r1.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveEEEDaRKNT_12FieldElementE: 35| 185|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 185| } else { 39| 185| return fe.invert(); 40| 185| } 41| 185|} pcurves_brainpool384r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_brainpool384r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES3_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 11.8k| const FieldElement& one) { 297| 11.8k| const auto a_is_identity = a.is_identity(); 298| 11.8k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 11.8k| auto by = b.y(); 307| 11.8k| by.conditional_assign(sub, by.negate()); 308| | 309| 11.8k| const auto Z1Z1 = a.z().square(); 310| 11.8k| const auto U2 = b.x() * Z1Z1; 311| 11.8k| const auto S2 = by * a.z() * Z1Z1; 312| 11.8k| const auto H = U2 - a.x(); 313| 11.8k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 11.8k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 11.8k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 11.8k| const auto HH = H.square(); 330| 11.8k| const auto HHH = H * HH; 331| 11.8k| const auto V = a.x() * HH; 332| 11.8k| const auto t2 = r.square(); 333| 11.8k| const auto t3 = V + V; 334| 11.8k| const auto t4 = t2 - HHH; 335| 11.8k| auto X3 = t4 - t3; 336| 11.8k| const auto t5 = V - X3; 337| 11.8k| const auto t6 = a.y() * HHH; 338| 11.8k| const auto t7 = r * t5; 339| 11.8k| auto Y3 = t7 - t6; 340| 11.8k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 11.8k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 11.8k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 11.8k| return ProjectivePoint(X3, Y3, Z3); 349| 11.8k|} pcurves_brainpool512r1.cpp:_ZN5Botan11dbl_genericINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_RKT0_: 397| 1.64k|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 1.64k| const auto z2 = pt.z().square(); 400| 1.64k| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 1.64k| const auto y2 = pt.y().square(); 404| 1.64k| const auto s = pt.x().mul4() * y2; 405| 1.64k| const auto nx = m.square() - s.mul2(); 406| 1.64k| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 1.64k| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 1.64k| return ProjectivePoint(nx, ny, nz); 410| 1.64k|} pcurves_brainpool512r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.45k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.45k| const auto a_is_identity = a.is_identity(); 189| 1.45k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.45k| const auto Z1Z1 = a.z().square(); 192| 1.45k| const auto Z2Z2 = b.z().square(); 193| 1.45k| const auto U1 = a.x() * Z2Z2; 194| 1.45k| const auto U2 = b.x() * Z1Z1; 195| 1.45k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.45k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.45k| const auto H = U2 - U1; 198| 1.45k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.45k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.45k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.45k| const auto HH = H.square(); 215| 1.45k| const auto HHH = H * HH; 216| 1.45k| const auto V = U1 * HH; 217| 1.45k| const auto t2 = r.square(); 218| 1.45k| const auto t3 = V + V; 219| 1.45k| const auto t4 = t2 - HHH; 220| 1.45k| auto X3 = t4 - t3; 221| 1.45k| const auto t5 = V - X3; 222| 1.45k| const auto t6 = S1 * HHH; 223| 1.45k| const auto t7 = r * t5; 224| 1.45k| auto Y3 = t7 - t6; 225| 1.45k| const auto t8 = b.z() * H; 226| 1.45k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.45k| return ProjectivePoint(X3, Y3, Z3); 235| 1.45k|} pcurves_brainpool512r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 3.10k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 3.10k, False: 1] ------------------ 117| 3.10k| any_identity = any_identity || pt.is_identity(); 118| 3.10k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 3.10k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 3.10k, False: 1] ------------------ 146| 3.10k| c.push_back(c[i - 1] * projective[i].z()); 147| 3.10k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 3.10k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 3.10k, False: 1] ------------------ 158| 3.10k| const auto& p = projective[i]; 159| | 160| 3.10k| const auto z_inv = s_inv * c[i - 1]; 161| 3.10k| const auto z2_inv = z_inv.square(); 162| 3.10k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 3.10k| s_inv = s_inv * p.z(); 165| | 166| 3.10k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 3.10k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_brainpool512r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveEEEDaRKNT_15ProjectivePointE: 76| 151|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 151| } else { 85| 151| const auto z_inv = invert_field_element(pt.z()); 86| 151| const auto z2_inv = z_inv.square(); 87| 151| const auto z3_inv = z_inv * z2_inv; 88| 151| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 151| } 90| 151|} pcurves_brainpool512r1.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveEEEDaRKNT_12FieldElementE: 35| 151|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 151| } else { 39| 151| return fe.invert(); 40| 151| } 41| 151|} pcurves_brainpool512r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_brainpool512r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES3_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 12.8k| const FieldElement& one) { 297| 12.8k| const auto a_is_identity = a.is_identity(); 298| 12.8k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 12.8k| auto by = b.y(); 307| 12.8k| by.conditional_assign(sub, by.negate()); 308| | 309| 12.8k| const auto Z1Z1 = a.z().square(); 310| 12.8k| const auto U2 = b.x() * Z1Z1; 311| 12.8k| const auto S2 = by * a.z() * Z1Z1; 312| 12.8k| const auto H = U2 - a.x(); 313| 12.8k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 12.8k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 12.8k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 12.8k| const auto HH = H.square(); 330| 12.8k| const auto HHH = H * HH; 331| 12.8k| const auto V = a.x() * HH; 332| 12.8k| const auto t2 = r.square(); 333| 12.8k| const auto t3 = V + V; 334| 12.8k| const auto t4 = t2 - HHH; 335| 12.8k| auto X3 = t4 - t3; 336| 12.8k| const auto t5 = V - X3; 337| 12.8k| const auto t6 = a.y() * HHH; 338| 12.8k| const auto t7 = r * t5; 339| 12.8k| auto Y3 = t7 - t6; 340| 12.8k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 12.8k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 12.8k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 12.8k| return ProjectivePoint(X3, Y3, Z3); 349| 12.8k|} pcurves_generic.cpp:_ZN5Botan22point_add_or_sub_mixedINS_6PCurve22GenericProjectivePointENS1_18GenericAffinePointENS1_12_GLOBAL__N_112GenericFieldEEET_RKS6_RKT0_NS_2CT6ChoiceERKT1_: 296| 13.9k| const FieldElement& one) { 297| 13.9k| const auto a_is_identity = a.is_identity(); 298| 13.9k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 13.9k| auto by = b.y(); 307| 13.9k| by.conditional_assign(sub, by.negate()); 308| | 309| 13.9k| const auto Z1Z1 = a.z().square(); 310| 13.9k| const auto U2 = b.x() * Z1Z1; 311| 13.9k| const auto S2 = by * a.z() * Z1Z1; 312| 13.9k| const auto H = U2 - a.x(); 313| 13.9k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 13.9k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 13.9k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 13.9k| const auto HH = H.square(); 330| 13.9k| const auto HHH = H * HH; 331| 13.9k| const auto V = a.x() * HH; 332| 13.9k| const auto t2 = r.square(); 333| 13.9k| const auto t3 = V + V; 334| 13.9k| const auto t4 = t2 - HHH; 335| 13.9k| auto X3 = t4 - t3; 336| 13.9k| const auto t5 = V - X3; 337| 13.9k| const auto t6 = a.y() * HHH; 338| 13.9k| const auto t7 = r * t5; 339| 13.9k| auto Y3 = t7 - t6; 340| 13.9k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 13.9k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 13.9k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 13.9k| return ProjectivePoint(X3, Y3, Z3); 349| 13.9k|} _ZN5Botan13dbl_a_minus_3INS_6PCurve22GenericProjectivePointEEET_RKS3_: 362| 278k|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 278k| const auto z2 = pt.z().square(); 368| 278k| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 278k| const auto y2 = pt.y().square(); 372| 278k| const auto s = pt.x().mul4() * y2; 373| 278k| const auto nx = m.square() - s.mul2(); 374| 278k| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 278k| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 278k| return ProjectivePoint(nx, ny, nz); 378| 278k|} _ZN5Botan10dbl_a_zeroINS_6PCurve22GenericProjectivePointEEET_RKS3_: 381| 3.77k|inline constexpr ProjectivePoint dbl_a_zero(const ProjectivePoint& pt) { 382| | // If a == 0 then 3*x^2 + a*z^4 == 3*x^2 383| | // Cost: 1S + 1*3 384| 3.77k| const auto m = pt.x().square().mul3(); 385| | 386| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 387| 3.77k| const auto y2 = pt.y().square(); 388| 3.77k| const auto s = pt.x().mul4() * y2; 389| 3.77k| const auto nx = m.square() - s.mul2(); 390| 3.77k| const auto ny = m * (s - nx) - y2.square().mul8(); 391| 3.77k| const auto nz = pt.y().mul2() * pt.z(); 392| | 393| 3.77k| return ProjectivePoint(nx, ny, nz); 394| 3.77k|} pcurves_generic.cpp:_ZN5Botan11dbl_genericINS_6PCurve22GenericProjectivePointENS1_12_GLOBAL__N_112GenericFieldEEET_RKS5_RKT0_: 397| 151k|inline constexpr ProjectivePoint dbl_generic(const ProjectivePoint& pt, const FieldElement& A) { 398| | // Cost: 1M + 3S + 1A + 1*3 399| 151k| const auto z2 = pt.z().square(); 400| 151k| const auto m = pt.x().square().mul3() + A * z2.square(); 401| | 402| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 403| 151k| const auto y2 = pt.y().square(); 404| 151k| const auto s = pt.x().mul4() * y2; 405| 151k| const auto nx = m.square() - s.mul2(); 406| 151k| const auto ny = m * (s - nx) - y2.square().mul8(); 407| 151k| const auto nz = pt.y().mul2() * pt.z(); 408| | 409| 151k| return ProjectivePoint(nx, ny, nz); 410| 151k|} pcurves_generic.cpp:_ZN5Botan20invert_field_elementINS_6PCurve12_GLOBAL__N_112GenericCurveEEEDaRKNT_12FieldElementE: 35| 371|inline constexpr auto invert_field_element(const typename C::FieldElement& fe) { 36| | if constexpr(curve_supports_fe_invert2) { 37| | return C::fe_invert2(fe) * fe; 38| 371| } else { 39| 371| return fe.invert(); 40| 371| } 41| 371|} pcurves_generic.cpp:_ZN5Botan9point_addINS_6PCurve22GenericProjectivePointENS1_12_GLOBAL__N_112GenericFieldEEET_RKS5_S7_: 187| 382k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 382k| const auto a_is_identity = a.is_identity(); 189| 382k| const auto b_is_identity = b.is_identity(); 190| | 191| 382k| const auto Z1Z1 = a.z().square(); 192| 382k| const auto Z2Z2 = b.z().square(); 193| 382k| const auto U1 = a.x() * Z2Z2; 194| 382k| const auto U2 = b.x() * Z1Z1; 195| 382k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 382k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 382k| const auto H = U2 - U1; 198| 382k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 382k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 382k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 382k| const auto HH = H.square(); 215| 382k| const auto HHH = H * HH; 216| 382k| const auto V = U1 * HH; 217| 382k| const auto t2 = r.square(); 218| 382k| const auto t3 = V + V; 219| 382k| const auto t4 = t2 - HHH; 220| 382k| auto X3 = t4 - t3; 221| 382k| const auto t5 = V - X3; 222| 382k| const auto t6 = S1 * HHH; 223| 382k| const auto t7 = r * t5; 224| 382k| auto Y3 = t7 - t6; 225| 382k| const auto t8 = b.z() * H; 226| 382k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 382k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 382k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 382k| return ProjectivePoint(X3, Y3, Z3); 235| 382k|} pcurves_generic.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_112GenericCurveEEEDaRKNT_15ProjectivePointE: 76| 371|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| | if constexpr(curve_supports_fe_invert2) { 81| | const auto z2_inv = C::fe_invert2(pt.z()); 82| | const auto z3_inv = z2_inv.square() * pt.z(); 83| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| 371| } else { 85| 371| const auto z_inv = invert_field_element(pt.z()); 86| 371| const auto z2_inv = z_inv.square(); 87| 371| const auto z3_inv = z_inv * z2_inv; 88| 371| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| 371| } 90| 371|} pcurves_generic.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_112GenericCurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 524|auto to_affine_batch(std::span projective) { 108| 524| using AffinePoint = typename C::AffinePoint; 109| | 110| 524| const size_t N = projective.size(); 111| 524| std::vector affine; 112| 524| affine.reserve(N); 113| | 114| 524| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 817k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 817k, False: 524] ------------------ 117| 817k| any_identity = any_identity || pt.is_identity(); 118| 817k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 524| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 524] | Branch (126:17): [True: 0, False: 524] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 524| } else { 134| 524| std::vector c; 135| 524| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 524| c.push_back(projective[0].z()); 145| 817k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 816k, False: 524] ------------------ 146| 816k| c.push_back(c[i - 1] * projective[i].z()); 147| 816k| } 148| | 149| 524| auto s_inv = [&]() { 150| 524| if constexpr(VariableTime) { 151| 524| return c[N - 1].invert_vartime(); 152| 524| } else { 153| 524| return invert_field_element(c[N - 1]); 154| 524| } 155| 524| }(); 156| | 157| 817k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 816k, False: 524] ------------------ 158| 816k| const auto& p = projective[i]; 159| | 160| 816k| const auto z_inv = s_inv * c[i - 1]; 161| 816k| const auto z2_inv = z_inv.square(); 162| 816k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 816k| s_inv = s_inv * p.z(); 165| | 166| 816k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 816k| } 168| | 169| 524| const auto z2_inv = s_inv.square(); 170| 524| const auto z3_inv = s_inv * z2_inv; 171| 524| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 524| std::reverse(affine.begin(), affine.end()); 173| 524| return affine; 174| 524| } 175| | 176| 0| return affine; 177| 524|} pcurves_generic.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_112GenericCurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 524| auto s_inv = [&]() { 150| 524| if constexpr(VariableTime) { 151| 524| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 524| }(); pcurves_secp192r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 629|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 629| const auto z2 = pt.z().square(); 368| 629| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 629| const auto y2 = pt.y().square(); 372| 629| const auto s = pt.x().mul4() * y2; 373| 629| const auto nx = m.square() - s.mul2(); 374| 629| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 629| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 629| return ProjectivePoint(nx, ny, nz); 378| 629|} pcurves_secp192r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 555|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 555| const auto a_is_identity = a.is_identity(); 189| 555| const auto b_is_identity = b.is_identity(); 190| | 191| 555| const auto Z1Z1 = a.z().square(); 192| 555| const auto Z2Z2 = b.z().square(); 193| 555| const auto U1 = a.x() * Z2Z2; 194| 555| const auto U2 = b.x() * Z1Z1; 195| 555| const auto S1 = a.y() * b.z() * Z2Z2; 196| 555| const auto S2 = b.y() * a.z() * Z1Z1; 197| 555| const auto H = U2 - U1; 198| 555| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 555| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 555] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 555| const auto HH = H.square(); 215| 555| const auto HHH = H * HH; 216| 555| const auto V = U1 * HH; 217| 555| const auto t2 = r.square(); 218| 555| const auto t3 = V + V; 219| 555| const auto t4 = t2 - HHH; 220| 555| auto X3 = t4 - t3; 221| 555| const auto t5 = V - X3; 222| 555| const auto t6 = S1 * HHH; 223| 555| const auto t7 = r * t5; 224| 555| auto Y3 = t7 - t6; 225| 555| const auto t8 = b.z() * H; 226| 555| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 555| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 555| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 555| return ProjectivePoint(X3, Y3, Z3); 235| 555|} pcurves_secp192r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp192r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.18k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.18k, False: 1] ------------------ 117| 1.18k| any_identity = any_identity || pt.is_identity(); 118| 1.18k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.18k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.18k, False: 1] ------------------ 146| 1.18k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.18k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.18k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.18k, False: 1] ------------------ 158| 1.18k| const auto& p = projective[i]; 159| | 160| 1.18k| const auto z_inv = s_inv * c[i - 1]; 161| 1.18k| const auto z2_inv = z_inv.square(); 162| 1.18k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.18k| s_inv = s_inv * p.z(); 165| | 166| 1.18k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.18k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp192r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp192r15CurveEEEDaRKNT_15ProjectivePointE: 76| 189|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 189| if constexpr(curve_supports_fe_invert2) { 81| 189| const auto z2_inv = C::fe_invert2(pt.z()); 82| 189| const auto z3_inv = z2_inv.square() * pt.z(); 83| 189| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 189|} pcurves_secp192r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp192r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp192r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 6.04k| const FieldElement& one) { 297| 6.04k| const auto a_is_identity = a.is_identity(); 298| 6.04k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 6.04k| auto by = b.y(); 307| 6.04k| by.conditional_assign(sub, by.negate()); 308| | 309| 6.04k| const auto Z1Z1 = a.z().square(); 310| 6.04k| const auto U2 = b.x() * Z1Z1; 311| 6.04k| const auto S2 = by * a.z() * Z1Z1; 312| 6.04k| const auto H = U2 - a.x(); 313| 6.04k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 6.04k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 6.04k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 6.04k| const auto HH = H.square(); 330| 6.04k| const auto HHH = H * HH; 331| 6.04k| const auto V = a.x() * HH; 332| 6.04k| const auto t2 = r.square(); 333| 6.04k| const auto t3 = V + V; 334| 6.04k| const auto t4 = t2 - HHH; 335| 6.04k| auto X3 = t4 - t3; 336| 6.04k| const auto t5 = V - X3; 337| 6.04k| const auto t6 = a.y() * HHH; 338| 6.04k| const auto t7 = r * t5; 339| 6.04k| auto Y3 = t7 - t6; 340| 6.04k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 6.04k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 6.04k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 6.04k| return ProjectivePoint(X3, Y3, Z3); 349| 6.04k|} pcurves_secp224r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 731|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 731| const auto z2 = pt.z().square(); 368| 731| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 731| const auto y2 = pt.y().square(); 372| 731| const auto s = pt.x().mul4() * y2; 373| 731| const auto nx = m.square() - s.mul2(); 374| 731| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 731| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 731| return ProjectivePoint(nx, ny, nz); 378| 731|} pcurves_secp224r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 645|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 645| const auto a_is_identity = a.is_identity(); 189| 645| const auto b_is_identity = b.is_identity(); 190| | 191| 645| const auto Z1Z1 = a.z().square(); 192| 645| const auto Z2Z2 = b.z().square(); 193| 645| const auto U1 = a.x() * Z2Z2; 194| 645| const auto U2 = b.x() * Z1Z1; 195| 645| const auto S1 = a.y() * b.z() * Z2Z2; 196| 645| const auto S2 = b.y() * a.z() * Z1Z1; 197| 645| const auto H = U2 - U1; 198| 645| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 645| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 645] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 645| const auto HH = H.square(); 215| 645| const auto HHH = H * HH; 216| 645| const auto V = U1 * HH; 217| 645| const auto t2 = r.square(); 218| 645| const auto t3 = V + V; 219| 645| const auto t4 = t2 - HHH; 220| 645| auto X3 = t4 - t3; 221| 645| const auto t5 = V - X3; 222| 645| const auto t6 = S1 * HHH; 223| 645| const auto t7 = r * t5; 224| 645| auto Y3 = t7 - t6; 225| 645| const auto t8 = b.z() * H; 226| 645| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 645| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 645| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 645| return ProjectivePoint(X3, Y3, Z3); 235| 645|} pcurves_secp224r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp224r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.37k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.37k, False: 1] ------------------ 117| 1.37k| any_identity = any_identity || pt.is_identity(); 118| 1.37k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.37k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.37k, False: 1] ------------------ 146| 1.37k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.37k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.37k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.37k, False: 1] ------------------ 158| 1.37k| const auto& p = projective[i]; 159| | 160| 1.37k| const auto z_inv = s_inv * c[i - 1]; 161| 1.37k| const auto z2_inv = z_inv.square(); 162| 1.37k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.37k| s_inv = s_inv * p.z(); 165| | 166| 1.37k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.37k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp224r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp224r15CurveEEEDaRKNT_15ProjectivePointE: 76| 168|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 168| if constexpr(curve_supports_fe_invert2) { 81| 168| const auto z2_inv = C::fe_invert2(pt.z()); 82| 168| const auto z3_inv = z2_inv.square() * pt.z(); 83| 168| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 168|} pcurves_secp224r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp224r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp224r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 6.21k| const FieldElement& one) { 297| 6.21k| const auto a_is_identity = a.is_identity(); 298| 6.21k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 6.21k| auto by = b.y(); 307| 6.21k| by.conditional_assign(sub, by.negate()); 308| | 309| 6.21k| const auto Z1Z1 = a.z().square(); 310| 6.21k| const auto U2 = b.x() * Z1Z1; 311| 6.21k| const auto S2 = by * a.z() * Z1Z1; 312| 6.21k| const auto H = U2 - a.x(); 313| 6.21k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 6.21k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 6.21k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 6.21k| const auto HH = H.square(); 330| 6.21k| const auto HHH = H * HH; 331| 6.21k| const auto V = a.x() * HH; 332| 6.21k| const auto t2 = r.square(); 333| 6.21k| const auto t3 = V + V; 334| 6.21k| const auto t4 = t2 - HHH; 335| 6.21k| auto X3 = t4 - t3; 336| 6.21k| const auto t5 = V - X3; 337| 6.21k| const auto t6 = a.y() * HHH; 338| 6.21k| const auto t7 = r * t5; 339| 6.21k| auto Y3 = t7 - t6; 340| 6.21k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 6.21k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 6.21k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 6.21k| return ProjectivePoint(X3, Y3, Z3); 349| 6.21k|} pcurves_secp256k1.cpp:_ZN5Botan10dbl_a_zeroINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 381| 833|inline constexpr ProjectivePoint dbl_a_zero(const ProjectivePoint& pt) { 382| | // If a == 0 then 3*x^2 + a*z^4 == 3*x^2 383| | // Cost: 1S + 1*3 384| 833| const auto m = pt.x().square().mul3(); 385| | 386| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 387| 833| const auto y2 = pt.y().square(); 388| 833| const auto s = pt.x().mul4() * y2; 389| 833| const auto nx = m.square() - s.mul2(); 390| 833| const auto ny = m * (s - nx) - y2.square().mul8(); 391| 833| const auto nz = pt.y().mul2() * pt.z(); 392| | 393| 833| return ProjectivePoint(nx, ny, nz); 394| 833|} pcurves_secp256k1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 735|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 735| const auto a_is_identity = a.is_identity(); 189| 735| const auto b_is_identity = b.is_identity(); 190| | 191| 735| const auto Z1Z1 = a.z().square(); 192| 735| const auto Z2Z2 = b.z().square(); 193| 735| const auto U1 = a.x() * Z2Z2; 194| 735| const auto U2 = b.x() * Z1Z1; 195| 735| const auto S1 = a.y() * b.z() * Z2Z2; 196| 735| const auto S2 = b.y() * a.z() * Z1Z1; 197| 735| const auto H = U2 - U1; 198| 735| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 735| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 735] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 735| const auto HH = H.square(); 215| 735| const auto HHH = H * HH; 216| 735| const auto V = U1 * HH; 217| 735| const auto t2 = r.square(); 218| 735| const auto t3 = V + V; 219| 735| const auto t4 = t2 - HHH; 220| 735| auto X3 = t4 - t3; 221| 735| const auto t5 = V - X3; 222| 735| const auto t6 = S1 * HHH; 223| 735| const auto t7 = r * t5; 224| 735| auto Y3 = t7 - t6; 225| 735| const auto t8 = b.z() * H; 226| 735| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 735| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 735| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 735| return ProjectivePoint(X3, Y3, Z3); 235| 735|} pcurves_secp256k1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256k15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.56k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.56k, False: 1] ------------------ 117| 1.56k| any_identity = any_identity || pt.is_identity(); 118| 1.56k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.56k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.56k, False: 1] ------------------ 146| 1.56k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.56k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.56k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.56k, False: 1] ------------------ 158| 1.56k| const auto& p = projective[i]; 159| | 160| 1.56k| const auto z_inv = s_inv * c[i - 1]; 161| 1.56k| const auto z2_inv = z_inv.square(); 162| 1.56k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.56k| s_inv = s_inv * p.z(); 165| | 166| 1.56k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.56k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp256k1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp256k15CurveEEEDaRKNT_15ProjectivePointE: 76| 157|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 157| if constexpr(curve_supports_fe_invert2) { 81| 157| const auto z2_inv = C::fe_invert2(pt.z()); 82| 157| const auto z3_inv = z2_inv.square() * pt.z(); 83| 157| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 157|} pcurves_secp256k1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256k15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp256k1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 6.59k| const FieldElement& one) { 297| 6.59k| const auto a_is_identity = a.is_identity(); 298| 6.59k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 6.59k| auto by = b.y(); 307| 6.59k| by.conditional_assign(sub, by.negate()); 308| | 309| 6.59k| const auto Z1Z1 = a.z().square(); 310| 6.59k| const auto U2 = b.x() * Z1Z1; 311| 6.59k| const auto S2 = by * a.z() * Z1Z1; 312| 6.59k| const auto H = U2 - a.x(); 313| 6.59k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 6.59k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 6.59k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 6.59k| const auto HH = H.square(); 330| 6.59k| const auto HHH = H * HH; 331| 6.59k| const auto V = a.x() * HH; 332| 6.59k| const auto t2 = r.square(); 333| 6.59k| const auto t3 = V + V; 334| 6.59k| const auto t4 = t2 - HHH; 335| 6.59k| auto X3 = t4 - t3; 336| 6.59k| const auto t5 = V - X3; 337| 6.59k| const auto t6 = a.y() * HHH; 338| 6.59k| const auto t7 = r * t5; 339| 6.59k| auto Y3 = t7 - t6; 340| 6.59k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 6.59k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 6.59k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 6.59k| return ProjectivePoint(X3, Y3, Z3); 349| 6.59k|} pcurves_secp256r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 833|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 833| const auto z2 = pt.z().square(); 368| 833| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 833| const auto y2 = pt.y().square(); 372| 833| const auto s = pt.x().mul4() * y2; 373| 833| const auto nx = m.square() - s.mul2(); 374| 833| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 833| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 833| return ProjectivePoint(nx, ny, nz); 378| 833|} pcurves_secp256r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 735|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 735| const auto a_is_identity = a.is_identity(); 189| 735| const auto b_is_identity = b.is_identity(); 190| | 191| 735| const auto Z1Z1 = a.z().square(); 192| 735| const auto Z2Z2 = b.z().square(); 193| 735| const auto U1 = a.x() * Z2Z2; 194| 735| const auto U2 = b.x() * Z1Z1; 195| 735| const auto S1 = a.y() * b.z() * Z2Z2; 196| 735| const auto S2 = b.y() * a.z() * Z1Z1; 197| 735| const auto H = U2 - U1; 198| 735| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 735| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 735] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 735| const auto HH = H.square(); 215| 735| const auto HHH = H * HH; 216| 735| const auto V = U1 * HH; 217| 735| const auto t2 = r.square(); 218| 735| const auto t3 = V + V; 219| 735| const auto t4 = t2 - HHH; 220| 735| auto X3 = t4 - t3; 221| 735| const auto t5 = V - X3; 222| 735| const auto t6 = S1 * HHH; 223| 735| const auto t7 = r * t5; 224| 735| auto Y3 = t7 - t6; 225| 735| const auto t8 = b.z() * H; 226| 735| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 735| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 735| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 735| return ProjectivePoint(X3, Y3, Z3); 235| 735|} pcurves_secp256r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 1.56k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 1.56k, False: 1] ------------------ 117| 1.56k| any_identity = any_identity || pt.is_identity(); 118| 1.56k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 1.56k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 1.56k, False: 1] ------------------ 146| 1.56k| c.push_back(c[i - 1] * projective[i].z()); 147| 1.56k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 1.56k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 1.56k, False: 1] ------------------ 158| 1.56k| const auto& p = projective[i]; 159| | 160| 1.56k| const auto z_inv = s_inv * c[i - 1]; 161| 1.56k| const auto z2_inv = z_inv.square(); 162| 1.56k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 1.56k| s_inv = s_inv * p.z(); 165| | 166| 1.56k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 1.56k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp256r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp256r15CurveEEEDaRKNT_15ProjectivePointE: 76| 215|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 215| if constexpr(curve_supports_fe_invert2) { 81| 215| const auto z2_inv = C::fe_invert2(pt.z()); 82| 215| const auto z3_inv = z2_inv.square() * pt.z(); 83| 215| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 215|} pcurves_secp256r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp256r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp256r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS4_9secp256r16ParamsES5_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 9.03k| const FieldElement& one) { 297| 9.03k| const auto a_is_identity = a.is_identity(); 298| 9.03k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 9.03k| auto by = b.y(); 307| 9.03k| by.conditional_assign(sub, by.negate()); 308| | 309| 9.03k| const auto Z1Z1 = a.z().square(); 310| 9.03k| const auto U2 = b.x() * Z1Z1; 311| 9.03k| const auto S2 = by * a.z() * Z1Z1; 312| 9.03k| const auto H = U2 - a.x(); 313| 9.03k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 9.03k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 9.03k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 9.03k| const auto HH = H.square(); 330| 9.03k| const auto HHH = H * HH; 331| 9.03k| const auto V = a.x() * HH; 332| 9.03k| const auto t2 = r.square(); 333| 9.03k| const auto t3 = V + V; 334| 9.03k| const auto t4 = t2 - HHH; 335| 9.03k| auto X3 = t4 - t3; 336| 9.03k| const auto t5 = V - X3; 337| 9.03k| const auto t6 = a.y() * HHH; 338| 9.03k| const auto t7 = r * t5; 339| 9.03k| auto Y3 = t7 - t6; 340| 9.03k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 9.03k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 9.03k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 9.03k| return ProjectivePoint(X3, Y3, Z3); 349| 9.03k|} pcurves_secp384r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 1.24k|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 1.24k| const auto z2 = pt.z().square(); 368| 1.24k| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 1.24k| const auto y2 = pt.y().square(); 372| 1.24k| const auto s = pt.x().mul4() * y2; 373| 1.24k| const auto nx = m.square() - s.mul2(); 374| 1.24k| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 1.24k| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 1.24k| return ProjectivePoint(nx, ny, nz); 378| 1.24k|} pcurves_secp384r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.09k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.09k| const auto a_is_identity = a.is_identity(); 189| 1.09k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.09k| const auto Z1Z1 = a.z().square(); 192| 1.09k| const auto Z2Z2 = b.z().square(); 193| 1.09k| const auto U1 = a.x() * Z2Z2; 194| 1.09k| const auto U2 = b.x() * Z1Z1; 195| 1.09k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.09k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.09k| const auto H = U2 - U1; 198| 1.09k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.09k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.09k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.09k| const auto HH = H.square(); 215| 1.09k| const auto HHH = H * HH; 216| 1.09k| const auto V = U1 * HH; 217| 1.09k| const auto t2 = r.square(); 218| 1.09k| const auto t3 = V + V; 219| 1.09k| const auto t4 = t2 - HHH; 220| 1.09k| auto X3 = t4 - t3; 221| 1.09k| const auto t5 = V - X3; 222| 1.09k| const auto t6 = S1 * HHH; 223| 1.09k| const auto t7 = r * t5; 224| 1.09k| auto Y3 = t7 - t6; 225| 1.09k| const auto t8 = b.z() * H; 226| 1.09k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.09k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.09k| return ProjectivePoint(X3, Y3, Z3); 235| 1.09k|} pcurves_secp384r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 2.33k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 2.33k, False: 1] ------------------ 117| 2.33k| any_identity = any_identity || pt.is_identity(); 118| 2.33k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 2.33k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 2.33k, False: 1] ------------------ 146| 2.33k| c.push_back(c[i - 1] * projective[i].z()); 147| 2.33k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 2.33k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 2.33k, False: 1] ------------------ 158| 2.33k| const auto& p = projective[i]; 159| | 160| 2.33k| const auto z_inv = s_inv * c[i - 1]; 161| 2.33k| const auto z2_inv = z_inv.square(); 162| 2.33k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 2.33k| s_inv = s_inv * p.z(); 165| | 166| 2.33k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 2.33k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp384r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp384r15CurveEEEDaRKNT_15ProjectivePointE: 76| 151|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 151| if constexpr(curve_supports_fe_invert2) { 81| 151| const auto z2_inv = C::fe_invert2(pt.z()); 82| 151| const auto z3_inv = z2_inv.square() * pt.z(); 83| 151| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 151|} pcurves_secp384r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp384r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp384r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS4_9secp384r16ParamsES5_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 9.66k| const FieldElement& one) { 297| 9.66k| const auto a_is_identity = a.is_identity(); 298| 9.66k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 9.66k| auto by = b.y(); 307| 9.66k| by.conditional_assign(sub, by.negate()); 308| | 309| 9.66k| const auto Z1Z1 = a.z().square(); 310| 9.66k| const auto U2 = b.x() * Z1Z1; 311| 9.66k| const auto S2 = by * a.z() * Z1Z1; 312| 9.66k| const auto H = U2 - a.x(); 313| 9.66k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 9.66k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 9.66k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 9.66k| const auto HH = H.square(); 330| 9.66k| const auto HHH = H * HH; 331| 9.66k| const auto V = a.x() * HH; 332| 9.66k| const auto t2 = r.square(); 333| 9.66k| const auto t3 = V + V; 334| 9.66k| const auto t4 = t2 - HHH; 335| 9.66k| auto X3 = t4 - t3; 336| 9.66k| const auto t5 = V - X3; 337| 9.66k| const auto t6 = a.y() * HHH; 338| 9.66k| const auto t7 = r * t5; 339| 9.66k| auto Y3 = t7 - t6; 340| 9.66k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 9.66k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 9.66k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 9.66k| return ProjectivePoint(X3, Y3, Z3); 349| 9.66k|} pcurves_secp521r1.cpp:_ZN5Botan13dbl_a_minus_3INS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EEEET_RKSE_: 362| 1.64k|inline constexpr ProjectivePoint dbl_a_minus_3(const ProjectivePoint& pt) { 363| | /* 364| | if a == -3 then 365| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 366| | */ 367| 1.64k| const auto z2 = pt.z().square(); 368| 1.64k| const auto m = (pt.x() - z2).mul3() * (pt.x() + z2); 369| | 370| | // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8 371| 1.64k| const auto y2 = pt.y().square(); 372| 1.64k| const auto s = pt.x().mul4() * y2; 373| 1.64k| const auto nx = m.square() - s.mul2(); 374| 1.64k| const auto ny = m * (s - nx) - y2.square().mul8(); 375| 1.64k| const auto nz = pt.y().mul2() * pt.z(); 376| | 377| 1.64k| return ProjectivePoint(nx, ny, nz); 378| 1.64k|} pcurves_secp521r1.cpp:_ZN5Botan9point_addINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EESC_EET_RKSE_SG_: 187| 1.45k|inline constexpr ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) { 188| 1.45k| const auto a_is_identity = a.is_identity(); 189| 1.45k| const auto b_is_identity = b.is_identity(); 190| | 191| 1.45k| const auto Z1Z1 = a.z().square(); 192| 1.45k| const auto Z2Z2 = b.z().square(); 193| 1.45k| const auto U1 = a.x() * Z2Z2; 194| 1.45k| const auto U2 = b.x() * Z1Z1; 195| 1.45k| const auto S1 = a.y() * b.z() * Z2Z2; 196| 1.45k| const auto S2 = b.y() * a.z() * Z1Z1; 197| 1.45k| const auto H = U2 - U1; 198| 1.45k| const auto r = S2 - S1; 199| | 200| | /* Risky conditional 201| | * 202| | * This implementation uses projective coordinates, which do not have an efficient complete 203| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 204| | * 205| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 206| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 207| | * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct 208| | * output (the identity element) 209| | */ 210| 1.45k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (210:7): [True: 0, False: 1.45k] ------------------ 211| 0| return a.dbl(); 212| 0| } 213| | 214| 1.45k| const auto HH = H.square(); 215| 1.45k| const auto HHH = H * HH; 216| 1.45k| const auto V = U1 * HH; 217| 1.45k| const auto t2 = r.square(); 218| 1.45k| const auto t3 = V + V; 219| 1.45k| const auto t4 = t2 - HHH; 220| 1.45k| auto X3 = t4 - t3; 221| 1.45k| const auto t5 = V - X3; 222| 1.45k| const auto t6 = S1 * HHH; 223| 1.45k| const auto t7 = r * t5; 224| 1.45k| auto Y3 = t7 - t6; 225| 1.45k| const auto t8 = b.z() * H; 226| 1.45k| auto Z3 = a.z() * t8; 227| | 228| | // if a is identity then return b 229| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z()); 230| | 231| | // if b is identity then return a 232| 1.45k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 233| | 234| 1.45k| return ProjectivePoint(X3, Y3, Z3); 235| 1.45k|} pcurves_secp521r1.cpp:_ZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp521r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEE: 107| 1|auto to_affine_batch(std::span projective) { 108| 1| using AffinePoint = typename C::AffinePoint; 109| | 110| 1| const size_t N = projective.size(); 111| 1| std::vector affine; 112| 1| affine.reserve(N); 113| | 114| 1| CT::Choice any_identity = CT::Choice::no(); 115| | 116| 3.10k| for(const auto& pt : projective) { ------------------ | Branch (116:23): [True: 3.10k, False: 1] ------------------ 117| 3.10k| any_identity = any_identity || pt.is_identity(); 118| 3.10k| } 119| | 120| | // Conditional acceptable: N is public. State of points is not necessarily 121| | // public, but we don't leak which point was the identity. In practice with 122| | // the algorithms currently in use, the only time an identity can occur is 123| | // during mul2 where the two points g/h have a small relation (ie h = g*k for 124| | // some k < 16) 125| | 126| 1| if(N <= 2 || any_identity.as_bool()) { ------------------ | Branch (126:7): [True: 0, False: 1] | Branch (126:17): [True: 0, False: 1] ------------------ 127| | // If there are identity elements, using the batch inversion gets 128| | // tricky. It can be done, but this should be a rare situation so 129| | // just punt to the serial conversion if it occurs 130| 0| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (130:25): [True: 0, False: 0] ------------------ 131| 0| affine.push_back(to_affine(projective[i])); 132| 0| } 133| 1| } else { 134| 1| std::vector c; 135| 1| c.reserve(N); 136| | 137| | /* 138| | Batch projective->affine using Montgomery's trick 139| | 140| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 141| | (Hankerson, Menezes, Vanstone) 142| | */ 143| | 144| 1| c.push_back(projective[0].z()); 145| 3.10k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (145:25): [True: 3.10k, False: 1] ------------------ 146| 3.10k| c.push_back(c[i - 1] * projective[i].z()); 147| 3.10k| } 148| | 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| 1| } else { 153| 1| return invert_field_element(c[N - 1]); 154| 1| } 155| 1| }(); 156| | 157| 3.10k| for(size_t i = N - 1; i > 0; --i) { ------------------ | Branch (157:29): [True: 3.10k, False: 1] ------------------ 158| 3.10k| const auto& p = projective[i]; 159| | 160| 3.10k| const auto z_inv = s_inv * c[i - 1]; 161| 3.10k| const auto z2_inv = z_inv.square(); 162| 3.10k| const auto z3_inv = z_inv * z2_inv; 163| | 164| 3.10k| s_inv = s_inv * p.z(); 165| | 166| 3.10k| affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv)); 167| 3.10k| } 168| | 169| 1| const auto z2_inv = s_inv.square(); 170| 1| const auto z3_inv = s_inv * z2_inv; 171| 1| affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv)); 172| 1| std::reverse(affine.begin(), affine.end()); 173| 1| return affine; 174| 1| } 175| | 176| 0| return affine; 177| 1|} pcurves_secp521r1.cpp:_ZN5Botan9to_affineINS_6PCurve12_GLOBAL__N_19secp521r15CurveEEEDaRKNT_15ProjectivePointE: 76| 136|inline constexpr auto to_affine(const typename C::ProjectivePoint& pt) { 77| | // Not strictly required right? - default should work as long 78| | // as (0,0) is identity and invert returns 0 on 0 79| | 80| 136| if constexpr(curve_supports_fe_invert2) { 81| 136| const auto z2_inv = C::fe_invert2(pt.z()); 82| 136| const auto z3_inv = z2_inv.square() * pt.z(); 83| 136| return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 84| | } else { 85| | const auto z_inv = invert_field_element(pt.z()); 86| | const auto z2_inv = z_inv.square(); 87| | const auto z3_inv = z_inv * z2_inv; 88| | return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv); 89| | } 90| 136|} pcurves_secp521r1.cpp:_ZZN5Botan15to_affine_batchINS_6PCurve12_GLOBAL__N_19secp521r15CurveELb1EEEDaNSt3__14spanIKNT_15ProjectivePointELm18446744073709551615EEEENKUlvE_clEv: 149| 1| auto s_inv = [&]() { 150| 1| if constexpr(VariableTime) { 151| 1| return c[N - 1].invert_vartime(); 152| | } else { 153| | return invert_field_element(c[N - 1]); 154| | } 155| 1| }(); pcurves_secp521r1.cpp:_ZN5Botan22point_add_or_sub_mixedINS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS5_6ParamsES6_E11FieldParamsEEEEES8_EENS_16AffineCurvePointISC_EESC_EET_RKSG_RKT0_NS_2CT6ChoiceERKT1_: 296| 11.6k| const FieldElement& one) { 297| 11.6k| const auto a_is_identity = a.is_identity(); 298| 11.6k| const auto b_is_identity = b.is_identity(); 299| | 300| | /* 301| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 302| | 303| | Cost: 8M + 3S + 6add + 1*2 304| | */ 305| | 306| 11.6k| auto by = b.y(); 307| 11.6k| by.conditional_assign(sub, by.negate()); 308| | 309| 11.6k| const auto Z1Z1 = a.z().square(); 310| 11.6k| const auto U2 = b.x() * Z1Z1; 311| 11.6k| const auto S2 = by * a.z() * Z1Z1; 312| 11.6k| const auto H = U2 - a.x(); 313| 11.6k| const auto r = S2 - a.y(); 314| | 315| | /* Risky conditional 316| | * 317| | * This implementation uses projective coordinates, which do not have an efficient complete 318| | * addition formula. We rely on the design of the multiplication algorithms to avoid doublings. 319| | * 320| | * This conditional only comes into play for the actual doubling case, not x + (-x) which 321| | * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0, 322| | * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output 323| | * (the identity element) 324| | */ 325| 11.6k| if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) { ------------------ | Branch (325:7): [True: 0, False: 11.6k] ------------------ 326| 0| return a.dbl(); 327| 0| } 328| | 329| 11.6k| const auto HH = H.square(); 330| 11.6k| const auto HHH = H * HH; 331| 11.6k| const auto V = a.x() * HH; 332| 11.6k| const auto t2 = r.square(); 333| 11.6k| const auto t3 = V + V; 334| 11.6k| const auto t4 = t2 - HHH; 335| 11.6k| auto X3 = t4 - t3; 336| 11.6k| const auto t5 = V - X3; 337| 11.6k| const auto t6 = a.y() * HHH; 338| 11.6k| const auto t7 = r * t5; 339| 11.6k| auto Y3 = t7 - t6; 340| 11.6k| auto Z3 = a.z() * H; 341| | 342| | // if a is identity then return b 343| 11.6k| FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one); 344| | 345| | // if b is identity then return a 346| 11.6k| FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z()); 347| | 348| 11.6k| return ProjectivePoint(X3, Y3, Z3); 349| 11.6k|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve7_paramsEv: 113| 85.3M| const GenericCurveParams& _params() const { return *m_params; } pcurves_brainpool256r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 153| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 153| auto x = pt.x(); 1027| 153| auto y = pt.y(); 1028| 153| auto z = FieldElement::one(); 1029| | 1030| 153| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 153| return ProjectiveCurvePoint(x, y, z); 1033| 153| } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE1xEv: 971| 229k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE1yEv: 976| 223k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE3oneEv: 200| 6.68k| static constexpr Self one() { return Self(Rep::one()); } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE3oneEv: 99| 6.68k| constexpr static std::array one() { return R1; } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 192k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 153| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 153| const W mask = cond.into_bitmask(); 412| | 413| 765| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 612, False: 153] ------------------ 414| 612| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 612| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 612| x.m_val[i] = nx; 417| 612| y.m_val[i] = ny; 418| 612| } 419| 153| } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE11is_identityEv: 928| 6.99k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE7is_zeroEv: 225| 37.6k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 8.40k| m_x(x), m_y(y), m_z(z) {} pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E3dblEv: 1121| 833| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| 833| } else { 1127| 833| return dbl_generic(*this, A); 1128| 833| } 1129| 833| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E1zEv: 1172| 46.2k| constexpr const FieldElement& z() const { return m_z; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE6squareEv: 426| 30.1k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 30.1k| std::array z; // NOLINT(*-member-init) 428| 30.1k| comba_sqr(z.data(), this->data()); 429| 30.1k| return Self(Rep::redc(z)); 430| 30.1k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4dataEv: 896| 242k| constexpr const W* data() const { return m_val.data(); } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 152k| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 152k| } else { 108| 152k| return monty_redc(z, P, P_dash); 109| 152k| } 110| 152k| } pcurves_brainpool256r1.cpp:_ZN5BotanplERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEESC_: 265| 9.26k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 9.26k| std::array t; // NOLINT(*-member-init) 267| | 268| 9.26k| W carry = 0; 269| 46.3k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 37.0k, False: 9.26k] ------------------ 270| 37.0k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 37.0k| } 272| | 273| 9.26k| std::array r; // NOLINT(*-member-init) 274| 9.26k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 9.26k| return Self(r); 276| 9.26k| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E1xEv: 1162| 25.9k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul3Ev: 335| 833| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_brainpool256r1.cpp:_ZN5BotanmlERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEESC_: 346| 74.3k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 74.3k| std::array z; // NOLINT(*-member-init) 348| 74.3k| comba_mul(z.data(), a.data(), b.data()); 349| 74.3k| return Self(Rep::redc(z)); 350| 74.3k| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E1yEv: 1167| 25.9k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul4Ev: 338| 833| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_brainpool256r1.cpp:_ZN5BotanmiERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEESC_: 281| 45.2k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 45.2k| std::array r; // NOLINT(*-member-init) 283| 45.2k| W carry = 0; 284| 226k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 180k, False: 45.2k] ------------------ 285| 180k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 180k| } 287| | 288| 45.2k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 45.2k| carry = 0; 291| | 292| 226k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 180k, False: 45.2k] ------------------ 293| 180k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 180k| } 295| | 296| 45.2k| return Self(r); 297| 45.2k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul2Ev: 325| 6.66k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 6.66k| std::array t = value(); 327| 6.66k| const W carry = shift_left<1>(t); 328| | 329| 6.66k| std::array r; // NOLINT(*-member-init) 330| 6.66k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 6.66k| return Self(r); 332| 6.66k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE5valueEv: 894| 6.66k| constexpr const std::array& value() const { return m_val; } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4mul8Ev: 341| 833| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_brainpool256r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_EESE_: 1064| 735| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 735| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 9.42k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 14.3k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 14.3k| const W mask = cond.into_bitmask(); 397| | 398| 71.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 57.5k, False: 14.3k] ------------------ 399| 57.5k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 57.5k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 57.5k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 57.5k| } 403| 14.3k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE6invertEv: 538| 152| constexpr Self invert() const { return pow_vartime(Self::P_MINUS_2); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE11pow_vartimeERKNSt3__15arrayImLm4EEE: 477| 152| constexpr Self pow_vartime(const std::array& exp) const { 478| 152| constexpr size_t WindowBits = (Self::BITS <= 256) ? 4 : 5; ------------------ | Branch (478:40): [True: 0, Folded] ------------------ 479| 152| constexpr size_t WindowElements = (1 << WindowBits) - 1; 480| | 481| 152| constexpr size_t Windows = (Self::BITS + WindowBits - 1) / WindowBits; 482| | 483| | /* 484| | A simple fixed width window modular multiplication. 485| | 486| | TODO: investigate using sliding window here 487| | */ 488| | 489| 152| std::array tbl; 490| | 491| 152| tbl[0] = (*this); 492| | 493| 2.28k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (493:28): [True: 2.12k, False: 152] ------------------ 494| | // Conditional ok: table indexes are public here 495| 2.12k| if(i % 2 == 1) { ------------------ | Branch (495:16): [True: 1.06k, False: 1.06k] ------------------ 496| 1.06k| tbl[i] = tbl[i / 2].square(); 497| 1.06k| } else { 498| 1.06k| tbl[i] = tbl[i - 1] * tbl[0]; 499| 1.06k| } 500| 2.12k| } 501| | 502| 152| auto r = Self::one(); 503| | 504| 152| const size_t w0 = read_window_bits(std::span{exp}, (Windows - 1) * WindowBits); 505| | 506| | // Conditional ok: this function is variable time 507| 152| if(w0 > 0) { ------------------ | Branch (507:13): [True: 152, False: 0] ------------------ 508| 152| r = tbl[w0 - 1]; 509| 152| } 510| | 511| 9.72k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (511:28): [True: 9.57k, False: 152] ------------------ 512| 9.57k| r.square_n(WindowBits); 513| | 514| 9.57k| const size_t w = read_window_bits(std::span{exp}, (Windows - i - 1) * WindowBits); 515| | 516| | // Conditional ok: this function is variable time 517| 9.57k| if(w > 0) { ------------------ | Branch (517:16): [True: 8.96k, False: 608] ------------------ 518| 8.96k| r *= tbl[w - 1]; 519| 8.96k| } 520| 9.57k| } 521| | 522| 152| return r; 523| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEC2Ev: 180| 2.28k| constexpr IntMod() : m_val({}) {} pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE8square_nEm: 439| 9.57k| constexpr void square_n(size_t n) { 440| 9.57k| std::array z; // NOLINT(*-member-init) 441| 47.8k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 38.3k, False: 9.57k] ------------------ 442| 38.3k| comba_sqr(z.data(), this->data()); 443| 38.3k| m_val = Rep::redc(z); 444| 38.3k| } 445| 9.57k| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEmLERKSA_: 355| 8.96k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 8.96k| std::array z; // NOLINT(*-member-init) 357| 8.96k| comba_mul(z.data(), data(), other.data()); 358| 8.96k| m_val = Rep::redc(z); 359| 8.96k| return (*this); 360| 8.96k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 177| for(;;) { 618| | // Conditional ok: this function is variable time 619| 177| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 176] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 176| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 176| std::array r; // NOLINT(*-member-init) 640| 176| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 176| if(carry == 0) { ------------------ | Branch (643:16): [True: 94, False: 82] ------------------ 644| | // b > a 645| 94| b.m_val = r; 646| 94| x = nx; 647| 94| Self::_invert_vartime_div2_helper(b, x); 648| 94| } else { 649| | // We know this can't underflow because a > b 650| 82| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 82| a.m_val = r; 652| 82| y = nx; 653| 82| Self::_invert_vartime_div2_helper(a, y); 654| 82| } 655| 176| } 656| 1| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE4zeroEv: 195| 13.0k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 305| constexpr static std::array from_rep(const std::array& z) { 138| 305| std::array ze = {}; 139| 305| copy_mem(std::span{ze}.template first(), z); 140| 305| return Self::redc(ze); 141| 305| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 178| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 178| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 553| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 375, False: 178] ------------------ 552| 375| shift_right<1>(a.m_val); 553| | 554| 375| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 375| if(borrow) { ------------------ | Branch (557:16): [True: 193, False: 182] ------------------ 558| 193| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 193| } 560| 375| } 561| 178| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE6negateEv: 452| 6.53k| constexpr Self negate() const { 453| 6.53k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 6.53k| std::array r; // NOLINT(*-member-init) 456| 6.53k| W carry = 0; 457| 32.6k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 26.1k, False: 6.53k] ------------------ 458| 26.1k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 26.1k| } 460| | 461| 6.53k| return Self(r); 462| 6.53k| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 1| constexpr static std::array to_rep(const std::array& x) { 116| 1| std::array z; // NOLINT(*-member-init) 117| 1| comba_mul(z.data(), x.data(), R2.data()); 118| 1| return Self::redc(z); 119| 1| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 8.56k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 760| std::array stash_value() const { 760| 760| static_assert(L >= N); 761| 760| std::array stash = {}; 762| 3.80k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 3.04k, False: 760] ------------------ 763| 3.04k| stash[i] = m_val[i]; 764| 3.04k| } 765| 760| return stash; 766| 760| } pcurves_brainpool256r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 152| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 152| const BlindedScalar scalar(s, rng); 1409| 152| return basemul_booth_exec(m_table, scalar, rng); 1410| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 152| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 152| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 152, Folded] | Branch (1308:33): [True: 0, False: 152] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 152| } else { 1344| | // No RNG available, skip blinding 1345| 152| m_bytes.resize(C::Scalar::BYTES); 1346| 152| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 152| m_bits = C::Scalar::BITS; 1348| 152| } 1349| | 1350| 152| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 325| constexpr static std::array from_rep(const std::array& z) { 138| 325| std::array ze = {}; 139| 325| copy_mem(std::span{ze}.template first(), z); 140| 325| return Self::redc(ze); 141| 325| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 499| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 499| } else { 108| 499| return monty_redc(z, P, P_dash); 109| 499| } 110| 499| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 325| constexpr void serialize_to(std::span bytes) const { 740| 325| auto v = Rep::from_rep(m_val); 741| 325| std::reverse(v.begin(), v.end()); 742| | 743| 325| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 325| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 325| } pcurves_brainpool256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EE4bitsEv: 1305| 152| size_t bits() const { return m_bits; } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 152| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 152| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 152| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E6negateEv: 1134| 152| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 152| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18_const_time_poisonEv: 889| 456| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_brainpool256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EE10get_windowEm: 1353| 6.53k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 6.53k| return read_window_bits(std::span{m_bytes}, offset); 1356| 6.53k| } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 6.38k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 6.38k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 6.38k| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 6.38k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 6.38k| const W mask = cond.into_bitmask(); 369| | 370| 31.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 25.5k, False: 6.38k] ------------------ 371| 25.5k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 25.5k| } 373| 6.38k| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 6.53k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 6.53k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 6.53k| const size_t idx1 = static_cast(idx - 1); 960| 215k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 209k, False: 6.53k] ------------------ 961| 209k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 209k| result.conditional_assign(found, pts[i]); 963| 209k| } 964| | 965| 6.53k| return result; 966| 6.53k| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE8identityERKSC_: 924| 6.53k| static constexpr Self identity(const Self& /*unused*/) { 925| 6.53k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 6.53k| } pcurves_brainpool256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 209k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 209k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 209k| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 209k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 209k| const W mask = cond.into_bitmask(); 382| | 383| 1.04M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 836k, False: 209k] ------------------ 384| 836k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 836k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 836k| } 387| 209k| } pcurves_brainpool256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 608| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 608| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 608] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 608| } pcurves_brainpool256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 152| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 456| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_brainpool256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm7EED2Ev: 1358| 152| ~BlindedScalarBits() { 1359| 152| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 152| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 498| static Self from_stash(const std::array& stash) { 775| 498| static_assert(L >= N); 776| 498| std::array val = {}; 777| 2.49k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 1.99k, False: 498] ------------------ 778| 1.99k| val[i] = stash[i]; 779| 1.99k| } 780| 498| return Self(val); 781| 498| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 672| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 304| constexpr void serialize_to(std::span bytes) const { 740| 304| auto v = Rep::from_rep(m_val); 741| 304| std::reverse(v.begin(), v.end()); 742| | 743| 304| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 304| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 304| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 173| std::array stash_value() const { 760| 173| static_assert(L >= N); 761| 173| std::array stash = {}; 762| 865| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 692, False: 173] ------------------ 763| 692| stash[i] = m_val[i]; 764| 692| } 765| 173| return stash; 766| 173| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.06k| static Self from_stash(const std::array& stash) { 775| 1.06k| static_assert(L >= N); 776| 1.06k| std::array val = {}; 777| 5.32k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 4.25k, False: 1.06k] ------------------ 778| 4.25k| val[i] = stash[i]; 779| 4.25k| } 780| 1.06k| return Self(val); 781| 1.06k| } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE7is_zeroEv: 225| 347| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E11FieldParamsEEEEeqERKSA_: 722| 152| constexpr CT::Choice operator==(const Self& other) const { 723| 152| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsENS_13MontgomeryRepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 152| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 174| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 174| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 174] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 174| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 174| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 174] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 174| return Self::from_words(words); 807| 174| } pcurves_brainpool256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES1_E12ScalarParamsEEEE10from_wordsILm4EEESA_NSt3__15arrayImXT_EEE: 211| 174| static constexpr Self from_words(std::array w) { 212| 174| if constexpr(L == N) { 213| 174| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 174| } pcurves_brainpool256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES0_E12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 174| constexpr static std::array to_rep(const std::array& x) { 116| 174| std::array z; // NOLINT(*-member-init) 117| 174| comba_mul(z.data(), x.data(), R2.data()); 118| 174| return Self::redc(z); 119| 174| } pcurves_brainpool256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool256r16ParamsES2_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm65EEE: 941| 152| constexpr void serialize_to(std::span bytes) const { 942| 152| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 152| do { \ | | 52| 152| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 152| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 152] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 152| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 152] | | ------------------ ------------------ 943| 152| BufferStuffer pack(bytes); 944| 152| pack.append(0x04); 945| 152| x().serialize_to(pack.next()); 946| 152| y().serialize_to(pack.next()); 947| 152| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 152| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 152| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 152] | | ------------------ ------------------ 948| 152| } pcurves_brainpool384r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 186| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 186| auto x = pt.x(); 1027| 186| auto y = pt.y(); 1028| 186| auto z = FieldElement::one(); 1029| | 1030| 186| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 186| return ProjectiveCurvePoint(x, y, z); 1033| 186| } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE1xEv: 971| 421k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE1yEv: 976| 409k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE3oneEv: 200| 12.2k| static constexpr Self one() { return Self(Rep::one()); } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE3oneEv: 99| 12.2k| constexpr static std::array one() { return R1; } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 340k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 186| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 186| const W mask = cond.into_bitmask(); 412| | 413| 1.30k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 1.11k, False: 186] ------------------ 414| 1.11k| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 1.11k| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 1.11k| x.m_val[i] = nx; 417| 1.11k| y.m_val[i] = ny; 418| 1.11k| } 419| 186| } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE11is_identityEv: 928| 12.5k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE7is_zeroEv: 225| 67.3k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 14.7k| m_x(x), m_y(y), m_z(z) {} pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.24k| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| 1.24k| } else { 1127| 1.24k| return dbl_generic(*this, A); 1128| 1.24k| } 1129| 1.24k| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E1zEv: 1172| 80.3k| constexpr const FieldElement& z() const { return m_z; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE6squareEv: 426| 53.0k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 53.0k| std::array z; // NOLINT(*-member-init) 428| 53.0k| comba_sqr(z.data(), this->data()); 429| 53.0k| return Self(Rep::redc(z)); 430| 53.0k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4dataEv: 896| 424k| constexpr const W* data() const { return m_val.data(); } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE4redcERKNSt3__15arrayImLm12EEE: 104| 267k| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 267k| } else { 108| 267k| return monty_redc(z, P, P_dash); 109| 267k| } 110| 267k| } pcurves_brainpool384r1.cpp:_ZN5BotanplERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEESC_: 265| 16.0k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 16.0k| std::array t; // NOLINT(*-member-init) 267| | 268| 16.0k| W carry = 0; 269| 112k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 96.2k, False: 16.0k] ------------------ 270| 96.2k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 96.2k| } 272| | 273| 16.0k| std::array r; // NOLINT(*-member-init) 274| 16.0k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 16.0k| return Self(r); 276| 16.0k| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E1xEv: 1162| 45.4k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul3Ev: 335| 1.24k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_brainpool384r1.cpp:_ZN5BotanmlERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEESC_: 346| 130k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 130k| std::array z; // NOLINT(*-member-init) 348| 130k| comba_mul(z.data(), a.data(), b.data()); 349| 130k| return Self(Rep::redc(z)); 350| 130k| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E1yEv: 1167| 45.4k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul4Ev: 338| 1.24k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_brainpool384r1.cpp:_ZN5BotanmiERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEESC_: 281| 81.3k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 81.3k| std::array r; // NOLINT(*-member-init) 283| 81.3k| W carry = 0; 284| 569k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 487k, False: 81.3k] ------------------ 285| 487k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 487k| } 287| | 288| 81.3k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 81.3k| carry = 0; 291| | 292| 569k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 487k, False: 81.3k] ------------------ 293| 487k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 487k| } 295| | 296| 81.3k| return Self(r); 297| 81.3k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul2Ev: 325| 9.92k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 9.92k| std::array t = value(); 327| 9.92k| const W carry = shift_left<1>(t); 328| | 329| 9.92k| std::array r; // NOLINT(*-member-init) 330| 9.92k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 9.92k| return Self(r); 332| 9.92k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE5valueEv: 894| 9.92k| constexpr const std::array& value() const { return m_val; } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4mul8Ev: 341| 1.24k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_brainpool384r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_EESE_: 1064| 1.09k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.09k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 16.3k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 26.0k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 26.0k| const W mask = cond.into_bitmask(); 397| | 398| 182k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 156k, False: 26.0k] ------------------ 399| 156k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 156k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 156k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 156k| } 403| 26.0k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE6invertEv: 538| 185| constexpr Self invert() const { return pow_vartime(Self::P_MINUS_2); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE11pow_vartimeERKNSt3__15arrayImLm6EEE: 477| 185| constexpr Self pow_vartime(const std::array& exp) const { 478| 185| constexpr size_t WindowBits = (Self::BITS <= 256) ? 4 : 5; ------------------ | Branch (478:40): [Folded, False: 185] ------------------ 479| 185| constexpr size_t WindowElements = (1 << WindowBits) - 1; 480| | 481| 185| constexpr size_t Windows = (Self::BITS + WindowBits - 1) / WindowBits; 482| | 483| | /* 484| | A simple fixed width window modular multiplication. 485| | 486| | TODO: investigate using sliding window here 487| | */ 488| | 489| 185| std::array tbl; 490| | 491| 185| tbl[0] = (*this); 492| | 493| 5.73k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (493:28): [True: 5.55k, False: 185] ------------------ 494| | // Conditional ok: table indexes are public here 495| 5.55k| if(i % 2 == 1) { ------------------ | Branch (495:16): [True: 2.77k, False: 2.77k] ------------------ 496| 2.77k| tbl[i] = tbl[i / 2].square(); 497| 2.77k| } else { 498| 2.77k| tbl[i] = tbl[i - 1] * tbl[0]; 499| 2.77k| } 500| 5.55k| } 501| | 502| 185| auto r = Self::one(); 503| | 504| 185| const size_t w0 = read_window_bits(std::span{exp}, (Windows - 1) * WindowBits); 505| | 506| | // Conditional ok: this function is variable time 507| 185| if(w0 > 0) { ------------------ | Branch (507:13): [True: 185, False: 0] ------------------ 508| 185| r = tbl[w0 - 1]; 509| 185| } 510| | 511| 14.2k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (511:28): [True: 14.0k, False: 185] ------------------ 512| 14.0k| r.square_n(WindowBits); 513| | 514| 14.0k| const size_t w = read_window_bits(std::span{exp}, (Windows - i - 1) * WindowBits); 515| | 516| | // Conditional ok: this function is variable time 517| 14.0k| if(w > 0) { ------------------ | Branch (517:16): [True: 13.5k, False: 555] ------------------ 518| 13.5k| r *= tbl[w - 1]; 519| 13.5k| } 520| 14.0k| } 521| | 522| 185| return r; 523| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEC2Ev: 180| 5.73k| constexpr IntMod() : m_val({}) {} pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE8square_nEm: 439| 14.0k| constexpr void square_n(size_t n) { 440| 14.0k| std::array z; // NOLINT(*-member-init) 441| 84.3k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 70.3k, False: 14.0k] ------------------ 442| 70.3k| comba_sqr(z.data(), this->data()); 443| 70.3k| m_val = Rep::redc(z); 444| 70.3k| } 445| 14.0k| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEmLERKSA_: 355| 13.5k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 13.5k| std::array z; // NOLINT(*-member-init) 357| 13.5k| comba_mul(z.data(), data(), other.data()); 358| 13.5k| m_val = Rep::redc(z); 359| 13.5k| return (*this); 360| 13.5k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 262| for(;;) { 618| | // Conditional ok: this function is variable time 619| 262| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 261] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 261| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 261| std::array r; // NOLINT(*-member-init) 640| 261| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 261| if(carry == 0) { ------------------ | Branch (643:16): [True: 128, False: 133] ------------------ 644| | // b > a 645| 128| b.m_val = r; 646| 128| x = nx; 647| 128| Self::_invert_vartime_div2_helper(b, x); 648| 133| } else { 649| | // We know this can't underflow because a > b 650| 133| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 133| a.m_val = r; 652| 133| y = nx; 653| 133| Self::_invert_vartime_div2_helper(a, y); 654| 133| } 655| 261| } 656| 1| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE4zeroEv: 195| 24.0k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE8from_repERKNSt3__15arrayImLm6EEE: 137| 371| constexpr static std::array from_rep(const std::array& z) { 138| 371| std::array ze = {}; 139| 371| copy_mem(std::span{ze}.template first(), z); 140| 371| return Self::redc(ze); 141| 371| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 263| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 263| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 814| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 551, False: 263] ------------------ 552| 551| shift_right<1>(a.m_val); 553| | 554| 551| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 551| if(borrow) { ------------------ | Branch (557:16): [True: 291, False: 260] ------------------ 558| 291| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 291| } 560| 551| } 561| 263| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE6negateEv: 452| 12.0k| constexpr Self negate() const { 453| 12.0k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 12.0k| std::array r; // NOLINT(*-member-init) 456| 12.0k| W carry = 0; 457| 84.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 72.1k, False: 12.0k] ------------------ 458| 72.1k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 72.1k| } 460| | 461| 12.0k| return Self(r); 462| 12.0k| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E11FieldParamsEE6to_repERKNSt3__15arrayImLm6EEE: 115| 1| constexpr static std::array to_rep(const std::array& x) { 116| 1| std::array z; // NOLINT(*-member-init) 117| 1| comba_mul(z.data(), x.data(), R2.data()); 118| 1| return Self::redc(z); 119| 1| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 14.9k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 925| std::array stash_value() const { 760| 925| static_assert(L >= N); 761| 925| std::array stash = {}; 762| 6.47k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 5.55k, False: 925] ------------------ 763| 5.55k| stash[i] = m_val[i]; 764| 5.55k| } 765| 925| return stash; 766| 925| } pcurves_brainpool384r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 185| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 185| const BlindedScalar scalar(s, rng); 1409| 185| return basemul_booth_exec(m_table, scalar, rng); 1410| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 185| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 185| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 185, Folded] | Branch (1308:33): [True: 0, False: 185] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 185| } else { 1344| | // No RNG available, skip blinding 1345| 185| m_bytes.resize(C::Scalar::BYTES); 1346| 185| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 185| m_bits = C::Scalar::BITS; 1348| 185| } 1349| | 1350| 185| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E12ScalarParamsEE8from_repERKNSt3__15arrayImLm6EEE: 137| 388| constexpr static std::array from_rep(const std::array& z) { 138| 388| std::array ze = {}; 139| 388| copy_mem(std::span{ze}.template first(), z); 140| 388| return Self::redc(ze); 141| 388| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E12ScalarParamsEE4redcERKNSt3__15arrayImLm12EEE: 104| 592| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 592| } else { 108| 592| return monty_redc(z, P, P_dash); 109| 592| } 110| 592| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 388| constexpr void serialize_to(std::span bytes) const { 740| 388| auto v = Rep::from_rep(m_val); 741| 388| std::reverse(v.begin(), v.end()); 742| | 743| 388| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 388| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 388| } pcurves_brainpool384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EE4bitsEv: 1305| 185| size_t bits() const { return m_bits; } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 185| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 185| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 185| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E6negateEv: 1134| 185| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 185| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18_const_time_poisonEv: 889| 555| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_brainpool384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EE10get_windowEm: 1353| 12.0k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 12.0k| return read_window_bits(std::span{m_bytes}, offset); 1356| 12.0k| } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 11.8k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 11.8k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 11.8k| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 11.8k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 11.8k| const W mask = cond.into_bitmask(); 369| | 370| 82.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 71.0k, False: 11.8k] ------------------ 371| 71.0k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 71.0k| } 373| 11.8k| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 12.0k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 12.0k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 12.0k| const size_t idx1 = static_cast(idx - 1); 960| 396k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 384k, False: 12.0k] ------------------ 961| 384k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 384k| result.conditional_assign(found, pts[i]); 963| 384k| } 964| | 965| 12.0k| return result; 966| 12.0k| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE8identityERKSC_: 924| 12.0k| static constexpr Self identity(const Self& /*unused*/) { 925| 12.0k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 12.0k| } pcurves_brainpool384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 384k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 384k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 384k| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 384k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 384k| const W mask = cond.into_bitmask(); 382| | 383| 2.69M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 2.30M, False: 384k] ------------------ 384| 2.30M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 2.30M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 2.30M| } 387| 384k| } pcurves_brainpool384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 740| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 740| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 740] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 740| } pcurves_brainpool384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 185| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 555| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_brainpool384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm7EED2Ev: 1358| 185| ~BlindedScalarBits() { 1359| 185| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 185| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 591| static Self from_stash(const std::array& stash) { 775| 591| static_assert(L >= N); 776| 591| std::array val = {}; 777| 4.13k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.54k, False: 591] ------------------ 778| 3.54k| val[i] = stash[i]; 779| 3.54k| } 780| 591| return Self(val); 781| 591| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 795| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 370| constexpr void serialize_to(std::span bytes) const { 740| 370| auto v = Rep::from_rep(m_val); 741| 370| std::reverse(v.begin(), v.end()); 742| | 743| 370| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 370| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 370| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 203| std::array stash_value() const { 760| 203| static_assert(L >= N); 761| 203| std::array stash = {}; 762| 1.42k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 1.21k, False: 203] ------------------ 763| 1.21k| stash[i] = m_val[i]; 764| 1.21k| } 765| 203| return stash; 766| 203| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.29k| static Self from_stash(const std::array& stash) { 775| 1.29k| static_assert(L >= N); 776| 1.29k| std::array val = {}; 777| 9.06k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 7.77k, False: 1.29k] ------------------ 778| 7.77k| val[i] = stash[i]; 779| 7.77k| } 780| 1.29k| return Self(val); 781| 1.29k| } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE7is_zeroEv: 225| 407| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E11FieldParamsEEEEeqERKSA_: 722| 185| constexpr CT::Choice operator==(const Self& other) const { 723| 185| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsENS_13MontgomeryRepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 185| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 204| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 204| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 204] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 204| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 204| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 204] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 204| return Self::from_words(words); 807| 204| } pcurves_brainpool384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES1_E12ScalarParamsEEEE10from_wordsILm6EEESA_NSt3__15arrayImXT_EEE: 211| 204| static constexpr Self from_words(std::array w) { 212| 204| if constexpr(L == N) { 213| 204| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 204| } pcurves_brainpool384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES0_E12ScalarParamsEE6to_repERKNSt3__15arrayImLm6EEE: 115| 204| constexpr static std::array to_rep(const std::array& x) { 116| 204| std::array z; // NOLINT(*-member-init) 117| 204| comba_mul(z.data(), x.data(), R2.data()); 118| 204| return Self::redc(z); 119| 204| } pcurves_brainpool384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool384r16ParamsES2_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm97EEE: 941| 185| constexpr void serialize_to(std::span bytes) const { 942| 185| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 185| do { \ | | 52| 185| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 185| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 185] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 185| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 185] | | ------------------ ------------------ 943| 185| BufferStuffer pack(bytes); 944| 185| pack.append(0x04); 945| 185| x().serialize_to(pack.next()); 946| 185| y().serialize_to(pack.next()); 947| 185| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 185| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 185| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 185] | | ------------------ ------------------ 948| 185| } pcurves_brainpool512r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 152| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 152| auto x = pt.x(); 1027| 152| auto y = pt.y(); 1028| 152| auto z = FieldElement::one(); 1029| | 1030| 152| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 152| return ProjectiveCurvePoint(x, y, z); 1033| 152| } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE1xEv: 971| 455k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE1yEv: 976| 442k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE3oneEv: 200| 13.1k| static constexpr Self one() { return Self(Rep::one()); } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE3oneEv: 99| 13.1k| constexpr static std::array one() { return R1; } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEC2ENSt3__15arrayImLm8EEE: 898| 383k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 152| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 152| const W mask = cond.into_bitmask(); 412| | 413| 1.36k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 1.21k, False: 152] ------------------ 414| 1.21k| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 1.21k| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 1.21k| x.m_val[i] = nx; 417| 1.21k| y.m_val[i] = ny; 418| 1.21k| } 419| 152| } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE11is_identityEv: 928| 13.4k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE7is_zeroEv: 225| 74.3k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 16.3k| m_x(x), m_y(y), m_z(z) {} pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.64k| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| 1.64k| } else { 1127| 1.64k| return dbl_generic(*this, A); 1128| 1.64k| } 1129| 1.64k| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E1zEv: 1172| 91.9k| constexpr const FieldElement& z() const { return m_z; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE6squareEv: 426| 60.0k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 60.0k| std::array z; // NOLINT(*-member-init) 428| 60.0k| comba_sqr(z.data(), this->data()); 429| 60.0k| return Self(Rep::redc(z)); 430| 60.0k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4dataEv: 896| 478k| constexpr const W* data() const { return m_val.data(); } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE4redcERKNSt3__15arrayImLm16EEE: 104| 300k| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 300k| } else { 108| 300k| return monty_redc(z, P, P_dash); 109| 300k| } 110| 300k| } pcurves_brainpool512r1.cpp:_ZN5BotanplERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEESC_: 265| 18.2k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 18.2k| std::array t; // NOLINT(*-member-init) 267| | 268| 18.2k| W carry = 0; 269| 164k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 146k, False: 18.2k] ------------------ 270| 146k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 146k| } 272| | 273| 18.2k| std::array r; // NOLINT(*-member-init) 274| 18.2k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 18.2k| return Self(r); 276| 18.2k| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E1xEv: 1162| 51.3k| constexpr const FieldElement& x() const { return m_x; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul3Ev: 335| 1.64k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_brainpool512r1.cpp:_ZN5BotanmlERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEESC_: 346| 148k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 148k| std::array z; // NOLINT(*-member-init) 348| 148k| comba_mul(z.data(), a.data(), b.data()); 349| 148k| return Self(Rep::redc(z)); 350| 148k| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E1yEv: 1167| 51.3k| constexpr const FieldElement& y() const { return m_y; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul4Ev: 338| 1.64k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_brainpool512r1.cpp:_ZN5BotanmiERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEESC_: 281| 90.6k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 90.6k| std::array r; // NOLINT(*-member-init) 283| 90.6k| W carry = 0; 284| 816k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 725k, False: 90.6k] ------------------ 285| 725k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 725k| } 287| | 288| 90.6k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 90.6k| carry = 0; 291| | 292| 816k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 725k, False: 90.6k] ------------------ 293| 725k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 725k| } 295| | 296| 90.6k| return Self(r); 297| 90.6k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul2Ev: 325| 13.1k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 13.1k| std::array t = value(); 327| 13.1k| const W carry = shift_left<1>(t); 328| | 329| 13.1k| std::array r; // NOLINT(*-member-init) 330| 13.1k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 13.1k| return Self(r); 332| 13.1k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE5valueEv: 894| 13.1k| constexpr const std::array& value() const { return m_val; } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4mul8Ev: 341| 1.64k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_brainpool512r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_EESE_: 1064| 1.45k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.45k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 18.8k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 28.7k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 28.7k| const W mask = cond.into_bitmask(); 397| | 398| 258k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 229k, False: 28.7k] ------------------ 399| 229k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 229k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 229k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 229k| } 403| 28.7k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE6invertEv: 538| 151| constexpr Self invert() const { return pow_vartime(Self::P_MINUS_2); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE11pow_vartimeERKNSt3__15arrayImLm8EEE: 477| 151| constexpr Self pow_vartime(const std::array& exp) const { 478| 151| constexpr size_t WindowBits = (Self::BITS <= 256) ? 4 : 5; ------------------ | Branch (478:40): [Folded, False: 151] ------------------ 479| 151| constexpr size_t WindowElements = (1 << WindowBits) - 1; 480| | 481| 151| constexpr size_t Windows = (Self::BITS + WindowBits - 1) / WindowBits; 482| | 483| | /* 484| | A simple fixed width window modular multiplication. 485| | 486| | TODO: investigate using sliding window here 487| | */ 488| | 489| 151| std::array tbl; 490| | 491| 151| tbl[0] = (*this); 492| | 493| 4.68k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (493:28): [True: 4.53k, False: 151] ------------------ 494| | // Conditional ok: table indexes are public here 495| 4.53k| if(i % 2 == 1) { ------------------ | Branch (495:16): [True: 2.26k, False: 2.26k] ------------------ 496| 2.26k| tbl[i] = tbl[i / 2].square(); 497| 2.26k| } else { 498| 2.26k| tbl[i] = tbl[i - 1] * tbl[0]; 499| 2.26k| } 500| 4.53k| } 501| | 502| 151| auto r = Self::one(); 503| | 504| 151| const size_t w0 = read_window_bits(std::span{exp}, (Windows - 1) * WindowBits); 505| | 506| | // Conditional ok: this function is variable time 507| 151| if(w0 > 0) { ------------------ | Branch (507:13): [True: 151, False: 0] ------------------ 508| 151| r = tbl[w0 - 1]; 509| 151| } 510| | 511| 15.5k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (511:28): [True: 15.4k, False: 151] ------------------ 512| 15.4k| r.square_n(WindowBits); 513| | 514| 15.4k| const size_t w = read_window_bits(std::span{exp}, (Windows - i - 1) * WindowBits); 515| | 516| | // Conditional ok: this function is variable time 517| 15.4k| if(w > 0) { ------------------ | Branch (517:16): [True: 15.1k, False: 302] ------------------ 518| 15.1k| r *= tbl[w - 1]; 519| 15.1k| } 520| 15.4k| } 521| | 522| 151| return r; 523| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEC2Ev: 180| 4.68k| constexpr IntMod() : m_val({}) {} pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE8square_nEm: 439| 15.4k| constexpr void square_n(size_t n) { 440| 15.4k| std::array z; // NOLINT(*-member-init) 441| 92.4k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 77.0k, False: 15.4k] ------------------ 442| 77.0k| comba_sqr(z.data(), this->data()); 443| 77.0k| m_val = Rep::redc(z); 444| 77.0k| } 445| 15.4k| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEmLERKSA_: 355| 15.1k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 15.1k| std::array z; // NOLINT(*-member-init) 357| 15.1k| comba_mul(z.data(), data(), other.data()); 358| 15.1k| m_val = Rep::redc(z); 359| 15.1k| return (*this); 360| 15.1k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 366| for(;;) { 618| | // Conditional ok: this function is variable time 619| 366| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 365] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 365| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 365| std::array r; // NOLINT(*-member-init) 640| 365| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 365| if(carry == 0) { ------------------ | Branch (643:16): [True: 175, False: 190] ------------------ 644| | // b > a 645| 175| b.m_val = r; 646| 175| x = nx; 647| 175| Self::_invert_vartime_div2_helper(b, x); 648| 190| } else { 649| | // We know this can't underflow because a > b 650| 190| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 190| a.m_val = r; 652| 190| y = nx; 653| 190| Self::_invert_vartime_div2_helper(a, y); 654| 190| } 655| 365| } 656| 1| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE4zeroEv: 195| 25.9k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE8from_repERKNSt3__15arrayImLm8EEE: 137| 303| constexpr static std::array from_rep(const std::array& z) { 138| 303| std::array ze = {}; 139| 303| copy_mem(std::span{ze}.template first(), z); 140| 303| return Self::redc(ze); 141| 303| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 367| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 367| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 1.08k| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 713, False: 367] ------------------ 552| 713| shift_right<1>(a.m_val); 553| | 554| 713| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 713| if(borrow) { ------------------ | Branch (557:16): [True: 362, False: 351] ------------------ 558| 362| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 362| } 560| 713| } 561| 367| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE6negateEv: 452| 12.9k| constexpr Self negate() const { 453| 12.9k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 12.9k| std::array r; // NOLINT(*-member-init) 456| 12.9k| W carry = 0; 457| 116k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 103k, False: 12.9k] ------------------ 458| 103k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 103k| } 460| | 461| 12.9k| return Self(r); 462| 12.9k| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E11FieldParamsEE6to_repERKNSt3__15arrayImLm8EEE: 115| 1| constexpr static std::array to_rep(const std::array& x) { 116| 1| std::array z; // NOLINT(*-member-init) 117| 1| comba_mul(z.data(), x.data(), R2.data()); 118| 1| return Self::redc(z); 119| 1| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 16.5k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 755| std::array stash_value() const { 760| 755| static_assert(L >= N); 761| 755| std::array stash = {}; 762| 6.79k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 6.04k, False: 755] ------------------ 763| 6.04k| stash[i] = m_val[i]; 764| 6.04k| } 765| 755| return stash; 766| 755| } pcurves_brainpool512r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 151| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 151| const BlindedScalar scalar(s, rng); 1409| 151| return basemul_booth_exec(m_table, scalar, rng); 1410| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 151| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 151| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 151, Folded] | Branch (1308:33): [True: 0, False: 151] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| | if constexpr(ExcessBits > 0) { 1323| | constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| | mask[MaskWords - 1] &= ExcessMask; 1325| | } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 151| } else { 1344| | // No RNG available, skip blinding 1345| 151| m_bytes.resize(C::Scalar::BYTES); 1346| 151| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 151| m_bits = C::Scalar::BITS; 1348| 151| } 1349| | 1350| 151| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E12ScalarParamsEE8from_repERKNSt3__15arrayImLm8EEE: 137| 304| constexpr static std::array from_rep(const std::array& z) { 138| 304| std::array ze = {}; 139| 304| copy_mem(std::span{ze}.template first(), z); 140| 304| return Self::redc(ze); 141| 304| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E12ScalarParamsEE4redcERKNSt3__15arrayImLm16EEE: 104| 459| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 459| } else { 108| 459| return monty_redc(z, P, P_dash); 109| 459| } 110| 459| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm64EEE: 739| 304| constexpr void serialize_to(std::span bytes) const { 740| 304| auto v = Rep::from_rep(m_val); 741| 304| std::reverse(v.begin(), v.end()); 742| | 743| 304| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 304| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 304| } pcurves_brainpool512r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EE4bitsEv: 1305| 151| size_t bits() const { return m_bits; } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 151| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 151| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 151| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E6negateEv: 1134| 151| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 151| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18_const_time_poisonEv: 889| 453| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_brainpool512r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EE10get_windowEm: 1353| 12.9k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 12.9k| return read_window_bits(std::span{m_bytes}, offset); 1356| 12.9k| } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 12.8k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 12.8k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 12.8k| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 12.8k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 12.8k| const W mask = cond.into_bitmask(); 369| | 370| 115k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 102k, False: 12.8k] ------------------ 371| 102k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 102k| } 373| 12.8k| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 12.9k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 12.9k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 12.9k| const size_t idx1 = static_cast(idx - 1); 960| 428k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 415k, False: 12.9k] ------------------ 961| 415k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 415k| result.conditional_assign(found, pts[i]); 963| 415k| } 964| | 965| 12.9k| return result; 966| 12.9k| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE8identityERKSC_: 924| 12.9k| static constexpr Self identity(const Self& /*unused*/) { 925| 12.9k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 12.9k| } pcurves_brainpool512r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 415k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 415k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 415k| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 415k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 415k| const W mask = cond.into_bitmask(); 382| | 383| 3.73M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 3.32M, False: 415k] ------------------ 384| 3.32M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 3.32M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 3.32M| } 387| 415k| } pcurves_brainpool512r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 604| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 604| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 604] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 604| } pcurves_brainpool512r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 151| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 453| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_brainpool512r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm7EED2Ev: 1358| 151| ~BlindedScalarBits() { 1359| 151| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 151| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 457| static Self from_stash(const std::array& stash) { 775| 457| static_assert(L >= N); 776| 457| std::array val = {}; 777| 4.11k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.65k, False: 457] ------------------ 778| 3.65k| val[i] = stash[i]; 779| 3.65k| } 780| 457| return Self(val); 781| 457| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEEC2ENSt3__15arrayImLm8EEE: 898| 612| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm64EEE: 739| 302| constexpr void serialize_to(std::span bytes) const { 740| 302| auto v = Rep::from_rep(m_val); 741| 302| std::reverse(v.begin(), v.end()); 742| | 743| 302| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 302| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 302| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 153| std::array stash_value() const { 760| 153| static_assert(L >= N); 761| 153| std::array stash = {}; 762| 1.37k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 1.22k, False: 153] ------------------ 763| 1.22k| stash[i] = m_val[i]; 764| 1.22k| } 765| 153| return stash; 766| 153| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.05k| static Self from_stash(const std::array& stash) { 775| 1.05k| static_assert(L >= N); 776| 1.05k| std::array val = {}; 777| 9.51k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 8.45k, False: 1.05k] ------------------ 778| 8.45k| val[i] = stash[i]; 779| 8.45k| } 780| 1.05k| return Self(val); 781| 1.05k| } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE7is_zeroEv: 225| 308| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_brainpool512r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E11FieldParamsEEEEeqERKSA_: 722| 151| constexpr CT::Choice operator==(const Self& other) const { 723| 151| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsENS_13MontgomeryRepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 151| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 155| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 155| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 155] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 155| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 155| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 155] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 155| return Self::from_words(words); 807| 155| } pcurves_brainpool512r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES1_E12ScalarParamsEEEE10from_wordsILm8EEESA_NSt3__15arrayImXT_EEE: 211| 155| static constexpr Self from_words(std::array w) { 212| 155| if constexpr(L == N) { 213| 155| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 155| } pcurves_brainpool512r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES0_E12ScalarParamsEE6to_repERKNSt3__15arrayImLm8EEE: 115| 155| constexpr static std::array to_rep(const std::array& x) { 116| 155| std::array z; // NOLINT(*-member-init) 117| 155| comba_mul(z.data(), x.data(), R2.data()); 118| 155| return Self::redc(z); 119| 155| } pcurves_brainpool512r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_114brainpool512r16ParamsES2_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm129EEE: 941| 151| constexpr void serialize_to(std::span bytes) const { 942| 151| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 151| do { \ | | 52| 151| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 151| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 151] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 151| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 151] | | ------------------ ------------------ 943| 151| BufferStuffer pack(bytes); 944| 151| pack.append(0x04); 945| 151| x().serialize_to(pack.next()); 946| 151| y().serialize_to(pack.next()); 947| 151| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 151| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 151| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 151] | | ------------------ ------------------ 948| 151| } pcurves_secp192r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_12Secp192r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 190| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 190| auto x = pt.x(); 1027| 190| auto y = pt.y(); 1028| 190| auto z = FieldElement::one(); 1029| | 1030| 190| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 190| return ProjectiveCurvePoint(x, y, z); 1033| 190| } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 219k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 213k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 6.23k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm3EEE: 898| 172k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 190| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 190| const W mask = cond.into_bitmask(); 412| | 413| 760| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 570, False: 190] ------------------ 414| 570| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 570| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 570| x.m_val[i] = nx; 417| 570| y.m_val[i] = ny; 418| 570| } 419| 190| } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 6.80k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 35.1k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 7.80k| m_x(x), m_y(y), m_z(z) {} pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 629| constexpr Self dbl() const { 1122| 629| if constexpr(Self::A_is_minus_3) { 1123| 629| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 629| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 41.5k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 25.3k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 25.3k| std::array z; // NOLINT(*-member-init) 428| 25.3k| comba_sqr(z.data(), this->data()); 429| 25.3k| return Self(Rep::redc(z)); 430| 25.3k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 202k| constexpr const W* data() const { return m_val.data(); } pcurves_secp192r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 65.4k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 65.4k| std::array z; // NOLINT(*-member-init) 348| 65.4k| comba_mul(z.data(), a.data(), b.data()); 349| 65.4k| return Self(Rep::redc(z)); 350| 65.4k| } pcurves_secp192r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 42.1k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 42.1k| std::array r; // NOLINT(*-member-init) 283| 42.1k| W carry = 0; 284| 168k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 126k, False: 42.1k] ------------------ 285| 126k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 126k| } 287| | 288| 42.1k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 42.1k| carry = 0; 291| | 292| 168k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 126k, False: 42.1k] ------------------ 293| 126k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 126k| } 295| | 296| 42.1k| return Self(r); 297| 42.1k| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 24.1k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 629| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp192r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 8.38k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 8.38k| std::array t; // NOLINT(*-member-init) 267| | 268| 8.38k| W carry = 0; 269| 33.5k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 25.1k, False: 8.38k] ------------------ 270| 25.1k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 25.1k| } 272| | 273| 8.38k| std::array r; // NOLINT(*-member-init) 274| 8.38k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 8.38k| return Self(r); 276| 8.38k| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 23.5k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 629| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 5.03k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 5.03k| std::array t = value(); 327| 5.03k| const W carry = shift_left<1>(t); 328| | 329| 5.03k| std::array r; // NOLINT(*-member-init) 330| 5.03k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 5.03k| return Self(r); 332| 5.03k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 5.03k| constexpr const std::array& value() const { return m_val; } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 629| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp192r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 555| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 555| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 8.34k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 13.3k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 13.3k| const W mask = cond.into_bitmask(); 397| | 398| 53.5k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 40.1k, False: 13.3k] ------------------ 399| 40.1k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 40.1k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 40.1k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 40.1k| } 403| 13.3k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 2.07k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 2.07k| std::array z; // NOLINT(*-member-init) 357| 2.07k| comba_mul(z.data(), data(), other.data()); 358| 2.07k| m_val = Rep::redc(z); 359| 2.07k| return (*this); 360| 2.07k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.70k| constexpr void square_n(size_t n) { 440| 1.70k| std::array z; // NOLINT(*-member-init) 441| 37.0k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 35.3k, False: 1.70k] ------------------ 442| 35.3k| comba_sqr(z.data(), this->data()); 443| 35.3k| m_val = Rep::redc(z); 444| 35.3k| } 445| 1.70k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 144| for(;;) { 618| | // Conditional ok: this function is variable time 619| 144| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 143] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 143| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 143| std::array r; // NOLINT(*-member-init) 640| 143| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 143| if(carry == 0) { ------------------ | Branch (643:16): [True: 74, False: 69] ------------------ 644| | // b > a 645| 74| b.m_val = r; 646| 74| x = nx; 647| 74| Self::_invert_vartime_div2_helper(b, x); 648| 74| } else { 649| | // We know this can't underflow because a > b 650| 69| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 69| a.m_val = r; 652| 69| y = nx; 653| 69| Self::_invert_vartime_div2_helper(a, y); 654| 69| } 655| 143| } 656| 1| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 12.4k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 145| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 145| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 402| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 257, False: 145] ------------------ 552| 257| shift_right<1>(a.m_val); 553| | 554| 257| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 257| if(borrow) { ------------------ | Branch (557:16): [True: 110, False: 147] ------------------ 558| 110| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 110| } 560| 257| } 561| 145| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 6.23k| constexpr Self negate() const { 453| 6.23k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 6.23k| std::array r; // NOLINT(*-member-init) 456| 6.23k| W carry = 0; 457| 24.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 18.7k, False: 6.23k] ------------------ 458| 18.7k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 18.7k| } 460| | 461| 6.23k| return Self(r); 462| 6.23k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 7.98k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 945| std::array stash_value() const { 760| 945| static_assert(L >= N); 761| 945| std::array stash = {}; 762| 3.78k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 2.83k, False: 945] ------------------ 763| 2.83k| stash[i] = m_val[i]; 764| 2.83k| } 765| 945| return stash; 766| 945| } pcurves_secp192r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp192r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 189| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 189| const BlindedScalar scalar(s, rng); 1409| 189| return basemul_booth_exec(m_table, scalar, rng); 1410| 189| } pcurves_secp192r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp192r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 189| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 189| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 189, Folded] | Branch (1308:33): [True: 0, False: 189] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 189| } else { 1344| | // No RNG available, skip blinding 1345| 189| m_bytes.resize(C::Scalar::BYTES); 1346| 189| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 189| m_bits = C::Scalar::BITS; 1348| 189| } 1349| | 1350| 189| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 189| } pcurves_secp192r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS4_12Secp192r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm3EEE: 137| 378| constexpr static std::array from_rep(const std::array& z) { 138| 378| std::array ze = {}; 139| 378| copy_mem(std::span{ze}.template first(), z); 140| 378| return Self::redc(ze); 141| 378| } pcurves_secp192r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS4_12Secp192r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm6EEE: 104| 568| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 568| } else { 108| 568| return monty_redc(z, P, P_dash); 109| 568| } 110| 568| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm24EEE: 739| 378| constexpr void serialize_to(std::span bytes) const { 740| 378| auto v = Rep::from_rep(m_val); 741| 378| std::reverse(v.begin(), v.end()); 742| | 743| 378| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 378| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 378| } pcurves_secp192r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EE4bitsEv: 1305| 189| size_t bits() const { return m_bits; } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 189| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 189| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 189| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 189| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 189| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 567| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp192r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EE10get_windowEm: 1353| 6.23k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 6.23k| return read_window_bits(std::span{m_bytes}, offset); 1356| 6.23k| } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 6.04k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 6.04k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 6.04k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 6.04k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 6.04k| const W mask = cond.into_bitmask(); 369| | 370| 24.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 18.1k, False: 6.04k] ------------------ 371| 18.1k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 18.1k| } 373| 6.04k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 6.23k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 6.23k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 6.23k| const size_t idx1 = static_cast(idx - 1); 960| 205k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 199k, False: 6.23k] ------------------ 961| 199k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 199k| result.conditional_assign(found, pts[i]); 963| 199k| } 964| | 965| 6.23k| return result; 966| 6.23k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 6.23k| static constexpr Self identity(const Self& /*unused*/) { 925| 6.23k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 6.23k| } pcurves_secp192r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 199k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 199k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 199k| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 199k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 199k| const W mask = cond.into_bitmask(); 382| | 383| 798k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 598k, False: 199k] ------------------ 384| 598k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 598k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 598k| } 387| 199k| } pcurves_secp192r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 756| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 756| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 756] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 756| } pcurves_secp192r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 189| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 567| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp192r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm7EED2Ev: 1358| 189| ~BlindedScalarBits() { 1359| 189| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 189| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 189| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 567| static Self from_stash(const std::array& stash) { 775| 567| static_assert(L >= N); 776| 567| std::array val = {}; 777| 2.26k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 1.70k, False: 567] ------------------ 778| 1.70k| val[i] = stash[i]; 779| 1.70k| } 780| 567| return Self(val); 781| 567| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm3EEE: 898| 757| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm24EEE: 739| 378| constexpr void serialize_to(std::span bytes) const { 740| 378| auto v = Rep::from_rep(m_val); 741| 378| std::reverse(v.begin(), v.end()); 742| | 743| 378| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 378| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 378| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 189| std::array stash_value() const { 760| 189| static_assert(L >= N); 761| 189| std::array stash = {}; 762| 756| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 567, False: 189] ------------------ 763| 567| stash[i] = m_val[i]; 764| 567| } 765| 189| return stash; 766| 189| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.32k| static Self from_stash(const std::array& stash) { 775| 1.32k| static_assert(L >= N); 776| 1.32k| std::array val = {}; 777| 5.29k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 3.96k, False: 1.32k] ------------------ 778| 3.96k| val[i] = stash[i]; 779| 3.96k| } 780| 1.32k| return Self(val); 781| 1.32k| } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 379| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp192r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 189| constexpr CT::Choice operator==(const Self& other) const { 723| 189| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 189| } pcurves_secp192r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS3_12Secp192r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 189| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 190| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 190| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 190] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 190| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 190| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 190] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 190| return Self::from_words(words); 807| 190| } pcurves_secp192r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS5_12Secp192r1RepEE12ScalarParamsEEEE10from_wordsILm3EEESB_NSt3__15arrayImXT_EEE: 211| 190| static constexpr Self from_words(std::array w) { 212| 190| if constexpr(L == N) { 213| 190| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 190| } pcurves_secp192r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp192r16ParamsENS4_12Secp192r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm3EEE: 115| 190| constexpr static std::array to_rep(const std::array& x) { 116| 190| std::array z; // NOLINT(*-member-init) 117| 190| comba_mul(z.data(), x.data(), R2.data()); 118| 190| return Self::redc(z); 119| 190| } pcurves_secp192r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm49EEE: 941| 189| constexpr void serialize_to(std::span bytes) const { 942| 189| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 189| do { \ | | 52| 189| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 189| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 189] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 189| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 189] | | ------------------ ------------------ 943| 189| BufferStuffer pack(bytes); 944| 189| pack.append(0x04); 945| 189| x().serialize_to(pack.next()); 946| 189| y().serialize_to(pack.next()); 947| 189| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 189| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 189| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 189] | | ------------------ ------------------ 948| 189| } pcurves_secp224r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_12Secp224r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 169| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 169| auto x = pt.x(); 1027| 169| auto y = pt.y(); 1028| 169| auto z = FieldElement::one(); 1029| | 1030| 169| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 169| return ProjectiveCurvePoint(x, y, z); 1033| 169| } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 224k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 218k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 6.38k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 182k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 169| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 169| const W mask = cond.into_bitmask(); 412| | 413| 845| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 676, False: 169] ------------------ 414| 676| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 676| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 676| x.m_val[i] = nx; 417| 676| y.m_val[i] = ny; 418| 676| } 419| 169| } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 6.89k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 36.3k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 8.09k| m_x(x), m_y(y), m_z(z) {} pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 731| constexpr Self dbl() const { 1122| 731| if constexpr(Self::A_is_minus_3) { 1123| 731| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 731| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 43.9k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 27.0k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 27.0k| std::array z; // NOLINT(*-member-init) 428| 27.0k| comba_sqr(z.data(), this->data()); 429| 27.0k| return Self(Rep::redc(z)); 430| 27.0k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 213k| constexpr const W* data() const { return m_val.data(); } pcurves_secp224r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 69.3k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 69.3k| std::array z; // NOLINT(*-member-init) 348| 69.3k| comba_mul(z.data(), a.data(), b.data()); 349| 69.3k| return Self(Rep::redc(z)); 350| 69.3k| } pcurves_secp224r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 44.0k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 44.0k| std::array r; // NOLINT(*-member-init) 283| 44.0k| W carry = 0; 284| 220k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 176k, False: 44.0k] ------------------ 285| 176k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 176k| } 287| | 288| 44.0k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 44.0k| carry = 0; 291| | 292| 220k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 176k, False: 44.0k] ------------------ 293| 176k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 176k| } 295| | 296| 44.0k| return Self(r); 297| 44.0k| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 25.4k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 731| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp224r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 8.96k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 8.96k| std::array t; // NOLINT(*-member-init) 267| | 268| 8.96k| W carry = 0; 269| 44.8k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 35.8k, False: 8.96k] ------------------ 270| 35.8k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 35.8k| } 272| | 273| 8.96k| std::array r; // NOLINT(*-member-init) 274| 8.96k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 8.96k| return Self(r); 276| 8.96k| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 24.7k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 731| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 5.84k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 5.84k| std::array t = value(); 327| 5.84k| const W carry = shift_left<1>(t); 328| | 329| 5.84k| std::array r; // NOLINT(*-member-init) 330| 5.84k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 5.84k| return Self(r); 332| 5.84k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 5.84k| constexpr const std::array& value() const { return m_val; } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 731| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp224r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 645| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 645| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 8.88k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 13.8k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 13.8k| const W mask = cond.into_bitmask(); 397| | 398| 69.4k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 55.5k, False: 13.8k] ------------------ 399| 55.5k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 55.5k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 55.5k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 55.5k| } 403| 13.8k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 2.01k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 2.01k| std::array z; // NOLINT(*-member-init) 357| 2.01k| comba_mul(z.data(), data(), other.data()); 358| 2.01k| m_val = Rep::redc(z); 359| 2.01k| return (*this); 360| 2.01k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.34k| constexpr void square_n(size_t n) { 440| 1.34k| std::array z; // NOLINT(*-member-init) 441| 37.9k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 36.6k, False: 1.34k] ------------------ 442| 36.6k| comba_sqr(z.data(), this->data()); 443| 36.6k| m_val = Rep::redc(z); 444| 36.6k| } 445| 1.34k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 153| for(;;) { 618| | // Conditional ok: this function is variable time 619| 153| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 152] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 152| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 152| std::array r; // NOLINT(*-member-init) 640| 152| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 152| if(carry == 0) { ------------------ | Branch (643:16): [True: 81, False: 71] ------------------ 644| | // b > a 645| 81| b.m_val = r; 646| 81| x = nx; 647| 81| Self::_invert_vartime_div2_helper(b, x); 648| 81| } else { 649| | // We know this can't underflow because a > b 650| 71| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 71| a.m_val = r; 652| 71| y = nx; 653| 71| Self::_invert_vartime_div2_helper(a, y); 654| 71| } 655| 152| } 656| 1| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 12.7k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 154| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 154| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 479| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 325, False: 154] ------------------ 552| 325| shift_right<1>(a.m_val); 553| | 554| 325| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 325| if(borrow) { ------------------ | Branch (557:16): [True: 200, False: 125] ------------------ 558| 200| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 200| } 560| 325| } 561| 154| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 6.38k| constexpr Self negate() const { 453| 6.38k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 6.38k| std::array r; // NOLINT(*-member-init) 456| 6.38k| W carry = 0; 457| 31.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 25.5k, False: 6.38k] ------------------ 458| 25.5k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 25.5k| } 460| | 461| 6.38k| return Self(r); 462| 6.38k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 8.26k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 842| std::array stash_value() const { 760| 842| static_assert(L >= N); 761| 842| std::array stash = {}; 762| 4.21k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 3.36k, False: 842] ------------------ 763| 3.36k| stash[i] = m_val[i]; 764| 3.36k| } 765| 842| return stash; 766| 842| } pcurves_secp224r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp224r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 168| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 168| const BlindedScalar scalar(s, rng); 1409| 168| return basemul_booth_exec(m_table, scalar, rng); 1410| 168| } pcurves_secp224r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp224r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 168| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 168| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 168, Folded] | Branch (1308:33): [True: 0, False: 168] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 168| } else { 1344| | // No RNG available, skip blinding 1345| 168| m_bytes.resize(C::Scalar::BYTES); 1346| 168| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 168| m_bits = C::Scalar::BITS; 1348| 168| } 1349| | 1350| 168| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 168| } pcurves_secp224r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS4_12Secp224r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 428| constexpr static std::array from_rep(const std::array& z) { 138| 428| std::array ze = {}; 139| 428| copy_mem(std::span{ze}.template first(), z); 140| 428| return Self::redc(ze); 141| 428| } pcurves_secp224r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS4_12Secp224r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 689| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 689| } else { 108| 689| return monty_redc(z, P, P_dash); 109| 689| } 110| 689| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm28EEE: 739| 428| constexpr void serialize_to(std::span bytes) const { 740| 428| auto v = Rep::from_rep(m_val); 741| 428| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 428| } else { 746| | // Remove leading zero bytes 747| 428| const auto padded_bytes = store_be(v); 748| 428| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 428| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 428| } 751| 428| } pcurves_secp224r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EE4bitsEv: 1305| 168| size_t bits() const { return m_bits; } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 168| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 168| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 168| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 168| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 168| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 504| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp224r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EE10get_windowEm: 1353| 6.38k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 6.38k| return read_window_bits(std::span{m_bytes}, offset); 1356| 6.38k| } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 6.21k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 6.21k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 6.21k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 6.21k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 6.21k| const W mask = cond.into_bitmask(); 369| | 370| 31.0k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 24.8k, False: 6.21k] ------------------ 371| 24.8k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 24.8k| } 373| 6.21k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 6.38k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 6.38k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 6.38k| const size_t idx1 = static_cast(idx - 1); 960| 210k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 204k, False: 6.38k] ------------------ 961| 204k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 204k| result.conditional_assign(found, pts[i]); 963| 204k| } 964| | 965| 6.38k| return result; 966| 6.38k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 6.38k| static constexpr Self identity(const Self& /*unused*/) { 925| 6.38k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 6.38k| } pcurves_secp224r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 204k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 204k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 204k| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 204k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 204k| const W mask = cond.into_bitmask(); 382| | 383| 1.02M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 817k, False: 204k] ------------------ 384| 817k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 817k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 817k| } 387| 204k| } pcurves_secp224r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 672| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 672| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 672] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 672| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 164| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 164| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 164] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 164| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 164| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 6, False: 158] ------------------ 802| 6| return {}; 803| 6| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 158| return Self::from_words(words); 807| 164| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_wordsILm4EEESA_NSt3__15arrayImXT_EEE: 211| 158| static constexpr Self from_words(std::array w) { 212| 158| if constexpr(L == N) { 213| 158| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 158| } pcurves_secp224r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 168| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 504| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp224r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm7EED2Ev: 1358| 168| ~BlindedScalarBits() { 1359| 168| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 168| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 168| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 688| static Self from_stash(const std::array& stash) { 775| 688| static_assert(L >= N); 776| 688| std::array val = {}; 777| 3.44k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.75k, False: 688] ------------------ 778| 2.75k| val[i] = stash[i]; 779| 2.75k| } 780| 688| return Self(val); 781| 688| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 949| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm28EEE: 739| 338| constexpr void serialize_to(std::span bytes) const { 740| 338| auto v = Rep::from_rep(m_val); 741| 338| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 338| } else { 746| | // Remove leading zero bytes 747| 338| const auto padded_bytes = store_be(v); 748| 338| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 338| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 338| } 751| 338| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 260| std::array stash_value() const { 760| 260| static_assert(L >= N); 761| 260| std::array stash = {}; 762| 1.30k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 1.04k, False: 260] ------------------ 763| 1.04k| stash[i] = m_val[i]; 764| 1.04k| } 765| 260| return stash; 766| 260| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.18k| static Self from_stash(const std::array& stash) { 775| 1.18k| static_assert(L >= N); 776| 1.18k| std::array val = {}; 777| 5.90k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 4.72k, False: 1.18k] ------------------ 778| 4.72k| val[i] = stash[i]; 779| 4.72k| } 780| 1.18k| return Self(val); 781| 1.18k| } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 521| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp224r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 245| constexpr CT::Choice operator==(const Self& other) const { 723| 245| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 245| } pcurves_secp224r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS3_12Secp224r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 245| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 262| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 262| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 262] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 262| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 262| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 1, False: 261] ------------------ 802| 1| return {}; 803| 1| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 261| return Self::from_words(words); 807| 262| } pcurves_secp224r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS5_12Secp224r1RepEE12ScalarParamsEEEE10from_wordsILm4EEESB_NSt3__15arrayImXT_EEE: 211| 261| static constexpr Self from_words(std::array w) { 212| 261| if constexpr(L == N) { 213| 261| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 261| } pcurves_secp224r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp224r16ParamsENS4_12Secp224r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 261| constexpr static std::array to_rep(const std::array& x) { 116| 261| std::array z; // NOLINT(*-member-init) 117| 261| comba_mul(z.data(), x.data(), R2.data()); 118| 261| return Self::redc(z); 119| 261| } pcurves_secp224r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm57EEE: 941| 169| constexpr void serialize_to(std::span bytes) const { 942| 169| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 169| do { \ | | 52| 169| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 169| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 169] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 169| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 169] | | ------------------ ------------------ 943| 169| BufferStuffer pack(bytes); 944| 169| pack.append(0x04); 945| 169| x().serialize_to(pack.next()); 946| 169| y().serialize_to(pack.next()); 947| 169| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 169| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 169| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 169] | | ------------------ ------------------ 948| 169| } pcurves_secp256k1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_12Secp256k1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 158| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 158| auto x = pt.x(); 1027| 158| auto y = pt.y(); 1028| 158| auto z = FieldElement::one(); 1029| | 1030| 158| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 158| return ProjectiveCurvePoint(x, y, z); 1033| 158| } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 237k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 230k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 6.75k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 192k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 158| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 158| const W mask = cond.into_bitmask(); 412| | 413| 790| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 632, False: 158] ------------------ 414| 632| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 632| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 632| x.m_val[i] = nx; 417| 632| y.m_val[i] = ny; 418| 632| } 419| 158| } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 7.22k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 38.7k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 8.63k| m_x(x), m_y(y), m_z(z) {} pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 833| constexpr Self dbl() const { 1122| | if constexpr(Self::A_is_minus_3) { 1123| | return dbl_a_minus_3(*this); 1124| 833| } else if constexpr(Self::A_is_zero) { 1125| 833| return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 833| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 26.5k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 28.4k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 28.4k| std::array z; // NOLINT(*-member-init) 428| 28.4k| comba_sqr(z.data(), this->data()); 429| 28.4k| return Self(Rep::redc(z)); 430| 28.4k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 228k| constexpr const W* data() const { return m_val.data(); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 833| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp256k1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 8.65k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 8.65k| std::array t; // NOLINT(*-member-init) 267| | 268| 8.65k| W carry = 0; 269| 43.2k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 34.6k, False: 8.65k] ------------------ 270| 34.6k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 34.6k| } 272| | 273| 8.65k| std::array r; // NOLINT(*-member-init) 274| 8.65k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 8.65k| return Self(r); 276| 8.65k| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 26.5k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256k1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 74.2k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 74.2k| std::array z; // NOLINT(*-member-init) 348| 74.2k| comba_mul(z.data(), a.data(), b.data()); 349| 74.2k| return Self(Rep::redc(z)); 350| 74.2k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 833| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp256k1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 46.4k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 46.4k| std::array r; // NOLINT(*-member-init) 283| 46.4k| W carry = 0; 284| 232k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 185k, False: 46.4k] ------------------ 285| 185k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 185k| } 287| | 288| 46.4k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 46.4k| carry = 0; 291| | 292| 232k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 185k, False: 46.4k] ------------------ 293| 185k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 185k| } 295| | 296| 46.4k| return Self(r); 297| 46.4k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 6.66k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 6.66k| std::array t = value(); 327| 6.66k| const W carry = shift_left<1>(t); 328| | 329| 6.66k| std::array r; // NOLINT(*-member-init) 330| 6.66k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 6.66k| return Self(r); 332| 6.66k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 6.66k| constexpr const std::array& value() const { return m_val; } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 833| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 46.6k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp256k1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 735| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 735| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 9.63k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 14.8k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 14.8k| const W mask = cond.into_bitmask(); 397| | 398| 74.0k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 59.2k, False: 14.8k] ------------------ 399| 59.2k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 59.2k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 59.2k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 59.2k| } 403| 14.8k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 2.04k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 2.04k| std::array z; // NOLINT(*-member-init) 357| 2.04k| comba_mul(z.data(), data(), other.data()); 358| 2.04k| m_val = Rep::redc(z); 359| 2.04k| return (*this); 360| 2.04k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 2.04k| constexpr void square_n(size_t n) { 440| 2.04k| std::array z; // NOLINT(*-member-init) 441| 41.7k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 39.7k, False: 2.04k] ------------------ 442| 39.7k| comba_sqr(z.data(), this->data()); 443| 39.7k| m_val = Rep::redc(z); 444| 39.7k| } 445| 2.04k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 176| for(;;) { 618| | // Conditional ok: this function is variable time 619| 176| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 175] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 175| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 175| std::array r; // NOLINT(*-member-init) 640| 175| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 175| if(carry == 0) { ------------------ | Branch (643:16): [True: 105, False: 70] ------------------ 644| | // b > a 645| 105| b.m_val = r; 646| 105| x = nx; 647| 105| Self::_invert_vartime_div2_helper(b, x); 648| 105| } else { 649| | // We know this can't underflow because a > b 650| 70| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 70| a.m_val = r; 652| 70| y = nx; 653| 70| Self::_invert_vartime_div2_helper(a, y); 654| 70| } 655| 175| } 656| 1| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 13.5k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 177| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 177| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 541| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 364, False: 177] ------------------ 552| 364| shift_right<1>(a.m_val); 553| | 554| 364| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 364| if(borrow) { ------------------ | Branch (557:16): [True: 186, False: 178] ------------------ 558| 186| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 186| } 560| 364| } 561| 177| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 6.75k| constexpr Self negate() const { 453| 6.75k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 6.75k| std::array r; // NOLINT(*-member-init) 456| 6.75k| W carry = 0; 457| 33.7k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 27.0k, False: 6.75k] ------------------ 458| 27.0k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 27.0k| } 460| | 461| 6.75k| return Self(r); 462| 6.75k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 8.79k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 785| std::array stash_value() const { 760| 785| static_assert(L >= N); 761| 785| std::array stash = {}; 762| 3.92k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 3.14k, False: 785] ------------------ 763| 3.14k| stash[i] = m_val[i]; 764| 3.14k| } 765| 785| return stash; 766| 785| } pcurves_secp256k1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp256k1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 157| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 157| const BlindedScalar scalar(s, rng); 1409| 157| return basemul_booth_exec(m_table, scalar, rng); 1410| 157| } pcurves_secp256k1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp256k1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 157| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 157| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 157, Folded] | Branch (1308:33): [True: 0, False: 157] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 157| } else { 1344| | // No RNG available, skip blinding 1345| 157| m_bytes.resize(C::Scalar::BYTES); 1346| 157| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 157| m_bits = C::Scalar::BITS; 1348| 157| } 1349| | 1350| 157| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 157| } pcurves_secp256k1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS4_12Secp256k1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 325| constexpr static std::array from_rep(const std::array& z) { 138| 325| std::array ze = {}; 139| 325| copy_mem(std::span{ze}.template first(), z); 140| 325| return Self::redc(ze); 141| 325| } pcurves_secp256k1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS4_12Secp256k1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 494| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 494| } else { 108| 494| return monty_redc(z, P, P_dash); 109| 494| } 110| 494| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 325| constexpr void serialize_to(std::span bytes) const { 740| 325| auto v = Rep::from_rep(m_val); 741| 325| std::reverse(v.begin(), v.end()); 742| | 743| 325| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 325| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 325| } pcurves_secp256k1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EE4bitsEv: 1305| 157| size_t bits() const { return m_bits; } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 157| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 157| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 157| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 157| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 157| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 471| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp256k1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EE10get_windowEm: 1353| 6.75k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 6.75k| return read_window_bits(std::span{m_bytes}, offset); 1356| 6.75k| } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 6.59k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 6.59k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 6.59k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 6.59k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 6.59k| const W mask = cond.into_bitmask(); 369| | 370| 32.9k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 26.3k, False: 6.59k] ------------------ 371| 26.3k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 26.3k| } 373| 6.59k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 6.75k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 6.75k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 6.75k| const size_t idx1 = static_cast(idx - 1); 960| 222k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 216k, False: 6.75k] ------------------ 961| 216k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 216k| result.conditional_assign(found, pts[i]); 963| 216k| } 964| | 965| 6.75k| return result; 966| 6.75k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 6.75k| static constexpr Self identity(const Self& /*unused*/) { 925| 6.75k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 6.75k| } pcurves_secp256k1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 216k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 216k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 216k| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 216k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 216k| const W mask = cond.into_bitmask(); 382| | 383| 1.08M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 864k, False: 216k] ------------------ 384| 864k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 864k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 864k| } 387| 216k| } pcurves_secp256k1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 628| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 628| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 628] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 628| } pcurves_secp256k1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 157| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 471| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp256k1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm7EED2Ev: 1358| 157| ~BlindedScalarBits() { 1359| 157| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 157| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 157| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 493| static Self from_stash(const std::array& stash) { 775| 493| static_assert(L >= N); 776| 493| std::array val = {}; 777| 2.46k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 1.97k, False: 493] ------------------ 778| 1.97k| val[i] = stash[i]; 779| 1.97k| } 780| 493| return Self(val); 781| 493| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 662| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 314| constexpr void serialize_to(std::span bytes) const { 740| 314| auto v = Rep::from_rep(m_val); 741| 314| std::reverse(v.begin(), v.end()); 742| | 743| 314| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 314| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 314| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 168| std::array stash_value() const { 760| 168| static_assert(L >= N); 761| 168| std::array stash = {}; 762| 840| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 672, False: 168] ------------------ 763| 672| stash[i] = m_val[i]; 764| 672| } 765| 168| return stash; 766| 168| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.09k| static Self from_stash(const std::array& stash) { 775| 1.09k| static_assert(L >= N); 776| 1.09k| std::array val = {}; 777| 5.49k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 4.39k, False: 1.09k] ------------------ 778| 4.39k| val[i] = stash[i]; 779| 4.39k| } 780| 1.09k| return Self(val); 781| 1.09k| } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 337| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256k1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 157| constexpr CT::Choice operator==(const Self& other) const { 723| 157| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 157| } pcurves_secp256k1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS3_12Secp256k1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 157| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 169| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 169| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 169] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 169| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 169| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 169] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 169| return Self::from_words(words); 807| 169| } pcurves_secp256k1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS5_12Secp256k1RepEE12ScalarParamsEEEE10from_wordsILm4EEESB_NSt3__15arrayImXT_EEE: 211| 169| static constexpr Self from_words(std::array w) { 212| 169| if constexpr(L == N) { 213| 169| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 169| } pcurves_secp256k1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256k16ParamsENS4_12Secp256k1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 169| constexpr static std::array to_rep(const std::array& x) { 116| 169| std::array z; // NOLINT(*-member-init) 117| 169| comba_mul(z.data(), x.data(), R2.data()); 118| 169| return Self::redc(z); 119| 169| } pcurves_secp256k1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm65EEE: 941| 157| constexpr void serialize_to(std::span bytes) const { 942| 157| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 157| do { \ | | 52| 157| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 157| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 157] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 157| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 157] | | ------------------ ------------------ 943| 157| BufferStuffer pack(bytes); 944| 157| pack.append(0x04); 945| 157| x().serialize_to(pack.next()); 946| 157| y().serialize_to(pack.next()); 947| 157| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 157| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 157| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 157] | | ------------------ ------------------ 948| 157| } pcurves_secp256r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS2_12Secp256r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 216| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 216| auto x = pt.x(); 1027| 216| auto y = pt.y(); 1028| 216| auto z = FieldElement::one(); 1029| | 1030| 216| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 216| return ProjectiveCurvePoint(x, y, z); 1033| 216| } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE1xEv: 971| 324k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE1yEv: 976| 315k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE3oneEv: 200| 9.24k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 249k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 216| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 216| const W mask = cond.into_bitmask(); 412| | 413| 1.08k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 864, False: 216] ------------------ 414| 864| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 864| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 864| x.m_val[i] = nx; 417| 864| y.m_val[i] = ny; 418| 864| } 419| 216| } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE11is_identityEv: 928| 9.89k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE7is_zeroEv: 225| 51.3k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 11.2k| m_x(x), m_y(y), m_z(z) {} pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E3dblEv: 1121| 833| constexpr Self dbl() const { 1122| 833| if constexpr(Self::A_is_minus_3) { 1123| 833| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 833| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E1zEv: 1172| 59.9k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE6squareEv: 426| 36.2k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 36.2k| std::array z; // NOLINT(*-member-init) 428| 36.2k| comba_sqr(z.data(), this->data()); 429| 36.2k| return Self(Rep::redc(z)); 430| 36.2k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4dataEv: 896| 294k| constexpr const W* data() const { return m_val.data(); } pcurves_secp256r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEESC_: 346| 94.6k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 94.6k| std::array z; // NOLINT(*-member-init) 348| 94.6k| comba_mul(z.data(), a.data(), b.data()); 349| 94.6k| return Self(Rep::redc(z)); 350| 94.6k| } pcurves_secp256r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEESC_: 281| 61.9k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 61.9k| std::array r; // NOLINT(*-member-init) 283| 61.9k| W carry = 0; 284| 309k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 247k, False: 61.9k] ------------------ 285| 247k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 247k| } 287| | 288| 61.9k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 61.9k| carry = 0; 291| | 292| 309k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 247k, False: 61.9k] ------------------ 293| 247k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 247k| } 295| | 296| 61.9k| return Self(r); 297| 61.9k| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E1xEv: 1162| 34.9k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul3Ev: 335| 833| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp256r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEESC_: 265| 12.0k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 12.0k| std::array t; // NOLINT(*-member-init) 267| | 268| 12.0k| W carry = 0; 269| 60.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 48.1k, False: 12.0k] ------------------ 270| 48.1k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 48.1k| } 272| | 273| 12.0k| std::array r; // NOLINT(*-member-init) 274| 12.0k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 12.0k| return Self(r); 276| 12.0k| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E1yEv: 1167| 34.1k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul4Ev: 338| 833| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul2Ev: 325| 6.66k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 6.66k| std::array t = value(); 327| 6.66k| const W carry = shift_left<1>(t); 328| | 329| 6.66k| std::array r; // NOLINT(*-member-init) 330| 6.66k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 6.66k| return Self(r); 332| 6.66k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE5valueEv: 894| 6.66k| constexpr const std::array& value() const { return m_val; } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4mul8Ev: 341| 833| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp256r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_EESE_: 1064| 735| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 735| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 12.0k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 19.7k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 19.7k| const W mask = cond.into_bitmask(); 397| | 398| 98.7k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 78.9k, False: 19.7k] ------------------ 399| 78.9k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 78.9k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 78.9k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 78.9k| } 403| 19.7k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEmLERKSA_: 355| 2.36k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 2.36k| std::array z; // NOLINT(*-member-init) 357| 2.36k| comba_mul(z.data(), data(), other.data()); 358| 2.36k| m_val = Rep::redc(z); 359| 2.36k| return (*this); 360| 2.36k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE8square_nEm: 439| 1.93k| constexpr void square_n(size_t n) { 440| 1.93k| std::array z; // NOLINT(*-member-init) 441| 56.1k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 54.1k, False: 1.93k] ------------------ 442| 54.1k| comba_sqr(z.data(), this->data()); 443| 54.1k| m_val = Rep::redc(z); 444| 54.1k| } 445| 1.93k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 176| for(;;) { 618| | // Conditional ok: this function is variable time 619| 176| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 175] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 175| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 175| std::array r; // NOLINT(*-member-init) 640| 175| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 175| if(carry == 0) { ------------------ | Branch (643:16): [True: 85, False: 90] ------------------ 644| | // b > a 645| 85| b.m_val = r; 646| 85| x = nx; 647| 85| Self::_invert_vartime_div2_helper(b, x); 648| 90| } else { 649| | // We know this can't underflow because a > b 650| 90| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 90| a.m_val = r; 652| 90| y = nx; 653| 90| Self::_invert_vartime_div2_helper(a, y); 654| 90| } 655| 175| } 656| 1| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE4zeroEv: 195| 18.4k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 177| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 177| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 545| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 368, False: 177] ------------------ 552| 368| shift_right<1>(a.m_val); 553| | 554| 368| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 368| if(borrow) { ------------------ | Branch (557:16): [True: 129, False: 239] ------------------ 558| 129| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 129| } 560| 368| } 561| 177| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE6negateEv: 452| 9.24k| constexpr Self negate() const { 453| 9.24k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 9.24k| std::array r; // NOLINT(*-member-init) 456| 9.24k| W carry = 0; 457| 46.2k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 36.9k, False: 9.24k] ------------------ 458| 36.9k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 36.9k| } 460| | 461| 9.24k| return Self(r); 462| 9.24k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 11.4k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 1.07k| std::array stash_value() const { 760| 1.07k| static_assert(L >= N); 761| 1.07k| std::array stash = {}; 762| 5.37k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 4.30k, False: 1.07k] ------------------ 763| 4.30k| stash[i] = m_val[i]; 764| 4.30k| } 765| 1.07k| return stash; 766| 1.07k| } pcurves_secp256r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp256r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 215| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 215| const BlindedScalar scalar(s, rng); 1409| 215| return basemul_booth_exec(m_table, scalar, rng); 1410| 215| } pcurves_secp256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp256r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 215| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 215| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 215, Folded] | Branch (1308:33): [True: 0, False: 215] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 215| } else { 1344| | // No RNG available, skip blinding 1345| 215| m_bytes.resize(C::Scalar::BYTES); 1346| 215| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 215| m_bits = C::Scalar::BITS; 1348| 215| } 1349| | 1350| 215| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 215| } pcurves_secp256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS3_12Secp256r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm4EEE: 137| 450| constexpr static std::array from_rep(const std::array& z) { 138| 450| std::array ze = {}; 139| 450| copy_mem(std::span{ze}.template first(), z); 140| 450| return Self::redc(ze); 141| 450| } pcurves_secp256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS3_12Secp256r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm8EEE: 104| 686| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 686| } else { 108| 686| return monty_redc(z, P, P_dash); 109| 686| } 110| 686| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 450| constexpr void serialize_to(std::span bytes) const { 740| 450| auto v = Rep::from_rep(m_val); 741| 450| std::reverse(v.begin(), v.end()); 742| | 743| 450| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 450| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 450| } pcurves_secp256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EE4bitsEv: 1305| 215| size_t bits() const { return m_bits; } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 215| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 215| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 215| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E6negateEv: 1134| 215| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 215| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18_const_time_poisonEv: 889| 645| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp256r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EE10get_windowEm: 1353| 9.24k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 9.24k| return read_window_bits(std::span{m_bytes}, offset); 1356| 9.24k| } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 9.03k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 9.03k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 9.03k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 9.03k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 9.03k| const W mask = cond.into_bitmask(); 369| | 370| 45.1k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 36.1k, False: 9.03k] ------------------ 371| 36.1k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 36.1k| } 373| 9.03k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 9.24k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 9.24k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 9.24k| const size_t idx1 = static_cast(idx - 1); 960| 305k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 295k, False: 9.24k] ------------------ 961| 295k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 295k| result.conditional_assign(found, pts[i]); 963| 295k| } 964| | 965| 9.24k| return result; 966| 9.24k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE8identityERKSC_: 924| 9.24k| static constexpr Self identity(const Self& /*unused*/) { 925| 9.24k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 9.24k| } pcurves_secp256r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 295k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 295k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 295k| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 295k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 295k| const W mask = cond.into_bitmask(); 382| | 383| 1.47M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 1.18M, False: 295k] ------------------ 384| 1.18M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 1.18M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 1.18M| } 387| 295k| } pcurves_secp256r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 860| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 860| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 860] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 860| } pcurves_secp256r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 215| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 645| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp256r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm7EED2Ev: 1358| 215| ~BlindedScalarBits() { 1359| 215| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 215| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 215| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 685| static Self from_stash(const std::array& stash) { 775| 685| static_assert(L >= N); 776| 685| std::array val = {}; 777| 3.42k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.74k, False: 685] ------------------ 778| 2.74k| val[i] = stash[i]; 779| 2.74k| } 780| 685| return Self(val); 781| 685| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm4EEE: 898| 921| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm32EEE: 739| 430| constexpr void serialize_to(std::span bytes) const { 740| 430| auto v = Rep::from_rep(m_val); 741| 430| std::reverse(v.begin(), v.end()); 742| | 743| 430| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 430| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 430| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 235| std::array stash_value() const { 760| 235| static_assert(L >= N); 761| 235| std::array stash = {}; 762| 1.17k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 940, False: 235] ------------------ 763| 940| stash[i] = m_val[i]; 764| 940| } 765| 235| return stash; 766| 235| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.50k| static Self from_stash(const std::array& stash) { 775| 1.50k| static_assert(L >= N); 776| 1.50k| std::array val = {}; 777| 7.52k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 6.02k, False: 1.50k] ------------------ 778| 6.02k| val[i] = stash[i]; 779| 6.02k| } 780| 1.50k| return Self(val); 781| 1.50k| } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 471| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp256r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS2_9secp256r16ParamsES3_E11FieldParamsEEEEeqERKSA_: 722| 215| constexpr CT::Choice operator==(const Self& other) const { 723| 215| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 215| } pcurves_secp256r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS2_12Secp256r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 215| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 236| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 236| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 236] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 236| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 236| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 236] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 236| return Self::from_words(words); 807| 236| } pcurves_secp256r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS4_12Secp256r1RepEE12ScalarParamsEEEE10from_wordsILm4EEESB_NSt3__15arrayImXT_EEE: 211| 236| static constexpr Self from_words(std::array w) { 212| 236| if constexpr(L == N) { 213| 236| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 236| } pcurves_secp256r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp256r16ParamsENS3_12Secp256r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm4EEE: 115| 236| constexpr static std::array to_rep(const std::array& x) { 116| 236| std::array z; // NOLINT(*-member-init) 117| 236| comba_mul(z.data(), x.data(), R2.data()); 118| 236| return Self::redc(z); 119| 236| } pcurves_secp256r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS3_9secp256r16ParamsES4_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm65EEE: 941| 215| constexpr void serialize_to(std::span bytes) const { 942| 215| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 215| do { \ | | 52| 215| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 215| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 215] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 215| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 215] | | ------------------ ------------------ 943| 215| BufferStuffer pack(bytes); 944| 215| pack.append(0x04); 945| 215| x().serialize_to(pack.next()); 946| 215| y().serialize_to(pack.next()); 947| 215| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 215| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 215| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 215] | | ------------------ ------------------ 948| 215| } pcurves_secp384r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS2_12Secp384r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 152| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 152| auto x = pt.x(); 1027| 152| auto y = pt.y(); 1028| 152| auto z = FieldElement::one(); 1029| | 1030| 152| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 152| return ProjectiveCurvePoint(x, y, z); 1033| 152| } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE1xEv: 971| 344k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE1yEv: 976| 334k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE3oneEv: 200| 9.81k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 285k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 152| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 152| const W mask = cond.into_bitmask(); 412| | 413| 1.06k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 912, False: 152] ------------------ 414| 912| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 912| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 912| x.m_val[i] = nx; 417| 912| y.m_val[i] = ny; 418| 912| } 419| 152| } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE11is_identityEv: 928| 10.2k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE7is_zeroEv: 225| 56.2k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 12.4k| m_x(x), m_y(y), m_z(z) {} pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.24k| constexpr Self dbl() const { 1122| 1.24k| if constexpr(Self::A_is_minus_3) { 1123| 1.24k| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 1.24k| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E1zEv: 1172| 69.5k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE6squareEv: 426| 41.4k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 41.4k| std::array z; // NOLINT(*-member-init) 428| 41.4k| comba_sqr(z.data(), this->data()); 429| 41.4k| return Self(Rep::redc(z)); 430| 41.4k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4dataEv: 896| 333k| constexpr const W* data() const { return m_val.data(); } pcurves_secp384r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEESC_: 346| 110k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 110k| std::array z; // NOLINT(*-member-init) 348| 110k| comba_mul(z.data(), a.data(), b.data()); 349| 110k| return Self(Rep::redc(z)); 350| 110k| } pcurves_secp384r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEESC_: 281| 69.5k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 69.5k| std::array r; // NOLINT(*-member-init) 283| 69.5k| W carry = 0; 284| 486k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 417k, False: 69.5k] ------------------ 285| 417k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 417k| } 287| | 288| 69.5k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 69.5k| carry = 0; 291| | 292| 486k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 417k, False: 69.5k] ------------------ 293| 417k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 417k| } 295| | 296| 69.5k| return Self(r); 297| 69.5k| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E1xEv: 1162| 40.0k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul3Ev: 335| 1.24k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp384r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEESC_: 265| 13.7k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 13.7k| std::array t; // NOLINT(*-member-init) 267| | 268| 13.7k| W carry = 0; 269| 96.5k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 82.7k, False: 13.7k] ------------------ 270| 82.7k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 82.7k| } 272| | 273| 13.7k| std::array r; // NOLINT(*-member-init) 274| 13.7k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 13.7k| return Self(r); 276| 13.7k| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E1yEv: 1167| 38.7k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul4Ev: 338| 1.24k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul2Ev: 325| 9.92k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 9.92k| std::array t = value(); 327| 9.92k| const W carry = shift_left<1>(t); 328| | 329| 9.92k| std::array r; // NOLINT(*-member-init) 330| 9.92k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 9.92k| return Self(r); 332| 9.92k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE5valueEv: 894| 9.92k| constexpr const std::array& value() const { return m_val; } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4mul8Ev: 341| 1.24k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp384r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_EESE_: 1064| 1.09k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.09k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 14.1k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 21.6k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 21.6k| const W mask = cond.into_bitmask(); 397| | 398| 151k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 130k, False: 21.6k] ------------------ 399| 130k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 130k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 130k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 130k| } 403| 21.6k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEmLERKSA_: 355| 1.96k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.96k| std::array z; // NOLINT(*-member-init) 357| 1.96k| comba_mul(z.data(), data(), other.data()); 358| 1.96k| m_val = Rep::redc(z); 359| 1.96k| return (*this); 360| 1.96k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE8square_nEm: 439| 1.81k| constexpr void square_n(size_t n) { 440| 1.81k| std::array z; // NOLINT(*-member-init) 441| 59.3k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 57.5k, False: 1.81k] ------------------ 442| 57.5k| comba_sqr(z.data(), this->data()); 443| 57.5k| m_val = Rep::redc(z); 444| 57.5k| } 445| 1.81k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 252| for(;;) { 618| | // Conditional ok: this function is variable time 619| 252| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 251] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 251| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 251| std::array r; // NOLINT(*-member-init) 640| 251| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 251| if(carry == 0) { ------------------ | Branch (643:16): [True: 118, False: 133] ------------------ 644| | // b > a 645| 118| b.m_val = r; 646| 118| x = nx; 647| 118| Self::_invert_vartime_div2_helper(b, x); 648| 133| } else { 649| | // We know this can't underflow because a > b 650| 133| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 133| a.m_val = r; 652| 133| y = nx; 653| 133| Self::_invert_vartime_div2_helper(a, y); 654| 133| } 655| 251| } 656| 1| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE4zeroEv: 195| 19.6k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 253| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 253| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 809| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 556, False: 253] ------------------ 552| 556| shift_right<1>(a.m_val); 553| | 554| 556| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 556| if(borrow) { ------------------ | Branch (557:16): [True: 248, False: 308] ------------------ 558| 248| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 248| } 560| 556| } 561| 253| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE6negateEv: 452| 9.81k| constexpr Self negate() const { 453| 9.81k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 9.81k| std::array r; // NOLINT(*-member-init) 456| 9.81k| W carry = 0; 457| 68.7k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 58.9k, False: 9.81k] ------------------ 458| 58.9k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 58.9k| } 460| | 461| 9.81k| return Self(r); 462| 9.81k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 12.6k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 755| std::array stash_value() const { 760| 755| static_assert(L >= N); 761| 755| std::array stash = {}; 762| 5.28k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 4.53k, False: 755] ------------------ 763| 4.53k| stash[i] = m_val[i]; 764| 4.53k| } 765| 755| return stash; 766| 755| } pcurves_secp384r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp384r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 151| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 151| const BlindedScalar scalar(s, rng); 1409| 151| return basemul_booth_exec(m_table, scalar, rng); 1410| 151| } pcurves_secp384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp384r1RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 151| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 151| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 151, Folded] | Branch (1308:33): [True: 0, False: 151] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 151| } else { 1344| | // No RNG available, skip blinding 1345| 151| m_bytes.resize(C::Scalar::BYTES); 1346| 151| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 151| m_bits = C::Scalar::BITS; 1348| 151| } 1349| | 1350| 151| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 151| } pcurves_secp384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS3_12Secp384r1RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm6EEE: 137| 311| constexpr static std::array from_rep(const std::array& z) { 138| 311| std::array ze = {}; 139| 311| copy_mem(std::span{ze}.template first(), z); 140| 311| return Self::redc(ze); 141| 311| } pcurves_secp384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS3_12Secp384r1RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm12EEE: 104| 472| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 472| } else { 108| 472| return monty_redc(z, P, P_dash); 109| 472| } 110| 472| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 311| constexpr void serialize_to(std::span bytes) const { 740| 311| auto v = Rep::from_rep(m_val); 741| 311| std::reverse(v.begin(), v.end()); 742| | 743| 311| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 311| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 311| } pcurves_secp384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EE4bitsEv: 1305| 151| size_t bits() const { return m_bits; } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 151| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 151| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 151| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E6negateEv: 1134| 151| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 151| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18_const_time_poisonEv: 889| 453| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp384r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EE10get_windowEm: 1353| 9.81k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 9.81k| return read_window_bits(std::span{m_bytes}, offset); 1356| 9.81k| } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 9.66k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 9.66k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 9.66k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 9.66k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 9.66k| const W mask = cond.into_bitmask(); 369| | 370| 67.6k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 57.9k, False: 9.66k] ------------------ 371| 57.9k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 57.9k| } 373| 9.66k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 9.81k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 9.81k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 9.81k| const size_t idx1 = static_cast(idx - 1); 960| 323k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 314k, False: 9.81k] ------------------ 961| 314k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 314k| result.conditional_assign(found, pts[i]); 963| 314k| } 964| | 965| 9.81k| return result; 966| 9.81k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE8identityERKSC_: 924| 9.81k| static constexpr Self identity(const Self& /*unused*/) { 925| 9.81k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 9.81k| } pcurves_secp384r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 314k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 314k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 314k| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 314k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 314k| const W mask = cond.into_bitmask(); 382| | 383| 2.19M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 1.88M, False: 314k] ------------------ 384| 1.88M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 1.88M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 1.88M| } 387| 314k| } pcurves_secp384r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 604| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 604| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 604] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 604| } pcurves_secp384r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 151| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 453| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp384r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm7EED2Ev: 1358| 151| ~BlindedScalarBits() { 1359| 151| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 151| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 151| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 471| static Self from_stash(const std::array& stash) { 775| 471| static_assert(L >= N); 776| 471| std::array val = {}; 777| 3.29k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 2.82k, False: 471] ------------------ 778| 2.82k| val[i] = stash[i]; 779| 2.82k| } 780| 471| return Self(val); 781| 471| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm6EEE: 898| 632| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm48EEE: 739| 302| constexpr void serialize_to(std::span bytes) const { 740| 302| auto v = Rep::from_rep(m_val); 741| 302| std::reverse(v.begin(), v.end()); 742| | 743| 302| if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| 302| store_be(bytes, v); 745| | } else { 746| | // Remove leading zero bytes 747| | const auto padded_bytes = store_be(v); 748| | constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| | copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| | } 751| 302| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 160| std::array stash_value() const { 760| 160| static_assert(L >= N); 761| 160| std::array stash = {}; 762| 1.12k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 960, False: 160] ------------------ 763| 960| stash[i] = m_val[i]; 764| 960| } 765| 160| return stash; 766| 160| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 1.05k| static Self from_stash(const std::array& stash) { 775| 1.05k| static_assert(L >= N); 776| 1.05k| std::array val = {}; 777| 7.39k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 6.34k, False: 1.05k] ------------------ 778| 6.34k| val[i] = stash[i]; 779| 6.34k| } 780| 1.05k| return Self(val); 781| 1.05k| } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE7is_zeroEv: 225| 321| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp384r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS2_9secp384r16ParamsES3_E11FieldParamsEEEEeqERKSA_: 722| 151| constexpr CT::Choice operator==(const Self& other) const { 723| 151| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 151| } pcurves_secp384r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS2_12Secp384r1RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 151| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 161| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 161| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 161] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 161| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 161| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 0, False: 161] ------------------ 802| 0| return {}; 803| 0| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 161| return Self::from_words(words); 807| 161| } pcurves_secp384r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS4_12Secp384r1RepEE12ScalarParamsEEEE10from_wordsILm6EEESB_NSt3__15arrayImXT_EEE: 211| 161| static constexpr Self from_words(std::array w) { 212| 161| if constexpr(L == N) { 213| 161| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 161| } pcurves_secp384r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp384r16ParamsENS3_12Secp384r1RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm6EEE: 115| 161| constexpr static std::array to_rep(const std::array& x) { 116| 161| std::array z; // NOLINT(*-member-init) 117| 161| comba_mul(z.data(), x.data(), R2.data()); 118| 161| return Self::redc(z); 119| 161| } pcurves_secp384r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS3_9secp384r16ParamsES4_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm97EEE: 941| 151| constexpr void serialize_to(std::span bytes) const { 942| 151| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 151| do { \ | | 52| 151| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 151| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 151] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 151| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 151] | | ------------------ ------------------ 943| 151| BufferStuffer pack(bytes); 944| 151| pack.append(0x04); 945| 151| x().serialize_to(pack.next()); 946| 151| y().serialize_to(pack.next()); 947| 151| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 151| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 151| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 151] | | ------------------ ------------------ 948| 151| } pcurves_secp521r1.cpp:_ZN5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6EEC2ERKNS_16AffineCurvePointINS_6IntModINS3_7P521RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 1405| 1| m_table(basemul_booth_setup(p, BlindedScalar::Bits + 1)) {} pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11from_affineERKNS_16AffineCurvePointISB_EE: 1016| 137| static constexpr Self from_affine(const AffinePoint& pt) { 1017| | /* 1018| | * If the point is the identity element (x=0, y=0) then instead of 1019| | * creating (x, y, 1) = (0, 0, 1) we want our projective identity 1020| | * encoding of (0, 1, 0) 1021| | * 1022| | * Which we can achieve by a conditional swap of y and z if the 1023| | * affine point is the identity. 1024| | */ 1025| | 1026| 137| auto x = pt.x(); 1027| 137| auto y = pt.y(); 1028| 137| auto z = FieldElement::one(); 1029| | 1030| 137| FieldElement::conditional_swap(pt.is_identity(), y, z); 1031| | 1032| 137| return ProjectiveCurvePoint(x, y, z); 1033| 137| } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1xEv: 971| 414k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE1yEv: 976| 403k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE3oneEv: 200| 11.8k| static constexpr Self one() { return Self(Rep::one()); } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEC2ENSt3__15arrayImLm9EEE: 898| 352k| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE16conditional_swapENS_2CT6ChoiceERSA_SD_: 410| 137| static constexpr void conditional_swap(CT::Choice cond, Self& x, Self& y) { 411| 137| const W mask = cond.into_bitmask(); 412| | 413| 1.37k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (413:28): [True: 1.23k, False: 137] ------------------ 414| 1.23k| auto nx = Botan::choose(mask, y.m_val[i], x.m_val[i]); 415| 1.23k| auto ny = Botan::choose(mask, x.m_val[i], y.m_val[i]); 416| 1.23k| x.m_val[i] = nx; 417| 1.23k| y.m_val[i] = ny; 418| 1.23k| } 419| 137| } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE11is_identityEv: 928| 12.2k| constexpr CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE7is_zeroEv: 225| 68.4k| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EC2ERKSB_SE_SE_: 1056| 15.2k| m_x(x), m_y(y), m_z(z) {} pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3dblEv: 1121| 1.64k| constexpr Self dbl() const { 1122| 1.64k| if constexpr(Self::A_is_minus_3) { 1123| 1.64k| return dbl_a_minus_3(*this); 1124| | } else if constexpr(Self::A_is_zero) { 1125| | return dbl_a_zero(*this); 1126| | } else { 1127| | return dbl_generic(*this, A); 1128| | } 1129| 1.64k| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1zEv: 1172| 86.3k| constexpr const FieldElement& z() const { return m_z; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6squareEv: 426| 51.4k| constexpr BOTAN_FORCE_INLINE Self square() const { 427| 51.4k| std::array z; // NOLINT(*-member-init) 428| 51.4k| comba_sqr(z.data(), this->data()); 429| 51.4k| return Self(Rep::redc(z)); 430| 51.4k| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4dataEv: 896| 412k| constexpr const W* data() const { return m_val.data(); } pcurves_secp521r1.cpp:_ZN5BotanmlERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 346| 136k| friend constexpr BOTAN_FORCE_INLINE Self operator*(const Self& a, const Self& b) { 347| 136k| std::array z; // NOLINT(*-member-init) 348| 136k| comba_mul(z.data(), a.data(), b.data()); 349| 136k| return Self(Rep::redc(z)); 350| 136k| } pcurves_secp521r1.cpp:_ZN5BotanmiERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 281| 85.5k| friend constexpr BOTAN_FORCE_INLINE Self operator-(const Self& a, const Self& b) { 282| 85.5k| std::array r; // NOLINT(*-member-init) 283| 85.5k| W carry = 0; 284| 855k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (284:28): [True: 769k, False: 85.5k] ------------------ 285| 769k| r[i] = word_sub(a.m_val[i], b.m_val[i], &carry); 286| 769k| } 287| | 288| 85.5k| const auto mask = CT::Mask::expand(carry).value(); 289| | 290| 85.5k| carry = 0; 291| | 292| 855k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (292:28): [True: 769k, False: 85.5k] ------------------ 293| 769k| r[i] = word_add(r[i], P[i] & mask, &carry); 294| 769k| } 295| | 296| 85.5k| return Self(r); 297| 85.5k| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1xEv: 1162| 49.5k| constexpr const FieldElement& x() const { return m_x; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul3Ev: 335| 1.64k| constexpr inline Self mul3() const { return mul2() + (*this); } pcurves_secp521r1.cpp:_ZN5BotanplERKNS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEESC_: 265| 17.2k| friend constexpr BOTAN_FORCE_INLINE Self operator+(const Self& a, const Self& b) { 266| 17.2k| std::array t; // NOLINT(*-member-init) 267| | 268| 17.2k| W carry = 0; 269| 172k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (269:28): [True: 155k, False: 17.2k] ------------------ 270| 155k| t[i] = word_add(a.m_val[i], b.m_val[i], &carry); 271| 155k| } 272| | 273| 17.2k| std::array r; // NOLINT(*-member-init) 274| 17.2k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 275| 17.2k| return Self(r); 276| 17.2k| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E1yEv: 1167| 47.8k| constexpr const FieldElement& y() const { return m_y; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul4Ev: 338| 1.64k| constexpr inline Self mul4() const { return mul2().mul2(); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul2Ev: 325| 13.1k| constexpr BOTAN_FORCE_INLINE Self mul2() const { 326| 13.1k| std::array t = value(); 327| 13.1k| const W carry = shift_left<1>(t); 328| | 329| 13.1k| std::array r; // NOLINT(*-member-init) 330| 13.1k| bigint_monty_maybe_sub(r.data(), carry, t.data(), P.data()); 331| 13.1k| return Self(r); 332| 13.1k| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE5valueEv: 894| 13.1k| constexpr const std::array& value() const { return m_val; } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4mul8Ev: 341| 1.64k| constexpr inline Self mul8() const { return mul2().mul2().mul2(); } pcurves_secp521r1.cpp:_ZN5BotanplERKNS_20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_EESE_: 1064| 1.45k| friend constexpr Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E3addERKSC_SE_: 1103| 1.45k| constexpr static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E11is_identityEv: 1082| 17.7k| constexpr CT::Choice is_identity() const { return z().is_zero(); } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_SB_NS_2CT6ChoiceERKSA_SF_SF_: 395| 26.4k| Self& x, Self& y, Self& z, CT::Choice cond, const Self& nx, const Self& ny, const Self& nz) { 396| 26.4k| const W mask = cond.into_bitmask(); 397| | 398| 264k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (398:28): [True: 237k, False: 26.4k] ------------------ 399| 237k| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 400| 237k| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 401| 237k| z.m_val[i] = Botan::choose(mask, nz.m_val[i], z.m_val[i]); 402| 237k| } 403| 26.4k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEmLERKSA_: 355| 1.63k| constexpr BOTAN_FORCE_INLINE Self& operator*=(const Self& other) { 356| 1.63k| std::array z; // NOLINT(*-member-init) 357| 1.63k| comba_mul(z.data(), data(), other.data()); 358| 1.63k| m_val = Rep::redc(z); 359| 1.63k| return (*this); 360| 1.63k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8square_nEm: 439| 1.49k| constexpr void square_n(size_t n) { 440| 1.49k| std::array z; // NOLINT(*-member-init) 441| 71.9k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (441:28): [True: 70.4k, False: 1.49k] ------------------ 442| 70.4k| comba_sqr(z.data(), this->data()); 443| 70.4k| m_val = Rep::redc(z); 444| 70.4k| } 445| 1.49k| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE14invert_vartimeEv: 598| 1| constexpr Self invert_vartime() const { 599| | // Conditional ok: this function is variable time 600| 1| if(this->is_zero().as_bool()) { ------------------ | Branch (600:13): [True: 0, False: 1] ------------------ 601| 0| return Self::zero(); 602| 0| } 603| | 604| 1| auto x = Self(std::array{1}); // 1 in standard domain 605| 1| auto b = Self(this->to_words()); // *this in standard domain 606| | 607| | // First loop iteration 608| 1| Self::_invert_vartime_div2_helper(b, x); 609| | 610| 1| auto a = b.negate(); 611| | // y += x but y is zero at the outset 612| 1| auto y = x; 613| | 614| | // First half of second loop iteration 615| 1| Self::_invert_vartime_div2_helper(a, y); 616| | 617| 350| for(;;) { 618| | // Conditional ok: this function is variable time 619| 350| if(a.m_val == b.m_val) { ------------------ | Branch (619:16): [True: 1, False: 349] ------------------ 620| | // At this point it should be that a == b == 1 621| 1| auto r = y.negate(); 622| | 623| | // Convert back to Montgomery if required 624| 1| r.m_val = Rep::to_rep(r.m_val); 625| 1| return r; 626| 1| } 627| | 628| 349| auto nx = x + y; 629| | 630| | /* 631| | * Otherwise either b > a or a > b 632| | * 633| | * If b > a we want to set b to b - a 634| | * Otherwise we want to set a to a - b 635| | * 636| | * Compute r = b - a and check if it underflowed 637| | * If it did not then we are in the b > a path 638| | */ 639| 349| std::array r; // NOLINT(*-member-init) 640| 349| const word carry = bigint_sub3(r.data(), b.data(), N, a.data(), N); 641| | 642| | // Conditional ok: this function is variable time 643| 349| if(carry == 0) { ------------------ | Branch (643:16): [True: 170, False: 179] ------------------ 644| | // b > a 645| 170| b.m_val = r; 646| 170| x = nx; 647| 170| Self::_invert_vartime_div2_helper(b, x); 648| 179| } else { 649| | // We know this can't underflow because a > b 650| 179| bigint_sub3(r.data(), a.data(), N, b.data(), N); 651| 179| a.m_val = r; 652| 179| y = nx; 653| 179| Self::_invert_vartime_div2_helper(a, y); 654| 179| } 655| 349| } 656| 1| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE4zeroEv: 195| 23.6k| static constexpr Self zero() { return Self(std::array{0}); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE8to_wordsEv: 734| 1| constexpr std::array to_words() const { return Rep::from_rep(m_val); } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE27_invert_vartime_div2_helperERSA_SB_: 547| 351| static constexpr void _invert_vartime_div2_helper(Self& a, Self& x) { 548| 351| constexpr auto INV_2 = p_div_2_plus_1(Rep::P); 549| | 550| | // Conditional ok: this function is variable time 551| 1.09k| while((a.m_val[0] & 1) != 1) { ------------------ | Branch (551:16): [True: 742, False: 351] ------------------ 552| 742| shift_right<1>(a.m_val); 553| | 554| 742| const W borrow = shift_right<1>(x.m_val); 555| | 556| | // Conditional ok: this function is variable time 557| 742| if(borrow) { ------------------ | Branch (557:16): [True: 109, False: 633] ------------------ 558| 109| bigint_add2(x.m_val.data(), N, INV_2.data(), N); 559| 109| } 560| 742| } 561| 351| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE6negateEv: 452| 11.8k| constexpr Self negate() const { 453| 11.8k| const W x_is_zero = ~CT::all_zeros(this->data(), N).value(); 454| | 455| 11.8k| std::array r; // NOLINT(*-member-init) 456| 11.8k| W carry = 0; 457| 118k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (457:28): [True: 106k, False: 11.8k] ------------------ 458| 106k| r[i] = word_sub(P[i] & x_is_zero, m_val[i], &carry); 459| 106k| } 460| | 461| 11.8k| return Self(r); 462| 11.8k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEEC2ERKSB_SE_: 917| 15.3k| constexpr AffineCurvePoint(const FieldElement& x, const FieldElement& y) : m_x(x), m_y(y) {} pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 682| std::array stash_value() const { 760| 682| static_assert(L >= N); 761| 682| std::array stash = {}; 762| 6.82k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 6.13k, False: 682] ------------------ 763| 6.13k| stash[i] = m_val[i]; 764| 6.13k| } 765| 682| return stash; 766| 682| } pcurves_secp521r1.cpp:_ZNK5Botan23PrecomputedBaseMulTableINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6EE3mulERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_7P521RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1407| 136| ProjectivePoint mul(const Scalar& s, RandomNumberGenerator& rng) const { 1408| 136| const BlindedScalar scalar(s, rng); 1409| 136| return basemul_booth_exec(m_table, scalar, rng); 1410| 136| } pcurves_secp521r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EEC2ERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_7P521RepEE12ScalarParamsEEEEERNS_21RandomNumberGeneratorE: 1307| 136| BlindedScalarBits(const typename C::Scalar& scalar, RandomNumberGenerator& rng) { 1308| 136| if(BlindingBits > 0 && rng.is_seeded()) { ------------------ | Branch (1308:13): [True: 136, Folded] | Branch (1308:33): [True: 0, False: 136] ------------------ 1309| 0| constexpr size_t MaskWords = (BlindingBits + WordInfo::bits - 1) / WordInfo::bits; 1310| 0| constexpr size_t MaskBytes = MaskWords * WordInfo::bytes; 1311| | 1312| 0| constexpr size_t n_words = C::Words; 1313| | 1314| 0| uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0}; 1315| 0| rng.randomize(maskb, MaskBytes); 1316| | 1317| 0| W mask[n_words] = {0}; 1318| 0| load_le(mask, maskb, MaskWords); 1319| | 1320| | // Mask to exactly BlindingBits 1321| 0| constexpr size_t ExcessBits = MaskWords * WordInfo::bits - BlindingBits; 1322| 0| if constexpr(ExcessBits > 0) { 1323| 0| constexpr W ExcessMask = (static_cast(1) << (WordInfo::bits - ExcessBits)) - 1; 1324| 0| mask[MaskWords - 1] &= ExcessMask; 1325| 0| } 1326| | 1327| | // Set top and bottom bits of mask 1328| 0| constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo::bits; 1329| 0| mask[(BlindingBits - 1) / WordInfo::bits] |= static_cast(1) << TopMaskBit; 1330| 0| mask[0] |= 1; 1331| | 1332| 0| W mask_n[2 * n_words] = {0}; 1333| | 1334| 0| const auto sw = scalar.to_words(); 1335| | 1336| | // Compute masked scalar s + k*n 1337| 0| comba_mul(mask_n, mask, C::NW.data()); 1338| 0| bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size()); 1339| | 1340| 0| std::reverse(mask_n, mask_n + 2 * n_words); 1341| 0| m_bytes = store_be>(mask_n); 1342| 0| m_bits = C::Scalar::BITS + BlindingBits; 1343| 136| } else { 1344| | // No RNG available, skip blinding 1345| 136| m_bytes.resize(C::Scalar::BYTES); 1346| 136| scalar.serialize_to(std::span{m_bytes}.template first()); 1347| 136| m_bits = C::Scalar::BITS; 1348| 136| } 1349| | 1350| 136| CT::poison(m_bytes.data(), m_bytes.size()); 1351| 136| } pcurves_secp521r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS4_7P521RepEE12ScalarParamsEE8from_repERKNSt3__15arrayImLm9EEE: 137| 362| constexpr static std::array from_rep(const std::array& z) { 138| 362| std::array ze = {}; 139| 362| copy_mem(std::span{ze}.template first(), z); 140| 362| return Self::redc(ze); 141| 362| } pcurves_secp521r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS4_7P521RepEE12ScalarParamsEE4redcERKNSt3__15arrayImLm18EEE: 104| 589| constexpr static std::array redc(const std::array& z) { 105| | if constexpr(P_dash == 1) { 106| | return monty_redc_pdash1(z, P); 107| 589| } else { 108| 589| return monty_redc(z, P, P_dash); 109| 589| } 110| 589| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE12serialize_toENSt3__14spanIhLm66EEE: 739| 362| constexpr void serialize_to(std::span bytes) const { 740| 362| auto v = Rep::from_rep(m_val); 741| 362| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 362| } else { 746| | // Remove leading zero bytes 747| 362| const auto padded_bytes = store_be(v); 748| 362| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 362| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 362| } 751| 362| } pcurves_secp521r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EE4bitsEv: 1305| 136| size_t bits() const { return m_bits; } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18conditional_assignENS_2CT6ChoiceERKSC_: 1084| 136| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 1085| 136| FieldElement::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1086| 136| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E6negateEv: 1134| 136| constexpr Self negate() const { return Self(x(), y().negate(), z()); } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E18_const_time_poisonEv: 1174| 136| constexpr void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18_const_time_poisonEv: 889| 408| constexpr void _const_time_poison() const { CT::poison(m_val); } pcurves_secp521r1.cpp:_ZNK5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EE10get_windowEm: 1353| 11.8k| size_t get_window(size_t offset) const { 1354| | // Extract a WindowBits sized window out of s, depending on offset. 1355| 11.8k| return read_window_bits(std::span{m_bytes}, offset); 1356| 11.8k| } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E10add_or_subERKSC_RKNS_16AffineCurvePointISB_EENS_2CT6ChoiceE: 1096| 11.6k| constexpr static Self add_or_sub(const Self& a, const AffinePoint& b, CT::Choice sub) { 1097| 11.6k| return point_add_or_sub_mixed(a, b, sub, FieldElement::one()); 1098| 11.6k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignENS_2CT6ChoiceERKSA_: 367| 11.6k| constexpr void conditional_assign(CT::Choice cond, const Self& nx) { 368| 11.6k| const W mask = cond.into_bitmask(); 369| | 370| 116k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (370:28): [True: 105k, False: 11.6k] ------------------ 371| 105k| m_val[i] = Botan::choose(mask, nx.m_val[i], m_val[i]); 372| 105k| } 373| 11.6k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE9ct_selectENSt3__14spanIKSC_Lm18446744073709551615EEEm: 955| 11.8k| static constexpr auto ct_select(std::span pts, size_t idx) { 956| 11.8k| auto result = Self::identity(pts[0]); 957| | 958| | // Intentionally wrapping; set to maximum size_t if idx == 0 959| 11.8k| const size_t idx1 = static_cast(idx - 1); 960| 390k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (960:28): [True: 378k, False: 11.8k] ------------------ 961| 378k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 962| 378k| result.conditional_assign(found, pts[i]); 963| 378k| } 964| | 965| 11.8k| return result; 966| 11.8k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE8identityERKSC_: 924| 11.8k| static constexpr Self identity(const Self& /*unused*/) { 925| 11.8k| return Self(FieldElement::zero(), FieldElement::zero()); 926| 11.8k| } pcurves_secp521r1.cpp:_ZN5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE18conditional_assignENS_2CT6ChoiceERKSC_: 981| 378k| constexpr void conditional_assign(CT::Choice cond, const Self& pt) { 982| 378k| FieldElement::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 983| 378k| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE18conditional_assignERSA_SB_NS_2CT6ChoiceERKSA_SF_: 380| 378k| static constexpr void conditional_assign(Self& x, Self& y, CT::Choice cond, const Self& nx, const Self& ny) { 381| 378k| const W mask = cond.into_bitmask(); 382| | 383| 3.78M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (383:28): [True: 3.40M, False: 378k] ------------------ 384| 3.40M| x.m_val[i] = Botan::choose(mask, nx.m_val[i], x.m_val[i]); 385| 3.40M| y.m_val[i] = Botan::choose(mask, ny.m_val[i], y.m_val[i]); 386| 3.40M| } 387| 378k| } pcurves_secp521r1.cpp:_ZN5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E13randomize_repERNS_21RandomNumberGeneratorE: 1142| 544| void randomize_rep(RandomNumberGenerator& rng) { 1143| | // In certain contexts we may be called with a Null_RNG; in that case the 1144| | // caller is accepting that randomization will not occur 1145| | 1146| | // Conditional ok: caller's RNG state (seeded vs not) is presumed public 1147| 544| if(rng.is_seeded()) { ------------------ | Branch (1147:13): [True: 0, False: 544] ------------------ 1148| 0| auto r = FieldElement::random(rng); 1149| | 1150| 0| auto r2 = r.square(); 1151| 0| auto r3 = r2 * r; 1152| | 1153| 0| m_x *= r2; 1154| 0| m_y *= r3; 1155| 0| m_z *= r; 1156| 0| } 1157| 544| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 162| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 162| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 162] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 162| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 162| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 5, False: 157] ------------------ 802| 5| return {}; 803| 5| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 157| return Self::from_words(words); 807| 162| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_wordsILm9EEESA_NSt3__15arrayImXT_EEE: 211| 157| static constexpr Self from_words(std::array w) { 212| 157| if constexpr(L == N) { 213| 157| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 157| } pcurves_secp521r1.cpp:_ZNK5Botan20ProjectiveCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEES7_E20_const_time_unpoisonEv: 1176| 136| constexpr void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE20_const_time_unpoisonEv: 891| 408| constexpr void _const_time_unpoison() const { CT::unpoison(m_val); } pcurves_secp521r1.cpp:_ZN5Botan17BlindedScalarBitsINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm7EED2Ev: 1358| 136| ~BlindedScalarBits() { 1359| 136| secure_zeroize_buffer(m_bytes.data(), m_bytes.size()); 1360| 136| CT::unpoison(m_bytes.data(), m_bytes.size()); 1361| 136| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE10from_stashILm9EEESB_RKNSt3__15arrayImXT_EEE: 774| 588| static Self from_stash(const std::array& stash) { 775| 588| static_assert(L >= N); 776| 588| std::array val = {}; 777| 5.88k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 5.29k, False: 588] ------------------ 778| 5.29k| val[i] = stash[i]; 779| 5.29k| } 780| 588| return Self(val); 781| 588| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEEC2ENSt3__15arrayImLm9EEE: 898| 815| explicit constexpr IntMod(std::array v) : m_val(v) {} pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE12serialize_toENSt3__14spanIhLm66EEE: 739| 274| constexpr void serialize_to(std::span bytes) const { 740| 274| auto v = Rep::from_rep(m_val); 741| 274| std::reverse(v.begin(), v.end()); 742| | 743| | if constexpr(Self::BYTES == N * WordInfo::bytes) { 744| | store_be(bytes, v); 745| 274| } else { 746| | // Remove leading zero bytes 747| 274| const auto padded_bytes = store_be(v); 748| 274| constexpr size_t extra = N * WordInfo::bytes - Self::BYTES; 749| 274| copy_mem(bytes, std::span{padded_bytes}.template subspan()); 750| 274| } 751| 274| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE11stash_valueILm9EEENSt3__15arrayImXT_EEEv: 759| 226| std::array stash_value() const { 760| 226| static_assert(L >= N); 761| 226| std::array stash = {}; 762| 2.26k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (762:28): [True: 2.03k, False: 226] ------------------ 763| 2.03k| stash[i] = m_val[i]; 764| 2.03k| } 765| 226| return stash; 766| 226| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEE10from_stashILm9EEESA_RKNSt3__15arrayImXT_EEE: 774| 956| static Self from_stash(const std::array& stash) { 775| 956| static_assert(L >= N); 776| 956| std::array val = {}; 777| 9.56k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (777:28): [True: 8.60k, False: 956] ------------------ 778| 8.60k| val[i] = stash[i]; 779| 8.60k| } 780| 956| return Self(val); 781| 956| } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE7is_zeroEv: 225| 453| constexpr CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_val.size()).as_choice(); } pcurves_secp521r1.cpp:_ZNK5Botan6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS3_6ParamsES4_E11FieldParamsEEEEeqERKSA_: 722| 213| constexpr CT::Choice operator==(const Self& other) const { 723| 213| return CT::is_equal(this->data(), other.data(), N).as_choice(); 724| 213| } pcurves_secp521r1.cpp:_ZN5Botan13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS3_7P521RepEE7x3_ax_bERKNS_6IntModINS5_INS6_11FieldParamsEEEEE: 1275| 213| static constexpr FieldElement x3_ax_b(const FieldElement& x) { return (x.square() + A) * x + B; } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE11deserializeENSt3__14spanIKhLm18446744073709551615EEE: 792| 229| static std::optional deserialize(std::span bytes) { 793| | // Conditional ok: input length is public 794| 229| if(bytes.size() != Self::BYTES) { ------------------ | Branch (794:13): [True: 0, False: 229] ------------------ 795| 0| return {}; 796| 0| } 797| | 798| 229| const auto words = bytes_to_words(bytes.first()); 799| | 800| | // Conditional acceptable: std::optional is implicitly not constant time 801| 229| if(!bigint_ct_is_lt(words.data(), N, P.data(), N).as_bool()) { ------------------ | Branch (801:13): [True: 2, False: 227] ------------------ 802| 2| return {}; 803| 2| } 804| | 805| | // Safe because we checked above that words is an integer < P 806| 227| return Self::from_words(words); 807| 229| } pcurves_secp521r1.cpp:_ZN5Botan6IntModINS_13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS5_7P521RepEE12ScalarParamsEEEE10from_wordsILm9EEESB_NSt3__15arrayImXT_EEE: 211| 227| static constexpr Self from_words(std::array w) { 212| 227| if constexpr(L == N) { 213| 227| return Self(Rep::to_rep(w)); 214| | } else { 215| | static_assert(L < N); 216| | std::array ew = {}; 217| | copy_mem(std::span{ew}.template first(), w); 218| | return Self(Rep::to_rep(ew)); 219| | } 220| 227| } pcurves_secp521r1.cpp:_ZN5Botan13MontgomeryRepINS_13EllipticCurveINS_6PCurve12_GLOBAL__N_19secp521r16ParamsENS4_7P521RepEE12ScalarParamsEE6to_repERKNSt3__15arrayImLm9EEE: 115| 227| constexpr static std::array to_rep(const std::array& x) { 116| 227| std::array z; // NOLINT(*-member-init) 117| 227| comba_mul(z.data(), x.data(), R2.data()); 118| 227| return Self::redc(z); 119| 227| } pcurves_secp521r1.cpp:_ZNK5Botan16AffineCurvePointINS_6IntModINS_6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS4_6ParamsES5_E11FieldParamsEEEEEE12serialize_toENSt3__14spanIhLm133EEE: 941| 137| constexpr void serialize_to(std::span bytes) const { 942| 137| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 137| do { \ | | 52| 137| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 137| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 137] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 137| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 137] | | ------------------ ------------------ 943| 137| BufferStuffer pack(bytes); 944| 137| pack.append(0x04); 945| 137| x().serialize_to(pack.next()); 946| 137| y().serialize_to(pack.next()); 947| 137| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 137| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 137| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 137] | | ------------------ ------------------ 948| 137| } pcurves_brainpool256r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 50| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 49, False: 1] ------------------ 270| 49| table.push_back(accum); 271| | 272| 1.56k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.51k, False: 49] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.51k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 784, False: 735] ------------------ 275| 784| table.emplace_back(table[i + j / 2].dbl()); 276| 784| } else { 277| 735| table.emplace_back(table[i + j - 1] + table[i]); 278| 735| } 279| 1.51k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 49| accum = table[i + WindowElements - 1].dbl(); 284| 49| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_brainpool256r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 152| RandomNumberGenerator& rng) { 309| 152| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 152| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 152| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 152| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 152| const size_t raw = w_bits << 1; 317| 152| const auto [tidx, tneg] = booth_recode(raw); 318| 152| const auto tbl_0 = table.first(WindowElements); 319| | 320| 152| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 152| pt.conditional_assign(tneg, pt.negate()); 322| 152| CT::poison(pt); 323| 152| pt.randomize_rep(rng); 324| 152| return pt; 325| 152| }(); 326| | 327| 6.53k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 6.38k, False: 152] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 6.38k| const size_t bit_pos = WindowBits * i - 1; 330| 6.38k| const size_t raw = scalar.get_window(bit_pos); 331| 6.38k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 6.38k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 6.38k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 6.38k| if(i <= 3) { ------------------ | Branch (338:10): [True: 456, False: 5.92k] ------------------ 339| 456| accum.randomize_rep(rng); 340| 456| } 341| 6.38k| } 342| | 343| 152| CT::unpoison(accum); 344| 152| return accum; 345| 152|} pcurves_brainpool256r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 152| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 152| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 152| const size_t raw = w_bits << 1; 317| 152| const auto [tidx, tneg] = booth_recode(raw); 318| 152| const auto tbl_0 = table.first(WindowElements); 319| | 320| 152| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 152| pt.conditional_assign(tneg, pt.negate()); 322| 152| CT::poison(pt); 323| 152| pt.randomize_rep(rng); 324| 152| return pt; 325| 152| }(); _ZN5Botan12booth_recodeILm6ETkNSt3__117unsigned_integralEmEENS1_4pairImNS_2CT6ChoiceEEET0_: 294| 96.1k|constexpr std::pair booth_recode(T x) { 295| 96.1k| static_assert(WindowBits >= 1 && WindowBits <= 8); 296| | 297| 96.1k| auto s_mask = CT::Mask::expand(x >> WindowBits); 298| 96.1k| const T neg_x = (1 << (WindowBits + 1)) - x - 1; 299| 96.1k| T d = s_mask.select(neg_x, x); 300| 96.1k| d = (d >> 1) + (d & 1); 301| | 302| 96.1k| return std::make_pair(static_cast(d), s_mask.as_choice()); 303| 96.1k|} _ZN5Botan20scalar_blinding_bitsEm: 41| 895|constexpr size_t scalar_blinding_bits(size_t scalar_bits) { 42| | // For blinding use 1/8 the order length for most curves; for P-521 we round down a bit 43| | // so the masked scalar fits exactly in 9 or 18 words. 44| | 45| 895| if(scalar_bits == 521) { ------------------ | Branch (45:7): [True: 53, False: 842] ------------------ 46| 53| return 55; 47| 842| } else { 48| 842| return scalar_bits / 8; 49| 842| } 50| 895|} pcurves_brainpool384r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 74| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 73, False: 1] ------------------ 270| 73| table.push_back(accum); 271| | 272| 2.33k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 2.26k, False: 73] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 2.26k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.16k, False: 1.09k] ------------------ 275| 1.16k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.16k| } else { 277| 1.09k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.09k| } 279| 2.26k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 73| accum = table[i + WindowElements - 1].dbl(); 284| 73| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_brainpool384r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 185| RandomNumberGenerator& rng) { 309| 185| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 185| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 185| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 185| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 185| const size_t raw = w_bits << 1; 317| 185| const auto [tidx, tneg] = booth_recode(raw); 318| 185| const auto tbl_0 = table.first(WindowElements); 319| | 320| 185| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 185| pt.conditional_assign(tneg, pt.negate()); 322| 185| CT::poison(pt); 323| 185| pt.randomize_rep(rng); 324| 185| return pt; 325| 185| }(); 326| | 327| 12.0k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 11.8k, False: 185] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 11.8k| const size_t bit_pos = WindowBits * i - 1; 330| 11.8k| const size_t raw = scalar.get_window(bit_pos); 331| 11.8k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 11.8k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 11.8k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 11.8k| if(i <= 3) { ------------------ | Branch (338:10): [True: 555, False: 11.2k] ------------------ 339| 555| accum.randomize_rep(rng); 340| 555| } 341| 11.8k| } 342| | 343| 185| CT::unpoison(accum); 344| 185| return accum; 345| 185|} pcurves_brainpool384r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 185| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 185| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 185| const size_t raw = w_bits << 1; 317| 185| const auto [tidx, tneg] = booth_recode(raw); 318| 185| const auto tbl_0 = table.first(WindowElements); 319| | 320| 185| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 185| pt.conditional_assign(tneg, pt.negate()); 322| 185| CT::poison(pt); 323| 185| pt.randomize_rep(rng); 324| 185| return pt; 325| 185| }(); pcurves_brainpool512r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 98| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 97, False: 1] ------------------ 270| 97| table.push_back(accum); 271| | 272| 3.10k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 3.00k, False: 97] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 3.00k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.55k, False: 1.45k] ------------------ 275| 1.55k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.55k| } else { 277| 1.45k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.45k| } 279| 3.00k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 97| accum = table[i + WindowElements - 1].dbl(); 284| 97| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_brainpool512r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 151| RandomNumberGenerator& rng) { 309| 151| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 151| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 151| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 151| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 151| const size_t raw = w_bits << 1; 317| 151| const auto [tidx, tneg] = booth_recode(raw); 318| 151| const auto tbl_0 = table.first(WindowElements); 319| | 320| 151| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 151| pt.conditional_assign(tneg, pt.negate()); 322| 151| CT::poison(pt); 323| 151| pt.randomize_rep(rng); 324| 151| return pt; 325| 151| }(); 326| | 327| 12.9k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 12.8k, False: 151] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 12.8k| const size_t bit_pos = WindowBits * i - 1; 330| 12.8k| const size_t raw = scalar.get_window(bit_pos); 331| 12.8k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 12.8k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 12.8k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 12.8k| if(i <= 3) { ------------------ | Branch (338:10): [True: 453, False: 12.3k] ------------------ 339| 453| accum.randomize_rep(rng); 340| 453| } 341| 12.8k| } 342| | 343| 151| CT::unpoison(accum); 344| 151| return accum; 345| 151|} pcurves_brainpool512r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_114brainpool512r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 151| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 151| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 151| const size_t raw = w_bits << 1; 317| 151| const auto [tidx, tneg] = booth_recode(raw); 318| 151| const auto tbl_0 = table.first(WindowElements); 319| | 320| 151| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 151| pt.conditional_assign(tneg, pt.negate()); 322| 151| CT::poison(pt); 323| 151| pt.randomize_rep(rng); 324| 151| return pt; 325| 151| }(); pcurves_generic.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_112GenericCurveELm6ENS2_24GenericBlindedScalarBitsEEENT_15ProjectivePointENSt3__14spanIKNS5_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 371| RandomNumberGenerator& rng) { 309| 371| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 371| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 371| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 371| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 371| const size_t raw = w_bits << 1; 317| 371| const auto [tidx, tneg] = booth_recode(raw); 318| 371| const auto tbl_0 = table.first(WindowElements); 319| | 320| 371| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 371| pt.conditional_assign(tneg, pt.negate()); 322| 371| CT::poison(pt); 323| 371| pt.randomize_rep(rng); 324| 371| return pt; 325| 371| }(); 326| | 327| 14.2k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 13.9k, False: 371] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 13.9k| const size_t bit_pos = WindowBits * i - 1; 330| 13.9k| const size_t raw = scalar.get_window(bit_pos); 331| 13.9k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 13.9k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 13.9k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 13.9k| if(i <= 3) { ------------------ | Branch (338:10): [True: 1.11k, False: 12.8k] ------------------ 339| 1.11k| accum.randomize_rep(rng); 340| 1.11k| } 341| 13.9k| } 342| | 343| 371| CT::unpoison(accum); 344| 371| return accum; 345| 371|} pcurves_generic.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_112GenericCurveELm6ENS2_24GenericBlindedScalarBitsEEENT_15ProjectivePointENSt3__14spanIKNS5_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 371| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 371| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 371| const size_t raw = w_bits << 1; 317| 371| const auto [tidx, tneg] = booth_recode(raw); 318| 371| const auto tbl_0 = table.first(WindowElements); 319| | 320| 371| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 371| pt.conditional_assign(tneg, pt.negate()); 322| 371| CT::poison(pt); 323| 371| pt.randomize_rep(rng); 324| 371| return pt; 325| 371| }(); pcurves_generic.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_112GenericCurveELm6EEENSt3__16vectorINT_11AffinePointENS4_9allocatorIS7_EEEERKS7_m: 254| 524|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 524| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 524| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 524| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 524| const size_t TableSize = Windows * WindowElements; 263| | 264| 524| std::vector table; 265| 524| table.reserve(TableSize); 266| | 267| 524| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 26.0k| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 25.5k, False: 524] ------------------ 270| 25.5k| table.push_back(accum); 271| | 272| 817k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 791k, False: 25.5k] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 791k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 408k, False: 382k] ------------------ 275| 408k| table.emplace_back(table[i + j / 2].dbl()); 276| 408k| } else { 277| 382k| table.emplace_back(table[i + j - 1] + table[i]); 278| 382k| } 279| 791k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 25.5k| accum = table[i + WindowElements - 1].dbl(); 284| 25.5k| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 524| return to_affine_batch(table); 288| 524|} pcurves_secp192r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 38| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 37, False: 1] ------------------ 270| 37| table.push_back(accum); 271| | 272| 1.18k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.14k, False: 37] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.14k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 592, False: 555] ------------------ 275| 592| table.emplace_back(table[i + j / 2].dbl()); 276| 592| } else { 277| 555| table.emplace_back(table[i + j - 1] + table[i]); 278| 555| } 279| 1.14k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 37| accum = table[i + WindowElements - 1].dbl(); 284| 37| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp192r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 189| RandomNumberGenerator& rng) { 309| 189| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 189| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 189| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 189| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 189| const size_t raw = w_bits << 1; 317| 189| const auto [tidx, tneg] = booth_recode(raw); 318| 189| const auto tbl_0 = table.first(WindowElements); 319| | 320| 189| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 189| pt.conditional_assign(tneg, pt.negate()); 322| 189| CT::poison(pt); 323| 189| pt.randomize_rep(rng); 324| 189| return pt; 325| 189| }(); 326| | 327| 6.23k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 6.04k, False: 189] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 6.04k| const size_t bit_pos = WindowBits * i - 1; 330| 6.04k| const size_t raw = scalar.get_window(bit_pos); 331| 6.04k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 6.04k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 6.04k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 6.04k| if(i <= 3) { ------------------ | Branch (338:10): [True: 567, False: 5.48k] ------------------ 339| 567| accum.randomize_rep(rng); 340| 567| } 341| 6.04k| } 342| | 343| 189| CT::unpoison(accum); 344| 189| return accum; 345| 189|} pcurves_secp192r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp192r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 189| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 189| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 189| const size_t raw = w_bits << 1; 317| 189| const auto [tidx, tneg] = booth_recode(raw); 318| 189| const auto tbl_0 = table.first(WindowElements); 319| | 320| 189| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 189| pt.conditional_assign(tneg, pt.negate()); 322| 189| CT::poison(pt); 323| 189| pt.randomize_rep(rng); 324| 189| return pt; 325| 189| }(); pcurves_secp224r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 44| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 43, False: 1] ------------------ 270| 43| table.push_back(accum); 271| | 272| 1.37k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.33k, False: 43] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.33k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 688, False: 645] ------------------ 275| 688| table.emplace_back(table[i + j / 2].dbl()); 276| 688| } else { 277| 645| table.emplace_back(table[i + j - 1] + table[i]); 278| 645| } 279| 1.33k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 43| accum = table[i + WindowElements - 1].dbl(); 284| 43| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp224r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 168| RandomNumberGenerator& rng) { 309| 168| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 168| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 168| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 168| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 168| const size_t raw = w_bits << 1; 317| 168| const auto [tidx, tneg] = booth_recode(raw); 318| 168| const auto tbl_0 = table.first(WindowElements); 319| | 320| 168| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 168| pt.conditional_assign(tneg, pt.negate()); 322| 168| CT::poison(pt); 323| 168| pt.randomize_rep(rng); 324| 168| return pt; 325| 168| }(); 326| | 327| 6.38k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 6.21k, False: 168] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 6.21k| const size_t bit_pos = WindowBits * i - 1; 330| 6.21k| const size_t raw = scalar.get_window(bit_pos); 331| 6.21k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 6.21k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 6.21k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 6.21k| if(i <= 3) { ------------------ | Branch (338:10): [True: 504, False: 5.71k] ------------------ 339| 504| accum.randomize_rep(rng); 340| 504| } 341| 6.21k| } 342| | 343| 168| CT::unpoison(accum); 344| 168| return accum; 345| 168|} pcurves_secp224r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp224r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 168| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 168| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 168| const size_t raw = w_bits << 1; 317| 168| const auto [tidx, tneg] = booth_recode(raw); 318| 168| const auto tbl_0 = table.first(WindowElements); 319| | 320| 168| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 168| pt.conditional_assign(tneg, pt.negate()); 322| 168| CT::poison(pt); 323| 168| pt.randomize_rep(rng); 324| 168| return pt; 325| 168| }(); pcurves_secp256k1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 50| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 49, False: 1] ------------------ 270| 49| table.push_back(accum); 271| | 272| 1.56k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.51k, False: 49] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.51k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 784, False: 735] ------------------ 275| 784| table.emplace_back(table[i + j / 2].dbl()); 276| 784| } else { 277| 735| table.emplace_back(table[i + j - 1] + table[i]); 278| 735| } 279| 1.51k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 49| accum = table[i + WindowElements - 1].dbl(); 284| 49| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp256k1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 157| RandomNumberGenerator& rng) { 309| 157| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 157| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 157| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 157| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 157| const size_t raw = w_bits << 1; 317| 157| const auto [tidx, tneg] = booth_recode(raw); 318| 157| const auto tbl_0 = table.first(WindowElements); 319| | 320| 157| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 157| pt.conditional_assign(tneg, pt.negate()); 322| 157| CT::poison(pt); 323| 157| pt.randomize_rep(rng); 324| 157| return pt; 325| 157| }(); 326| | 327| 6.75k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 6.59k, False: 157] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 6.59k| const size_t bit_pos = WindowBits * i - 1; 330| 6.59k| const size_t raw = scalar.get_window(bit_pos); 331| 6.59k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 6.59k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 6.59k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 6.59k| if(i <= 3) { ------------------ | Branch (338:10): [True: 471, False: 6.12k] ------------------ 339| 471| accum.randomize_rep(rng); 340| 471| } 341| 6.59k| } 342| | 343| 157| CT::unpoison(accum); 344| 157| return accum; 345| 157|} pcurves_secp256k1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256k15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 157| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 157| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 157| const size_t raw = w_bits << 1; 317| 157| const auto [tidx, tneg] = booth_recode(raw); 318| 157| const auto tbl_0 = table.first(WindowElements); 319| | 320| 157| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 157| pt.conditional_assign(tneg, pt.negate()); 322| 157| CT::poison(pt); 323| 157| pt.randomize_rep(rng); 324| 157| return pt; 325| 157| }(); pcurves_secp256r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 50| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 49, False: 1] ------------------ 270| 49| table.push_back(accum); 271| | 272| 1.56k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 1.51k, False: 49] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 1.51k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 784, False: 735] ------------------ 275| 784| table.emplace_back(table[i + j / 2].dbl()); 276| 784| } else { 277| 735| table.emplace_back(table[i + j - 1] + table[i]); 278| 735| } 279| 1.51k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 49| accum = table[i + WindowElements - 1].dbl(); 284| 49| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp256r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 215| RandomNumberGenerator& rng) { 309| 215| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 215| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 215| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 215| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 215| const size_t raw = w_bits << 1; 317| 215| const auto [tidx, tneg] = booth_recode(raw); 318| 215| const auto tbl_0 = table.first(WindowElements); 319| | 320| 215| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 215| pt.conditional_assign(tneg, pt.negate()); 322| 215| CT::poison(pt); 323| 215| pt.randomize_rep(rng); 324| 215| return pt; 325| 215| }(); 326| | 327| 9.24k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 9.03k, False: 215] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 9.03k| const size_t bit_pos = WindowBits * i - 1; 330| 9.03k| const size_t raw = scalar.get_window(bit_pos); 331| 9.03k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 9.03k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 9.03k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 9.03k| if(i <= 3) { ------------------ | Branch (338:10): [True: 645, False: 8.38k] ------------------ 339| 645| accum.randomize_rep(rng); 340| 645| } 341| 9.03k| } 342| | 343| 215| CT::unpoison(accum); 344| 215| return accum; 345| 215|} pcurves_secp256r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp256r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 215| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 215| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 215| const size_t raw = w_bits << 1; 317| 215| const auto [tidx, tneg] = booth_recode(raw); 318| 215| const auto tbl_0 = table.first(WindowElements); 319| | 320| 215| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 215| pt.conditional_assign(tneg, pt.negate()); 322| 215| CT::poison(pt); 323| 215| pt.randomize_rep(rng); 324| 215| return pt; 325| 215| }(); pcurves_secp384r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 74| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 73, False: 1] ------------------ 270| 73| table.push_back(accum); 271| | 272| 2.33k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 2.26k, False: 73] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 2.26k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.16k, False: 1.09k] ------------------ 275| 1.16k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.16k| } else { 277| 1.09k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.09k| } 279| 2.26k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 73| accum = table[i + WindowElements - 1].dbl(); 284| 73| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp384r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 151| RandomNumberGenerator& rng) { 309| 151| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 151| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 151| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 151| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 151| const size_t raw = w_bits << 1; 317| 151| const auto [tidx, tneg] = booth_recode(raw); 318| 151| const auto tbl_0 = table.first(WindowElements); 319| | 320| 151| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 151| pt.conditional_assign(tneg, pt.negate()); 322| 151| CT::poison(pt); 323| 151| pt.randomize_rep(rng); 324| 151| return pt; 325| 151| }(); 326| | 327| 9.81k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 9.66k, False: 151] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 9.66k| const size_t bit_pos = WindowBits * i - 1; 330| 9.66k| const size_t raw = scalar.get_window(bit_pos); 331| 9.66k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 9.66k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 9.66k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 9.66k| if(i <= 3) { ------------------ | Branch (338:10): [True: 453, False: 9.21k] ------------------ 339| 453| accum.randomize_rep(rng); 340| 453| } 341| 9.66k| } 342| | 343| 151| CT::unpoison(accum); 344| 151| return accum; 345| 151|} pcurves_secp384r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp384r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 151| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 151| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 151| const size_t raw = w_bits << 1; 317| 151| const auto [tidx, tneg] = booth_recode(raw); 318| 151| const auto tbl_0 = table.first(WindowElements); 319| | 320| 151| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 151| pt.conditional_assign(tneg, pt.negate()); 322| 151| CT::poison(pt); 323| 151| pt.randomize_rep(rng); 324| 151| return pt; 325| 151| }(); pcurves_secp521r1.cpp:_ZN5Botan19basemul_booth_setupINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6EEENSt3__16vectorINT_11AffinePointENS5_9allocatorIS8_EEEERKS8_m: 254| 1|std::vector basemul_booth_setup(const typename C::AffinePoint& p, size_t max_scalar_bits) { 255| 1| static_assert(WindowBits >= 1 && WindowBits <= 8); 256| | 257| | // 2^(W-1) elements per window [1*base .. 2^(W-1)*base] 258| 1| constexpr size_t WindowElements = 1 << (WindowBits - 1); 259| | 260| 1| const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits; 261| | 262| 1| const size_t TableSize = Windows * WindowElements; 263| | 264| 1| std::vector table; 265| 1| table.reserve(TableSize); 266| | 267| 1| auto accum = C::ProjectivePoint::from_affine(p); 268| | 269| 98| for(size_t i = 0; i != TableSize; i += WindowElements) { ------------------ | Branch (269:22): [True: 97, False: 1] ------------------ 270| 97| table.push_back(accum); 271| | 272| 3.10k| for(size_t j = 1; j != WindowElements; ++j) { ------------------ | Branch (272:25): [True: 3.00k, False: 97] ------------------ 273| | // Conditional ok: loop iteration count is public 274| 3.00k| if(j % 2 == 1) { ------------------ | Branch (274:13): [True: 1.55k, False: 1.45k] ------------------ 275| 1.55k| table.emplace_back(table[i + j / 2].dbl()); 276| 1.55k| } else { 277| 1.45k| table.emplace_back(table[i + j - 1] + table[i]); 278| 1.45k| } 279| 3.00k| } 280| | 281| | // Advance to next window's base: 2^W * current_base 282| | // The last entry is 2^(W-1) * base, so doubling gives 2^W * base 283| 97| accum = table[i + WindowElements - 1].dbl(); 284| 97| } 285| | 286| | // Variable time batch conversion is fine since generator is public 287| 1| return to_affine_batch(table); 288| 1|} pcurves_secp521r1.cpp:_ZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorE: 308| 136| RandomNumberGenerator& rng) { 309| 136| static constexpr size_t WindowElements = 1 << (WindowBits - 1); 310| | 311| 136| const size_t windows = (scalar.bits() + WindowBits) / WindowBits; 312| | 313| 136| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 136| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 136| const size_t raw = w_bits << 1; 317| 136| const auto [tidx, tneg] = booth_recode(raw); 318| 136| const auto tbl_0 = table.first(WindowElements); 319| | 320| 136| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 136| pt.conditional_assign(tneg, pt.negate()); 322| 136| CT::poison(pt); 323| 136| pt.randomize_rep(rng); 324| 136| return pt; 325| 136| }(); 326| | 327| 11.8k| for(size_t i = 1; i != windows; ++i) { ------------------ | Branch (327:22): [True: 11.6k, False: 136] ------------------ 328| | // Extract W+1 bits overlapping by 1 with the previous window 329| 11.6k| const size_t bit_pos = WindowBits * i - 1; 330| 11.6k| const size_t raw = scalar.get_window(bit_pos); 331| 11.6k| const auto [tidx, tneg] = booth_recode(raw); 332| | 333| 11.6k| const auto tbl_i = table.subspan(WindowElements * i, WindowElements); 334| | 335| 11.6k| accum = C::ProjectivePoint::add_or_sub(accum, C::AffinePoint::ct_select(tbl_i, tidx), tneg); 336| | 337| | // Conditional ok: loop iteration count is public 338| 11.6k| if(i <= 3) { ------------------ | Branch (338:10): [True: 408, False: 11.2k] ------------------ 339| 408| accum.randomize_rep(rng); 340| 408| } 341| 11.6k| } 342| | 343| 136| CT::unpoison(accum); 344| 136| return accum; 345| 136|} pcurves_secp521r1.cpp:_ZZN5Botan18basemul_booth_execINS_6PCurve12_GLOBAL__N_19secp521r15CurveELm6ENS_17BlindedScalarBitsIS4_Lm7EEEEENT_15ProjectivePointENSt3__14spanIKNS7_11AffinePointELm18446744073709551615EEERKT1_RNS_21RandomNumberGeneratorEENKUlvE_clEv: 313| 136| auto accum = [&]() { 314| | // First window: extract W bits, shift left 1 to insert implicit carry in of zero 315| 136| const size_t w_bits = scalar.get_window(0) & ((1 << WindowBits) - 1); 316| 136| const size_t raw = w_bits << 1; 317| 136| const auto [tidx, tneg] = booth_recode(raw); 318| 136| const auto tbl_0 = table.first(WindowElements); 319| | 320| 136| auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, tidx)); 321| 136| pt.conditional_assign(tneg, pt.negate()); 322| 136| CT::poison(pt); 323| 136| pt.randomize_rep(rng); 324| 136| return pt; 325| 136| }(); _ZN5Botan20solinas_correct_redcILm3ETkNS_8WordTypeEmEEvRNSt3__15arrayIT0_XT_EEERKS4_S7_: 84| 128k|constexpr inline void solinas_correct_redc(std::array& r, const std::array& P, const std::array& C) { 85| 128k| W borrow = 0; 86| 512k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (86:22): [True: 384k, False: 128k] ------------------ 87| 384k| r[i] = word_sub(r[i], C[i], &borrow); 88| 384k| } 89| | 90| | // borrow is either 0 or 1, perfect for setting up a mask without extra work 91| 128k| const W mask = CT::value_barrier(0 - borrow); 92| | 93| 128k| W carry = 0; 94| | 95| 512k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (95:22): [True: 384k, False: 128k] ------------------ 96| 384k| r[i] = word_add(r[i], P[i] & mask, &carry); 97| 384k| } 98| 128k|} _ZN5Botan10get_uint32ITkNS_8WordTypeEmEEjPKT_m: 33| 9.95M|constexpr uint32_t get_uint32(const W xw[], size_t i) { 34| 9.95M| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 35| | 36| | if constexpr(WordInfo::bits == 32) { 37| | return xw[i]; 38| 9.95M| } else { 39| 9.95M| return static_cast(xw[i / 2] >> ((i % 2) * 32)); 40| 9.95M| } 41| 9.95M|} _ZN5Botan12SolinasAccumImLm4EEC2ERNSt3__15arrayImLm4EEE: 50| 322k| constexpr explicit SolinasAccum(std::array& r) : m_r(r) {} _ZN5Botan12SolinasAccumImLm4EE5accumEl: 52| 2.44M| constexpr void accum(int64_t v) { 53| 2.44M| BOTAN_DEBUG_ASSERT(m_idx < N32); ------------------ | | 130| 2.44M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.44M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.44M] | | ------------------ ------------------ 54| | 55| 2.44M| m_S += v; 56| 2.44M| const uint32_t r = static_cast(m_S); 57| 2.44M| m_S >>= 32; 58| | 59| | if constexpr(WordInfo::bits == 32) { 60| | m_r[m_idx] = r; 61| 2.44M| } else { 62| 2.44M| m_r[m_idx / 2] |= static_cast(r) << (32 * (m_idx % 2)); 63| 2.44M| } 64| | 65| 2.44M| m_idx += 1; 66| 2.44M| } _ZN5Botan12SolinasAccumImLm4EE11final_carryEl: 68| 322k| constexpr W final_carry(int64_t C) { 69| 322k| m_S += C; 70| 322k| BOTAN_DEBUG_ASSERT(m_S >= 0); ------------------ | | 130| 322k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 322k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 322k] | | ------------------ ------------------ 71| 322k| return static_cast(m_S); 72| 322k| } _ZN5Botan20solinas_correct_redcILm4ETkNS_8WordTypeEmEEvRNSt3__15arrayIT0_XT_EEERKS4_S7_: 84| 322k|constexpr inline void solinas_correct_redc(std::array& r, const std::array& P, const std::array& C) { 85| 322k| W borrow = 0; 86| 1.61M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (86:22): [True: 1.28M, False: 322k] ------------------ 87| 1.28M| r[i] = word_sub(r[i], C[i], &borrow); 88| 1.28M| } 89| | 90| | // borrow is either 0 or 1, perfect for setting up a mask without extra work 91| 322k| const W mask = CT::value_barrier(0 - borrow); 92| | 93| 322k| W carry = 0; 94| | 95| 1.61M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (95:22): [True: 1.28M, False: 322k] ------------------ 96| 1.28M| r[i] = word_add(r[i], P[i] & mask, &carry); 97| 1.28M| } 98| 322k|} _ZN5Botan12SolinasAccumImLm6EEC2ERNSt3__15arrayImLm6EEE: 50| 210k| constexpr explicit SolinasAccum(std::array& r) : m_r(r) {} _ZN5Botan12SolinasAccumImLm6EE5accumEl: 52| 2.53M| constexpr void accum(int64_t v) { 53| 2.53M| BOTAN_DEBUG_ASSERT(m_idx < N32); ------------------ | | 130| 2.53M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.53M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.53M] | | ------------------ ------------------ 54| | 55| 2.53M| m_S += v; 56| 2.53M| const uint32_t r = static_cast(m_S); 57| 2.53M| m_S >>= 32; 58| | 59| | if constexpr(WordInfo::bits == 32) { 60| | m_r[m_idx] = r; 61| 2.53M| } else { 62| 2.53M| m_r[m_idx / 2] |= static_cast(r) << (32 * (m_idx % 2)); 63| 2.53M| } 64| | 65| 2.53M| m_idx += 1; 66| 2.53M| } _ZN5Botan12SolinasAccumImLm6EE11final_carryEl: 68| 210k| constexpr W final_carry(int64_t C) { 69| 210k| m_S += C; 70| 210k| BOTAN_DEBUG_ASSERT(m_S >= 0); ------------------ | | 130| 210k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 210k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 210k] | | ------------------ ------------------ 71| 210k| return static_cast(m_S); 72| 210k| } _ZN5Botan20solinas_correct_redcILm6ETkNS_8WordTypeEmEEvRNSt3__15arrayIT0_XT_EEERKS4_S7_: 84| 210k|constexpr inline void solinas_correct_redc(std::array& r, const std::array& P, const std::array& C) { 85| 210k| W borrow = 0; 86| 1.47M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (86:22): [True: 1.26M, False: 210k] ------------------ 87| 1.26M| r[i] = word_sub(r[i], C[i], &borrow); 88| 1.26M| } 89| | 90| | // borrow is either 0 or 1, perfect for setting up a mask without extra work 91| 210k| const W mask = CT::value_barrier(0 - borrow); 92| | 93| 210k| W carry = 0; 94| | 95| 1.47M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (95:22): [True: 1.26M, False: 210k] ------------------ 96| 1.26M| r[i] = word_add(r[i], P[i] & mask, &carry); 97| 1.26M| } 98| 210k|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm4EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 154k| -> std::array { 111| 154k| static_assert(N >= 1); 112| | 113| 154k| std::array ws; // NOLINT(*-member-init) 114| 154k| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 154k| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 154k, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| 154k| if constexpr(N == 4) { 120| 154k| bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| 154k| return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| | } else if constexpr(N == 16) { 132| | bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| | return r; 134| | } 135| 154k| } 136| | 137| 0| word3 accum; 138| | 139| 154k| accum.add(z[0]); 140| | 141| 154k| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 154k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 0, False: 154k] ------------------ 144| 0| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 0, False: 0] ------------------ 145| 0| accum.mul(ws[j], p[i - j]); 146| 0| } 147| | 148| 0| accum.add(z[i]); 149| | 150| 0| ws[i] = accum.monty_step(p[0], p_dash); 151| 0| } 152| | 153| 154k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 0, False: 154k] ------------------ 154| 0| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 0, False: 0] ------------------ 155| 0| accum.mul(ws[j], p[N + i - j]); 156| 0| } 157| | 158| 0| accum.add(z[N + i]); 159| | 160| 0| ws[i] = accum.extract(); 161| 0| } 162| | 163| 154k| accum.add(z[2 * N - 1]); 164| | 165| 154k| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 154k| const W w1 = accum.extract(); 168| | 169| 154k| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 154k| return r; 172| 154k|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm4ELm32EEEDaNSt3__14spanIKhXT1_EEE: 287| 579|inline constexpr auto bytes_to_words(std::span bytes) { 288| 579| static_assert(L <= WordInfo::bytes * N); 289| | 290| 579| std::array r = {}; 291| | 292| 579| constexpr size_t full_words = L / WordInfo::bytes; 293| 579| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 579| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 2.89k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 2.31k, False: 579] ------------------ 298| 2.31k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 2.31k| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 579| return r; 312| 579|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm8ELm64EEEDaNSt3__14spanIKhXT1_EEE: 287| 155|inline constexpr auto bytes_to_words(std::span bytes) { 288| 155| static_assert(L <= WordInfo::bytes * N); 289| | 290| 155| std::array r = {}; 291| | 292| 155| constexpr size_t full_words = L / WordInfo::bytes; 293| 155| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 155| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 1.39k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 1.24k, False: 155] ------------------ 298| 1.24k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 1.24k| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 155| return r; 312| 155|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm6EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 268k| -> std::array { 111| 268k| static_assert(N >= 1); 112| | 113| 268k| std::array ws; // NOLINT(*-member-init) 114| 268k| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 268k| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 268k, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| 268k| } else if constexpr(N == 6) { 123| 268k| bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| 268k| return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| | } else if constexpr(N == 16) { 132| | bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| | return r; 134| | } 135| 268k| } 136| | 137| 0| word3 accum; 138| | 139| 268k| accum.add(z[0]); 140| | 141| 268k| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 268k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 0, False: 268k] ------------------ 144| 0| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 0, False: 0] ------------------ 145| 0| accum.mul(ws[j], p[i - j]); 146| 0| } 147| | 148| 0| accum.add(z[i]); 149| | 150| 0| ws[i] = accum.monty_step(p[0], p_dash); 151| 0| } 152| | 153| 268k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 0, False: 268k] ------------------ 154| 0| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 0, False: 0] ------------------ 155| 0| accum.mul(ws[j], p[N + i - j]); 156| 0| } 157| | 158| 0| accum.add(z[N + i]); 159| | 160| 0| ws[i] = accum.extract(); 161| 0| } 162| | 163| 268k| accum.add(z[2 * N - 1]); 164| | 165| 268k| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 268k| const W w1 = accum.extract(); 168| | 169| 268k| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 268k| return r; 172| 268k|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm6ELm48EEEDaNSt3__14spanIKhXT1_EEE: 287| 365|inline constexpr auto bytes_to_words(std::span bytes) { 288| 365| static_assert(L <= WordInfo::bytes * N); 289| | 290| 365| std::array r = {}; 291| | 292| 365| constexpr size_t full_words = L / WordInfo::bytes; 293| 365| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 365| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 2.55k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 2.19k, False: 365] ------------------ 298| 2.19k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 2.19k| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 365| return r; 312| 365|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm8EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 301k| -> std::array { 111| 301k| static_assert(N >= 1); 112| | 113| 301k| std::array ws; // NOLINT(*-member-init) 114| 301k| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 301k| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 301k, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| 301k| } else if constexpr(N == 8) { 126| 301k| bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| 301k| return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| | } else if constexpr(N == 16) { 132| | bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| | return r; 134| | } 135| 301k| } 136| | 137| 0| word3 accum; 138| | 139| 301k| accum.add(z[0]); 140| | 141| 301k| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 301k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 0, False: 301k] ------------------ 144| 0| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 0, False: 0] ------------------ 145| 0| accum.mul(ws[j], p[i - j]); 146| 0| } 147| | 148| 0| accum.add(z[i]); 149| | 150| 0| ws[i] = accum.monty_step(p[0], p_dash); 151| 0| } 152| | 153| 301k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 0, False: 301k] ------------------ 154| 0| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 0, False: 0] ------------------ 155| 0| accum.mul(ws[j], p[N + i - j]); 156| 0| } 157| | 158| 0| accum.add(z[N + i]); 159| | 160| 0| ws[i] = accum.extract(); 161| 0| } 162| | 163| 301k| accum.add(z[2 * N - 1]); 164| | 165| 301k| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 301k| const W w1 = accum.extract(); 168| | 169| 301k| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 301k| return r; 172| 301k|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm3EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 568| -> std::array { 111| 568| static_assert(N >= 1); 112| | 113| 568| std::array ws; // NOLINT(*-member-init) 114| 568| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 568| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 568, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| 568| } else if constexpr(N == 16) { 132| 568| bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| 568| return r; 134| 568| } 135| 568| } 136| | 137| 568| word3 accum; 138| | 139| 568| accum.add(z[0]); 140| | 141| 568| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 1.70k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 1.13k, False: 568] ------------------ 144| 2.84k| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 1.70k, False: 1.13k] ------------------ 145| 1.70k| accum.mul(ws[j], p[i - j]); 146| 1.70k| } 147| | 148| 1.13k| accum.add(z[i]); 149| | 150| 1.13k| ws[i] = accum.monty_step(p[0], p_dash); 151| 1.13k| } 152| | 153| 1.70k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 1.13k, False: 568] ------------------ 154| 2.84k| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 1.70k, False: 1.13k] ------------------ 155| 1.70k| accum.mul(ws[j], p[N + i - j]); 156| 1.70k| } 157| | 158| 1.13k| accum.add(z[N + i]); 159| | 160| 1.13k| ws[i] = accum.extract(); 161| 1.13k| } 162| | 163| 568| accum.add(z[2 * N - 1]); 164| | 165| 568| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 568| const W w1 = accum.extract(); 168| | 169| 568| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 568| return r; 172| 568|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm3ELm24EEEDaNSt3__14spanIKhXT1_EEE: 287| 190|inline constexpr auto bytes_to_words(std::span bytes) { 288| 190| static_assert(L <= WordInfo::bytes * N); 289| | 290| 190| std::array r = {}; 291| | 292| 190| constexpr size_t full_words = L / WordInfo::bytes; 293| 190| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 190| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 760| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 570, False: 190] ------------------ 298| 570| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 570| } 300| | 301| | if constexpr(extra_bytes > 0) { 302| | constexpr size_t shift = extra_bytes * 8; 303| | shift_left(r); 304| | 305| | for(size_t i = 0; i != extra_bytes; ++i) { 306| | const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| | r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| | } 309| | } 310| | 311| 190| return r; 312| 190|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm4ELm28EEEDaNSt3__14spanIKhXT1_EEE: 287| 426|inline constexpr auto bytes_to_words(std::span bytes) { 288| 426| static_assert(L <= WordInfo::bytes * N); 289| | 290| 426| std::array r = {}; 291| | 292| 426| constexpr size_t full_words = L / WordInfo::bytes; 293| 426| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 426| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 1.70k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 1.27k, False: 426] ------------------ 298| 1.27k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 1.27k| } 300| | 301| 426| if constexpr(extra_bytes > 0) { 302| 426| constexpr size_t shift = extra_bytes * 8; 303| 426| shift_left(r); 304| | 305| 2.13k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (305:25): [True: 1.70k, False: 426] ------------------ 306| 1.70k| const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| 1.70k| r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| 1.70k| } 309| 426| } 310| | 311| 426| return r; 312| 426|} _ZN5Botan10monty_redcITkNS_8WordTypeEmLm9EEENSt3__15arrayIT_XT0_EEERKNS2_IS3_XmlLi2ET0_EEERKS4_S3_: 110| 589| -> std::array { 111| 589| static_assert(N >= 1); 112| | 113| 589| std::array ws; // NOLINT(*-member-init) 114| 589| std::array r; // NOLINT(*-member-init) 115| | 116| | // Conditional ok: the parameter size is public 117| 589| if(!std::is_constant_evaluated()) { ------------------ | Branch (117:7): [True: 589, Folded] ------------------ 118| | // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words 119| | if constexpr(N == 4) { 120| | bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data()); 121| | return r; 122| | } else if constexpr(N == 6) { 123| | bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data()); 124| | return r; 125| | } else if constexpr(N == 8) { 126| | bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data()); 127| | return r; 128| | } else if constexpr(N == 12) { 129| | bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data()); 130| | return r; 131| 589| } else if constexpr(N == 16) { 132| 589| bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data()); 133| 589| return r; 134| 589| } 135| 589| } 136| | 137| 589| word3 accum; 138| | 139| 589| accum.add(z[0]); 140| | 141| 589| ws[0] = accum.monty_step(p[0], p_dash); 142| | 143| 5.30k| for(size_t i = 1; i != N; ++i) { ------------------ | Branch (143:22): [True: 4.71k, False: 589] ------------------ 144| 25.9k| for(size_t j = 0; j < i; ++j) { ------------------ | Branch (144:25): [True: 21.2k, False: 4.71k] ------------------ 145| 21.2k| accum.mul(ws[j], p[i - j]); 146| 21.2k| } 147| | 148| 4.71k| accum.add(z[i]); 149| | 150| 4.71k| ws[i] = accum.monty_step(p[0], p_dash); 151| 4.71k| } 152| | 153| 5.30k| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (153:22): [True: 4.71k, False: 589] ------------------ 154| 25.9k| for(size_t j = i + 1; j != N; ++j) { ------------------ | Branch (154:29): [True: 21.2k, False: 4.71k] ------------------ 155| 21.2k| accum.mul(ws[j], p[N + i - j]); 156| 21.2k| } 157| | 158| 4.71k| accum.add(z[N + i]); 159| | 160| 4.71k| ws[i] = accum.extract(); 161| 4.71k| } 162| | 163| 589| accum.add(z[2 * N - 1]); 164| | 165| 589| ws[N - 1] = accum.extract(); 166| | // w1 is the final part, which is not stored in the workspace 167| 589| const W w1 = accum.extract(); 168| | 169| 589| bigint_monty_maybe_sub(r.data(), w1, ws.data(), p.data()); 170| | 171| 589| return r; 172| 589|} _ZN5Botan14bytes_to_wordsITkNS_8WordTypeEmLm9ELm66EEEDaNSt3__14spanIKhXT1_EEE: 287| 391|inline constexpr auto bytes_to_words(std::span bytes) { 288| 391| static_assert(L <= WordInfo::bytes * N); 289| | 290| 391| std::array r = {}; 291| | 292| 391| constexpr size_t full_words = L / WordInfo::bytes; 293| 391| constexpr size_t extra_bytes = L % WordInfo::bytes; 294| | 295| 391| static_assert(full_words + (extra_bytes ? 1 : 0) <= N); 296| | 297| 3.51k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (297:22): [True: 3.12k, False: 391] ------------------ 298| 3.12k| r[i] = load_be(bytes.data(), full_words - 1 - i); 299| 3.12k| } 300| | 301| 391| if constexpr(extra_bytes > 0) { 302| 391| constexpr size_t shift = extra_bytes * 8; 303| 391| shift_left(r); 304| | 305| 1.17k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (305:25): [True: 782, False: 391] ------------------ 306| 782| const W b0 = bytes[WordInfo::bytes * full_words + i]; 307| 782| r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 308| 782| } 309| 391| } 310| | 311| 391| return r; 312| 391|} pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE8instanceEv: 338| 1.60k| static std::shared_ptr instance() { 339| 1.60k| static auto g_curve = std::make_shared>(); 340| 1.60k| return g_curve; 341| 1.60k| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE19field_element_bytesEv: 36| 304| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 152| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 152| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 152| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 152| auto x_w = pt.x().template stash_value(); 372| 152| auto y_w = pt.y().template stash_value(); 373| 152| auto z_w = pt.z().template stash_value(); 374| 152| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 498| static typename C::Scalar from_stash(const Scalar& s) { 349| 498| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 498] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 498| return C::Scalar::from_stash(s._value()); 353| 498| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEE: 344| 173| static Scalar stash(const typename C::Scalar& s) { 345| 173| return Scalar::_create(instance(), s.template stash_value()); 346| 173| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 304| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 304| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 304] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 304| auto x = C::FieldElement::from_stash(pt._x()); 366| 304| auto y = C::FieldElement::from_stash(pt._y()); 367| 304| return typename C::AffinePoint(x, y); 368| 304| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 152| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 152| auto x_w = pt.x().template stash_value(); 357| 152| auto y_w = pt.y().template stash_value(); 358| 152| return AffinePoint::_create(instance(), x_w, y_w); 359| 152| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 21| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 21| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 21] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 21| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 21| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 21| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 21| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 21] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 21| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 21] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 21| return {}; 278| 21| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 174| std::optional deserialize_scalar(std::span bytes) const override { 225| 174| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 174, False: 0] ------------------ 226| 174| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 173, False: 1] ------------------ 227| 173| return stash(*scalar); 228| 173| } 229| 174| } 230| | 231| 1| return {}; 232| 174| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 152| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 152| auto affine = to_affine(from_stash(pt)); 194| | 195| 152| const auto y2 = affine.y().square(); 196| 152| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 152| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 152| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 152| do { \ | | 65| 152| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 152| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 152] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 152| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 152] | | ------------------ ------------------ 200| | 201| 152| return stash(affine); 202| 152| } pcurves_brainpool256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 152| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 152| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 152] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 152| auto x = C::FieldElement::from_stash(pt._x()); 382| 152| auto y = C::FieldElement::from_stash(pt._y()); 383| 152| auto z = C::FieldElement::from_stash(pt._z()); 384| 152| return typename C::ProjectivePoint(x, y, z); 385| 152| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 152| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 152| return from_stash(pt).is_identity().as_bool(); 212| 152| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 152| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 152| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 152| do { \ | | 36| 152| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 152| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 152] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 152| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 152] | | ------------------ ------------------ 216| 152| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 152| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 173| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 173| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 173| do { \ | | 36| 173| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 173| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 173] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 173| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 173] | | ------------------ ------------------ 221| 173| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 173| } pcurves_brainpool256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool256r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 173| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE8instanceEv: 338| 1.92k| static std::shared_ptr instance() { 339| 1.92k| static auto g_curve = std::make_shared>(); 340| 1.92k| return g_curve; 341| 1.92k| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE19field_element_bytesEv: 36| 370| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 185| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 185| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 185| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 185| auto x_w = pt.x().template stash_value(); 372| 185| auto y_w = pt.y().template stash_value(); 373| 185| auto z_w = pt.z().template stash_value(); 374| 185| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 591| static typename C::Scalar from_stash(const Scalar& s) { 349| 591| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 591] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 591| return C::Scalar::from_stash(s._value()); 353| 591| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEE: 344| 203| static Scalar stash(const typename C::Scalar& s) { 345| 203| return Scalar::_create(instance(), s.template stash_value()); 346| 203| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 370| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 370| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 370] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 370| auto x = C::FieldElement::from_stash(pt._x()); 366| 370| auto y = C::FieldElement::from_stash(pt._y()); 367| 370| return typename C::AffinePoint(x, y); 368| 370| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 185| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 185| auto x_w = pt.x().template stash_value(); 357| 185| auto y_w = pt.y().template stash_value(); 358| 185| return AffinePoint::_create(instance(), x_w, y_w); 359| 185| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 18| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 18| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 18] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 18| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 18| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 18| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 18| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 18] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 18| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 18] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 18| return {}; 278| 18| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 204| std::optional deserialize_scalar(std::span bytes) const override { 225| 204| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 204, False: 0] ------------------ 226| 204| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 203, False: 1] ------------------ 227| 203| return stash(*scalar); 228| 203| } 229| 204| } 230| | 231| 1| return {}; 232| 204| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 185| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 185| auto affine = to_affine(from_stash(pt)); 194| | 195| 185| const auto y2 = affine.y().square(); 196| 185| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 185| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 185| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 185| do { \ | | 65| 185| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 185| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 185] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 185| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 185] | | ------------------ ------------------ 200| | 201| 185| return stash(affine); 202| 185| } pcurves_brainpool384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 185| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 185| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 185] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 185| auto x = C::FieldElement::from_stash(pt._x()); 382| 185| auto y = C::FieldElement::from_stash(pt._y()); 383| 185| auto z = C::FieldElement::from_stash(pt._z()); 384| 185| return typename C::ProjectivePoint(x, y, z); 385| 185| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 185| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 185| return from_stash(pt).is_identity().as_bool(); 212| 185| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 185| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 185| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 185| do { \ | | 36| 185| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 185| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 185] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 185| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 185] | | ------------------ ------------------ 216| 185| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 185| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 203| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 203| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 203| do { \ | | 36| 203| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 203| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 203] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 203| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 203] | | ------------------ ------------------ 221| 203| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 203| } pcurves_brainpool384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool384r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 203| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE8instanceEv: 338| 1.52k| static std::shared_ptr instance() { 339| 1.52k| static auto g_curve = std::make_shared>(); 340| 1.52k| return g_curve; 341| 1.52k| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE19field_element_bytesEv: 36| 302| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 151| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 151| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 151| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 151| auto x_w = pt.x().template stash_value(); 372| 151| auto y_w = pt.y().template stash_value(); 373| 151| auto z_w = pt.z().template stash_value(); 374| 151| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 457| static typename C::Scalar from_stash(const Scalar& s) { 349| 457| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 457] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 457| return C::Scalar::from_stash(s._value()); 353| 457| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES7_E12ScalarParamsEEEEE: 344| 153| static Scalar stash(const typename C::Scalar& s) { 345| 153| return Scalar::_create(instance(), s.template stash_value()); 346| 153| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 302| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 302| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 302] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 302| auto x = C::FieldElement::from_stash(pt._x()); 366| 302| auto y = C::FieldElement::from_stash(pt._y()); 367| 302| return typename C::AffinePoint(x, y); 368| 302| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 151| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 151| auto x_w = pt.x().template stash_value(); 357| 151| auto y_w = pt.y().template stash_value(); 358| 151| return AffinePoint::_create(instance(), x_w, y_w); 359| 151| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 2| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 2| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 2] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 2| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 2| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 2| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 2| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 2] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 2| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 2] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 2| return {}; 278| 2| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 155| std::optional deserialize_scalar(std::span bytes) const override { 225| 155| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 155, False: 0] ------------------ 226| 155| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 153, False: 2] ------------------ 227| 153| return stash(*scalar); 228| 153| } 229| 155| } 230| | 231| 2| return {}; 232| 155| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 151| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 151| auto affine = to_affine(from_stash(pt)); 194| | 195| 151| const auto y2 = affine.y().square(); 196| 151| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 151| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 151| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 151| do { \ | | 65| 151| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 151| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 151] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 151| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 151] | | ------------------ ------------------ 200| | 201| 151| return stash(affine); 202| 151| } pcurves_brainpool512r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 151| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 151| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 151] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 151| auto x = C::FieldElement::from_stash(pt._x()); 382| 151| auto y = C::FieldElement::from_stash(pt._y()); 383| 151| auto z = C::FieldElement::from_stash(pt._z()); 384| 151| return typename C::ProjectivePoint(x, y, z); 385| 151| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 151| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 151| return from_stash(pt).is_identity().as_bool(); 212| 151| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 151| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 151| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 151| do { \ | | 36| 151| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 151| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 151] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 151| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 151] | | ------------------ ------------------ 216| 151| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 151| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 153| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 153| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 153| do { \ | | 36| 153| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 153| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 153] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 153| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 153] | | ------------------ ------------------ 221| 153| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 153| } pcurves_brainpool512r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_114brainpool512r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 153| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE8instanceEv: 338| 1.89k| static std::shared_ptr instance() { 339| 1.89k| static auto g_curve = std::make_shared>(); 340| 1.89k| return g_curve; 341| 1.89k| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE19field_element_bytesEv: 36| 378| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 189| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 189| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 189| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_12Secp192r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 189| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 189| auto x_w = pt.x().template stash_value(); 372| 189| auto y_w = pt.y().template stash_value(); 373| 189| auto z_w = pt.z().template stash_value(); 374| 189| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 189| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 567| static typename C::Scalar from_stash(const Scalar& s) { 349| 567| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 567] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 567| return C::Scalar::from_stash(s._value()); 353| 567| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp192r1RepEE12ScalarParamsEEEEE: 344| 189| static Scalar stash(const typename C::Scalar& s) { 345| 189| return Scalar::_create(instance(), s.template stash_value()); 346| 189| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 378| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 378| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 378] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 378| auto x = C::FieldElement::from_stash(pt._x()); 366| 378| auto y = C::FieldElement::from_stash(pt._y()); 367| 378| return typename C::AffinePoint(x, y); 368| 378| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_12Secp192r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 189| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 189| auto x_w = pt.x().template stash_value(); 357| 189| auto y_w = pt.y().template stash_value(); 358| 189| return AffinePoint::_create(instance(), x_w, y_w); 359| 189| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 190| std::optional deserialize_scalar(std::span bytes) const override { 225| 190| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 190, False: 0] ------------------ 226| 190| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 189, False: 1] ------------------ 227| 189| return stash(*scalar); 228| 189| } 229| 190| } 230| | 231| 1| return {}; 232| 190| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 189| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 189| auto affine = to_affine(from_stash(pt)); 194| | 195| 189| const auto y2 = affine.y().square(); 196| 189| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 189| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 189| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 189| do { \ | | 65| 189| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 189| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 189] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 189| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 189] | | ------------------ ------------------ 200| | 201| 189| return stash(affine); 202| 189| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 189| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 189| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 189] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 189| auto x = C::FieldElement::from_stash(pt._x()); 382| 189| auto y = C::FieldElement::from_stash(pt._y()); 383| 189| auto z = C::FieldElement::from_stash(pt._z()); 384| 189| return typename C::ProjectivePoint(x, y, z); 385| 189| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 189| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 189| return from_stash(pt).is_identity().as_bool(); 212| 189| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 189| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 189| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 189| do { \ | | 36| 189| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 189| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 189] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 189| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 189] | | ------------------ ------------------ 216| 189| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 189| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 189| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 189| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 189| do { \ | | 36| 189| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 189| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 189] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 189| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 189] | | ------------------ ------------------ 221| 189| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 189| } pcurves_secp192r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp192r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 189| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE8instanceEv: 338| 2.07k| static std::shared_ptr instance() { 339| 2.07k| static auto g_curve = std::make_shared>(); 340| 2.07k| return g_curve; 341| 2.07k| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE19field_element_bytesEv: 36| 338| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 168| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 168| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 168| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_12Secp224r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 168| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 168| auto x_w = pt.x().template stash_value(); 372| 168| auto y_w = pt.y().template stash_value(); 373| 168| auto z_w = pt.z().template stash_value(); 374| 168| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 168| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 688| static typename C::Scalar from_stash(const Scalar& s) { 349| 688| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 688] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 688| return C::Scalar::from_stash(s._value()); 353| 688| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp224r1RepEE12ScalarParamsEEEEE: 344| 260| static Scalar stash(const typename C::Scalar& s) { 345| 260| return Scalar::_create(instance(), s.template stash_value()); 346| 260| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 338| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 338| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 338] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 338| auto x = C::FieldElement::from_stash(pt._x()); 366| 338| auto y = C::FieldElement::from_stash(pt._y()); 367| 338| return typename C::AffinePoint(x, y); 368| 338| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_12Secp224r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 169| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 169| auto x_w = pt.x().template stash_value(); 357| 169| auto y_w = pt.y().template stash_value(); 358| 169| return AffinePoint::_create(instance(), x_w, y_w); 359| 169| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 92| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 92| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 92] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 92| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 92| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 92| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 92| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 92, False: 0] | Branch (253:50): [True: 82, False: 10] ------------------ 254| 82| const auto encoded_point = bytes.subspan(1); 255| 82| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 82| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 82| if(x && y) { ------------------ | Branch (258:16): [True: 80, False: 2] | Branch (258:21): [True: 77, False: 3] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 77| const auto lhs = (*y).square(); 261| 77| const auto rhs = C::x3_ax_b(*x); 262| 77| const auto valid = (lhs == rhs); 263| 77| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 1, False: 76] ------------------ 264| 1| return stash(typename C::AffinePoint(*x, *y)); 265| 1| } 266| 77| } 267| 82| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 10] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 91| return {}; 278| 92| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 262| std::optional deserialize_scalar(std::span bytes) const override { 225| 262| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 261, False: 1] ------------------ 226| 261| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 260, False: 1] ------------------ 227| 260| return stash(*scalar); 228| 260| } 229| 261| } 230| | 231| 2| return {}; 232| 262| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 168| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 168| auto affine = to_affine(from_stash(pt)); 194| | 195| 168| const auto y2 = affine.y().square(); 196| 168| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 168| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 168| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 168| do { \ | | 65| 168| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 168| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 168] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 168| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 168] | | ------------------ ------------------ 200| | 201| 168| return stash(affine); 202| 168| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 168| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 168| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 168] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 168| auto x = C::FieldElement::from_stash(pt._x()); 382| 168| auto y = C::FieldElement::from_stash(pt._y()); 383| 168| auto z = C::FieldElement::from_stash(pt._z()); 384| 168| return typename C::ProjectivePoint(x, y, z); 385| 168| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 169| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 169| return from_stash(pt).is_identity().as_bool(); 212| 169| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 169| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 169| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 169| do { \ | | 36| 169| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 169| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 169] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 169| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 169] | | ------------------ ------------------ 216| 169| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 169| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 260| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 260| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 260| do { \ | | 36| 260| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 260| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 260] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 260| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 260] | | ------------------ ------------------ 221| 260| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 260| } pcurves_secp224r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp224r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 260| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE8instanceEv: 338| 1.62k| static std::shared_ptr instance() { 339| 1.62k| static auto g_curve = std::make_shared>(); 340| 1.62k| return g_curve; 341| 1.62k| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE19field_element_bytesEv: 36| 314| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 157| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 157| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 157| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_12Secp256k1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 157| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 157| auto x_w = pt.x().template stash_value(); 372| 157| auto y_w = pt.y().template stash_value(); 373| 157| auto z_w = pt.z().template stash_value(); 374| 157| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 157| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 493| static typename C::Scalar from_stash(const Scalar& s) { 349| 493| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 493] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 493| return C::Scalar::from_stash(s._value()); 353| 493| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_12Secp256k1RepEE12ScalarParamsEEEEE: 344| 168| static Scalar stash(const typename C::Scalar& s) { 345| 168| return Scalar::_create(instance(), s.template stash_value()); 346| 168| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 314| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 314| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 314] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 314| auto x = C::FieldElement::from_stash(pt._x()); 366| 314| auto y = C::FieldElement::from_stash(pt._y()); 367| 314| return typename C::AffinePoint(x, y); 368| 314| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_12Secp256k1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 157| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 157| auto x_w = pt.x().template stash_value(); 357| 157| auto y_w = pt.y().template stash_value(); 358| 157| return AffinePoint::_create(instance(), x_w, y_w); 359| 157| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 11| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 11| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 11] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 11| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 11| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 11| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 11| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 11] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 11| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 11] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 11| return {}; 278| 11| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 169| std::optional deserialize_scalar(std::span bytes) const override { 225| 169| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 169, False: 0] ------------------ 226| 169| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 168, False: 1] ------------------ 227| 168| return stash(*scalar); 228| 168| } 229| 169| } 230| | 231| 1| return {}; 232| 169| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 157| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 157| auto affine = to_affine(from_stash(pt)); 194| | 195| 157| const auto y2 = affine.y().square(); 196| 157| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 157| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 157| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 157| do { \ | | 65| 157| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 157| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 157] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 157| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 157] | | ------------------ ------------------ 200| | 201| 157| return stash(affine); 202| 157| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 157| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 157| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 157] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 157| auto x = C::FieldElement::from_stash(pt._x()); 382| 157| auto y = C::FieldElement::from_stash(pt._y()); 383| 157| auto z = C::FieldElement::from_stash(pt._z()); 384| 157| return typename C::ProjectivePoint(x, y, z); 385| 157| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 157| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 157| return from_stash(pt).is_identity().as_bool(); 212| 157| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 157| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 157| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 157| do { \ | | 36| 157| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 157| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 157] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 157| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 157] | | ------------------ ------------------ 216| 157| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 157| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 168| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 168| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 168| do { \ | | 36| 168| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 168| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 168] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 168| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 168] | | ------------------ ------------------ 221| 168| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 168| } pcurves_secp256k1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256k15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 168| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE8instanceEv: 338| 2.26k| static std::shared_ptr instance() { 339| 2.26k| static auto g_curve = std::make_shared>(); 340| 2.26k| return g_curve; 341| 2.26k| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE19field_element_bytesEv: 36| 430| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 215| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 215| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 215| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS2_12Secp256r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 215| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 215| auto x_w = pt.x().template stash_value(); 372| 215| auto y_w = pt.y().template stash_value(); 373| 215| auto z_w = pt.z().template stash_value(); 374| 215| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 215| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 685| static typename C::Scalar from_stash(const Scalar& s) { 349| 685| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 685] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 685| return C::Scalar::from_stash(s._value()); 353| 685| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp256r1RepEE12ScalarParamsEEEEE: 344| 235| static Scalar stash(const typename C::Scalar& s) { 345| 235| return Scalar::_create(instance(), s.template stash_value()); 346| 235| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 430| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 430| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 430] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 430| auto x = C::FieldElement::from_stash(pt._x()); 366| 430| auto y = C::FieldElement::from_stash(pt._y()); 367| 430| return typename C::AffinePoint(x, y); 368| 430| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS2_12Secp256r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 215| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 215| auto x_w = pt.x().template stash_value(); 357| 215| auto y_w = pt.y().template stash_value(); 358| 215| return AffinePoint::_create(instance(), x_w, y_w); 359| 215| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 20| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 20| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 20] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 20| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 20| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 20| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 20| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 20] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 20| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 20] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 20| return {}; 278| 20| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 236| std::optional deserialize_scalar(std::span bytes) const override { 225| 236| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 236, False: 0] ------------------ 226| 236| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 235, False: 1] ------------------ 227| 235| return stash(*scalar); 228| 235| } 229| 236| } 230| | 231| 1| return {}; 232| 236| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 215| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 215| auto affine = to_affine(from_stash(pt)); 194| | 195| 215| const auto y2 = affine.y().square(); 196| 215| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 215| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 215| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 215| do { \ | | 65| 215| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 215| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 215] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 215| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 215] | | ------------------ ------------------ 200| | 201| 215| return stash(affine); 202| 215| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 215| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 215| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 215] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 215| auto x = C::FieldElement::from_stash(pt._x()); 382| 215| auto y = C::FieldElement::from_stash(pt._y()); 383| 215| auto z = C::FieldElement::from_stash(pt._z()); 384| 215| return typename C::ProjectivePoint(x, y, z); 385| 215| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 215| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 215| return from_stash(pt).is_identity().as_bool(); 212| 215| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 215| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 215| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 215| do { \ | | 36| 215| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 215| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 215] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 215| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 215] | | ------------------ ------------------ 216| 215| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 215| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 235| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 235| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 235| do { \ | | 36| 235| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 235| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 235] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 235| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 235] | | ------------------ ------------------ 221| 235| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 235| } pcurves_secp256r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp256r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 235| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE8instanceEv: 338| 1.55k| static std::shared_ptr instance() { 339| 1.55k| static auto g_curve = std::make_shared>(); 340| 1.55k| return g_curve; 341| 1.55k| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE19field_element_bytesEv: 36| 302| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 151| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 151| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 151| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS2_12Secp384r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 151| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 151| auto x_w = pt.x().template stash_value(); 372| 151| auto y_w = pt.y().template stash_value(); 373| 151| auto z_w = pt.z().template stash_value(); 374| 151| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 151| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 471| static typename C::Scalar from_stash(const Scalar& s) { 349| 471| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 471] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 471| return C::Scalar::from_stash(s._value()); 353| 471| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS2_12Secp384r1RepEE12ScalarParamsEEEEE: 344| 160| static Scalar stash(const typename C::Scalar& s) { 345| 160| return Scalar::_create(instance(), s.template stash_value()); 346| 160| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 302| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 302| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 302] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 302| auto x = C::FieldElement::from_stash(pt._x()); 366| 302| auto y = C::FieldElement::from_stash(pt._y()); 367| 302| return typename C::AffinePoint(x, y); 368| 302| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS2_12Secp384r1RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 151| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 151| auto x_w = pt.x().template stash_value(); 357| 151| auto y_w = pt.y().template stash_value(); 358| 151| return AffinePoint::_create(instance(), x_w, y_w); 359| 151| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 9| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 9| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 9] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 9| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 9| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 9| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 9| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 0, False: 9] | Branch (253:50): [True: 0, False: 0] ------------------ 254| 0| const auto encoded_point = bytes.subspan(1); 255| 0| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 0| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 0| if(x && y) { ------------------ | Branch (258:16): [True: 0, False: 0] | Branch (258:21): [True: 0, False: 0] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 0| const auto lhs = (*y).square(); 261| 0| const auto rhs = C::x3_ax_b(*x); 262| 0| const auto valid = (lhs == rhs); 263| 0| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 0, False: 0] ------------------ 264| 0| return stash(typename C::AffinePoint(*x, *y)); 265| 0| } 266| 0| } 267| 9| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 9] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 9| return {}; 278| 9| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 161| std::optional deserialize_scalar(std::span bytes) const override { 225| 161| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 161, False: 0] ------------------ 226| 161| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 160, False: 1] ------------------ 227| 160| return stash(*scalar); 228| 160| } 229| 161| } 230| | 231| 1| return {}; 232| 161| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 151| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 151| auto affine = to_affine(from_stash(pt)); 194| | 195| 151| const auto y2 = affine.y().square(); 196| 151| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 151| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 151| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 151| do { \ | | 65| 151| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 151| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 151] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 151| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 151] | | ------------------ ------------------ 200| | 201| 151| return stash(affine); 202| 151| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 151| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 151| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 151] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 151| auto x = C::FieldElement::from_stash(pt._x()); 382| 151| auto y = C::FieldElement::from_stash(pt._y()); 383| 151| auto z = C::FieldElement::from_stash(pt._z()); 384| 151| return typename C::ProjectivePoint(x, y, z); 385| 151| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 151| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 151| return from_stash(pt).is_identity().as_bool(); 212| 151| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 151| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 151| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 151| do { \ | | 36| 151| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 151| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 151] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 151| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 151] | | ------------------ ------------------ 216| 151| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 151| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 160| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 160| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 160| do { \ | | 36| 160| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 160| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 160] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 160| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 160] | | ------------------ ------------------ 221| 160| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 160| } pcurves_secp384r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp384r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 160| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE8instanceEv: 338| 1.80k| static std::shared_ptr instance() { 339| 1.80k| static auto g_curve = std::make_shared>(); 340| 1.80k| return g_curve; 341| 1.80k| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEEC2Ev: 336| 1| PrimeOrderCurveImpl() : m_mul_by_g(C::G) {} pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE19field_element_bytesEv: 36| 274| size_t field_element_bytes() const override { return C::FieldElement::BYTES; } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 38| 136| ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override { 39| 136| return stash(m_mul_by_g.mul(from_stash(scalar), rng)); 40| 136| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE5stashERKNS_20ProjectiveCurvePointINS_6IntModINS3_7P521RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEESA_EE: 370| 136| static ProjectivePoint stash(const typename C::ProjectivePoint& pt) { 371| 136| auto x_w = pt.x().template stash_value(); 372| 136| auto y_w = pt.y().template stash_value(); 373| 136| auto z_w = pt.z().template stash_value(); 374| 136| return ProjectivePoint::_create(instance(), x_w, y_w, z_w); 375| 136| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 348| 588| static typename C::Scalar from_stash(const Scalar& s) { 349| 588| if(s._curve() != instance()) { ------------------ | Branch (349:13): [True: 0, False: 588] ------------------ 350| 0| throw Invalid_Argument("Curve mismatch"); 351| 0| } 352| 588| return C::Scalar::from_stash(s._value()); 353| 588| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE5stashERKNS_6IntModINS_13MontgomeryRepINS_13EllipticCurveINS3_6ParamsENS3_7P521RepEE12ScalarParamsEEEEE: 344| 226| static Scalar stash(const typename C::Scalar& s) { 345| 226| return Scalar::_create(instance(), s.template stash_value()); 346| 226| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 361| 274| static typename C::AffinePoint from_stash(const AffinePoint& pt) { 362| 274| if(pt._curve() != instance()) { ------------------ | Branch (362:13): [True: 0, False: 274] ------------------ 363| 0| throw Invalid_Argument("Curve mismatch"); 364| 0| } 365| 274| auto x = C::FieldElement::from_stash(pt._x()); 366| 274| auto y = C::FieldElement::from_stash(pt._y()); 367| 274| return typename C::AffinePoint(x, y); 368| 274| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE5stashERKNS_16AffineCurvePointINS_6IntModINS3_7P521RepINS_13EllipticCurveINS3_6ParamsES8_E11FieldParamsEEEEEEE: 355| 137| static AffinePoint stash(const typename C::AffinePoint& pt) { 356| 137| auto x_w = pt.x().template stash_value(); 357| 137| auto y_w = pt.y().template stash_value(); 358| 137| return AffinePoint::_create(instance(), x_w, y_w); 359| 137| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 242| 90| std::optional deserialize_point(std::span bytes) const override { 243| | // The identity element (see SEC1 section 2.3.4) 244| | // TODO(Botan4) remove this - we should reject the identity encoding 245| 90| if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (245:13): [True: 0, False: 90] | Branch (245:34): [True: 0, False: 0] ------------------ 246| 0| return stash(C::AffinePoint::identity()); 247| 0| } 248| | 249| 90| constexpr size_t FieldElementBytes = C::FieldElement::BYTES; 250| 90| constexpr size_t CompressedBytes = C::FieldElement::BYTES + 1; 251| 90| constexpr size_t UncompressedBytes = 2 * C::FieldElement::BYTES + 1; 252| | 253| 90| if(bytes.size() == UncompressedBytes && bytes[0] == 0x04) { ------------------ | Branch (253:13): [True: 82, False: 8] | Branch (253:50): [True: 81, False: 1] ------------------ 254| 81| const auto encoded_point = bytes.subspan(1); 255| 81| auto x = C::FieldElement::deserialize(encoded_point.first(FieldElementBytes)); 256| 81| auto y = C::FieldElement::deserialize(encoded_point.last(FieldElementBytes)); 257| | 258| 81| if(x && y) { ------------------ | Branch (258:16): [True: 80, False: 1] | Branch (258:21): [True: 77, False: 3] ------------------ 259| | // Check that y^2 = x^3 + ax + b 260| 77| const auto lhs = (*y).square(); 261| 77| const auto rhs = C::x3_ax_b(*x); 262| 77| const auto valid = (lhs == rhs); 263| 77| if(valid.as_bool()) { ------------------ | Branch (263:19): [True: 1, False: 76] ------------------ 264| 1| return stash(typename C::AffinePoint(*x, *y)); 265| 1| } 266| 77| } 267| 81| } else if(bytes.size() == CompressedBytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (267:20): [True: 0, False: 9] | Branch (267:56): [True: 0, False: 0] | Branch (267:76): [True: 0, False: 0] ------------------ 268| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 269| | 270| 0| if(auto x = C::FieldElement::deserialize(bytes.subspan(1, FieldElementBytes))) { ------------------ | Branch (270:21): [True: 0, False: 0] ------------------ 271| 0| if(auto y = sqrt_field_element(C::x3_ax_b(*x)).as_optional_vartime()) { ------------------ | Branch (271:24): [True: 0, False: 0] ------------------ 272| 0| return stash(typename C::AffinePoint(*x, y->correct_sign(y_is_even))); 273| 0| } 274| 0| } 275| 0| } 276| | 277| 89| return {}; 278| 90| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 224| 229| std::optional deserialize_scalar(std::span bytes) const override { 225| 229| if(auto scalar = C::Scalar::deserialize(bytes)) { ------------------ | Branch (225:18): [True: 227, False: 2] ------------------ 226| 227| if(!scalar->is_zero().as_bool()) { ------------------ | Branch (226:16): [True: 226, False: 1] ------------------ 227| 226| return stash(*scalar); 228| 226| } 229| 227| } 230| | 231| 3| return {}; 232| 229| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 192| 136| AffinePoint point_to_affine(const ProjectivePoint& pt) const override { 193| 136| auto affine = to_affine(from_stash(pt)); 194| | 195| 136| const auto y2 = affine.y().square(); 196| 136| const auto x3_ax_b = C::x3_ax_b(affine.x()); 197| 136| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 198| | 199| 136| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 136| do { \ | | 65| 136| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 136| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 136] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 136| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 136] | | ------------------ ------------------ 200| | 201| 136| return stash(affine); 202| 136| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 377| 136| static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) { 378| 136| if(pt._curve() != instance()) { ------------------ | Branch (378:13): [True: 0, False: 136] ------------------ 379| 0| throw Invalid_Argument("Curve mismatch"); 380| 0| } 381| 136| auto x = C::FieldElement::from_stash(pt._x()); 382| 136| auto y = C::FieldElement::from_stash(pt._y()); 383| 136| auto z = C::FieldElement::from_stash(pt._z()); 384| 136| return typename C::ProjectivePoint(x, y, z); 385| 136| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 210| 137| bool affine_point_is_identity(const AffinePoint& pt) const override { 211| 137| return from_stash(pt).is_identity().as_bool(); 212| 137| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 214| 137| void serialize_point(std::span bytes, const AffinePoint& pt) const override { 215| 137| BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point"); ------------------ | | 35| 137| do { \ | | 36| 137| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 137| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 137] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 137| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 137] | | ------------------ ------------------ 216| 137| from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>()); 217| 137| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 219| 226| void serialize_scalar(std::span bytes, const Scalar& scalar) const override { 220| 226| BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar"); ------------------ | | 35| 226| do { \ | | 36| 226| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 226| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 226] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 226| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 226] | | ------------------ ------------------ 221| 226| return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>()); 222| 226| } pcurves_secp521r1.cpp:_ZNK5Botan6PCurve19PrimeOrderCurveImplINS0_12_GLOBAL__N_19secp521r15CurveEE14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 326| 226| bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2EOS4_: 409| 996| PolynomialVector(ThisPolynomialVector&& other) noexcept = default; _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE4sizeEv: 414| 933| size_t size() const { return m_vec.size(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EED2Ev: 412| 1.49k| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EED2Ev: 274| 9.09k| ~Polynomial() = default; _ZN5Botan8CRYSTALS3nttITkNS0_14crystals_traitENS_19DilithiumPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEENS3_IS4_LS5_0EEE: 574| 83|PolynomialVector ntt(PolynomialVector polyvec) { 575| 83| auto polyvec_ntt = detail::domain_cast(std::move(polyvec)); 576| 449| for(auto& poly : polyvec_ntt) { ------------------ | Branch (576:19): [True: 449, False: 83] ------------------ 577| 449| Trait::ntt(poly.coefficients()); 578| 449| } 579| 83| return polyvec_ntt; 580| 83|} _ZN5Botan8CRYSTALS6detail11domain_castILNS0_6DomainE1ETtTyTnS3_ENS0_16PolynomialVectorETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELS3_0EQneT_T2_EET0_IT1_XT_EEOS6_IS7_XT2_EE: 163| 83|StructureT domain_cast(StructureT&& p) { 164| | // The public factory method `from_domain_cast` is just a workaround for 165| | // Xcode and NDK not understanding the friend declaration to allow this 166| | // to directly call the private constructor. 167| 83| return StructureT::from_domain_cast(std::move(p)); 168| 83|} _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE16from_domain_castILS3_0EQneT0_TL0__EES4_ONS1_IS2_XT_EEE: 396| 83| static PolynomialVector from_domain_cast(PolynomialVector&& other) { 397| 83| return PolynomialVector(std::move(other)); 398| 83| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2ILS3_0EQneT0_TL0__EEONS1_IS2_XT_EEE: 379| 83| m_polys_storage(std::move(other.m_polys_storage)) { 380| 83| BOTAN_DEBUG_ASSERT(m_polys_storage.size() % Trait::N == 0); ------------------ | | 130| 83| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 83| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 83] | | ------------------ ------------------ 381| 83| const size_t vecsize = m_polys_storage.size() / Trait::N; 382| 532| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (382:28): [True: 449, False: 83] ------------------ 383| 449| m_vec.emplace_back( 384| 449| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 385| 449| } 386| 83| } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2EOS4_: 261| 8.33k| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2ENSt3__14spanIiLm256EEE: 256| 3.88k| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 3.88k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.88k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.88k] | | ------------------ ------------------ _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EED2Ev: 274| 12.2k| ~Polynomial() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE5beginEv: 481| 83| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE3endEv: 485| 83| decltype(auto) end() { return m_vec.end(); } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE5fqmulEii: 96| 1.86M| static constexpr T fqmul(T a, T b) { return DerivedT::montgomery_reduce_coefficient(static_cast(a) * b); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 302| 1.48k| std::span coefficients() { return m_coeffs; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2Em: 401| 415| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 2.86k| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 2.45k, False: 415] ------------------ 403| 2.45k| m_vec.emplace_back( 404| 2.45k| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 2.45k| } 406| 415| } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2EOS4_: 261| 6.12k| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2ENSt3__14spanIiLm256EEE: 256| 2.97k| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 2.97k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.97k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.97k] | | ------------------ ------------------ _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 479| 265k| const Polynomial& operator[](size_t i) const { return m_vec[i]; } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 308| 265k| T operator[](size_t i) const { return m_coeffs[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 477| 265k| Polynomial& operator[](size_t i) { return m_vec[i]; } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EEixEm: 306| 265k| T& operator[](size_t i) { return m_coeffs[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EED2Ev: 412| 767| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEED2Ev: 509| 83| ~PolynomialMatrix() = default; _ZN5Botan8CRYSTALSmlITkNS0_14crystals_traitENS_19DilithiumPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEERKNS0_16PolynomialMatrixIS4_EERKS6_: 618| 83| const PolynomialVector& vec) { 619| 83| PolynomialVector result(mat.size()); 620| 601| for(size_t i = 0; i < mat.size(); ++i) { ------------------ | Branch (620:22): [True: 518, False: 83] ------------------ 621| 518| Trait::polyvec_pointwise_acc_montgomery(result[i].coefficients(), mat[i].coefficients(), vec.coefficients()); 622| 518| } 623| 83| return result; 624| 83|} _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEE4sizeEv: 511| 684| size_t size() const { return m_mat.size(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2Em: 401| 601| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 4.03k| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 3.43k, False: 601] ------------------ 403| 3.43k| m_vec.emplace_back( 404| 3.43k| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 3.43k| } 406| 601| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE32polyvec_pointwise_acc_montgomeryENSt3__14spanIiLm256EEENS6_IKiLm18446744073709551615EEES9_: 131| 518| std::span v) { 132| 518| clear_mem(w); 133| 518| std::array t{}; 134| 3.43k| for(size_t i = 0; i < polys_in_polyvec(u); ++i) { ------------------ | Branch (134:28): [True: 2.91k, False: 518] ------------------ 135| 2.91k| DerivedT::poly_pointwise_montgomery(t, poly_in_polyvec(u, i), poly_in_polyvec(v, i)); 136| 2.91k| poly_add(w, w, t); 137| 2.91k| } 138| 518| barrett_reduce(w); 139| 518| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE16polys_in_polyvecENSt3__14spanIKiLm18446744073709551615EEE: 81| 3.43k| static constexpr size_t polys_in_polyvec(std::span polyvec) { 82| 3.43k| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 3.43k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.43k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.43k] | | ------------------ ------------------ 83| 3.43k| return polyvec.size() / N; 84| 3.43k| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE15poly_in_polyvecIKiQoosr3stdE7same_asINT_1TETL0__Esr3stdE7same_asIKS8_S9_EEENSt3__14spanIS7_Lm256EEENSC_IS7_Lm18446744073709551615EEEm: 89| 5.83k| static constexpr std::span poly_in_polyvec(std::span polyvec, size_t index) { 90| 5.83k| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 5.83k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 5.83k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 5.83k] | | ------------------ ------------------ 91| 5.83k| BOTAN_DEBUG_ASSERT(polyvec.size() / N > index); ------------------ | | 130| 5.83k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 5.83k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 5.83k] | | ------------------ ------------------ 92| 5.83k| auto polyspan = polyvec.subspan(index * N, N); 93| 5.83k| return std::span{polyspan.data(), polyspan.size()}; 94| 5.83k| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE8poly_addENSt3__14spanIiLm256EEENS6_IKiLm256EEES9_: 99| 3.43k| static constexpr void poly_add(std::span result, std::span lhs, std::span rhs) { 100| 883k| for(size_t i = 0; i < N; ++i) { ------------------ | Branch (100:28): [True: 879k, False: 3.43k] ------------------ 101| 879k| result[i] = lhs[i] + rhs[i]; 102| 879k| } 103| 3.43k| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE14barrett_reduceENSt3__14spanIiLm256EEE: 122| 1.03k| constexpr static void barrett_reduce(std::span poly) { 123| 265k| for(auto& coeff : poly) { ------------------ | Branch (123:26): [True: 265k, False: 1.03k] ------------------ 124| 265k| coeff = DerivedT::barrett_reduce_coefficient(coeff); 125| 265k| } 126| 1.03k| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEixEm: 477| 3.43k| Polynomial& operator[](size_t i) { return m_vec[i]; } _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEixEm: 522| 518| const PolynomialVector& operator[](size_t i) const { return m_mat[i]; } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 445| 1.03k| std::span coefficients() const { return m_polys_storage; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EE6reduceEv: 463| 83| ThisPolynomialVector& reduce() { 464| 518| for(auto& p : m_vec) { ------------------ | Branch (464:22): [True: 518, False: 83] ------------------ 465| 518| Trait::barrett_reduce(p.coefficients()); 466| 518| } 467| 83| return *this; 468| 83| } _ZN5Botan8CRYSTALS11inverse_nttITkNS0_14crystals_traitENS_19DilithiumPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE0EEENS3_IS4_LS5_1EEE: 583| 83|PolynomialVector inverse_ntt(PolynomialVector polyvec_ntt) { 584| 83| auto polyvec = detail::domain_cast(std::move(polyvec_ntt)); 585| 518| for(auto& poly : polyvec) { ------------------ | Branch (585:19): [True: 518, False: 83] ------------------ 586| 518| Trait::inverse_ntt(poly.coefficients()); 587| 518| } 588| 83| return polyvec; 589| 83|} _ZN5Botan8CRYSTALS6detail11domain_castILNS0_6DomainE0ETtTyTnS3_ENS0_16PolynomialVectorETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELS3_1EQneT_T2_EET0_IT1_XT_EEOS6_IS7_XT2_EE: 163| 83|StructureT domain_cast(StructureT&& p) { 164| | // The public factory method `from_domain_cast` is just a workaround for 165| | // Xcode and NDK not understanding the friend declaration to allow this 166| | // to directly call the private constructor. 167| 83| return StructureT::from_domain_cast(std::move(p)); 168| 83|} _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE16from_domain_castILS3_1EQneT0_TL0__EES4_ONS1_IS2_XT_EEE: 396| 83| static PolynomialVector from_domain_cast(PolynomialVector&& other) { 397| 83| return PolynomialVector(std::move(other)); 398| 83| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEC2ILS3_1EQneT0_TL0__EEONS1_IS2_XT_EEE: 379| 83| m_polys_storage(std::move(other.m_polys_storage)) { 380| 83| BOTAN_DEBUG_ASSERT(m_polys_storage.size() % Trait::N == 0); ------------------ | | 130| 83| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 83| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 83] | | ------------------ ------------------ 381| 83| const size_t vecsize = m_polys_storage.size() / Trait::N; 382| 601| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (382:28): [True: 518, False: 83] ------------------ 383| 518| m_vec.emplace_back( 384| 518| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 385| 518| } 386| 83| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5beginEv: 481| 249| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE3endEv: 485| 249| decltype(auto) end() { return m_vec.end(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE12coefficientsEv: 302| 2.07k| std::span coefficients() { return m_coeffs; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE1EEC2EOS4_: 409| 83| PolynomialVector(ThisPolynomialVector&& other) noexcept = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE17conditional_add_qEv: 470| 83| ThisPolynomialVector& conditional_add_q() { 471| 518| for(auto& v : m_vec) { ------------------ | Branch (471:22): [True: 518, False: 83] ------------------ 472| 518| Trait::poly_cadd_q(v.coefficients()); 473| 518| } 474| 83| return *this; 475| 83| } _ZN5Botan8CRYSTALS10Trait_BaseINS_18DilithiumConstantsENS_19DilithiumPolyTraitsEE11poly_cadd_qENSt3__14spanIiLm256EEE: 112| 518| static constexpr void poly_cadd_q(std::span coeffs) { 113| 132k| for(auto& coeff : coeffs) { ------------------ | Branch (113:26): [True: 132k, False: 518] ------------------ 114| 132k| using unsigned_T = std::make_unsigned_t; 115| 132k| const auto is_negative = CT::Mask::expand_top_bit(static_cast(coeff)); 116| 132k| coeff += is_negative.if_set_return(Q); 117| 132k| } 118| 518| } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5cloneEv: 418| 83| ThisPolynomialVector clone() const { 419| 83| ThisPolynomialVector res(size()); 420| | 421| | // The default-constructed PolynomialVector has set up res.m_vec to 422| | // point to res.m_polys_storage. Therefore we can just copy the data 423| | // into res.m_polys_storage to fill the non-owning polynomials. 424| 83| copy_mem(res.m_polys_storage, m_polys_storage); 425| | 426| 83| return res; 427| 83| } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE18_const_time_poisonEv: 330| 967| void _const_time_poison() const { CT::poison(m_coeffs); } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE12coefficientsEv: 304| 518| std::span coefficients() const { return m_coeffs; } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE20_const_time_unpoisonEv: 491| 332| void _const_time_unpoison() const { CT::unpoison_range(m_vec); } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE20_const_time_unpoisonEv: 332| 2.00k| void _const_time_unpoison() const { CT::unpoison(m_coeffs); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EEpLERKS4_: 447| 83| ThisPolynomialVector& operator+=(const ThisPolynomialVector& other) { 448| 83| BOTAN_ASSERT(m_vec.size() == other.m_vec.size(), "cannot add polynomial vectors of differing lengths"); ------------------ | | 64| 83| do { \ | | 65| 83| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 83| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 83] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 83| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 83] | | ------------------ ------------------ 449| 601| for(size_t i = 0; i < m_vec.size(); ++i) { ------------------ | Branch (449:28): [True: 518, False: 83] ------------------ 450| 518| Trait::poly_add(m_vec[i].coefficients(), m_vec[i].coefficients(), other.m_vec[i].coefficients()); 451| 518| } 452| 83| return *this; 453| 83| } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5beginEv: 310| 967| decltype(auto) begin() { return m_coeffs.begin(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE3endEv: 314| 967| decltype(auto) end() { return m_coeffs.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE0EE4sizeEv: 276| 166k| constexpr size_t size() const { return m_coeffs.size(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE5beginEv: 483| 83| decltype(auto) begin() const { return m_vec.begin(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS0_6DomainE0EE3endEv: 487| 83| decltype(auto) end() const { return m_vec.end(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EE5beginEv: 310| 2.91k| decltype(auto) begin() { return m_coeffs.begin(); } _ZN5Botan8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS0_6DomainE1EE3endEv: 314| 2.91k| decltype(auto) end() { return m_coeffs.end(); } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEC2Emm: 513| 83| PolynomialMatrix(size_t rows, size_t cols) { 514| 83| m_mat.reserve(rows); 515| 601| for(size_t i = 0; i < rows; ++i) { ------------------ | Branch (515:28): [True: 518, False: 83] ------------------ 516| 518| m_mat.emplace_back(cols); 517| 518| } 518| 83| } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEixEm: 520| 2.91k| PolynomialVector& operator[](size_t i) { return m_mat[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EED2Ev: 412| 332| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EED2Ev: 274| 1.61k| ~Polynomial() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEC2Em: 401| 122| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 514| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 392, False: 122] ------------------ 403| 392| m_vec.emplace_back( 404| 392| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 392| } 406| 122| } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EEC2EOS4_: 261| 1.04k| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EEC2ENSt3__14spanIsLm256EEE: 256| 576| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 576| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 576| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 576] | | ------------------ ------------------ _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEC2EOS4_: 409| 150| PolynomialVector(ThisPolynomialVector&& other) noexcept = default; _ZN5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEED2Ev: 509| 30| ~PolynomialMatrix() = default; _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE5fqmulEss: 96| 380k| static constexpr T fqmul(T a, T b) { return DerivedT::montgomery_reduce_coefficient(static_cast(a) * b); } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE14barrett_reduceENSt3__14spanIsLm256EEE: 122| 368| constexpr static void barrett_reduce(std::span poly) { 123| 94.2k| for(auto& coeff : poly) { ------------------ | Branch (123:26): [True: 94.2k, False: 368] ------------------ 124| 94.2k| coeff = DerivedT::barrett_reduce_coefficient(coeff); 125| 94.2k| } 126| 368| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EE5beginEv: 481| 60| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EE3endEv: 485| 60| decltype(auto) end() { return m_vec.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EE4sizeEv: 276| 7.28k| constexpr size_t size() const { return m_coeffs.size(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE5beginEv: 481| 90| decltype(auto) begin() { return m_vec.begin(); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE3endEv: 485| 90| decltype(auto) end() { return m_vec.end(); } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE5beginEv: 310| 392| decltype(auto) begin() { return m_coeffs.begin(); } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE3endEv: 314| 392| decltype(auto) end() { return m_coeffs.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE4sizeEv: 276| 5.98k| constexpr size_t size() const { return m_coeffs.size(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE20_const_time_unpoisonEv: 491| 60| void _const_time_unpoison() const { CT::unpoison_range(m_vec); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE20_const_time_unpoisonEv: 332| 184| void _const_time_unpoison() const { CT::unpoison(m_coeffs); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE5beginEv: 483| 30| decltype(auto) begin() const { return m_vec.begin(); } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE3endEv: 487| 30| decltype(auto) end() const { return m_vec.end(); } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EEixEm: 308| 23.5k| T operator[](size_t i) const { return m_coeffs[i]; } _ZNK5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 304| 92| std::span coefficients() const { return m_coeffs; } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EED2Ev: 274| 516| ~Polynomial() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EED2Ev: 412| 60| ~PolynomialVector() = default; _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE0EEC2Em: 401| 60| explicit PolynomialVector(size_t vecsize) : m_polys_storage(vecsize * Trait::N) { 402| 244| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (402:28): [True: 184, False: 60] ------------------ 403| 184| m_vec.emplace_back( 404| 184| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 405| 184| } 406| 60| } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EEC2EOS4_: 261| 332| m_coeffs_storage(std::move(other.m_coeffs_storage)), m_coeffs(other.m_coeffs) {} _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EEC2ENSt3__14spanIsLm256EEE: 256| 184| explicit Polynomial(std::span coeffs) : m_coeffs(coeffs) { BOTAN_DEBUG_ASSERT(!owns_storage()); } ------------------ | | 130| 184| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 184| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 184] | | ------------------ ------------------ _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE0EEixEm: 306| 47.1k| T& operator[](size_t i) { return m_coeffs[i]; } _ZN5Botan8CRYSTALS3nttITkNS0_14crystals_traitENS_15KyberPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEENS3_IS4_LS5_0EEE: 574| 60|PolynomialVector ntt(PolynomialVector polyvec) { 575| 60| auto polyvec_ntt = detail::domain_cast(std::move(polyvec)); 576| 184| for(auto& poly : polyvec_ntt) { ------------------ | Branch (576:19): [True: 184, False: 60] ------------------ 577| 184| Trait::ntt(poly.coefficients()); 578| 184| } 579| 60| return polyvec_ntt; 580| 60|} _ZN5Botan8CRYSTALS6detail11domain_castILNS0_6DomainE1ETtTyTnS3_ENS0_16PolynomialVectorETkNS0_14crystals_traitENS_15KyberPolyTraitsELS3_0EQneT_T2_EET0_IT1_XT_EEOS6_IS7_XT2_EE: 163| 60|StructureT domain_cast(StructureT&& p) { 164| | // The public factory method `from_domain_cast` is just a workaround for 165| | // Xcode and NDK not understanding the friend declaration to allow this 166| | // to directly call the private constructor. 167| 60| return StructureT::from_domain_cast(std::move(p)); 168| 60|} _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE16from_domain_castILS3_0EQneT0_TL0__EES4_ONS1_IS2_XT_EEE: 396| 60| static PolynomialVector from_domain_cast(PolynomialVector&& other) { 397| 60| return PolynomialVector(std::move(other)); 398| 60| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEC2ILS3_0EQneT0_TL0__EEONS1_IS2_XT_EEE: 379| 60| m_polys_storage(std::move(other.m_polys_storage)) { 380| 60| BOTAN_DEBUG_ASSERT(m_polys_storage.size() % Trait::N == 0); ------------------ | | 130| 60| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 60| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 60] | | ------------------ ------------------ 381| 60| const size_t vecsize = m_polys_storage.size() / Trait::N; 382| 244| for(size_t i = 0; i < vecsize; ++i) { ------------------ | Branch (382:28): [True: 184, False: 60] ------------------ 383| 184| m_vec.emplace_back( 384| 184| Polynomial(std::span{m_polys_storage}.subspan(i * Trait::N).template first())); 385| 184| } 386| 60| } _ZN5Botan8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 302| 552| std::span coefficients() { return m_coeffs; } _ZN5Botan8CRYSTALSmlITkNS0_14crystals_traitENS_15KyberPolyTraitsEEENS0_16PolynomialVectorIT_LNS0_6DomainE1EEERKNS0_16PolynomialMatrixIS4_EERKS6_: 618| 30| const PolynomialVector& vec) { 619| 30| PolynomialVector result(mat.size()); 620| 122| for(size_t i = 0; i < mat.size(); ++i) { ------------------ | Branch (620:22): [True: 92, False: 30] ------------------ 621| 92| Trait::polyvec_pointwise_acc_montgomery(result[i].coefficients(), mat[i].coefficients(), vec.coefficients()); 622| 92| } 623| 30| return result; 624| 30|} _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEE4sizeEv: 511| 152| size_t size() const { return m_mat.size(); } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE32polyvec_pointwise_acc_montgomeryENSt3__14spanIsLm256EEENS6_IKsLm18446744073709551615EEES9_: 131| 92| std::span v) { 132| 92| clear_mem(w); 133| 92| std::array t{}; 134| 392| for(size_t i = 0; i < polys_in_polyvec(u); ++i) { ------------------ | Branch (134:28): [True: 300, False: 92] ------------------ 135| 300| DerivedT::poly_pointwise_montgomery(t, poly_in_polyvec(u, i), poly_in_polyvec(v, i)); 136| 300| poly_add(w, w, t); 137| 300| } 138| 92| barrett_reduce(w); 139| 92| } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE16polys_in_polyvecENSt3__14spanIKsLm18446744073709551615EEE: 81| 392| static constexpr size_t polys_in_polyvec(std::span polyvec) { 82| 392| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 392| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 392| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 392] | | ------------------ ------------------ 83| 392| return polyvec.size() / N; 84| 392| } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE15poly_in_polyvecIKsQoosr3stdE7same_asINT_1TETL0__Esr3stdE7same_asIKS8_S9_EEENSt3__14spanIS7_Lm256EEENSC_IS7_Lm18446744073709551615EEEm: 89| 600| static constexpr std::span poly_in_polyvec(std::span polyvec, size_t index) { 90| 600| BOTAN_DEBUG_ASSERT(polyvec.size() % N == 0); ------------------ | | 130| 600| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 600| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 600] | | ------------------ ------------------ 91| 600| BOTAN_DEBUG_ASSERT(polyvec.size() / N > index); ------------------ | | 130| 600| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 600| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 600] | | ------------------ ------------------ 92| 600| auto polyspan = polyvec.subspan(index * N, N); 93| 600| return std::span{polyspan.data(), polyspan.size()}; 94| 600| } _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE8poly_addENSt3__14spanIsLm256EEENS6_IKsLm256EEES9_: 99| 392| static constexpr void poly_add(std::span result, std::span lhs, std::span rhs) { 100| 100k| for(size_t i = 0; i < N; ++i) { ------------------ | Branch (100:28): [True: 100k, False: 392] ------------------ 101| 100k| result[i] = lhs[i] + rhs[i]; 102| 100k| } 103| 392| } _ZNK5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEEixEm: 522| 92| const PolynomialVector& operator[](size_t i) const { return m_mat[i]; } _ZNK5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE12coefficientsEv: 445| 184| std::span coefficients() const { return m_polys_storage; } _ZN5Botan8CRYSTALS10montgomeryITkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEENS0_16PolynomialVectorIT_XT0_EEES6_: 598| 30|PolynomialVector montgomery(PolynomialVector polyvec) { 599| 92| for(auto& p : polyvec) { ------------------ | Branch (599:16): [True: 92, False: 30] ------------------ 600| 92| detail::montgomery(p); 601| 92| } 602| 30| return polyvec; 603| 30|} _ZN5Botan8CRYSTALS6detail10montgomeryITkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEEvRNS0_10PolynomialIT_XT0_EEE: 540| 92|void montgomery(Polynomial& p) { 541| 23.5k| for(auto& c : p) { ------------------ | Branch (541:16): [True: 23.5k, False: 92] ------------------ 542| 23.5k| c = Trait::to_montgomery(c); 543| 23.5k| } 544| 92|} _ZN5Botan8CRYSTALS10Trait_BaseINS_14KyberConstantsENS_15KyberPolyTraitsEE13to_montgomeryEs: 120| 23.5k| static constexpr T to_montgomery(T a) { return fqmul(a, MONTY_SQUARED); } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEpLERKS4_: 447| 30| ThisPolynomialVector& operator+=(const ThisPolynomialVector& other) { 448| 30| BOTAN_ASSERT(m_vec.size() == other.m_vec.size(), "cannot add polynomial vectors of differing lengths"); ------------------ | | 64| 30| do { \ | | 65| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 30| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 30] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 30| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 30] | | ------------------ ------------------ 449| 122| for(size_t i = 0; i < m_vec.size(); ++i) { ------------------ | Branch (449:28): [True: 92, False: 30] ------------------ 450| 92| Trait::poly_add(m_vec[i].coefficients(), m_vec[i].coefficients(), other.m_vec[i].coefficients()); 451| 92| } 452| 30| return *this; 453| 30| } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EE6reduceEv: 463| 30| ThisPolynomialVector& reduce() { 464| 92| for(auto& p : m_vec) { ------------------ | Branch (464:22): [True: 92, False: 30] ------------------ 465| 92| Trait::barrett_reduce(p.coefficients()); 466| 92| } 467| 30| return *this; 468| 30| } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEEC2Emm: 513| 30| PolynomialMatrix(size_t rows, size_t cols) { 514| 30| m_mat.reserve(rows); 515| 122| for(size_t i = 0; i < rows; ++i) { ------------------ | Branch (515:28): [True: 92, False: 30] ------------------ 516| 92| m_mat.emplace_back(cols); 517| 92| } 518| 30| } _ZN5Botan8CRYSTALS16PolynomialMatrixINS_15KyberPolyTraitsEEixEm: 520| 300| PolynomialVector& operator[](size_t i) { return m_mat[i]; } _ZN5Botan8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS0_6DomainE1EEixEm: 477| 392| Polynomial& operator[](size_t i) { return m_vec[i]; } _ZN5Botan8CRYSTALS4packILi1023ETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELNS0_6DomainE0EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferE: 223| 518|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer) { 224| 518| using unsigned_T = std::make_unsigned_t; 225| 518| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); 226| 518|} _ZN5Botan8CRYSTALS4packILi1023ETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELNS0_6DomainE0ETkNS0_12coeff_map_fnINT0_1TEEEZNS0_4packILi1023ETkNS0_14crystals_traitES2_LS3_0EEEvRKNS0_10PolynomialIS5_XT1_EEERNS_13BufferStufferEEUliE_EEvSB_SD_T2_: 117| 518|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer, MapFnT map) { 118| 518| using trait = BitPackingTrait; 119| | 120| 518| BOTAN_DEBUG_ASSERT(stuffer.remaining_capacity() >= p.size() * trait::bits_per_coeff / 8); ------------------ | | 130| 518| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 518| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 518] | | ------------------ ------------------ 121| | 122| | // Bit-packing example that shows a coefficients' bit-pack that spills across 123| | // more than one 64-bit collectors. This illustrates the algorithm below. 124| | // 125| | // 0 64 128 126| | // Collectors (64 bits): | collectors[0] | collectors[1] | 127| | // | | | 128| | // Coefficients (11 bits): | c[0] | c[1] | c[2] | c[3] | c[4] | c[5] | c[6] | c[7] | | | | | ... 129| | // | | | 130| | // | < byte-aligned coefficient pack > | < byte-aligned pad. > | 131| | // | (one inner loop iteration) | 132| | // 0 88 (divisible by 8) 133| | 134| 33.6k| for(size_t i = 0; i < p.size(); i += trait::coeffs_per_pack) { ------------------ | Branch (134:22): [True: 33.1k, False: 518] ------------------ 135| | // The collectors array is filled with bit-packed coefficients to produce 136| | // a byte-aligned pack of coefficients. When coefficients fall onto the 137| | // boundary of two collectors, their bits must be split. 138| 33.1k| typename trait::collector_array collectors = {0}; 139| 165k| for(size_t j = 0, bit_offset = 0, c = 0; j < trait::coeffs_per_pack; ++j) { ------------------ | Branch (139:48): [True: 132k, False: 33.1k] ------------------ 140| | // Transform p[i] via a custom map function (that may be a NOOP). 141| 132k| const typename trait::unsigned_T mapped_coeff = map(p[i + j]); 142| 132k| const auto coeff_value = static_cast(mapped_coeff); 143| | 144| | // pack() is called only on data produced by us. If the values returned 145| | // by the map function are not in the range [0, range] we have a bug. 146| 132k| BOTAN_DEBUG_ASSERT(coeff_value <= range); ------------------ | | 130| 132k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 132k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 132k] | | ------------------ ------------------ 147| | 148| | // Bit-pack the coefficient into the collectors array and keep track of 149| | // the bit-offset within the current collector. Note that this might 150| | // shift some high-bits of the coefficient out of the current collector. 151| 132k| collectors[c] |= coeff_value << bit_offset; 152| 132k| bit_offset += trait::bits_per_coeff; 153| | 154| | // If the bit-offset now exceeds the collector's bit-width, we fill the 155| | // next collector with the high-bits that didn't fit into the previous. 156| | // The bit-offset is adjusted to now point into the new collector. 157| 132k| if(bit_offset > trait::bits_in_collector) { ------------------ | Branch (157:13): [True: 0, False: 132k] ------------------ 158| 0| bit_offset = bit_offset - trait::bits_in_collector; 159| 0| collectors[++c] = coeff_value >> (trait::bits_per_coeff - bit_offset); 160| 0| } 161| 132k| } 162| | 163| | // One byte-aligned pack of bit-packed coefficients is now stored in the 164| | // collectors and can be written to an output buffer. Note that we might 165| | // have to remove some padding bytes of unused collector space. 166| 33.1k| const auto bytes = store_le(collectors); 167| 33.1k| stuffer.append(std::span{bytes}.template first()); 168| 33.1k| } 169| 518|} _ZZN5Botan8CRYSTALS4packILi1023ETkNS0_14crystals_traitENS_19DilithiumPolyTraitsELNS0_6DomainE0EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferEENKUliE_clEi: 225| 132k| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); _ZN5Botan8CRYSTALS4packILi3328ETkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferE: 223| 92|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer) { 224| 92| using unsigned_T = std::make_unsigned_t; 225| 92| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); 226| 92|} _ZN5Botan8CRYSTALS4packILi3328ETkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1ETkNS0_12coeff_map_fnINT0_1TEEEZNS0_4packILi3328ETkNS0_14crystals_traitES2_LS3_1EEEvRKNS0_10PolynomialIS5_XT1_EEERNS_13BufferStufferEEUlsE_EEvSB_SD_T2_: 117| 92|constexpr void pack(const Polynomial& p, BufferStuffer& stuffer, MapFnT map) { 118| 92| using trait = BitPackingTrait; 119| | 120| 92| BOTAN_DEBUG_ASSERT(stuffer.remaining_capacity() >= p.size() * trait::bits_per_coeff / 8); ------------------ | | 130| 92| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 92| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 92] | | ------------------ ------------------ 121| | 122| | // Bit-packing example that shows a coefficients' bit-pack that spills across 123| | // more than one 64-bit collectors. This illustrates the algorithm below. 124| | // 125| | // 0 64 128 126| | // Collectors (64 bits): | collectors[0] | collectors[1] | 127| | // | | | 128| | // Coefficients (11 bits): | c[0] | c[1] | c[2] | c[3] | c[4] | c[5] | c[6] | c[7] | | | | | ... 129| | // | | | 130| | // | < byte-aligned coefficient pack > | < byte-aligned pad. > | 131| | // | (one inner loop iteration) | 132| | // 0 88 (divisible by 8) 133| | 134| 5.98k| for(size_t i = 0; i < p.size(); i += trait::coeffs_per_pack) { ------------------ | Branch (134:22): [True: 5.88k, False: 92] ------------------ 135| | // The collectors array is filled with bit-packed coefficients to produce 136| | // a byte-aligned pack of coefficients. When coefficients fall onto the 137| | // boundary of two collectors, their bits must be split. 138| 5.88k| typename trait::collector_array collectors = {0}; 139| 29.4k| for(size_t j = 0, bit_offset = 0, c = 0; j < trait::coeffs_per_pack; ++j) { ------------------ | Branch (139:48): [True: 23.5k, False: 5.88k] ------------------ 140| | // Transform p[i] via a custom map function (that may be a NOOP). 141| 23.5k| const typename trait::unsigned_T mapped_coeff = map(p[i + j]); 142| 23.5k| const auto coeff_value = static_cast(mapped_coeff); 143| | 144| | // pack() is called only on data produced by us. If the values returned 145| | // by the map function are not in the range [0, range] we have a bug. 146| 23.5k| BOTAN_DEBUG_ASSERT(coeff_value <= range); ------------------ | | 130| 23.5k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 23.5k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 23.5k] | | ------------------ ------------------ 147| | 148| | // Bit-pack the coefficient into the collectors array and keep track of 149| | // the bit-offset within the current collector. Note that this might 150| | // shift some high-bits of the coefficient out of the current collector. 151| 23.5k| collectors[c] |= coeff_value << bit_offset; 152| 23.5k| bit_offset += trait::bits_per_coeff; 153| | 154| | // If the bit-offset now exceeds the collector's bit-width, we fill the 155| | // next collector with the high-bits that didn't fit into the previous. 156| | // The bit-offset is adjusted to now point into the new collector. 157| 23.5k| if(bit_offset > trait::bits_in_collector) { ------------------ | Branch (157:13): [True: 0, False: 23.5k] ------------------ 158| 0| bit_offset = bit_offset - trait::bits_in_collector; 159| 0| collectors[++c] = coeff_value >> (trait::bits_per_coeff - bit_offset); 160| 0| } 161| 23.5k| } 162| | 163| | // One byte-aligned pack of bit-packed coefficients is now stored in the 164| | // collectors and can be written to an output buffer. Note that we might 165| | // have to remove some padding bytes of unused collector space. 166| 5.88k| const auto bytes = store_le(collectors); 167| 5.88k| stuffer.append(std::span{bytes}.template first()); 168| 5.88k| } 169| 92|} _ZZN5Botan8CRYSTALS4packILi3328ETkNS0_14crystals_traitENS_15KyberPolyTraitsELNS0_6DomainE1EEEvRKNS0_10PolynomialIT0_XT1_EEERNS_13BufferStufferEENKUlsE_clEs: 225| 23.5k| pack(p, stuffer, [](typename PolyTrait::T x) { return static_cast(x); }); _ZN5Botan6bitlenEm: 101| 913|constexpr auto bitlen(size_t x) { 102| 913| return ceil_log2(x + 1); 103| 913|} _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm894EEC2ES3_: 173| 2.91k| explicit Bounded_XOF(XofT xof) : m_xof(xof), m_bytes_consumed(0) {} dilithium_algos.cpp:_ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm894EE4nextILm3EZNS_15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNSA_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSJ_6DomainE1EEEtRKNS_18DilithiumConstantsEE3$_0ZNS7_18sample_ntt_uniformESI_SO_tSR_E3$_1Qaasr3stdE9invocableITL0_0_NSA_5arrayIhXTL0__EEEEsr3stdE9invocableITL0_1_NSA_20__invoke_result_implIvJSU_SW_EE4typeEEEEDaRKT0_RKT1_: 195| 747k| const PredicateFnT& predicate = default_predicate>) { 196| 747k| while(true) { ------------------ | Branch (196:16): [True: 747k, Folded] ------------------ 197| 747k| auto output = transformer(take()); 198| 747k| if(predicate(output)) { ------------------ | Branch (198:16): [True: 747k, False: 770] ------------------ 199| 747k| return output; 200| 747k| } 201| 747k| } 202| 747k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm894EE4takeILm3EEENSt3__15arrayIhXT_EEEv: 206| 747k| constexpr std::array take() { 207| 747k| m_bytes_consumed += bytes; 208| 747k| if(m_bytes_consumed > bound) { ------------------ | Branch (208:13): [True: 0, False: 747k] ------------------ 209| 0| throw Internal_Error("XOF consumed more bytes than allowed"); 210| 0| } 211| 747k| return m_xof.template output(); 212| 747k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EEC2ES3_: 173| 967| explicit Bounded_XOF(XofT xof) : m_xof(xof), m_bytes_consumed(0) {} _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE9next_byteIFbhEQsr3stdE9invocableITL0__hEEEDaOT_: 180| 177k| constexpr auto next_byte(PredicateFnT&& predicate = default_predicate<1, uint8_t>) { 181| 177k| return next<1>([](const auto bytes) { return bytes[0]; }, std::forward(predicate)); 182| 177k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE4nextILm1EZNS4_9next_byteIFbhEQsr3stdE9invocableITL0__hEEEDaOT_EUlS9_E_S7_Qaasr3stdE9invocableITL0_0_NSt3__15arrayIhXTL0__EEEEsr3stdE9invocableITL0_1_NSD_20__invoke_result_implIvJSC_SF_EE4typeEEEEDaRKT0_RKT1_: 195| 177k| const PredicateFnT& predicate = default_predicate>) { 196| 177k| while(true) { ------------------ | Branch (196:16): [True: 177k, Folded] ------------------ 197| 177k| auto output = transformer(take()); 198| 177k| if(predicate(output)) { ------------------ | Branch (198:16): [True: 177k, False: 0] ------------------ 199| 177k| return output; 200| 177k| } 201| 177k| } 202| 177k| } _ZZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE9next_byteIFbhEQsr3stdE9invocableITL0__hEEEDaOT_ENKUlS8_E_clINSt3__15arrayIhLm1EEEEEDaS8_: 181| 177k| return next<1>([](const auto bytes) { return bytes[0]; }, std::forward(predicate)); _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE4takeILm1EEENSt3__15arrayIhXT_EEEv: 206| 177k| constexpr std::array take() { 207| 177k| m_bytes_consumed += bytes; 208| 177k| if(m_bytes_consumed > bound) { ------------------ | Branch (208:13): [True: 0, False: 177k] ------------------ 209| 0| throw Internal_Error("XOF consumed more bytes than allowed"); 210| 0| } 211| 177k| return m_xof.template output(); 212| 177k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm481EE17default_predicateILm1EhEEbT0_: 164| 177k| constexpr static bool default_predicate(T /*v*/) { 165| 177k| return true; 166| 177k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EEC2ES3_: 173| 300| explicit Bounded_XOF(XofT xof) : m_xof(xof), m_bytes_consumed(0) {} kyber_algos.cpp:_ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EE4nextILm3EZZNS_11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS8_6DomainE1EEES3_EN3$_0clEvEUlT_E_FbNSt3__14pairINSH_8optionalItEESK_EEEQaasr3stdE9invocableITL0_0_NSH_5arrayIhXTL0__EEEEsr3stdE9invocableITL0_1_NSH_20__invoke_result_implIvJSN_SP_EE4typeEEEEDaRKT0_RKT1_: 195| 47.7k| const PredicateFnT& predicate = default_predicate>) { 196| 47.7k| while(true) { ------------------ | Branch (196:16): [True: 47.7k, Folded] ------------------ 197| 47.7k| auto output = transformer(take()); 198| 47.7k| if(predicate(output)) { ------------------ | Branch (198:16): [True: 47.7k, False: 0] ------------------ 199| 47.7k| return output; 200| 47.7k| } 201| 47.7k| } 202| 47.7k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EE4takeILm3EEENSt3__15arrayIhXT_EEEv: 206| 47.7k| constexpr std::array take() { 207| 47.7k| m_bytes_consumed += bytes; 208| 47.7k| if(m_bytes_consumed > bound) { ------------------ | Branch (208:13): [True: 0, False: 47.7k] ------------------ 209| 0| throw Internal_Error("XOF consumed more bytes than allowed"); 210| 0| } 211| 47.7k| return m_xof.template output(); 212| 47.7k| } _ZN5Botan6detail11Bounded_XOFIRNS_3XOFELm840EE17default_predicateILm3ENSt3__14pairINS6_8optionalItEES9_EEEEbT0_: 164| 47.7k| constexpr static bool default_predicate(T /*v*/) { 165| 47.7k| return true; 166| 47.7k| } _ZN5Botan3rhoILm14ELm18ELm41ETkNSt3__117unsigned_integralEmEET2_S2_: 53| 160|BOTAN_FORCE_INLINE constexpr T rho(T x) { 54| 160| return rotr(x) ^ rotr(x) ^ rotr(x); 55| 160|} _ZN5Botan4rotrILm14ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm18ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm41ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan3rhoILm28ELm34ELm39ETkNSt3__117unsigned_integralEmEET2_S2_: 53| 160|BOTAN_FORCE_INLINE constexpr T rho(T x) { 54| 160| return rotr(x) ^ rotr(x) ^ rotr(x); 55| 160|} _ZN5Botan4rotrILm28ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm34ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotrILm39ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 37| 160|{ 38| 160| return static_cast((input >> ROT) | (input << (8 * sizeof(T) - ROT))); 39| 160|} _ZN5Botan4rotlILm21ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm1ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 2.76M|{ 26| 2.76M| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 2.76M|} _ZN5Botan4rotlILm44ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm43ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm14ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm28ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm20ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm3ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm45ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm61ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm6ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm25ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm8ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm18ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm27ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm36ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm10ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm15ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm56ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm62ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm55ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm39ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm41ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan4rotlILm2ETkNSt3__117unsigned_integralEmEET0_S2_QaagtT_Li0EltT_mlLi8EstS2_: 25| 460k|{ 26| 460k| return static_cast((input << ROT) | (input >> (8 * sizeof(T) - ROT))); 27| 460k|} _ZN5Botan8round_upEmm: 26| 49.6k|constexpr inline size_t round_up(size_t n, size_t align_to) { 27| | // Arguably returning n in this case would also be sensible 28| 49.6k| BOTAN_ARG_CHECK(align_to != 0, "align_to must not be 0"); ------------------ | | 35| 49.6k| do { \ | | 36| 49.6k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 49.6k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 49.6k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 49.6k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 49.6k] | | ------------------ ------------------ 29| | 30| 49.6k| if(n % align_to > 0) { ------------------ | Branch (30:7): [True: 46.4k, False: 3.26k] ------------------ 31| 46.4k| const size_t adj = align_to - (n % align_to); 32| 46.4k| BOTAN_ARG_CHECK(n + adj >= n, "Integer overflow during rounding"); ------------------ | | 35| 46.4k| do { \ | | 36| 46.4k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 46.4k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 46.4k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 46.4k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 46.4k] | | ------------------ ------------------ 33| 46.4k| n += adj; 34| 46.4k| } 35| 49.6k| return n; 36| 49.6k|} _ZNK5Botan9SCAN_Name9arg_countEv: 49| 4.17k| size_t arg_count() const { return m_args.size(); } _ZNK5Botan9SCAN_Name9algo_nameEv: 44| 5.69k| const std::string& algo_name() const { return m_alg_name; } _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_EC2ESC_: 26| 1| explicit scoped_cleanup(FunT cleanup) : m_cleanup(std::move(cleanup)) {} _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_EC2EOSD_: 31| 1| scoped_cleanup(scoped_cleanup&& other) noexcept : m_cleanup(std::move(other.m_cleanup)) { other.disengage(); } _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_E9disengageEv: 50| 1| void disengage() noexcept { m_cleanup.reset(); } _ZN5Botan14scoped_cleanupIZNS_2CT13scoped_poisonIJNSt3__16vectorIhNS_16secure_allocatorIhEEEEEQaaaagtsZT_Li0Efraa10poisonableIT_Efraa12unpoisonableIS8_EEEDaDpRKS8_EUlvE_ED2Ev: 41| 2| ~scoped_cleanup() { 42| 2| if(m_cleanup.has_value()) { ------------------ | Branch (42:13): [True: 1, False: 1] ------------------ 43| 1| (*m_cleanup)(); // NOLINT(bugprone-exception-escape) clang-tidy bug 44| 1| } 45| 2| } _ZNK5Botan7SHA_51213output_lengthEv: 74| 2| size_t output_length() const override { return output_bytes; } _ZN5Botan9SHA2_64_FEmmmRmmmmS0_m: 42| 160| uint64_t A, uint64_t B, uint64_t C, uint64_t& D, uint64_t E, uint64_t F, uint64_t G, uint64_t& H, uint64_t M) { 43| 160| H += rho<14, 18, 41>(E) + choose(E, F, G) + M; 44| 160| D += H; 45| 160| H += rho<28, 34, 39>(A) + majority(A, B, C); 46| 160|} _ZNK5Botan5SHA_313output_lengthEv: 31| 60| size_t output_length() const override { return m_output_length; } _ZN5Botan13SHAKE_128_XOFC2Ev: 52| 2.94k| SHAKE_128_XOF() : SHAKE_XOF(256) {} _ZN5Botan13SHAKE_256_XOFC2Ev: 66| 1.16k| SHAKE_256_XOF() : SHAKE_XOF(512) {} _ZN5Botan9SIMD_2x64C2Ev: 50| 16| m_simd(_mm_setzero_si128()) 51| |#elif defined(BOTAN_SIMD_USE_SIMD128) 52| | m_simd(wasm_u64x2_const_splat(0)) 53| |#endif 54| 16| { 55| 16| } _ZN5Botan9SIMD_2x647load_beEPKv: 90| 16| static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 load_be(const void* in) { return SIMD_2x64::load_le(in).bswap(); } _ZNK5Botan9SIMD_2x645bswapEv: 100| 16| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 bswap() const { 101| 16|#if defined(BOTAN_SIMD_USE_SSSE3) 102| 16| const auto idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 0, 1, 2, 3, 4, 5, 6, 7); 103| 16| return SIMD_2x64(_mm_shuffle_epi8(m_simd, idx)); 104| |#elif defined(BOTAN_SIMD_USE_SIMD128) 105| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 7, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8)); 106| |#endif 107| 16| } _ZN5Botan9SIMD_2x64C2EDv2_x: 316| 624| explicit BOTAN_FN_ISA_SIMD_2X64 SIMD_2x64(native_simd_type x) : m_simd(x) {} _ZNK5Botan9SIMD_2x64plERKS0_: 144| 272| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 operator+(const SIMD_2x64& other) const { 145| 272| SIMD_2x64 retval(*this); 146| 272| retval += other; 147| 272| return retval; 148| 272| } _ZN5Botan9SIMD_2x64pLERKS0_: 156| 272| void BOTAN_FN_ISA_SIMD_2X64 operator+=(const SIMD_2x64& other) { 157| 272|#if defined(BOTAN_SIMD_USE_SSSE3) 158| 272| m_simd = _mm_add_epi64(m_simd, other.m_simd); 159| |#elif defined(BOTAN_SIMD_USE_SIMD128) 160| | m_simd = wasm_i64x2_add(m_simd, other.m_simd); 161| |#endif 162| 272| } _ZN5Botan9SIMD_2x647load_leEPKv: 82| 96| static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 load_le(const void* in) { 83| 96|#if defined(BOTAN_SIMD_USE_SSSE3) 84| 96| return SIMD_2x64(_mm_loadu_si128(reinterpret_cast(in))); 85| |#elif defined(BOTAN_SIMD_USE_SIMD128) 86| | return SIMD_2x64(wasm_v128_load(in)); 87| |#endif 88| 96| } _ZNK5Botan9SIMD_2x648store_leEPm: 126| 80| void BOTAN_FN_ISA_SIMD_2X64 store_le(uint64_t out[2]) const { this->store_le(reinterpret_cast(out)); } _ZNK5Botan9SIMD_2x648store_leEPh: 128| 80| void BOTAN_FN_ISA_SIMD_2X64 store_le(uint8_t out[]) const { 129| 80|#if defined(BOTAN_SIMD_USE_SSSE3) 130| 80| _mm_storeu_si128(reinterpret_cast<__m128i*>(out), m_simd); 131| |#elif defined(BOTAN_SIMD_USE_SIMD128) 132| | wasm_v128_store(out, m_simd); 133| |#endif 134| 80| } _ZN5Botan9SIMD_2x647alignr8ERKS0_S2_: 240| 128| static SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 alignr8(const SIMD_2x64& a, const SIMD_2x64& b) { 241| 128|#if defined(BOTAN_SIMD_USE_SSSE3) 242| 128| return SIMD_2x64(_mm_alignr_epi8(a.m_simd, b.m_simd, 8)); 243| |#elif defined(BOTAN_SIMD_USE_SIMD128) 244| | return SIMD_2x64( 245| | wasm_i8x16_shuffle(b.m_simd, a.m_simd, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)); 246| |#endif 247| 128| } _ZNK5Botan9SIMD_2x644rotrILm1EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| | if constexpr(ROT == 8) { 187| | auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| 64| } else { 199| 64| return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| 64| _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| 64| } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x64eoERKS0_: 150| 256| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 operator^(const SIMD_2x64& other) const { 151| 256| SIMD_2x64 retval(*this); 152| 256| retval ^= other; 153| 256| return retval; 154| 256| } _ZN5Botan9SIMD_2x64eOERKS0_: 164| 256| void BOTAN_FN_ISA_SIMD_2X64 operator^=(const SIMD_2x64& other) { 165| 256|#if defined(BOTAN_SIMD_USE_SSSE3) 166| 256| m_simd = _mm_xor_si128(m_simd, other.m_simd); 167| |#elif defined(BOTAN_SIMD_USE_SIMD128) 168| | m_simd = wasm_v128_xor(m_simd, other.m_simd); 169| |#endif 170| 256| } _ZNK5Botan9SIMD_2x644rotrILm8EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| 64| if constexpr(ROT == 8) { 187| 64| auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| 64| return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| | } else { 199| | return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| | _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| | } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x643shrILi7EEES0_v: 223| 64| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 shr() const noexcept { 224| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 225| 64| return SIMD_2x64(_mm_srli_epi64(m_simd, SHIFT)); 226| |#elif defined(BOTAN_SIMD_USE_SIMD128) 227| | return SIMD_2x64(wasm_u64x2_shr(m_simd, SHIFT)); 228| |#endif 229| 64| } _ZNK5Botan9SIMD_2x644rotrILm19EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| | if constexpr(ROT == 8) { 187| | auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| 64| } else { 199| 64| return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| 64| _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| 64| } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x644rotrILm61EEES0_vQaagtT_Li0EltT_Li64E: 184| 64| { 185| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 186| | if constexpr(ROT == 8) { 187| | auto tab = _mm_setr_epi8(1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8); 188| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 189| | } else if constexpr(ROT == 16) { 190| | auto tab = _mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9); 191| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 192| | } else if constexpr(ROT == 24) { 193| | auto tab = _mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10); 194| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 195| | } else if constexpr(ROT == 32) { 196| | auto tab = _mm_setr_epi8(4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11); 197| | return SIMD_2x64(_mm_shuffle_epi8(m_simd, tab)); 198| 64| } else { 199| 64| return SIMD_2x64(_mm_or_si128(_mm_srli_epi64(m_simd, static_cast(ROT)), 200| 64| _mm_slli_epi64(m_simd, static_cast(64 - ROT)))); 201| 64| } 202| |#elif defined(BOTAN_SIMD_USE_SIMD128) 203| | if constexpr(ROT == 8) { 204| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 1, 2, 3, 4, 5, 6, 7, 0, 9, 10, 11, 12, 13, 14, 15, 8)); 205| | } else if constexpr(ROT == 16) { 206| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)); 207| | } else if constexpr(ROT == 24) { 208| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)); 209| | } else if constexpr(ROT == 32) { 210| | return SIMD_2x64(wasm_i8x16_shuffle(m_simd, m_simd, 4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11)); 211| | } else { 212| | return SIMD_2x64(wasm_v128_or(wasm_u64x2_shr(m_simd, ROT), wasm_i64x2_shl(m_simd, 64 - ROT))); 213| | } 214| |#endif 215| 64| } _ZNK5Botan9SIMD_2x643shrILi6EEES0_v: 223| 64| SIMD_2x64 BOTAN_FN_ISA_SIMD_2X64 shr() const noexcept { 224| 64|#if defined(BOTAN_SIMD_USE_SSSE3) 225| 64| return SIMD_2x64(_mm_srli_epi64(m_simd, SHIFT)); 226| |#elif defined(BOTAN_SIMD_USE_SIMD128) 227| | return SIMD_2x64(wasm_u64x2_shr(m_simd, SHIFT)); 228| |#endif 229| 64| } _ZN5Botan6SpongeILm25EmE11state_bytesEv: 43| 4.17k| constexpr static size_t state_bytes() { return sizeof(state_t); } _ZN5Botan6SpongeILm25EmE10state_bitsEv: 45| 4.17k| constexpr static size_t state_bits() { return state_bytes() * 8; } _ZNK5Botan6SpongeILm25EmE9byte_rateEv: 49| 987k| constexpr size_t byte_rate() const { return m_bit_rate / 8; } _ZN5Botan6SpongeILm25EmEC2ENS1_6ConfigE: 39| 4.17k| constexpr explicit Sponge(Config config) : m_S(config.initial_state), m_S_cursor(0), m_bit_rate(config.bit_rate) { 40| 4.17k| BOTAN_ARG_CHECK(m_bit_rate % word_bits == 0 && m_bit_rate < words * word_bits, "Invalid sponge bit rate"); ------------------ | | 35| 4.17k| do { \ | | 36| 4.17k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 8.34k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 4.17k, False: 0] | | | Branch (37:12): [True: 4.17k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 4.17k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 4.17k] | | ------------------ ------------------ 41| 4.17k| } _ZN5Botan6SpongeILm25EmE5stateEv: 55| 1.44M| constexpr auto& state() { return m_S; } _ZN5Botan6SpongeILm25EmE12reset_cursorEv: 62| 5.13k| void reset_cursor() { m_S_cursor = 0; } _ZN5Botan6SpongeILm25EmE7_cursorEv: 59| 982k| size_t& _cursor() { return m_S_cursor; } _ZNK5Botan6SpongeILm25EmE6cursorEv: 57| 9.19k| size_t cursor() const { return m_S_cursor; } _ZN5Botan18absorb_into_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIKhLm18446744073709551615EEE: 233| 9.07k|inline void absorb_into_sponge(detail::SpongeLikeWithTrivialPermute auto& sponge, std::span input) { 234| 9.07k| absorb_into_sponge(sponge, input, [&sponge] { sponge.permute(); }); 235| 9.07k|} _ZN5Botan18absorb_into_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_EEvS5_S9_RKT0_: 223| 9.07k| const detail::PermutationFn auto& permutation_fn) { 224| 9.07k| using word_t = typename SpongeT::word_t; 225| | 226| 9.07k| BufferSlicer input_slicer(input); 227| 9.07k| process_bytes_in_sponge(sponge, input.size(), permutation_fn, [&](word_t state_word, auto bounds) { 228| 9.07k| return state_word ^ bounds.read_from(input_slicer); 229| 9.07k| }); 230| 9.07k| BOTAN_ASSERT_NOMSG(input_slicer.empty()); ------------------ | | 77| 9.07k| do { \ | | 78| 9.07k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 9.07k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 9.07k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 9.07k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 9.07k] | | ------------------ ------------------ 231| 9.07k|} _ZN5Botan23process_bytes_in_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_TkNS1_10ModifierFnIS4_EEZNS_18absorb_into_spongeITkNS1_10SpongeLikeES2_TkNS1_13PermutationFnESA_EEvS5_S9_RKT0_EUlmS4_E_EEvS5_mSF_RKT1_: 139| 9.07k| const detail::ModifierFn auto& modifier_fn) { 140| 9.07k| if(bytes_to_process == 0) { ------------------ | Branch (140:7): [True: 0, False: 9.07k] ------------------ 141| 0| return; 142| 0| } 143| | 144| 9.07k| constexpr auto word_bytes = SpongeT::word_bytes; 145| 9.07k| const auto byte_rate = sponge.byte_rate(); 146| 9.07k| auto& S = sponge.state(); 147| 9.07k| auto& cursor = sponge._cursor(); 148| | 149| | // If necessary, try to get aligned with the sponge state's words array 150| 9.07k| const auto bytes_out_of_word_alignment = static_cast(cursor % word_bytes); 151| 9.07k| if(bytes_out_of_word_alignment > 0) { ------------------ | Branch (151:7): [True: 0, False: 9.07k] ------------------ 152| 0| const auto bytes_until_word_alignment = word_bytes - bytes_out_of_word_alignment; 153| 0| const auto bytes_from_input = std::min(bytes_to_process, bytes_until_word_alignment); 154| 0| BOTAN_DEBUG_ASSERT(bytes_from_input < word_bytes); ------------------ | | 130| 0| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 0| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 0] | | ------------------ ------------------ 155| | 156| 0| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 157| 0| detail::PartialWordBounds{ 158| 0| .offset = bytes_out_of_word_alignment, 159| 0| .length = bytes_from_input, 160| 0| }); 161| 0| cursor += bytes_from_input; 162| 0| bytes_to_process -= bytes_from_input; 163| | 164| 0| if(cursor == byte_rate) { ------------------ | Branch (164:10): [True: 0, False: 0] ------------------ 165| 0| permutation_fn(); 166| 0| cursor = 0; 167| 0| } 168| 0| } 169| | 170| | // If we didn't exhaust the bytes to process for this invocation, we should 171| | // be word-aligned with the sponge state now 172| 9.07k| BOTAN_DEBUG_ASSERT(bytes_to_process == 0 || cursor % word_bytes == 0); ------------------ | | 130| 9.07k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 9.07k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 9.07k] | | ------------------ ------------------ 173| | 174| | // Block-wise incorporation of the input data into the sponge state until 175| | // all input bytes are processed 176| 15.1k| while(bytes_to_process >= word_bytes) { ------------------ | Branch (176:10): [True: 6.05k, False: 9.07k] ------------------ 177| | // Process full words until we either run out of data or reach the 178| | // end of the current sponge state block 179| 53.4k| while(bytes_to_process >= word_bytes && cursor < byte_rate) { ------------------ | Branch (179:13): [True: 48.8k, False: 4.59k] | Branch (179:47): [True: 47.3k, False: 1.45k] ------------------ 180| 47.3k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], detail::FullWordBounds{}); 181| 47.3k| cursor += word_bytes; 182| 47.3k| bytes_to_process -= word_bytes; 183| 47.3k| } 184| | 185| 6.05k| if(cursor == byte_rate) { ------------------ | Branch (185:10): [True: 1.45k, False: 4.59k] ------------------ 186| 1.45k| permutation_fn(); 187| 1.45k| cursor = 0; 188| 1.45k| } 189| 6.05k| } 190| | 191| | // Process the remaining bytes that don't fill an entire word. 192| | // Therefore, leaving the sponge state in an unaligned state that won't 193| | // need another permutation until the next call to process(). 194| 9.07k| BOTAN_DEBUG_ASSERT(bytes_to_process < word_bytes && cursor < byte_rate); ------------------ | | 130| 9.07k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 9.07k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 9.07k] | | ------------------ ------------------ 195| 9.07k| if(bytes_to_process > 0) { ------------------ | Branch (195:7): [True: 4.48k, False: 4.59k] ------------------ 196| 4.48k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 197| 4.48k| detail::PartialWordBounds{ 198| 4.48k| .offset = 0, 199| 4.48k| .length = bytes_to_process, 200| 4.48k| }); 201| 4.48k| cursor += bytes_to_process; 202| 4.48k| } 203| 9.07k|} _ZZN5Botan18absorb_into_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_EEvS5_S9_RKT0_ENKUlmS4_E_clINS1_17PartialWordBoundsIS2_EEEEDamS4_: 227| 4.48k| process_bytes_in_sponge(sponge, input.size(), permutation_fn, [&](word_t state_word, auto bounds) { 228| 4.48k| return state_word ^ bounds.read_from(input_slicer); 229| 4.48k| }); _ZNK5Botan6detail17PartialWordBoundsINS_18Keccak_PermutationEE9read_fromERNS_12BufferSlicerE: 59| 4.48k| word_t read_from(BufferSlicer& slicer) const { 60| 4.48k| std::array partial_word_bytes{}; 61| 4.48k| slicer.copy_into(std::span{partial_word_bytes}.subspan(offset, length)); 62| 4.48k| return load_le(partial_word_bytes); 63| 4.48k| } _ZZN5Botan18absorb_into_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIKhLm18446744073709551615EEEENKUlvE_clEv: 234| 1.45k| absorb_into_sponge(sponge, input, [&sponge] { sponge.permute(); }); _ZZN5Botan18absorb_into_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_18absorb_into_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIKhLm18446744073709551615EEEEUlvE_EEvS5_S9_RKT0_ENKUlmS4_E_clINS1_14FullWordBoundsIS2_EEEEDamS4_: 227| 47.3k| process_bytes_in_sponge(sponge, input.size(), permutation_fn, [&](word_t state_word, auto bounds) { 228| 47.3k| return state_word ^ bounds.read_from(input_slicer); 229| 47.3k| }); _ZNK5Botan6detail14FullWordBoundsINS_18Keccak_PermutationEE9read_fromERNS_12BufferSlicerE: 97| 47.3k| word_t read_from(BufferSlicer& slicer) const { return load_le(slicer.take()); } _ZN5Botan19squeeze_from_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIhLm18446744073709551615EEE: 258| 973k|inline void squeeze_from_sponge(detail::SpongeLikeWithTrivialPermute auto& sponge, std::span output) { 259| 973k| squeeze_from_sponge(sponge, output, [&sponge] { sponge.permute(); }); 260| 973k|} _ZN5Botan19squeeze_from_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_EEvS5_S8_RKT0_: 247| 973k| const detail::PermutationFn auto& permutation_fn) { 248| 973k| using word_t = typename SpongeT::word_t; 249| | 250| 973k| BufferStuffer output_stuffer(output); 251| 973k| process_bytes_in_sponge(sponge, output.size(), permutation_fn, [&](word_t state_word, auto bounds) { 252| 973k| bounds.write_into(output_stuffer, state_word); 253| 973k| return state_word; 254| 973k| }); 255| 973k| BOTAN_ASSERT_NOMSG(output_stuffer.full()); ------------------ | | 77| 973k| do { \ | | 78| 973k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 973k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 973k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 973k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 973k] | | ------------------ ------------------ 256| 973k|} _ZN5Botan23process_bytes_in_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_TkNS1_10ModifierFnIS4_EEZNS_19squeeze_from_spongeITkNS1_10SpongeLikeES2_TkNS1_13PermutationFnES9_EEvS5_S8_RKT0_EUlmS4_E_EEvS5_mSE_RKT1_: 139| 973k| const detail::ModifierFn auto& modifier_fn) { 140| 973k| if(bytes_to_process == 0) { ------------------ | Branch (140:7): [True: 0, False: 973k] ------------------ 141| 0| return; 142| 0| } 143| | 144| 973k| constexpr auto word_bytes = SpongeT::word_bytes; 145| 973k| const auto byte_rate = sponge.byte_rate(); 146| 973k| auto& S = sponge.state(); 147| 973k| auto& cursor = sponge._cursor(); 148| | 149| | // If necessary, try to get aligned with the sponge state's words array 150| 973k| const auto bytes_out_of_word_alignment = static_cast(cursor % word_bytes); 151| 973k| if(bytes_out_of_word_alignment > 0) { ------------------ | Branch (151:7): [True: 850k, False: 123k] ------------------ 152| 850k| const auto bytes_until_word_alignment = word_bytes - bytes_out_of_word_alignment; 153| 850k| const auto bytes_from_input = std::min(bytes_to_process, bytes_until_word_alignment); 154| 850k| BOTAN_DEBUG_ASSERT(bytes_from_input < word_bytes); ------------------ | | 130| 850k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 850k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 850k] | | ------------------ ------------------ 155| | 156| 850k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 157| 850k| detail::PartialWordBounds{ 158| 850k| .offset = bytes_out_of_word_alignment, 159| 850k| .length = bytes_from_input, 160| 850k| }); 161| 850k| cursor += bytes_from_input; 162| 850k| bytes_to_process -= bytes_from_input; 163| | 164| 850k| if(cursor == byte_rate) { ------------------ | Branch (164:10): [True: 13.1k, False: 837k] ------------------ 165| 13.1k| permutation_fn(); 166| 13.1k| cursor = 0; 167| 13.1k| } 168| 850k| } 169| | 170| | // If we didn't exhaust the bytes to process for this invocation, we should 171| | // be word-aligned with the sponge state now 172| 973k| BOTAN_DEBUG_ASSERT(bytes_to_process == 0 || cursor % word_bytes == 0); ------------------ | | 130| 973k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 973k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 973k] | | ------------------ ------------------ 173| | 174| | // Block-wise incorporation of the input data into the sponge state until 175| | // all input bytes are processed 176| 974k| while(bytes_to_process >= word_bytes) { ------------------ | Branch (176:10): [True: 608, False: 973k] ------------------ 177| | // Process full words until we either run out of data or reach the 178| | // end of the current sponge state block 179| 6.16k| while(bytes_to_process >= word_bytes && cursor < byte_rate) { ------------------ | Branch (179:13): [True: 5.58k, False: 576] | Branch (179:47): [True: 5.55k, False: 32] ------------------ 180| 5.55k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], detail::FullWordBounds{}); 181| 5.55k| cursor += word_bytes; 182| 5.55k| bytes_to_process -= word_bytes; 183| 5.55k| } 184| | 185| 608| if(cursor == byte_rate) { ------------------ | Branch (185:10): [True: 32, False: 576] ------------------ 186| 32| permutation_fn(); 187| 32| cursor = 0; 188| 32| } 189| 608| } 190| | 191| | // Process the remaining bytes that don't fill an entire word. 192| | // Therefore, leaving the sponge state in an unaligned state that won't 193| | // need another permutation until the next call to process(). 194| 973k| BOTAN_DEBUG_ASSERT(bytes_to_process < word_bytes && cursor < byte_rate); ------------------ | | 130| 973k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 973k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 973k] | | ------------------ ------------------ 195| 973k| if(bytes_to_process > 0) { ------------------ | Branch (195:7): [True: 321k, False: 652k] ------------------ 196| 321k| S[cursor / word_bytes] = modifier_fn(S[cursor / word_bytes], 197| 321k| detail::PartialWordBounds{ 198| 321k| .offset = 0, 199| 321k| .length = bytes_to_process, 200| 321k| }); 201| 321k| cursor += bytes_to_process; 202| 321k| } 203| 973k|} _ZZN5Botan19squeeze_from_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_EEvS5_S8_RKT0_ENKUlmS4_E_clINS1_17PartialWordBoundsIS2_EEEEDamS4_: 251| 1.17M| process_bytes_in_sponge(sponge, output.size(), permutation_fn, [&](word_t state_word, auto bounds) { 252| 1.17M| bounds.write_into(output_stuffer, state_word); 253| 1.17M| return state_word; 254| 1.17M| }); _ZNK5Botan6detail17PartialWordBoundsINS_18Keccak_PermutationEE10write_intoERNS_13BufferStufferEm: 69| 1.17M| void write_into(BufferStuffer& stuffer, word_t partial_word) const { 70| 1.17M| const auto partial_word_bytes = store_le(partial_word); 71| 1.17M| stuffer.append(std::span{partial_word_bytes}.subspan(offset, length)); 72| 1.17M| } _ZZN5Botan19squeeze_from_spongeITkNS_6detail28SpongeLikeWithTrivialPermuteENS_18Keccak_PermutationEEEvRT_NSt3__14spanIhLm18446744073709551615EEEENKUlvE_clEv: 259| 13.1k| squeeze_from_sponge(sponge, output, [&sponge] { sponge.permute(); }); _ZZN5Botan19squeeze_from_spongeITkNS_6detail10SpongeLikeENS_18Keccak_PermutationETkNS1_13PermutationFnEZNS_19squeeze_from_spongeITkNS1_28SpongeLikeWithTrivialPermuteES2_EEvRT_NSt3__14spanIhLm18446744073709551615EEEEUlvE_EEvS5_S8_RKT0_ENKUlmS4_E_clINS1_14FullWordBoundsIS2_EEEEDamS4_: 251| 5.55k| process_bytes_in_sponge(sponge, output.size(), permutation_fn, [&](word_t state_word, auto bounds) { 252| 5.55k| bounds.write_into(output_stuffer, state_word); 253| 5.55k| return state_word; 254| 5.55k| }); _ZNK5Botan6detail14FullWordBoundsINS_18Keccak_PermutationEE10write_intoERNS_13BufferStufferEm: 99| 5.55k| void write_into(BufferStuffer& stuffer, word_t full_word) const { stuffer.append(store_le(full_word)); } _ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEmQntsr3stdE7same_asIbT_EEES3_S3_: 43| 1.04G|constexpr inline T value_barrier(T x) { 44| 1.04G| if(std::is_constant_evaluated()) { ------------------ | Branch (44:7): [Folded, False: 1.04G] ------------------ 45| 0| return x; 46| 1.04G| } else { 47| 1.04G|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM) 48| | /* 49| | * We may want a "stronger" statement such as 50| | * asm volatile("" : "+r,m"(x) : : "memory); 51| | * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html) 52| | * however the current approach seems sufficient with current compilers, 53| | * and is minimally damaging with regards to degrading code generation. 54| | */ 55| 1.04G| asm("" : "+r"(x) : /* no input */); // NOLINT(*-no-assembler) 56| 1.04G| return x; 57| |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE) 58| | volatile T vx = x; 59| | return vx; 60| |#else 61| | return x; 62| |#endif 63| 1.04G| } 64| 1.04G|} _ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEjQntsr3stdE7same_asIbT_EEES3_S3_: 43| 286k|constexpr inline T value_barrier(T x) { 44| 286k| if(std::is_constant_evaluated()) { ------------------ | Branch (44:7): [Folded, False: 286k] ------------------ 45| 0| return x; 46| 286k| } else { 47| 286k|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM) 48| | /* 49| | * We may want a "stronger" statement such as 50| | * asm volatile("" : "+r,m"(x) : : "memory); 51| | * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html) 52| | * however the current approach seems sufficient with current compilers, 53| | * and is minimally damaging with regards to degrading code generation. 54| | */ 55| 286k| asm("" : "+r"(x) : /* no input */); // NOLINT(*-no-assembler) 56| 286k| return x; 57| |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE) 58| | volatile T vx = x; 59| | return vx; 60| |#else 61| | return x; 62| |#endif 63| 286k| } 64| 286k|} _ZN5Botan2CT13value_barrierITkNSt3__117unsigned_integralEhQntsr3stdE7same_asIbT_EEES3_S3_: 43| 3.36M|constexpr inline T value_barrier(T x) { 44| 3.36M| if(std::is_constant_evaluated()) { ------------------ | Branch (44:7): [Folded, False: 3.36M] ------------------ 45| 0| return x; 46| 3.36M| } else { 47| 3.36M|#if defined(BOTAN_CT_VALUE_BARRIER_USE_ASM) 48| | /* 49| | * We may want a "stronger" statement such as 50| | * asm volatile("" : "+r,m"(x) : : "memory); 51| | * (see https://theunixzoo.co.uk/blog/2021-10-14-preventing-optimisations.html) 52| | * however the current approach seems sufficient with current compilers, 53| | * and is minimally damaging with regards to degrading code generation. 54| | */ 55| 3.36M| asm("" : "+r"(x) : /* no input */); // NOLINT(*-no-assembler) 56| 3.36M| return x; 57| |#elif defined(BOTAN_CT_VALUE_BARRIER_USE_VOLATILE) 58| | volatile T vx = x; 59| | return vx; 60| |#else 61| | return x; 62| |#endif 63| 3.36M| } 64| 3.36M|} _ZN5Botan21Allocator_InitializerC2Ev: 50| 1| Allocator_Initializer() { initialize_allocator(); } _ZNK5Botan10BER_Object6is_setEv: 138| 186k| bool is_set() const { return m_type_tag != ASN1_Type::NoObject; } _ZNK5Botan10BER_Object7taggingEv: 140| 76.7k| uint32_t tagging() const { return type_tag() | class_tag(); } _ZNK5Botan10BER_Object8type_tagEv: 142| 80.9k| ASN1_Type type_tag() const { return m_type_tag; } _ZNK5Botan10BER_Object9class_tagEv: 144| 92.0k| ASN1_Class class_tag() const { return m_class_tag; } _ZNK5Botan10BER_Object4bitsEv: 150| 906k| const uint8_t* bits() const { return m_value.data(); } _ZNK5Botan10BER_Object6lengthEv: 152| 1.91M| size_t length() const { return m_value.size(); } _ZNK5Botan10BER_Object4dataEv: 154| 28.6k| std::span data() const { return std::span{m_value}; } _ZN5Botan10BER_Object12mutable_bitsEm: 171| 65.1k| uint8_t* mutable_bits(size_t length) { 172| 65.1k| m_value.resize(length); 173| 65.1k| return m_value.data(); 174| 65.1k| } _ZNK5Botan3OID5emptyEv: 265| 9.38k| bool empty() const { return m_id.empty(); } _ZNK5Botan3OID9has_valueEv: 271| 4.21k| bool has_value() const { return !empty(); } _ZNK5Botan3OIDeqERKS0_: 301| 49.8k| bool operator==(const OID& other) const { return m_id == other.m_id; } _ZNK5Botan19AlgorithmIdentifier3oidEv: 407| 13.1k| const OID& oid() const { return m_oid; } _ZNK5Botan19AlgorithmIdentifier10parametersEv: 409| 4.46k| const std::vector& parameters() const { return m_parameters; } _ZN5BotanorENS_10ASN1_ClassES0_: 78| 20.7k|inline ASN1_Class operator|(ASN1_Class x, ASN1_Class y) { 79| 20.7k| return static_cast(static_cast(x) | static_cast(y)); 80| 20.7k|} _ZN5BotanorENS_9ASN1_TypeENS_10ASN1_ClassE: 82| 76.7k|inline uint32_t operator|(ASN1_Type x, ASN1_Class y) { 83| 76.7k| return static_cast(x) | static_cast(y); 84| 76.7k|} _ZN5BotanorENS_10ASN1_ClassENS_9ASN1_TypeE: 86| 11.6k|inline uint32_t operator|(ASN1_Class x, ASN1_Type y) { 87| 11.6k| return static_cast(x) | static_cast(y); 88| 11.6k|} _ZN5BotanneERKNS_3OIDES2_: 342| 4.06k|inline bool operator!=(const OID& a, const OID& b) { 343| 4.06k| return !(a == b); 344| 4.06k|} _ZNKSt3__14hashIN5Botan3OIDEEclERKS2_: 441| 1.74k| size_t operator()(const Botan::OID& oid) const noexcept { return static_cast(oid.hash_code()); } _ZN5Botan3OIDC2Ev: 220| 27.2k| explicit OID() = default; _ZN5Botan11ASN1_ObjectC2Ev: 117| 89.6k| ASN1_Object() = default; _ZN5Botan11ASN1_ObjectD2Ev: 122| 93.6k| virtual ~ASN1_Object() = default; _ZN5Botan11ASN1_ObjectC2ERKS0_: 118| 3.21k| ASN1_Object(const ASN1_Object&) = default; _ZN5Botan11ASN1_ObjectaSERKS0_: 119| 3.05k| ASN1_Object& operator=(const ASN1_Object&) = default; _ZN5Botan19AlgorithmIdentifierC2Ev: 399| 15.1k| AlgorithmIdentifier() = default; _ZN5Botan11ASN1_ObjectC2EOS0_: 120| 822| ASN1_Object(ASN1_Object&&) = default; _ZN5Botan10BER_ObjectC2Ev: 130| 119k| BER_Object() = default; _ZN5Botan10BER_ObjectaSEOS0_: 135| 29.3k| BER_Object& operator=(BER_Object&& other) = default; _ZN5Botan10BER_ObjectC2EOS0_: 133| 27.1k| BER_Object(BER_Object&& other) = default; _ZN5Botan13ignore_paramsIJPKmmEEEvDpRKT_: 142| 55.8M|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJmEEEvDpRKT_: 142| 44.8k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJNSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEEEEvDpRKT_: 142| 1.12k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKhmEEEvDpRKT_: 142| 3.44k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKbmEEEvDpRKT_: 142| 354k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKimEEEvDpRKT_: 142| 2.97k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJPKsmEEEvDpRKT_: 142| 184|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan13ignore_paramsIJNSt3__14spanIKhLm18446744073709551615EEES4_EEEvDpRKT_: 142| 4.53k|constexpr void ignore_params([[maybe_unused]] const T&... args) {} _ZN5Botan11BER_Decoder6Limits3DEREv: 35| 15.0k| static Limits DER() { return Limits(false, 0); } _ZN5Botan11BER_Decoder6LimitsC2Ebm: 54| 15.0k| m_allow_ber(allow_ber), m_max_nested_indef(max_nested_indef) {} _ZN5Botan11BER_Decoder14start_sequenceEv: 160| 20.9k| BER_Decoder start_sequence() { return start_cons(ASN1_Type::Sequence, ASN1_Class::Universal); } _ZN5Botan11BER_Decoder6decodeERNS_6BigIntE: 230| 4.29k| BER_Decoder& decode(BigInt& out) { return decode(out, ASN1_Type::Integer, ASN1_Class::Universal); } _ZN5Botan11BER_Decoder6decodeINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EENS_9ASN1_TypeE: 242| 1.17k| BER_Decoder& decode(std::vector& out, ASN1_Type real_type) { 243| 1.17k| return decode(out, real_type, real_type, ASN1_Class::Universal); 244| 1.17k| } _ZN5Botan11BER_Decoder16decode_and_checkImEERS0_RKT_NSt3__117basic_string_viewIcNS6_11char_traitsIcEEEE: 327| 11.4k| BER_Decoder& decode_and_check(const T& expected, std::string_view error_msg) { 328| 11.4k| T actual; 329| 11.4k| decode(actual); 330| | 331| 11.4k| if(actual != expected) { ------------------ | Branch (331:13): [True: 76, False: 11.4k] ------------------ 332| 76| throw Decoding_Error(error_msg); 333| 76| } 334| | 335| 11.4k| return (*this); 336| 11.4k| } _ZN5Botan11BER_Decoder6decodeERm: 225| 11.4k| BER_Decoder& decode(size_t& out) { return decode(out, ASN1_Type::Integer, ASN1_Class::Universal); } _ZN5Botan11BER_Decoder16decode_and_checkINS_3OIDEEERS0_RKT_NSt3__117basic_string_viewIcNS7_11char_traitsIcEEEE: 327| 1.19k| BER_Decoder& decode_and_check(const T& expected, std::string_view error_msg) { 328| 1.19k| T actual; 329| 1.19k| decode(actual); 330| | 331| 1.19k| if(actual != expected) { ------------------ | Branch (331:13): [True: 9, False: 1.19k] ------------------ 332| 9| throw Decoding_Error(error_msg); 333| 9| } 334| | 335| 1.19k| return (*this); 336| 1.19k| } _ZN5Botan11BER_Decoder22decode_optional_stringINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EENS_9ASN1_TypeESA_NS_10ASN1_ClassE: 369| 1.18k| ASN1_Class class_tag = ASN1_Class::ContextSpecific) { 370| 1.18k| return decode_optional_string(out, real_type, static_cast(expected_tag), class_tag); 371| 1.18k| } _ZN5Botan11BER_Decoder22decode_optional_stringINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EENS_9ASN1_TypeEjNS_10ASN1_ClassE: 345| 1.18k| ASN1_Class class_tag = ASN1_Class::ContextSpecific) { 346| 1.18k| BER_Object obj = get_next_object(); 347| | 348| 1.18k| const ASN1_Type type_tag = static_cast(expected_tag); 349| | 350| 1.18k| if(obj.is_a(type_tag, class_tag)) { ------------------ | Branch (350:13): [True: 1.17k, False: 6] ------------------ 351| 1.17k| if(class_tag == ASN1_Class::ExplicitContextSpecific) { ------------------ | Branch (351:16): [True: 0, False: 1.17k] ------------------ 352| 0| BER_Decoder(obj, m_limits).decode(out, real_type).verify_end(); 353| 1.17k| } else { 354| 1.17k| push_back(std::move(obj)); 355| 1.17k| decode(out, real_type, type_tag, class_tag); 356| 1.17k| } 357| 1.17k| } else { 358| 6| out.clear(); 359| 6| push_back(std::move(obj)); 360| 6| } 361| | 362| 1.18k| return (*this); 363| 1.18k| } _ZN5Botan11BER_DecoderC2ERKNS_10BER_ObjectENS0_6LimitsE: 81| 1.76k| BER_Decoder(obj.data(), limits) {} _ZNK5Botan11BER_Decoder6Limits18allow_ber_encodingEv: 44| 161k| bool allow_ber_encoding() const { return m_allow_ber; } _ZNK5Botan11BER_Decoder6Limits20require_der_encodingEv: 46| 96.2k| bool require_der_encoding() const { return !allow_ber_encoding(); } _ZNK5Botan11BER_Decoder6limitsEv: 98| 20.7k| Limits limits() const { return m_limits; } _ZN5Botan11BER_Decoder6decodeINS_16secure_allocatorIhEEEERS0_RNSt3__16vectorIhT_EENS_9ASN1_TypeE: 242| 13.0k| BER_Decoder& decode(std::vector& out, ASN1_Type real_type) { 243| 13.0k| return decode(out, real_type, real_type, ASN1_Class::Universal); 244| 13.0k| } _ZN5Botan11BER_Decoder9raw_bytesINSt3__19allocatorIhEEEERS0_RNS2_6vectorIhT_EE: 203| 6.61k| BER_Decoder& raw_bytes(std::vector& out) { 204| 6.61k| out.clear(); 205| 522k| for(;;) { 206| 522k| if(auto next = this->read_next_byte()) { ------------------ | Branch (206:21): [True: 516k, False: 6.61k] ------------------ 207| 516k| out.push_back(*next); 208| 516k| } else { 209| 6.61k| break; 210| 6.61k| } 211| 522k| } 212| 6.61k| return (*this); 213| 6.61k| } _ZN5Botan11BER_Decoder15decode_optionalINS_3OIDEEERS0_RT_NS_9ASN1_TypeENS_10ASN1_ClassERKS4_: 285| 3.05k| BER_Decoder& decode_optional(T& out, ASN1_Type type_tag, ASN1_Class class_tag, const T& default_value = T()) { 286| 3.05k| std::optional optval; 287| 3.05k| this->decode_optional(optval, type_tag, class_tag); 288| 3.05k| out = optval ? *optval : default_value; ------------------ | Branch (288:16): [True: 755, False: 2.30k] ------------------ 289| 3.05k| return (*this); 290| 3.05k| } _ZN5Botan11BER_Decoder15decode_optionalINS_3OIDEEERS0_RNSt3__18optionalIT_EENS_9ASN1_TypeENS_10ASN1_ClassE: 394| 3.05k|BER_Decoder& BER_Decoder::decode_optional(std::optional& optval, ASN1_Type type_tag, ASN1_Class class_tag) { 395| 3.05k| BER_Object obj = get_next_object(); 396| | 397| 3.05k| if(obj.is_a(type_tag, class_tag)) { ------------------ | Branch (397:7): [True: 758, False: 2.30k] ------------------ 398| 758| T out{}; 399| 758| if(class_tag == ASN1_Class::ExplicitContextSpecific) { ------------------ | Branch (399:10): [True: 758, False: 0] ------------------ 400| 758| BER_Decoder(obj, m_limits).decode(out).verify_end(); 401| 758| } else { 402| 0| this->push_back(std::move(obj)); 403| 0| this->decode(out, type_tag, class_tag); 404| 0| } 405| 758| optval = std::move(out); 406| 2.30k| } else { 407| 2.30k| this->push_back(std::move(obj)); 408| 2.30k| optval = std::nullopt; 409| 2.30k| } 410| | 411| 3.05k| return (*this); 412| 3.05k|} _ZN5Botan11BER_Decoder22decode_optional_stringINS_16secure_allocatorIhEEEERS0_RNSt3__16vectorIhT_EENS_9ASN1_TypeEjNS_10ASN1_ClassE: 345| 3.05k| ASN1_Class class_tag = ASN1_Class::ContextSpecific) { 346| 3.05k| BER_Object obj = get_next_object(); 347| | 348| 3.05k| const ASN1_Type type_tag = static_cast(expected_tag); 349| | 350| 3.05k| if(obj.is_a(type_tag, class_tag)) { ------------------ | Branch (350:13): [True: 1.00k, False: 2.05k] ------------------ 351| 1.00k| if(class_tag == ASN1_Class::ExplicitContextSpecific) { ------------------ | Branch (351:16): [True: 1.00k, False: 0] ------------------ 352| 1.00k| BER_Decoder(obj, m_limits).decode(out, real_type).verify_end(); 353| 1.00k| } else { 354| 0| push_back(std::move(obj)); 355| 0| decode(out, real_type, type_tag, class_tag); 356| 0| } 357| 2.05k| } else { 358| 2.05k| out.clear(); 359| 2.05k| push_back(std::move(obj)); 360| 2.05k| } 361| | 362| 3.05k| return (*this); 363| 3.05k| } _ZN5Botan6BigInt4zeroEv: 50| 43.7k| static BigInt zero() { return BigInt(); } _ZN5Botan6BigInt3oneEv: 55| 1.89k| static BigInt one() { return BigInt::from_u64(1); } _ZN5Botan6BigIntC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 98| 18.6k| explicit BigInt(std::string_view str) { *this = BigInt::from_string(str); } _ZN5Botan6BigIntC2ENSt3__14spanIKhLm18446744073709551615EEE: 139| 691| explicit BigInt(std::span bytes) { assign_from_bytes(bytes); } _ZN5Botan6BigIntC2EOS0_: 183| 72.0k| BigInt(BigInt&& other) noexcept { this->swap(other); } _ZN5Botan6BigIntD2Ev: 185| 9.95M| ~BigInt() { _const_time_unpoison(); } _ZN5Botan6BigIntaSEOS0_: 190| 3.71M| BigInt& operator=(BigInt&& other) noexcept { 191| 3.71M| if(this != &other) { ------------------ | Branch (191:13): [True: 3.71M, False: 0] ------------------ 192| 3.71M| this->swap(other); 193| 3.71M| } 194| | 195| 3.71M| return (*this); 196| 3.71M| } _ZN5Botan6BigInt4swapERS0_: 207| 6.16M| void swap(BigInt& other) noexcept { 208| 6.16M| m_data.swap(other.m_data); 209| 6.16M| std::swap(m_signedness, other.m_signedness); 210| 6.16M| } _ZN5Botan6BigInt8swap_regERNSt3__16vectorImNS_16secure_allocatorImEEEE: 214| 1.69M| BOTAN_DEPRECATED("Deprecated no replacement") void swap_reg(secure_vector& reg) { 215| 1.69M| m_data.swap(reg); 216| | // sign left unchanged 217| 1.69M| } _ZN5Botan6BigIntpLEm: 229| 2.50k| BigInt& operator+=(word y) { return add(&y, 1, Positive); } _ZN5Botan6BigIntmIEm: 241| 1.86k| BigInt& operator-=(word y) { return sub(&y, 1, Positive); } _ZN5Botan6BigInt3subEPKmmNS0_4SignE: 332| 86.1k| BigInt& sub(const word y[], size_t y_words, Sign sign) { 333| 86.1k| return add(y, y_words, sign == Positive ? Negative : Positive); ------------------ | Branch (333:33): [True: 86.1k, False: 0] ------------------ 334| 86.1k| } _ZN5Botan6BigInt5clearEv: 415| 45.4k| void clear() { 416| 45.4k| m_data.set_to_zero(); 417| 45.4k| m_signedness = Positive; 418| 45.4k| } _ZNK5Botan6BigInt7is_evenEv: 455| 10.6k| bool is_even() const { return !get_bit(0); } _ZNK5Botan6BigInt6is_oddEv: 461| 1.01M| bool is_odd() const { return get_bit(0); } _ZNK5Botan6BigInt6signumEv: 467| 20.9M| int signum() const { 468| 20.9M| if(sig_words() == 0) { ------------------ | Branch (468:13): [True: 17.3k, False: 20.9M] ------------------ 469| 17.3k| return 0; 470| 17.3k| } 471| 20.9M| return (sign() == Negative) ? -1 : 1; ------------------ | Branch (471:17): [True: 8.42k, False: 20.9M] ------------------ 472| 20.9M| } _ZNK5Botan6BigInt7is_zeroEv: 484| 1.97M| bool is_zero() const { return sig_words() == 0; } _ZN5Botan6BigInt7set_bitEm: 490| 21.2k| void set_bit(size_t n) { conditionally_set_bit(n, true); } _ZN5Botan6BigInt21conditionally_set_bitEmb: 500| 738k| void conditionally_set_bit(size_t n, bool set_it) { 501| 738k| const size_t which = n / (sizeof(word) * 8); 502| 738k| const word mask = static_cast(set_it) << (n % (sizeof(word) * 8)); 503| 738k| m_data.set_word_at(which, word_at(which) | mask); 504| 738k| } _ZNK5Botan6BigInt7get_bitEm: 523| 1.74M| bool get_bit(size_t n) const { return ((word_at(n / (sizeof(word) * 8)) >> (n % (sizeof(word) * 8))) & 1) == 1; } _ZNK5Botan6BigInt7word_atEm: 574| 29.6M| word word_at(size_t n) const { return m_data.get_word_at(n); } _ZN5Botan6BigInt11set_word_atEmm: 576| 14.0M| BOTAN_DEPRECATED("Deprecated no replacement") void set_word_at(size_t i, word w) { m_data.set_word_at(i, w); } _ZN5Botan6BigInt9set_wordsEPKmm: 578| 45.0k| BOTAN_DEPRECATED("Deprecated no replacement") void set_words(const word w[], size_t len) { 579| 45.0k| m_data.set_words(w, len); 580| 45.0k| } _ZNK5Botan6BigInt4signEv: 604| 26.2M| Sign sign() const { return (m_signedness); } _ZNK5Botan6BigInt12reverse_signEv: 609| 4.54k| Sign reverse_sign() const { 610| 4.54k| if(sign() == Positive) { ------------------ | Branch (610:13): [True: 3.64k, False: 902] ------------------ 611| 3.64k| return Negative; 612| 3.64k| } 613| 902| return Positive; 614| 4.54k| } _ZN5Botan6BigInt9flip_signEv: 619| 2.80k| BOTAN_DEPRECATED("Deprecated no replacement") void flip_sign() { set_sign(reverse_sign()); } _ZN5Botan6BigInt8set_signENS0_4SignE: 625| 1.86M| void set_sign(Sign sign) { 626| 1.86M| if(sign == Negative && is_zero()) { ------------------ | Branch (626:13): [True: 5.23k, False: 1.86M] | Branch (626:33): [True: 1.59k, False: 3.64k] ------------------ 627| 1.59k| sign = Positive; 628| 1.59k| } 629| | 630| 1.86M| m_signedness = sign; 631| 1.86M| } _ZNK5Botan6BigInt4sizeEv: 642| 104M| size_t size() const { return m_data.size(); } _ZNK5Botan6BigInt9sig_wordsEv: 648| 43.8M| size_t sig_words() const { return m_data.sig_words(); } _ZN5Botan6BigInt12mutable_dataEv: 673| 36.1M| BOTAN_DEPRECATED("Deprecated no replacement") word* mutable_data() { return m_data.mutable_data(); } _ZNK5Botan6BigInt4dataEv: 679| 15.8k| BOTAN_DEPRECATED("Deprecated no replacement") const word* data() const { return m_data.const_data(); } _ZN5Botan6BigInt15get_word_vectorEv: 684| 1.23M| BOTAN_DEPRECATED("Deprecated no replacement") secure_vector& get_word_vector() { 685| 1.23M| return m_data.mutable_vector(); 686| 1.23M| } _ZNK5Botan6BigInt7grow_toEm: 699| 13.8M| BOTAN_DEPRECATED("Deprecated no replacement") void grow_to(size_t n) const { m_data.grow_to(n); } _ZN5Botan6BigInt10power_of_2Em: 856| 7.99k| static BigInt power_of_2(size_t n) { 857| 7.99k| BigInt b; 858| 7.99k| b.set_bit(n); 859| 7.99k| return b; 860| 7.99k| } _ZN5Botan6BigInt6decodeEPKhm: 893| 1.15k| BOTAN_DEPRECATED("Use BigInt::from_bytes") static BigInt decode(const uint8_t buf[], size_t length) { 894| 1.15k| return BigInt::from_bytes(std::span{buf, length}); 895| 1.15k| } _ZN5Botan6BigInt11encode_1363EPhmRKS0_: 940| 200| static void encode_1363(uint8_t out[], size_t bytes, const BigInt& n) { 941| 200| n.serialize_to(std::span{out, bytes}); 942| 200| } _ZNK5Botan6BigInt8_as_spanEv: 962| 1.31M| std::span _as_span() const { return m_data.const_span(); } _ZNK5Botan6BigInt5_dataEv: 972| 75.6M| const word* _data() const { return m_data.const_data(); } _ZN5Botan6BigInt18_assign_from_bytesENSt3__14spanIKhLm18446744073709551615EEE: 983| 15.3k| void _assign_from_bytes(std::span bytes) { assign_from_bytes(bytes); } _ZN5Botan6BigInt11_from_wordsERNSt3__16vectorImNS_16secure_allocatorImEEEE: 991| 3.02M| static BigInt _from_words(secure_vector& words) { 992| 3.02M| BigInt bn; 993| 3.02M| bn.m_data.swap(words); 994| 3.02M| return bn; 995| 3.02M| } _ZN5Botan6BigInt4Data12mutable_dataEv: 1022| 37.3M| word* mutable_data() { 1023| 37.3M| invalidate_sig_words(); 1024| 37.3M| return m_reg.data(); 1025| 37.3M| } _ZNK5Botan6BigInt4Data10const_dataEv: 1027| 85.6M| const word* const_data() const { return m_reg.data(); } _ZNK5Botan6BigInt4Data10const_spanEv: 1029| 1.31M| std::span const_span() const { return std::span{m_reg}; } _ZN5Botan6BigInt4Data14mutable_vectorEv: 1031| 1.23M| secure_vector& mutable_vector() { 1032| 1.23M| invalidate_sig_words(); 1033| 1.23M| return m_reg; 1034| 1.23M| } _ZNK5Botan6BigInt4Data11get_word_atEm: 1038| 29.6M| word get_word_at(size_t n) const { 1039| 29.6M| if(n < m_reg.size()) { ------------------ | Branch (1039:19): [True: 29.6M, False: 20.4k] ------------------ 1040| 29.6M| return m_reg[n]; 1041| 29.6M| } 1042| 20.4k| return 0; 1043| 29.6M| } _ZN5Botan6BigInt4Data11set_word_atEmm: 1045| 14.7M| void set_word_at(size_t i, word w) { 1046| 14.7M| invalidate_sig_words(); 1047| 14.7M| if(i >= m_reg.size()) { ------------------ | Branch (1047:19): [True: 1.08M, False: 13.6M] ------------------ 1048| 1.08M| if(w == 0) { ------------------ | Branch (1048:22): [True: 1.04M, False: 44.9k] ------------------ 1049| 1.04M| return; 1050| 1.04M| } 1051| 44.9k| grow_to(i + 1); 1052| 44.9k| } 1053| 13.6M| m_reg[i] = w; 1054| 13.6M| } _ZN5Botan6BigInt4Data9set_wordsEPKmm: 1056| 45.0k| void set_words(const word w[], size_t len) { 1057| 45.0k| invalidate_sig_words(); 1058| 45.0k| m_reg.assign(w, w + len); 1059| 45.0k| } _ZNK5Botan6BigInt4Data7grow_toEm: 1065| 13.9M| void grow_to(size_t n) const { 1066| 13.9M| if(n > size()) { ------------------ | Branch (1066:19): [True: 5.96M, False: 8.03M] ------------------ 1067| 5.96M| if(n <= m_reg.capacity()) { ------------------ | Branch (1067:22): [True: 683k, False: 5.27M] ------------------ 1068| 683k| m_reg.resize(n); 1069| 5.27M| } else { 1070| 5.27M| m_reg.resize(n + (8 - (n % 8))); 1071| 5.27M| } 1072| 5.96M| } 1073| 13.9M| } _ZNK5Botan6BigInt4Data4sizeEv: 1075| 129M| size_t size() const { return m_reg.size(); } _ZN5Botan6BigInt4Data4swapERS1_: 1090| 6.16M| void swap(Data& other) noexcept { 1091| 6.16M| m_reg.swap(other.m_reg); 1092| 6.16M| std::swap(m_sig_words, other.m_sig_words); 1093| 6.16M| } _ZN5Botan6BigInt4Data4swapERNSt3__16vectorImNS_16secure_allocatorImEEEE: 1095| 4.76M| void swap(secure_vector& reg) noexcept { 1096| 4.76M| m_reg.swap(reg); 1097| 4.76M| invalidate_sig_words(); 1098| 4.76M| } _ZNK5Botan6BigInt4Data20invalidate_sig_wordsEv: 1100| 58.1M| void invalidate_sig_words() const noexcept { m_sig_words = sig_words_npos; } _ZNK5Botan6BigInt4Data9sig_wordsEv: 1102| 43.8M| size_t sig_words() const { 1103| 43.8M| if(m_sig_words == sig_words_npos) { ------------------ | Branch (1103:19): [True: 16.6M, False: 27.2M] ------------------ 1104| 16.6M| m_sig_words = calc_sig_words(); 1105| 16.6M| } 1106| 43.8M| return m_sig_words; 1107| 43.8M| } _ZN5BotanplERKNS_6BigIntES2_: 1125| 971k|inline BigInt operator+(const BigInt& x, const BigInt& y) { 1126| 971k| return BigInt::add2(x, y._data(), y.sig_words(), y.sign()); 1127| 971k|} _ZN5BotanplERKNS_6BigIntEm: 1129| 3.22k|inline BigInt operator+(const BigInt& x, word y) { 1130| 3.22k| return BigInt::add2(x, &y, 1, BigInt::Positive); 1131| 3.22k|} _ZN5BotanmiERKNS_6BigIntES2_: 1137| 1.73k|inline BigInt operator-(const BigInt& x, const BigInt& y) { 1138| 1.73k| return BigInt::add2(x, y._data(), y.sig_words(), y.reverse_sign()); 1139| 1.73k|} _ZN5BotanmiERKNS_6BigIntEm: 1141| 6.17k|inline BigInt operator-(const BigInt& x, word y) { 1142| 6.17k| return BigInt::add2(x, &y, 1, BigInt::Negative); 1143| 6.17k|} _ZN5BotanmlEmRKNS_6BigIntE: 1148| 78.8k|inline BigInt operator*(word x, const BigInt& y) { 1149| 78.8k| return y * x; 1150| 78.8k|} _ZN5BotaneqERKNS_6BigIntES2_: 1162| 27.5k|inline bool operator==(const BigInt& a, const BigInt& b) { 1163| 27.5k| return a.is_equal(b); 1164| 27.5k|} _ZN5BotanneERKNS_6BigIntES2_: 1166| 5.22k|inline bool operator!=(const BigInt& a, const BigInt& b) { 1167| 5.22k| return !a.is_equal(b); 1168| 5.22k|} _ZN5BotangeERKNS_6BigIntES2_: 1174| 17.6k|inline bool operator>=(const BigInt& a, const BigInt& b) { 1175| 17.6k| return (a.cmp(b) >= 0); 1176| 17.6k|} _ZN5BotanltERKNS_6BigIntES2_: 1178| 68.3k|inline bool operator<(const BigInt& a, const BigInt& b) { 1179| 68.3k| return a.is_less_than(b); 1180| 68.3k|} _ZN5BotangtERKNS_6BigIntES2_: 1182| 46|inline bool operator>(const BigInt& a, const BigInt& b) { 1183| 46| return b.is_less_than(a); 1184| 46|} _ZN5BotaneqERKNS_6BigIntEm: 1186| 138k|inline bool operator==(const BigInt& a, word b) { 1187| 138k| return (a.cmp_word(b) == 0); 1188| 138k|} _ZN5BotanneERKNS_6BigIntEm: 1190| 72.9k|inline bool operator!=(const BigInt& a, word b) { 1191| 72.9k| return (a.cmp_word(b) != 0); 1192| 72.9k|} _ZN5BotanleERKNS_6BigIntEm: 1194| 4.32k|inline bool operator<=(const BigInt& a, word b) { 1195| 4.32k| return (a.cmp_word(b) <= 0); 1196| 4.32k|} _ZN5BotangeERKNS_6BigIntEm: 1198| 10.4k|inline bool operator>=(const BigInt& a, word b) { 1199| 10.4k| return (a.cmp_word(b) >= 0); 1200| 10.4k|} _ZN5BotanltERKNS_6BigIntEm: 1202| 23.2k|inline bool operator<(const BigInt& a, word b) { 1203| 23.2k| return (a.cmp_word(b) < 0); 1204| 23.2k|} _ZN5BotangtERKNS_6BigIntEm: 1206| 5.87k|inline bool operator>(const BigInt& a, word b) { 1207| 5.87k| return (a.cmp_word(b) > 0); 1208| 5.87k|} _ZNK5Botan6BigInt9serializeINSt3__16vectorIhNS2_9allocatorIhEEEEEET_m: 747| 296| T serialize(size_t len) const { 748| | // TODO this supports std::vector and secure_vector 749| | // it would be nice if this also could work with std::array as in 750| | // bn.serialize_to>(32); 751| 296| T out(len); 752| 296| this->serialize_to(out); 753| 296| return out; 754| 296| } _ZN5Botan6BigIntC2Ev: 45| 8.67M| BigInt() = default; _ZN5Botan6BigIntC2ERKS0_: 88| 1.18M| BigInt(const BigInt& other) = default; _ZN5Botan6BigIntaSERKS0_: 201| 2.41M| BigInt& operator=(const BigInt&) = default; _ZN5Botan20Buffered_Computation6updateEPKhm: 34| 2| void update(const uint8_t in[], size_t length) { add_data({in, length}); } _ZN5Botan20Buffered_Computation6updateENSt3__14spanIKhLm18446744073709551615EEE: 40| 90| void update(std::span in) { add_data(in); } _ZN5Botan20Buffered_Computation5finalEPh: 69| 2| void final(uint8_t out[]) { final_result({out, output_length()}); } _ZN5Botan20Buffered_Computation5finalITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS_16secure_allocatorIhEEEEEET_v: 77| 30| T final() { 78| 30| T output(output_length()); 79| 30| final_result(output); 80| 30| return output; 81| 30| } _ZN5Botan20Buffered_ComputationD2Ev: 130| 62| virtual ~Buffered_Computation() = default; _ZN5Botan20Buffered_Computation7processITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_21KyberHashedPublicKey_EJEEEEET_NS4_4spanIKhLm18446744073709551615EEE: 125| 30| T process(std::span in) { 126| 30| update(in); 127| 30| return final(); 128| 30| } _ZN5Botan20Buffered_Computation5finalITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_21KyberHashedPublicKey_EJEEEEET_v: 77| 30| T final() { 78| 30| T output(output_length()); 79| 30| final_result(output); 80| 30| return output; 81| 30| } _ZN5Botan8CurveGFp4swapERS0_: 69| 527k| void swap(CurveGFp& other) noexcept { std::swap(m_group, other.m_group); } _ZNK5Botan8CurveGFpeqERKS0_: 71| 348k| bool operator==(const CurveGFp& other) const { return (m_group == other.m_group); } _ZN5Botan8CurveGFpC2Ev: 62| 619k| CurveGFp() = default; _ZN5Botan17DataSource_MemoryC2ENSt3__14spanIKhLm18446744073709551615EEE: 141| 24.3k| explicit DataSource_Memory(std::span in) : m_source(in.begin(), in.end()), m_offset(0) {} _ZN5Botan10DataSourceC2Ev: 100| 45.0k| DataSource() = default; _ZN5Botan10DataSourceD2Ev: 101| 45.0k| virtual ~DataSource() = default; _ZN5Botan17DataSource_MemoryC2ENSt3__16vectorIhNS_16secure_allocatorIhEEEE: 135| 5| explicit DataSource_Memory(secure_vector in) : m_source(std::move(in)), m_offset(0) {} _ZN5Botan11DER_Encoder10add_objectENS_9ASN1_TypeENS_10ASN1_ClassENSt3__14spanIKhLm18446744073709551615EEE: 185| 3.05k| DER_Encoder& add_object(ASN1_Type type_tag, ASN1_Class class_tag, std::span rep) { 186| 3.05k| return add_object(type_tag, class_tag, rep.data(), rep.size()); 187| 3.05k| } _ZN5Botan11DER_Encoder10add_objectENS_9ASN1_TypeENS_10ASN1_ClassERKNSt3__16vectorIhNS3_9allocatorIhEEEE: 189| 3.05k| DER_Encoder& add_object(ASN1_Type type_tag, ASN1_Class class_tag, const std::vector& rep) { 190| 3.05k| return add_object(type_tag, class_tag, std::span{rep}); 191| 3.05k| } _ZN5Botan12DH_PublicKeyC2Ev: 68| 108| DH_PublicKey() = default; _ZNK5Botan13DilithiumMode19is_dilithium_round3Ev: 49| 169| bool is_dilithium_round3() const { return !is_ml_dsa(); } _ZNK5Botan13DilithiumMode4modeEv: 53| 507| Mode mode() const { return m_mode; } _ZN5Botan19Dilithium_PublicKeyC2Ev: 101| 86| Dilithium_PublicKey() = default; _ZN5Botan13DSA_PublicKeyC2Ev: 71| 111| DSA_PublicKey() = default; _ZNK5Botan14EC_AffinePoint5innerEv: 274| 1.97k| const EC_AffinePoint_Data& inner() const { return *m_point; } _ZNK5Botan8EC_Group5_dataEv: 458| 3.96k| const std::shared_ptr& _data() const { return m_data; } _ZN5Botan8EC_GroupC2EOS0_: 221| 4.93k| EC_Group(EC_Group&&) = default; _ZN5Botan8EC_PointC2EOS0_: 62| 200| EC_Point(EC_Point&& other) noexcept { this->swap(other); } _ZN5Botan8EC_PointaSEOS0_: 72| 440k| EC_Point& operator=(EC_Point&& other) noexcept { 73| 440k| if(this != &other) { ------------------ | Branch (73:13): [True: 440k, False: 0] ------------------ 74| 440k| this->swap(other); 75| 440k| } 76| 440k| return (*this); 77| 440k| } _ZNK5Botan8EC_Point7is_zeroEv: 163| 1.22M| bool is_zero() const { return m_z.is_zero(); } _ZNK5Botan8EC_Point5get_xEv: 238| 609k| BOTAN_DEPRECATED("Use affine coordinates only") const BigInt& get_x() const { return m_x; } _ZNK5Botan8EC_Point5get_yEv: 245| 609k| BOTAN_DEPRECATED("Use affine coordinates only") const BigInt& get_y() const { return m_y; } _ZNK5Botan8EC_Point4plusERKS0_RNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 338| 348k| EC_Point plus(const EC_Point& other, std::vector& workspace) const { 339| 348k| EC_Point x = (*this); 340| 348k| x.add(other, workspace); 341| 348k| return x; 342| 348k| } _ZNK5Botan8EC_Point9get_curveEv: 361| 736| BOTAN_DEPRECATED("Deprecated no replacement") const CurveGFp& get_curve() const { return m_curve; } _ZN5Botan8EC_PointD2Ev: 79| 970k| ~EC_Point() = default; _ZN5Botan8EC_PointC2Ev: 46| 616k| EC_Point() = default; _ZN5Botan8EC_PointC2ERKS0_: 57| 349k| EC_Point(const EC_Point&) = default; _ZN5Botan8EC_PointaSERKS0_: 67| 348k| EC_Point& operator=(const EC_Point&) = default; _ZNK5Botan9EC_Scalar10is_nonzeroEv: 161| 2.95k| bool is_nonzero() const { return !is_zero(); } _ZNK5Botan9EC_Scalar6_innerEv: 244| 1.97k| const EC_Scalar_Data& _inner() const { return inner(); } _ZNK5Botan9EC_Scalar5innerEv: 253| 9.86k| const EC_Scalar_Data& inner() const { return *m_scalar; } _ZN5Botan12EC_PublicKeyC2Ev: 137| 4.24k| EC_PublicKey() = default; _ZN5Botan12EC_PublicKeyD2Ev: 42| 4.24k| ~EC_PublicKey() override = default; _ZN5Botan13EC_PrivateKeyD2Ev: 170| 1.97k| ~EC_PrivateKey() override = default; _ZN5Botan15ECDH_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 87| 1.57k| EC_PrivateKey(alg_id, key_bits) {} _ZN5Botan14ECDH_PublicKeyC2Ev: 67| 1.26k| ECDH_PublicKey() = default; _ZN5Botan16ECDSA_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 98| 2.67k| EC_PrivateKey(alg_id, key_bits) {} _ZN5Botan15ECDSA_PublicKeyC2Ev: 79| 2.67k| ECDSA_PublicKey() = default; _ZN5Botan17Ed25519_PublicKeyC2Ev: 60| 10| Ed25519_PublicKey() = default; _ZN5Botan15Ed448_PublicKeyC2Ev: 66| 2| Ed448_PublicKey() = default; _ZNK5Botan9Exception4whatEv: 94| 979| const char* what() const noexcept override { return m_msg.c_str(); } _ZN5Botan20GOST_3410_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 91| 2| EC_PrivateKey(alg_id, key_bits) {} _ZN5Botan19GOST_3410_PublicKeyC2Ev: 72| 2| GOST_3410_PublicKey() = default; _ZN5Botan15Kyber_PublicKeyD2Ev: 105| 38| ~Kyber_PublicKey() override = default; _ZNK5Botan9KyberMode4modeEv: 60| 68| Mode mode() const { return m_mode; } _ZN5Botan15Kyber_PublicKeyC2Ev: 135| 38| Kyber_PublicKey() = default; _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm18446744073709551615EEETkNS1_16contiguous_rangeENS3_IKhLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 1.61k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.61k| ranges::assert_equal_byte_lengths(out, in); 162| 1.61k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.61k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.61k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.61k, False: 0] ------------------ 165| 1.61k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.61k| } 167| 1.61k|} _ZN5Botan11clear_bytesEPvm: 101| 24.5M|inline constexpr void clear_bytes(void* ptr, size_t bytes) { 102| 24.5M| if(bytes > 0) { ------------------ | Branch (102:7): [True: 24.5M, False: 45.4k] ------------------ 103| 24.5M| std::memset(ptr, 0, bytes); 104| 24.5M| } 105| 24.5M|} _ZN5Botan9clear_memImEEvPT_m: 118| 5.49M|inline constexpr void clear_mem(T* ptr, size_t n) { 119| 5.49M| clear_bytes(ptr, sizeof(T) * n); 120| 5.49M|} _ZN5Botan8copy_memIhQsr3stdE12is_trivial_vIu7__decayIT_EEEEvPS1_PKS1_m: 144| 2.22M|inline constexpr void copy_mem(T* out, const T* in, size_t n) { 145| 2.22M| BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null"); ------------------ | | 103| 2.22M| do { \ | | 104| 2.22M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 105| 4.39M| if((expr1) && !(expr2)) { \ | | ------------------ | | | Branch (105:10): [True: 2.19M, False: 25.4k] | | | Branch (105:23): [True: 2.19M, False: 0] | | | Branch (105:23): [True: 2.19M, False: 0] | | ------------------ | | 106| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 107| 0| Botan::assertion_failure(#expr1 " implies " #expr2, msg, __func__, __FILE__, __LINE__); \ | | 108| 0| } \ | | 109| 2.22M| } while(0) | | ------------------ | | | Branch (109:12): [Folded, False: 2.22M] | | ------------------ ------------------ 146| | 147| 2.22M| if(in != nullptr && out != nullptr && n > 0) { ------------------ | Branch (147:7): [True: 2.22M, False: 31] | Branch (147:24): [True: 2.22M, False: 1.33k] | Branch (147:42): [True: 2.19M, False: 24.0k] ------------------ 148| 2.19M| std::memmove(out, in, sizeof(T) * n); 149| 2.19M| } 150| 2.22M|} _ZN5Botan19secure_scrub_memoryITkNS_6ranges23contiguous_output_rangeERNSt3__16vectorIhNS2_9allocatorIhEEEEEEvOT_: 59| 146k|void secure_scrub_memory(ranges::contiguous_output_range auto&& data) { 60| 146k| secure_scrub_memory(std::ranges::data(data), ranges::size_bytes(data)); 61| 146k|} _ZN5Botan9clear_memIhEEvPT_m: 118| 21.3k|inline constexpr void clear_mem(T* ptr, size_t n) { 119| 21.3k| clear_bytes(ptr, sizeof(T) * n); 120| 21.3k|} _ZN5Botan8copy_memImQsr3stdE12is_trivial_vIu7__decayIT_EEEEvPS1_PKS1_m: 144| 4.25M|inline constexpr void copy_mem(T* out, const T* in, size_t n) { 145| 4.25M| BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null"); ------------------ | | 103| 4.25M| do { \ | | 104| 4.25M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 105| 8.50M| if((expr1) && !(expr2)) { \ | | ------------------ | | | Branch (105:10): [True: 4.25M, False: 0] | | | Branch (105:23): [True: 4.25M, False: 0] | | | Branch (105:23): [True: 4.25M, False: 0] | | ------------------ | | 106| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 107| 0| Botan::assertion_failure(#expr1 " implies " #expr2, msg, __func__, __FILE__, __LINE__); \ | | 108| 0| } \ | | 109| 4.25M| } while(0) | | ------------------ | | | Branch (109:12): [Folded, False: 4.25M] | | ------------------ ------------------ 146| | 147| 4.25M| if(in != nullptr && out != nullptr && n > 0) { ------------------ | Branch (147:7): [True: 4.25M, False: 0] | Branch (147:24): [True: 4.25M, False: 0] | Branch (147:42): [True: 4.25M, False: 0] ------------------ 148| 4.25M| std::memmove(out, in, sizeof(T) * n); 149| 4.25M| } 150| 4.25M|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm8EEEmQaaaasr3stdE23is_trivially_copyable_vIT0_Entsr3std6rangesE5rangeIS7_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEEEvOSC_RKS7_: 199| 52.2k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromT& in) { 200| 52.2k| typecast_copy(out, std::span(&in, 1)); 201| 52.2k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm8EEETkNS1_16contiguous_rangeENS3_IKmLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISG_EESH_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS9_IXsr21__is_primary_templateINSA_Iu14__remove_cvrefIDTclL_ZNSC_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSI_ISQ_EESR_E4type10value_typeEEEEvOSN_RKSD_: 176| 52.2k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 52.2k| ranges::assert_equal_byte_lengths(out, in); 178| 52.2k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 52.2k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm8EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS6_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEEES6_RKSB_: 210| 205k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 205k| ToT dst; // NOLINT(*-member-init) 212| 205k| typecast_copy(dst, src); 213| 205k| return dst; 214| 205k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm8EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISK_EEEvRSK_RKSA_: 188| 205k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 205k| typecast_copy(std::span(&out, 1), in); 190| 205k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm1EEETkNS1_16contiguous_rangeENS3_IKhLm8EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 205k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 205k| ranges::assert_equal_byte_lengths(out, in); 178| 205k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 205k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanIhLm18446744073709551615EEETkNS1_16contiguous_rangeENS3_IKhLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 33.3k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 33.3k| ranges::assert_equal_byte_lengths(out, in); 162| 33.3k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 33.3k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 33.3k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 33.3k, False: 1] ------------------ 165| 33.3k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 33.3k| } 167| 33.3k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm8EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS5_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEEES5_RKSA_: 210| 35.3k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 35.3k| ToT dst; // NOLINT(*-member-init) 212| 35.3k| typecast_copy(dst, src); 213| 35.3k| return dst; 214| 35.3k|} _ZN5Botan13typecast_copyImTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm8EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISC_EESD_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISJ_EEEvRSJ_RKS9_: 188| 35.3k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 35.3k| typecast_copy(std::span(&out, 1), in); 190| 35.3k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm1EEETkNS1_16contiguous_rangeENS3_IhLm8EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS6_IXsr21__is_primary_templateINS7_Iu14__remove_cvrefIDTclL_ZNS9_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSF_ISN_EESO_E4type10value_typeEEEEvOSK_RKSA_: 176| 35.3k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 35.3k| ranges::assert_equal_byte_lengths(out, in); 178| 35.3k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 35.3k|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm18446744073709551615EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS5_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEE: 132| 3.01M|{ 133| 3.01M| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 3.01M|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm18446744073709551615EEETkNS1_16contiguous_rangeENS3_IKmLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 15.6k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 15.6k| ranges::assert_equal_byte_lengths(out, in); 162| 15.6k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 15.6k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 15.6k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 15.6k, False: 6] ------------------ 165| 15.6k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 15.6k| } 167| 15.6k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__16vectorImNS_16secure_allocatorImEEEETkNS1_16contiguous_rangeENS2_4spanImLm18446744073709551615EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISH_EESI_E4type10value_typeENSA_IXsr21__is_primary_templateINSB_Iu14__remove_cvrefIDTclL_ZNSD_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSJ_ISR_EESS_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISW_EEEvOSE_RKSO_: 160| 746k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 746k| ranges::assert_equal_byte_lengths(out, in); 162| 746k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 746k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 746k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 746k, False: 0] ------------------ 165| 746k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 746k| } 167| 746k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm4EEETkNS1_16contiguous_rangeENS2_5arrayImLm4EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 1.83k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.83k| ranges::assert_equal_byte_lengths(out, in); 162| 1.83k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.83k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.83k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.83k, False: 0] ------------------ 165| 1.83k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.83k| } 167| 1.83k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm6EEETkNS1_16contiguous_rangeENS2_5arrayImLm6EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 1.07k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.07k| ranges::assert_equal_byte_lengths(out, in); 162| 1.07k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.07k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.07k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.07k, False: 0] ------------------ 165| 1.07k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.07k| } 167| 1.07k|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm8EEETkNS1_16contiguous_rangeENS2_5arrayImLm8EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 607|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 607| ranges::assert_equal_byte_lengths(out, in); 162| 607| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 607] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 607| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 607, False: 0] ------------------ 165| 607| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 607| } 167| 607|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm9EEETkNS1_16contiguous_rangeENS2_5arrayImLm9EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 1.97k|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1.97k| ranges::assert_equal_byte_lengths(out, in); 162| 1.97k| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1.97k] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1.97k| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1.97k, False: 0] ------------------ 165| 1.97k| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1.97k| } 167| 1.97k|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayImLm18EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 16.0M|{ 133| 16.0M| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 16.0M|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeENSt3__14spanImLm3EEETkNS1_16contiguous_rangeENS2_5arrayImLm3EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeENS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIST_EEEvOSB_RKSL_: 160| 378|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 378| ranges::assert_equal_byte_lengths(out, in); 162| 378| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 378] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 378| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 378, False: 0] ------------------ 165| 378| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 378| } 167| 378|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm28EEETkNS1_16contiguous_rangeENS3_IKhLm28EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 766|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 766| ranges::assert_equal_byte_lengths(out, in); 162| 766| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 766] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 766| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 766, False: 0] ------------------ 165| 766| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 766| } 167| 766|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm66EEETkNS1_16contiguous_rangeENS3_IKhLm66EEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 636|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 636| ranges::assert_equal_byte_lengths(out, in); 162| 636| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 636] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 636| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 636, False: 0] ------------------ 165| 636| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 636| } 167| 636|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm4EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS6_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEEES6_RKSB_: 210| 4.86k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 4.86k| ToT dst; // NOLINT(*-member-init) 212| 4.86k| typecast_copy(dst, src); 213| 4.86k| return dst; 214| 4.86k|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIKhLm4EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISK_EEEvRSK_RKSA_: 188| 4.86k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 4.86k| typecast_copy(std::span(&out, 1), in); 190| 4.86k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanIjLm1EEETkNS1_16contiguous_rangeENS3_IKhLm4EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 4.86k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 4.86k| ranges::assert_equal_byte_lengths(out, in); 178| 4.86k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 4.86k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm2EEEtQaaaasr3stdE23is_trivially_copyable_vIT0_Entsr3std6rangesE5rangeIS7_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEEEvOSC_RKS7_: 199| 300|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromT& in) { 200| 300| typecast_copy(out, std::span(&in, 1)); 201| 300|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERKNSt3__14spanIhLm2EEETkNS1_16contiguous_rangeENS3_IKtLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISG_EESH_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS9_IXsr21__is_primary_templateINSA_Iu14__remove_cvrefIDTclL_ZNSC_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSI_ISQ_EESR_E4type10value_typeEEEEvOSN_RKSD_: 176| 300|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 300| ranges::assert_equal_byte_lengths(out, in); 178| 300| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 300|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayIhLm8EEETkNS1_16contiguous_rangeENS3_ImLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 1.21M|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 1.21M| ranges::assert_equal_byte_lengths(out, in); 178| 1.21M| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 1.21M|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm4EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS5_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEEES5_RKSA_: 210| 49.7k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 49.7k| ToT dst; // NOLINT(*-member-init) 212| 49.7k| typecast_copy(dst, src); 213| 49.7k| return dst; 214| 49.7k|} _ZN5Botan13typecast_copyIjTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm4EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISC_EESD_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISJ_EEEvRSJ_RKS9_: 188| 49.7k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 49.7k| typecast_copy(std::span(&out, 1), in); 190| 49.7k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanIjLm1EEETkNS1_16contiguous_rangeENS3_IhLm4EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS6_IXsr21__is_primary_templateINS7_Iu14__remove_cvrefIDTclL_ZNS9_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSF_ISN_EESO_E4type10value_typeEEEEvOSK_RKSA_: 176| 49.7k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 49.7k| ranges::assert_equal_byte_lengths(out, in); 178| 49.7k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 49.7k|} _ZN5Botan13typecast_copyItTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm2EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vIS5_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEEES5_RKSA_: 210| 2.91k|inline constexpr ToT typecast_copy(const FromR& src) { 211| 2.91k| ToT dst; // NOLINT(*-member-init) 212| 2.91k| typecast_copy(dst, src); 213| 2.91k| return dst; 214| 2.91k|} _ZN5Botan13typecast_copyItTkNS_6ranges16contiguous_rangeENSt3__14spanIhLm2EEEQaaaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISC_EESD_E4type10value_typeEEsr3stdE23is_trivially_copyable_vIT_Entsr3std6rangesE5rangeISJ_EEEvRSJ_RKS9_: 188| 2.91k|inline constexpr void typecast_copy(ToT& out, const FromR& in) { 189| 2.91k| typecast_copy(std::span(&out, 1), in); 190| 2.91k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeENSt3__14spanItLm1EEETkNS1_16contiguous_rangeENS3_IhLm2EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISD_EESE_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS6_IXsr21__is_primary_templateINS7_Iu14__remove_cvrefIDTclL_ZNS9_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSF_ISN_EESO_E4type10value_typeEEEEvOSK_RKSA_: 176| 2.91k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 2.91k| ranges::assert_equal_byte_lengths(out, in); 178| 2.91k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 2.91k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm56EEETkNS1_16contiguous_rangeENS2_5arrayImLm7EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEEEvOSM_RKSC_: 176| 1|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 1| ranges::assert_equal_byte_lengths(out, in); 178| 1| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 1|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIhLm56EEETkNS1_16contiguous_rangeENS2_6vectorIhNS_16secure_allocatorIhEEEEQaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISH_EESI_E4type10value_typeENSA_IXsr21__is_primary_templateINSB_Iu14__remove_cvrefIDTclL_ZNSD_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSJ_ISR_EESS_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISW_EEEvOSE_RKSO_: 160| 1|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 1| ranges::assert_equal_byte_lengths(out, in); 162| 1| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 1] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 1| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 1, False: 0] ------------------ 165| 1| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 1| } 167| 1|} _ZN5Botan13typecast_copyINS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEETkNS_6ranges16contiguous_rangeENS2_4spanIKhLm18446744073709551615EEEQaaaasr3stdE26is_default_constructible_vIT_Esr3stdE23is_trivially_copyable_vISB_Esr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEEESB_RKSG_: 210| 1|inline constexpr ToT typecast_copy(const FromR& src) { 211| 1| ToT dst; // NOLINT(*-member-init) 212| 1| typecast_copy(dst, src); 213| 1| return dst; 214| 1|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEETkNS1_16contiguous_rangeENS3_4spanIKhLm18446744073709551615EEEQaasr3stdE23is_trivially_copyable_vINS3_11conditionalIXsr21__is_primary_templateINS3_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS3_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS3_26indirectly_readable_traitsISJ_EESK_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINSC_IXsr21__is_primary_templateINSD_Iu14__remove_cvrefIDTclL_ZNSF_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSL_IST_EESU_E4type10value_typeEEEEvOSQ_RKSG_: 176| 1|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 1| ranges::assert_equal_byte_lengths(out, in); 178| 1| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 1|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIiLm256EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 518|{ 133| 518| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 518|} _ZN5Botan8copy_memITkNS_6ranges23contiguous_output_rangeERNSt3__16vectorIiNS2_9allocatorIiEEEETkNS1_16contiguous_rangeES6_Qaasr3stdE9is_same_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISF_EESG_E4type10value_typeENS8_IXsr21__is_primary_templateINS9_Iu14__remove_cvrefIDTclL_ZNSB_5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENSH_ISP_EESQ_E4type10value_typeEEsr3stdE23is_trivially_copyable_vISU_EEEvOSC_RKSM_: 160| 83|inline constexpr void copy_mem(OutR&& out /* NOLINT(*-std-forward) */, const InR& in) { 161| 83| ranges::assert_equal_byte_lengths(out, in); 162| 83| if(std::is_constant_evaluated()) { ------------------ | Branch (162:7): [Folded, False: 83] ------------------ 163| 0| std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out)); 164| 83| } else if(ranges::size_bytes(out) > 0) { ------------------ | Branch (164:14): [True: 83, False: 0] ------------------ 165| 83| std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 166| 83| } 167| 83|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__14spanIsLm256EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 92|{ 133| 92| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 92|} _ZN5Botan9clear_memIjEEvPT_m: 118| 6|inline constexpr void clear_mem(T* ptr, size_t n) { 119| 6| clear_bytes(ptr, sizeof(T) * n); 120| 6|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayImLm7EEETkNS1_16contiguous_rangeENS2_4spanIKhLm56EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISG_EESH_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS9_IXsr21__is_primary_templateINSA_Iu14__remove_cvrefIDTclL_ZNSC_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSI_ISQ_EESR_E4type10value_typeEEEEvOSN_RKSD_: 176| 2|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 2| ranges::assert_equal_byte_lengths(out, in); 178| 2| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 2|} _ZN5Botan9clear_memITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayImLm7EEEEEvOT_Qsr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRS6_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEE: 132| 8.06k|{ 133| 8.06k| clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem)); 134| 8.06k|} _ZN5Botan13typecast_copyITkNS_6ranges23contiguous_output_rangeERNSt3__15arrayIhLm2EEETkNS1_16contiguous_rangeENS3_ItLm1EEEQaasr3stdE23is_trivially_copyable_vINS2_11conditionalIXsr21__is_primary_templateINS2_15iterator_traitsIu14__remove_cvrefIDTclL_ZNS2_6ranges5__cpo5beginEEclsr3stdE7declvalIRT0_EEEEEEEEE5valueENS2_26indirectly_readable_traitsISE_EESF_E4type10value_typeEEsr3stdE23is_trivially_copyable_vINS7_IXsr21__is_primary_templateINS8_Iu14__remove_cvrefIDTclL_ZNSA_5beginEEclsr3stdE7declvalIRT_EEEEEEEEE5valueENSG_ISO_EESP_E4type10value_typeEEEEvOSL_RKSB_: 176| 3.88k|inline constexpr void typecast_copy(ToR&& out /* NOLINT(*-std-forward) */, const FromR& in) { 177| 3.88k| ranges::assert_equal_byte_lengths(out, in); 178| 3.88k| std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out)); 179| 3.88k|} _ZN5Botan14Asymmetric_KeyD2Ev: 62| 4.66k| virtual ~Asymmetric_Key() = default; _ZN5Botan15PKCS8_ExceptionC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 30| 1.80k| explicit PKCS8_Exception(std::string_view error) : Decoding_Error("PKCS #8", error) {} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm18446744073709551615EEETpTkNS0_14spanable_rangeEJNS3_IKhLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 34.9k|{ 101| 34.9k| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 34.9k| } else { 107| 34.9k| const size_t expected_size = s0.size_bytes(); 108| 34.9k| const bool correct_size = 109| 34.9k| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 34.9k| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 34.9k] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 34.9k| } 115| 34.9k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm18446744073709551615EEEEEmRKT_: 59| 69.9k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 69.9k| return std::span{r}.size_bytes(); 61| 69.9k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm32ETkNS0_14spanable_rangeENSt3__14spanIhLm32EEEEEvRKT0_: 77| 2|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2| const std::span s{r}; 79| 2| if constexpr(statically_spanable_range) { 80| 2| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2|} _ZN5Botan6ranges24assert_exact_byte_lengthILm32ETkNS0_14spanable_rangeENSt3__15arrayImLm4EEEEEvRKT0_: 77| 4.74k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 4.74k| const std::span s{r}; 79| 4.74k| if constexpr(statically_spanable_range) { 80| 4.74k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 4.74k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm32EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2.14k|{ 101| 2.14k| const std::span s0{r0}; 102| | 103| 2.14k| if constexpr(statically_spanable_range) { 104| 2.14k| constexpr size_t expected_size = s0.size_bytes(); 105| 2.14k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2.14k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__16vectorIhNS2_9allocatorIhEEEEEEmRKT_: 59| 146k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 146k| return std::span{r}.size_bytes(); 61| 146k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__14spanIhLm8EEEEEvRKT0_: 77| 134k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 134k| const std::span s{r}; 79| 134k| if constexpr(statically_spanable_range) { 80| 134k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 134k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm8EEETpTkNS0_14spanable_rangeEJNS3_IKmLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 52.2k|{ 101| 52.2k| const std::span s0{r0}; 102| | 103| 52.2k| if constexpr(statically_spanable_range) { 104| 52.2k| constexpr size_t expected_size = s0.size_bytes(); 105| 52.2k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 52.2k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__14spanIKmLm1EEEEEvRKT0_: 77| 52.2k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 52.2k| const std::span s{r}; 79| 52.2k| if constexpr(statically_spanable_range) { 80| 52.2k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 52.2k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm8EEEEEmRKT_: 59| 52.2k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 52.2k| return std::span{r}.size_bytes(); 61| 52.2k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__14spanIKhLm8EEEEEvRKT0_: 77| 411k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 411k| const std::span s{r}; 79| 411k| if constexpr(statically_spanable_range) { 80| 411k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 411k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm1EEETpTkNS0_14spanable_rangeEJNS3_IKhLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 205k|{ 101| 205k| const std::span s0{r0}; 102| | 103| 205k| if constexpr(statically_spanable_range) { 104| 205k| constexpr size_t expected_size = s0.size_bytes(); 105| 205k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 205k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm1EEEEEmRKT_: 59| 241k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 241k| return std::span{r}.size_bytes(); 61| 241k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__15arrayIhLm8EEEEEvRKT0_: 77| 35.3k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 35.3k| const std::span s{r}; 79| 35.3k| if constexpr(statically_spanable_range) { 80| 35.3k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 35.3k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm1EEETpTkNS0_14spanable_rangeEJNS3_IhLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 35.3k|{ 101| 35.3k| const std::span s0{r0}; 102| | 103| 35.3k| if constexpr(statically_spanable_range) { 104| 35.3k| constexpr size_t expected_size = s0.size_bytes(); 105| 35.3k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 35.3k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm18446744073709551615EEEEEmRKT_: 59| 3.04M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3.04M| return std::span{r}.size_bytes(); 61| 3.04M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm18446744073709551615EEETpTkNS0_14spanable_rangeEJNS3_IKmLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 15.6k|{ 101| 15.6k| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 15.6k| } else { 107| 15.6k| const size_t expected_size = s0.size_bytes(); 108| 15.6k| const bool correct_size = 109| 15.6k| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 15.6k| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 15.6k] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 15.6k| } 115| 15.6k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEETpTkNS0_14spanable_rangeEJNS2_4spanImLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 746k|{ 101| 746k| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 746k| } else { 107| 746k| const size_t expected_size = s0.size_bytes(); 108| 746k| const bool correct_size = 109| 746k| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 746k| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 746k] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 746k| } 115| 746k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__16vectorImNS_16secure_allocatorImEEEEEEmRKT_: 59| 1.49M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.49M| return std::span{r}.size_bytes(); 61| 1.49M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm4EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.83k|{ 101| 1.83k| const std::span s0{r0}; 102| | 103| 1.83k| if constexpr(statically_spanable_range) { 104| 1.83k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.83k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.83k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm4EEEEEmRKT_: 59| 3.66k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3.66k| return std::span{r}.size_bytes(); 61| 3.66k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm8ETkNS0_14spanable_rangeENSt3__15arrayImLm1EEEEEvRKT0_: 77| 2.43M|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2.43M| const std::span s{r}; 79| 2.43M| if constexpr(statically_spanable_range) { 80| 2.43M| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2.43M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm6EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm6EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.07k|{ 101| 1.07k| const std::span s0{r0}; 102| | 103| 1.07k| if constexpr(statically_spanable_range) { 104| 1.07k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.07k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.07k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm48ETkNS0_14spanable_rangeENSt3__15arrayImLm6EEEEEvRKT0_: 77| 2.44k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2.44k| const std::span s{r}; 79| 2.44k| if constexpr(statically_spanable_range) { 80| 2.44k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2.44k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm6EEEEEmRKT_: 59| 2.14k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 2.14k| return std::span{r}.size_bytes(); 61| 2.14k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm48EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm6EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.37k|{ 101| 1.37k| const std::span s0{r0}; 102| | 103| 1.37k| if constexpr(statically_spanable_range) { 104| 1.37k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.37k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.37k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm8EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 607|{ 101| 607| const std::span s0{r0}; 102| | 103| 607| if constexpr(statically_spanable_range) { 104| 607| constexpr size_t expected_size = s0.size_bytes(); 105| 607| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 607|} _ZN5Botan6ranges24assert_exact_byte_lengthILm64ETkNS0_14spanable_rangeENSt3__15arrayImLm8EEEEEvRKT0_: 77| 1.21k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1.21k| const std::span s{r}; 79| 1.21k| if constexpr(statically_spanable_range) { 80| 1.21k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 1.21k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm8EEEEEmRKT_: 59| 1.21k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.21k| return std::span{r}.size_bytes(); 61| 1.21k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm64EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm8EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 606|{ 101| 606| const std::span s0{r0}; 102| | 103| 606| if constexpr(statically_spanable_range) { 104| 606| constexpr size_t expected_size = s0.size_bytes(); 105| 606| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 606|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm9EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm9EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1.97k|{ 101| 1.97k| const std::span s0{r0}; 102| | 103| 1.97k| if constexpr(statically_spanable_range) { 104| 1.97k| constexpr size_t expected_size = s0.size_bytes(); 105| 1.97k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1.97k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm72ETkNS0_14spanable_rangeENSt3__15arrayImLm9EEEEEvRKT0_: 77| 4.23k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 4.23k| const std::span s{r}; 79| 4.23k| if constexpr(statically_spanable_range) { 80| 4.23k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 4.23k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm9EEEEEmRKT_: 59| 3.95k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3.95k| return std::span{r}.size_bytes(); 61| 3.95k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayImLm18EEEEEmRKT_: 59| 16.0M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 16.0M| return std::span{r}.size_bytes(); 61| 16.0M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm72EEETpTkNS0_14spanable_rangeEJNS3_ImLm9EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2.25k|{ 101| 2.25k| const std::span s0{r0}; 102| | 103| 2.25k| if constexpr(statically_spanable_range) { 104| 2.25k| constexpr size_t expected_size = s0.size_bytes(); 105| 2.25k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2.25k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanImLm3EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm3EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 378|{ 101| 378| const std::span s0{r0}; 102| | 103| 378| if constexpr(statically_spanable_range) { 104| 378| constexpr size_t expected_size = s0.size_bytes(); 105| 378| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 378|} _ZN5Botan6ranges24assert_exact_byte_lengthILm24ETkNS0_14spanable_rangeENSt3__15arrayImLm3EEEEEvRKT0_: 77| 1.13k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1.13k| const std::span s{r}; 79| 1.13k| if constexpr(statically_spanable_range) { 80| 1.13k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 1.13k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanImLm3EEEEEmRKT_: 59| 756|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 756| return std::span{r}.size_bytes(); 61| 756|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm24EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm3EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 756|{ 101| 756| const std::span s0{r0}; 102| | 103| 756| if constexpr(statically_spanable_range) { 104| 756| constexpr size_t expected_size = s0.size_bytes(); 105| 756| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 756|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm32EEETpTkNS0_14spanable_rangeEJNS3_ImLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 766|{ 101| 766| const std::span s0{r0}; 102| | 103| 766| if constexpr(statically_spanable_range) { 104| 766| constexpr size_t expected_size = s0.size_bytes(); 105| 766| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 766|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm28EEETpTkNS0_14spanable_rangeEJNS3_IKhLm28EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 766|{ 101| 766| const std::span s0{r0}; 102| | 103| 766| if constexpr(statically_spanable_range) { 104| 766| constexpr size_t expected_size = s0.size_bytes(); 105| 766| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 766|} _ZN5Botan6ranges24assert_exact_byte_lengthILm28ETkNS0_14spanable_rangeENSt3__14spanIKhLm28EEEEEvRKT0_: 77| 766|inline constexpr void assert_exact_byte_length(const R& r) { 78| 766| const std::span s{r}; 79| 766| if constexpr(statically_spanable_range) { 80| 766| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 766|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm28EEEEEmRKT_: 59| 1.53k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.53k| return std::span{r}.size_bytes(); 61| 1.53k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm66EEETpTkNS0_14spanable_rangeEJNS3_IKhLm66EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 636|{ 101| 636| const std::span s0{r0}; 102| | 103| 636| if constexpr(statically_spanable_range) { 104| 636| constexpr size_t expected_size = s0.size_bytes(); 105| 636| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 636|} _ZN5Botan6ranges24assert_exact_byte_lengthILm66ETkNS0_14spanable_rangeENSt3__14spanIKhLm66EEEEEvRKT0_: 77| 636|inline constexpr void assert_exact_byte_length(const R& r) { 78| 636| const std::span s{r}; 79| 636| if constexpr(statically_spanable_range) { 80| 636| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 636|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm66EEEEEmRKT_: 59| 1.27k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.27k| return std::span{r}.size_bytes(); 61| 1.27k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm1EEETpTkNS0_14spanable_rangeEJS4_EEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 184|{ 101| 184| const std::span s0{r0}; 102| | 103| 184| if constexpr(statically_spanable_range) { 104| 184| constexpr size_t expected_size = s0.size_bytes(); 105| 184| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 184|} _ZN5Botan6ranges24assert_exact_byte_lengthILm1ETkNS0_14spanable_rangeENSt3__15arrayIhLm1EEEEEvRKT0_: 77| 184|inline constexpr void assert_exact_byte_length(const R& r) { 78| 184| const std::span s{r}; 79| 184| if constexpr(statically_spanable_range) { 80| 184| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 184|} _ZN5Botan6ranges24assert_exact_byte_lengthILm1ETkNS0_14spanable_rangeENSt3__14spanIhLm1EEEEEvRKT0_: 77| 368|inline constexpr void assert_exact_byte_length(const R& r) { 78| 368| const std::span s{r}; 79| 368| if constexpr(statically_spanable_range) { 80| 368| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 368|} _ZN5Botan6ranges24assert_exact_byte_lengthILm4ETkNS0_14spanable_rangeENSt3__14spanIhLm4EEEEEvRKT0_: 77| 49.7k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 49.7k| const std::span s{r}; 79| 49.7k| if constexpr(statically_spanable_range) { 80| 49.7k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 49.7k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm4ETkNS0_14spanable_rangeENSt3__14spanIKhLm4EEEEEvRKT0_: 77| 9.72k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 9.72k| const std::span s{r}; 79| 9.72k| if constexpr(statically_spanable_range) { 80| 9.72k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 9.72k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIjLm1EEETpTkNS0_14spanable_rangeEJNS3_IKhLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 4.86k|{ 101| 4.86k| const std::span s0{r0}; 102| | 103| 4.86k| if constexpr(statically_spanable_range) { 104| 4.86k| constexpr size_t expected_size = s0.size_bytes(); 105| 4.86k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 4.86k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIjLm1EEEEEmRKT_: 59| 54.6k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 54.6k| return std::span{r}.size_bytes(); 61| 54.6k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanItLm1EEEEEmRKT_: 59| 2.91k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 2.91k| return std::span{r}.size_bytes(); 61| 2.91k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__14spanIhLm2EEEEEvRKT0_: 77| 3.51k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 3.51k| const std::span s{r}; 79| 3.51k| if constexpr(statically_spanable_range) { 80| 3.51k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 3.51k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm2EEETpTkNS0_14spanable_rangeEJNS3_IKtLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 300|{ 101| 300| const std::span s0{r0}; 102| | 103| 300| if constexpr(statically_spanable_range) { 104| 300| constexpr size_t expected_size = s0.size_bytes(); 105| 300| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 300|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__14spanIKtLm1EEEEEvRKT0_: 77| 300|inline constexpr void assert_exact_byte_length(const R& r) { 78| 300| const std::span s{r}; 79| 300| if constexpr(statically_spanable_range) { 80| 300| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 300|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm2EEEEEmRKT_: 59| 300|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 300| return std::span{r}.size_bytes(); 61| 300|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm18446744073709551615EEETpTkNS0_14spanable_rangeEJNS3_IKmLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2|{ 101| 2| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 2| } else { 107| 2| const size_t expected_size = s0.size_bytes(); 108| 2| const bool correct_size = 109| 2| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 2| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 2] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 2| } 115| 2|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm8EEETpTkNS0_14spanable_rangeEJNS3_ImLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2.43M|{ 101| 2.43M| const std::span s0{r0}; 102| | 103| 2.43M| if constexpr(statically_spanable_range) { 104| 2.43M| constexpr size_t expected_size = s0.size_bytes(); 105| 2.43M| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2.43M|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayIhLm8EEEEEmRKT_: 59| 1.21M|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1.21M| return std::span{r}.size_bytes(); 61| 1.21M|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIjLm1EEETpTkNS0_14spanable_rangeEJNS3_IhLm4EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 49.7k|{ 101| 49.7k| const std::span s0{r0}; 102| | 103| 49.7k| if constexpr(statically_spanable_range) { 104| 49.7k| constexpr size_t expected_size = s0.size_bytes(); 105| 49.7k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 49.7k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanItLm1EEETpTkNS0_14spanable_rangeEJNS3_IhLm2EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2.91k|{ 101| 2.91k| const std::span s0{r0}; 102| | 103| 2.91k| if constexpr(statically_spanable_range) { 104| 2.91k| constexpr size_t expected_size = s0.size_bytes(); 105| 2.91k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2.91k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayImLm7EEEEEmRKT_: 59| 8.07k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 8.07k| return std::span{r}.size_bytes(); 61| 8.07k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm56EEETpTkNS0_14spanable_rangeEJNS2_5arrayImLm7EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 2|{ 101| 2| const std::span s0{r0}; 102| | 103| 2| if constexpr(statically_spanable_range) { 104| 2| constexpr size_t expected_size = s0.size_bytes(); 105| 2| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 2|} _ZN5Botan6ranges24assert_exact_byte_lengthILm56ETkNS0_14spanable_rangeENSt3__15arrayImLm7EEEEEvRKT0_: 77| 2|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2| const std::span s{r}; 79| 2| if constexpr(statically_spanable_range) { 80| 2| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIhLm56EEEEEmRKT_: 59| 3|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3| return std::span{r}.size_bytes(); 61| 3|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__14spanIhLm56EEETpTkNS0_14spanable_rangeEJNS2_6vectorIhNS_16secure_allocatorIhEEEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1|{ 101| 1| const std::span s0{r0}; 102| | 103| 1| if constexpr(statically_spanable_range) { 104| 1| constexpr size_t expected_size = s0.size_bytes(); 105| 1| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 1|} _ZN5Botan6ranges24assert_exact_byte_lengthILm56ETkNS0_14spanable_rangeENSt3__16vectorIhNS_16secure_allocatorIhEEEEEEvRKT0_: 77| 1|inline constexpr void assert_exact_byte_length(const R& r) { 78| 1| const std::span s{r}; 79| | if constexpr(statically_spanable_range) { 80| | static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| 1| } else { 82| 1| if(s.size_bytes() != expected) { ------------------ | Branch (82:10): [True: 0, False: 1] ------------------ 83| 0| memory_region_size_violation(); 84| 0| } 85| 1| } 86| 1|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEETpTkNS0_14spanable_rangeEJNS3_4spanIKhLm18446744073709551615EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 1|{ 101| 1| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 1| } else { 107| 1| const size_t expected_size = s0.size_bytes(); 108| 1| const bool correct_size = 109| 1| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 1| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 1] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 1| } 115| 1|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEEEEmRKT_: 59| 1|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 1| return std::span{r}.size_bytes(); 61| 1|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIiLm256EEEEEmRKT_: 59| 518|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 518| return std::span{r}.size_bytes(); 61| 518|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__16vectorIiNS2_9allocatorIiEEEETpTkNS0_14spanable_rangeEJS6_EEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 83|{ 101| 83| const std::span s0{r0}; 102| | 103| | if constexpr(statically_spanable_range) { 104| | constexpr size_t expected_size = s0.size_bytes(); 105| | (assert_exact_byte_length(rs), ...); 106| 83| } else { 107| 83| const size_t expected_size = s0.size_bytes(); 108| 83| const bool correct_size = 109| 83| ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| 83| if(!correct_size) { ------------------ | Branch (111:10): [True: 0, False: 83] ------------------ 112| 0| memory_region_size_violation(); 113| 0| } 114| 83| } 115| 83|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__16vectorIiNS2_9allocatorIiEEEEEEmRKT_: 59| 166|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 166| return std::span{r}.size_bytes(); 61| 166|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__15arrayIhLm2EEEEEvRKT0_: 77| 2.91k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 2.91k| const std::span s{r}; 79| 2.91k| if constexpr(statically_spanable_range) { 80| 2.91k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 2.91k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm2ETkNS0_14spanable_rangeENSt3__15arrayItLm1EEEEEvRKT0_: 77| 8.07k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 8.07k| const std::span s{r}; 79| 8.07k| if constexpr(statically_spanable_range) { 80| 8.07k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 8.07k|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayIhLm2EEETpTkNS0_14spanable_rangeEJNS3_ItLm1EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 8.07k|{ 101| 8.07k| const std::span s0{r0}; 102| | 103| 8.07k| if constexpr(statically_spanable_range) { 104| 8.07k| constexpr size_t expected_size = s0.size_bytes(); 105| 8.07k| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 8.07k|} _ZN5Botan6ranges24assert_exact_byte_lengthILm4ETkNS0_14spanable_rangeENSt3__15arrayIhLm4EEEEEvRKT0_: 77| 49.7k|inline constexpr void assert_exact_byte_length(const R& r) { 78| 49.7k| const std::span s{r}; 79| 49.7k| if constexpr(statically_spanable_range) { 80| 49.7k| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 49.7k|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__14spanIsLm256EEEEEmRKT_: 59| 92|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 92| return std::span{r}.size_bytes(); 61| 92|} _ZN5Botan6ranges25assert_equal_byte_lengthsITkNS0_14spanable_rangeENSt3__15arrayImLm7EEETpTkNS0_14spanable_rangeEJNS2_4spanIKhLm56EEEEEEvRKT_DpRKT0_QgtsZT0_Li0E: 100| 4|{ 101| 4| const std::span s0{r0}; 102| | 103| 4| if constexpr(statically_spanable_range) { 104| 4| constexpr size_t expected_size = s0.size_bytes(); 105| 4| (assert_exact_byte_length(rs), ...); 106| | } else { 107| | const size_t expected_size = s0.size_bytes(); 108| | const bool correct_size = 109| | ((std::span>{rs}.size_bytes() == expected_size) && ...); 110| | 111| | if(!correct_size) { 112| | memory_region_size_violation(); 113| | } 114| | } 115| 4|} _ZN5Botan6ranges24assert_exact_byte_lengthILm56ETkNS0_14spanable_rangeENSt3__14spanIKhLm56EEEEEvRKT0_: 77| 4|inline constexpr void assert_exact_byte_length(const R& r) { 78| 4| const std::span s{r}; 79| 4| if constexpr(statically_spanable_range) { 80| 4| static_assert(s.size_bytes() == expected, "memory region does not have expected byte lengths"); 81| | } else { 82| | if(s.size_bytes() != expected) { 83| | memory_region_size_violation(); 84| | } 85| | } 86| 4|} _ZN5Botan6ranges10size_bytesITkNS0_14spanable_rangeENSt3__15arrayIhLm2EEEEEmRKT_: 59| 3.88k|inline constexpr size_t size_bytes(const spanable_range auto& r) { 60| 3.88k| return std::span{r}.size_bytes(); 61| 3.88k|} _ZNK5Botan8Null_RNG9is_seededEv: 352| 9.57k| bool is_seeded() const override { return false; } _ZN5Botan21RandomNumberGeneratorC2Ev: 54| 1.97k| RandomNumberGenerator() = default; _ZN5Botan13RSA_PublicKeyC2Ev: 87| 41| RSA_PublicKey() = default; _ZN5Botan16secure_allocatorIhE8allocateEm: 52| 134k| T* allocate(std::size_t n) { return static_cast(allocate_memory(n, sizeof(T))); } _ZN5Botan16secure_allocatorIhE10deallocateEPhm: 54| 134k| void deallocate(T* p, std::size_t n) { deallocate_memory(p, n, sizeof(T)); } _ZN5Botan16secure_allocatorImE10deallocateEPmm: 54| 18.8M| void deallocate(T* p, std::size_t n) { deallocate_memory(p, n, sizeof(T)); } _ZN5Botan16secure_allocatorImE8allocateEm: 52| 18.8M| T* allocate(std::size_t n) { return static_cast(allocate_memory(n, sizeof(T))); } _ZN5BotanneIhhEEbRKNS_16secure_allocatorIT_EERKNS1_IT0_EE: 63| 18.8k|inline bool operator!=(const secure_allocator& /*a*/, const secure_allocator& /*b*/) { 64| 18.8k| return false; 65| 18.8k|} _ZN5BotanpLIhNS_16secure_allocatorIhEES2_EERNSt3__16vectorIT_T0_EES8_RKNS4_IS5_T1_EE: 92| 2.62k|std::vector& operator+=(std::vector& out, const std::vector& in) { 93| 2.62k| out.insert(out.end(), in.begin(), in.end()); 94| 2.62k| return out; 95| 2.62k|} _ZNK5Botan18Sphincs_Parameters9hash_typeEv: 71| 15| Sphincs_Hash_Type hash_type() const { return m_hash_type; } _ZNK5Botan18Sphincs_Parameters13parameter_setEv: 76| 15| Sphincs_Parameter_Set parameter_set() const { return m_set; } _ZNK5Botan18Sphincs_Parameters1nEv: 96| 8| size_t n() const { return m_n; } _ZNK5Botan18Sphincs_Parameters16public_key_bytesEv: 195| 29| uint32_t public_key_bytes() const { return m_n * 2; } _ZNK5Botan18Sphincs_Parameters17private_key_bytesEv: 200| 21| uint32_t private_key_bytes() const { return m_n * 2 + public_key_bytes(); } _ZN5Botan18unwrap_strong_typeIRmEEDcOT_: 243| 52.2k|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 52.2k| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 52.2k| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 52.2k|} _ZN5Botan16wrap_strong_typeImRmQoosr3stdE18constructible_fromIT_T0_Eaasr8conceptsE11strong_typeIS2_Esr3stdE18constructible_fromINS2_12wrapped_typeES3_EEEDcOS3_: 268| 241k|[[nodiscard]] constexpr decltype(auto) wrap_strong_type(ParamT&& t) { 269| 241k| if constexpr(std::same_as, T>) { 270| | // Noop, if the parameter type already is the desired return type. 271| 241k| return std::forward(t); 272| | } else if constexpr(std::constructible_from) { 273| | // Implicit conversion from the parameter type to the return type. 274| | return T{std::forward(t)}; 275| | } else { 276| | // Explicitly calling the wrapped type's constructor to support 277| | // implicit conversions on types that mark their constructors as explicit. 278| | static_assert(concepts::strong_type && std::constructible_from); 279| | return T{typename T::wrapped_type{std::forward(t)}}; 280| | } 281| 241k|} _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE4sizeEv: 141| 731| size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); } _ZNKR5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE3getEv: 87| 1.23k| constexpr const T& get() const& { return m_value; } _ZN5Botan18unwrap_strong_typeIRNSt3__16vectorIhNS1_9allocatorIhEEEEEEDcOT_: 243| 60|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 60| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 60| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 60|} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEED2Ev: 81| 686| ~Strong_Base() = default; _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEED2Ev: 81| 1.27k| ~Strong_Base() = default; _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEE4sizeEv: 141| 1.15k| size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); } _ZNKR5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEE3getEv: 87| 1.87k| constexpr const T& get() const& { return m_value; } _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2Ev: 76| 34| Strong_Base() = default; _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2INS2_11__wrap_iterIPKhEEEET_SD_: 122| 34| Container_Strong_Adapter_Base(InputIt begin, InputIt end) : Container_Strong_Adapter_Base(T(begin, end)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2ES6_: 83| 343| constexpr explicit Strong_Base(T v) : m_value(std::move(v)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEaSEOS7_: 80| 34| Strong_Base& operator=(Strong_Base&&) noexcept = default; _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2EmQsr8conceptsE19resizable_containerIT_E: 119| 279| : Container_Strong_Adapter_Base(T(size)) {} _ZNR5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE3getEv: 85| 339| constexpr T& get() & { return m_value; } _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE3endEv: 129| 30| decltype(auto) end() noexcept(noexcept(this->get().end())) { return this->get().end(); } _ZN5Botan18unwrap_strong_typeIRhEEDcOT_: 243| 184|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 184| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 184| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 184|} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEEC2EOS7_: 78| 309| Strong_Base(Strong_Base&&) noexcept = default; _ZNK5Botan6detail14Strong_AdapterINSt3__16vectorIhNS2_9allocatorIhEEEEE4dataEv: 200| 422| decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2Ev: 76| 34| Strong_Base() = default; _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2INS2_11__wrap_iterIPKhEEEET_SD_: 122| 94| Container_Strong_Adapter_Base(InputIt begin, InputIt end) : Container_Strong_Adapter_Base(T(begin, end)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2ES6_: 83| 530| constexpr explicit Strong_Base(T v) : m_value(std::move(v)) {} _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEaSEOS7_: 80| 34| Strong_Base& operator=(Strong_Base&&) noexcept = default; _ZNR5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEE3getEv: 85| 350| constexpr T& get() & { return m_value; } _ZN5Botan6detail14Strong_AdapterINSt3__16vectorIhNS_16secure_allocatorIhEEEEE4dataEv: 198| 350| decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZN5Botan6detail11Strong_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2EOS7_: 78| 708| Strong_Base(Strong_Base&&) noexcept = default; _ZN5Botan6detail14Strong_AdapterINSt3__16vectorIhNS2_9allocatorIhEEEEE4dataEv: 198| 279| decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZNK5Botan6detail14Strong_AdapterINSt3__16vectorIhNS_16secure_allocatorIhEEEEE4dataEv: 200| 719| decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE5beginEv: 125| 30| decltype(auto) begin() noexcept(noexcept(this->get().begin())) { return this->get().begin(); } _ZN5Botan16wrap_strong_typeIjRjQoosr3stdE18constructible_fromIT_T0_Eaasr8conceptsE11strong_typeIS2_Esr3stdE18constructible_fromINS2_12wrapped_typeES3_EEEDcOS3_: 268| 54.6k|[[nodiscard]] constexpr decltype(auto) wrap_strong_type(ParamT&& t) { 269| 54.6k| if constexpr(std::same_as, T>) { 270| | // Noop, if the parameter type already is the desired return type. 271| 54.6k| return std::forward(t); 272| | } else if constexpr(std::constructible_from) { 273| | // Implicit conversion from the parameter type to the return type. 274| | return T{std::forward(t)}; 275| | } else { 276| | // Explicitly calling the wrapped type's constructor to support 277| | // implicit conversions on types that mark their constructors as explicit. 278| | static_assert(concepts::strong_type && std::constructible_from); 279| | return T{typename T::wrapped_type{std::forward(t)}}; 280| | } 281| 54.6k|} _ZN5Botan16wrap_strong_typeItRtQoosr3stdE18constructible_fromIT_T0_Eaasr8conceptsE11strong_typeIS2_Esr3stdE18constructible_fromINS2_12wrapped_typeES3_EEEDcOS3_: 268| 2.91k|[[nodiscard]] constexpr decltype(auto) wrap_strong_type(ParamT&& t) { 269| 2.91k| if constexpr(std::same_as, T>) { 270| | // Noop, if the parameter type already is the desired return type. 271| 2.91k| return std::forward(t); 272| | } else if constexpr(std::constructible_from) { 273| | // Implicit conversion from the parameter type to the return type. 274| | return T{std::forward(t)}; 275| | } else { 276| | // Explicitly calling the wrapped type's constructor to support 277| | // implicit conversions on types that mark their constructors as explicit. 278| | static_assert(concepts::strong_type && std::constructible_from); 279| | return T{typename T::wrapped_type{std::forward(t)}}; 280| | } 281| 2.91k|} _ZN5Botan18unwrap_strong_typeIRtEEDcOT_: 243| 300|[[nodiscard]] constexpr decltype(auto) unwrap_strong_type(T&& t) { 244| 300| if constexpr(!concepts::strong_type>) { 245| | // If the parameter type isn't a strong type, return it as is. 246| 300| return std::forward(t); 247| | } else { 248| | // Unwrap the strong type and return the underlying value. 249| | return std::forward(t).get(); 250| | } 251| 300|} _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2EmQsr8conceptsE19resizable_containerIT_E: 119| 350| : Container_Strong_Adapter_Base(T(size)) {} _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEE5beginEv: 127| 1| decltype(auto) begin() const noexcept(noexcept(this->get().begin())) { return this->get().begin(); } _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEE3endEv: 131| 1| decltype(auto) end() const noexcept(noexcept(this->get().end())) { return this->get().end(); } _ZNK5Botan6detail14Strong_AdapterINSt3__15arrayIhLm56EEEE4dataEv: 200| 2| decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEE4sizeEv: 141| 2| size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); } _ZN5Botan6detail14Strong_AdapterINSt3__15arrayIhLm56EEEE4dataEv: 198| 1| decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); } _ZNR5Botan6detail11Strong_BaseINSt3__15arrayIhLm56EEEE3getEv: 85| 3| constexpr T& get() & { return m_value; } _ZN5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEEixIiEEDcOT_: 167| 2| decltype(auto) operator[](U&& i) noexcept(noexcept(this->get().operator[](i))) { 168| 2| return this->get()[std::forward(i)]; 169| 2| } _ZNKR5Botan6detail11Strong_BaseINSt3__15arrayIhLm56EEEE3getEv: 87| 456| constexpr const T& get() const& { return m_value; } _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__15arrayIhLm56EEEEixImEEDcOT_: 162| 448| decltype(auto) operator[](U&& i) const noexcept(noexcept(this->get().operator[](i))) { 163| 448| return this->get()[std::forward(i)]; 164| 448| } _ZN5Botan6detail11Strong_BaseINSt3__15arrayIhLm56EEEEC2ES4_: 83| 1| constexpr explicit Strong_Base(T v) : m_value(std::move(v)) {} _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEE4dataEv: 712| 83| decltype(auto) data() const noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEE4sizeEv: 714| 83| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_29DilithiumSerializedPublicKey_EJEEEEC2ERS9_: 675| 83| StrongSpan(T& strong) : m_span(strong) {} _ZNK5Botan6detail29Container_Strong_Adapter_BaseINSt3__16vectorIhNS2_9allocatorIhEEEEE5emptyEvQsr8conceptsE9has_emptyIT_E: 145| 83| { 146| 83| return this->get().empty(); 147| 83| } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEC2ERS9_: 675| 166| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEC2ERS9_: 675| 83| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEE4dataEv: 710| 83| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEE4sizeEv: 714| 83| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEE4dataEv: 710| 3.00k| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEE4sizeEv: 714| 3.00k| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEE4dataEv: 710| 967| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEE4sizeEv: 714| 967| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEEEC2ERS9_: 675| 83| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan6detail14Strong_AdapterINSt3__16vectorIhNS_16secure_allocatorIhEEEEEC2ENS2_4spanIKhLm18446744073709551615EEE: 188| 86| Strong_Adapter(T(span.begin(), span.end())) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEC2ERS9_: 675| 30| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEE4dataEv: 710| 30| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEE4sizeEv: 714| 30| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_13KyberSeedRho_EJEEEE4dataEv: 710| 300| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_13KyberSeedRho_EJEEEE4sizeEv: 714| 330| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEE4dataEv: 712| 30| decltype(auto) data() const noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEE4sizeEv: 714| 30| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEE4dataEv: 710| 184| decltype(auto) data() noexcept(noexcept(this->m_span.data())) { return this->m_span.data(); } _ZNK5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEE4sizeEv: 714| 184| decltype(auto) size() const noexcept(noexcept(this->m_span.size())) { return this->m_span.size(); } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_20KyberSeedRandomness_EJEEEEC2ERS9_: 675| 30| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEEC2ERS9_: 675| 30| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15KyberSeedSigma_EJEEEE3getEv: 708| 184| underlying_span get() { return m_span; } _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEC2ERS9_: 675| 184| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan10StrongSpanIKNS_6StrongINSt3__16vectorIhNS2_9allocatorIhEEEENS_25KyberSerializedPublicKey_EJEEEEC2ERS9_: 675| 30| StrongSpan(T& strong) : m_span(strong) {} _ZN5Botan24Key_Length_SpecificationC2Em: 28| 4.53k| explicit Key_Length_Specification(size_t keylen) : m_min_keylen(keylen), m_max_keylen(keylen), m_keylen_mod(1) {} _ZNK5Botan24Key_Length_Specification15valid_keylengthEm: 43| 4.53k| bool valid_keylength(size_t length) const { 44| 4.53k| return ((length >= m_min_keylen) && (length <= m_max_keylen) && (length % m_keylen_mod == 0)); ------------------ | Branch (44:18): [True: 4.53k, False: 0] | Branch (44:46): [True: 4.53k, False: 0] | Branch (44:74): [True: 4.53k, False: 0] ------------------ 45| 4.53k| } _ZN5Botan16X25519_PublicKeyC2Ev: 52| 8| X25519_PublicKey() = default; _ZN5Botan14X448_PublicKeyC2Ev: 57| 1| X448_PublicKey() = default; _ZN5Botan3XOF5clearEv: 64| 484| void clear() { 65| 484| m_xof_started = false; 66| 484| reset(); 67| 484| } _ZN5Botan3XOF6updateENSt3__14spanIKhLm18446744073709551615EEE: 140| 8.98k| void update(std::span input) { 141| 8.98k| if(!m_xof_started) { ------------------ | Branch (141:13): [True: 4.53k, False: 4.45k] ------------------ 142| | // If the user didn't start() before the first input, we enforce 143| | // it with a default value, here. 144| 4.53k| start(); 145| 4.53k| } 146| 8.98k| add_data(input); 147| 8.98k| } _ZN5Botan3XOFD2Ev: 31| 4.11k| virtual ~XOF() = default; _ZNK5Botan3XOF8key_specEv: 97| 4.53k| virtual Key_Length_Specification key_spec() const { 98| | // Keys are not supported by default 99| 4.53k| return Key_Length_Specification(0); 100| 4.53k| } _ZNK5Botan3XOF17valid_salt_lengthEm: 89| 4.53k| virtual bool valid_salt_length(size_t salt_len) const { 90| | // Salts are not supported by default 91| 4.53k| return salt_len == 0; 92| 4.53k| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_25DilithiumHashedPublicKey_EJEEEEET_m: 153| 83| T output(size_t bytes) { 154| 83| T out(bytes); 155| 83| generate_bytes(out); 156| 83| return out; 157| 83| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEET_m: 153| 83| T output(size_t bytes) { 154| 83| T out(bytes); 155| 83| generate_bytes(out); 156| 83| return out; 157| 83| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEET_m: 153| 83| T output(size_t bytes) { 154| 83| T out(bytes); 155| 83| generate_bytes(out); 156| 83| return out; 157| 83| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_15DilithiumSeedK_EJEEEEET_m: 153| 83| T output(size_t bytes) { 154| 83| T out(bytes); 155| 83| generate_bytes(out); 156| 83| return out; 157| 83| } _ZN5Botan3XOF6outputILm1EEENSt3__15arrayIhXT_EEEv: 163| 177k| std::array output() { 164| 177k| std::array out; // NOLINT(*-member-init) 165| 177k| generate_bytes(out); 166| 177k| return out; 167| 177k| } _ZN5Botan3XOF6outputILm3EEENSt3__15arrayIhXT_EEEv: 163| 795k| std::array output() { 164| 795k| std::array out; // NOLINT(*-member-init) 165| 795k| generate_bytes(out); 166| 795k| return out; 167| 795k| } _ZN5Botan3XOF6outputITkNS_8concepts21resizable_byte_bufferENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEET_m: 153| 184| T output(size_t bytes) { 154| 184| T out(bytes); 155| 184| generate_bytes(out); 156| 184| return out; 157| 184| } LLVMFuzzerInitialize: 28| 2|extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) { 29| | /* 30| | * This disables the mlock pool, as overwrites within the pool are 31| | * opaque to ASan or other instrumentation. 32| | */ 33| 2| ::setenv("BOTAN_MLOCK_POOL_SIZE", "0", 1); 34| 2| return 0; 35| 2|} LLVMFuzzerTestOneInput: 39| 7.55k|extern "C" int LLVMFuzzerTestOneInput(const uint8_t in[], size_t len) { 40| 7.55k| if(len <= max_fuzzer_input_size) { ------------------ | Branch (40:7): [True: 7.55k, False: 1] ------------------ 41| 7.55k| try { 42| 7.55k| fuzz(std::span(in, len)); 43| 7.55k| } catch(const std::exception& e) { 44| 0| std::cerr << "Uncaught exception from fuzzer driver " << e.what() << "\n"; 45| 0| abort(); 46| 0| } catch(...) { 47| 0| std::cerr << "Uncaught exception from fuzzer driver (unknown type)\n"; 48| 0| abort(); 49| 0| } 50| 7.55k| } 51| 7.55k| return 0; 52| 7.55k|} _Z4fuzzNSt3__14spanIKhLm18446744073709551615EEE: 14| 7.55k|void fuzz(std::span in) { 15| 7.55k| try { 16| 7.55k| Botan::DataSource_Memory input(in); 17| 7.55k| Botan::PKCS8::load_key(input); 18| 7.55k| } catch(const Botan::Exception& e) {} 19| | 20| | /* 21| | * This avoids OOMs in OSS-Fuzz caused by storing precomputations 22| | * for thousands of curves randomly generated by the fuzzer. 23| | * 24| | * TODO(Botan4) we can remove this call once support for explicit curves 25| | * is removed 26| | */ 27| 7.55k| Botan::EC_Group::clear_registered_curve_data(); 28| 7.55k|} _ZN5Botan19AlgorithmIdentifier11decode_fromERNS_11BER_DecoderE: 82| 6.67k|void AlgorithmIdentifier::decode_from(BER_Decoder& codec) { 83| 6.67k| codec.start_sequence().decode(m_oid).raw_bytes(m_parameters).end_cons(); 84| 6.67k|} _ZN5Botan10BER_ObjectD2Ev: 27| 146k|BER_Object::~BER_Object() { 28| 146k| secure_scrub_memory(m_value); 29| 146k|} _ZNK5Botan10BER_Object11assert_is_aENS_9ASN1_TypeENS_10ASN1_ClassENSt3__117basic_string_viewIcNS3_11char_traitsIcEEEE: 34| 51.6k|void BER_Object::assert_is_a(ASN1_Type expected_type_tag, ASN1_Class expected_class_tag, std::string_view descr) const { 35| 51.6k| if(!this->is_a(expected_type_tag, expected_class_tag)) { ------------------ | Branch (35:7): [True: 228, False: 51.4k] ------------------ 36| 228| std::stringstream msg; 37| | 38| 228| msg << "Tag mismatch when decoding " << descr << " got "; 39| | 40| 228| if(m_class_tag == ASN1_Class::NoObject && m_type_tag == ASN1_Type::NoObject) { ------------------ | Branch (40:10): [True: 34, False: 194] | Branch (40:49): [True: 34, False: 0] ------------------ 41| 34| msg << "EOF"; 42| 194| } else { 43| 194| if(m_class_tag == ASN1_Class::Universal || m_class_tag == ASN1_Class::Constructed) { ------------------ | Branch (43:13): [True: 71, False: 123] | Branch (43:53): [True: 92, False: 31] ------------------ 44| 163| msg << asn1_tag_to_string(m_type_tag); 45| 163| } else { 46| 31| msg << std::to_string(static_cast(m_type_tag)); 47| 31| } 48| | 49| 194| msg << "/" << asn1_class_to_string(m_class_tag); 50| 194| } 51| | 52| 228| msg << " expected "; 53| | 54| 228| if(expected_class_tag == ASN1_Class::Universal || expected_class_tag == ASN1_Class::Constructed) { ------------------ | Branch (54:10): [True: 193, False: 35] | Branch (54:57): [True: 35, False: 0] ------------------ 55| 228| msg << asn1_tag_to_string(expected_type_tag); 56| 228| } else { 57| 0| msg << std::to_string(static_cast(expected_type_tag)); 58| 0| } 59| | 60| 228| msg << "/" << asn1_class_to_string(expected_class_tag); 61| | 62| 228| throw BER_Decoding_Error(msg.str()); 63| 228| } 64| 51.6k|} _ZNK5Botan10BER_Object4is_aENS_9ASN1_TypeENS_10ASN1_ClassE: 66| 58.9k|bool BER_Object::is_a(ASN1_Type expected_type_tag, ASN1_Class expected_class_tag) const { 67| 58.9k| return (m_type_tag == expected_type_tag && m_class_tag == expected_class_tag); ------------------ | Branch (67:12): [True: 54.4k, False: 4.56k] | Branch (67:47): [True: 54.3k, False: 12] ------------------ 68| 58.9k|} _ZN5Botan10BER_Object11set_taggingENS_9ASN1_TypeENS_10ASN1_ClassE: 74| 68.7k|void BER_Object::set_tagging(ASN1_Type type_tag, ASN1_Class class_tag) { 75| 68.7k| m_type_tag = type_tag; 76| 68.7k| m_class_tag = class_tag; 77| 68.7k|} _ZN5Botan20asn1_class_to_stringENS_10ASN1_ClassE: 79| 422|std::string asn1_class_to_string(ASN1_Class type) { 80| 422| switch(type) { 81| 264| case ASN1_Class::Universal: ------------------ | Branch (81:7): [True: 264, False: 158] ------------------ 82| 264| return "UNIVERSAL"; 83| 127| case ASN1_Class::Constructed: ------------------ | Branch (83:7): [True: 127, False: 295] ------------------ 84| 127| return "CONSTRUCTED"; 85| 5| case ASN1_Class::ContextSpecific: ------------------ | Branch (85:7): [True: 5, False: 417] ------------------ 86| 5| return "CONTEXT_SPECIFIC"; 87| 3| case ASN1_Class::Application: ------------------ | Branch (87:7): [True: 3, False: 419] ------------------ 88| 3| return "APPLICATION"; 89| 1| case ASN1_Class::Private: ------------------ | Branch (89:7): [True: 1, False: 421] ------------------ 90| 1| return "PRIVATE"; 91| 0| case ASN1_Class::NoObject: ------------------ | Branch (91:7): [True: 0, False: 422] ------------------ 92| 0| return "NO_OBJECT"; 93| 22| default: ------------------ | Branch (93:7): [True: 22, False: 400] ------------------ 94| 22| return "CLASS(" + std::to_string(static_cast(type)) + ")"; 95| 422| } 96| 422|} _ZN5Botan18asn1_tag_to_stringENS_9ASN1_TypeE: 98| 434|std::string asn1_tag_to_string(ASN1_Type type) { 99| 434| switch(type) { 100| 38| case ASN1_Type::Sequence: ------------------ | Branch (100:7): [True: 38, False: 396] ------------------ 101| 38| return "SEQUENCE"; 102| | 103| 7| case ASN1_Type::Set: ------------------ | Branch (103:7): [True: 7, False: 427] ------------------ 104| 7| return "SET"; 105| | 106| 2| case ASN1_Type::PrintableString: ------------------ | Branch (106:7): [True: 2, False: 432] ------------------ 107| 2| return "PRINTABLE STRING"; 108| | 109| 3| case ASN1_Type::NumericString: ------------------ | Branch (109:7): [True: 3, False: 431] ------------------ 110| 3| return "NUMERIC STRING"; 111| | 112| 1| case ASN1_Type::Ia5String: ------------------ | Branch (112:7): [True: 1, False: 433] ------------------ 113| 1| return "IA5 STRING"; 114| | 115| 1| case ASN1_Type::TeletexString: ------------------ | Branch (115:7): [True: 1, False: 433] ------------------ 116| 1| return "T61 STRING"; 117| | 118| 2| case ASN1_Type::Utf8String: ------------------ | Branch (118:7): [True: 2, False: 432] ------------------ 119| 2| return "UTF8 STRING"; 120| | 121| 4| case ASN1_Type::VisibleString: ------------------ | Branch (121:7): [True: 4, False: 430] ------------------ 122| 4| return "VISIBLE STRING"; 123| | 124| 1| case ASN1_Type::BmpString: ------------------ | Branch (124:7): [True: 1, False: 433] ------------------ 125| 1| return "BMP STRING"; 126| | 127| 2| case ASN1_Type::UniversalString: ------------------ | Branch (127:7): [True: 2, False: 432] ------------------ 128| 2| return "UNIVERSAL STRING"; 129| | 130| 1| case ASN1_Type::UtcTime: ------------------ | Branch (130:7): [True: 1, False: 433] ------------------ 131| 1| return "UTC TIME"; 132| | 133| 1| case ASN1_Type::GeneralizedTime: ------------------ | Branch (133:7): [True: 1, False: 433] ------------------ 134| 1| return "GENERALIZED TIME"; 135| | 136| 36| case ASN1_Type::OctetString: ------------------ | Branch (136:7): [True: 36, False: 398] ------------------ 137| 36| return "OCTET STRING"; 138| | 139| 12| case ASN1_Type::BitString: ------------------ | Branch (139:7): [True: 12, False: 422] ------------------ 140| 12| return "BIT STRING"; 141| | 142| 1| case ASN1_Type::Enumerated: ------------------ | Branch (142:7): [True: 1, False: 433] ------------------ 143| 1| return "ENUMERATED"; 144| | 145| 161| case ASN1_Type::Integer: ------------------ | Branch (145:7): [True: 161, False: 273] ------------------ 146| 161| return "INTEGER"; 147| | 148| 2| case ASN1_Type::Null: ------------------ | Branch (148:7): [True: 2, False: 432] ------------------ 149| 2| return "NULL"; 150| | 151| 3| case ASN1_Type::ObjectId: ------------------ | Branch (151:7): [True: 3, False: 431] ------------------ 152| 3| return "OBJECT"; 153| | 154| 9| case ASN1_Type::Boolean: ------------------ | Branch (154:7): [True: 9, False: 425] ------------------ 155| 9| return "BOOLEAN"; 156| | 157| 7| case ASN1_Type::NoObject: ------------------ | Branch (157:7): [True: 7, False: 427] ------------------ 158| 7| return "NO_OBJECT"; 159| | 160| 140| default: ------------------ | Branch (160:7): [True: 140, False: 294] ------------------ 161| 140| return "TAG(" + std::to_string(static_cast(type)) + ")"; 162| 434| } 163| 434|} _ZN5Botan18BER_Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 168| 818|BER_Decoding_Error::BER_Decoding_Error(std::string_view err) : Decoding_Error(fmt("BER: {}", err)) {} _ZN5Botan11BER_Bad_TagC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEj: 170| 9|BER_Bad_Tag::BER_Bad_Tag(std::string_view str, uint32_t tagging) : BER_Decoding_Error(fmt("{}: {}", str, tagging)) {} _ZN5Botan4ASN19maybe_BERERNS_10DataSourceE: 197| 7.55k|bool maybe_BER(DataSource& source) { 198| 7.55k| uint8_t first_u8 = 0; 199| 7.55k| if(source.peek_byte(first_u8) == 0) { ------------------ | Branch (199:7): [True: 0, False: 7.55k] ------------------ 200| 0| BOTAN_ASSERT_EQUAL(source.read_byte(first_u8), 0, "Expected EOF"); ------------------ | | 90| 0| do { \ | | 91| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 92| 0| if((expr1) != (expr2)) { \ | | ------------------ | | | Branch (92:10): [True: 0, False: 0] | | ------------------ | | 93| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 94| 0| Botan::assertion_failure(#expr1 " == " #expr2, assertion_made, __func__, __FILE__, __LINE__); \ | | 95| 0| } \ | | 96| 0| } while(0) | | ------------------ | | | Branch (96:12): [Folded, False: 0] | | ------------------ ------------------ 201| 0| throw Stream_IO_Error("ASN1::maybe_BER: Source was empty"); 202| 0| } 203| | 204| 7.55k| const auto cons_seq = static_cast(ASN1_Class::Constructed) | static_cast(ASN1_Type::Sequence); 205| 7.55k| return first_u8 == cons_seq; 206| 7.55k|} _ZN5Botan3OID11from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 86| 15|OID OID::from_string(std::string_view str) { 87| 15| if(str.empty()) { ------------------ | Branch (87:7): [True: 0, False: 15] ------------------ 88| 0| throw Invalid_Argument("OID::from_string argument must be non-empty"); 89| 0| } 90| | 91| 15| OID o = OID_Map::global_registry().str2oid(str); 92| 15| if(o.has_value()) { ------------------ | Branch (92:7): [True: 15, False: 0] ------------------ 93| 15| return o; 94| 15| } 95| | 96| | // Try to parse as a dotted decimal 97| 0| try { 98| 0| return OID(str); 99| 0| } catch(...) {} 100| | 101| 0| throw Lookup_Error(fmt("No OID associated with name '{}'", str)); 102| 0|} _ZN5Botan3OIDC2ESt16initializer_listIjE: 104| 47.2k|OID::OID(std::initializer_list init) : m_id(init) { 105| 47.2k| oid_valid_check(m_id); 106| 47.2k|} _ZNK5Botan3OID9to_stringEv: 125| 1.85k|std::string OID::to_string() const { 126| 1.85k| std::ostringstream out; 127| | 128| 63.2k| for(size_t i = 0; i != m_id.size(); ++i) { ------------------ | Branch (128:22): [True: 61.4k, False: 1.85k] ------------------ 129| | // avoid locale issues with integer formatting 130| 61.4k| out << std::to_string(m_id[i]); 131| 61.4k| if(i != m_id.size() - 1) { ------------------ | Branch (131:10): [True: 59.5k, False: 1.85k] ------------------ 132| 59.5k| out << "."; 133| 59.5k| } 134| 61.4k| } 135| | 136| 1.85k| return out.str(); 137| 1.85k|} _ZNK5Botan3OID19to_formatted_stringEv: 139| 4.93k|std::string OID::to_formatted_string() const { 140| 4.93k| std::string s = this->human_name_or_empty(); 141| 4.93k| if(!s.empty()) { ------------------ | Branch (141:7): [True: 4.93k, False: 0] ------------------ 142| 4.93k| return s; 143| 4.93k| } 144| 0| return this->to_string(); 145| 4.93k|} _ZNK5Botan3OID19human_name_or_emptyEv: 147| 14.5k|std::string OID::human_name_or_empty() const { 148| 14.5k| return OID_Map::global_registry().oid2str(*this); 149| 14.5k|} _ZNK5Botan3OID7matchesESt16initializer_listIjE: 155| 13.1k|bool OID::matches(std::initializer_list other) const { 156| | // TODO: once all target compilers support it, use std::ranges::equal 157| 13.1k| return std::equal(m_id.begin(), m_id.end(), other.begin(), other.end()); 158| 13.1k|} _ZNK5Botan3OID9hash_codeEv: 160| 16.2k|uint64_t OID::hash_code() const { 161| | // If this is changed also update gen_oids.py to match 162| 16.2k| uint64_t hash = 0x621F302327D9A49A; 163| 196k| for(auto id : m_id) { ------------------ | Branch (163:16): [True: 196k, False: 16.2k] ------------------ 164| 196k| hash *= 193; 165| 196k| hash += id; 166| 196k| } 167| 16.2k| return hash; 168| 16.2k|} _ZNK5Botan3OID11encode_intoERNS_11DER_EncoderE: 183| 3.05k|void OID::encode_into(DER_Encoder& der) const { 184| 3.05k| if(m_id.size() < 2) { ------------------ | Branch (184:7): [True: 0, False: 3.05k] ------------------ 185| 0| throw Invalid_Argument("OID::encode_into: OID is invalid"); 186| 0| } 187| | 188| 3.05k| auto append = [](std::vector& encoding, uint32_t z) { 189| 3.05k| if(z <= 0x7F) { 190| 3.05k| encoding.push_back(static_cast(z)); 191| 3.05k| } else { 192| 3.05k| const size_t z7 = (high_bit(z) + 7 - 1) / 7; 193| | 194| 3.05k| for(size_t j = 0; j != z7; ++j) { 195| 3.05k| uint8_t zp = static_cast(z >> (7 * (z7 - j - 1)) & 0x7F); 196| | 197| 3.05k| if(j != z7 - 1) { 198| 3.05k| zp |= 0x80; 199| 3.05k| } 200| | 201| 3.05k| encoding.push_back(zp); 202| 3.05k| } 203| 3.05k| } 204| 3.05k| }; 205| | 206| 3.05k| std::vector encoding; 207| | 208| | // We know 40 * root can't overflow because root is between 0 and 2 209| 3.05k| auto first = checked_add(40 * m_id[0], m_id[1]); 210| 3.05k| BOTAN_ASSERT_NOMSG(first.has_value()); ------------------ | | 77| 3.05k| do { \ | | 78| 3.05k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 3.05k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 3.05k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 3.05k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 3.05k] | | ------------------ ------------------ 211| | 212| 3.05k| append(encoding, *first); 213| | 214| 17.3k| for(size_t i = 2; i != m_id.size(); ++i) { ------------------ | Branch (214:22): [True: 14.3k, False: 3.05k] ------------------ 215| 14.3k| append(encoding, m_id[i]); 216| 14.3k| } 217| 3.05k| der.add_object(ASN1_Type::ObjectId, ASN1_Class::Universal, encoding); 218| 3.05k|} _ZN5Botan3OID11decode_fromERNS_11BER_DecoderE: 223| 11.6k|void OID::decode_from(BER_Decoder& decoder) { 224| 11.6k| const BER_Object obj = decoder.get_next_object(); 225| 11.6k| if(obj.tagging() != (ASN1_Class::Universal | ASN1_Type::ObjectId)) { ------------------ | Branch (225:7): [True: 9, False: 11.6k] ------------------ 226| 9| throw BER_Bad_Tag("Error decoding OID, unknown tag", obj.tagging()); 227| 9| } 228| | 229| 11.6k| if(obj.length() == 0) { ------------------ | Branch (229:7): [True: 1, False: 11.6k] ------------------ 230| 1| throw BER_Decoding_Error("OID encoding is too short"); 231| 1| } 232| | 233| 11.6k| auto consume = [](BufferSlicer& data) -> uint32_t { 234| 11.6k| BOTAN_ASSERT_NOMSG(!data.empty()); 235| 11.6k| uint32_t b = data.take_byte(); 236| | 237| 11.6k| if(b > 0x7F) { 238| 11.6k| b &= 0x7F; 239| | 240| | // Even BER requires that the OID have minimal length, ie that 241| | // the first byte of a multibyte encoding cannot be zero 242| | // See X.690 section 8.19.2 243| 11.6k| if(b == 0) { 244| 11.6k| throw Decoding_Error("Leading zero byte in multibyte OID encoding"); 245| 11.6k| } 246| | 247| 11.6k| while(true) { 248| 11.6k| if(data.empty()) { 249| 11.6k| throw Decoding_Error("Truncated OID value"); 250| 11.6k| } 251| | 252| 11.6k| const uint8_t next = data.take_byte(); 253| 11.6k| const bool more = (next & 0x80) == 0x80; 254| 11.6k| const uint8_t value = next & 0x7F; 255| | 256| 11.6k| if((b >> (32 - 7)) != 0) { 257| 11.6k| throw Decoding_Error("OID component overflow"); 258| 11.6k| } 259| | 260| 11.6k| b = (b << 7) | value; 261| | 262| 11.6k| if(!more) { 263| 11.6k| break; 264| 11.6k| } 265| 11.6k| } 266| 11.6k| } 267| | 268| 11.6k| return b; 269| 11.6k| }; 270| | 271| 11.6k| BufferSlicer data(obj.data()); 272| 11.6k| std::vector parts; 273| 156k| while(!data.empty()) { ------------------ | Branch (273:10): [True: 144k, False: 11.6k] ------------------ 274| 144k| const uint32_t comp = consume(data); 275| | 276| 144k| if(parts.empty()) { ------------------ | Branch (276:10): [True: 11.5k, False: 132k] ------------------ 277| | // divide into root and second arc 278| | 279| 11.5k| const uint32_t root_arc = [](uint32_t b0) -> uint32_t { 280| 11.5k| if(b0 < 40) { 281| 11.5k| return 0; 282| 11.5k| } else if(b0 < 80) { 283| 11.5k| return 1; 284| 11.5k| } else { 285| 11.5k| return 2; 286| 11.5k| } 287| 11.5k| }(comp); 288| | 289| 11.5k| parts.push_back(root_arc); 290| 11.5k| BOTAN_ASSERT_NOMSG(comp >= 40 * root_arc); ------------------ | | 77| 11.5k| do { \ | | 78| 11.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 11.5k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 11.5k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 11.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 11.5k] | | ------------------ ------------------ 291| 11.5k| parts.push_back(comp - 40 * root_arc); 292| 132k| } else { 293| 132k| parts.push_back(comp); 294| 132k| } 295| 144k| } 296| | 297| 11.6k| m_id = parts; 298| 11.6k|} _ZN5BotanlsERNSt3__113basic_ostreamIcNS0_11char_traitsIcEEEERKNS_3OIDE: 300| 1.74k|std::ostream& operator<<(std::ostream& out, const OID& oid) { 301| 1.74k| out << oid.to_string(); 302| 1.74k| return out; 303| 1.74k|} asn1_oid.cpp:_ZN5Botan12_GLOBAL__N_115oid_valid_checkENSt3__14spanIKjLm18446744073709551615EEE: 26| 47.2k|void oid_valid_check(std::span oid) { 27| 47.2k| BOTAN_ARG_CHECK(oid.size() >= 2, "OID too short to be valid"); ------------------ | | 35| 47.2k| do { \ | | 36| 47.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 47.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 47.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 47.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 47.2k] | | ------------------ ------------------ 28| 47.2k| BOTAN_ARG_CHECK(oid[0] <= 2, "OID root out of range"); ------------------ | | 35| 47.2k| do { \ | | 36| 47.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 47.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 47.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 47.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 47.2k] | | ------------------ ------------------ 29| 47.2k| BOTAN_ARG_CHECK(oid[1] <= 39 || oid[0] == 2, "OID second arc too large"); ------------------ | | 35| 47.2k| do { \ | | 36| 47.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 47.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 47.2k, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 47.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 47.2k] | | ------------------ ------------------ 30| | // This last is a limitation of using 32 bit integers when decoding 31| | // not a limitation of ASN.1 object identifiers in general 32| 47.2k| BOTAN_ARG_CHECK(oid[1] <= 0xFFFFFFAF, "OID second arc too large"); ------------------ | | 35| 47.2k| do { \ | | 36| 47.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 47.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 47.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 47.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 47.2k] | | ------------------ ------------------ 33| 47.2k|} asn1_oid.cpp:_ZZNK5Botan3OID11encode_intoERNS_11DER_EncoderEENK3$_0clERNSt3__16vectorIhNS4_9allocatorIhEEEEj: 188| 17.3k| auto append = [](std::vector& encoding, uint32_t z) { 189| 17.3k| if(z <= 0x7F) { ------------------ | Branch (189:10): [True: 14.3k, False: 3.03k] ------------------ 190| 14.3k| encoding.push_back(static_cast(z)); 191| 14.3k| } else { 192| 3.03k| const size_t z7 = (high_bit(z) + 7 - 1) / 7; 193| | 194| 9.10k| for(size_t j = 0; j != z7; ++j) { ------------------ | Branch (194:28): [True: 6.07k, False: 3.03k] ------------------ 195| 6.07k| uint8_t zp = static_cast(z >> (7 * (z7 - j - 1)) & 0x7F); 196| | 197| 6.07k| if(j != z7 - 1) { ------------------ | Branch (197:16): [True: 3.03k, False: 3.03k] ------------------ 198| 3.03k| zp |= 0x80; 199| 3.03k| } 200| | 201| 6.07k| encoding.push_back(zp); 202| 6.07k| } 203| 3.03k| } 204| 17.3k| }; asn1_oid.cpp:_ZZN5Botan3OID11decode_fromERNS_11BER_DecoderEENK3$_0clERNS_12BufferSlicerE: 233| 144k| auto consume = [](BufferSlicer& data) -> uint32_t { 234| 144k| BOTAN_ASSERT_NOMSG(!data.empty()); ------------------ | | 77| 144k| do { \ | | 78| 144k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 144k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 144k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 144k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 144k] | | ------------------ ------------------ 235| 144k| uint32_t b = data.take_byte(); 236| | 237| 144k| if(b > 0x7F) { ------------------ | Branch (237:10): [True: 24.3k, False: 120k] ------------------ 238| 24.3k| b &= 0x7F; 239| | 240| | // Even BER requires that the OID have minimal length, ie that 241| | // the first byte of a multibyte encoding cannot be zero 242| | // See X.690 section 8.19.2 243| 24.3k| if(b == 0) { ------------------ | Branch (243:13): [True: 1, False: 24.3k] ------------------ 244| 1| throw Decoding_Error("Leading zero byte in multibyte OID encoding"); 245| 1| } 246| | 247| 28.3k| while(true) { ------------------ | Branch (247:16): [True: 28.3k, Folded] ------------------ 248| 28.3k| if(data.empty()) { ------------------ | Branch (248:16): [True: 21, False: 28.3k] ------------------ 249| 21| throw Decoding_Error("Truncated OID value"); 250| 21| } 251| | 252| 28.3k| const uint8_t next = data.take_byte(); 253| 28.3k| const bool more = (next & 0x80) == 0x80; 254| 28.3k| const uint8_t value = next & 0x7F; 255| | 256| 28.3k| if((b >> (32 - 7)) != 0) { ------------------ | Branch (256:16): [True: 23, False: 28.3k] ------------------ 257| 23| throw Decoding_Error("OID component overflow"); 258| 23| } 259| | 260| 28.3k| b = (b << 7) | value; 261| | 262| 28.3k| if(!more) { ------------------ | Branch (262:16): [True: 24.3k, False: 3.98k] ------------------ 263| 24.3k| break; 264| 24.3k| } 265| 28.3k| } 266| 24.3k| } 267| | 268| 144k| return b; 269| 144k| }; asn1_oid.cpp:_ZZN5Botan3OID11decode_fromERNS_11BER_DecoderEENK3$_1clEj: 279| 11.5k| const uint32_t root_arc = [](uint32_t b0) -> uint32_t { 280| 11.5k| if(b0 < 40) { ------------------ | Branch (280:16): [True: 1.00k, False: 10.5k] ------------------ 281| 1.00k| return 0; 282| 10.5k| } else if(b0 < 80) { ------------------ | Branch (282:23): [True: 9.35k, False: 1.22k] ------------------ 283| 9.35k| return 1; 284| 9.35k| } else { 285| 1.22k| return 2; 286| 1.22k| } 287| 11.5k| }(comp); _ZN5Botan11BER_DecoderD2Ev: 366| 37.5k|BER_Decoder::~BER_Decoder() = default; _ZN5Botan11BER_Decoder10verify_endEv: 381| 12.5k|BER_Decoder& BER_Decoder::verify_end() { 382| 12.5k| return verify_end("BER_Decoder::verify_end called, but data remains"); 383| 12.5k|} _ZN5Botan11BER_Decoder10verify_endENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 388| 12.5k|BER_Decoder& BER_Decoder::verify_end(std::string_view err) { 389| 12.5k| if(!m_source->end_of_data() || m_pushed.is_set()) { ------------------ | Branch (389:7): [True: 21, False: 12.5k] | Branch (389:35): [True: 0, False: 12.5k] ------------------ 390| 21| throw Decoding_Error(err); 391| 21| } 392| 12.5k| return (*this); 393| 12.5k|} _ZN5Botan11BER_Decoder17discard_remainingEv: 398| 6.65k|BER_Decoder& BER_Decoder::discard_remaining() { 399| 6.65k| m_pushed = BER_Object(); 400| 6.65k| uint8_t buf = 0; 401| 175k| while(m_source->read_byte(buf) != 0) {} ------------------ | Branch (401:10): [True: 168k, False: 6.65k] ------------------ 402| 6.65k| return (*this); 403| 6.65k|} _ZN5Botan11BER_Decoder14read_next_byteEv: 405| 522k|std::optional BER_Decoder::read_next_byte() { 406| 522k| BOTAN_ASSERT_NOMSG(m_source != nullptr); ------------------ | | 77| 522k| do { \ | | 78| 522k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 522k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 522k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 522k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 522k] | | ------------------ ------------------ 407| 522k| uint8_t b = 0; 408| 522k| if(m_source->read_byte(b) != 0) { ------------------ | Branch (408:7): [True: 516k, False: 6.61k] ------------------ 409| 516k| return b; 410| 516k| } else { 411| 6.61k| return {}; 412| 6.61k| } 413| 522k|} _ZN5Botan11BER_Decoder16peek_next_objectEv: 415| 4.24k|const BER_Object& BER_Decoder::peek_next_object() { 416| 4.24k| if(!m_pushed.is_set()) { ------------------ | Branch (416:7): [True: 4.24k, False: 0] ------------------ 417| 4.24k| m_pushed = get_next_object(); 418| 4.24k| } 419| | 420| 4.24k| return m_pushed; 421| 4.24k|} _ZN5Botan11BER_Decoder15get_next_objectEv: 426| 75.2k|BER_Object BER_Decoder::get_next_object() { 427| 75.2k| BER_Object next; 428| | 429| 75.2k| if(m_pushed.is_set()) { ------------------ | Branch (429:7): [True: 6.43k, False: 68.8k] ------------------ 430| 6.43k| std::swap(next, m_pushed); 431| 6.43k| return next; 432| 6.43k| } 433| | 434| 68.8k| for(;;) { 435| 68.8k| ASN1_Type type_tag = ASN1_Type::NoObject; 436| 68.8k| ASN1_Class class_tag = ASN1_Class::NoObject; 437| 68.8k| decode_tag(m_source, type_tag, class_tag); 438| 68.8k| next.set_tagging(type_tag, class_tag); 439| 68.8k| if(next.is_set() == false) { // no more objects ------------------ | Branch (439:10): [True: 3.27k, False: 65.5k] ------------------ 440| 3.27k| return next; 441| 3.27k| } 442| | 443| 65.5k| const size_t allow_indef = m_limits.allow_ber_encoding() ? m_limits.max_nested_indefinite_length() : 0; ------------------ | Branch (443:34): [True: 0, False: 65.5k] ------------------ 444| 65.5k| const bool der_mode = m_limits.require_der_encoding(); 445| 65.5k| const auto dl = decode_length(m_source, allow_indef, der_mode, is_constructed(class_tag)); 446| | 447| | // Per X.690 8.1.5 the only valid EOC encoding is the two-octet 448| | // sequence 0x00 0x00. Reject any other length encoding on a tag of 449| | // (Eoc, Universal) before we consume the "content" bytes. 450| 65.5k| if(type_tag == ASN1_Type::Eoc && class_tag == ASN1_Class::Universal && ------------------ | Branch (450:10): [True: 826, False: 64.7k] | Branch (450:40): [True: 54, False: 772] ------------------ 451| 54| (dl.content_length() != 0 || dl.indefinite_length())) { ------------------ | Branch (451:11): [True: 39, False: 15] | Branch (451:39): [True: 0, False: 15] ------------------ 452| 39| throw BER_Decoding_Error("EOC marker with non-zero length"); 453| 39| } 454| | 455| 65.5k| if(!m_source->check_available(dl.total_length())) { ------------------ | Branch (455:10): [True: 206, False: 65.3k] ------------------ 456| 206| throw BER_Decoding_Error("Value truncated"); 457| 206| } 458| | 459| 65.3k| uint8_t* out = next.mutable_bits(dl.content_length()); 460| 65.3k| if(m_source->read(out, dl.content_length()) != dl.content_length()) { ------------------ | Branch (460:10): [True: 0, False: 65.3k] ------------------ 461| 0| throw BER_Decoding_Error("Value truncated"); 462| 0| } 463| | 464| 65.3k| if(dl.indefinite_length()) { ------------------ | Branch (464:10): [True: 0, False: 65.3k] ------------------ 465| | // After reading the data consume the 2-byte EOC 466| 0| uint8_t eoc[2] = {0xFF, 0xFF}; 467| 0| if(m_source->read(eoc, 2) != 2 || eoc[0] != 0x00 || eoc[1] != 0x00) { ------------------ | Branch (467:13): [True: 0, False: 0] | Branch (467:44): [True: 0, False: 0] | Branch (467:62): [True: 0, False: 0] ------------------ 468| 0| throw BER_Decoding_Error("Missing or malformed EOC marker"); 469| 0| } 470| 0| } 471| | 472| 65.3k| if(next.tagging() == static_cast(ASN1_Type::Eoc)) { ------------------ | Branch (472:10): [True: 15, False: 65.2k] ------------------ 473| 15| if(m_limits.require_der_encoding()) { ------------------ | Branch (473:13): [True: 15, False: 0] ------------------ 474| 15| throw BER_Decoding_Error("Detected EOC marker in DER structure"); 475| 15| } 476| 0| continue; 477| 65.2k| } else { 478| 65.2k| break; 479| 65.2k| } 480| 65.3k| } 481| | 482| 65.2k| return next; 483| 68.8k|} _ZN5Botan11BER_Decoder9push_backEONS_10BER_ObjectE: 507| 5.53k|void BER_Decoder::push_back(BER_Object&& obj) { 508| 5.53k| if(m_pushed.is_set()) { ------------------ | Branch (508:7): [True: 0, False: 5.53k] ------------------ 509| 0| throw Invalid_State("BER_Decoder: Only one push back is allowed"); 510| 0| } 511| 5.53k| m_pushed = std::move(obj); 512| 5.53k|} _ZN5Botan11BER_Decoder10start_consENS_9ASN1_TypeENS_10ASN1_ClassE: 514| 20.9k|BER_Decoder BER_Decoder::start_cons(ASN1_Type type_tag, ASN1_Class class_tag) { 515| 20.9k| BER_Object obj = get_next_object(); 516| 20.9k| obj.assert_is_a(type_tag, class_tag | ASN1_Class::Constructed); 517| 20.9k| BER_Decoder child(std::move(obj), this); 518| 20.9k| return child; 519| 20.9k|} _ZN5Botan11BER_Decoder8end_consEv: 524| 19.7k|BER_Decoder& BER_Decoder::end_cons() { 525| 19.7k| if(m_parent == nullptr) { ------------------ | Branch (525:7): [True: 0, False: 19.7k] ------------------ 526| 0| throw Invalid_State("BER_Decoder::end_cons called with null parent"); 527| 0| } 528| 19.7k| if(!m_source->end_of_data() || m_pushed.is_set()) { ------------------ | Branch (528:7): [True: 37, False: 19.6k] | Branch (528:35): [True: 23, False: 19.6k] ------------------ 529| 60| throw Decoding_Error("BER_Decoder::end_cons called with data left"); 530| 60| } 531| 19.6k| return (*m_parent); 532| 19.7k|} _ZN5Botan11BER_DecoderC2EONS_10BER_ObjectEPS0_: 535| 20.7k| m_limits(parent != nullptr ? parent->limits() : BER_Decoder::Limits::BER()), m_parent(parent) { ------------------ | Branch (535:16): [True: 20.7k, False: 0] ------------------ 536| 20.7k| m_data_src = std::make_unique(std::move(obj)); 537| 20.7k| m_source = m_data_src.get(); 538| 20.7k|} _ZN5Botan11BER_DecoderC2ERNS_10DataSourceENS0_6LimitsE: 543| 5|BER_Decoder::BER_Decoder(DataSource& src, Limits limits) : m_limits(limits), m_source(&src) {} _ZN5Botan11BER_DecoderC2ENSt3__14spanIKhLm18446744073709551615EEENS0_6LimitsE: 548| 16.7k|BER_Decoder::BER_Decoder(std::span buf, Limits limits) : m_limits(limits) { 549| 16.7k| m_data_src = std::make_unique(buf); 550| 16.7k| m_source = m_data_src.get(); 551| 16.7k|} _ZN5Botan11BER_Decoder6decodeERNS_11ASN1_ObjectENS_9ASN1_TypeENS_10ASN1_ClassE: 560| 18.2k|BER_Decoder& BER_Decoder::decode(ASN1_Object& obj, ASN1_Type /*unused*/, ASN1_Class /*unused*/) { 561| 18.2k| obj.decode_from(*this); 562| 18.2k| return (*this); 563| 18.2k|} _ZN5Botan11BER_Decoder26decode_octet_string_bigintERNS_6BigIntE: 577| 2.37k|BER_Decoder& BER_Decoder::decode_octet_string_bigint(BigInt& out) { 578| 2.37k| secure_vector out_vec; 579| 2.37k| decode(out_vec, ASN1_Type::OctetString); 580| 2.37k| out = BigInt::from_bytes(out_vec); 581| 2.37k| return (*this); 582| 2.37k|} _ZN5Botan11BER_Decoder6decodeERmNS_9ASN1_TypeENS_10ASN1_ClassE: 610| 11.4k|BER_Decoder& BER_Decoder::decode(size_t& out, ASN1_Type type_tag, ASN1_Class class_tag) { 611| 11.4k| BigInt integer; 612| 11.4k| decode(integer, type_tag, class_tag); 613| | 614| 11.4k| if(integer.signum() < 0) { ------------------ | Branch (614:7): [True: 64, False: 11.4k] ------------------ 615| 64| throw BER_Decoding_Error("Decoded small integer value was negative"); 616| 64| } 617| | 618| 11.4k| if(integer.bits() > 32) { ------------------ | Branch (618:7): [True: 56, False: 11.3k] ------------------ 619| 56| throw BER_Decoding_Error("Decoded integer value larger than expected"); 620| 56| } 621| | 622| 11.3k| out = 0; 623| 55.4k| for(size_t i = 0; i != 4; ++i) { ------------------ | Branch (623:22): [True: 44.0k, False: 11.3k] ------------------ 624| 44.0k| out = (out << 8) | integer.byte_at(3 - i); 625| 44.0k| } 626| | 627| 11.3k| return (*this); 628| 11.4k|} _ZN5Botan11BER_Decoder6decodeERNS_6BigIntENS_9ASN1_TypeENS_10ASN1_ClassE: 660| 15.7k|BER_Decoder& BER_Decoder::decode(BigInt& out, ASN1_Type type_tag, ASN1_Class class_tag) { 661| 15.7k| const BER_Object obj = get_next_object(); 662| 15.7k| obj.assert_is_a(type_tag, class_tag); 663| | 664| | // DER requires minimal INTEGER encoding (X.690 section 8.3.2) 665| 15.7k| if(m_limits.require_der_encoding()) { ------------------ | Branch (665:7): [True: 15.3k, False: 393] ------------------ 666| 15.3k| if(obj.length() == 0) { ------------------ | Branch (666:10): [True: 1, False: 15.3k] ------------------ 667| 1| throw BER_Decoding_Error("Detected empty INTEGER encoding in DER structure"); 668| 1| } 669| 15.3k| if(obj.length() > 1) { ------------------ | Branch (669:10): [True: 3.19k, False: 12.1k] ------------------ 670| 3.19k| if(obj.bits()[0] == 0x00 && (obj.bits()[1] & 0x80) == 0) { ------------------ | Branch (670:13): [True: 1.31k, False: 1.87k] | Branch (670:38): [True: 4, False: 1.30k] ------------------ 671| 4| throw BER_Decoding_Error("Detected non-minimal INTEGER encoding in DER structure"); 672| 4| } 673| 3.18k| if(obj.bits()[0] == 0xFF && (obj.bits()[1] & 0x80) != 0) { ------------------ | Branch (673:13): [True: 21, False: 3.16k] | Branch (673:38): [True: 2, False: 19] ------------------ 674| 2| throw BER_Decoding_Error("Detected non-minimal INTEGER encoding in DER structure"); 675| 2| } 676| 3.18k| } 677| 15.3k| } 678| | 679| 15.7k| if(obj.length() == 0) { ------------------ | Branch (679:7): [True: 0, False: 15.7k] ------------------ 680| 0| out.clear(); 681| 15.7k| } else { 682| 15.7k| const uint8_t first = obj.bits()[0]; 683| 15.7k| const bool negative = (first & 0x80) == 0x80; 684| | 685| 15.7k| if(negative) { ------------------ | Branch (685:10): [True: 100, False: 15.6k] ------------------ 686| 100| secure_vector vec(obj.bits(), obj.bits() + obj.length()); 687| 464| for(size_t i = obj.length(); i > 0; --i) { ------------------ | Branch (687:39): [True: 464, False: 0] ------------------ 688| 464| const bool gt0 = (vec[i - 1] > 0); 689| 464| vec[i - 1] -= 1; 690| 464| if(gt0) { ------------------ | Branch (690:16): [True: 100, False: 364] ------------------ 691| 100| break; 692| 100| } 693| 464| } 694| 9.92k| for(size_t i = 0; i != obj.length(); ++i) { ------------------ | Branch (694:28): [True: 9.82k, False: 100] ------------------ 695| 9.82k| vec[i] = ~vec[i]; 696| 9.82k| } 697| 100| out._assign_from_bytes(vec); 698| 100| out.flip_sign(); 699| 15.6k| } else { 700| 15.6k| out._assign_from_bytes(obj.data()); 701| 15.6k| } 702| 15.7k| } 703| | 704| 15.7k| return (*this); 705| 15.7k|} _ZN5Botan11BER_Decoder6decodeERNSt3__16vectorIhNS_16secure_allocatorIhEEEENS_9ASN1_TypeES7_NS_10ASN1_ClassE: 769| 13.0k| ASN1_Class class_tag) { 770| 13.0k| if(real_type != ASN1_Type::OctetString && real_type != ASN1_Type::BitString) { ------------------ | Branch (770:7): [True: 1.00k, False: 12.0k] | Branch (770:46): [True: 0, False: 1.00k] ------------------ 771| 0| throw BER_Bad_Tag("Bad tag for {BIT,OCTET} STRING", static_cast(real_type)); 772| 0| } 773| | 774| 13.0k| asn1_decode_binary_string( 775| 13.0k| buffer, get_next_object(), real_type, type_tag, class_tag, m_limits.require_der_encoding()); 776| 13.0k| return (*this); 777| 13.0k|} _ZN5Botan11BER_Decoder6decodeERNSt3__16vectorIhNS1_9allocatorIhEEEENS_9ASN1_TypeES7_NS_10ASN1_ClassE: 782| 2.34k| ASN1_Class class_tag) { 783| 2.34k| if(real_type != ASN1_Type::OctetString && real_type != ASN1_Type::BitString) { ------------------ | Branch (783:7): [True: 1.17k, False: 1.17k] | Branch (783:46): [True: 0, False: 1.17k] ------------------ 784| 0| throw BER_Bad_Tag("Bad tag for {BIT,OCTET} STRING", static_cast(real_type)); 785| 0| } 786| | 787| 2.34k| asn1_decode_binary_string( 788| 2.34k| buffer, get_next_object(), real_type, type_tag, class_tag, m_limits.require_der_encoding()); 789| 2.34k| return (*this); 790| 2.34k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_110decode_tagEPNS_10DataSourceERNS_9ASN1_TypeERNS_10ASN1_ClassE: 27| 68.8k|size_t decode_tag(DataSource* ber, ASN1_Type& type_tag, ASN1_Class& class_tag) { 28| 68.8k| auto b = ber->read_byte(); 29| | 30| 68.8k| if(!b) { ------------------ | Branch (30:7): [True: 3.27k, False: 65.5k] ------------------ 31| 3.27k| type_tag = ASN1_Type::NoObject; 32| 3.27k| class_tag = ASN1_Class::NoObject; 33| 3.27k| return 0; 34| 3.27k| } 35| | 36| 65.5k| if((*b & 0x1F) != 0x1F) { ------------------ | Branch (36:7): [True: 65.2k, False: 302] ------------------ 37| 65.2k| type_tag = ASN1_Type(*b & 0x1F); 38| 65.2k| class_tag = ASN1_Class(*b & 0xE0); 39| 65.2k| return 1; 40| 65.2k| } 41| | 42| 302| size_t tag_bytes = 1; 43| 302| class_tag = ASN1_Class(*b & 0xE0); 44| | 45| 302| uint32_t tag_buf = 0; 46| 1.07k| while(true) { ------------------ | Branch (46:10): [True: 1.07k, Folded] ------------------ 47| 1.07k| b = ber->read_byte(); 48| 1.07k| if(!b) { ------------------ | Branch (48:10): [True: 21, False: 1.05k] ------------------ 49| 21| throw BER_Decoding_Error("Long-form tag truncated"); 50| 21| } 51| 1.05k| if((tag_buf >> 24) != 0) { ------------------ | Branch (51:10): [True: 19, False: 1.03k] ------------------ 52| 19| throw BER_Decoding_Error("Long-form tag overflowed 32 bits"); 53| 19| } 54| | // This is required even by BER (see X.690 section 8.1.2.4.2 sentence c). 55| | // Bits 7-1 of the first subsequent octet must not be all zero; this rules 56| | // out both 0x80 (continuation with no data) and 0x00 (a long-form encoding 57| | // of tag value 0, which collides with the EOC marker). 58| 1.03k| if(tag_bytes == 1 && (*b & 0x7F) == 0) { ------------------ | Branch (58:10): [True: 299, False: 735] | Branch (58:28): [True: 1, False: 298] ------------------ 59| 1| throw BER_Decoding_Error("Long form tag with leading zero"); 60| 1| } 61| 1.03k| ++tag_bytes; 62| 1.03k| tag_buf = (tag_buf << 7) | (*b & 0x7F); 63| 1.03k| if((*b & 0x80) == 0) { ------------------ | Branch (63:10): [True: 261, False: 772] ------------------ 64| 261| break; 65| 261| } 66| 1.03k| } 67| | // Per X.690 8.1.2.2, tag values 0-30 shall be encoded in the short form. 68| | // Long-form encoding is reserved for tag values >= 31 (X.690 8.1.2.3). 69| | // This is unconditional and applies to BER as well as DER. 70| 261| if(tag_buf <= 30) { ------------------ | Branch (70:7): [True: 6, False: 255] ------------------ 71| 6| throw BER_Decoding_Error("Long-form tag encoding used for small tag value"); 72| 6| } 73| | 74| 255| if(tag_buf == static_cast(ASN1_Type::NoObject)) { ------------------ | Branch (74:7): [True: 1, False: 254] ------------------ 75| 1| throw BER_Decoding_Error("Tag value collides with internal sentinel"); 76| 1| } 77| | 78| | // NOLINTNEXTLINE(clang-analyzer-optin.core.EnumCastOutOfRange) 79| 254| type_tag = ASN1_Type(tag_buf); 80| 254| return tag_bytes; 81| 255|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_113decode_lengthEPNS_10DataSourceEmbb: 126| 65.5k|BerDecodedLength decode_length(DataSource* ber, size_t allow_indef, bool der_mode, bool constructed) { 127| 65.5k| uint8_t b = 0; 128| 65.5k| if(ber->read_byte(b) == 0) { ------------------ | Branch (128:7): [True: 70, False: 65.4k] ------------------ 129| 70| throw BER_Decoding_Error("Length field not found"); 130| 70| } 131| 65.4k| if((b & 0x80) == 0) { ------------------ | Branch (131:7): [True: 59.0k, False: 6.35k] ------------------ 132| 59.0k| return BerDecodedLength(b, 1); 133| 59.0k| } 134| | 135| 6.35k| const size_t num_length_bytes = (b & 0x7F); 136| 6.35k| if(num_length_bytes > 4) { ------------------ | Branch (136:7): [True: 32, False: 6.32k] ------------------ 137| 32| throw BER_Decoding_Error("Length field is too large"); 138| 32| } 139| | 140| 6.32k| const size_t field_size = 1 + num_length_bytes; 141| | 142| 6.32k| if(num_length_bytes == 0) { ------------------ | Branch (142:7): [True: 9, False: 6.31k] ------------------ 143| 9| if(der_mode) { ------------------ | Branch (143:10): [True: 9, False: 0] ------------------ 144| 9| throw BER_Decoding_Error("Detected indefinite-length encoding in DER structure"); 145| 9| } else if(!constructed) { ------------------ | Branch (145:17): [True: 0, False: 0] ------------------ 146| | // Indefinite length is only valid for constructed types (X.690 8.1.3.2) 147| 0| throw BER_Decoding_Error("Indefinite-length encoding used with non-constructed type"); 148| 0| } else if(allow_indef == 0) { ------------------ | Branch (148:17): [True: 0, False: 0] ------------------ 149| 0| throw BER_Decoding_Error("Nested EOC markers too deep, rejecting to avoid stack exhaustion"); 150| 0| } else { 151| | // find_eoc returns bytes up to and including the EOC marker. 152| | // Return the content length; the caller consumes the EOC separately. 153| 0| const size_t eoc_len = find_eoc(ber, /*base_offset=*/0, allow_indef - 1); 154| 0| if(eoc_len < 2) { ------------------ | Branch (154:13): [True: 0, False: 0] ------------------ 155| 0| throw BER_Decoding_Error("Invalid EOC encoding"); 156| 0| } 157| 0| return BerDecodedLength::indefinite(eoc_len - 2, field_size); 158| 0| } 159| 9| } 160| | 161| 6.31k| size_t length = 0; 162| | 163| 16.3k| for(size_t i = 0; i != num_length_bytes; ++i) { ------------------ | Branch (163:22): [True: 10.0k, False: 6.30k] ------------------ 164| 10.0k| if(ber->read_byte(b) == 0) { ------------------ | Branch (164:10): [True: 7, False: 10.0k] ------------------ 165| 7| throw BER_Decoding_Error("Corrupted length field"); 166| 7| } 167| | // Can't overflow since we already checked that num_length_bytes <= 4 168| 10.0k| length = (length << 8) | b; 169| 10.0k| } 170| | 171| | // DER requires shortest possible length encoding 172| 6.30k| if(der_mode) { ------------------ | Branch (172:7): [True: 6.30k, False: 0] ------------------ 173| 6.30k| if(length < 128) { ------------------ | Branch (173:10): [True: 10, False: 6.29k] ------------------ 174| 10| throw BER_Decoding_Error("Detected non-canonical length encoding in DER structure"); 175| 10| } 176| 6.29k| if(num_length_bytes > 1 && length < (size_t(1) << ((num_length_bytes - 1) * 8))) { ------------------ | Branch (176:10): [True: 3.56k, False: 2.72k] | Branch (176:34): [True: 2, False: 3.56k] ------------------ 177| 2| throw BER_Decoding_Error("Detected non-canonical length encoding in DER structure"); 178| 2| } 179| 6.29k| } 180| | 181| 6.29k| return BerDecodedLength(length, field_size); 182| 6.30k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_116BerDecodedLengthC2Emm: 99| 65.3k| BerDecodedLength(content_length, field_length, false) {} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_116BerDecodedLengthC2Emmb: 116| 65.3k| m_content_length(content_length), m_field_length(field_length), m_indefinite(indefinite) {} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_114is_constructedENS_10ASN1_ClassE: 20| 80.8k|bool is_constructed(ASN1_Class class_tag) { 21| 80.8k| return (static_cast(class_tag) & static_cast(ASN1_Class::Constructed)) != 0; 22| 80.8k|} ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_116BerDecodedLength14content_lengthEv: 105| 195k| size_t content_length() const { return m_content_length; } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_116BerDecodedLength17indefinite_lengthEv: 112| 65.1k| bool indefinite_length() const { return m_indefinite; } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_116BerDecodedLength12total_lengthEv: 108| 65.3k| size_t total_length() const { return m_indefinite ? m_content_length + 2 : m_content_length; } ------------------ | Branch (108:44): [True: 0, False: 65.3k] ------------------ ber_dec.cpp:_ZN5Botan12_GLOBAL__N_120DataSource_BERObjectC2EONS_10BER_ObjectE: 357| 20.7k| explicit DataSource_BERObject(BER_Object&& obj) : m_obj(std::move(obj)) {} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_120DataSource_BERObject4readEPhm: 327| 852k| size_t read(uint8_t out[], size_t length) override { 328| 852k| BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length()); ------------------ | | 77| 852k| do { \ | | 78| 852k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 852k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 852k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 852k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 852k] | | ------------------ ------------------ 329| 852k| const size_t got = std::min(m_obj.length() - m_offset, length); 330| 852k| copy_mem(out, m_obj.bits() + m_offset, got); 331| 852k| m_offset += got; 332| 852k| return got; 333| 852k| } ber_dec.cpp:_ZN5Botan12_GLOBAL__N_120DataSource_BERObject15check_availableEm: 348| 48.6k| bool check_available(size_t n) override { 349| 48.6k| BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length()); ------------------ | | 77| 48.6k| do { \ | | 78| 48.6k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 48.6k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 48.6k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 48.6k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 48.6k] | | ------------------ ------------------ 350| 48.6k| return (n <= (m_obj.length() - m_offset)); 351| 48.6k| } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_120DataSource_BERObject11end_of_dataEv: 353| 19.8k| bool end_of_data() const override { return get_bytes_read() == m_obj.length(); } ber_dec.cpp:_ZNK5Botan12_GLOBAL__N_120DataSource_BERObject14get_bytes_readEv: 355| 19.8k| size_t get_bytes_read() const override { return m_offset; } ber_dec.cpp:_ZN5Botan12_GLOBAL__N_125asn1_decode_binary_stringINS_16secure_allocatorIhEEEEvRNSt3__16vectorIhT_EERKNS_10BER_ObjectENS_9ASN1_TypeESC_NS_10ASN1_ClassEb: 719| 13.0k| bool require_der) { 720| 13.0k| obj.assert_is_a(type_tag, class_tag); 721| | 722| | // DER requires BIT STRING and OCTET STRING to use primitive encoding 723| 13.0k| if(require_der && is_constructed(obj)) { ------------------ | Branch (723:7): [True: 12.9k, False: 33] | Branch (723:22): [True: 0, False: 12.9k] ------------------ 724| 0| throw BER_Decoding_Error("Detected constructed string encoding in DER structure"); 725| 0| } 726| | 727| 13.0k| if(real_type == ASN1_Type::OctetString) { ------------------ | Branch (727:7): [True: 11.9k, False: 1.03k] ------------------ 728| 11.9k| buffer.assign(obj.bits(), obj.bits() + obj.length()); 729| 11.9k| } else { 730| 1.03k| if(obj.length() == 0) { ------------------ | Branch (730:10): [True: 1, False: 1.03k] ------------------ 731| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 732| 1| } 733| | 734| 1.03k| const uint8_t unused_bits = obj.bits()[0]; 735| | 736| 1.03k| if(unused_bits >= 8) { ------------------ | Branch (736:10): [True: 5, False: 1.02k] ------------------ 737| 5| throw BER_Decoding_Error("Bad number of unused bits in BIT STRING"); 738| 5| } 739| | 740| | // Empty BIT STRING with unused bits > 0 ... 741| 1.02k| if(unused_bits > 0 && obj.length() < 2) { ------------------ | Branch (741:10): [True: 49, False: 979] | Branch (741:29): [True: 1, False: 48] ------------------ 742| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 743| 1| } 744| | 745| | // DER requires unused bits in BIT STRING to be zero (X.690 section 11.2.2) 746| 1.02k| if(require_der && unused_bits > 0) { ------------------ | Branch (746:10): [True: 994, False: 33] | Branch (746:25): [True: 48, False: 946] ------------------ 747| 48| const uint8_t last_byte = obj.bits()[obj.length() - 1]; 748| 48| if((last_byte & ((1 << unused_bits) - 1)) != 0) { ------------------ | Branch (748:13): [True: 1, False: 47] ------------------ 749| 1| throw BER_Decoding_Error("Detected non-zero padding bits in BIT STRING in DER structure"); 750| 1| } 751| 48| } 752| | 753| 1.02k| buffer.resize(obj.length() - 1); 754| | 755| 1.02k| if(obj.length() > 1) { ------------------ | Branch (755:10): [True: 992, False: 34] ------------------ 756| 992| copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1); 757| 992| } 758| 1.02k| } 759| 13.0k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_114is_constructedERKNS_10BER_ObjectE: 709| 15.3k|bool is_constructed(const BER_Object& obj) { 710| 15.3k| return is_constructed(obj.class_tag()); 711| 15.3k|} ber_dec.cpp:_ZN5Botan12_GLOBAL__N_125asn1_decode_binary_stringINSt3__19allocatorIhEEEEvRNS2_6vectorIhT_EERKNS_10BER_ObjectENS_9ASN1_TypeESC_NS_10ASN1_ClassEb: 719| 2.34k| bool require_der) { 720| 2.34k| obj.assert_is_a(type_tag, class_tag); 721| | 722| | // DER requires BIT STRING and OCTET STRING to use primitive encoding 723| 2.34k| if(require_der && is_constructed(obj)) { ------------------ | Branch (723:7): [True: 2.34k, False: 0] | Branch (723:22): [True: 0, False: 2.34k] ------------------ 724| 0| throw BER_Decoding_Error("Detected constructed string encoding in DER structure"); 725| 0| } 726| | 727| 2.34k| if(real_type == ASN1_Type::OctetString) { ------------------ | Branch (727:7): [True: 1.17k, False: 1.17k] ------------------ 728| 1.17k| buffer.assign(obj.bits(), obj.bits() + obj.length()); 729| 1.17k| } else { 730| 1.17k| if(obj.length() == 0) { ------------------ | Branch (730:10): [True: 1, False: 1.17k] ------------------ 731| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 732| 1| } 733| | 734| 1.17k| const uint8_t unused_bits = obj.bits()[0]; 735| | 736| 1.17k| if(unused_bits >= 8) { ------------------ | Branch (736:10): [True: 4, False: 1.17k] ------------------ 737| 4| throw BER_Decoding_Error("Bad number of unused bits in BIT STRING"); 738| 4| } 739| | 740| | // Empty BIT STRING with unused bits > 0 ... 741| 1.17k| if(unused_bits > 0 && obj.length() < 2) { ------------------ | Branch (741:10): [True: 6, False: 1.16k] | Branch (741:29): [True: 1, False: 5] ------------------ 742| 1| throw BER_Decoding_Error("Invalid BIT STRING"); 743| 1| } 744| | 745| | // DER requires unused bits in BIT STRING to be zero (X.690 section 11.2.2) 746| 1.17k| if(require_der && unused_bits > 0) { ------------------ | Branch (746:10): [True: 1.17k, False: 0] | Branch (746:25): [True: 5, False: 1.16k] ------------------ 747| 5| const uint8_t last_byte = obj.bits()[obj.length() - 1]; 748| 5| if((last_byte & ((1 << unused_bits) - 1)) != 0) { ------------------ | Branch (748:13): [True: 1, False: 4] ------------------ 749| 1| throw BER_Decoding_Error("Detected non-zero padding bits in BIT STRING in DER structure"); 750| 1| } 751| 5| } 752| | 753| 1.17k| buffer.resize(obj.length() - 1); 754| | 755| 1.17k| if(obj.length() > 1) { ------------------ | Branch (755:10): [True: 1.17k, False: 1] ------------------ 756| 1.17k| copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1); 757| 1.17k| } 758| 1.17k| } 759| 2.34k|} _ZN5Botan11DER_EncoderC2ERNSt3__16vectorIhNS1_9allocatorIhEEEE: 72| 3.05k|DER_Encoder::DER_Encoder(std::vector& vec) { 73| 3.05k| m_append_output = [&vec](const uint8_t b[], size_t l) { vec.insert(vec.end(), b, b + l); }; 74| 3.05k|} _ZN5Botan11DER_Encoder10add_objectENS_9ASN1_TypeENS_10ASN1_ClassEPKhm: 244| 3.05k|DER_Encoder& DER_Encoder::add_object(ASN1_Type type_tag, ASN1_Class class_tag, const uint8_t rep[], size_t length) { 245| 3.05k| std::vector hdr; 246| 3.05k| encode_tag(hdr, type_tag, class_tag); 247| 3.05k| encode_length(hdr, length); 248| | 249| 3.05k| if(!m_subsequences.empty()) { ------------------ | Branch (249:7): [True: 0, False: 3.05k] ------------------ 250| 0| m_subsequences[m_subsequences.size() - 1].add_bytes(hdr.data(), hdr.size(), rep, length); 251| 3.05k| } else if(m_append_output) { ------------------ | Branch (251:14): [True: 3.05k, False: 0] ------------------ 252| 3.05k| m_append_output(hdr.data(), hdr.size()); 253| 3.05k| m_append_output(rep, length); 254| 3.05k| } else { 255| 0| m_default_outbuf += hdr; 256| 0| m_default_outbuf += std::make_pair(rep, length); 257| 0| } 258| | 259| 3.05k| return (*this); 260| 3.05k|} _ZN5Botan11DER_Encoder6encodeERKNS_11ASN1_ObjectE: 365| 3.05k|DER_Encoder& DER_Encoder::encode(const ASN1_Object& obj) { 366| 3.05k| obj.encode_into(*this); 367| 3.05k| return (*this); 368| 3.05k|} der_enc.cpp:_ZN5Botan12_GLOBAL__N_110encode_tagERNSt3__16vectorIhNS1_9allocatorIhEEEENS_9ASN1_TypeENS_10ASN1_ClassE: 25| 3.05k|void encode_tag(std::vector& encoded_tag, ASN1_Type type_tag_e, ASN1_Class class_tag_e) { 26| 3.05k| const uint32_t type_tag = static_cast(type_tag_e); 27| 3.05k| const uint32_t class_tag = static_cast(class_tag_e); 28| | 29| 3.05k| if((class_tag | 0xE0) != 0xE0) { ------------------ | Branch (29:7): [True: 0, False: 3.05k] ------------------ 30| 0| throw Encoding_Error(fmt("DER_Encoder: Invalid class tag {}", std::to_string(class_tag))); 31| 0| } 32| | 33| 3.05k| if(type_tag <= 30) { ------------------ | Branch (33:7): [True: 3.05k, False: 0] ------------------ 34| 3.05k| encoded_tag.push_back(static_cast(type_tag | class_tag)); 35| 3.05k| } else { 36| 0| size_t blocks = high_bit(static_cast(type_tag)) + 6; 37| 0| blocks = (blocks - (blocks % 7)) / 7; 38| | 39| 0| BOTAN_ASSERT_NOMSG(blocks > 0); ------------------ | | 77| 0| do { \ | | 78| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 0| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 0| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 0] | | ------------------ ------------------ 40| | 41| 0| encoded_tag.push_back(static_cast(class_tag | 0x1F)); 42| 0| for(size_t i = 0; i != blocks - 1; ++i) { ------------------ | Branch (42:25): [True: 0, False: 0] ------------------ 43| 0| encoded_tag.push_back(0x80 | ((type_tag >> 7 * (blocks - i - 1)) & 0x7F)); 44| 0| } 45| 0| encoded_tag.push_back(type_tag & 0x7F); 46| 0| } 47| 3.05k|} der_enc.cpp:_ZN5Botan12_GLOBAL__N_113encode_lengthERNSt3__16vectorIhNS1_9allocatorIhEEEEm: 52| 3.05k|void encode_length(std::vector& encoded_length, size_t length) { 53| 3.05k| if(length <= 127) { ------------------ | Branch (53:7): [True: 3.05k, False: 0] ------------------ 54| 3.05k| encoded_length.push_back(static_cast(length)); 55| 3.05k| } else { 56| 0| const size_t bytes_needed = significant_bytes(length); 57| | 58| 0| encoded_length.push_back(static_cast(0x80 | bytes_needed)); 59| | 60| 0| for(size_t i = sizeof(length) - bytes_needed; i < sizeof(length); ++i) { ------------------ | Branch (60:53): [True: 0, False: 0] ------------------ 61| 0| encoded_length.push_back(get_byte_var(i, length)); 62| 0| } 63| 0| } 64| 3.05k|} der_enc.cpp:_ZZN5Botan11DER_EncoderC1ERNSt3__16vectorIhNS1_9allocatorIhEEEEENK3$_0clEPKhm: 73| 6.10k| m_append_output = [&vec](const uint8_t b[], size_t l) { vec.insert(vec.end(), b, b + l); }; _ZN5Botan7OID_MapC2Ev: 11| 1|OID_Map::OID_Map() { 12| 1| m_str2oid = OID_Map::load_str2oid_map(); 13| 1| m_oid2str = OID_Map::load_oid2str_map(); 14| 1|} _ZN5Botan7OID_Map15global_registryEv: 16| 14.5k|OID_Map& OID_Map::global_registry() { 17| 14.5k| static OID_Map g_map; 18| 14.5k| return g_map; 19| 14.5k|} _ZN5Botan7OID_Map7oid2strERKNS_3OIDE: 69| 14.5k|std::string OID_Map::oid2str(const OID& oid) { 70| 14.5k| if(auto name = lookup_static_oid(oid)) { ------------------ | Branch (70:12): [True: 12.7k, False: 1.74k] ------------------ 71| 12.7k| return std::string(*name); 72| 12.7k| } 73| | 74| 1.74k| const lock_guard_type lock(m_mutex); 75| | 76| 1.74k| auto i = m_oid2str.find(oid); 77| 1.74k| if(i != m_oid2str.end()) { ------------------ | Branch (77:7): [True: 0, False: 1.74k] ------------------ 78| 0| return i->second; 79| 0| } 80| | 81| 1.74k| return ""; 82| 1.74k|} _ZN5Botan7OID_Map7str2oidENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 84| 15|OID OID_Map::str2oid(std::string_view str) { 85| 15| if(auto oid = lookup_static_oid_name(str)) { ------------------ | Branch (85:12): [True: 15, False: 0] ------------------ 86| 15| return std::move(*oid); 87| 15| } 88| | 89| 0| const lock_guard_type lock(m_mutex); 90| 0| auto i = m_str2oid.find(std::string(str)); 91| 0| if(i != m_str2oid.end()) { ------------------ | Branch (91:7): [True: 0, False: 0] ------------------ 92| 0| return i->second; 93| 0| } 94| | 95| 0| return OID(); 96| 0|} _ZN5Botan7OID_Map17lookup_static_oidERKNS_3OIDE: 48| 14.5k|std::optional OID_Map::lookup_static_oid(const OID& oid) { 49| 14.5k| const uint32_t hc = static_cast(oid.hash_code() % 858701); 50| | 51| 14.5k| switch(hc) { 52| 3| case 0x01506: ------------------ | Branch (52:7): [True: 3, False: 14.5k] ------------------ 53| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 1}, "ECDSA/SHA-224"); 54| 3| case 0x01507: ------------------ | Branch (54:7): [True: 3, False: 14.5k] ------------------ 55| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 2}, "ECDSA/SHA-256"); 56| 3| case 0x01508: ------------------ | Branch (56:7): [True: 3, False: 14.5k] ------------------ 57| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 3}, "ECDSA/SHA-384"); 58| 3| case 0x01509: ------------------ | Branch (58:7): [True: 3, False: 14.5k] ------------------ 59| 3| return if_match(oid, {1, 2, 840, 10045, 4, 3, 4}, "ECDSA/SHA-512"); 60| 1| case 0x04C1E: ------------------ | Branch (60:7): [True: 1, False: 14.5k] ------------------ 61| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 3029, 1, 2, 1}, "ElGamal"); 62| 1| case 0x04E61: ------------------ | Branch (62:7): [True: 1, False: 14.5k] ------------------ 63| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 3029, 1, 5, 1}, "OpenPGP.Curve25519"); 64| 3| case 0x0779B: ------------------ | Branch (64:7): [True: 3, False: 14.5k] ------------------ 65| 3| return if_match(oid, {1, 2, 840, 113549, 2, 5}, "MD5"); 66| 3| case 0x0779D: ------------------ | Branch (66:7): [True: 3, False: 14.5k] ------------------ 67| 3| return if_match(oid, {1, 2, 840, 113549, 2, 7}, "HMAC(SHA-1)"); 68| 3| case 0x0779E: ------------------ | Branch (68:7): [True: 3, False: 14.5k] ------------------ 69| 3| return if_match(oid, {1, 2, 840, 113549, 2, 8}, "HMAC(SHA-224)"); 70| 3| case 0x0779F: ------------------ | Branch (70:7): [True: 3, False: 14.5k] ------------------ 71| 3| return if_match(oid, {1, 2, 840, 113549, 2, 9}, "HMAC(SHA-256)"); 72| 3| case 0x077A0: ------------------ | Branch (72:7): [True: 3, False: 14.5k] ------------------ 73| 3| return if_match(oid, {1, 2, 840, 113549, 2, 10}, "HMAC(SHA-384)"); 74| 3| case 0x077A1: ------------------ | Branch (74:7): [True: 3, False: 14.5k] ------------------ 75| 3| return if_match(oid, {1, 2, 840, 113549, 2, 11}, "HMAC(SHA-512)"); 76| 3| case 0x077A3: ------------------ | Branch (76:7): [True: 3, False: 14.5k] ------------------ 77| 3| return if_match(oid, {1, 2, 840, 113549, 2, 13}, "HMAC(SHA-512-256)"); 78| 3| case 0x0785E: ------------------ | Branch (78:7): [True: 3, False: 14.5k] ------------------ 79| 3| return if_match(oid, {1, 2, 840, 113549, 3, 7}, "TripleDES/CBC"); 80| 1| case 0x0C904: ------------------ | Branch (80:7): [True: 1, False: 14.5k] ------------------ 81| 1| return if_match(oid, {1, 0, 14888, 3, 0, 5}, "ECKCDSA"); 82| 1| case 0x11547: ------------------ | Branch (82:7): [True: 1, False: 14.5k] ------------------ 83| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 1}, "SphincsPlus-shake-128s-r3.1"); 84| 1| case 0x11548: ------------------ | Branch (84:7): [True: 1, False: 14.5k] ------------------ 85| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 2}, "SphincsPlus-shake-128f-r3.1"); 86| 1| case 0x11549: ------------------ | Branch (86:7): [True: 1, False: 14.5k] ------------------ 87| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 3}, "SphincsPlus-shake-192s-r3.1"); 88| 1| case 0x1154A: ------------------ | Branch (88:7): [True: 1, False: 14.5k] ------------------ 89| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 4}, "SphincsPlus-shake-192f-r3.1"); 90| 1| case 0x1154B: ------------------ | Branch (90:7): [True: 1, False: 14.5k] ------------------ 91| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 5}, "SphincsPlus-shake-256s-r3.1"); 92| 1| case 0x1154C: ------------------ | Branch (92:7): [True: 1, False: 14.5k] ------------------ 93| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 6}, "SphincsPlus-shake-256f-r3.1"); 94| 1| case 0x11608: ------------------ | Branch (94:7): [True: 1, False: 14.5k] ------------------ 95| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 1}, "SphincsPlus-sha2-128s-r3.1"); 96| 1| case 0x11609: ------------------ | Branch (96:7): [True: 1, False: 14.5k] ------------------ 97| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 2}, "SphincsPlus-sha2-128f-r3.1"); 98| 1| case 0x1160A: ------------------ | Branch (98:7): [True: 1, False: 14.5k] ------------------ 99| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 3}, "SphincsPlus-sha2-192s-r3.1"); 100| 1| case 0x1160B: ------------------ | Branch (100:7): [True: 1, False: 14.5k] ------------------ 101| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 4}, "SphincsPlus-sha2-192f-r3.1"); 102| 1| case 0x1160C: ------------------ | Branch (102:7): [True: 1, False: 14.5k] ------------------ 103| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 5}, "SphincsPlus-sha2-256s-r3.1"); 104| 1| case 0x1160D: ------------------ | Branch (104:7): [True: 1, False: 14.5k] ------------------ 105| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 6}, "SphincsPlus-sha2-256f-r3.1"); 106| 1| case 0x116C9: ------------------ | Branch (106:7): [True: 1, False: 14.5k] ------------------ 107| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 1}, "SphincsPlus-haraka-128s-r3.1"); 108| 2| case 0x116CA: ------------------ | Branch (108:7): [True: 2, False: 14.5k] ------------------ 109| 2| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 2}, "SphincsPlus-haraka-128f-r3.1"); 110| 1| case 0x116CB: ------------------ | Branch (110:7): [True: 1, False: 14.5k] ------------------ 111| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 3}, "SphincsPlus-haraka-192s-r3.1"); 112| 1| case 0x116CC: ------------------ | Branch (112:7): [True: 1, False: 14.5k] ------------------ 113| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 4}, "SphincsPlus-haraka-192f-r3.1"); 114| 1| case 0x116CD: ------------------ | Branch (114:7): [True: 1, False: 14.5k] ------------------ 115| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 5}, "SphincsPlus-haraka-256s-r3.1"); 116| 1| case 0x116CE: ------------------ | Branch (116:7): [True: 1, False: 14.5k] ------------------ 117| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 6}, "SphincsPlus-haraka-256f-r3.1"); 118| 1| case 0x1533B: ------------------ | Branch (118:7): [True: 1, False: 14.5k] ------------------ 119| 1| return if_match(oid, {1, 2, 156, 10197, 1, 104, 2}, "SM4/CBC"); 120| 1| case 0x15341: ------------------ | Branch (120:7): [True: 1, False: 14.5k] ------------------ 121| 1| return if_match(oid, {1, 2, 156, 10197, 1, 104, 8}, "SM4/GCM"); 122| 1| case 0x1539D: ------------------ | Branch (122:7): [True: 1, False: 14.5k] ------------------ 123| 1| return if_match(oid, {1, 2, 156, 10197, 1, 104, 100}, "SM4/OCB"); 124| 3| case 0x187D7: ------------------ | Branch (124:7): [True: 3, False: 14.5k] ------------------ 125| 3| return if_match(oid, {1, 3, 14, 3, 2, 7}, "DES/CBC"); 126| 3| case 0x187EA: ------------------ | Branch (126:7): [True: 3, False: 14.5k] ------------------ 127| 3| return if_match(oid, {1, 3, 14, 3, 2, 26}, "SHA-1"); 128| 11| case 0x19933: ------------------ | Branch (128:7): [True: 11, False: 14.4k] ------------------ 129| 11| return if_match(oid, {1, 3, 132, 0, 8}, "secp160r1"); 130| 10| case 0x19934: ------------------ | Branch (130:7): [True: 10, False: 14.4k] ------------------ 131| 10| return if_match(oid, {1, 3, 132, 0, 9}, "secp160k1"); 132| 178| case 0x19935: ------------------ | Branch (132:7): [True: 178, False: 14.3k] ------------------ 133| 178| return if_match(oid, {1, 3, 132, 0, 10}, "secp256k1"); 134| 12| case 0x19949: ------------------ | Branch (134:7): [True: 12, False: 14.4k] ------------------ 135| 12| return if_match(oid, {1, 3, 132, 0, 30}, "secp160r2"); 136| 9| case 0x1994A: ------------------ | Branch (136:7): [True: 9, False: 14.4k] ------------------ 137| 9| return if_match(oid, {1, 3, 132, 0, 31}, "secp192k1"); 138| 636| case 0x1994B: ------------------ | Branch (138:7): [True: 636, False: 13.8k] ------------------ 139| 636| return if_match(oid, {1, 3, 132, 0, 32}, "secp224k1"); 140| 287| case 0x1994C: ------------------ | Branch (140:7): [True: 287, False: 14.2k] ------------------ 141| 287| return if_match(oid, {1, 3, 132, 0, 33}, "secp224r1"); 142| 168| case 0x1994D: ------------------ | Branch (142:7): [True: 168, False: 14.3k] ------------------ 143| 168| return if_match(oid, {1, 3, 132, 0, 34}, "secp384r1"); 144| 309| case 0x1994E: ------------------ | Branch (144:7): [True: 309, False: 14.1k] ------------------ 145| 309| return if_match(oid, {1, 3, 132, 0, 35}, "secp521r1"); 146| 3.14k| case 0x199F8: ------------------ | Branch (146:7): [True: 3.14k, False: 11.3k] ------------------ 147| 3.14k| return if_match(oid, {1, 3, 132, 1, 12}, "ECDH"); 148| 1| case 0x1E7BF: ------------------ | Branch (148:7): [True: 1, False: 14.5k] ------------------ 149| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301, 1}, "SM2"); 150| 1| case 0x1E7C0: ------------------ | Branch (150:7): [True: 1, False: 14.5k] ------------------ 151| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301, 2}, "SM2_Kex"); 152| 1| case 0x1E7C1: ------------------ | Branch (152:7): [True: 1, False: 14.5k] ------------------ 153| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301, 3}, "SM2_Enc"); 154| 1| case 0x21960: ------------------ | Branch (154:7): [True: 1, False: 14.5k] ------------------ 155| 1| return if_match(oid, {1, 3, 36, 3, 3, 1, 2}, "RSA/PKCS1v15(RIPEMD-160)"); 156| 1| case 0x2198A: ------------------ | Branch (156:7): [True: 1, False: 14.5k] ------------------ 157| 1| return if_match(oid, {1, 2, 840, 113533, 7, 66, 10}, "CAST-128/CBC"); 158| 1| case 0x2198F: ------------------ | Branch (158:7): [True: 1, False: 14.5k] ------------------ 159| 1| return if_match(oid, {1, 2, 840, 113533, 7, 66, 15}, "KeyWrap.CAST-128"); 160| 17| case 0x227C0: ------------------ | Branch (160:7): [True: 17, False: 14.4k] ------------------ 161| 17| return if_match(oid, {1, 3, 101, 110}, "X25519"); 162| 9| case 0x227C1: ------------------ | Branch (162:7): [True: 9, False: 14.4k] ------------------ 163| 9| return if_match(oid, {1, 3, 101, 111}, "X448"); 164| 21| case 0x227C2: ------------------ | Branch (164:7): [True: 21, False: 14.4k] ------------------ 165| 21| return if_match(oid, {1, 3, 101, 112}, "Ed25519"); 166| 5| case 0x227C3: ------------------ | Branch (166:7): [True: 5, False: 14.5k] ------------------ 167| 5| return if_match(oid, {1, 3, 101, 113}, "Ed448"); 168| 1| case 0x27565: ------------------ | Branch (168:7): [True: 1, False: 14.5k] ------------------ 169| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 1, 1}, "PKIX.OCSP.BasicResponse"); 170| 1| case 0x27569: ------------------ | Branch (170:7): [True: 1, False: 14.5k] ------------------ 171| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 1, 5}, "PKIX.OCSP.NoCheck"); 172| 1| case 0x29F7C: ------------------ | Branch (172:7): [True: 1, False: 14.5k] ------------------ 173| 1| return if_match(oid, {1, 2, 410, 200004, 1, 100, 4, 3}, "ECKCDSA/SHA-1"); 174| 1| case 0x29F7D: ------------------ | Branch (174:7): [True: 1, False: 14.5k] ------------------ 175| 1| return if_match(oid, {1, 2, 410, 200004, 1, 100, 4, 4}, "ECKCDSA/SHA-224"); 176| 1| case 0x29F7E: ------------------ | Branch (176:7): [True: 1, False: 14.5k] ------------------ 177| 1| return if_match(oid, {1, 2, 410, 200004, 1, 100, 4, 5}, "ECKCDSA/SHA-256"); 178| 1| case 0x2AC3B: ------------------ | Branch (178:7): [True: 1, False: 14.5k] ------------------ 179| 1| return if_match(oid, {2, 5, 29, 32, 0}, "X509v3.AnyPolicy"); 180| 1| case 0x2B000: ------------------ | Branch (180:7): [True: 1, False: 14.5k] ------------------ 181| 1| return if_match(oid, {2, 5, 29, 37, 0}, "X509v3.AnyExtendedKeyUsage"); 182| 5.31k| case 0x2B5C9: ------------------ | Branch (182:7): [True: 5.31k, False: 9.19k] ------------------ 183| 5.31k| return if_match(oid, {1, 2, 840, 10045, 2, 1}, "ECDSA"); 184| 13| case 0x2B74B: ------------------ | Branch (184:7): [True: 13, False: 14.4k] ------------------ 185| 13| return if_match(oid, {1, 2, 840, 10045, 4, 1}, "ECDSA/SHA-1"); 186| 217| case 0x3474A: ------------------ | Branch (186:7): [True: 217, False: 14.2k] ------------------ 187| 217| return if_match(oid, {1, 2, 840, 10046, 2, 1}, "DH"); 188| 1| case 0x38D6D: ------------------ | Branch (188:7): [True: 1, False: 14.5k] ------------------ 189| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 1, 1}, "gost_256A"); 190| 1| case 0x38D6E: ------------------ | Branch (190:7): [True: 1, False: 14.5k] ------------------ 191| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 1, 2}, "gost_256B"); 192| 1| case 0x38E2E: ------------------ | Branch (192:7): [True: 1, False: 14.5k] ------------------ 193| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 2, 1}, "gost_512A"); 194| 1| case 0x38E2F: ------------------ | Branch (194:7): [True: 1, False: 14.5k] ------------------ 195| 1| return if_match(oid, {1, 2, 643, 7, 1, 2, 1, 2, 2}, "gost_512B"); 196| 3| case 0x38F2C: ------------------ | Branch (196:7): [True: 3, False: 14.5k] ------------------ 197| 3| return if_match(oid, {1, 2, 643, 2, 2, 3}, "GOST-34.10/GOST-R-34.11-94"); 198| 3| case 0x38F3C: ------------------ | Branch (198:7): [True: 3, False: 14.5k] ------------------ 199| 3| return if_match(oid, {1, 2, 643, 2, 2, 19}, "GOST-34.10"); 200| 1| case 0x3D7B8: ------------------ | Branch (200:7): [True: 1, False: 14.5k] ------------------ 201| 1| return if_match(oid, {0, 3, 4401, 5, 3, 1, 9, 6}, "Camellia-128/GCM"); 202| 1| case 0x3D7CC: ------------------ | Branch (202:7): [True: 1, False: 14.5k] ------------------ 203| 1| return if_match(oid, {0, 3, 4401, 5, 3, 1, 9, 26}, "Camellia-192/GCM"); 204| 1| case 0x3D7E0: ------------------ | Branch (204:7): [True: 1, False: 14.5k] ------------------ 205| 1| return if_match(oid, {0, 3, 4401, 5, 3, 1, 9, 46}, "Camellia-256/GCM"); 206| 3| case 0x3F20F: ------------------ | Branch (206:7): [True: 3, False: 14.5k] ------------------ 207| 3| return if_match(oid, {1, 3, 36, 3, 2, 1}, "RIPEMD-160"); 208| 1| case 0x4266E: ------------------ | Branch (208:7): [True: 1, False: 14.5k] ------------------ 209| 1| return if_match(oid, {0, 4, 0, 127, 0, 15, 1, 1, 13, 0}, "XMSS"); 210| 1| case 0x478C4: ------------------ | Branch (210:7): [True: 1, False: 14.5k] ------------------ 211| 1| return if_match(oid, {1, 2, 410, 200004, 1, 4}, "SEED/CBC"); 212| 1| case 0x47D98: ------------------ | Branch (212:7): [True: 1, False: 14.5k] ------------------ 213| 1| return if_match(oid, {1, 2, 156, 10197, 1, 301}, "sm2p256v1"); 214| 1| case 0x47DFC: ------------------ | Branch (214:7): [True: 1, False: 14.5k] ------------------ 215| 1| return if_match(oid, {1, 2, 156, 10197, 1, 401}, "SM3"); 216| 1| case 0x47E60: ------------------ | Branch (216:7): [True: 1, False: 14.5k] ------------------ 217| 1| return if_match(oid, {1, 2, 156, 10197, 1, 501}, "SM2_Sig/SM3"); 218| 1| case 0x47E63: ------------------ | Branch (218:7): [True: 1, False: 14.5k] ------------------ 219| 1| return if_match(oid, {1, 2, 156, 10197, 1, 504}, "RSA/PKCS1v15(SM3)"); 220| 1| case 0x52B13: ------------------ | Branch (220:7): [True: 1, False: 14.5k] ------------------ 221| 1| return if_match(oid, {1, 2, 643, 3, 131, 1, 1}, "GOST.INN"); 222| 1| case 0x635AE: ------------------ | Branch (222:7): [True: 1, False: 14.5k] ------------------ 223| 1| return if_match(oid, {1, 2, 250, 1, 223, 101, 256, 1}, "frp256v1"); 224| 1| case 0x6A784: ------------------ | Branch (224:7): [True: 1, False: 14.5k] ------------------ 225| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 1}, "PKCS12.KeyBag"); 226| 1| case 0x6A785: ------------------ | Branch (226:7): [True: 1, False: 14.5k] ------------------ 227| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 2}, "PKCS12.PKCS8ShroudedKeyBag"); 228| 2| case 0x6A786: ------------------ | Branch (228:7): [True: 2, False: 14.5k] ------------------ 229| 2| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 3}, "PKCS12.CertBag"); 230| 1| case 0x6A787: ------------------ | Branch (230:7): [True: 1, False: 14.5k] ------------------ 231| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 4}, "PKCS12.CRLBag"); 232| 1| case 0x6A788: ------------------ | Branch (232:7): [True: 1, False: 14.5k] ------------------ 233| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 5}, "PKCS12.SecretBag"); 234| 1| case 0x6A789: ------------------ | Branch (234:7): [True: 1, False: 14.5k] ------------------ 235| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 10, 1, 6}, "PKCS12.SafeContentsBag"); 236| 1| case 0x6EB86: ------------------ | Branch (236:7): [True: 1, False: 14.5k] ------------------ 237| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 6, 1}, "GOST-34.10-2012-256/SHA-256"); 238| 1| case 0x6EC47: ------------------ | Branch (238:7): [True: 1, False: 14.5k] ------------------ 239| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 7, 1}, "Kyber-512-r3"); 240| 1| case 0x6EC48: ------------------ | Branch (240:7): [True: 1, False: 14.5k] ------------------ 241| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 7, 2}, "Kyber-768-r3"); 242| 1| case 0x6EC49: ------------------ | Branch (242:7): [True: 1, False: 14.5k] ------------------ 243| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 7, 3}, "Kyber-1024-r3"); 244| 1| case 0x6EDC9: ------------------ | Branch (244:7): [True: 1, False: 14.5k] ------------------ 245| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 9, 1}, "Dilithium-4x4-r3"); 246| 1| case 0x6EDCA: ------------------ | Branch (246:7): [True: 1, False: 14.5k] ------------------ 247| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 9, 2}, "Dilithium-6x5-r3"); 248| 1| case 0x6EDCB: ------------------ | Branch (248:7): [True: 1, False: 14.5k] ------------------ 249| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 9, 3}, "Dilithium-8x7-r3"); 250| 1| case 0x6EE8A: ------------------ | Branch (250:7): [True: 1, False: 14.5k] ------------------ 251| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 10, 1}, "Dilithium-4x4-AES-r3"); 252| 1| case 0x6EE8B: ------------------ | Branch (252:7): [True: 1, False: 14.5k] ------------------ 253| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 10, 2}, "Dilithium-6x5-AES-r3"); 254| 1| case 0x6EE8C: ------------------ | Branch (254:7): [True: 1, False: 14.5k] ------------------ 255| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 10, 3}, "Dilithium-8x7-AES-r3"); 256| 1| case 0x6EF4B: ------------------ | Branch (256:7): [True: 1, False: 14.5k] ------------------ 257| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 11, 1}, "Kyber-512-90s-r3"); 258| 1| case 0x6EF4C: ------------------ | Branch (258:7): [True: 1, False: 14.5k] ------------------ 259| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 11, 2}, "Kyber-768-90s-r3"); 260| 1| case 0x6EF4D: ------------------ | Branch (260:7): [True: 1, False: 14.5k] ------------------ 261| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 11, 3}, "Kyber-1024-90s-r3"); 262| 1| case 0x6F18E: ------------------ | Branch (262:7): [True: 1, False: 14.5k] ------------------ 263| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 14, 1}, "FrodoKEM-640-SHAKE"); 264| 1| case 0x6F18F: ------------------ | Branch (264:7): [True: 1, False: 14.5k] ------------------ 265| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 14, 2}, "FrodoKEM-976-SHAKE"); 266| 1| case 0x6F190: ------------------ | Branch (266:7): [True: 1, False: 14.5k] ------------------ 267| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 14, 3}, "FrodoKEM-1344-SHAKE"); 268| 1| case 0x6F24F: ------------------ | Branch (268:7): [True: 1, False: 14.5k] ------------------ 269| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 15, 1}, "FrodoKEM-640-AES"); 270| 1| case 0x6F250: ------------------ | Branch (270:7): [True: 1, False: 14.5k] ------------------ 271| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 15, 2}, "FrodoKEM-976-AES"); 272| 1| case 0x6F251: ------------------ | Branch (272:7): [True: 1, False: 14.5k] ------------------ 273| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 15, 3}, "FrodoKEM-1344-AES"); 274| 1| case 0x6F310: ------------------ | Branch (274:7): [True: 1, False: 14.5k] ------------------ 275| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 16, 1}, "eFrodoKEM-640-SHAKE"); 276| 1| case 0x6F311: ------------------ | Branch (276:7): [True: 1, False: 14.5k] ------------------ 277| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 16, 2}, "eFrodoKEM-976-SHAKE"); 278| 1| case 0x6F312: ------------------ | Branch (278:7): [True: 1, False: 14.5k] ------------------ 279| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 16, 3}, "eFrodoKEM-1344-SHAKE"); 280| 1| case 0x6F3D1: ------------------ | Branch (280:7): [True: 1, False: 14.5k] ------------------ 281| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 17, 1}, "eFrodoKEM-640-AES"); 282| 1| case 0x6F3D2: ------------------ | Branch (282:7): [True: 1, False: 14.5k] ------------------ 283| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 17, 2}, "eFrodoKEM-976-AES"); 284| 1| case 0x6F3D3: ------------------ | Branch (284:7): [True: 1, False: 14.5k] ------------------ 285| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 17, 3}, "eFrodoKEM-1344-AES"); 286| 1| case 0x6F492: ------------------ | Branch (286:7): [True: 1, False: 14.5k] ------------------ 287| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 1}, "ClassicMcEliece_6688128pc"); 288| 1| case 0x6F493: ------------------ | Branch (288:7): [True: 1, False: 14.5k] ------------------ 289| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 2}, "ClassicMcEliece_6688128pcf"); 290| 1| case 0x6F494: ------------------ | Branch (290:7): [True: 1, False: 14.5k] ------------------ 291| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 3}, "ClassicMcEliece_6960119pc"); 292| 1| case 0x6F495: ------------------ | Branch (292:7): [True: 1, False: 14.5k] ------------------ 293| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 4}, "ClassicMcEliece_6960119pcf"); 294| 1| case 0x6F496: ------------------ | Branch (294:7): [True: 1, False: 14.5k] ------------------ 295| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 5}, "ClassicMcEliece_8192128pc"); 296| 1| case 0x6F497: ------------------ | Branch (296:7): [True: 1, False: 14.5k] ------------------ 297| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 18, 6}, "ClassicMcEliece_8192128pcf"); 298| 1| case 0x6F79D: ------------------ | Branch (298:7): [True: 1, False: 14.5k] ------------------ 299| 1| return if_match(oid, {2, 16, 840, 1, 113730, 1, 13}, "Certificate Comment"); 300| 1| case 0x701A0: ------------------ | Branch (300:7): [True: 1, False: 14.5k] ------------------ 301| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 2, 1}, "ECGDSA"); 302| 1| case 0x70322: ------------------ | Branch (302:7): [True: 1, False: 14.5k] ------------------ 303| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 1}, "ECGDSA/RIPEMD-160"); 304| 1| case 0x70323: ------------------ | Branch (304:7): [True: 1, False: 14.5k] ------------------ 305| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 2}, "ECGDSA/SHA-1"); 306| 1| case 0x70324: ------------------ | Branch (306:7): [True: 1, False: 14.5k] ------------------ 307| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 3}, "ECGDSA/SHA-224"); 308| 1| case 0x70325: ------------------ | Branch (308:7): [True: 1, False: 14.5k] ------------------ 309| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 4}, "ECGDSA/SHA-256"); 310| 1| case 0x70326: ------------------ | Branch (310:7): [True: 1, False: 14.5k] ------------------ 311| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 5}, "ECGDSA/SHA-384"); 312| 1| case 0x70327: ------------------ | Branch (312:7): [True: 1, False: 14.5k] ------------------ 313| 1| return if_match(oid, {1, 3, 36, 3, 3, 2, 5, 4, 6}, "ECGDSA/SHA-512"); 314| 1| case 0x72B21: ------------------ | Branch (314:7): [True: 1, False: 14.5k] ------------------ 315| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 1, 1}, "GOST-34.10-2012-256"); 316| 1| case 0x72B22: ------------------ | Branch (316:7): [True: 1, False: 14.5k] ------------------ 317| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 1, 2}, "GOST-34.10-2012-512"); 318| 1| case 0x72BE3: ------------------ | Branch (318:7): [True: 1, False: 14.5k] ------------------ 319| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 2, 2}, "Streebog-256"); 320| 1| case 0x72BE4: ------------------ | Branch (320:7): [True: 1, False: 14.5k] ------------------ 321| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 2, 3}, "Streebog-512"); 322| 1| case 0x72CA4: ------------------ | Branch (322:7): [True: 1, False: 14.5k] ------------------ 323| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 3, 2}, "GOST-34.10-2012-256/Streebog-256"); 324| 1| case 0x72CA5: ------------------ | Branch (324:7): [True: 1, False: 14.5k] ------------------ 325| 1| return if_match(oid, {1, 2, 643, 7, 1, 1, 3, 3}, "GOST-34.10-2012-512/Streebog-512"); 326| 1| case 0x7C7C7: ------------------ | Branch (326:7): [True: 1, False: 14.5k] ------------------ 327| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 22, 1}, "PKCS9.X509Certificate"); 328| 1| case 0x7C7C8: ------------------ | Branch (328:7): [True: 1, False: 14.5k] ------------------ 329| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 22, 2}, "PKCS9.SDSICertificate"); 330| 1| case 0x7C888: ------------------ | Branch (330:7): [True: 1, False: 14.5k] ------------------ 331| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 23, 1}, "PKCS9.X509CRL"); 332| 3| case 0x7E10F: ------------------ | Branch (332:7): [True: 3, False: 14.5k] ------------------ 333| 3| return if_match(oid, {2, 5, 4, 3}, "X520.CommonName"); 334| 3| case 0x7E110: ------------------ | Branch (334:7): [True: 3, False: 14.5k] ------------------ 335| 3| return if_match(oid, {2, 5, 4, 4}, "X520.Surname"); 336| 3| case 0x7E111: ------------------ | Branch (336:7): [True: 3, False: 14.5k] ------------------ 337| 3| return if_match(oid, {2, 5, 4, 5}, "X520.SerialNumber"); 338| 3| case 0x7E112: ------------------ | Branch (338:7): [True: 3, False: 14.5k] ------------------ 339| 3| return if_match(oid, {2, 5, 4, 6}, "X520.Country"); 340| 3| case 0x7E113: ------------------ | Branch (340:7): [True: 3, False: 14.5k] ------------------ 341| 3| return if_match(oid, {2, 5, 4, 7}, "X520.Locality"); 342| 3| case 0x7E114: ------------------ | Branch (342:7): [True: 3, False: 14.5k] ------------------ 343| 3| return if_match(oid, {2, 5, 4, 8}, "X520.State"); 344| 3| case 0x7E115: ------------------ | Branch (344:7): [True: 3, False: 14.5k] ------------------ 345| 3| return if_match(oid, {2, 5, 4, 9}, "X520.StreetAddress"); 346| 3| case 0x7E116: ------------------ | Branch (346:7): [True: 3, False: 14.5k] ------------------ 347| 3| return if_match(oid, {2, 5, 4, 10}, "X520.Organization"); 348| 3| case 0x7E117: ------------------ | Branch (348:7): [True: 3, False: 14.5k] ------------------ 349| 3| return if_match(oid, {2, 5, 4, 11}, "X520.OrganizationalUnit"); 350| 5| case 0x7E118: ------------------ | Branch (350:7): [True: 5, False: 14.5k] ------------------ 351| 5| return if_match(oid, {2, 5, 4, 12}, "X520.Title"); 352| 3| case 0x7E136: ------------------ | Branch (352:7): [True: 3, False: 14.5k] ------------------ 353| 3| return if_match(oid, {2, 5, 4, 42}, "X520.GivenName"); 354| 3| case 0x7E137: ------------------ | Branch (354:7): [True: 3, False: 14.5k] ------------------ 355| 3| return if_match(oid, {2, 5, 4, 43}, "X520.Initials"); 356| 3| case 0x7E138: ------------------ | Branch (356:7): [True: 3, False: 14.5k] ------------------ 357| 3| return if_match(oid, {2, 5, 4, 44}, "X520.GenerationalQualifier"); 358| 3| case 0x7E13A: ------------------ | Branch (358:7): [True: 3, False: 14.5k] ------------------ 359| 3| return if_match(oid, {2, 5, 4, 46}, "X520.DNQualifier"); 360| 3| case 0x7E14D: ------------------ | Branch (360:7): [True: 3, False: 14.5k] ------------------ 361| 3| return if_match(oid, {2, 5, 4, 65}, "X520.Pseudonym"); 362| 3| case 0x7F3F3: ------------------ | Branch (362:7): [True: 3, False: 14.5k] ------------------ 363| 3| return if_match(oid, {2, 5, 29, 14}, "X509v3.SubjectKeyIdentifier"); 364| 3| case 0x7F3F4: ------------------ | Branch (364:7): [True: 3, False: 14.5k] ------------------ 365| 3| return if_match(oid, {2, 5, 29, 15}, "X509v3.KeyUsage"); 366| 3| case 0x7F3F5: ------------------ | Branch (366:7): [True: 3, False: 14.5k] ------------------ 367| 3| return if_match(oid, {2, 5, 29, 16}, "X509v3.PrivateKeyUsagePeriod"); 368| 3| case 0x7F3F6: ------------------ | Branch (368:7): [True: 3, False: 14.5k] ------------------ 369| 3| return if_match(oid, {2, 5, 29, 17}, "X509v3.SubjectAlternativeName"); 370| 3| case 0x7F3F7: ------------------ | Branch (370:7): [True: 3, False: 14.5k] ------------------ 371| 3| return if_match(oid, {2, 5, 29, 18}, "X509v3.IssuerAlternativeName"); 372| 3| case 0x7F3F8: ------------------ | Branch (372:7): [True: 3, False: 14.5k] ------------------ 373| 3| return if_match(oid, {2, 5, 29, 19}, "X509v3.BasicConstraints"); 374| 3| case 0x7F3F9: ------------------ | Branch (374:7): [True: 3, False: 14.5k] ------------------ 375| 3| return if_match(oid, {2, 5, 29, 20}, "X509v3.CRLNumber"); 376| 3| case 0x7F3FA: ------------------ | Branch (376:7): [True: 3, False: 14.5k] ------------------ 377| 3| return if_match(oid, {2, 5, 29, 21}, "X509v3.ReasonCode"); 378| 3| case 0x7F3FC: ------------------ | Branch (378:7): [True: 3, False: 14.5k] ------------------ 379| 3| return if_match(oid, {2, 5, 29, 23}, "X509v3.HoldInstructionCode"); 380| 3| case 0x7F3FD: ------------------ | Branch (380:7): [True: 3, False: 14.5k] ------------------ 381| 3| return if_match(oid, {2, 5, 29, 24}, "X509v3.InvalidityDate"); 382| 3| case 0x7F401: ------------------ | Branch (382:7): [True: 3, False: 14.5k] ------------------ 383| 3| return if_match(oid, {2, 5, 29, 28}, "X509v3.CRLIssuingDistributionPoint"); 384| 3| case 0x7F403: ------------------ | Branch (384:7): [True: 3, False: 14.5k] ------------------ 385| 3| return if_match(oid, {2, 5, 29, 30}, "X509v3.NameConstraints"); 386| 3| case 0x7F404: ------------------ | Branch (386:7): [True: 3, False: 14.5k] ------------------ 387| 3| return if_match(oid, {2, 5, 29, 31}, "X509v3.CRLDistributionPoints"); 388| 3| case 0x7F405: ------------------ | Branch (388:7): [True: 3, False: 14.5k] ------------------ 389| 3| return if_match(oid, {2, 5, 29, 32}, "X509v3.CertificatePolicies"); 390| 3| case 0x7F408: ------------------ | Branch (390:7): [True: 3, False: 14.5k] ------------------ 391| 3| return if_match(oid, {2, 5, 29, 35}, "X509v3.AuthorityKeyIdentifier"); 392| 3| case 0x7F409: ------------------ | Branch (392:7): [True: 3, False: 14.5k] ------------------ 393| 3| return if_match(oid, {2, 5, 29, 36}, "X509v3.PolicyConstraints"); 394| 3| case 0x7F40A: ------------------ | Branch (394:7): [True: 3, False: 14.5k] ------------------ 395| 3| return if_match(oid, {2, 5, 29, 37}, "X509v3.ExtendedKeyUsage"); 396| 3| case 0x7F41D: ------------------ | Branch (396:7): [True: 3, False: 14.5k] ------------------ 397| 3| return if_match(oid, {2, 5, 29, 56}, "X509v3.NoRevocationAvailable"); 398| 1| case 0x80B84: ------------------ | Branch (398:7): [True: 1, False: 14.5k] ------------------ 399| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 1}, "AES-128/OCB"); 400| 1| case 0x80B85: ------------------ | Branch (400:7): [True: 1, False: 14.5k] ------------------ 401| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 2}, "AES-192/OCB"); 402| 1| case 0x80B86: ------------------ | Branch (402:7): [True: 1, False: 14.5k] ------------------ 403| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 3}, "AES-256/OCB"); 404| 1| case 0x80B87: ------------------ | Branch (404:7): [True: 1, False: 14.5k] ------------------ 405| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 4}, "Serpent/OCB"); 406| 1| case 0x80B88: ------------------ | Branch (406:7): [True: 1, False: 14.5k] ------------------ 407| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 5}, "Twofish/OCB"); 408| 1| case 0x80B89: ------------------ | Branch (408:7): [True: 1, False: 14.5k] ------------------ 409| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 6}, "Camellia-128/OCB"); 410| 1| case 0x80B8A: ------------------ | Branch (410:7): [True: 1, False: 14.5k] ------------------ 411| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 7}, "Camellia-192/OCB"); 412| 1| case 0x80B8B: ------------------ | Branch (412:7): [True: 1, False: 14.5k] ------------------ 413| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2, 8}, "Camellia-256/OCB"); 414| 1| case 0x80D06: ------------------ | Branch (414:7): [True: 1, False: 14.5k] ------------------ 415| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 1}, "AES-128/SIV"); 416| 1| case 0x80D07: ------------------ | Branch (416:7): [True: 1, False: 14.5k] ------------------ 417| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 2}, "AES-192/SIV"); 418| 1| case 0x80D08: ------------------ | Branch (418:7): [True: 1, False: 14.5k] ------------------ 419| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 3}, "AES-256/SIV"); 420| 1| case 0x80D09: ------------------ | Branch (420:7): [True: 1, False: 14.5k] ------------------ 421| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 4}, "Serpent/SIV"); 422| 1| case 0x80D0A: ------------------ | Branch (422:7): [True: 1, False: 14.5k] ------------------ 423| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 5}, "Twofish/SIV"); 424| 1| case 0x80D0B: ------------------ | Branch (424:7): [True: 1, False: 14.5k] ------------------ 425| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 6}, "Camellia-128/SIV"); 426| 1| case 0x80D0C: ------------------ | Branch (426:7): [True: 1, False: 14.5k] ------------------ 427| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 7}, "Camellia-192/SIV"); 428| 1| case 0x80D0D: ------------------ | Branch (428:7): [True: 1, False: 14.5k] ------------------ 429| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 8}, "Camellia-256/SIV"); 430| 1| case 0x80D0E: ------------------ | Branch (430:7): [True: 1, False: 14.5k] ------------------ 431| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 4, 9}, "SM4/SIV"); 432| 1| case 0x84C6A: ------------------ | Branch (432:7): [True: 1, False: 14.5k] ------------------ 433| 1| return if_match(oid, {1, 2, 392, 200011, 61, 1, 1, 1, 2}, "Camellia-128/CBC"); 434| 2| case 0x84C6B: ------------------ | Branch (434:7): [True: 2, False: 14.5k] ------------------ 435| 2| return if_match(oid, {1, 2, 392, 200011, 61, 1, 1, 1, 3}, "Camellia-192/CBC"); 436| 1| case 0x84C6C: ------------------ | Branch (436:7): [True: 1, False: 14.5k] ------------------ 437| 1| return if_match(oid, {1, 2, 392, 200011, 61, 1, 1, 1, 4}, "Camellia-256/CBC"); 438| 1| case 0x88CD3: ------------------ | Branch (438:7): [True: 1, False: 14.5k] ------------------ 439| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 6}, "KeyWrap.TripleDES"); 440| 1| case 0x88CD5: ------------------ | Branch (440:7): [True: 1, False: 14.5k] ------------------ 441| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 8}, "Compression.Zlib"); 442| 1| case 0x88CDE: ------------------ | Branch (442:7): [True: 1, False: 14.5k] ------------------ 443| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 17}, "HSS-LMS"); 444| 1| case 0x88CDF: ------------------ | Branch (444:7): [True: 1, False: 14.5k] ------------------ 445| 1| return if_match(oid, {1, 2, 840, 113549, 1, 9, 16, 3, 18}, "ChaCha20Poly1305"); 446| 3| case 0x92296: ------------------ | Branch (446:7): [True: 3, False: 14.5k] ------------------ 447| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 2}, "AES-128/CBC"); 448| 3| case 0x92299: ------------------ | Branch (448:7): [True: 3, False: 14.5k] ------------------ 449| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 5}, "KeyWrap.AES-128"); 450| 3| case 0x9229A: ------------------ | Branch (450:7): [True: 3, False: 14.5k] ------------------ 451| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 6}, "AES-128/GCM"); 452| 3| case 0x9229B: ------------------ | Branch (452:7): [True: 3, False: 14.5k] ------------------ 453| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 7}, "AES-128/CCM"); 454| 3| case 0x922AA: ------------------ | Branch (454:7): [True: 3, False: 14.5k] ------------------ 455| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 22}, "AES-192/CBC"); 456| 3| case 0x922AD: ------------------ | Branch (456:7): [True: 3, False: 14.5k] ------------------ 457| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 25}, "KeyWrap.AES-192"); 458| 3| case 0x922AE: ------------------ | Branch (458:7): [True: 3, False: 14.5k] ------------------ 459| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 26}, "AES-192/GCM"); 460| 3| case 0x922AF: ------------------ | Branch (460:7): [True: 3, False: 14.5k] ------------------ 461| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 27}, "AES-192/CCM"); 462| 4| case 0x922BE: ------------------ | Branch (462:7): [True: 4, False: 14.5k] ------------------ 463| 4| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 42}, "AES-256/CBC"); 464| 3| case 0x922C1: ------------------ | Branch (464:7): [True: 3, False: 14.5k] ------------------ 465| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 45}, "KeyWrap.AES-256"); 466| 3| case 0x922C2: ------------------ | Branch (466:7): [True: 3, False: 14.5k] ------------------ 467| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 46}, "AES-256/GCM"); 468| 3| case 0x922C3: ------------------ | Branch (468:7): [True: 3, False: 14.5k] ------------------ 469| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 1, 47}, "AES-256/CCM"); 470| 3| case 0x92356: ------------------ | Branch (470:7): [True: 3, False: 14.5k] ------------------ 471| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 1}, "SHA-256"); 472| 3| case 0x92357: ------------------ | Branch (472:7): [True: 3, False: 14.5k] ------------------ 473| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 2}, "SHA-384"); 474| 3| case 0x92358: ------------------ | Branch (474:7): [True: 3, False: 14.5k] ------------------ 475| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 3}, "SHA-512"); 476| 3| case 0x92359: ------------------ | Branch (476:7): [True: 3, False: 14.5k] ------------------ 477| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 4}, "SHA-224"); 478| 3| case 0x9235B: ------------------ | Branch (478:7): [True: 3, False: 14.5k] ------------------ 479| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 6}, "SHA-512-256"); 480| 3| case 0x9235C: ------------------ | Branch (480:7): [True: 3, False: 14.5k] ------------------ 481| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 7}, "SHA-3(224)"); 482| 3| case 0x9235D: ------------------ | Branch (482:7): [True: 3, False: 14.5k] ------------------ 483| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 8}, "SHA-3(256)"); 484| 3| case 0x9235E: ------------------ | Branch (484:7): [True: 3, False: 14.5k] ------------------ 485| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 9}, "SHA-3(384)"); 486| 3| case 0x9235F: ------------------ | Branch (486:7): [True: 3, False: 14.5k] ------------------ 487| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 10}, "SHA-3(512)"); 488| 3| case 0x92360: ------------------ | Branch (488:7): [True: 3, False: 14.5k] ------------------ 489| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 11}, "SHAKE-128"); 490| 3| case 0x92361: ------------------ | Branch (490:7): [True: 3, False: 14.5k] ------------------ 491| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 2, 12}, "SHAKE-256"); 492| 4| case 0x92417: ------------------ | Branch (492:7): [True: 4, False: 14.5k] ------------------ 493| 4| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 1}, "DSA/SHA-224"); 494| 3| case 0x92418: ------------------ | Branch (494:7): [True: 3, False: 14.5k] ------------------ 495| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 2}, "DSA/SHA-256"); 496| 3| case 0x92419: ------------------ | Branch (496:7): [True: 3, False: 14.5k] ------------------ 497| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 3}, "DSA/SHA-384"); 498| 3| case 0x9241A: ------------------ | Branch (498:7): [True: 3, False: 14.5k] ------------------ 499| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 4}, "DSA/SHA-512"); 500| 3| case 0x9241B: ------------------ | Branch (500:7): [True: 3, False: 14.5k] ------------------ 501| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 5}, "DSA/SHA-3(224)"); 502| 3| case 0x9241C: ------------------ | Branch (502:7): [True: 3, False: 14.5k] ------------------ 503| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 6}, "DSA/SHA-3(256)"); 504| 4| case 0x9241D: ------------------ | Branch (504:7): [True: 4, False: 14.5k] ------------------ 505| 4| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 7}, "DSA/SHA-3(384)"); 506| 3| case 0x9241E: ------------------ | Branch (506:7): [True: 3, False: 14.5k] ------------------ 507| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 8}, "DSA/SHA-3(512)"); 508| 5| case 0x9241F: ------------------ | Branch (508:7): [True: 5, False: 14.5k] ------------------ 509| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 9}, "ECDSA/SHA-3(224)"); 510| 3| case 0x92420: ------------------ | Branch (510:7): [True: 3, False: 14.5k] ------------------ 511| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 10}, "ECDSA/SHA-3(256)"); 512| 5| case 0x92421: ------------------ | Branch (512:7): [True: 5, False: 14.5k] ------------------ 513| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 11}, "ECDSA/SHA-3(384)"); 514| 3| case 0x92422: ------------------ | Branch (514:7): [True: 3, False: 14.5k] ------------------ 515| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 12}, "ECDSA/SHA-3(512)"); 516| 7| case 0x92423: ------------------ | Branch (516:7): [True: 7, False: 14.4k] ------------------ 517| 7| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 13}, "RSA/PKCS1v15(SHA-3(224))"); 518| 49| case 0x92424: ------------------ | Branch (518:7): [True: 49, False: 14.4k] ------------------ 519| 49| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 14}, "RSA/PKCS1v15(SHA-3(256))"); 520| 6| case 0x92425: ------------------ | Branch (520:7): [True: 6, False: 14.5k] ------------------ 521| 6| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 15}, "RSA/PKCS1v15(SHA-3(384))"); 522| 3| case 0x92426: ------------------ | Branch (522:7): [True: 3, False: 14.5k] ------------------ 523| 3| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 16}, "RSA/PKCS1v15(SHA-3(512))"); 524| 47| case 0x92427: ------------------ | Branch (524:7): [True: 47, False: 14.4k] ------------------ 525| 47| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 17}, "ML-DSA-4x4"); 526| 139| case 0x92428: ------------------ | Branch (526:7): [True: 139, False: 14.3k] ------------------ 527| 139| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 18}, "ML-DSA-6x5"); 528| 76| case 0x92429: ------------------ | Branch (528:7): [True: 76, False: 14.4k] ------------------ 529| 76| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 19}, "ML-DSA-8x7"); 530| 5| case 0x9242A: ------------------ | Branch (530:7): [True: 5, False: 14.5k] ------------------ 531| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 20}, "SLH-DSA-SHA2-128s"); 532| 9| case 0x9242B: ------------------ | Branch (532:7): [True: 9, False: 14.4k] ------------------ 533| 9| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 21}, "SLH-DSA-SHA2-128f"); 534| 5| case 0x9242C: ------------------ | Branch (534:7): [True: 5, False: 14.5k] ------------------ 535| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 22}, "SLH-DSA-SHA2-192s"); 536| 9| case 0x9242D: ------------------ | Branch (536:7): [True: 9, False: 14.4k] ------------------ 537| 9| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 23}, "SLH-DSA-SHA2-192f"); 538| 5| case 0x9242E: ------------------ | Branch (538:7): [True: 5, False: 14.5k] ------------------ 539| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 24}, "SLH-DSA-SHA2-256s"); 540| 5| case 0x9242F: ------------------ | Branch (540:7): [True: 5, False: 14.5k] ------------------ 541| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 25}, "SLH-DSA-SHA2-256f"); 542| 5| case 0x92430: ------------------ | Branch (542:7): [True: 5, False: 14.5k] ------------------ 543| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 26}, "SLH-DSA-SHAKE-128s"); 544| 9| case 0x92431: ------------------ | Branch (544:7): [True: 9, False: 14.4k] ------------------ 545| 9| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 27}, "SLH-DSA-SHAKE-128f"); 546| 5| case 0x92432: ------------------ | Branch (546:7): [True: 5, False: 14.5k] ------------------ 547| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 28}, "SLH-DSA-SHAKE-192s"); 548| 6| case 0x92433: ------------------ | Branch (548:7): [True: 6, False: 14.5k] ------------------ 549| 6| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 29}, "SLH-DSA-SHAKE-192f"); 550| 5| case 0x92434: ------------------ | Branch (550:7): [True: 5, False: 14.5k] ------------------ 551| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 30}, "SLH-DSA-SHAKE-256s"); 552| 5| case 0x92435: ------------------ | Branch (552:7): [True: 5, False: 14.5k] ------------------ 553| 5| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 3, 31}, "SLH-DSA-SHAKE-256f"); 554| 28| case 0x924D8: ------------------ | Branch (554:7): [True: 28, False: 14.4k] ------------------ 555| 28| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 4, 1}, "ML-KEM-512"); 556| 46| case 0x924D9: ------------------ | Branch (556:7): [True: 46, False: 14.4k] ------------------ 557| 46| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 4, 2}, "ML-KEM-768"); 558| 43| case 0x924DA: ------------------ | Branch (558:7): [True: 43, False: 14.4k] ------------------ 559| 43| return if_match(oid, {2, 16, 840, 1, 101, 3, 4, 4, 3}, "ML-KEM-1024"); 560| 1| case 0x9479F: ------------------ | Branch (560:7): [True: 1, False: 14.5k] ------------------ 561| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 1}, "PKIX.AuthorityInformationAccess"); 562| 1| case 0x947A5: ------------------ | Branch (562:7): [True: 1, False: 14.5k] ------------------ 563| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 7}, "PKIX.IpAddrBlocks"); 564| 1| case 0x947A6: ------------------ | Branch (564:7): [True: 1, False: 14.5k] ------------------ 565| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 8}, "PKIX.AutonomousSysIds"); 566| 1| case 0x947B8: ------------------ | Branch (566:7): [True: 1, False: 14.5k] ------------------ 567| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 1, 26}, "PKIX.TNAuthList"); 568| 1| case 0x94921: ------------------ | Branch (568:7): [True: 1, False: 14.5k] ------------------ 569| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 1}, "PKIX.ServerAuth"); 570| 2| case 0x94922: ------------------ | Branch (570:7): [True: 2, False: 14.5k] ------------------ 571| 2| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 2}, "PKIX.ClientAuth"); 572| 1| case 0x94923: ------------------ | Branch (572:7): [True: 1, False: 14.5k] ------------------ 573| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 3}, "PKIX.CodeSigning"); 574| 1| case 0x94924: ------------------ | Branch (574:7): [True: 1, False: 14.5k] ------------------ 575| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 4}, "PKIX.EmailProtection"); 576| 1| case 0x94925: ------------------ | Branch (576:7): [True: 1, False: 14.5k] ------------------ 577| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 5}, "PKIX.IPsecEndSystem"); 578| 1| case 0x94926: ------------------ | Branch (578:7): [True: 1, False: 14.5k] ------------------ 579| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 6}, "PKIX.IPsecTunnel"); 580| 1| case 0x94927: ------------------ | Branch (580:7): [True: 1, False: 14.5k] ------------------ 581| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 7}, "PKIX.IPsecUser"); 582| 1| case 0x94928: ------------------ | Branch (582:7): [True: 1, False: 14.5k] ------------------ 583| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 8}, "PKIX.TimeStamping"); 584| 1| case 0x94929: ------------------ | Branch (584:7): [True: 1, False: 14.5k] ------------------ 585| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 3, 9}, "PKIX.OCSPSigning"); 586| 1| case 0x94CEA: ------------------ | Branch (586:7): [True: 1, False: 14.5k] ------------------ 587| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 8, 5}, "PKIX.XMPPAddr"); 588| 1| case 0x94CEE: ------------------ | Branch (588:7): [True: 1, False: 14.5k] ------------------ 589| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 8, 9}, "PKIX.SmtpUTF8Mailbox"); 590| 1| case 0x954DB: ------------------ | Branch (590:7): [True: 1, False: 14.5k] ------------------ 591| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 311, 20, 2, 2}, "Microsoft SmartcardLogon"); 592| 1| case 0x954DC: ------------------ | Branch (592:7): [True: 1, False: 14.5k] ------------------ 593| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 311, 20, 2, 3}, "Microsoft UPN"); 594| 1| case 0x96B0E: ------------------ | Branch (594:7): [True: 1, False: 14.5k] ------------------ 595| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 1}, "PKIX.OCSP"); 596| 1| case 0x96B0F: ------------------ | Branch (596:7): [True: 1, False: 14.5k] ------------------ 597| 1| return if_match(oid, {1, 3, 6, 1, 5, 5, 7, 48, 2}, "PKIX.CertificateAuthorityIssuers"); 598| 1| case 0x96C77: ------------------ | Branch (598:7): [True: 1, False: 14.5k] ------------------ 599| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 1, 3}, "PBE-SHA1-3DES"); 600| 1| case 0x96C78: ------------------ | Branch (600:7): [True: 1, False: 14.5k] ------------------ 601| 1| return if_match(oid, {1, 2, 840, 113549, 1, 12, 1, 4}, "PBE-SHA1-2DES"); 602| 56| case 0x9A008: ------------------ | Branch (602:7): [True: 56, False: 14.4k] ------------------ 603| 56| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 1}, "brainpool160r1"); 604| 11| case 0x9A00A: ------------------ | Branch (604:7): [True: 11, False: 14.4k] ------------------ 605| 11| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 3}, "brainpool192r1"); 606| 92| case 0x9A00C: ------------------ | Branch (606:7): [True: 92, False: 14.4k] ------------------ 607| 92| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 5}, "brainpool224r1"); 608| 179| case 0x9A00E: ------------------ | Branch (608:7): [True: 179, False: 14.3k] ------------------ 609| 179| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 7}, "brainpool256r1"); 610| 55| case 0x9A010: ------------------ | Branch (610:7): [True: 55, False: 14.4k] ------------------ 611| 55| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 9}, "brainpool320r1"); 612| 210| case 0x9A012: ------------------ | Branch (612:7): [True: 210, False: 14.2k] ------------------ 613| 210| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 11}, "brainpool384r1"); 614| 160| case 0x9A014: ------------------ | Branch (614:7): [True: 160, False: 14.3k] ------------------ 615| 160| return if_match(oid, {1, 3, 36, 3, 3, 2, 8, 1, 1, 13}, "brainpool512r1"); 616| 1| case 0xA0D61: ------------------ | Branch (616:7): [True: 1, False: 14.5k] ------------------ 617| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 3}, "McEliece"); 618| 1| case 0xA0D63: ------------------ | Branch (618:7): [True: 1, False: 14.5k] ------------------ 619| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 5}, "XMSS-draft6"); 620| 1| case 0xA0D66: ------------------ | Branch (620:7): [True: 1, False: 14.5k] ------------------ 621| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 8}, "XMSS-draft12"); 622| 1| case 0xA0D6B: ------------------ | Branch (622:7): [True: 1, False: 14.5k] ------------------ 623| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 1, 13}, "HSS-LMS-Private-Key"); 624| 1| case 0xA0EE1: ------------------ | Branch (624:7): [True: 1, False: 14.5k] ------------------ 625| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 1}, "Serpent/CBC"); 626| 1| case 0xA0EE2: ------------------ | Branch (626:7): [True: 1, False: 14.5k] ------------------ 627| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 2}, "Threefish-512/CBC"); 628| 1| case 0xA0EE3: ------------------ | Branch (628:7): [True: 1, False: 14.5k] ------------------ 629| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 3}, "Twofish/CBC"); 630| 1| case 0xA0F45: ------------------ | Branch (630:7): [True: 1, False: 14.5k] ------------------ 631| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 101}, "Serpent/GCM"); 632| 1| case 0xA0F46: ------------------ | Branch (632:7): [True: 1, False: 14.5k] ------------------ 633| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 3, 102}, "Twofish/GCM"); 634| 1| case 0xA0FA2: ------------------ | Branch (634:7): [True: 1, False: 14.5k] ------------------ 635| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 4, 1}, "numsp256d1"); 636| 1| case 0xA0FA3: ------------------ | Branch (636:7): [True: 1, False: 14.5k] ------------------ 637| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 4, 2}, "numsp384d1"); 638| 1| case 0xA0FA4: ------------------ | Branch (638:7): [True: 1, False: 14.5k] ------------------ 639| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 25258, 4, 3}, "numsp512d1"); 640| 1| case 0xA244B: ------------------ | Branch (640:7): [True: 1, False: 14.5k] ------------------ 641| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 1}, "ClassicMcEliece_348864"); 642| 1| case 0xA244C: ------------------ | Branch (642:7): [True: 1, False: 14.5k] ------------------ 643| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 2}, "ClassicMcEliece_348864f"); 644| 1| case 0xA244D: ------------------ | Branch (644:7): [True: 1, False: 14.5k] ------------------ 645| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 3}, "ClassicMcEliece_460896"); 646| 1| case 0xA244E: ------------------ | Branch (646:7): [True: 1, False: 14.5k] ------------------ 647| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 4}, "ClassicMcEliece_460896f"); 648| 1| case 0xA244F: ------------------ | Branch (648:7): [True: 1, False: 14.5k] ------------------ 649| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 5}, "ClassicMcEliece_6688128"); 650| 1| case 0xA2450: ------------------ | Branch (650:7): [True: 1, False: 14.5k] ------------------ 651| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 6}, "ClassicMcEliece_6688128f"); 652| 1| case 0xA2451: ------------------ | Branch (652:7): [True: 1, False: 14.5k] ------------------ 653| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 7}, "ClassicMcEliece_6960119"); 654| 1| case 0xA2452: ------------------ | Branch (654:7): [True: 1, False: 14.5k] ------------------ 655| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 8}, "ClassicMcEliece_6960119f"); 656| 1| case 0xA2453: ------------------ | Branch (656:7): [True: 1, False: 14.5k] ------------------ 657| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 9}, "ClassicMcEliece_8192128"); 658| 1| case 0xA2454: ------------------ | Branch (658:7): [True: 1, False: 14.5k] ------------------ 659| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 22554, 5, 1, 10}, "ClassicMcEliece_8192128f"); 660| 3| case 0xAF989: ------------------ | Branch (660:7): [True: 3, False: 14.5k] ------------------ 661| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 1}, "RSA"); 662| 3| case 0xAF98A: ------------------ | Branch (662:7): [True: 3, False: 14.5k] ------------------ 663| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 2}, "RSA/PKCS1v15(MD2)"); 664| 3| case 0xAF98C: ------------------ | Branch (664:7): [True: 3, False: 14.5k] ------------------ 665| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 4}, "RSA/PKCS1v15(MD5)"); 666| 3| case 0xAF98D: ------------------ | Branch (666:7): [True: 3, False: 14.5k] ------------------ 667| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 5}, "RSA/PKCS1v15(SHA-1)"); 668| 3| case 0xAF98F: ------------------ | Branch (668:7): [True: 3, False: 14.5k] ------------------ 669| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 7}, "RSA/OAEP"); 670| 3| case 0xAF990: ------------------ | Branch (670:7): [True: 3, False: 14.5k] ------------------ 671| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 8}, "MGF1"); 672| 3| case 0xAF992: ------------------ | Branch (672:7): [True: 3, False: 14.5k] ------------------ 673| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 10}, "RSA/PSS"); 674| 3| case 0xAF993: ------------------ | Branch (674:7): [True: 3, False: 14.5k] ------------------ 675| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 11}, "RSA/PKCS1v15(SHA-256)"); 676| 3| case 0xAF994: ------------------ | Branch (676:7): [True: 3, False: 14.5k] ------------------ 677| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 12}, "RSA/PKCS1v15(SHA-384)"); 678| 3| case 0xAF995: ------------------ | Branch (678:7): [True: 3, False: 14.5k] ------------------ 679| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 13}, "RSA/PKCS1v15(SHA-512)"); 680| 3| case 0xAF996: ------------------ | Branch (680:7): [True: 3, False: 14.5k] ------------------ 681| 3| return if_match(oid, {1, 2, 840, 113549, 1, 1, 14}, "RSA/PKCS1v15(SHA-224)"); 682| 4| case 0xAF998: ------------------ | Branch (682:7): [True: 4, False: 14.5k] ------------------ 683| 4| return if_match(oid, {1, 2, 840, 113549, 1, 1, 16}, "RSA/PKCS1v15(SHA-512-256)"); 684| 3| case 0xAFC98: ------------------ | Branch (684:7): [True: 3, False: 14.5k] ------------------ 685| 3| return if_match(oid, {1, 2, 840, 113549, 1, 5, 12}, "PKCS5.PBKDF2"); 686| 3| case 0xAFC99: ------------------ | Branch (686:7): [True: 3, False: 14.5k] ------------------ 687| 3| return if_match(oid, {1, 2, 840, 113549, 1, 5, 13}, "PBE-PKCS5v20"); 688| 3| case 0xAFE0F: ------------------ | Branch (688:7): [True: 3, False: 14.5k] ------------------ 689| 3| return if_match(oid, {1, 2, 840, 113549, 1, 7, 1}, "PKCS7.Data"); 690| 3| case 0xAFE14: ------------------ | Branch (690:7): [True: 3, False: 14.5k] ------------------ 691| 3| return if_match(oid, {1, 2, 840, 113549, 1, 7, 6}, "PKCS7.EncryptedData"); 692| 3| case 0xAFF91: ------------------ | Branch (692:7): [True: 3, False: 14.5k] ------------------ 693| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 1}, "PKCS9.EmailAddress"); 694| 3| case 0xAFF92: ------------------ | Branch (694:7): [True: 3, False: 14.5k] ------------------ 695| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 2}, "PKCS9.UnstructuredName"); 696| 3| case 0xAFF93: ------------------ | Branch (696:7): [True: 3, False: 14.5k] ------------------ 697| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 3}, "PKCS9.ContentType"); 698| 3| case 0xAFF94: ------------------ | Branch (698:7): [True: 3, False: 14.5k] ------------------ 699| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 4}, "PKCS9.MessageDigest"); 700| 3| case 0xAFF97: ------------------ | Branch (700:7): [True: 3, False: 14.5k] ------------------ 701| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 7}, "PKCS9.ChallengePassword"); 702| 3| case 0xAFF9E: ------------------ | Branch (702:7): [True: 3, False: 14.5k] ------------------ 703| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 14}, "PKCS9.ExtensionRequest"); 704| 3| case 0xAFFA4: ------------------ | Branch (704:7): [True: 3, False: 14.5k] ------------------ 705| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 20}, "PKCS9.FriendlyName"); 706| 3| case 0xAFFA5: ------------------ | Branch (706:7): [True: 3, False: 14.5k] ------------------ 707| 3| return if_match(oid, {1, 2, 840, 113549, 1, 9, 21}, "PKCS9.LocalKeyId"); 708| 1| case 0xC0226: ------------------ | Branch (708:7): [True: 1, False: 14.5k] ------------------ 709| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 11591, 4, 11}, "Scrypt"); 710| 1| case 0xC0A67: ------------------ | Branch (710:7): [True: 1, False: 14.5k] ------------------ 711| 1| return if_match(oid, {1, 3, 6, 1, 4, 1, 11591, 15, 1}, "OpenPGP.Ed25519"); 712| 3| case 0xC4CE5: ------------------ | Branch (712:7): [True: 3, False: 14.5k] ------------------ 713| 3| return if_match(oid, {1, 2, 643, 100, 1}, "GOST.OGRN"); 714| 3| case 0xC4D53: ------------------ | Branch (714:7): [True: 3, False: 14.5k] ------------------ 715| 3| return if_match(oid, {1, 2, 643, 100, 111}, "GOST.SubjectSigningTool"); 716| 3| case 0xC4D54: ------------------ | Branch (716:7): [True: 3, False: 14.5k] ------------------ 717| 3| return if_match(oid, {1, 2, 643, 100, 112}, "GOST.IssuerSigningTool"); 718| 198| case 0xC9C50: ------------------ | Branch (718:7): [True: 198, False: 14.3k] ------------------ 719| 198| return if_match(oid, {1, 2, 840, 10045, 3, 1, 1}, "secp192r1"); 720| 44| case 0xC9C51: ------------------ | Branch (720:7): [True: 44, False: 14.4k] ------------------ 721| 44| return if_match(oid, {1, 2, 840, 10045, 3, 1, 2}, "x962_p192v2"); 722| 41| case 0xC9C52: ------------------ | Branch (722:7): [True: 41, False: 14.4k] ------------------ 723| 41| return if_match(oid, {1, 2, 840, 10045, 3, 1, 3}, "x962_p192v3"); 724| 67| case 0xC9C53: ------------------ | Branch (724:7): [True: 67, False: 14.4k] ------------------ 725| 67| return if_match(oid, {1, 2, 840, 10045, 3, 1, 4}, "x962_p239v1"); 726| 76| case 0xC9C54: ------------------ | Branch (726:7): [True: 76, False: 14.4k] ------------------ 727| 76| return if_match(oid, {1, 2, 840, 10045, 3, 1, 5}, "x962_p239v2"); 728| 43| case 0xC9C55: ------------------ | Branch (728:7): [True: 43, False: 14.4k] ------------------ 729| 43| return if_match(oid, {1, 2, 840, 10045, 3, 1, 6}, "x962_p239v3"); 730| 273| case 0xC9C56: ------------------ | Branch (730:7): [True: 273, False: 14.2k] ------------------ 731| 273| return if_match(oid, {1, 2, 840, 10045, 3, 1, 7}, "secp256r1"); 732| 5| case 0xCFA13: ------------------ | Branch (732:7): [True: 5, False: 14.5k] ------------------ 733| 5| return if_match(oid, {1, 2, 840, 10040, 4, 1}, "DSA"); 734| 203| case 0xCFA15: ------------------ | Branch (734:7): [True: 203, False: 14.3k] ------------------ 735| 203| return if_match(oid, {1, 2, 840, 10040, 4, 3}, "DSA/SHA-1"); 736| 1.38k| default: ------------------ | Branch (736:7): [True: 1.38k, False: 13.1k] ------------------ 737| 1.38k| return {}; 738| 14.5k| } 739| 14.5k|} _ZN5Botan7OID_Map22lookup_static_oid_nameENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 742| 15|std::optional OID_Map::lookup_static_oid_name(std::string_view req) { 743| 15| const uint32_t hc = hash_oid_name(req); 744| | 745| 15| switch(hc) { 746| 0| case 0x00545: ------------------ | Branch (746:7): [True: 0, False: 15] ------------------ 747| 0| return if_match(req, "Twofish/GCM", {1, 3, 6, 1, 4, 1, 25258, 3, 102}); 748| 0| case 0x00CF3: ------------------ | Branch (748:7): [True: 0, False: 15] ------------------ 749| 0| return if_match(req, "SphincsPlus-sha2-192f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 4}); 750| 0| case 0x015FE: ------------------ | Branch (750:7): [True: 0, False: 15] ------------------ 751| 0| return if_match(req, "FrodoKEM-640-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 14, 1}); 752| 0| case 0x01F9E: ------------------ | Branch (752:7): [True: 0, False: 15] ------------------ 753| 0| return if_match(req, "MD5", {1, 2, 840, 113549, 2, 5}); 754| 0| case 0x02293: ------------------ | Branch (754:7): [True: 0, False: 15] ------------------ 755| 0| return if_match(req, "SphincsPlus-shake-192f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 4}); 756| 0| case 0x02B93: ------------------ | Branch (756:7): [True: 0, False: 15] ------------------ 757| 0| return if_match(req, "Microsoft SmartcardLogon", {1, 3, 6, 1, 4, 1, 311, 20, 2, 2}); 758| 0| case 0x041D5: ------------------ | Branch (758:7): [True: 0, False: 15] ------------------ 759| 0| return if_match(req, "secp160k1", {1, 3, 132, 0, 9}); 760| 0| case 0x044B3: ------------------ | Branch (760:7): [True: 0, False: 15] ------------------ 761| 0| return if_match(req, "Camellia-256/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 8}); 762| 0| case 0x048B2: ------------------ | Branch (762:7): [True: 0, False: 15] ------------------ 763| 0| return if_match(req, "secp160r1", {1, 3, 132, 0, 8}); 764| 0| case 0x048B3: ------------------ | Branch (764:7): [True: 0, False: 15] ------------------ 765| 0| return if_match(req, "secp160r2", {1, 3, 132, 0, 30}); 766| 0| case 0x05CDA: ------------------ | Branch (766:7): [True: 0, False: 15] ------------------ 767| 0| return if_match(req, "X520.Country", {2, 5, 4, 6}); 768| 0| case 0x07783: ------------------ | Branch (768:7): [True: 0, False: 15] ------------------ 769| 0| return if_match(req, "PKIX.ServerAuth", {1, 3, 6, 1, 5, 5, 7, 3, 1}); 770| 0| case 0x086C7: ------------------ | Branch (770:7): [True: 0, False: 15] ------------------ 771| 0| return if_match(req, "numsp384d1", {1, 3, 6, 1, 4, 1, 25258, 4, 2}); 772| 0| case 0x08A92: ------------------ | Branch (772:7): [True: 0, False: 15] ------------------ 773| 0| return if_match(req, "RSA/PKCS1v15(SHA-1)", {1, 2, 840, 113549, 1, 1, 5}); 774| 0| case 0x09EA0: ------------------ | Branch (774:7): [True: 0, False: 15] ------------------ 775| 0| return if_match(req, "DES/CBC", {1, 3, 14, 3, 2, 7}); 776| 0| case 0x0B2D6: ------------------ | Branch (776:7): [True: 0, False: 15] ------------------ 777| 0| return if_match(req, "ECDSA/SHA-3(512)", {2, 16, 840, 1, 101, 3, 4, 3, 12}); 778| 0| case 0x0BA72: ------------------ | Branch (778:7): [True: 0, False: 15] ------------------ 779| 0| return if_match(req, "SphincsPlus-sha2-128s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 1}); 780| 0| case 0x0BE23: ------------------ | Branch (780:7): [True: 0, False: 15] ------------------ 781| 0| return if_match(req, "ECGDSA", {1, 3, 36, 3, 3, 2, 5, 2, 1}); 782| 0| case 0x0C109: ------------------ | Branch (782:7): [True: 0, False: 15] ------------------ 783| 0| return if_match(req, "PKCS9.FriendlyName", {1, 2, 840, 113549, 1, 9, 20}); 784| 0| case 0x0D012: ------------------ | Branch (784:7): [True: 0, False: 15] ------------------ 785| 0| return if_match(req, "SphincsPlus-shake-128s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 1}); 786| 0| case 0x0DCE9: ------------------ | Branch (786:7): [True: 0, False: 15] ------------------ 787| 0| return if_match(req, "ClassicMcEliece_8192128f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 10}); 788| 0| case 0x0E52A: ------------------ | Branch (788:7): [True: 0, False: 15] ------------------ 789| 0| return if_match(req, "numsp512d1", {1, 3, 6, 1, 4, 1, 25258, 4, 3}); 790| 0| case 0x0F9CC: ------------------ | Branch (790:7): [True: 0, False: 15] ------------------ 791| 0| return if_match(req, "PKCS9.UnstructuredName", {1, 2, 840, 113549, 1, 9, 2}); 792| 0| case 0x0FF45: ------------------ | Branch (792:7): [True: 0, False: 15] ------------------ 793| 0| return if_match(req, "Camellia-256/GCM", {0, 3, 4401, 5, 3, 1, 9, 46}); 794| 0| case 0x1033D: ------------------ | Branch (794:7): [True: 0, False: 15] ------------------ 795| 0| return if_match(req, "DSA/SHA-3(384)", {2, 16, 840, 1, 101, 3, 4, 3, 7}); 796| 0| case 0x1139D: ------------------ | Branch (796:7): [True: 0, False: 15] ------------------ 797| 0| return if_match(req, "secp192k1", {1, 3, 132, 0, 31}); 798| 0| case 0x113D6: ------------------ | Branch (798:7): [True: 0, False: 15] ------------------ 799| 0| return if_match(req, "X520.DNQualifier", {2, 5, 4, 46}); 800| 0| case 0x11A7A: ------------------ | Branch (800:7): [True: 0, False: 15] ------------------ 801| 0| return if_match(req, "secp192r1", {1, 2, 840, 10045, 3, 1, 1}); 802| 0| case 0x12096: ------------------ | Branch (802:7): [True: 0, False: 15] ------------------ 803| 0| return if_match(req, "SM2_Kex", {1, 2, 156, 10197, 1, 301, 2}); 804| 0| case 0x13FC1: ------------------ | Branch (804:7): [True: 0, False: 15] ------------------ 805| 0| return if_match(req, "X520.GenerationalQualifier", {2, 5, 4, 44}); 806| 0| case 0x1445B: ------------------ | Branch (806:7): [True: 0, False: 15] ------------------ 807| 0| return if_match(req, "PKCS5.PBKDF2", {1, 2, 840, 113549, 1, 5, 12}); 808| 0| case 0x1495D: ------------------ | Branch (808:7): [True: 0, False: 15] ------------------ 809| 0| return if_match(req, "eFrodoKEM-1344-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 17, 3}); 810| 0| case 0x14E30: ------------------ | Branch (810:7): [True: 0, False: 15] ------------------ 811| 0| return if_match(req, "ClassicMcEliece_460896", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 3}); 812| 0| case 0x14FB1: ------------------ | Branch (812:7): [True: 0, False: 15] ------------------ 813| 0| return if_match(req, "XMSS-draft12", {1, 3, 6, 1, 4, 1, 25258, 1, 8}); 814| 0| case 0x156E3: ------------------ | Branch (814:7): [True: 0, False: 15] ------------------ 815| 0| return if_match(req, "Compression.Zlib", {1, 2, 840, 113549, 1, 9, 16, 3, 8}); 816| 0| case 0x1579E: ------------------ | Branch (816:7): [True: 0, False: 15] ------------------ 817| 0| return if_match(req, "Streebog-512", {1, 2, 643, 7, 1, 1, 2, 3}); 818| 0| case 0x1701A: ------------------ | Branch (818:7): [True: 0, False: 15] ------------------ 819| 0| return if_match(req, "X509v3.AnyExtendedKeyUsage", {2, 5, 29, 37, 0}); 820| 0| case 0x175EF: ------------------ | Branch (820:7): [True: 0, False: 15] ------------------ 821| 0| return if_match(req, "Kyber-1024-90s-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 11, 3}); 822| 0| case 0x17709: ------------------ | Branch (822:7): [True: 0, False: 15] ------------------ 823| 0| return if_match(req, "X520.GivenName", {2, 5, 4, 42}); 824| 0| case 0x17AD9: ------------------ | Branch (824:7): [True: 0, False: 15] ------------------ 825| 0| return if_match(req, "RSA/PKCS1v15(SM3)", {1, 2, 156, 10197, 1, 504}); 826| 1| case 0x17CE2: ------------------ | Branch (826:7): [True: 1, False: 14] ------------------ 827| 1| return if_match(req, "SLH-DSA-SHA2-256f", {2, 16, 840, 1, 101, 3, 4, 3, 25}); 828| 1| case 0x17CEF: ------------------ | Branch (828:7): [True: 1, False: 14] ------------------ 829| 1| return if_match(req, "SLH-DSA-SHA2-256s", {2, 16, 840, 1, 101, 3, 4, 3, 24}); 830| 0| case 0x18618: ------------------ | Branch (830:7): [True: 0, False: 15] ------------------ 831| 0| return if_match(req, "FrodoKEM-976-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 15, 2}); 832| 0| case 0x19480: ------------------ | Branch (832:7): [True: 0, False: 15] ------------------ 833| 0| return if_match(req, "eFrodoKEM-1344-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 16, 3}); 834| 0| case 0x1958A: ------------------ | Branch (834:7): [True: 0, False: 15] ------------------ 835| 0| return if_match(req, "X509v3.InvalidityDate", {2, 5, 29, 24}); 836| 0| case 0x19851: ------------------ | Branch (836:7): [True: 0, False: 15] ------------------ 837| 0| return if_match(req, "DSA/SHA-1", {1, 2, 840, 10040, 4, 3}); 838| 0| case 0x1B2E7: ------------------ | Branch (838:7): [True: 0, False: 15] ------------------ 839| 0| return if_match(req, "KeyWrap.AES-128", {2, 16, 840, 1, 101, 3, 4, 1, 5}); 840| 0| case 0x1B9BE: ------------------ | Branch (840:7): [True: 0, False: 15] ------------------ 841| 0| return if_match(req, "KeyWrap.AES-192", {2, 16, 840, 1, 101, 3, 4, 1, 25}); 842| 0| case 0x1D439: ------------------ | Branch (842:7): [True: 0, False: 15] ------------------ 843| 0| return if_match(req, "SphincsPlus-haraka-192f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 4}); 844| 0| case 0x2065B: ------------------ | Branch (844:7): [True: 0, False: 15] ------------------ 845| 0| return if_match(req, "KeyWrap.CAST-128", {1, 2, 840, 113533, 7, 66, 15}); 846| 0| case 0x216A0: ------------------ | Branch (846:7): [True: 0, False: 15] ------------------ 847| 0| return if_match(req, "ML-KEM-512", {2, 16, 840, 1, 101, 3, 4, 4, 1}); 848| 0| case 0x2216B: ------------------ | Branch (848:7): [True: 0, False: 15] ------------------ 849| 0| return if_match(req, "GOST-34.10-2012-512", {1, 2, 643, 7, 1, 1, 1, 2}); 850| 0| case 0x22C2C: ------------------ | Branch (850:7): [True: 0, False: 15] ------------------ 851| 0| return if_match(req, "ElGamal", {1, 3, 6, 1, 4, 1, 3029, 1, 2, 1}); 852| 0| case 0x2559A: ------------------ | Branch (852:7): [True: 0, False: 15] ------------------ 853| 0| return if_match(req, "X520.Initials", {2, 5, 4, 43}); 854| 0| case 0x271AC: ------------------ | Branch (854:7): [True: 0, False: 15] ------------------ 855| 0| return if_match(req, "PKIX.AutonomousSysIds", {1, 3, 6, 1, 5, 5, 7, 1, 8}); 856| 0| case 0x2808B: ------------------ | Branch (856:7): [True: 0, False: 15] ------------------ 857| 0| return if_match(req, "PKCS7.Data", {1, 2, 840, 113549, 1, 7, 1}); 858| 0| case 0x281B8: ------------------ | Branch (858:7): [True: 0, False: 15] ------------------ 859| 0| return if_match(req, "SphincsPlus-haraka-128s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 1}); 860| 0| case 0x29999: ------------------ | Branch (860:7): [True: 0, False: 15] ------------------ 861| 0| return if_match(req, "DSA/SHA-3(256)", {2, 16, 840, 1, 101, 3, 4, 3, 6}); 862| 0| case 0x2A83D: ------------------ | Branch (862:7): [True: 0, False: 15] ------------------ 863| 0| return if_match(req, "SHA-224", {2, 16, 840, 1, 101, 3, 4, 2, 4}); 864| 0| case 0x2AB30: ------------------ | Branch (864:7): [True: 0, False: 15] ------------------ 865| 0| return if_match(req, "SHA-256", {2, 16, 840, 1, 101, 3, 4, 2, 1}); 866| 0| case 0x2ABEF: ------------------ | Branch (866:7): [True: 0, False: 15] ------------------ 867| 0| return if_match(req, "KeyWrap.AES-256", {2, 16, 840, 1, 101, 3, 4, 1, 45}); 868| 0| case 0x2BAEF: ------------------ | Branch (868:7): [True: 0, False: 15] ------------------ 869| 0| return if_match(req, "SM2_Sig/SM3", {1, 2, 156, 10197, 1, 501}); 870| 0| case 0x2C39A: ------------------ | Branch (870:7): [True: 0, False: 15] ------------------ 871| 0| return if_match(req, "ECGDSA/RIPEMD-160", {1, 3, 36, 3, 3, 2, 5, 4, 1}); 872| 0| case 0x2C54F: ------------------ | Branch (872:7): [True: 0, False: 15] ------------------ 873| 0| return if_match(req, "ECDSA/SHA-3(224)", {2, 16, 840, 1, 101, 3, 4, 3, 9}); 874| 0| case 0x2EEA6: ------------------ | Branch (874:7): [True: 0, False: 15] ------------------ 875| 0| return if_match(req, "RSA/PKCS1v15(RIPEMD-160)", {1, 3, 36, 3, 3, 1, 2}); 876| 0| case 0x2EFBA: ------------------ | Branch (876:7): [True: 0, False: 15] ------------------ 877| 0| return if_match(req, "Kyber-512-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 7, 1}); 878| 0| case 0x2F0AD: ------------------ | Branch (878:7): [True: 0, False: 15] ------------------ 879| 0| return if_match(req, "PKCS7.EncryptedData", {1, 2, 840, 113549, 1, 7, 6}); 880| 0| case 0x2F219: ------------------ | Branch (880:7): [True: 0, False: 15] ------------------ 881| 0| return if_match(req, "PBE-SHA1-2DES", {1, 2, 840, 113549, 1, 12, 1, 4}); 882| 2| case 0x3133E: ------------------ | Branch (882:7): [True: 2, False: 13] ------------------ 883| 2| return if_match(req, "SLH-DSA-SHA2-128f", {2, 16, 840, 1, 101, 3, 4, 3, 21}); 884| 1| case 0x3134B: ------------------ | Branch (884:7): [True: 1, False: 14] ------------------ 885| 1| return if_match(req, "SLH-DSA-SHA2-128s", {2, 16, 840, 1, 101, 3, 4, 3, 20}); 886| 0| case 0x3160D: ------------------ | Branch (886:7): [True: 0, False: 15] ------------------ 887| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(224))", {2, 16, 840, 1, 101, 3, 4, 3, 13}); 888| 0| case 0x319E0: ------------------ | Branch (888:7): [True: 0, False: 15] ------------------ 889| 0| return if_match(req, "GOST-34.10-2012-256/Streebog-256", {1, 2, 643, 7, 1, 1, 3, 2}); 890| 0| case 0x31B3D: ------------------ | Branch (890:7): [True: 0, False: 15] ------------------ 891| 0| return if_match(req, "HMAC(SHA-512)", {1, 2, 840, 113549, 2, 11}); 892| 0| case 0x31C6D: ------------------ | Branch (892:7): [True: 0, False: 15] ------------------ 893| 0| return if_match(req, "secp384r1", {1, 3, 132, 0, 34}); 894| 0| case 0x32899: ------------------ | Branch (894:7): [True: 0, False: 15] ------------------ 895| 0| return if_match(req, "TripleDES/CBC", {1, 2, 840, 113549, 3, 7}); 896| 0| case 0x33C9C: ------------------ | Branch (896:7): [True: 0, False: 15] ------------------ 897| 0| return if_match(req, "PKIX.SmtpUTF8Mailbox", {1, 3, 6, 1, 5, 5, 7, 8, 9}); 898| 0| case 0x33D04: ------------------ | Branch (898:7): [True: 0, False: 15] ------------------ 899| 0| return if_match(req, "PKCS12.SecretBag", {1, 2, 840, 113549, 1, 12, 10, 1, 5}); 900| 0| case 0x3615D: ------------------ | Branch (900:7): [True: 0, False: 15] ------------------ 901| 0| return if_match(req, "FrodoKEM-976-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 14, 2}); 902| 0| case 0x361B8: ------------------ | Branch (902:7): [True: 0, False: 15] ------------------ 903| 0| return if_match(req, "Ed25519", {1, 3, 101, 112}); 904| 0| case 0x3649D: ------------------ | Branch (904:7): [True: 0, False: 15] ------------------ 905| 0| return if_match(req, "SHAKE-128", {2, 16, 840, 1, 101, 3, 4, 2, 11}); 906| 0| case 0x36693: ------------------ | Branch (906:7): [True: 0, False: 15] ------------------ 907| 0| return if_match(req, "ClassicMcEliece_348864", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 1}); 908| 0| case 0x373C7: ------------------ | Branch (908:7): [True: 0, False: 15] ------------------ 909| 0| return if_match(req, "ML-DSA-4x4", {2, 16, 840, 1, 101, 3, 4, 3, 17}); 910| 0| case 0x3750B: ------------------ | Branch (910:7): [True: 0, False: 15] ------------------ 911| 0| return if_match(req, "ClassicMcEliece_8192128", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 9}); 912| 0| case 0x39890: ------------------ | Branch (912:7): [True: 0, False: 15] ------------------ 913| 0| return if_match(req, "Ed448", {1, 3, 101, 113}); 914| 0| case 0x3A438: ------------------ | Branch (914:7): [True: 0, False: 15] ------------------ 915| 0| return if_match(req, "SHA-384", {2, 16, 840, 1, 101, 3, 4, 2, 2}); 916| 0| case 0x3A963: ------------------ | Branch (916:7): [True: 0, False: 15] ------------------ 917| 0| return if_match(req, "DH", {1, 2, 840, 10046, 2, 1}); 918| 0| case 0x3AC83: ------------------ | Branch (918:7): [True: 0, False: 15] ------------------ 919| 0| return if_match(req, "MGF1", {1, 2, 840, 113549, 1, 1, 8}); 920| 0| case 0x3ACBA: ------------------ | Branch (920:7): [True: 0, False: 15] ------------------ 921| 0| return if_match(req, "X509v3.IssuerAlternativeName", {2, 5, 29, 18}); 922| 0| case 0x3B273: ------------------ | Branch (922:7): [True: 0, False: 15] ------------------ 923| 0| return if_match(req, "KeyWrap.TripleDES", {1, 2, 840, 113549, 1, 9, 16, 3, 6}); 924| 0| case 0x3B91E: ------------------ | Branch (924:7): [True: 0, False: 15] ------------------ 925| 0| return if_match(req, "X509v3.PrivateKeyUsagePeriod", {2, 5, 29, 16}); 926| 1| case 0x3BC8A: ------------------ | Branch (926:7): [True: 1, False: 14] ------------------ 927| 1| return if_match(req, "SLH-DSA-SHAKE-192f", {2, 16, 840, 1, 101, 3, 4, 3, 29}); 928| 1| case 0x3BC97: ------------------ | Branch (928:7): [True: 1, False: 14] ------------------ 929| 1| return if_match(req, "SLH-DSA-SHAKE-192s", {2, 16, 840, 1, 101, 3, 4, 3, 28}); 930| 0| case 0x3D127: ------------------ | Branch (930:7): [True: 0, False: 15] ------------------ 931| 0| return if_match(req, "DSA", {1, 2, 840, 10040, 4, 1}); 932| 0| case 0x3E249: ------------------ | Branch (932:7): [True: 0, False: 15] ------------------ 933| 0| return if_match(req, "HSS-LMS", {1, 2, 840, 113549, 1, 9, 16, 3, 17}); 934| 0| case 0x3E7D5: ------------------ | Branch (934:7): [True: 0, False: 15] ------------------ 935| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(256))", {2, 16, 840, 1, 101, 3, 4, 3, 14}); 936| 0| case 0x3F748: ------------------ | Branch (936:7): [True: 0, False: 15] ------------------ 937| 0| return if_match(req, "GOST.OGRN", {1, 2, 643, 100, 1}); 938| 0| case 0x3F99F: ------------------ | Branch (938:7): [True: 0, False: 15] ------------------ 939| 0| return if_match(req, "X509v3.BasicConstraints", {2, 5, 29, 19}); 940| 0| case 0x40726: ------------------ | Branch (940:7): [True: 0, False: 15] ------------------ 941| 0| return if_match(req, "SHA-3(512)", {2, 16, 840, 1, 101, 3, 4, 2, 10}); 942| 0| case 0x407BF: ------------------ | Branch (942:7): [True: 0, False: 15] ------------------ 943| 0| return if_match(req, "ML-KEM-768", {2, 16, 840, 1, 101, 3, 4, 4, 2}); 944| 0| case 0x41334: ------------------ | Branch (944:7): [True: 0, False: 15] ------------------ 945| 0| return if_match(req, "ECDSA/SHA-3(384)", {2, 16, 840, 1, 101, 3, 4, 3, 11}); 946| 0| case 0x42DF3: ------------------ | Branch (946:7): [True: 0, False: 15] ------------------ 947| 0| return if_match(req, "X509v3.CRLDistributionPoints", {2, 5, 29, 31}); 948| 0| case 0x437FB: ------------------ | Branch (948:7): [True: 0, False: 15] ------------------ 949| 0| return if_match(req, "brainpool160r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 1}); 950| 0| case 0x441F5: ------------------ | Branch (950:7): [True: 0, False: 15] ------------------ 951| 0| return if_match(req, "gost_256A", {1, 2, 643, 7, 1, 2, 1, 1, 1}); 952| 0| case 0x441F6: ------------------ | Branch (952:7): [True: 0, False: 15] ------------------ 953| 0| return if_match(req, "gost_256B", {1, 2, 643, 7, 1, 2, 1, 1, 2}); 954| 0| case 0x44221: ------------------ | Branch (954:7): [True: 0, False: 15] ------------------ 955| 0| return if_match(req, "GOST-34.10-2012-512/Streebog-512", {1, 2, 643, 7, 1, 1, 3, 3}); 956| 0| case 0x44322: ------------------ | Branch (956:7): [True: 0, False: 15] ------------------ 957| 0| return if_match(req, "ClassicMcEliece_6960119pc", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 3}); 958| 0| case 0x44973: ------------------ | Branch (958:7): [True: 0, False: 15] ------------------ 959| 0| return if_match(req, "Kyber-512-90s-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 11, 1}); 960| 0| case 0x45C27: ------------------ | Branch (960:7): [True: 0, False: 15] ------------------ 961| 0| return if_match(req, "RSA/PKCS1v15(SHA-512-256)", {1, 2, 840, 113549, 1, 1, 16}); 962| 0| case 0x45C85: ------------------ | Branch (962:7): [True: 0, False: 15] ------------------ 963| 0| return if_match(req, "X509v3.ReasonCode", {2, 5, 29, 21}); 964| 0| case 0x45DA5: ------------------ | Branch (964:7): [True: 0, False: 15] ------------------ 965| 0| return if_match(req, "SHAKE-256", {2, 16, 840, 1, 101, 3, 4, 2, 12}); 966| 0| case 0x4663C: ------------------ | Branch (966:7): [True: 0, False: 15] ------------------ 967| 0| return if_match(req, "X509v3.PolicyConstraints", {2, 5, 29, 36}); 968| 0| case 0x480F7: ------------------ | Branch (968:7): [True: 0, False: 15] ------------------ 969| 0| return if_match(req, "Serpent/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 4}); 970| 0| case 0x48627: ------------------ | Branch (970:7): [True: 0, False: 15] ------------------ 971| 0| return if_match(req, "Dilithium-4x4-AES-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 10, 1}); 972| 0| case 0x48861: ------------------ | Branch (972:7): [True: 0, False: 15] ------------------ 973| 0| return if_match(req, "ChaCha20Poly1305", {1, 2, 840, 113549, 1, 9, 16, 3, 18}); 974| 0| case 0x4A292: ------------------ | Branch (974:7): [True: 0, False: 15] ------------------ 975| 0| return if_match(req, "frp256v1", {1, 2, 250, 1, 223, 101, 256, 1}); 976| 0| case 0x4A9EE: ------------------ | Branch (976:7): [True: 0, False: 15] ------------------ 977| 0| return if_match(req, "ClassicMcEliece_6960119f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 8}); 978| 0| case 0x4BF87: ------------------ | Branch (978:7): [True: 0, False: 15] ------------------ 979| 0| return if_match(req, "PKIX.TNAuthList", {1, 3, 6, 1, 5, 5, 7, 1, 26}); 980| 0| case 0x4C088: ------------------ | Branch (980:7): [True: 0, False: 15] ------------------ 981| 0| return if_match(req, "eFrodoKEM-976-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 17, 2}); 982| 0| case 0x4C513: ------------------ | Branch (982:7): [True: 0, False: 15] ------------------ 983| 0| return if_match(req, "DSA/SHA-224", {2, 16, 840, 1, 101, 3, 4, 3, 1}); 984| 0| case 0x4C806: ------------------ | Branch (984:7): [True: 0, False: 15] ------------------ 985| 0| return if_match(req, "DSA/SHA-256", {2, 16, 840, 1, 101, 3, 4, 3, 2}); 986| 0| case 0x4D740: ------------------ | Branch (986:7): [True: 0, False: 15] ------------------ 987| 0| return if_match(req, "X509v3.AnyPolicy", {2, 5, 29, 32, 0}); 988| 0| case 0x4DE49: ------------------ | Branch (988:7): [True: 0, False: 15] ------------------ 989| 0| return if_match(req, "RSA/PKCS1v15(SHA-512)", {1, 2, 840, 113549, 1, 1, 13}); 990| 0| case 0x4ED5D: ------------------ | Branch (990:7): [True: 0, False: 15] ------------------ 991| 0| return if_match(req, "CAST-128/CBC", {1, 2, 840, 113533, 7, 66, 10}); 992| 0| case 0x4FCDC: ------------------ | Branch (992:7): [True: 0, False: 15] ------------------ 993| 0| return if_match(req, "RSA", {1, 2, 840, 113549, 1, 1, 1}); 994| 0| case 0x501CB: ------------------ | Branch (994:7): [True: 0, False: 15] ------------------ 995| 0| return if_match(req, "ECDSA/SHA-224", {1, 2, 840, 10045, 4, 3, 1}); 996| 0| case 0x50395: ------------------ | Branch (996:7): [True: 0, False: 15] ------------------ 997| 0| return if_match(req, "GOST-34.10/GOST-R-34.11-94", {1, 2, 643, 2, 2, 3}); 998| 0| case 0x504BE: ------------------ | Branch (998:7): [True: 0, False: 15] ------------------ 999| 0| return if_match(req, "ECDSA/SHA-256", {1, 2, 840, 10045, 4, 3, 2}); 1000| 0| case 0x509C3: ------------------ | Branch (1000:7): [True: 0, False: 15] ------------------ 1001| 0| return if_match(req, "brainpool192r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 3}); 1002| 0| case 0x509F9: ------------------ | Branch (1002:7): [True: 0, False: 15] ------------------ 1003| 0| return if_match(req, "PKCS9.ContentType", {1, 2, 840, 113549, 1, 9, 3}); 1004| 0| case 0x50B26: ------------------ | Branch (1004:7): [True: 0, False: 15] ------------------ 1005| 0| return if_match(req, "FrodoKEM-640-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 15, 1}); 1006| 0| case 0x50D78: ------------------ | Branch (1006:7): [True: 0, False: 15] ------------------ 1007| 0| return if_match(req, "x962_p192v2", {1, 2, 840, 10045, 3, 1, 2}); 1008| 0| case 0x50D79: ------------------ | Branch (1008:7): [True: 0, False: 15] ------------------ 1009| 0| return if_match(req, "x962_p192v3", {1, 2, 840, 10045, 3, 1, 3}); 1010| 0| case 0x51DC6: ------------------ | Branch (1010:7): [True: 0, False: 15] ------------------ 1011| 0| return if_match(req, "AES-128/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 1}); 1012| 0| case 0x52DB6: ------------------ | Branch (1012:7): [True: 0, False: 15] ------------------ 1013| 0| return if_match(req, "HMAC(SHA-224)", {1, 2, 840, 113549, 2, 8}); 1014| 0| case 0x53E11: ------------------ | Branch (1014:7): [True: 0, False: 15] ------------------ 1015| 0| return if_match(req, "FrodoKEM-1344-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 14, 3}); 1016| 0| case 0x54012: ------------------ | Branch (1016:7): [True: 0, False: 15] ------------------ 1017| 0| return if_match(req, "PKIX.TimeStamping", {1, 3, 6, 1, 5, 5, 7, 3, 8}); 1018| 0| case 0x5407A: ------------------ | Branch (1018:7): [True: 0, False: 15] ------------------ 1019| 0| return if_match(req, "Serpent/CBC", {1, 3, 6, 1, 4, 1, 25258, 3, 1}); 1020| 0| case 0x5576D: ------------------ | Branch (1020:7): [True: 0, False: 15] ------------------ 1021| 0| return if_match(req, "SphincsPlus-sha2-128f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 2}); 1022| 0| case 0x55EF6: ------------------ | Branch (1022:7): [True: 0, False: 15] ------------------ 1023| 0| return if_match(req, "AES-192/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 2}); 1024| 0| case 0x55FFA: ------------------ | Branch (1024:7): [True: 0, False: 15] ------------------ 1025| 0| return if_match(req, "ML-DSA-6x5", {2, 16, 840, 1, 101, 3, 4, 3, 18}); 1026| 0| case 0x56826: ------------------ | Branch (1026:7): [True: 0, False: 15] ------------------ 1027| 0| return if_match(req, "brainpool320r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 9}); 1028| 0| case 0x56D0D: ------------------ | Branch (1028:7): [True: 0, False: 15] ------------------ 1029| 0| return if_match(req, "SphincsPlus-shake-128f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 2}); 1030| 0| case 0x57077: ------------------ | Branch (1030:7): [True: 0, False: 15] ------------------ 1031| 0| return if_match(req, "XMSS-draft6", {1, 3, 6, 1, 4, 1, 25258, 1, 5}); 1032| 0| case 0x5818B: ------------------ | Branch (1032:7): [True: 0, False: 15] ------------------ 1033| 0| return if_match(req, "ECGDSA/SHA-224", {1, 3, 36, 3, 3, 2, 5, 4, 3}); 1034| 0| case 0x5847E: ------------------ | Branch (1034:7): [True: 0, False: 15] ------------------ 1035| 0| return if_match(req, "ECGDSA/SHA-256", {1, 3, 36, 3, 3, 2, 5, 4, 4}); 1036| 0| case 0x5898B: ------------------ | Branch (1036:7): [True: 0, False: 15] ------------------ 1037| 0| return if_match(req, "SHA-512", {2, 16, 840, 1, 101, 3, 4, 2, 3}); 1038| 0| case 0x58991: ------------------ | Branch (1038:7): [True: 0, False: 15] ------------------ 1039| 0| return if_match(req, "PKIX.OCSP.NoCheck", {1, 3, 6, 1, 5, 5, 7, 48, 1, 5}); 1040| 0| case 0x59717: ------------------ | Branch (1040:7): [True: 0, False: 15] ------------------ 1041| 0| return if_match(req, "X509v3.SubjectKeyIdentifier", {2, 5, 29, 14}); 1042| 0| case 0x5A1E1: ------------------ | Branch (1042:7): [True: 0, False: 15] ------------------ 1043| 0| return if_match(req, "PKCS12.KeyBag", {1, 2, 840, 113549, 1, 12, 10, 1, 1}); 1044| 0| case 0x5A570: ------------------ | Branch (1044:7): [True: 0, False: 15] ------------------ 1045| 0| return if_match(req, "X520.CommonName", {2, 5, 4, 3}); 1046| 0| case 0x5A990: ------------------ | Branch (1046:7): [True: 0, False: 15] ------------------ 1047| 0| return if_match(req, "ECDSA/SHA-3(256)", {2, 16, 840, 1, 101, 3, 4, 3, 10}); 1048| 0| case 0x5AB0E: ------------------ | Branch (1048:7): [True: 0, False: 15] ------------------ 1049| 0| return if_match(req, "SphincsPlus-sha2-256s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 5}); 1050| 0| case 0x5AC4A: ------------------ | Branch (1050:7): [True: 0, False: 15] ------------------ 1051| 0| return if_match(req, "X520.Surname", {2, 5, 4, 4}); 1052| 0| case 0x5AF2C: ------------------ | Branch (1052:7): [True: 0, False: 15] ------------------ 1053| 0| return if_match(req, "ClassicMcEliece_8192128pc", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 5}); 1054| 0| case 0x5BC39: ------------------ | Branch (1054:7): [True: 0, False: 15] ------------------ 1055| 0| return if_match(req, "X509v3.KeyUsage", {2, 5, 29, 15}); 1056| 0| case 0x5BDDB: ------------------ | Branch (1056:7): [True: 0, False: 15] ------------------ 1057| 0| return if_match(req, "numsp256d1", {1, 3, 6, 1, 4, 1, 25258, 4, 1}); 1058| 0| case 0x5C0AE: ------------------ | Branch (1058:7): [True: 0, False: 15] ------------------ 1059| 0| return if_match(req, "SphincsPlus-shake-256s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 5}); 1060| 0| case 0x5C10E: ------------------ | Branch (1060:7): [True: 0, False: 15] ------------------ 1061| 0| return if_match(req, "DSA/SHA-384", {2, 16, 840, 1, 101, 3, 4, 3, 3}); 1062| 0| case 0x5CFE5: ------------------ | Branch (1062:7): [True: 0, False: 15] ------------------ 1063| 0| return if_match(req, "PKCS9.X509Certificate", {1, 2, 840, 113549, 1, 9, 22, 1}); 1064| 0| case 0x5D1CF: ------------------ | Branch (1064:7): [True: 0, False: 15] ------------------ 1065| 0| return if_match(req, "X520.SerialNumber", {2, 5, 4, 5}); 1066| 0| case 0x5D375: ------------------ | Branch (1066:7): [True: 0, False: 15] ------------------ 1067| 0| return if_match(req, "SM4/OCB", {1, 2, 156, 10197, 1, 104, 100}); 1068| 0| case 0x5DD49: ------------------ | Branch (1068:7): [True: 0, False: 15] ------------------ 1069| 0| return if_match(req, "AES-128/CBC", {2, 16, 840, 1, 101, 3, 4, 1, 2}); 1070| 0| case 0x5DE4E: ------------------ | Branch (1070:7): [True: 0, False: 15] ------------------ 1071| 0| return if_match(req, "AES-128/CCM", {2, 16, 840, 1, 101, 3, 4, 1, 7}); 1072| 0| case 0x5DF23: ------------------ | Branch (1072:7): [True: 0, False: 15] ------------------ 1073| 0| return if_match(req, "HMAC(SHA-512-256)", {1, 2, 840, 113549, 2, 13}); 1074| 0| case 0x5ED04: ------------------ | Branch (1074:7): [True: 0, False: 15] ------------------ 1075| 0| return if_match(req, "SM2", {1, 2, 156, 10197, 1, 301, 1}); 1076| 0| case 0x5ED05: ------------------ | Branch (1076:7): [True: 0, False: 15] ------------------ 1077| 0| return if_match(req, "SM3", {1, 2, 156, 10197, 1, 401}); 1078| 0| case 0x5FDC6: ------------------ | Branch (1078:7): [True: 0, False: 15] ------------------ 1079| 0| return if_match(req, "ECDSA/SHA-384", {1, 2, 840, 10045, 4, 3, 3}); 1080| 0| case 0x6199F: ------------------ | Branch (1080:7): [True: 0, False: 15] ------------------ 1081| 0| return if_match(req, "SHA-3(224)", {2, 16, 840, 1, 101, 3, 4, 2, 7}); 1082| 0| case 0x61E79: ------------------ | Branch (1082:7): [True: 0, False: 15] ------------------ 1083| 0| return if_match(req, "AES-192/CBC", {2, 16, 840, 1, 101, 3, 4, 1, 22}); 1084| 0| case 0x61F7E: ------------------ | Branch (1084:7): [True: 0, False: 15] ------------------ 1085| 0| return if_match(req, "AES-192/CCM", {2, 16, 840, 1, 101, 3, 4, 1, 27}); 1086| 0| case 0x64947: ------------------ | Branch (1086:7): [True: 0, False: 15] ------------------ 1087| 0| return if_match(req, "OpenPGP.Ed25519", {1, 3, 6, 1, 4, 1, 11591, 15, 1}); 1088| 0| case 0x652E7: ------------------ | Branch (1088:7): [True: 0, False: 15] ------------------ 1089| 0| return if_match(req, "sm2p256v1", {1, 2, 156, 10197, 1, 301}); 1090| 0| case 0x6697B: ------------------ | Branch (1090:7): [True: 0, False: 15] ------------------ 1091| 0| return if_match(req, "FrodoKEM-1344-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 15, 3}); 1092| 0| case 0x67B2C: ------------------ | Branch (1092:7): [True: 0, False: 15] ------------------ 1093| 0| return if_match(req, "X520.State", {2, 5, 4, 8}); 1094| 0| case 0x67B9B: ------------------ | Branch (1094:7): [True: 0, False: 15] ------------------ 1095| 0| return if_match(req, "HMAC(SHA-384)", {1, 2, 840, 113549, 2, 10}); 1096| 0| case 0x67D86: ------------------ | Branch (1096:7): [True: 0, False: 15] ------------------ 1097| 0| return if_match(req, "ECGDSA/SHA-384", {1, 3, 36, 3, 3, 2, 5, 4, 5}); 1098| 0| case 0x68A0B: ------------------ | Branch (1098:7): [True: 0, False: 15] ------------------ 1099| 0| return if_match(req, "Camellia-128/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 6}); 1100| 0| case 0x68E33: ------------------ | Branch (1100:7): [True: 0, False: 15] ------------------ 1101| 0| return if_match(req, "PKCS9.ExtensionRequest", {1, 2, 840, 113549, 1, 9, 14}); 1102| 0| case 0x69126: ------------------ | Branch (1102:7): [True: 0, False: 15] ------------------ 1103| 0| return if_match(req, "X509v3.SubjectAlternativeName", {2, 5, 29, 17}); 1104| 0| case 0x692F8: ------------------ | Branch (1104:7): [True: 0, False: 15] ------------------ 1105| 0| return if_match(req, "SM4/CBC", {1, 2, 156, 10197, 1, 104, 2}); 1106| 0| case 0x695E1: ------------------ | Branch (1106:7): [True: 0, False: 15] ------------------ 1107| 0| return if_match(req, "Dilithium-4x4-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 9, 1}); 1108| 0| case 0x696DC: ------------------ | Branch (1108:7): [True: 0, False: 15] ------------------ 1109| 0| return if_match(req, "PKIX.IpAddrBlocks", {1, 3, 6, 1, 5, 5, 7, 1, 7}); 1110| 0| case 0x6A7CA: ------------------ | Branch (1110:7): [True: 0, False: 15] ------------------ 1111| 0| return if_match(req, "ECDSA", {1, 2, 840, 10045, 2, 1}); 1112| 0| case 0x6BD26: ------------------ | Branch (1112:7): [True: 0, False: 15] ------------------ 1113| 0| return if_match(req, "GOST.INN", {1, 2, 643, 3, 131, 1, 1}); 1114| 0| case 0x6CB3B: ------------------ | Branch (1114:7): [True: 0, False: 15] ------------------ 1115| 0| return if_match(req, "Camellia-192/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 7}); 1116| 0| case 0x6E602: ------------------ | Branch (1116:7): [True: 0, False: 15] ------------------ 1117| 0| return if_match(req, "Dilithium-8x7-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 9, 3}); 1118| 0| case 0x6F0C2: ------------------ | Branch (1118:7): [True: 0, False: 15] ------------------ 1119| 0| return if_match(req, "RSA/PKCS1v15(SHA-224)", {1, 2, 840, 113549, 1, 1, 14}); 1120| 0| case 0x6F9F8: ------------------ | Branch (1120:7): [True: 0, False: 15] ------------------ 1121| 0| return if_match(req, "PKCS12.SafeContentsBag", {1, 2, 840, 113549, 1, 12, 10, 1, 6}); 1122| 0| case 0x6FB26: ------------------ | Branch (1122:7): [True: 0, False: 15] ------------------ 1123| 0| return if_match(req, "PKIX.AuthorityInformationAccess", {1, 3, 6, 1, 5, 5, 7, 1, 1}); 1124| 0| case 0x70BB6: ------------------ | Branch (1124:7): [True: 0, False: 15] ------------------ 1125| 0| return if_match(req, "brainpool384r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 11}); 1126| 0| case 0x70EA6: ------------------ | Branch (1126:7): [True: 0, False: 15] ------------------ 1127| 0| return if_match(req, "PKCS12.PKCS8ShroudedKeyBag", {1, 2, 840, 113549, 1, 12, 10, 1, 2}); 1128| 0| case 0x71EB3: ------------------ | Branch (1128:7): [True: 0, False: 15] ------------------ 1129| 0| return if_match(req, "SphincsPlus-haraka-128f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 2}); 1130| 0| case 0x7382C: ------------------ | Branch (1130:7): [True: 0, False: 15] ------------------ 1131| 0| return if_match(req, "ML-KEM-1024", {2, 16, 840, 1, 101, 3, 4, 4, 3}); 1132| 0| case 0x743BD: ------------------ | Branch (1132:7): [True: 0, False: 15] ------------------ 1133| 0| return if_match(req, "AES-256/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 3}); 1134| 0| case 0x7498E: ------------------ | Branch (1134:7): [True: 0, False: 15] ------------------ 1135| 0| return if_match(req, "Camellia-128/CBC", {1, 2, 392, 200011, 61, 1, 1, 1, 2}); 1136| 0| case 0x74C2E: ------------------ | Branch (1136:7): [True: 0, False: 15] ------------------ 1137| 0| return if_match(req, "ML-DSA-8x7", {2, 16, 840, 1, 101, 3, 4, 3, 19}); 1138| 0| case 0x7505F: ------------------ | Branch (1138:7): [True: 0, False: 15] ------------------ 1139| 0| return if_match(req, "PKIX.XMPPAddr", {1, 3, 6, 1, 5, 5, 7, 8, 5}); 1140| 0| case 0x7517A: ------------------ | Branch (1140:7): [True: 0, False: 15] ------------------ 1141| 0| return if_match(req, "RSA/PKCS1v15(MD2)", {1, 2, 840, 113549, 1, 1, 2}); 1142| 0| case 0x7546B: ------------------ | Branch (1142:7): [True: 0, False: 15] ------------------ 1143| 0| return if_match(req, "RSA/PKCS1v15(MD5)", {1, 2, 840, 113549, 1, 1, 4}); 1144| 0| case 0x75921: ------------------ | Branch (1144:7): [True: 0, False: 15] ------------------ 1145| 0| return if_match(req, "ClassicMcEliece_348864f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 2}); 1146| 0| case 0x76784: ------------------ | Branch (1146:7): [True: 0, False: 15] ------------------ 1147| 0| return if_match(req, "SHA-3(384)", {2, 16, 840, 1, 101, 3, 4, 2, 9}); 1148| 0| case 0x768FD: ------------------ | Branch (1148:7): [True: 0, False: 15] ------------------ 1149| 0| return if_match(req, "PKCS9.LocalKeyId", {1, 2, 840, 113549, 1, 9, 21}); 1150| 0| case 0x76A19: ------------------ | Branch (1150:7): [True: 0, False: 15] ------------------ 1151| 0| return if_match(req, "brainpool512r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 13}); 1152| 0| case 0x77254: ------------------ | Branch (1152:7): [True: 0, False: 15] ------------------ 1153| 0| return if_match(req, "SphincsPlus-haraka-256s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 5}); 1154| 0| case 0x77ADC: ------------------ | Branch (1154:7): [True: 0, False: 15] ------------------ 1155| 0| return if_match(req, "secp224k1", {1, 3, 132, 0, 32}); 1156| 0| case 0x781B9: ------------------ | Branch (1156:7): [True: 0, False: 15] ------------------ 1157| 0| return if_match(req, "secp224r1", {1, 3, 132, 0, 33}); 1158| 0| case 0x78ABE: ------------------ | Branch (1158:7): [True: 0, False: 15] ------------------ 1159| 0| return if_match(req, "Camellia-192/CBC", {1, 2, 392, 200011, 61, 1, 1, 1, 3}); 1160| 0| case 0x792F2: ------------------ | Branch (1160:7): [True: 0, False: 15] ------------------ 1161| 0| return if_match(req, "ClassicMcEliece_6688128pc", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 1}); 1162| 0| case 0x7A661: ------------------ | Branch (1162:7): [True: 0, False: 15] ------------------ 1163| 0| return if_match(req, "DSA/SHA-512", {2, 16, 840, 1, 101, 3, 4, 3, 4}); 1164| 0| case 0x7A977: ------------------ | Branch (1164:7): [True: 0, False: 15] ------------------ 1165| 0| return if_match(req, "X509v3.ExtendedKeyUsage", {2, 5, 29, 37}); 1166| 0| case 0x7AE67: ------------------ | Branch (1166:7): [True: 0, False: 15] ------------------ 1167| 0| return if_match(req, "SM2_Enc", {1, 2, 156, 10197, 1, 301, 3}); 1168| 0| case 0x7B602: ------------------ | Branch (1168:7): [True: 0, False: 15] ------------------ 1169| 0| return if_match(req, "Twofish/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 5}); 1170| 0| case 0x7B9A1: ------------------ | Branch (1170:7): [True: 0, False: 15] ------------------ 1171| 0| return if_match(req, "SphincsPlus-sha2-192s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 3}); 1172| 1| case 0x7BB0A: ------------------ | Branch (1172:7): [True: 1, False: 14] ------------------ 1173| 1| return if_match(req, "SLH-DSA-SHAKE-256f", {2, 16, 840, 1, 101, 3, 4, 3, 31}); 1174| 1| case 0x7BB17: ------------------ | Branch (1174:7): [True: 1, False: 14] ------------------ 1175| 1| return if_match(req, "SLH-DSA-SHAKE-256s", {2, 16, 840, 1, 101, 3, 4, 3, 30}); 1176| 0| case 0x7BCF3: ------------------ | Branch (1176:7): [True: 0, False: 15] ------------------ 1177| 0| return if_match(req, "PKIX.EmailProtection", {1, 3, 6, 1, 5, 5, 7, 3, 4}); 1178| 0| case 0x7CC2C: ------------------ | Branch (1178:7): [True: 0, False: 15] ------------------ 1179| 0| return if_match(req, "SHA-512-256", {2, 16, 840, 1, 101, 3, 4, 2, 6}); 1180| 0| case 0x7CF41: ------------------ | Branch (1180:7): [True: 0, False: 15] ------------------ 1181| 0| return if_match(req, "SphincsPlus-shake-192s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 3}); 1182| 0| case 0x7DB91: ------------------ | Branch (1182:7): [True: 0, False: 15] ------------------ 1183| 0| return if_match(req, "GOST-34.10", {1, 2, 643, 2, 2, 19}); 1184| 0| case 0x7E319: ------------------ | Branch (1184:7): [True: 0, False: 15] ------------------ 1185| 0| return if_match(req, "ECDSA/SHA-512", {1, 2, 840, 10045, 4, 3, 4}); 1186| 0| case 0x7E874: ------------------ | Branch (1186:7): [True: 0, False: 15] ------------------ 1187| 0| return if_match(req, "ClassicMcEliece_6688128f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 6}); 1188| 0| case 0x7EAAF: ------------------ | Branch (1188:7): [True: 0, False: 15] ------------------ 1189| 0| return if_match(req, "eFrodoKEM-640-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 16, 1}); 1190| 0| case 0x7F51F: ------------------ | Branch (1190:7): [True: 0, False: 15] ------------------ 1191| 0| return if_match(req, "PKIX.IPsecTunnel", {1, 3, 6, 1, 5, 5, 7, 3, 6}); 1192| 0| case 0x80272: ------------------ | Branch (1192:7): [True: 0, False: 15] ------------------ 1193| 0| return if_match(req, "X520.Organization", {2, 5, 4, 10}); 1194| 0| case 0x80340: ------------------ | Branch (1194:7): [True: 0, False: 15] ------------------ 1195| 0| return if_match(req, "AES-256/CBC", {2, 16, 840, 1, 101, 3, 4, 1, 42}); 1196| 0| case 0x80445: ------------------ | Branch (1196:7): [True: 0, False: 15] ------------------ 1197| 0| return if_match(req, "AES-256/CCM", {2, 16, 840, 1, 101, 3, 4, 1, 47}); 1198| 0| case 0x811F7: ------------------ | Branch (1198:7): [True: 0, False: 15] ------------------ 1199| 0| return if_match(req, "HMAC(SHA-256)", {1, 2, 840, 113549, 2, 9}); 1200| 0| case 0x82434: ------------------ | Branch (1200:7): [True: 0, False: 15] ------------------ 1201| 0| return if_match(req, "PKCS9.X509CRL", {1, 2, 840, 113549, 1, 9, 23, 1}); 1202| 0| case 0x82B47: ------------------ | Branch (1202:7): [True: 0, False: 15] ------------------ 1203| 0| return if_match(req, "Threefish-512/CBC", {1, 3, 6, 1, 4, 1, 25258, 3, 2}); 1204| 0| case 0x83EA7: ------------------ | Branch (1204:7): [True: 0, False: 15] ------------------ 1205| 0| return if_match(req, "RSA/PKCS1v15(SHA-384)", {1, 2, 840, 113549, 1, 1, 12}); 1206| 0| case 0x84596: ------------------ | Branch (1206:7): [True: 0, False: 15] ------------------ 1207| 0| return if_match(req, "eFrodoKEM-640-AES", {1, 3, 6, 1, 4, 1, 25258, 1, 17, 1}); 1208| 0| case 0x8469F: ------------------ | Branch (1208:7): [True: 0, False: 15] ------------------ 1209| 0| return if_match(req, "ClassicMcEliece_6960119pcf", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 4}); 1210| 0| case 0x84CA4: ------------------ | Branch (1210:7): [True: 0, False: 15] ------------------ 1211| 0| return if_match(req, "secp256k1", {1, 3, 132, 0, 10}); 1212| 0| case 0x85381: ------------------ | Branch (1212:7): [True: 0, False: 15] ------------------ 1213| 0| return if_match(req, "secp256r1", {1, 2, 840, 10045, 3, 1, 7}); 1214| 0| case 0x854FC: ------------------ | Branch (1214:7): [True: 0, False: 15] ------------------ 1215| 0| return if_match(req, "PKIX.IPsecUser", {1, 3, 6, 1, 5, 5, 7, 3, 7}); 1216| 0| case 0x85F51: ------------------ | Branch (1216:7): [True: 0, False: 15] ------------------ 1217| 0| return if_match(req, "Serpent/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 4}); 1218| 0| case 0x862D9: ------------------ | Branch (1218:7): [True: 0, False: 15] ------------------ 1219| 0| return if_match(req, "ECGDSA/SHA-512", {1, 3, 36, 3, 3, 2, 5, 4, 6}); 1220| 0| case 0x87585: ------------------ | Branch (1220:7): [True: 0, False: 15] ------------------ 1221| 0| return if_match(req, "Twofish/CBC", {1, 3, 6, 1, 4, 1, 25258, 3, 3}); 1222| 0| case 0x877D1: ------------------ | Branch (1222:7): [True: 0, False: 15] ------------------ 1223| 0| return if_match(req, "PKCS9.EmailAddress", {1, 2, 840, 113549, 1, 9, 1}); 1224| 0| case 0x87D27: ------------------ | Branch (1224:7): [True: 0, False: 15] ------------------ 1225| 0| return if_match(req, "PKIX.CertificateAuthorityIssuers", {1, 3, 6, 1, 5, 5, 7, 48, 2}); 1226| 0| case 0x87E42: ------------------ | Branch (1226:7): [True: 0, False: 15] ------------------ 1227| 0| return if_match(req, "X509v3.AuthorityKeyIdentifier", {2, 5, 29, 35}); 1228| 0| case 0x889B1: ------------------ | Branch (1228:7): [True: 0, False: 15] ------------------ 1229| 0| return if_match(req, "ECDSA/SHA-1", {1, 2, 840, 10045, 4, 1}); 1230| 0| case 0x89658: ------------------ | Branch (1230:7): [True: 0, False: 15] ------------------ 1231| 0| return if_match(req, "PBE-PKCS5v20", {1, 2, 840, 113549, 1, 5, 13}); 1232| 0| case 0x8976D: ------------------ | Branch (1232:7): [True: 0, False: 15] ------------------ 1233| 0| return if_match(req, "PKCS9.MessageDigest", {1, 2, 840, 113549, 1, 9, 4}); 1234| 0| case 0x8B002: ------------------ | Branch (1234:7): [True: 0, False: 15] ------------------ 1235| 0| return if_match(req, "Camellia-256/OCB", {1, 3, 6, 1, 4, 1, 25258, 3, 2, 8}); 1236| 0| case 0x8B935: ------------------ | Branch (1236:7): [True: 0, False: 15] ------------------ 1237| 0| return if_match(req, "ClassicMcEliece_6688128", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 5}); 1238| 0| case 0x8BB11: ------------------ | Branch (1238:7): [True: 0, False: 15] ------------------ 1239| 0| return if_match(req, "X509v3.NoRevocationAvailable", {2, 5, 29, 56}); 1240| 0| case 0x8CE3D: ------------------ | Branch (1240:7): [True: 0, False: 15] ------------------ 1241| 0| return if_match(req, "PKCS9.ChallengePassword", {1, 2, 840, 113549, 1, 9, 7}); 1242| 0| case 0x8D45C: ------------------ | Branch (1242:7): [True: 0, False: 15] ------------------ 1243| 0| return if_match(req, "ECKCDSA", {1, 0, 14888, 3, 0, 5}); 1244| 0| case 0x8E0C1: ------------------ | Branch (1244:7): [True: 0, False: 15] ------------------ 1245| 0| return if_match(req, "X509v3.CertificatePolicies", {2, 5, 29, 32}); 1246| 0| case 0x8E39A: ------------------ | Branch (1246:7): [True: 0, False: 15] ------------------ 1247| 0| return if_match(req, "HSS-LMS-Private-Key", {1, 3, 6, 1, 4, 1, 25258, 1, 13}); 1248| 0| case 0x8EC51: ------------------ | Branch (1248:7): [True: 0, False: 15] ------------------ 1249| 0| return if_match(req, "Kyber-768-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 7, 2}); 1250| 0| case 0x8F94A: ------------------ | Branch (1250:7): [True: 0, False: 15] ------------------ 1251| 0| return if_match(req, "Dilithium-6x5-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 9, 2}); 1252| 0| case 0x8FC20: ------------------ | Branch (1252:7): [True: 0, False: 15] ------------------ 1253| 0| return if_match(req, "AES-128/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 1}); 1254| 0| case 0x8FDE0: ------------------ | Branch (1254:7): [True: 0, False: 15] ------------------ 1255| 0| return if_match(req, "SHA-3(256)", {2, 16, 840, 1, 101, 3, 4, 2, 8}); 1256| 0| case 0x919E3: ------------------ | Branch (1256:7): [True: 0, False: 15] ------------------ 1257| 0| return if_match(req, "Serpent/GCM", {1, 3, 6, 1, 4, 1, 25258, 3, 101}); 1258| 0| case 0x91C1A: ------------------ | Branch (1258:7): [True: 0, False: 15] ------------------ 1259| 0| return if_match(req, "X25519", {1, 3, 101, 110}); 1260| 0| case 0x91DC4: ------------------ | Branch (1260:7): [True: 0, False: 15] ------------------ 1261| 0| return if_match(req, "McEliece", {1, 3, 6, 1, 4, 1, 25258, 1, 3}); 1262| 0| case 0x93467: ------------------ | Branch (1262:7): [True: 0, False: 15] ------------------ 1263| 0| return if_match(req, "Dilithium-6x5-AES-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 10, 2}); 1264| 0| case 0x93D50: ------------------ | Branch (1264:7): [True: 0, False: 15] ------------------ 1265| 0| return if_match(req, "AES-192/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 2}); 1266| 2| case 0x95166: ------------------ | Branch (1266:7): [True: 2, False: 13] ------------------ 1267| 2| return if_match(req, "SLH-DSA-SHAKE-128f", {2, 16, 840, 1, 101, 3, 4, 3, 27}); 1268| 1| case 0x95173: ------------------ | Branch (1268:7): [True: 1, False: 14] ------------------ 1269| 1| return if_match(req, "SLH-DSA-SHAKE-128s", {2, 16, 840, 1, 101, 3, 4, 3, 26}); 1270| 0| case 0x952D6: ------------------ | Branch (1270:7): [True: 0, False: 15] ------------------ 1271| 0| return if_match(req, "PKIX.OCSP", {1, 3, 6, 1, 5, 5, 7, 48, 1}); 1272| 0| case 0x959B9: ------------------ | Branch (1272:7): [True: 0, False: 15] ------------------ 1273| 0| return if_match(req, "PKIX.IPsecEndSystem", {1, 3, 6, 1, 5, 5, 7, 3, 5}); 1274| 0| case 0x96F85: ------------------ | Branch (1274:7): [True: 0, False: 15] ------------------ 1275| 0| return if_match(req, "Camellia-256/CBC", {1, 2, 392, 200011, 61, 1, 1, 1, 4}); 1276| 0| case 0x97D5E: ------------------ | Branch (1276:7): [True: 0, False: 15] ------------------ 1277| 0| return if_match(req, "HMAC(SHA-1)", {1, 2, 840, 113549, 2, 7}); 1278| 0| case 0x9805C: ------------------ | Branch (1278:7): [True: 0, False: 15] ------------------ 1279| 0| return if_match(req, "SEED/CBC", {1, 2, 410, 200004, 1, 4}); 1280| 0| case 0x980E7: ------------------ | Branch (1280:7): [True: 0, False: 15] ------------------ 1281| 0| return if_match(req, "SphincsPlus-haraka-192s-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 3}); 1282| 0| case 0x980F5: ------------------ | Branch (1282:7): [True: 0, False: 15] ------------------ 1283| 0| return if_match(req, "GOST.SubjectSigningTool", {1, 2, 643, 100, 111}); 1284| 0| case 0x98B03: ------------------ | Branch (1284:7): [True: 0, False: 15] ------------------ 1285| 0| return if_match(req, "XMSS", {0, 4, 0, 127, 0, 15, 1, 1, 13, 0}); 1286| 0| case 0x9A6B2: ------------------ | Branch (1286:7): [True: 0, False: 15] ------------------ 1287| 0| return if_match(req, "ECKCDSA/SHA-1", {1, 2, 410, 200004, 1, 100, 4, 3}); 1288| 0| case 0x9B1CF: ------------------ | Branch (1288:7): [True: 0, False: 15] ------------------ 1289| 0| return if_match(req, "SM4/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 9}); 1290| 0| case 0x9B6B2: ------------------ | Branch (1290:7): [True: 0, False: 15] ------------------ 1291| 0| return if_match(req, "AES-128/GCM", {2, 16, 840, 1, 101, 3, 4, 1, 6}); 1292| 0| case 0x9B6BB: ------------------ | Branch (1292:7): [True: 0, False: 15] ------------------ 1293| 0| return if_match(req, "X520.OrganizationalUnit", {2, 5, 4, 11}); 1294| 0| case 0x9B851: ------------------ | Branch (1294:7): [True: 0, False: 15] ------------------ 1295| 0| return if_match(req, "OpenPGP.Curve25519", {1, 3, 6, 1, 4, 1, 3029, 1, 5, 1}); 1296| 2| case 0x9C80B: ------------------ | Branch (1296:7): [True: 2, False: 13] ------------------ 1297| 2| return if_match(req, "SLH-DSA-SHA2-192f", {2, 16, 840, 1, 101, 3, 4, 3, 23}); 1298| 1| case 0x9C818: ------------------ | Branch (1298:7): [True: 1, False: 14] ------------------ 1299| 1| return if_match(req, "SLH-DSA-SHA2-192s", {2, 16, 840, 1, 101, 3, 4, 3, 22}); 1300| 0| case 0x9CD2B: ------------------ | Branch (1300:7): [True: 0, False: 15] ------------------ 1301| 0| return if_match(req, "Scrypt", {1, 3, 6, 1, 4, 1, 11591, 4, 11}); 1302| 0| case 0x9CDE1: ------------------ | Branch (1302:7): [True: 0, False: 15] ------------------ 1303| 0| return if_match(req, "GOST-34.10-2012-256/SHA-256", {1, 3, 6, 1, 4, 1, 25258, 1, 6, 1}); 1304| 0| case 0x9CF73: ------------------ | Branch (1304:7): [True: 0, False: 15] ------------------ 1305| 0| return if_match(req, "ClassicMcEliece_460896f", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 4}); 1306| 0| case 0x9D354: ------------------ | Branch (1306:7): [True: 0, False: 15] ------------------ 1307| 0| return if_match(req, "RIPEMD-160", {1, 3, 36, 3, 2, 1}); 1308| 0| case 0x9D503: ------------------ | Branch (1308:7): [True: 0, False: 15] ------------------ 1309| 0| return if_match(req, "RSA/PKCS1v15(SHA-256)", {1, 2, 840, 113549, 1, 1, 11}); 1310| 0| case 0x9EC88: ------------------ | Branch (1310:7): [True: 0, False: 15] ------------------ 1311| 0| return if_match(req, "DSA/SHA-3(512)", {2, 16, 840, 1, 101, 3, 4, 3, 8}); 1312| 0| case 0x9EF36: ------------------ | Branch (1312:7): [True: 0, False: 15] ------------------ 1313| 0| return if_match(req, "ClassicMcEliece_6960119", {1, 3, 6, 1, 4, 1, 22554, 5, 1, 7}); 1314| 0| case 0x9F764: ------------------ | Branch (1314:7): [True: 0, False: 15] ------------------ 1315| 0| return if_match(req, "X448", {1, 3, 101, 111}); 1316| 0| case 0x9F7E2: ------------------ | Branch (1316:7): [True: 0, False: 15] ------------------ 1317| 0| return if_match(req, "AES-192/GCM", {2, 16, 840, 1, 101, 3, 4, 1, 26}); 1318| 0| case 0x9F9C5: ------------------ | Branch (1318:7): [True: 0, False: 15] ------------------ 1319| 0| return if_match(req, "ClassicMcEliece_6688128pcf", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 2}); 1320| 0| case 0xA0805: ------------------ | Branch (1320:7): [True: 0, False: 15] ------------------ 1321| 0| return if_match(req, "PKCS9.SDSICertificate", {1, 2, 840, 113549, 1, 9, 22, 2}); 1322| 0| case 0xA2B5B: ------------------ | Branch (1322:7): [True: 0, False: 15] ------------------ 1323| 0| return if_match(req, "X509v3.CRLNumber", {2, 5, 29, 20}); 1324| 0| case 0xA3005: ------------------ | Branch (1324:7): [True: 0, False: 15] ------------------ 1325| 0| return if_match(req, "X520.Title", {2, 5, 4, 12}); 1326| 0| case 0xA323F: ------------------ | Branch (1326:7): [True: 0, False: 15] ------------------ 1327| 0| return if_match(req, "X509v3.NameConstraints", {2, 5, 29, 30}); 1328| 0| case 0xA3C55: ------------------ | Branch (1328:7): [True: 0, False: 15] ------------------ 1329| 0| return if_match(req, "X520.Pseudonym", {2, 5, 4, 65}); 1330| 0| case 0xA4809: ------------------ | Branch (1330:7): [True: 0, False: 15] ------------------ 1331| 0| return if_match(req, "SphincsPlus-sha2-256f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 2, 6}); 1332| 0| case 0xA57AF: ------------------ | Branch (1332:7): [True: 0, False: 15] ------------------ 1333| 0| return if_match(req, "secp521r1", {1, 3, 132, 0, 35}); 1334| 0| case 0xA5DA9: ------------------ | Branch (1334:7): [True: 0, False: 15] ------------------ 1335| 0| return if_match(req, "SphincsPlus-shake-256f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 1, 6}); 1336| 0| case 0xA6865: ------------------ | Branch (1336:7): [True: 0, False: 15] ------------------ 1337| 0| return if_match(req, "Camellia-128/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 6}); 1338| 0| case 0xA6C61: ------------------ | Branch (1338:7): [True: 0, False: 15] ------------------ 1339| 0| return if_match(req, "SM4/GCM", {1, 2, 156, 10197, 1, 104, 8}); 1340| 0| case 0xA8439: ------------------ | Branch (1340:7): [True: 0, False: 15] ------------------ 1341| 0| return if_match(req, "PKCS12.CertBag", {1, 2, 840, 113549, 1, 12, 10, 1, 3}); 1342| 0| case 0xA9061: ------------------ | Branch (1342:7): [True: 0, False: 15] ------------------ 1343| 0| return if_match(req, "Kyber-768-90s-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 11, 2}); 1344| 0| case 0xAA995: ------------------ | Branch (1344:7): [True: 0, False: 15] ------------------ 1345| 0| return if_match(req, "Camellia-192/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 7}); 1346| 0| case 0xAAE2B: ------------------ | Branch (1346:7): [True: 0, False: 15] ------------------ 1347| 0| return if_match(req, "Dilithium-8x7-AES-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 10, 3}); 1348| 0| case 0xABCED: ------------------ | Branch (1348:7): [True: 0, False: 15] ------------------ 1349| 0| return if_match(req, "GOST.IssuerSigningTool", {1, 2, 643, 100, 112}); 1350| 0| case 0xABD24: ------------------ | Branch (1350:7): [True: 0, False: 15] ------------------ 1351| 0| return if_match(req, "RSA/OAEP", {1, 2, 840, 113549, 1, 1, 7}); 1352| 0| case 0xAC2EC: ------------------ | Branch (1352:7): [True: 0, False: 15] ------------------ 1353| 0| return if_match(req, "Streebog-256", {1, 2, 643, 7, 1, 1, 2, 2}); 1354| 0| case 0xAC3DD: ------------------ | Branch (1354:7): [True: 0, False: 15] ------------------ 1355| 0| return if_match(req, "Certificate Comment", {2, 16, 840, 1, 113730, 1, 13}); 1356| 0| case 0xAC511: ------------------ | Branch (1356:7): [True: 0, False: 15] ------------------ 1357| 0| return if_match(req, "PBE-SHA1-3DES", {1, 2, 840, 113549, 1, 12, 1, 3}); 1358| 0| case 0xAE6FE: ------------------ | Branch (1358:7): [True: 0, False: 15] ------------------ 1359| 0| return if_match(req, "PKIX.ClientAuth", {1, 3, 6, 1, 5, 5, 7, 3, 2}); 1360| 0| case 0xAE8D3: ------------------ | Branch (1360:7): [True: 0, False: 15] ------------------ 1361| 0| return if_match(req, "ClassicMcEliece_8192128pcf", {1, 3, 6, 1, 4, 1, 25258, 1, 18, 6}); 1362| 0| case 0xAF476: ------------------ | Branch (1362:7): [True: 0, False: 15] ------------------ 1363| 0| return if_match(req, "ECDH", {1, 3, 132, 1, 12}); 1364| 0| case 0xAFA6A: ------------------ | Branch (1364:7): [True: 0, False: 15] ------------------ 1365| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(384))", {2, 16, 840, 1, 101, 3, 4, 3, 15}); 1366| 0| case 0xB2217: ------------------ | Branch (1366:7): [True: 0, False: 15] ------------------ 1367| 0| return if_match(req, "AES-256/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 3}); 1368| 0| case 0xB22F7: ------------------ | Branch (1368:7): [True: 0, False: 15] ------------------ 1369| 0| return if_match(req, "Camellia-128/GCM", {0, 3, 4401, 5, 3, 1, 9, 6}); 1370| 0| case 0xB23DE: ------------------ | Branch (1370:7): [True: 0, False: 15] ------------------ 1371| 0| return if_match(req, "X520.Locality", {2, 5, 4, 7}); 1372| 0| case 0xB2FBD: ------------------ | Branch (1372:7): [True: 0, False: 15] ------------------ 1373| 0| return if_match(req, "ECKCDSA/SHA-224", {1, 2, 410, 200004, 1, 100, 4, 4}); 1374| 0| case 0xB32B0: ------------------ | Branch (1374:7): [True: 0, False: 15] ------------------ 1375| 0| return if_match(req, "ECKCDSA/SHA-256", {1, 2, 410, 200004, 1, 100, 4, 5}); 1376| 0| case 0xB360E: ------------------ | Branch (1376:7): [True: 0, False: 15] ------------------ 1377| 0| return if_match(req, "eFrodoKEM-976-SHAKE", {1, 3, 6, 1, 4, 1, 25258, 1, 16, 2}); 1378| 0| case 0xB4368: ------------------ | Branch (1378:7): [True: 0, False: 15] ------------------ 1379| 0| return if_match(req, "ECGDSA/SHA-1", {1, 3, 36, 3, 3, 2, 5, 4, 2}); 1380| 0| case 0xB58CD: ------------------ | Branch (1380:7): [True: 0, False: 15] ------------------ 1381| 0| return if_match(req, "RSA/PKCS1v15(SHA-3(512))", {2, 16, 840, 1, 101, 3, 4, 3, 16}); 1382| 0| case 0xB6427: ------------------ | Branch (1382:7): [True: 0, False: 15] ------------------ 1383| 0| return if_match(req, "Camellia-192/GCM", {0, 3, 4401, 5, 3, 1, 9, 26}); 1384| 0| case 0xB7102: ------------------ | Branch (1384:7): [True: 0, False: 15] ------------------ 1385| 0| return if_match(req, "brainpool224r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 5}); 1386| 0| case 0xB710D: ------------------ | Branch (1386:7): [True: 0, False: 15] ------------------ 1387| 0| return if_match(req, "X509v3.CRLIssuingDistributionPoint", {2, 5, 29, 28}); 1388| 0| case 0xB72D4: ------------------ | Branch (1388:7): [True: 0, False: 15] ------------------ 1389| 0| return if_match(req, "Microsoft UPN", {1, 3, 6, 1, 4, 1, 311, 20, 2, 3}); 1390| 0| case 0xB73A5: ------------------ | Branch (1390:7): [True: 0, False: 15] ------------------ 1391| 0| return if_match(req, "RSA/PSS", {1, 2, 840, 113549, 1, 1, 10}); 1392| 0| case 0xB84B3: ------------------ | Branch (1392:7): [True: 0, False: 15] ------------------ 1393| 0| return if_match(req, "PKIX.CodeSigning", {1, 3, 6, 1, 5, 5, 7, 3, 3}); 1394| 0| case 0xB8CB9: ------------------ | Branch (1394:7): [True: 0, False: 15] ------------------ 1395| 0| return if_match(req, "GOST-34.10-2012-256", {1, 2, 643, 7, 1, 1, 1, 1}); 1396| 0| case 0xB945C: ------------------ | Branch (1396:7): [True: 0, False: 15] ------------------ 1397| 0| return if_match(req, "Twofish/SIV", {1, 3, 6, 1, 4, 1, 25258, 3, 4, 5}); 1398| 0| case 0xB94E4: ------------------ | Branch (1398:7): [True: 0, False: 15] ------------------ 1399| 0| return if_match(req, "gost_512A", {1, 2, 643, 7, 1, 2, 1, 2, 1}); 1400| 0| case 0xB94E5: ------------------ | Branch (1400:7): [True: 0, False: 15] ------------------ 1401| 0| return if_match(req, "gost_512B", {1, 2, 643, 7, 1, 2, 1, 2, 2}); 1402| 0| case 0xBA1D8: ------------------ | Branch (1402:7): [True: 0, False: 15] ------------------ 1403| 0| return if_match(req, "X520.StreetAddress", {2, 5, 4, 9}); 1404| 0| case 0xBCB45: ------------------ | Branch (1404:7): [True: 0, False: 15] ------------------ 1405| 0| return if_match(req, "PKCS12.CRLBag", {1, 2, 840, 113549, 1, 12, 10, 1, 4}); 1406| 0| case 0xBCC82: ------------------ | Branch (1406:7): [True: 0, False: 15] ------------------ 1407| 0| return if_match(req, "x962_p239v1", {1, 2, 840, 10045, 3, 1, 4}); 1408| 0| case 0xBCC83: ------------------ | Branch (1408:7): [True: 0, False: 15] ------------------ 1409| 0| return if_match(req, "x962_p239v2", {1, 2, 840, 10045, 3, 1, 5}); 1410| 0| case 0xBCC84: ------------------ | Branch (1410:7): [True: 0, False: 15] ------------------ 1411| 0| return if_match(req, "x962_p239v3", {1, 2, 840, 10045, 3, 1, 6}); 1412| 0| case 0xBD92B: ------------------ | Branch (1412:7): [True: 0, False: 15] ------------------ 1413| 0| return if_match(req, "X509v3.HoldInstructionCode", {2, 5, 29, 23}); 1414| 0| case 0xBDCA9: ------------------ | Branch (1414:7): [True: 0, False: 15] ------------------ 1415| 0| return if_match(req, "AES-256/GCM", {2, 16, 840, 1, 101, 3, 4, 1, 46}); 1416| 0| case 0xBE48D: ------------------ | Branch (1416:7): [True: 0, False: 15] ------------------ 1417| 0| return if_match(req, "PKIX.OCSP.BasicResponse", {1, 3, 6, 1, 5, 5, 7, 48, 1, 1}); 1418| 0| case 0xBF71E: ------------------ | Branch (1418:7): [True: 0, False: 15] ------------------ 1419| 0| return if_match(req, "Kyber-1024-r3", {1, 3, 6, 1, 4, 1, 25258, 1, 7, 3}); 1420| 0| case 0xBFF01: ------------------ | Branch (1420:7): [True: 0, False: 15] ------------------ 1421| 0| return if_match(req, "DSA/SHA-3(224)", {2, 16, 840, 1, 101, 3, 4, 3, 5}); 1422| 0| case 0xC0F4F: ------------------ | Branch (1422:7): [True: 0, False: 15] ------------------ 1423| 0| return if_match(req, "SphincsPlus-haraka-256f-r3.1", {1, 3, 6, 1, 4, 1, 25258, 1, 12, 3, 6}); 1424| 0| case 0xC1875: ------------------ | Branch (1424:7): [True: 0, False: 15] ------------------ 1425| 0| return if_match(req, "SHA-1", {1, 3, 14, 3, 2, 26}); 1426| 0| case 0xC28D1: ------------------ | Branch (1426:7): [True: 0, False: 15] ------------------ 1427| 0| return if_match(req, "PKIX.OCSPSigning", {1, 3, 6, 1, 5, 5, 7, 3, 9}); 1428| 0| case 0xC42CA: ------------------ | Branch (1428:7): [True: 0, False: 15] ------------------ 1429| 0| return if_match(req, "brainpool256r1", {1, 3, 36, 3, 3, 2, 8, 1, 1, 7}); 1430| 0| default: ------------------ | Branch (1430:7): [True: 0, False: 15] ------------------ 1431| 0| return {}; 1432| 15| } 1433| 15|} _ZN5Botan7OID_Map16load_oid2str_mapEv: 1435| 1|std::unordered_map OID_Map::load_oid2str_map() { 1436| 1| return { 1437| 1| {OID{2, 5, 8, 1, 1}, "RSA"}, 1438| 1| {OID{1, 3, 6, 1, 4, 1, 8301, 3, 1, 2, 9, 0, 38}, "secp521r1"}, 1439| 1| {OID{1, 2, 643, 2, 2, 35, 1}, "gost_256A"}, 1440| 1| {OID{1, 2, 643, 2, 2, 36, 0}, "gost_256A"}, 1441| 1| }; 1442| 1|} _ZN5Botan7OID_Map16load_str2oid_mapEv: 1444| 1|std::unordered_map OID_Map::load_str2oid_map() { 1445| 1| return { 1446| 1| {"Curve25519", OID{1, 3, 101, 110}}, 1447| 1| {"SM2_Sig", OID{1, 2, 156, 10197, 1, 301, 1}}, 1448| 1| {"RSA/EMSA3(MD2)", OID{1, 2, 840, 113549, 1, 1, 2}}, 1449| 1| {"RSA/EMSA3(MD5)", OID{1, 2, 840, 113549, 1, 1, 4}}, 1450| 1| {"RSA/EMSA3(SHA-1)", OID{1, 2, 840, 113549, 1, 1, 5}}, 1451| 1| {"RSA/EMSA3(SHA-256)", OID{1, 2, 840, 113549, 1, 1, 11}}, 1452| 1| {"RSA/EMSA3(SHA-384)", OID{1, 2, 840, 113549, 1, 1, 12}}, 1453| 1| {"RSA/EMSA3(SHA-512)", OID{1, 2, 840, 113549, 1, 1, 13}}, 1454| 1| {"RSA/EMSA3(SHA-224)", OID{1, 2, 840, 113549, 1, 1, 14}}, 1455| 1| {"RSA/EMSA3(SHA-512-256)", OID{1, 2, 840, 113549, 1, 1, 16}}, 1456| 1| {"RSA/EMSA3(SHA-3(224))", OID{2, 16, 840, 1, 101, 3, 4, 3, 13}}, 1457| 1| {"RSA/EMSA3(SHA-3(256))", OID{2, 16, 840, 1, 101, 3, 4, 3, 14}}, 1458| 1| {"RSA/EMSA3(SHA-3(384))", OID{2, 16, 840, 1, 101, 3, 4, 3, 15}}, 1459| 1| {"RSA/EMSA3(SHA-3(512))", OID{2, 16, 840, 1, 101, 3, 4, 3, 16}}, 1460| 1| {"RSA/EMSA3(SM3)", OID{1, 2, 156, 10197, 1, 504}}, 1461| 1| {"RSA/EMSA3(RIPEMD-160)", OID{1, 3, 36, 3, 3, 1, 2}}, 1462| 1| {"RSA/EMSA4", OID{1, 2, 840, 113549, 1, 1, 10}}, 1463| 1| {"PBES2", OID{1, 2, 840, 113549, 1, 5, 13}}, 1464| 1| }; 1465| 1|} static_oids.cpp:_ZN5Botan12_GLOBAL__N_18if_matchERKNS_3OIDESt16initializer_listIjENSt3__117basic_string_viewIcNS6_11char_traitsIcEEEE: 18| 13.1k|std::optional if_match(const OID& oid, std::initializer_list val, std::string_view name) { 19| 13.1k| if(oid.matches(val)) { ------------------ | Branch (19:7): [True: 12.7k, False: 353] ------------------ 20| 12.7k| return name; 21| 12.7k| } else { 22| 353| return {}; 23| 353| } 24| 13.1k|} static_oids.cpp:_ZN5Botan12_GLOBAL__N_113hash_oid_nameENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 34| 15|uint32_t hash_oid_name(std::string_view s) { 35| 15| uint64_t hash = 0x8188B31879A4879A; 36| | 37| 262| for(const char c : s) { ------------------ | Branch (37:21): [True: 262, False: 15] ------------------ 38| 262| hash *= 251; 39| 262| hash += c; 40| 262| } 41| | 42| 15| return static_cast(hash % 805289); 43| 15|} static_oids.cpp:_ZN5Botan12_GLOBAL__N_18if_matchENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_St16initializer_listIjE: 26| 15|std::optional if_match(std::string_view req, std::string_view actual, std::initializer_list oid) { 27| 15| if(req == actual) { ------------------ | Branch (27:7): [True: 15, False: 0] ------------------ 28| 15| return OID(oid); 29| 15| } else { 30| 0| return {}; 31| 0| } 32| 15|} _ZN5Botan13base64_decodeEPKcmb: 187| 124|secure_vector base64_decode(const char input[], size_t input_length, bool ignore_ws) { 188| 124| return base_decode_to_vec>(Base64(), input, input_length, ignore_ws); 189| 124|} base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6417decode_max_outputEm: 42| 248| static constexpr size_t decode_max_output(size_t input_length) { 43| 248| return (round_up(input_length, m_encoding_bytes_out) * m_encoding_bytes_in) / m_encoding_bytes_out; 44| 248| } base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6419lookup_binary_valueEc: 110| 39.4k|uint8_t Base64::lookup_binary_value(char input) noexcept { 111| 39.4k| auto has_zero_byte = [](uint64_t v) { return ((v - 0x0101010101010101) & ~(v) & 0x8080808080808080); }; 112| | 113| | // Assumes each byte is either 0x00 or 0x80 114| 39.4k| auto index_of_first_set_byte = [](uint64_t v) { 115| 39.4k| return ((((v - 1) & 0x0101010101010101) * 0x0101010101010101) >> 56) - 1; 116| 39.4k| }; 117| | 118| 39.4k| constexpr uint64_t lo = 0x0101010101010101; 119| | 120| 39.4k| const uint8_t x = static_cast(input); 121| | 122| 39.4k| const uint64_t x8 = x * lo; 123| | 124| | // Defines the valid ASCII ranges of base64, except the special chars (below) 125| 39.4k| constexpr uint64_t val_l = make_uint64(0, 0, 0, 0, 0, 'A', 'a', '0'); 126| 39.4k| constexpr uint64_t val_u = make_uint64(0, 0, 0, 0, 0, 26, 26, 10); 127| | 128| | // If x is in one of the ranges return a mask. Otherwise we xor in at the 129| | // high word which will be our invalid marker 130| 39.4k| auto v_mask = swar_in_range(x8, val_l, val_u) ^ 0x80000000; 131| | 132| | // This is the offset added to x to get the value 133| 39.4k| const uint64_t val_v = 0xbfb904 ^ (0xFF000000 - (x << 24)); 134| | 135| 39.4k| const uint8_t z = x + static_cast(val_v >> (8 * index_of_first_set_byte(v_mask))); 136| | 137| | // Valid base64 special characters, and some whitespace chars 138| 39.4k| constexpr uint64_t specials_i = make_uint64(0, '+', '/', '=', ' ', '\n', '\t', '\r'); 139| | 140| 39.4k| const uint64_t specials_v = 0x3e3f8180808080 ^ (static_cast(z) << 56); 141| | 142| 39.4k| const uint64_t smask = has_zero_byte(x8 ^ specials_i) ^ 0x8000000000000000; 143| | 144| 39.4k| return static_cast(specials_v >> (8 * index_of_first_set_byte(smask))); 145| 39.4k|} base64.cpp:_ZZN5Botan12_GLOBAL__N_16Base6419lookup_binary_valueEcENK3$_0clEm: 114| 78.8k| auto index_of_first_set_byte = [](uint64_t v) { 115| 78.8k| return ((((v - 1) & 0x0101010101010101) * 0x0101010101010101) >> 56) - 1; 116| 78.8k| }; base64.cpp:_ZZN5Botan12_GLOBAL__N_16Base6419lookup_binary_valueEcENK3$_1clEm: 111| 39.4k| auto has_zero_byte = [](uint64_t v) { return ((v - 0x0101010101010101) & ~(v) & 0x8080808080808080); }; base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6414check_bad_charEhcb: 148| 31.8k|bool Base64::check_bad_char(uint8_t bin, char input, bool ignore_ws) { 149| 31.8k| if(bin <= 0x3F) { ------------------ | Branch (149:7): [True: 1.55k, False: 30.2k] ------------------ 150| 1.55k| return true; 151| 30.2k| } else if(!(bin == 0x81 || (bin == 0x80 && ignore_ws))) { ------------------ | Branch (151:16): [True: 868, False: 29.3k] | Branch (151:32): [True: 29.3k, False: 34] | Branch (151:47): [True: 29.3k, False: 0] ------------------ 152| 34| throw Invalid_Argument(fmt("base64_decode: invalid character '{}'", format_char_for_display(input))); 153| 34| } 154| 30.2k| return false; 155| 31.8k|} base64.cpp:_ZN5Botan12_GLOBAL__N_16Base646decodeEPhPKh: 52| 402| static void decode(uint8_t* out_ptr, const uint8_t decode_buf[4]) { 53| 402| out_ptr[0] = (decode_buf[0] << 2) | (decode_buf[1] >> 4); 54| 402| out_ptr[1] = (decode_buf[1] << 4) | (decode_buf[2] >> 2); 55| 402| out_ptr[2] = (decode_buf[2] << 6) | decode_buf[3]; 56| 402| } base64.cpp:_ZN5Botan12_GLOBAL__N_16Base6415bytes_to_removeEm: 58| 90| static size_t bytes_to_remove(size_t final_truncate) { return final_truncate; } base64.cpp:_ZN5Botan12_GLOBAL__N_16Base644nameEv: 24| 21| static std::string name() noexcept { return "base64"; } _ZN5Botan10hex_decodeEPhPKcmRmb: 72| 21.2k|size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t& input_consumed, bool ignore_ws) { 73| 21.2k| uint8_t* out_ptr = output; 74| 21.2k| bool top_nibble = true; 75| | 76| 21.2k| clear_mem(output, input_length / 2); 77| | 78| 1.30M| for(size_t i = 0; i != input_length; ++i) { ------------------ | Branch (78:22): [True: 1.28M, False: 21.2k] ------------------ 79| 1.28M| const uint8_t bin = hex_char_to_bin(input[i]); 80| | 81| 1.28M| if(bin >= 0x10) { ------------------ | Branch (81:10): [True: 0, False: 1.28M] ------------------ 82| 0| if(bin == 0x80 && ignore_ws) { ------------------ | Branch (82:13): [True: 0, False: 0] | Branch (82:28): [True: 0, False: 0] ------------------ 83| 0| continue; 84| 0| } 85| | 86| 0| throw Invalid_Argument(fmt("hex_decode: invalid character '{}'", format_char_for_display(input[i]))); 87| 0| } 88| | 89| 1.28M| if(top_nibble) { ------------------ | Branch (89:10): [True: 642k, False: 642k] ------------------ 90| 642k| *out_ptr |= bin << 4; 91| 642k| } else { 92| 642k| *out_ptr |= bin; 93| 642k| } 94| | 95| 1.28M| top_nibble = !top_nibble; 96| 1.28M| if(top_nibble) { ------------------ | Branch (96:10): [True: 642k, False: 642k] ------------------ 97| 642k| ++out_ptr; 98| 642k| } 99| 1.28M| } 100| | 101| 21.2k| input_consumed = input_length; 102| 21.2k| const size_t written = (out_ptr - output); 103| | 104| | /* 105| | * We only got half of a uint8_t at the end; zap the half-written 106| | * output and mark it as unread 107| | */ 108| 21.2k| if(!top_nibble) { ------------------ | Branch (108:7): [True: 0, False: 21.2k] ------------------ 109| 0| *out_ptr = 0; 110| 0| input_consumed -= 1; 111| 0| } 112| | 113| 21.2k| return written; 114| 21.2k|} _ZN5Botan10hex_decodeEPhPKcmb: 116| 21.2k|size_t hex_decode(uint8_t output[], const char input[], size_t input_length, bool ignore_ws) { 117| 21.2k| size_t consumed = 0; 118| 21.2k| const size_t written = hex_decode(output, input, input_length, consumed, ignore_ws); 119| | 120| 21.2k| if(consumed != input_length) { ------------------ | Branch (120:7): [True: 0, False: 21.2k] ------------------ 121| 0| throw Invalid_Argument("hex_decode: input did not have full bytes"); 122| 0| } 123| | 124| 21.2k| return written; 125| 21.2k|} _ZN5Botan17hex_decode_lockedEPKcmb: 135| 21.2k|secure_vector hex_decode_locked(const char input[], size_t input_length, bool ignore_ws) { 136| 21.2k| secure_vector bin(1 + input_length / 2); 137| | 138| 21.2k| const size_t written = hex_decode(bin.data(), input, input_length, ignore_ws); 139| | 140| 21.2k| bin.resize(written); 141| 21.2k| return bin; 142| 21.2k|} _ZN5Botan17hex_decode_lockedENSt3__117basic_string_viewIcNS0_11char_traitsIcEEEEb: 144| 14.3k|secure_vector hex_decode_locked(std::string_view input, bool ignore_ws) { 145| 14.3k| return hex_decode_locked(input.data(), input.size(), ignore_ws); 146| 14.3k|} hex.cpp:_ZN5Botan12_GLOBAL__N_115hex_char_to_binEc: 54| 1.28M|uint8_t hex_char_to_bin(char input) { 55| | // Starts of valid value ranges (v_lo) and their lengths (v_range) 56| 1.28M| constexpr uint64_t v_lo = make_uint64(0, '0', 'a', 'A', ' ', '\n', '\t', '\r'); 57| 1.28M| constexpr uint64_t v_range = make_uint64(0, 10, 6, 6, 1, 1, 1, 1); 58| | 59| 1.28M| const uint8_t x = static_cast(input); 60| 1.28M| const uint64_t x8 = x * 0x0101010101010101; 61| | 62| 1.28M| const uint64_t v_mask = swar_in_range(x8, v_lo, v_range) ^ 0x8000000000000000; 63| | 64| | // This is the offset added to x to get the value we need 65| 1.28M| const uint64_t val_v = 0xd0a9c960767773 ^ static_cast(0xFF - x) << 56; 66| | 67| 1.28M| return x + static_cast(val_v >> (8 * index_of_first_set_byte(v_mask))); 68| 1.28M|} _ZN5Botan12HashFunction6createENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 111| 62|std::unique_ptr HashFunction::create(std::string_view algo_spec, std::string_view provider) { 112| |#if defined(BOTAN_HAS_COMMONCRYPTO) 113| | if(provider.empty() || provider == "commoncrypto") { 114| | if(auto hash = make_commoncrypto_hash(algo_spec)) 115| | return hash; 116| | 117| | if(!provider.empty()) 118| | return nullptr; 119| | } 120| |#endif 121| | 122| 62| if(provider.empty() == false && provider != "base") { ------------------ | Branch (122:7): [True: 0, False: 62] | Branch (122:36): [True: 0, False: 0] ------------------ 123| 0| return nullptr; // unknown provider 124| 0| } 125| | 126| 62|#if defined(BOTAN_HAS_SHA1) 127| 62| if(algo_spec == "SHA-1") { ------------------ | Branch (127:7): [True: 0, False: 62] ------------------ 128| 0| return std::make_unique(); 129| 0| } 130| 62|#endif 131| | 132| 62|#if defined(BOTAN_HAS_SHA2_32) 133| 62| if(algo_spec == "SHA-224") { ------------------ | Branch (133:7): [True: 0, False: 62] ------------------ 134| 0| return std::make_unique(); 135| 0| } 136| | 137| 62| if(algo_spec == "SHA-256") { ------------------ | Branch (137:7): [True: 0, False: 62] ------------------ 138| 0| return std::make_unique(); 139| 0| } 140| 62|#endif 141| | 142| 62|#if defined(BOTAN_HAS_SHA2_64) 143| 62| if(algo_spec == "SHA-384") { ------------------ | Branch (143:7): [True: 0, False: 62] ------------------ 144| 0| return std::make_unique(); 145| 0| } 146| | 147| 62| if(algo_spec == "SHA-512") { ------------------ | Branch (147:7): [True: 2, False: 60] ------------------ 148| 2| return std::make_unique(); 149| 2| } 150| | 151| 60| if(algo_spec == "SHA-512-256") { ------------------ | Branch (151:7): [True: 0, False: 60] ------------------ 152| 0| return std::make_unique(); 153| 0| } 154| 60|#endif 155| | 156| 60|#if defined(BOTAN_HAS_RIPEMD_160) 157| 60| if(algo_spec == "RIPEMD-160") { ------------------ | Branch (157:7): [True: 0, False: 60] ------------------ 158| 0| return std::make_unique(); 159| 0| } 160| 60|#endif 161| | 162| 60|#if defined(BOTAN_HAS_WHIRLPOOL) 163| 60| if(algo_spec == "Whirlpool") { ------------------ | Branch (163:7): [True: 0, False: 60] ------------------ 164| 0| return std::make_unique(); 165| 0| } 166| 60|#endif 167| | 168| 60|#if defined(BOTAN_HAS_MD5) 169| 60| if(algo_spec == "MD5") { ------------------ | Branch (169:7): [True: 0, False: 60] ------------------ 170| 0| return std::make_unique(); 171| 0| } 172| 60|#endif 173| | 174| 60|#if defined(BOTAN_HAS_MD4) 175| 60| if(algo_spec == "MD4") { ------------------ | Branch (175:7): [True: 0, False: 60] ------------------ 176| 0| return std::make_unique(); 177| 0| } 178| 60|#endif 179| | 180| 60|#if defined(BOTAN_HAS_GOST_34_11) 181| 60| if(algo_spec == "GOST-R-34.11-94" || algo_spec == "GOST-34.11") { ------------------ | Branch (181:7): [True: 0, False: 60] | Branch (181:41): [True: 0, False: 60] ------------------ 182| 0| return std::make_unique(); 183| 0| } 184| 60|#endif 185| | 186| 60|#if defined(BOTAN_HAS_ADLER32) 187| 60| if(algo_spec == "Adler32") { ------------------ | Branch (187:7): [True: 0, False: 60] ------------------ 188| 0| return std::make_unique(); 189| 0| } 190| 60|#endif 191| | 192| 60|#if defined(BOTAN_HAS_ASCON_HASH256) 193| 60| if(algo_spec == "Ascon-Hash256") { ------------------ | Branch (193:7): [True: 0, False: 60] ------------------ 194| 0| return std::make_unique(); 195| 0| } 196| 60|#endif 197| | 198| 60|#if defined(BOTAN_HAS_CRC24) 199| 60| if(algo_spec == "CRC24") { ------------------ | Branch (199:7): [True: 0, False: 60] ------------------ 200| 0| return std::make_unique(); 201| 0| } 202| 60|#endif 203| | 204| 60|#if defined(BOTAN_HAS_CRC32) 205| 60| if(algo_spec == "CRC32") { ------------------ | Branch (205:7): [True: 0, False: 60] ------------------ 206| 0| return std::make_unique(); 207| 0| } 208| 60|#endif 209| | 210| 60|#if defined(BOTAN_HAS_STREEBOG) 211| 60| if(algo_spec == "Streebog-256") { ------------------ | Branch (211:7): [True: 0, False: 60] ------------------ 212| 0| return std::make_unique(256); 213| 0| } 214| 60| if(algo_spec == "Streebog-512") { ------------------ | Branch (214:7): [True: 0, False: 60] ------------------ 215| 0| return std::make_unique(512); 216| 0| } 217| 60|#endif 218| | 219| 60|#if defined(BOTAN_HAS_SM3) 220| 60| if(algo_spec == "SM3") { ------------------ | Branch (220:7): [True: 0, False: 60] ------------------ 221| 0| return std::make_unique(); 222| 0| } 223| 60|#endif 224| | 225| 60| const SCAN_Name req(algo_spec); 226| | 227| 60|#if defined(BOTAN_HAS_SKEIN_512) 228| 60| if(req.algo_name() == "Skein-512") { ------------------ | Branch (228:7): [True: 0, False: 60] ------------------ 229| 0| return std::make_unique(req.arg_as_integer(0, 512), req.arg(1, "")); 230| 0| } 231| 60|#endif 232| | 233| 60|#if defined(BOTAN_HAS_BLAKE2B) 234| 60| if(req.algo_name() == "Blake2b" || req.algo_name() == "BLAKE2b") { ------------------ | Branch (234:7): [True: 0, False: 60] | Branch (234:39): [True: 0, False: 60] ------------------ 235| 0| return std::make_unique(req.arg_as_integer(0, 512)); 236| 0| } 237| 60|#endif 238| | 239| 60|#if defined(BOTAN_HAS_BLAKE2S) 240| 60| if(req.algo_name() == "Blake2s" || req.algo_name() == "BLAKE2s") { ------------------ | Branch (240:7): [True: 0, False: 60] | Branch (240:39): [True: 0, False: 60] ------------------ 241| 0| return std::make_unique(req.arg_as_integer(0, 256)); 242| 0| } 243| 60|#endif 244| | 245| 60|#if defined(BOTAN_HAS_KECCAK) 246| 60| if(req.algo_name() == "Keccak-1600") { ------------------ | Branch (246:7): [True: 0, False: 60] ------------------ 247| 0| return std::make_unique(req.arg_as_integer(0, 512)); 248| 0| } 249| 60|#endif 250| | 251| 60|#if defined(BOTAN_HAS_SHA3) 252| 60| if(req.algo_name() == "SHA-3") { ------------------ | Branch (252:7): [True: 60, False: 0] ------------------ 253| 60| return std::make_unique(req.arg_as_integer(0, 512)); 254| 60| } 255| 0|#endif 256| | 257| 0|#if defined(BOTAN_HAS_SHAKE) 258| 0| if(req.algo_name() == "SHAKE-128" && req.arg_count() == 1) { ------------------ | Branch (258:7): [True: 0, False: 0] | Branch (258:41): [True: 0, False: 0] ------------------ 259| 0| return std::make_unique(req.arg_as_integer(0)); 260| 0| } 261| 0| if(req.algo_name() == "SHAKE-256" && req.arg_count() == 1) { ------------------ | Branch (261:7): [True: 0, False: 0] | Branch (261:41): [True: 0, False: 0] ------------------ 262| 0| return std::make_unique(req.arg_as_integer(0)); 263| 0| } 264| 0|#endif 265| | 266| 0|#if defined(BOTAN_HAS_PARALLEL_HASH) 267| 0| if(req.algo_name() == "Parallel") { ------------------ | Branch (267:7): [True: 0, False: 0] ------------------ 268| 0| std::vector> hashes; 269| | 270| 0| for(size_t i = 0; i != req.arg_count(); ++i) { ------------------ | Branch (270:25): [True: 0, False: 0] ------------------ 271| 0| auto h = HashFunction::create(req.arg(i)); 272| 0| if(!h) { ------------------ | Branch (272:13): [True: 0, False: 0] ------------------ 273| 0| return nullptr; 274| 0| } 275| 0| hashes.push_back(std::move(h)); 276| 0| } 277| | 278| 0| return std::make_unique(hashes); 279| 0| } 280| 0|#endif 281| | 282| 0|#if defined(BOTAN_HAS_TRUNCATED_HASH) 283| 0| if(req.algo_name() == "Truncated" && req.arg_count() == 2) { ------------------ | Branch (283:7): [True: 0, False: 0] | Branch (283:41): [True: 0, False: 0] ------------------ 284| 0| auto hash = HashFunction::create(req.arg(0)); 285| 0| if(!hash) { ------------------ | Branch (285:10): [True: 0, False: 0] ------------------ 286| 0| return nullptr; 287| 0| } 288| | 289| 0| return std::make_unique(std::move(hash), req.arg_as_integer(1)); 290| 0| } 291| 0|#endif 292| | 293| 0|#if defined(BOTAN_HAS_COMB4P) 294| 0| if(req.algo_name() == "Comb4P" && req.arg_count() == 2) { ------------------ | Branch (294:7): [True: 0, False: 0] | Branch (294:38): [True: 0, False: 0] ------------------ 295| 0| auto h1 = HashFunction::create(req.arg(0)); 296| 0| auto h2 = HashFunction::create(req.arg(1)); 297| | 298| 0| if(h1 && h2) { ------------------ | Branch (298:10): [True: 0, False: 0] | Branch (298:16): [True: 0, False: 0] ------------------ 299| 0| return std::make_unique(std::move(h1), std::move(h2)); 300| 0| } 301| 0| } 302| 0|#endif 303| | 304| 0| return nullptr; 305| 0|} _ZN5Botan12HashFunction15create_or_throwENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 308| 62|std::unique_ptr HashFunction::create_or_throw(std::string_view algo, std::string_view provider) { 309| 62| if(auto hash = HashFunction::create(algo, provider)) { ------------------ | Branch (309:12): [True: 62, False: 0] ------------------ 310| 62| return hash; 311| 62| } 312| 0| throw Lookup_Error("Hash", algo, provider); 313| 62|} _ZN5Botan7SHA_51215compress_digestERNSt3__16vectorImNS_16secure_allocatorImEEEENS1_4spanIKhLm18446744073709551615EEEm: 56| 2|void SHA_512::compress_digest(digest_type& digest, std::span input, size_t blocks) { 57| 2|#if defined(BOTAN_HAS_SHA2_64_X86) 58| 2| if(CPUID::has(CPUID::Feature::SHA512)) { ------------------ | Branch (58:7): [True: 0, False: 2] ------------------ 59| 0| return compress_digest_x86(digest, input, blocks); 60| 0| } 61| 2|#endif 62| | 63| |#if defined(BOTAN_HAS_SHA2_64_ARMV8) 64| | if(CPUID::has(CPUID::Feature::SHA2_512)) { 65| | return compress_digest_armv8(digest, input, blocks); 66| | } 67| |#endif 68| | 69| 2|#if defined(BOTAN_HAS_SHA2_64_X86_AVX512) 70| 2| if(CPUID::has(CPUID::Feature::AVX512, CPUID::Feature::BMI)) { ------------------ | Branch (70:7): [True: 0, False: 2] ------------------ 71| 0| return compress_digest_x86_avx512(digest, input, blocks); 72| 0| } 73| 2|#endif 74| | 75| 2|#if defined(BOTAN_HAS_SHA2_64_X86_AVX2) 76| 2| if(CPUID::has(CPUID::Feature::AVX2, CPUID::Feature::BMI)) { ------------------ | Branch (76:7): [True: 2, False: 0] ------------------ 77| 2| return compress_digest_x86_avx2(digest, input, blocks); 78| 2| } 79| 0|#endif 80| | 81| 0| uint64_t A = digest[0]; 82| 0| uint64_t B = digest[1]; 83| 0| uint64_t C = digest[2]; 84| 0| uint64_t D = digest[3]; 85| 0| uint64_t E = digest[4]; 86| 0| uint64_t F = digest[5]; 87| 0| uint64_t G = digest[6]; 88| 0| uint64_t H = digest[7]; 89| | 90| 0| std::array W{}; 91| | 92| 0| BufferSlicer in(input); 93| | 94| 0| for(size_t i = 0; i != blocks; ++i) { ------------------ | Branch (94:22): [True: 0, False: 0] ------------------ 95| 0| load_be(W, in.take()); 96| | 97| | // clang-format off 98| | 99| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0x428A2F98D728AE22); 100| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0x7137449123EF65CD); 101| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0xB5C0FBCFEC4D3B2F); 102| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0xE9B5DBA58189DBBC); 103| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x3956C25BF348B538); 104| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x59F111F1B605D019); 105| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x923F82A4AF194F9B); 106| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0xAB1C5ED5DA6D8118); 107| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0xD807AA98A3030242); 108| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0x12835B0145706FBE); 109| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0x243185BE4EE4B28C); 110| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0x550C7DC3D5FFB4E2); 111| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0x72BE5D74F27B896F); 112| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0x80DEB1FE3B1696B1); 113| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0x9BDC06A725C71235); 114| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0xC19BF174CF692694); 115| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0xE49B69C19EF14AD2); 116| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0xEFBE4786384F25E3); 117| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0x0FC19DC68B8CD5B5); 118| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0x240CA1CC77AC9C65); 119| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x2DE92C6F592B0275); 120| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x4A7484AA6EA6E483); 121| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x5CB0A9DCBD41FBD4); 122| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x76F988DA831153B5); 123| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0x983E5152EE66DFAB); 124| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0xA831C66D2DB43210); 125| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0xB00327C898FB213F); 126| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0xBF597FC7BEEF0EE4); 127| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0xC6E00BF33DA88FC2); 128| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0xD5A79147930AA725); 129| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0x06CA6351E003826F); 130| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0x142929670A0E6E70); 131| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0x27B70A8546D22FFC); 132| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0x2E1B21385C26C926); 133| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0x4D2C6DFC5AC42AED); 134| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0x53380D139D95B3DF); 135| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x650A73548BAF63DE); 136| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x766A0ABB3C77B2A8); 137| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x81C2C92E47EDAEE6); 138| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x92722C851482353B); 139| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0xA2BFE8A14CF10364); 140| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0xA81A664BBC423001); 141| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0xC24B8B70D0F89791); 142| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0xC76C51A30654BE30); 143| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0xD192E819D6EF5218); 144| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0xD69906245565A910); 145| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0xF40E35855771202A); 146| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0x106AA07032BBD1B8); 147| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0x19A4C116B8D2D0C8); 148| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0x1E376C085141AB53); 149| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0x2748774CDF8EEB99); 150| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0x34B0BCB5E19B48A8); 151| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x391C0CB3C5C95A63); 152| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x4ED8AA4AE3418ACB); 153| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x5B9CCA4F7763E373); 154| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x682E6FF3D6B2B8A3); 155| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0x748F82EE5DEFB2FC); 156| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0x78A5636F43172F60); 157| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0x84C87814A1F0AB72); 158| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0x8CC702081A6439EC); 159| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0x90BEFFFA23631E28); 160| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0xA4506CEBDE82BDE9); 161| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0xBEF9A3F7B2C67915); 162| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0xC67178F2E372532B); 163| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 0], W[14], W[ 9], W[ 1], 0xCA273ECEEA26619C); 164| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 1], W[15], W[10], W[ 2], 0xD186B8C721C0C207); 165| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[ 2], W[ 0], W[11], W[ 3], 0xEADA7DD6CDE0EB1E); 166| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[ 3], W[ 1], W[12], W[ 4], 0xF57D4F7FEE6ED178); 167| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[ 4], W[ 2], W[13], W[ 5], 0x06F067AA72176FBA); 168| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[ 5], W[ 3], W[14], W[ 6], 0x0A637DC5A2C898A6); 169| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[ 6], W[ 4], W[15], W[ 7], 0x113F9804BEF90DAE); 170| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[ 7], W[ 5], W[ 0], W[ 8], 0x1B710B35131C471B); 171| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[ 8], W[ 6], W[ 1], W[ 9], 0x28DB77F523047D84); 172| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[ 9], W[ 7], W[ 2], W[10], 0x32CAAB7B40C72493); 173| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10], W[ 8], W[ 3], W[11], 0x3C9EBE0A15C9BEBC); 174| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11], W[ 9], W[ 4], W[12], 0x431D67C49C100D4C); 175| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12], W[10], W[ 5], W[13], 0x4CC5D4BECB3E42B6); 176| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13], W[11], W[ 6], W[14], 0x597F299CFC657E2A); 177| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14], W[12], W[ 7], W[15], 0x5FCB6FAB3AD6FAEC); 178| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15], W[13], W[ 8], W[ 0], 0x6C44198C4A475817); 179| | 180| | // clang-format on 181| | 182| 0| A = (digest[0] += A); 183| 0| B = (digest[1] += B); 184| 0| C = (digest[2] += C); 185| 0| D = (digest[3] += D); 186| 0| E = (digest[4] += E); 187| 0| F = (digest[5] += F); 188| 0| G = (digest[6] += G); 189| 0| H = (digest[7] += H); 190| 0| } 191| 0|} _ZN5Botan7SHA_51210compress_nERNSt3__16vectorImNS_16secure_allocatorImEEEENS1_4spanIKhLm18446744073709551615EEEm: 213| 2|void SHA_512::compress_n(digest_type& digest, std::span input, size_t blocks) { 214| 2| SHA_512::compress_digest(digest, input, blocks); 215| 2|} _ZN5Botan7SHA_5124initERNSt3__16vectorImNS_16secure_allocatorImEEEE: 239| 4|void SHA_512::init(digest_type& digest) { 240| 4| digest.assign({0x6A09E667F3BCC908, 241| 4| 0xBB67AE8584CAA73B, 242| 4| 0x3C6EF372FE94F82B, 243| 4| 0xA54FF53A5F1D36F1, 244| 4| 0x510E527FADE682D1, 245| 4| 0x9B05688C2B3E6C1F, 246| 4| 0x1F83D9ABFB41BD6B, 247| 4| 0x5BE0CD19137E2179}); 248| 4|} _ZN5Botan7SHA_5128add_dataENSt3__14spanIKhLm18446744073709551615EEE: 278| 2|void SHA_512::add_data(std::span input) { 279| 2| m_md.update(input); 280| 2|} _ZN5Botan7SHA_51212final_resultENSt3__14spanIhLm18446744073709551615EEE: 290| 2|void SHA_512::final_result(std::span output) { 291| 2| m_md.final(output); 292| 2|} _ZN5Botan7SHA_51224compress_digest_x86_avx2ERNSt3__16vectorImNS_16secure_allocatorImEEEENS1_4spanIKhLm18446744073709551615EEEm: 44| 2| size_t blocks) { 45| | // clang-format off 46| 2| alignas(64) const uint64_t K[80] = { 47| 2| 0x428A2F98D728AE22, 0x7137449123EF65CD, 0xB5C0FBCFEC4D3B2F, 0xE9B5DBA58189DBBC, 48| 2| 0x3956C25BF348B538, 0x59F111F1B605D019, 0x923F82A4AF194F9B, 0xAB1C5ED5DA6D8118, 49| 2| 0xD807AA98A3030242, 0x12835B0145706FBE, 0x243185BE4EE4B28C, 0x550C7DC3D5FFB4E2, 50| 2| 0x72BE5D74F27B896F, 0x80DEB1FE3B1696B1, 0x9BDC06A725C71235, 0xC19BF174CF692694, 51| 2| 0xE49B69C19EF14AD2, 0xEFBE4786384F25E3, 0x0FC19DC68B8CD5B5, 0x240CA1CC77AC9C65, 52| 2| 0x2DE92C6F592B0275, 0x4A7484AA6EA6E483, 0x5CB0A9DCBD41FBD4, 0x76F988DA831153B5, 53| 2| 0x983E5152EE66DFAB, 0xA831C66D2DB43210, 0xB00327C898FB213F, 0xBF597FC7BEEF0EE4, 54| 2| 0xC6E00BF33DA88FC2, 0xD5A79147930AA725, 0x06CA6351E003826F, 0x142929670A0E6E70, 55| 2| 0x27B70A8546D22FFC, 0x2E1B21385C26C926, 0x4D2C6DFC5AC42AED, 0x53380D139D95B3DF, 56| 2| 0x650A73548BAF63DE, 0x766A0ABB3C77B2A8, 0x81C2C92E47EDAEE6, 0x92722C851482353B, 57| 2| 0xA2BFE8A14CF10364, 0xA81A664BBC423001, 0xC24B8B70D0F89791, 0xC76C51A30654BE30, 58| 2| 0xD192E819D6EF5218, 0xD69906245565A910, 0xF40E35855771202A, 0x106AA07032BBD1B8, 59| 2| 0x19A4C116B8D2D0C8, 0x1E376C085141AB53, 0x2748774CDF8EEB99, 0x34B0BCB5E19B48A8, 60| 2| 0x391C0CB3C5C95A63, 0x4ED8AA4AE3418ACB, 0x5B9CCA4F7763E373, 0x682E6FF3D6B2B8A3, 61| 2| 0x748F82EE5DEFB2FC, 0x78A5636F43172F60, 0x84C87814A1F0AB72, 0x8CC702081A6439EC, 62| 2| 0x90BEFFFA23631E28, 0xA4506CEBDE82BDE9, 0xBEF9A3F7B2C67915, 0xC67178F2E372532B, 63| 2| 0xCA273ECEEA26619C, 0xD186B8C721C0C207, 0xEADA7DD6CDE0EB1E, 0xF57D4F7FEE6ED178, 64| 2| 0x06F067AA72176FBA, 0x0A637DC5A2C898A6, 0x113F9804BEF90DAE, 0x1B710B35131C471B, 65| 2| 0x28DB77F523047D84, 0x32CAAB7B40C72493, 0x3C9EBE0A15C9BEBC, 0x431D67C49C100D4C, 66| 2| 0x4CC5D4BECB3E42B6, 0x597F299CFC657E2A, 0x5FCB6FAB3AD6FAEC, 0x6C44198C4A475817, 67| 2| }; 68| | // clang-format on 69| | 70| 2| alignas(64) uint64_t W[16] = {0}; 71| 2| alignas(64) uint64_t W2[80]; 72| | 73| 2| uint64_t A = digest[0]; 74| 2| uint64_t B = digest[1]; 75| 2| uint64_t C = digest[2]; 76| 2| uint64_t D = digest[3]; 77| 2| uint64_t E = digest[4]; 78| 2| uint64_t F = digest[5]; 79| 2| uint64_t G = digest[6]; 80| 2| uint64_t H = digest[7]; 81| | 82| 2| const uint8_t* data = input.data(); 83| | 84| 2| while(blocks >= 2) { ------------------ | Branch (84:10): [True: 0, False: 2] ------------------ 85| 0| SIMD_4x64 WS[8]; 86| | 87| 0| for(size_t i = 0; i < 8; i++) { ------------------ | Branch (87:25): [True: 0, False: 0] ------------------ 88| 0| WS[i] = SIMD_4x64::load_be2(&data[16 * i], &data[128 + 16 * i]); 89| 0| auto WK = WS[i] + SIMD_4x64::broadcast_2x64(&K[2 * i]); 90| 0| WK.store_le2(&W[2 * i], &W2[2 * i]); 91| 0| } 92| | 93| 0| data += 2 * 128; 94| 0| blocks -= 2; 95| | 96| | // First 64 rounds of SHA-512 97| 0| for(size_t r = 0; r != 64; r += 16) { ------------------ | Branch (97:25): [True: 0, False: 0] ------------------ 98| 0| auto w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 16]); 99| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 100| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 101| 0| w.store_le2(&W[0], &W2[r + 16]); 102| | 103| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 18]); 104| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 105| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 106| 0| w.store_le2(&W[2], &W2[r + 18]); 107| | 108| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 20]); 109| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 110| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 111| 0| w.store_le2(&W[4], &W2[r + 20]); 112| | 113| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 22]); 114| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 115| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 116| 0| w.store_le2(&W[6], &W2[r + 22]); 117| | 118| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 24]); 119| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 120| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 121| 0| w.store_le2(&W[8], &W2[r + 24]); 122| | 123| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 26]); 124| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 125| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 126| 0| w.store_le2(&W[10], &W2[r + 26]); 127| | 128| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 28]); 129| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 130| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 131| 0| w.store_le2(&W[12], &W2[r + 28]); 132| | 133| 0| w = sha512_next_w(WS) + SIMD_4x64::broadcast_2x64(&K[r + 30]); 134| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 135| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 136| 0| w.store_le2(&W[14], &W2[r + 30]); 137| 0| } 138| | 139| | // Final 16 rounds of SHA-512 140| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 141| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 142| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 143| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 144| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 145| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 146| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 147| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 148| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 149| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 150| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 151| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 152| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 153| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 154| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 155| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 156| | 157| 0| A = (digest[0] += A); 158| 0| B = (digest[1] += B); 159| 0| C = (digest[2] += C); 160| 0| D = (digest[3] += D); 161| 0| E = (digest[4] += E); 162| 0| F = (digest[5] += F); 163| 0| G = (digest[6] += G); 164| 0| H = (digest[7] += H); 165| | 166| | // Second block of SHA-512 compression, with pre-expanded message 167| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[0]); 168| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[1]); 169| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[2]); 170| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[3]); 171| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[4]); 172| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[5]); 173| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[6]); 174| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[7]); 175| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[8]); 176| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[9]); 177| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[10]); 178| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[11]); 179| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[12]); 180| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[13]); 181| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[14]); 182| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[15]); 183| | 184| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[16]); 185| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[17]); 186| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[18]); 187| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[19]); 188| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[20]); 189| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[21]); 190| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[22]); 191| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[23]); 192| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[24]); 193| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[25]); 194| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[26]); 195| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[27]); 196| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[28]); 197| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[29]); 198| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[30]); 199| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[31]); 200| | 201| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[32]); 202| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[33]); 203| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[34]); 204| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[35]); 205| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[36]); 206| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[37]); 207| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[38]); 208| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[39]); 209| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[40]); 210| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[41]); 211| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[42]); 212| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[43]); 213| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[44]); 214| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[45]); 215| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[46]); 216| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[47]); 217| | 218| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[48]); 219| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[49]); 220| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[50]); 221| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[51]); 222| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[52]); 223| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[53]); 224| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[54]); 225| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[55]); 226| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[56]); 227| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[57]); 228| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[58]); 229| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[59]); 230| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[60]); 231| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[61]); 232| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[62]); 233| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[63]); 234| | 235| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[64]); 236| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[65]); 237| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[66]); 238| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[67]); 239| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[68]); 240| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[69]); 241| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[70]); 242| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[71]); 243| 0| SHA2_64_F(A, B, C, D, E, F, G, H, W2[72]); 244| 0| SHA2_64_F(H, A, B, C, D, E, F, G, W2[73]); 245| 0| SHA2_64_F(G, H, A, B, C, D, E, F, W2[74]); 246| 0| SHA2_64_F(F, G, H, A, B, C, D, E, W2[75]); 247| 0| SHA2_64_F(E, F, G, H, A, B, C, D, W2[76]); 248| 0| SHA2_64_F(D, E, F, G, H, A, B, C, W2[77]); 249| 0| SHA2_64_F(C, D, E, F, G, H, A, B, W2[78]); 250| 0| SHA2_64_F(B, C, D, E, F, G, H, A, W2[79]); 251| | 252| 0| A = (digest[0] += A); 253| 0| B = (digest[1] += B); 254| 0| C = (digest[2] += C); 255| 0| D = (digest[3] += D); 256| 0| E = (digest[4] += E); 257| 0| F = (digest[5] += F); 258| 0| G = (digest[6] += G); 259| 0| H = (digest[7] += H); 260| 0| } 261| | 262| 4| while(blocks > 0) { ------------------ | Branch (262:10): [True: 2, False: 2] ------------------ 263| 2| SIMD_2x64 WS[8]; 264| | 265| 18| for(size_t i = 0; i < 8; i++) { ------------------ | Branch (265:25): [True: 16, False: 2] ------------------ 266| 16| WS[i] = SIMD_2x64::load_be(&data[16 * i]); 267| 16| auto WK = WS[i] + SIMD_2x64::load_le(&K[2 * i]); 268| 16| WK.store_le(&W[2 * i]); 269| 16| } 270| | 271| 2| data += 128; 272| 2| blocks -= 1; 273| | 274| | // First 64 rounds of SHA-512 275| 10| for(size_t r = 0; r != 64; r += 16) { ------------------ | Branch (275:25): [True: 8, False: 2] ------------------ 276| 8| auto w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 16]); 277| 8| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 278| 8| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 279| 8| w.store_le(&W[0]); 280| | 281| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 18]); 282| 8| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 283| 8| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 284| 8| w.store_le(&W[2]); 285| | 286| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 20]); 287| 8| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 288| 8| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 289| 8| w.store_le(&W[4]); 290| | 291| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 22]); 292| 8| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 293| 8| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 294| 8| w.store_le(&W[6]); 295| | 296| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 24]); 297| 8| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 298| 8| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 299| 8| w.store_le(&W[8]); 300| | 301| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 26]); 302| 8| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 303| 8| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 304| 8| w.store_le(&W[10]); 305| | 306| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 28]); 307| 8| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 308| 8| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 309| 8| w.store_le(&W[12]); 310| | 311| 8| w = sha512_next_w(WS) + SIMD_2x64::load_le(&K[r + 30]); 312| 8| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 313| 8| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 314| 8| w.store_le(&W[14]); 315| 8| } 316| | 317| | // Final 16 rounds of SHA-512 318| 2| SHA2_64_F(A, B, C, D, E, F, G, H, W[0]); 319| 2| SHA2_64_F(H, A, B, C, D, E, F, G, W[1]); 320| 2| SHA2_64_F(G, H, A, B, C, D, E, F, W[2]); 321| 2| SHA2_64_F(F, G, H, A, B, C, D, E, W[3]); 322| 2| SHA2_64_F(E, F, G, H, A, B, C, D, W[4]); 323| 2| SHA2_64_F(D, E, F, G, H, A, B, C, W[5]); 324| 2| SHA2_64_F(C, D, E, F, G, H, A, B, W[6]); 325| 2| SHA2_64_F(B, C, D, E, F, G, H, A, W[7]); 326| 2| SHA2_64_F(A, B, C, D, E, F, G, H, W[8]); 327| 2| SHA2_64_F(H, A, B, C, D, E, F, G, W[9]); 328| 2| SHA2_64_F(G, H, A, B, C, D, E, F, W[10]); 329| 2| SHA2_64_F(F, G, H, A, B, C, D, E, W[11]); 330| 2| SHA2_64_F(E, F, G, H, A, B, C, D, W[12]); 331| 2| SHA2_64_F(D, E, F, G, H, A, B, C, W[13]); 332| 2| SHA2_64_F(C, D, E, F, G, H, A, B, W[14]); 333| 2| SHA2_64_F(B, C, D, E, F, G, H, A, W[15]); 334| | 335| 2| A = (digest[0] += A); 336| 2| B = (digest[1] += B); 337| 2| C = (digest[2] += C); 338| 2| D = (digest[3] += D); 339| 2| E = (digest[4] += E); 340| 2| F = (digest[5] += F); 341| 2| G = (digest[6] += G); 342| 2| H = (digest[7] += H); 343| 2| } 344| 2|} sha2_64_avx2.cpp:_ZN5Botan12_GLOBAL__N_113sha512_next_wINS_9SIMD_2x64EEET_PS3_: 19| 64|BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_BMI2 SIMD_T sha512_next_w(SIMD_T x[8]) { 20| 64| auto t0 = SIMD_T::alignr8(x[1], x[0]); 21| 64| auto t1 = SIMD_T::alignr8(x[5], x[4]); 22| | 23| 64| auto s0 = t0.template rotr<1>() ^ t0.template rotr<8>() ^ t0.template shr<7>(); 24| 64| auto s1 = x[7].template rotr<19>() ^ x[7].template rotr<61>() ^ x[7].template shr<6>(); 25| | 26| 64| auto nx = x[0] + s0 + s1 + t1; 27| | 28| 64| x[0] = x[1]; 29| 64| x[1] = x[2]; 30| 64| x[2] = x[3]; 31| 64| x[3] = x[4]; 32| 64| x[4] = x[5]; 33| 64| x[5] = x[6]; 34| 64| x[6] = x[7]; 35| 64| x[7] = nx; 36| | 37| 64| return x[7]; 38| 64|} _ZN5Botan5SHA_3C2Em: 17| 60| m_keccak({.capacity_bits = output_bits * 2, .padding = KeccakPadding::sha3()}), m_output_length(output_bits / 8) { 18| | // We only support the parameters for SHA-3 in this constructor 19| | 20| 60| if(output_bits != 224 && output_bits != 256 && output_bits != 384 && output_bits != 512) { ------------------ | Branch (20:7): [True: 60, False: 0] | Branch (20:29): [True: 30, False: 30] | Branch (20:51): [True: 30, False: 0] | Branch (20:73): [True: 0, False: 30] ------------------ 21| 0| throw Invalid_Argument(fmt("SHA_3: Invalid output length {}", output_bits)); 22| 0| } 23| 60|} _ZN5Botan5SHA_38add_dataENSt3__14spanIKhLm18446744073709551615EEE: 45| 90|void SHA_3::add_data(std::span input) { 46| 90| m_keccak.absorb(input); 47| 90|} _ZN5Botan5SHA_312final_resultENSt3__14spanIhLm18446744073709551615EEE: 49| 60|void SHA_3::final_result(std::span output) { 50| 60| m_keccak.finish(); 51| 60| m_keccak.squeeze(output); 52| 60| m_keccak.clear(); 53| 60|} _ZN5Botan6BigInt17from_radix_digitsENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEEm: 125| 18.6k|BigInt BigInt::from_radix_digits(std::string_view digits, size_t radix) { 126| 18.6k| if(radix == 16) { ------------------ | Branch (126:7): [True: 18.6k, False: 0] ------------------ 127| 18.6k| secure_vector binary; 128| | 129| 18.6k| if(digits.size() % 2 == 1) { ------------------ | Branch (129:10): [True: 4.26k, False: 14.3k] ------------------ 130| | // Handle lack of leading 0 131| 4.26k| const char buf0_with_leading_0[2] = {'0', digits[0]}; 132| | 133| 4.26k| binary = hex_decode_locked(buf0_with_leading_0, 2); 134| | 135| 4.26k| if(digits.size() > 1) { ------------------ | Branch (135:13): [True: 2.62k, False: 1.64k] ------------------ 136| 2.62k| binary += hex_decode_locked(&digits[1], digits.size() - 1, false); 137| 2.62k| } 138| 14.3k| } else { 139| 14.3k| binary = hex_decode_locked(digits, false); 140| 14.3k| } 141| | 142| 18.6k| return BigInt::from_bytes(binary); 143| 18.6k| } else if(radix == 10) { ------------------ | Branch (143:14): [True: 0, False: 0] ------------------ 144| | // Use the largest power of 10 that fits in a word, accumulating 145| | // groups of digits into word-sized chunks to minimize the number 146| | // of multiprecision multiplications. 147| 0| constexpr word conversion_radix = decimal_conversion_radix(); 148| 0| constexpr size_t radix_digits = decimal_conversion_radix_digits(); 149| | 150| 0| BigInt r; 151| | 152| | // Handle the initial partial block (if digit count is not a multiple of radix_digits) 153| 0| const size_t partial_block = digits.size() % radix_digits; 154| | 155| 0| if(partial_block > 0) { ------------------ | Branch (155:10): [True: 0, False: 0] ------------------ 156| 0| word acc = 0; 157| 0| for(size_t i = 0; i < partial_block; ++i) { ------------------ | Branch (157:28): [True: 0, False: 0] ------------------ 158| 0| const char c = digits[i]; 159| 0| BOTAN_ARG_CHECK(c >= '0' && c <= '9', "Invalid decimal character"); ------------------ | | 35| 0| do { \ | | 36| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 0| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 0| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 0] | | ------------------ ------------------ 160| 0| acc = acc * 10 + static_cast(c - '0'); 161| 0| } 162| 0| r += acc; 163| 0| } 164| | 165| | // Process full blocks of radix_digits 166| 0| for(size_t i = partial_block; i != digits.size(); i += radix_digits) { ------------------ | Branch (166:37): [True: 0, False: 0] ------------------ 167| 0| word acc = 0; 168| 0| for(size_t j = 0; j < radix_digits; ++j) { ------------------ | Branch (168:28): [True: 0, False: 0] ------------------ 169| 0| const char c = digits[i + j]; 170| 0| BOTAN_ARG_CHECK(c >= '0' && c <= '9', "Invalid decimal character"); ------------------ | | 35| 0| do { \ | | 36| 0| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 0| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 0| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 0] | | ------------------ ------------------ 171| 0| acc = acc * 10 + static_cast(c - '0'); 172| 0| } 173| 0| r *= conversion_radix; 174| 0| r += acc; 175| 0| } 176| | 177| 0| return r; 178| 0| } else { 179| 0| throw Invalid_Argument("BigInt::from_radix_digits unknown radix"); 180| 0| } 181| 18.6k|} _ZN5Botan6BigIntpLERKS0_: 16| 1.02k|BigInt& BigInt::operator+=(const BigInt& y) { 17| 1.02k| if(&y == this) { ------------------ | Branch (17:7): [True: 0, False: 1.02k] ------------------ 18| 0| return *this <<= 1; 19| 0| } 20| 1.02k| return add(y._data(), y.sig_words(), y.sign()); 21| 1.02k|} _ZN5Botan6BigIntmIERKS0_: 23| 84.2k|BigInt& BigInt::operator-=(const BigInt& y) { 24| 84.2k| if(&y == this) { ------------------ | Branch (24:7): [True: 0, False: 84.2k] ------------------ 25| 0| this->clear(); 26| 0| this->set_sign(Positive); 27| 0| return *this; 28| 0| } 29| 84.2k| return sub(y._data(), y.sig_words(), y.sign()); 30| 84.2k|} _ZN5Botan6BigInt3addEPKmmNS0_4SignE: 32| 89.6k|BigInt& BigInt::add(const word y[], size_t y_words, Sign y_sign) { 33| 89.6k| const size_t x_sw = sig_words(); 34| | 35| 89.6k| grow_to(std::max(x_sw, y_words) + 1); 36| | 37| 89.6k| if(sign() == y_sign) { ------------------ | Branch (37:7): [True: 2.69k, False: 86.9k] ------------------ 38| 2.69k| const word carry = bigint_add2(mutable_data(), size() - 1, y, y_words); 39| 2.69k| mutable_data()[size() - 1] += carry; 40| 86.9k| } else { 41| 86.9k| const int32_t relative_size = bigint_cmp(_data(), x_sw, y, y_words); 42| | 43| 86.9k| if(relative_size >= 0) { ------------------ | Branch (43:10): [True: 84.3k, False: 2.57k] ------------------ 44| | // *this >= y 45| 84.3k| bigint_sub2(mutable_data(), x_sw, y, y_words); 46| 84.3k| } else { 47| | // *this < y: compute *this = y - *this 48| 2.57k| bigint_sub2_rev(mutable_data(), y, y_words); 49| 2.57k| } 50| | 51| 86.9k| if(relative_size < 0) { ------------------ | Branch (51:10): [True: 2.57k, False: 84.3k] ------------------ 52| 2.57k| set_sign(y_sign); 53| 84.3k| } else if(relative_size == 0) { ------------------ | Branch (53:17): [True: 2, False: 84.3k] ------------------ 54| 2| set_sign(Positive); 55| 2| } 56| 86.9k| } 57| | 58| 89.6k| return (*this); 59| 89.6k|} _ZN5Botan6BigInt7mod_addERKS0_S2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 61| 44.8k|BigInt& BigInt::mod_add(const BigInt& s, const BigInt& mod, secure_vector& ws) { 62| 44.8k| if(this->signum() < 0 || s.signum() < 0 || mod.signum() < 0) { ------------------ | Branch (62:7): [True: 0, False: 44.8k] | Branch (62:29): [True: 0, False: 44.8k] | Branch (62:47): [True: 0, False: 44.8k] ------------------ 63| 0| throw Invalid_Argument("BigInt::mod_add expects all arguments are positive"); 64| 0| } 65| | 66| 44.8k| BOTAN_DEBUG_ASSERT(*this < mod); ------------------ | | 130| 44.8k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 44.8k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 44.8k] | | ------------------ ------------------ 67| 44.8k| BOTAN_DEBUG_ASSERT(s < mod); ------------------ | | 130| 44.8k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 44.8k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 44.8k] | | ------------------ ------------------ 68| | 69| | /* 70| | t + s or t + s - p == t - (p - s) 71| | 72| | So first compute ws = p - s 73| | 74| | Then compute t + s and t - ws 75| | 76| | If t - ws does not borrow, then that is the correct valued 77| | */ 78| | 79| 44.8k| const size_t mod_sw = mod.sig_words(); 80| 44.8k| BOTAN_ARG_CHECK(mod_sw > 0, "BigInt::mod_add modulus must be positive"); ------------------ | | 35| 44.8k| do { \ | | 36| 44.8k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 44.8k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 44.8k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 44.8k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 44.8k] | | ------------------ ------------------ 81| | 82| 44.8k| this->grow_to(mod_sw); 83| 44.8k| s.grow_to(mod_sw); 84| | 85| | // First mod_sw for p - s, 2*mod_sw for bigint_addsub workspace 86| 44.8k| if(ws.size() < 3 * mod_sw) { ------------------ | Branch (86:7): [True: 32.7k, False: 12.1k] ------------------ 87| 32.7k| ws.resize(3 * mod_sw); 88| 32.7k| } 89| | 90| | // NOLINTBEGIN(readability-container-data-pointer) 91| | 92| 44.8k| word borrow = bigint_sub3(&ws[0], mod._data(), mod_sw, s._data(), mod_sw); 93| 44.8k| BOTAN_DEBUG_ASSERT(borrow == 0); ------------------ | | 130| 44.8k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 44.8k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 44.8k] | | ------------------ ------------------ 94| 44.8k| BOTAN_UNUSED(borrow); ------------------ | | 144| 44.8k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 95| | 96| | // Compute t - ws 97| 44.8k| borrow = bigint_sub3(&ws[mod_sw], this->_data(), mod_sw, &ws[0], mod_sw); 98| | 99| | // Compute t + s 100| 44.8k| bigint_add3(&ws[mod_sw * 2], this->_data(), mod_sw, s._data(), mod_sw); 101| | 102| 44.8k| CT::conditional_copy_mem(borrow, &ws[0], &ws[mod_sw * 2], &ws[mod_sw], mod_sw); 103| 44.8k| set_words(&ws[0], mod_sw); 104| | 105| | // NOLINTEND(readability-container-data-pointer) 106| | 107| 44.8k| return (*this); 108| 44.8k|} _ZN5Botan6BigInt7mod_subERKS0_S2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 110| 3.56M|BigInt& BigInt::mod_sub(const BigInt& s, const BigInt& mod, secure_vector& ws) { 111| 3.56M| if(this->signum() < 0 || s.signum() < 0 || mod.signum() < 0) { ------------------ | Branch (111:7): [True: 0, False: 3.56M] | Branch (111:29): [True: 0, False: 3.56M] | Branch (111:47): [True: 0, False: 3.56M] ------------------ 112| 0| throw Invalid_Argument("BigInt::mod_sub expects all arguments are positive"); 113| 0| } 114| | 115| | // We are assuming in this function that *this and s are no more than mod_sw words long 116| 3.56M| BOTAN_DEBUG_ASSERT(*this < mod); ------------------ | | 130| 3.56M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.56M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.56M] | | ------------------ ------------------ 117| 3.56M| BOTAN_DEBUG_ASSERT(s < mod); ------------------ | | 130| 3.56M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 3.56M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 3.56M] | | ------------------ ------------------ 118| | 119| 3.56M| const size_t mod_sw = mod.sig_words(); 120| | 121| 3.56M| this->grow_to(mod_sw); 122| 3.56M| s.grow_to(mod_sw); 123| | 124| 3.56M| if(ws.size() < mod_sw) { ------------------ | Branch (124:7): [True: 0, False: 3.56M] ------------------ 125| 0| ws.resize(mod_sw); 126| 0| } 127| | 128| 3.56M| const word borrow = bigint_sub3(ws.data(), mutable_data(), mod_sw, s._data(), mod_sw); 129| | 130| | // Conditionally add back the modulus 131| 3.56M| bigint_cnd_add(borrow, ws.data(), mod._data(), mod_sw); 132| | 133| 3.56M| unchecked_copy_memory(mutable_data(), ws.data(), mod_sw); 134| | 135| 3.56M| return (*this); 136| 3.56M|} _ZN5Botan6BigInt7mod_mulEhRKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 138| 1.04M|BigInt& BigInt::mod_mul(uint8_t y, const BigInt& mod, secure_vector& ws) { 139| 1.04M| BOTAN_ARG_CHECK(this->signum() >= 0, "*this must be positive"); ------------------ | | 35| 1.04M| do { \ | | 36| 1.04M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.04M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.04M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.04M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.04M] | | ------------------ ------------------ 140| 1.04M| BOTAN_ARG_CHECK(y < 16, "y too large"); ------------------ | | 35| 1.04M| do { \ | | 36| 1.04M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.04M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.04M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.04M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.04M] | | ------------------ ------------------ 141| | 142| 1.04M| BOTAN_DEBUG_ASSERT(*this < mod); ------------------ | | 130| 1.04M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 1.04M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 1.04M] | | ------------------ ------------------ 143| | 144| 1.04M| *this *= static_cast(y); 145| 1.04M| this->reduce_below(mod, ws); 146| 1.04M| return (*this); 147| 1.04M|} _ZN5Botan6BigIntmLEm: 205| 1.04M|BigInt& BigInt::operator*=(word y) { 206| 1.04M| if(y == 0) { ------------------ | Branch (206:7): [True: 0, False: 1.04M] ------------------ 207| 0| clear(); 208| 0| set_sign(Positive); 209| 0| } 210| | 211| 1.04M| const word carry = bigint_linmul2(mutable_data(), size(), y); 212| 1.04M| set_word_at(size(), carry); 213| | 214| 1.04M| return (*this); 215| 1.04M|} _ZN5Botan6BigIntrMERKS0_: 232| 46.8k|BigInt& BigInt::operator%=(const BigInt& mod) { 233| 46.8k| return (*this = (*this) % mod); 234| 46.8k|} _ZN5Botan6BigIntlSEm: 269| 67.8k|BigInt& BigInt::operator<<=(size_t shift) { 270| 67.8k| if(shift >= 65536) { ------------------ | Branch (270:7): [True: 0, False: 67.8k] ------------------ 271| 0| throw Invalid_Argument("BigInt left shift count too large"); 272| 0| } 273| | 274| 67.8k| const size_t sw = sig_words(); 275| 67.8k| const size_t new_size = sw + (shift + WordInfo::bits - 1) / WordInfo::bits; 276| | 277| 67.8k| m_data.grow_to(new_size); 278| | 279| 67.8k| bigint_shl1(m_data.mutable_data(), new_size, sw, shift); 280| | 281| 67.8k| return (*this); 282| 67.8k|} _ZN5Botan6BigIntrSEm: 287| 1.14M|BigInt& BigInt::operator>>=(size_t shift) { 288| 1.14M| bigint_shr1(m_data.mutable_data(), m_data.size(), shift); 289| | 290| 1.14M| if(sig_words() == 0 && m_signedness == Negative) { ------------------ | Branch (290:7): [True: 943, False: 1.14M] | Branch (290:27): [True: 0, False: 943] ------------------ 291| 0| m_signedness = Positive; 292| 0| } 293| | 294| 1.14M| return (*this); 295| 1.14M|} _ZN5Botan6BigInt4add2ERKS0_PKmmNS0_4SignE: 20| 982k|BigInt BigInt::add2(const BigInt& x, const word y[], size_t y_size, BigInt::Sign y_sign) { 21| 982k| const size_t x_sw = x.sig_words(); 22| | 23| 982k| BigInt z = BigInt::with_capacity(std::max(x_sw, y_size) + 1); 24| | 25| 982k| if(x.sign() == y_sign) { ------------------ | Branch (25:7): [True: 974k, False: 7.91k] ------------------ 26| 974k| const word carry = bigint_add3(z.mutable_data(), x._data(), x_sw, y, y_size); 27| 974k| z.mutable_data()[std::max(x_sw, y_size)] += carry; 28| 974k| z.set_sign(x.sign()); 29| 974k| } else { 30| 7.91k| const int32_t relative_size = bigint_cmp(x.data(), x_sw, y, y_size); 31| | 32| 7.91k| if(relative_size < 0) { ------------------ | Branch (32:10): [True: 0, False: 7.91k] ------------------ 33| | // x < y so z = abs(y - x) 34| | // NOLINTNEXTLINE(*-suspicious-call-argument) intentionally swapping x and y here 35| 0| bigint_sub3(z.mutable_data(), y, y_size, x.data(), x_sw); 36| 0| z.set_sign(y_sign); 37| 7.91k| } else if(relative_size == 0) { ------------------ | Branch (37:17): [True: 0, False: 7.91k] ------------------ 38| | // Positive zero (nothing to do in this case) 39| 7.91k| } else { 40| | /* 41| | * We know at this point that x >= y so if y_size is larger than 42| | * x_sw, we are guaranteed they are just leading zeros which can 43| | * be ignored 44| | */ 45| 7.91k| y_size = std::min(x_sw, y_size); 46| 7.91k| bigint_sub3(z.mutable_data(), x.data(), x_sw, y, y_size); 47| 7.91k| z.set_sign(x.sign()); 48| 7.91k| } 49| 7.91k| } 50| | 51| 982k| return z; 52| 982k|} _ZN5BotanmlERKNS_6BigIntES2_: 57| 1.61k|BigInt operator*(const BigInt& x, const BigInt& y) { 58| 1.61k| const size_t x_sw = x.sig_words(); 59| 1.61k| const size_t y_sw = y.sig_words(); 60| | 61| 1.61k| BigInt z = BigInt::with_capacity(x.size() + y.size()); 62| | 63| 1.61k| if(x_sw == 1 && y_sw > 0) { ------------------ | Branch (63:7): [True: 58, False: 1.55k] | Branch (63:20): [True: 58, False: 0] ------------------ 64| 58| bigint_linmul3(z.mutable_data(), y._data(), y_sw, x.word_at(0)); 65| 1.55k| } else if(y_sw == 1 && x_sw > 0) { ------------------ | Branch (65:14): [True: 18, False: 1.54k] | Branch (65:27): [True: 18, False: 0] ------------------ 66| 18| bigint_linmul3(z.mutable_data(), x._data(), x_sw, y.word_at(0)); 67| 1.54k| } else if(x_sw > 0 && y_sw > 0) { ------------------ | Branch (67:14): [True: 1.53k, False: 4] | Branch (67:26): [True: 1.53k, False: 2] ------------------ 68| 1.53k| secure_vector workspace(z.size()); 69| | 70| 1.53k| bigint_mul(z.mutable_data(), 71| 1.53k| z.size(), 72| 1.53k| x._data(), 73| 1.53k| x.size(), 74| 1.53k| x_sw, 75| 1.53k| y._data(), 76| 1.53k| y.size(), 77| 1.53k| y_sw, 78| 1.53k| workspace.data(), 79| 1.53k| workspace.size()); 80| 1.53k| } 81| | 82| 1.61k| z.cond_flip_sign(x_sw > 0 && y_sw > 0 && x.sign() != y.sign()); ------------------ | Branch (82:21): [True: 1.61k, False: 4] | Branch (82:33): [True: 1.61k, False: 2] | Branch (82:45): [True: 0, False: 1.61k] ------------------ 83| | 84| 1.61k| return z; 85| 1.61k|} _ZN5BotanmlERKNS_6BigIntEm: 90| 78.8k|BigInt operator*(const BigInt& x, word y) { 91| 78.8k| const size_t x_sw = x.sig_words(); 92| | 93| 78.8k| BigInt z = BigInt::with_capacity(x_sw + 1); 94| | 95| 78.8k| if(x_sw > 0 && y > 0) { ------------------ | Branch (95:7): [True: 78.8k, False: 0] | Branch (95:19): [True: 78.8k, False: 0] ------------------ 96| 78.8k| bigint_linmul3(z.mutable_data(), x._data(), x_sw, y); 97| 78.8k| z.set_sign(x.sign()); 98| 78.8k| } 99| | 100| 78.8k| return z; 101| 78.8k|} _ZN5BotandvERKNS_6BigIntES2_: 106| 505|BigInt operator/(const BigInt& x, const BigInt& y) { 107| 505| if(y.sig_words() == 1 && y.signum() >= 0) { ------------------ | Branch (107:7): [True: 0, False: 505] | Branch (107:29): [True: 0, False: 0] ------------------ 108| 0| return x / y.word_at(0); 109| 0| } 110| | 111| 505| BigInt q; 112| 505| BigInt r; 113| 505| vartime_divide(x, y, q, r); 114| 505| return q; 115| 505|} _ZN5BotandvERKNS_6BigIntEm: 120| 1.57k|BigInt operator/(const BigInt& x, word y) { 121| 1.57k| if(y == 0) { ------------------ | Branch (121:7): [True: 0, False: 1.57k] ------------------ 122| 0| throw Invalid_Argument("BigInt::operator/ divide by zero"); 123| 0| } 124| | 125| 1.57k| BigInt q; 126| 1.57k| word r = 0; 127| 1.57k| ct_divide_word(x, y, q, r); 128| 1.57k| return q; 129| 1.57k|} _ZN5BotanrmERKNS_6BigIntES2_: 134| 47.3k|BigInt operator%(const BigInt& n, const BigInt& mod) { 135| 47.3k| if(mod.is_zero()) { ------------------ | Branch (135:7): [True: 0, False: 47.3k] ------------------ 136| 0| throw Invalid_Argument("BigInt::operator% divide by zero"); 137| 0| } 138| 47.3k| if(mod.signum() < 0) { ------------------ | Branch (138:7): [True: 0, False: 47.3k] ------------------ 139| 0| throw Invalid_Argument("BigInt::operator% modulus must be > 0"); 140| 0| } 141| 47.3k| if(n.signum() >= 0 && mod.signum() >= 0 && n < mod) { ------------------ | Branch (141:7): [True: 45.7k, False: 1.59k] | Branch (141:26): [True: 45.7k, False: 0] | Branch (141:47): [True: 45, False: 45.6k] ------------------ 142| 45| return n; 143| 45| } 144| | 145| 47.2k| if(mod.sig_words() == 1) { ------------------ | Branch (145:7): [True: 16.4k, False: 30.8k] ------------------ 146| 16.4k| return BigInt::from_word(n % mod.word_at(0)); 147| 16.4k| } 148| | 149| 30.8k| BigInt q; 150| 30.8k| BigInt r; 151| 30.8k| vartime_divide(n, mod, q, r); 152| 30.8k| return r; 153| 47.2k|} _ZN5BotanrmERKNS_6BigIntEm: 158| 42.3k|word operator%(const BigInt& n, word mod) { 159| 42.3k| if(mod == 0) { ------------------ | Branch (159:7): [True: 0, False: 42.3k] ------------------ 160| 0| throw Invalid_Argument("BigInt::operator% divide by zero"); 161| 0| } 162| | 163| 42.3k| if(mod == 1) { ------------------ | Branch (163:7): [True: 0, False: 42.3k] ------------------ 164| 0| return 0; 165| 0| } 166| | 167| 42.3k| word remainder = 0; 168| | 169| 42.3k| if(n.signum() >= 0 && is_power_of_2(mod)) { ------------------ | Branch (169:7): [True: 42.3k, False: 3] | Branch (169:26): [True: 25.8k, False: 16.4k] ------------------ 170| 25.8k| remainder = (n.word_at(0) & (mod - 1)); 171| 25.8k| } else { 172| 16.4k| const divide_precomp redc_mod(mod); 173| 16.4k| const size_t sw = n.sig_words(); 174| 50.0k| for(size_t i = sw; i > 0; --i) { ------------------ | Branch (174:26): [True: 33.6k, False: 16.4k] ------------------ 175| 33.6k| remainder = redc_mod.vartime_mod_2to1(remainder, n.word_at(i - 1)); 176| 33.6k| } 177| 16.4k| } 178| | 179| 42.3k| if(remainder != 0 && n.sign() == BigInt::Negative) { ------------------ | Branch (179:7): [True: 42.3k, False: 0] | Branch (179:25): [True: 3, False: 42.3k] ------------------ 180| 3| return mod - remainder; 181| 3| } 182| 42.3k| return remainder; 183| 42.3k|} _ZN5BotanlsERKNS_6BigIntEm: 188| 43.7k|BigInt operator<<(const BigInt& x, size_t shift) { 189| 43.7k| if(shift >= 65536) { ------------------ | Branch (189:7): [True: 0, False: 43.7k] ------------------ 190| 0| throw Invalid_Argument("BigInt left shift count too large"); 191| 0| } 192| | 193| 43.7k| if(x.is_zero()) { ------------------ | Branch (193:7): [True: 0, False: 43.7k] ------------------ 194| 0| return BigInt::zero(); 195| 0| } 196| | 197| 43.7k| const size_t x_sw = x.sig_words(); 198| | 199| 43.7k| const size_t new_size = x_sw + shift / WordInfo::bits + 1; 200| 43.7k| BigInt y = BigInt::with_capacity(new_size); 201| 43.7k| bigint_shl2(y.mutable_data(), new_size, x._data(), x_sw, shift); 202| 43.7k| y.set_sign(x.sign()); 203| 43.7k| return y; 204| 43.7k|} _ZN5BotanrsERKNS_6BigIntEm: 209| 1.82k|BigInt operator>>(const BigInt& x, size_t shift) { 210| 1.82k| const size_t shift_words = shift / WordInfo::bits; 211| 1.82k| const size_t x_sw = x.sig_words(); 212| | 213| 1.82k| if(shift_words >= x_sw) { ------------------ | Branch (213:7): [True: 0, False: 1.82k] ------------------ 214| 0| return BigInt::zero(); 215| 0| } 216| | 217| 1.82k| const size_t new_size = x_sw - shift_words; 218| 1.82k| BigInt y = BigInt::with_capacity(new_size); 219| 1.82k| bigint_shr2(y.mutable_data(), new_size, x._data(), x_sw, shift); 220| | 221| 1.82k| if(x.signum() < 0 && y.is_zero()) { ------------------ | Branch (221:7): [True: 0, False: 1.82k] | Branch (221:25): [True: 0, False: 0] ------------------ 222| 0| y.set_sign(BigInt::Positive); 223| 1.82k| } else { 224| 1.82k| y.set_sign(x.sign()); 225| 1.82k| } 226| | 227| 1.82k| return y; 228| 1.82k|} _ZN5Botan6BigIntC2Em: 20| 5.35k|BigInt::BigInt(uint64_t n) { 21| 5.35k| if constexpr(sizeof(word) == 8) { 22| 5.35k| m_data.set_word_at(0, static_cast(n)); 23| | } else { 24| | m_data.set_word_at(1, static_cast(n >> 32)); 25| | m_data.set_word_at(0, static_cast(n)); 26| | } 27| 5.35k|} _ZN5Botan6BigInt8from_u64Em: 30| 2.09k|BigInt BigInt::from_u64(uint64_t n) { 31| 2.09k| return BigInt(n); 32| 2.09k|} _ZN5Botan6BigInt9from_wordEm: 35| 19.5k|BigInt BigInt::from_word(word n) { 36| 19.5k| BigInt bn; 37| 19.5k| bn.set_word_at(0, n); 38| 19.5k| return bn; 39| 19.5k|} _ZN5Botan6BigInt8from_s32Ei: 42| 206|BigInt BigInt::from_s32(int32_t n) { 43| 206| if(n >= 0) { ------------------ | Branch (43:7): [True: 0, False: 206] ------------------ 44| 0| return BigInt::from_u64(static_cast(n)); 45| 206| } else { 46| 206| return -BigInt::from_u64(static_cast(-static_cast(n))); 47| 206| } 48| 206|} _ZN5Botan6BigInt13with_capacityEm: 51| 2.95M|BigInt BigInt::with_capacity(size_t size) { 52| 2.95M| BigInt bn; 53| 2.95M| bn.grow_to(size); 54| 2.95M| return bn; 55| 2.95M|} _ZN5Botan6BigInt11from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 57| 18.6k|BigInt BigInt::from_string(std::string_view str) { 58| 18.6k| size_t prefix_bytes = 0; 59| 18.6k| bool negative = false; 60| 18.6k| size_t radix = 10; 61| | 62| 18.6k| if(!str.empty() && str[0] == '-') { ------------------ | Branch (62:7): [True: 18.6k, False: 0] | Branch (62:23): [True: 0, False: 18.6k] ------------------ 63| 0| prefix_bytes += 1; 64| 0| negative = true; 65| 0| } 66| | 67| 18.6k| if(str.length() > prefix_bytes + 2 && str[prefix_bytes] == '0' && str[prefix_bytes + 1] == 'x') { ------------------ | Branch (67:7): [True: 18.6k, False: 0] | Branch (67:42): [True: 18.6k, False: 0] | Branch (67:70): [True: 18.6k, False: 0] ------------------ 68| 18.6k| prefix_bytes += 2; 69| 18.6k| radix = 16; 70| 18.6k| } 71| | 72| 18.6k| BigInt r = BigInt::from_radix_digits(str.substr(prefix_bytes), radix); 73| | 74| 18.6k| if(negative) { ------------------ | Branch (74:7): [True: 0, False: 18.6k] ------------------ 75| 0| r.set_sign(Negative); 76| 18.6k| } else { 77| 18.6k| r.set_sign(Positive); 78| 18.6k| } 79| | 80| 18.6k| return r; 81| 18.6k|} _ZN5Botan6BigInt10from_bytesENSt3__14spanIKhLm18446744073709551615EEE: 83| 29.3k|BigInt BigInt::from_bytes(std::span input) { 84| 29.3k| BigInt r; 85| 29.3k| r.assign_from_bytes(input); 86| 29.3k| return r; 87| 29.3k|} _ZNK5Botan6BigInt7byte_atEm: 118| 44.0k|uint8_t BigInt::byte_at(size_t n) const { 119| 44.0k| return get_byte_var(sizeof(word) - (n % sizeof(word)) - 1, word_at(n / sizeof(word))); 120| 44.0k|} _ZNK5Botan6BigInt8cmp_wordEm: 122| 255k|int32_t BigInt::cmp_word(word other) const { 123| 255k| if(signum() < 0) { ------------------ | Branch (123:7): [True: 3.40k, False: 252k] ------------------ 124| 3.40k| return -1; // other is positive ... 125| 3.40k| } 126| | 127| 252k| const size_t sw = this->sig_words(); 128| 252k| if(sw > 1) { ------------------ | Branch (128:7): [True: 194k, False: 57.5k] ------------------ 129| 194k| return 1; // must be larger since other is just one word ... 130| 194k| } 131| | 132| 57.5k| return bigint_cmp(this->_data(), sw, &other, 1); 133| 252k|} _ZNK5Botan6BigInt3cmpERKS0_b: 138| 17.6k|int32_t BigInt::cmp(const BigInt& other, bool check_signs) const { 139| 17.6k| if(check_signs) { ------------------ | Branch (139:7): [True: 17.6k, False: 0] ------------------ 140| 17.6k| if(other.signum() >= 0 && this->signum() < 0) { ------------------ | Branch (140:10): [True: 17.6k, False: 0] | Branch (140:33): [True: 0, False: 17.6k] ------------------ 141| 0| return -1; 142| 0| } 143| | 144| 17.6k| if(other.signum() < 0 && this->signum() >= 0) { ------------------ | Branch (144:10): [True: 0, False: 17.6k] | Branch (144:32): [True: 0, False: 0] ------------------ 145| 0| return 1; 146| 0| } 147| | 148| 17.6k| if(other.signum() < 0 && this->signum() < 0) { ------------------ | Branch (148:10): [True: 0, False: 17.6k] | Branch (148:32): [True: 0, False: 0] ------------------ 149| 0| return (-bigint_cmp(this->_data(), this->size(), other._data(), other.size())); 150| 0| } 151| 17.6k| } 152| | 153| 17.6k| return bigint_cmp(this->_data(), this->size(), other._data(), other.size()); 154| 17.6k|} _ZNK5Botan6BigInt8is_equalERKS0_: 156| 32.7k|bool BigInt::is_equal(const BigInt& other) const { 157| 32.7k| if(this->sign() != other.sign()) { ------------------ | Branch (157:7): [True: 0, False: 32.7k] ------------------ 158| 0| return false; 159| 0| } 160| | 161| 32.7k| return bigint_ct_is_eq(this->_data(), this->size(), other._data(), other.size()).as_bool(); 162| 32.7k|} _ZNK5Botan6BigInt12is_less_thanERKS0_: 164| 68.4k|bool BigInt::is_less_than(const BigInt& other) const { 165| 68.4k| if(this->signum() < 0 && other.signum() >= 0) { ------------------ | Branch (165:7): [True: 0, False: 68.4k] | Branch (165:29): [True: 0, False: 0] ------------------ 166| 0| return true; 167| 0| } 168| | 169| 68.4k| if(this->signum() >= 0 && other.signum() < 0) { ------------------ | Branch (169:7): [True: 68.4k, False: 0] | Branch (169:30): [True: 0, False: 68.4k] ------------------ 170| 0| return false; 171| 0| } 172| | 173| 68.4k| if(other.signum() < 0 && this->signum() < 0) { ------------------ | Branch (173:7): [True: 0, False: 68.4k] | Branch (173:29): [True: 0, False: 0] ------------------ 174| 0| return bigint_ct_is_lt(other._data(), other.size(), this->_data(), this->size()).as_bool(); 175| 0| } 176| | 177| 68.4k| return bigint_ct_is_lt(this->_data(), this->size(), other._data(), other.size()).as_bool(); 178| 68.4k|} _ZNK5Botan6BigInt12encode_wordsEPmm: 180| 1.21M|void BigInt::encode_words(word out[], size_t size) const { 181| 1.21M| const size_t words = sig_words(); 182| | 183| 1.21M| if(words > size) { ------------------ | Branch (183:7): [True: 0, False: 1.21M] ------------------ 184| 0| throw Encoding_Error("BigInt::encode_words value too large to encode"); 185| 0| } 186| | 187| 1.21M| clear_mem(out, size); 188| 1.21M| copy_mem(out, _data(), words); 189| 1.21M|} _ZN5Botan6BigInt4Data11set_to_zeroEv: 191| 45.4k|void BigInt::Data::set_to_zero() { 192| 45.4k| m_reg.resize(m_reg.capacity()); 193| 45.4k| clear_mem(m_reg.data(), m_reg.size()); 194| 45.4k| m_sig_words = 0; 195| 45.4k|} _ZNK5Botan6BigInt4Data14calc_sig_wordsEv: 215| 16.6M|size_t BigInt::Data::calc_sig_words() const { 216| 16.6M| const size_t sz = m_reg.size(); 217| 16.6M| size_t sig = sz; 218| | 219| 16.6M| word sub = 1; 220| | 221| 231M| for(size_t i = 0; i != sz; ++i) { ------------------ | Branch (221:22): [True: 214M, False: 16.6M] ------------------ 222| 214M| const word w = m_reg[sz - i - 1]; 223| 214M| sub &= ct_is_zero(w); 224| 214M| sig -= sub; 225| 214M| } 226| | 227| | /* 228| | * This depends on the data so is poisoned, but unpoison it here as 229| | * later conditionals are made on the size. 230| | */ 231| 16.6M| CT::unpoison(sig); 232| | 233| 16.6M| return sig; 234| 16.6M|} _ZNK5Botan6BigInt13get_substringEmm: 239| 154k|uint32_t BigInt::get_substring(size_t offset, size_t length) const { 240| 154k| if(length == 0 || length > 32) { ------------------ | Branch (240:7): [True: 0, False: 154k] | Branch (240:22): [True: 0, False: 154k] ------------------ 241| 0| throw Invalid_Argument("BigInt::get_substring invalid substring length"); 242| 0| } 243| | 244| 154k| const uint32_t mask = 0xFFFFFFFF >> (32 - length); 245| | 246| 154k| const size_t word_offset = offset / WordInfo::bits; 247| 154k| const size_t wshift = (offset % WordInfo::bits); 248| | 249| | /* 250| | * The substring is contained within one or at most two words. The 251| | * offset and length are not secret, so we can perform conditional 252| | * operations on those values. 253| | */ 254| 154k| const word w0 = word_at(word_offset); 255| | 256| 154k| if(wshift == 0 || (offset + length) / WordInfo::bits == word_offset) { ------------------ | Branch (256:7): [True: 11.8k, False: 142k] | Branch (256:22): [True: 133k, False: 8.98k] ------------------ 257| 145k| return static_cast(w0 >> wshift) & mask; 258| 145k| } else { 259| 8.98k| const word w1 = word_at(word_offset + 1); 260| 8.98k| return static_cast((w0 >> wshift) | (w1 << (WordInfo::bits - wshift))) & mask; 261| 8.98k| } 262| 154k|} _ZNK5Botan6BigInt5bytesEv: 294| 3.15k|size_t BigInt::bytes() const { 295| 3.15k| return round_up(bits(), 8) / 8; 296| 3.15k|} _ZNK5Botan6BigInt13top_bits_freeEv: 298| 85.1k|size_t BigInt::top_bits_free() const { 299| 85.1k| const size_t words = sig_words(); 300| | 301| 85.1k| const word top_word = word_at(words - 1); 302| 85.1k| const size_t bits_used = high_bit(CT::value_barrier(top_word)); 303| 85.1k| CT::unpoison(bits_used); 304| 85.1k| return WordInfo::bits - bits_used; 305| 85.1k|} _ZNK5Botan6BigInt4bitsEv: 307| 48.2k|size_t BigInt::bits() const { 308| 48.2k| const size_t words = sig_words(); 309| | 310| 48.2k| if(words == 0) { ------------------ | Branch (310:7): [True: 6.68k, False: 41.5k] ------------------ 311| 6.68k| return 0; 312| 6.68k| } 313| | 314| 41.5k| const size_t full_words = (words - 1) * WordInfo::bits; 315| 41.5k| const size_t top_bits = WordInfo::bits - top_bits_free(); 316| | 317| 41.5k| return full_words + top_bits; 318| 48.2k|} _ZNK5Botan6BigIntngEv: 323| 206|BigInt BigInt::operator-() const { 324| 206| BigInt x = (*this); 325| 206| x.flip_sign(); 326| 206| return x; 327| 206|} _ZN5Botan6BigInt12reduce_belowERKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 329| 1.08M|size_t BigInt::reduce_below(const BigInt& p, secure_vector& ws) { 330| 1.08M| if(p.signum() < 0 || this->signum() < 0) { ------------------ | Branch (330:7): [True: 0, False: 1.08M] | Branch (330:25): [True: 0, False: 1.08M] ------------------ 331| 0| throw Invalid_Argument("BigInt::reduce_below both values must be positive"); 332| 0| } 333| | 334| 1.08M| const size_t p_words = p.sig_words(); 335| | 336| 1.08M| if(size() < p_words + 1) { ------------------ | Branch (336:7): [True: 2.75k, False: 1.08M] ------------------ 337| 2.75k| grow_to(p_words + 1); 338| 2.75k| } 339| | 340| 1.08M| if(ws.size() < p_words + 1) { ------------------ | Branch (340:7): [True: 43.5k, False: 1.04M] ------------------ 341| 43.5k| ws.resize(p_words + 1); 342| 43.5k| } 343| | 344| 1.08M| clear_mem(ws.data(), ws.size()); 345| | 346| 1.08M| size_t reductions = 0; 347| | 348| 2.78M| for(;;) { 349| 2.78M| const word borrow = bigint_sub3(ws.data(), _data(), p_words + 1, p._data(), p_words); 350| 2.78M| if(borrow > 0) { ------------------ | Branch (350:10): [True: 1.08M, False: 1.69M] ------------------ 351| 1.08M| break; 352| 1.08M| } 353| | 354| 1.69M| ++reductions; 355| 1.69M| swap_reg(ws); 356| 1.69M| } 357| | 358| 1.08M| return reductions; 359| 1.08M|} _ZNK5Botan6BigInt3absEv: 386| 1.59k|BigInt BigInt::abs() const { 387| 1.59k| BigInt x = (*this); 388| 1.59k| x.set_sign(Positive); 389| 1.59k| return x; 390| 1.59k|} _ZNK5Botan6BigInt12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 395| 1.18k|void BigInt::serialize_to(std::span output) const { 396| 1.18k| BOTAN_ARG_CHECK(this->bytes() <= output.size(), "Insufficient output space"); ------------------ | | 35| 1.18k| do { \ | | 36| 1.18k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.18k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.18k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.18k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.18k] | | ------------------ ------------------ 397| | 398| 1.18k| this->binary_encode(output.data(), output.size()); 399| 1.18k|} _ZNK5Botan6BigInt13binary_encodeEPhm: 404| 1.18k|void BigInt::binary_encode(uint8_t output[], size_t len) const { 405| 1.18k| const size_t full_words = len / sizeof(word); 406| 1.18k| const size_t extra_bytes = len % sizeof(word); 407| | 408| 6.15k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (408:22): [True: 4.96k, False: 1.18k] ------------------ 409| 4.96k| const word w = word_at(i); 410| 4.96k| store_be(w, output + (len - (i + 1) * sizeof(word))); 411| 4.96k| } 412| | 413| 1.18k| if(extra_bytes > 0) { ------------------ | Branch (413:7): [True: 1.13k, False: 46] ------------------ 414| 1.13k| const word w = word_at(full_words); 415| | 416| 5.73k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (416:25): [True: 4.60k, False: 1.13k] ------------------ 417| 4.60k| output[extra_bytes - i - 1] = get_byte_var(sizeof(word) - i - 1, w); 418| 4.60k| } 419| 1.13k| } 420| 1.18k|} _ZN5Botan6BigInt17assign_from_bytesENSt3__14spanIKhLm18446744073709551615EEE: 425| 45.4k|void BigInt::assign_from_bytes(std::span bytes) { 426| 45.4k| clear(); 427| | 428| 45.4k| const size_t length = bytes.size(); 429| 45.4k| const size_t full_words = length / sizeof(word); 430| 45.4k| const size_t extra_bytes = length % sizeof(word); 431| | 432| 45.4k| secure_vector reg((round_up(full_words + (extra_bytes > 0 ? 1 : 0), 8))); ------------------ | Branch (432:52): [True: 30.9k, False: 14.5k] ------------------ 433| | 434| 190k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (434:22): [True: 144k, False: 45.4k] ------------------ 435| 144k| reg[i] = load_be(bytes.last()); 436| 144k| bytes = bytes.first(bytes.size() - sizeof(word)); 437| 144k| } 438| | 439| 45.4k| if(!bytes.empty()) { ------------------ | Branch (439:7): [True: 30.9k, False: 14.5k] ------------------ 440| 30.9k| BOTAN_ASSERT_NOMSG(extra_bytes == bytes.size()); ------------------ | | 77| 30.9k| do { \ | | 78| 30.9k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 30.9k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 30.9k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 30.9k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 30.9k] | | ------------------ ------------------ 441| 30.9k| std::array last_partial_word = {0}; 442| 30.9k| copy_mem(std::span{last_partial_word}.last(extra_bytes), bytes); 443| 30.9k| reg[full_words] = load_be(last_partial_word); 444| 30.9k| } 445| | 446| 45.4k| m_data.swap(reg); 447| 45.4k|} _ZN5Botan6BigInt11ct_cond_addEbRKS0_: 449| 961k|void BigInt::ct_cond_add(bool predicate, const BigInt& value) { 450| 961k| if(this->signum() < 0 || value.signum() < 0) { ------------------ | Branch (450:7): [True: 0, False: 961k] | Branch (450:29): [True: 0, False: 961k] ------------------ 451| 0| throw Invalid_Argument("BigInt::ct_cond_add requires both values to be positive"); 452| 0| } 453| 961k| const size_t v_words = value.sig_words(); 454| | 455| | // The carry can propagate through every existing word of *this, so the 456| | // output needs one slot above whichever input is wider. 457| 961k| this->grow_to(std::max(this->size(), v_words) + 1); 458| | 459| 961k| const auto mask = CT::Mask::expand(static_cast(predicate)).value(); 460| | 461| 961k| word carry = 0; 462| | 463| 961k| word* x = this->mutable_data(); 464| 961k| const word* y = value._data(); 465| | 466| 7.37M| for(size_t i = 0; i != v_words; ++i) { ------------------ | Branch (466:22): [True: 6.41M, False: 961k] ------------------ 467| 6.41M| x[i] = word_add(x[i], y[i] & mask, &carry); 468| 6.41M| } 469| | 470| 13.9M| for(size_t i = v_words; i != size(); ++i) { ------------------ | Branch (470:28): [True: 12.9M, False: 961k] ------------------ 471| 12.9M| x[i] = word_add(x[i], static_cast(0), &carry); 472| 12.9M| } 473| 961k|} _ZN5Botan6BigInt14cond_flip_signEb: 521| 673k|void BigInt::cond_flip_sign(bool predicate) { 522| | // This code is assuming Negative == 0, Positive == 1 523| | 524| 673k| const auto mask = CT::Mask::expand_bool(predicate); 525| | 526| 673k| const uint8_t current_sign = static_cast(sign()); 527| | 528| 673k| const uint8_t new_sign = mask.select(current_sign ^ 1, current_sign); 529| | 530| 673k| set_sign(static_cast(new_sign)); 531| 673k|} _ZN5Botan6BigInt14ct_cond_assignEbRKS0_: 533| 640k|void BigInt::ct_cond_assign(bool predicate, const BigInt& other) { 534| 640k| const size_t t_words = size(); 535| 640k| const size_t o_words = other.size(); 536| | 537| 640k| if(t_words < o_words) { ------------------ | Branch (537:7): [True: 640k, False: 0] ------------------ 538| 640k| grow_to(o_words); 539| 640k| } 540| | 541| 640k| const size_t r_words = std::max(t_words, o_words); 542| | 543| 640k| const auto mask = CT::Mask::expand_bool(predicate); 544| | 545| 13.5M| for(size_t i = 0; i != r_words; ++i) { ------------------ | Branch (545:22): [True: 12.9M, False: 640k] ------------------ 546| 12.9M| const word o_word = other.word_at(i); 547| 12.9M| const word t_word = this->word_at(i); 548| 12.9M| this->set_word_at(i, mask.select(o_word, t_word)); 549| 12.9M| } 550| | 551| 640k| const auto same_sign = CT::Mask::is_equal(sign(), other.sign()).as_choice(); 552| 640k| cond_flip_sign((mask.as_choice() && !same_sign).as_bool()); 553| 640k|} _ZNK5Botan6BigInt20_const_time_unpoisonEv: 559| 9.95M|void BigInt::_const_time_unpoison() const { 560| 9.95M| CT::unpoison(m_data.const_data(), m_data.size()); 561| 9.95M|} _ZN5Botan15ct_divide_pow2kEmRKNS_6BigIntE: 89| 1.04k|BigInt ct_divide_pow2k(size_t k, const BigInt& y) { 90| 1.04k| BOTAN_ARG_CHECK(y.signum() != 0, "Cannot divide by zero"); ------------------ | | 35| 1.04k| do { \ | | 36| 1.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.04k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.04k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.04k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.04k] | | ------------------ ------------------ 91| 1.04k| BOTAN_ARG_CHECK(y.signum() >= 0, "Negative divisor not supported"); ------------------ | | 35| 1.04k| do { \ | | 36| 1.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.04k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.04k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.04k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.04k] | | ------------------ ------------------ 92| 1.04k| BOTAN_ARG_CHECK(k > 1, "Invalid k"); ------------------ | | 35| 1.04k| do { \ | | 36| 1.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.04k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.04k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.04k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.04k] | | ------------------ ------------------ 93| | 94| 1.04k| const size_t x_bits = k + 1; 95| 1.04k| const size_t y_bits = y.bits(); 96| | 97| 1.04k| if(x_bits < y_bits) { ------------------ | Branch (97:7): [True: 0, False: 1.04k] ------------------ 98| 0| return BigInt::zero(); 99| 0| } 100| | 101| 1.04k| BOTAN_ASSERT_NOMSG(y_bits >= 1); ------------------ | | 77| 1.04k| do { \ | | 78| 1.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.04k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.04k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.04k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.04k] | | ------------------ ------------------ 102| 1.04k| const size_t x_words = (x_bits + WordInfo::bits - 1) / WordInfo::bits; 103| 1.04k| const size_t y_words = y.sig_words(); 104| | 105| 1.04k| BigInt q = BigInt::with_capacity(x_words); 106| 1.04k| BigInt r = BigInt::with_capacity(y_words + 1); 107| 1.04k| BigInt t = BigInt::with_capacity(y_words + 1); // a temporary 108| | 109| 1.04k| r.set_bit(y_bits - 1); 110| 314k| for(size_t i = y_bits - 1; i != x_bits; ++i) { ------------------ | Branch (110:31): [True: 313k, False: 1.04k] ------------------ 111| 313k| const size_t b = x_bits - 1 - i; 112| | 113| 313k| if(i >= y_bits) { ------------------ | Branch (113:10): [True: 312k, False: 1.04k] ------------------ 114| 312k| bigint_shl1(r.mutable_data(), r.size(), r.size(), 1); 115| 312k| } 116| | 117| 313k| const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0; 118| | 119| 313k| q.conditionally_set_bit(b, r_gte_y); 120| | 121| 313k| bigint_cnd_swap(static_cast(r_gte_y), r.mutable_data(), t.mutable_data(), y_words + 1); 122| 313k| } 123| | 124| | // No need for sign fixup 125| | 126| 1.04k| return q; 127| 1.04k|} _ZN5Botan14ct_divide_wordERKNS_6BigIntEmRS0_Rm: 129| 1.57k|void ct_divide_word(const BigInt& x, word y, BigInt& q_out, word& r_out) { 130| 1.57k| if(y == 0) { ------------------ | Branch (130:7): [True: 0, False: 1.57k] ------------------ 131| 0| throw Invalid_Argument("ct_divide_word: cannot divide by zero"); 132| 0| } 133| | 134| 1.57k| const size_t x_words = x.sig_words(); 135| 1.57k| const size_t x_bits = x.bits(); 136| | 137| 1.57k| BigInt q = BigInt::with_capacity(x_words); 138| 1.57k| word r = 0; 139| | 140| 405k| for(size_t i = 0; i != x_bits; ++i) { ------------------ | Branch (140:22): [True: 403k, False: 1.57k] ------------------ 141| 403k| const size_t b = x_bits - 1 - i; 142| 403k| const bool x_b = x.get_bit(b); 143| | 144| 403k| const auto r_carry = CT::Mask::expand_top_bit(r); 145| | 146| 403k| r <<= 1; 147| 403k| r += static_cast(x_b); 148| | 149| 403k| const auto r_gte_y = CT::Mask::is_gte(r, y) | r_carry; 150| 403k| q.conditionally_set_bit(b, r_gte_y.as_bool()); 151| 403k| r = r_gte_y.select(r - y, r); 152| 403k| } 153| | 154| 1.57k| if(x.signum() < 0) { ------------------ | Branch (154:7): [True: 0, False: 1.57k] ------------------ 155| 0| q.flip_sign(); 156| 0| if(r != 0) { ------------------ | Branch (156:10): [True: 0, False: 0] ------------------ 157| 0| --q; 158| 0| r = y - r; 159| 0| } 160| 0| } 161| | 162| 1.57k| r_out = r; 163| 1.57k| q_out = q; 164| 1.57k|} _ZN5Botan20vartime_divide_pow2kEmRKNS_6BigIntE: 232| 12.2k|BigInt vartime_divide_pow2k(size_t k, const BigInt& y_arg) { 233| 12.2k| constexpr size_t WB = WordInfo::bits; 234| | 235| 12.2k| BOTAN_ARG_CHECK(y_arg.signum() != 0, "Cannot divide by zero"); ------------------ | | 35| 12.2k| do { \ | | 36| 12.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 12.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 12.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 12.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 12.2k] | | ------------------ ------------------ 236| 12.2k| BOTAN_ARG_CHECK(y_arg.signum() >= 0, "Negative divisor not supported"); ------------------ | | 35| 12.2k| do { \ | | 36| 12.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 12.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 12.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 12.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 12.2k] | | ------------------ ------------------ 237| 12.2k| BOTAN_ARG_CHECK(k > 1, "Invalid k"); ------------------ | | 35| 12.2k| do { \ | | 36| 12.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 12.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 12.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 12.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 12.2k] | | ------------------ ------------------ 238| | 239| 12.2k| BigInt y = y_arg; 240| | 241| 12.2k| const size_t y_words = y.sig_words(); 242| | 243| 12.2k| BOTAN_ASSERT_NOMSG(y_words > 0); ------------------ | | 77| 12.2k| do { \ | | 78| 12.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 12.2k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 12.2k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 12.2k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 12.2k] | | ------------------ ------------------ 244| | 245| | // Calculate shifts needed to normalize y with high bit set 246| 12.2k| const size_t shifts = y.top_bits_free(); 247| | 248| 12.2k| if(shifts > 0) { ------------------ | Branch (248:7): [True: 6.96k, False: 5.29k] ------------------ 249| 6.96k| y <<= shifts; 250| 6.96k| } 251| | 252| 12.2k| BigInt r; 253| 12.2k| r.set_bit(k + shifts); // (2^k) << shifts 254| | 255| | // we know y has not changed size, since we only shifted up to set high bit 256| 12.2k| const size_t t = y_words - 1; 257| 12.2k| const size_t n = std::max(y_words, r.sig_words()) - 1; 258| | 259| 12.2k| BOTAN_ASSERT_NOMSG(n >= t); ------------------ | | 77| 12.2k| do { \ | | 78| 12.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 12.2k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 12.2k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 12.2k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 12.2k] | | ------------------ ------------------ 260| | 261| 12.2k| BigInt q = BigInt::zero(); 262| 12.2k| q.grow_to(n - t + 1); 263| | 264| 12.2k| word* q_words = q.mutable_data(); 265| | 266| 12.2k| BigInt shifted_y = y << (WB * (n - t)); 267| | 268| | // Set q_{n-t} to number of times r > shifted_y 269| 12.2k| secure_vector ws; 270| 12.2k| q_words[n - t] = r.reduce_below(shifted_y, ws); 271| | 272| 12.2k| const word y_t0 = y.word_at(t); 273| 12.2k| const word y_t1 = y.word_at(t - 1); 274| 12.2k| BOTAN_DEBUG_ASSERT((y_t0 >> (WB - 1)) == 1); ------------------ | | 130| 12.2k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 12.2k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 12.2k] | | ------------------ ------------------ 275| | 276| 12.2k| const divide_precomp div_y_t0(y_t0); 277| | 278| 86.8k| for(size_t i = n; i != t; --i) { ------------------ | Branch (278:22): [True: 74.5k, False: 12.2k] ------------------ 279| 74.5k| const word x_i0 = r.word_at(i); 280| 74.5k| const word x_i1 = r.word_at(i - 1); 281| 74.5k| const word x_i2 = r.word_at(i - 2); 282| | 283| 74.5k| word qit = (x_i0 == y_t0) ? WordInfo::max : div_y_t0.vartime_div_2to1(x_i0, x_i1); ------------------ | Branch (283:18): [True: 887, False: 73.6k] ------------------ 284| | 285| | // Per HAC 14.23, this operation is required at most twice 286| 84.0k| for(size_t j = 0; j != 2; ++j) { ------------------ | Branch (286:25): [True: 83.8k, False: 225] ------------------ 287| 83.8k| if(division_check_vartime(qit, y_t0, y_t1, x_i0, x_i1, x_i2)) { ------------------ | Branch (287:13): [True: 9.52k, False: 74.3k] ------------------ 288| 9.52k| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 9.52k| do { \ | | 78| 9.52k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 9.52k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 9.52k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 9.52k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 9.52k] | | ------------------ ------------------ 289| 9.52k| qit--; 290| 74.3k| } else { 291| 74.3k| break; 292| 74.3k| } 293| 83.8k| } 294| | 295| 74.5k| shifted_y >>= WB; 296| | // Now shifted_y == y << (WB * (i-t-1)) 297| | 298| | /* 299| | * Special case qit == 0 and qit == 1 which occurs relatively often here due to a 300| | * combination of the fixed 2^k and in many cases the typical structure of 301| | * public moduli (as this function is called by Barrett_Reduction::for_public_modulus). 302| | * 303| | * Over the test suite, about 5% of loop iterations have qit == 1 and 10% have qit == 0 304| | */ 305| | 306| 74.5k| if(qit != 0) { ------------------ | Branch (306:10): [True: 54.1k, False: 20.4k] ------------------ 307| 54.1k| if(qit == 1) { ------------------ | Branch (307:13): [True: 7.06k, False: 47.0k] ------------------ 308| 7.06k| r -= shifted_y; 309| 47.0k| } else { 310| 47.0k| r -= qit * shifted_y; 311| 47.0k| } 312| | 313| 54.1k| if(r.signum() < 0) { ------------------ | Branch (313:13): [True: 65, False: 54.0k] ------------------ 314| 65| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 65| do { \ | | 78| 65| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 65| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 65] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 65| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 65] | | ------------------ ------------------ 315| 65| qit--; 316| 65| r += shifted_y; 317| 65| BOTAN_ASSERT_NOMSG(r.signum() >= 0); ------------------ | | 77| 65| do { \ | | 78| 65| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 65| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 65] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 65| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 65] | | ------------------ ------------------ 318| 65| } 319| 54.1k| } 320| | 321| 74.5k| q_words[i - t - 1] = qit; 322| 74.5k| } 323| | 324| 12.2k| return q; 325| 12.2k|} _ZN5Botan14vartime_divideERKNS_6BigIntES2_RS0_S3_: 332| 31.3k|void vartime_divide(const BigInt& x, const BigInt& y_arg, BigInt& q_out, BigInt& r_out) { 333| 31.3k| constexpr size_t WB = WordInfo::bits; 334| | 335| 31.3k| if(y_arg.is_zero()) { ------------------ | Branch (335:7): [True: 0, False: 31.3k] ------------------ 336| 0| throw Invalid_Argument("vartime_divide: cannot divide by zero"); 337| 0| } 338| | 339| 31.3k| const size_t y_words = y_arg.sig_words(); 340| | 341| 31.3k| BOTAN_ASSERT_NOMSG(y_words > 0); ------------------ | | 77| 31.3k| do { \ | | 78| 31.3k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 31.3k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 31.3k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 31.3k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 31.3k] | | ------------------ ------------------ 342| | 343| 31.3k| BigInt y = y_arg; 344| | 345| 31.3k| BigInt r = x; 346| 31.3k| BigInt q = BigInt::zero(); 347| 31.3k| secure_vector ws; 348| | 349| 31.3k| r.set_sign(BigInt::Positive); 350| 31.3k| y.set_sign(BigInt::Positive); 351| | 352| | // Calculate shifts needed to normalize y with high bit set 353| 31.3k| const size_t shifts = y.top_bits_free(); 354| | 355| 31.3k| if(shifts > 0) { ------------------ | Branch (355:7): [True: 30.4k, False: 874] ------------------ 356| 30.4k| y <<= shifts; 357| 30.4k| r <<= shifts; 358| 30.4k| } 359| | 360| | // we know y has not changed size, since we only shifted up to set high bit 361| 31.3k| const size_t t = y_words - 1; 362| 31.3k| const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however 363| | 364| 31.3k| BOTAN_ASSERT_NOMSG(n >= t); ------------------ | | 77| 31.3k| do { \ | | 78| 31.3k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 31.3k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 31.3k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 31.3k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 31.3k] | | ------------------ ------------------ 365| | 366| 31.3k| q.grow_to(n - t + 1); 367| | 368| 31.3k| word* q_words = q.mutable_data(); 369| | 370| 31.3k| BigInt shifted_y = y << (WB * (n - t)); 371| | 372| | // Set q_{n-t} to number of times r > shifted_y 373| 31.3k| q_words[n - t] = r.reduce_below(shifted_y, ws); 374| | 375| 31.3k| const word y_t0 = y.word_at(t); 376| 31.3k| const word y_t1 = y.word_at(t - 1); 377| 31.3k| BOTAN_DEBUG_ASSERT((y_t0 >> (WB - 1)) == 1); ------------------ | | 130| 31.3k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 31.3k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 31.3k] | | ------------------ ------------------ 378| | 379| 31.3k| const divide_precomp div_y_t0(y_t0); 380| | 381| 61.7k| for(size_t i = n; i != t; --i) { ------------------ | Branch (381:22): [True: 30.4k, False: 31.3k] ------------------ 382| 30.4k| const word x_i0 = r.word_at(i); 383| 30.4k| const word x_i1 = r.word_at(i - 1); 384| 30.4k| const word x_i2 = r.word_at(i - 2); 385| | 386| 30.4k| word qit = (x_i0 == y_t0) ? WordInfo::max : div_y_t0.vartime_div_2to1(x_i0, x_i1); ------------------ | Branch (386:18): [True: 239, False: 30.1k] ------------------ 387| | 388| | // Per HAC 14.23, this operation is required at most twice 389| 32.0k| for(size_t j = 0; j != 2; ++j) { ------------------ | Branch (389:25): [True: 32.0k, False: 35] ------------------ 390| 32.0k| if(division_check_vartime(qit, y_t0, y_t1, x_i0, x_i1, x_i2)) { ------------------ | Branch (390:13): [True: 1.62k, False: 30.4k] ------------------ 391| 1.62k| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 1.62k| do { \ | | 78| 1.62k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.62k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.62k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.62k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.62k] | | ------------------ ------------------ 392| 1.62k| qit--; 393| 30.4k| } else { 394| 30.4k| break; 395| 30.4k| } 396| 32.0k| } 397| | 398| 30.4k| shifted_y >>= WB; 399| | // Now shifted_y == y << (WB * (i-t-1)) 400| | 401| 30.4k| if(qit != 0) { ------------------ | Branch (401:10): [True: 30.1k, False: 289] ------------------ 402| 30.1k| r -= qit * shifted_y; 403| 30.1k| if(r.signum() < 0) { ------------------ | Branch (403:13): [True: 76, False: 30.0k] ------------------ 404| 76| BOTAN_ASSERT_NOMSG(qit > 0); ------------------ | | 77| 76| do { \ | | 78| 76| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 76| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 76] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 76| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 76] | | ------------------ ------------------ 405| 76| qit--; 406| 76| r += shifted_y; 407| 76| BOTAN_ASSERT_NOMSG(r.signum() >= 0); ------------------ | | 77| 76| do { \ | | 78| 76| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 76| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 76] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 76| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 76] | | ------------------ ------------------ 408| 76| } 409| 30.1k| } 410| | 411| 30.4k| q_words[i - t - 1] = qit; 412| 30.4k| } 413| | 414| 31.3k| if(shifts > 0) { ------------------ | Branch (414:7): [True: 30.4k, False: 874] ------------------ 415| 30.4k| r >>= shifts; 416| 30.4k| } 417| | 418| 31.3k| sign_fixup(x, y_arg, q, r); 419| | 420| 31.3k| r_out = r; 421| 31.3k| q_out = q; 422| 31.3k|} divide.cpp:_ZN5Botan12_GLOBAL__N_110sign_fixupERKNS_6BigIntES3_RS1_S4_: 21| 31.3k|void sign_fixup(const BigInt& x, const BigInt& y, BigInt& q, BigInt& r) { 22| 31.3k| q.cond_flip_sign(x.sign() != y.sign()); 23| | 24| 31.3k| if(x.signum() < 0 && r.signum() != 0) { ------------------ | Branch (24:7): [True: 1.59k, False: 29.7k] | Branch (24:25): [True: 1.59k, False: 0] ------------------ 25| 1.59k| if(y.signum() > 0) { ------------------ | Branch (25:10): [True: 1.59k, False: 0] ------------------ 26| 1.59k| q -= 1; 27| 1.59k| } else { 28| 0| q += 1; 29| 0| } 30| 1.59k| r = y.abs() - r; 31| 1.59k| } 32| 31.3k|} divide.cpp:_ZN5Botan12_GLOBAL__N_122division_check_vartimeEmmmmmm: 34| 115k|inline bool division_check_vartime(word q, word y2, word y1, word x3, word x2, word x1) { 35| | /* 36| | Compute (y3,y2,y1) = (y2,y1) * q 37| | and return true if (y3,y2,y1) > (x3,x2,x1) 38| | */ 39| | 40| 115k| word y3 = 0; 41| 115k| y1 = word_madd2(q, y1, &y3); 42| 115k| y2 = word_madd2(q, y2, &y3); 43| | 44| 115k| if(x3 != y3) { ------------------ | Branch (44:7): [True: 51.0k, False: 64.8k] ------------------ 45| 51.0k| return (y3 > x3); 46| 51.0k| } 47| 64.8k| if(x2 != y2) { ------------------ | Branch (47:7): [True: 48.6k, False: 16.2k] ------------------ 48| 48.6k| return (y2 > x2); 49| 48.6k| } 50| 16.2k| return (y1 > x1); 51| 64.8k|} _ZN5Botan17bigint_comba_sqr4EPmPKm: 17| 5.83M|void bigint_comba_sqr4(word z[8], const word x[4]) { 18| 5.83M| word3 accum; 19| | 20| 5.83M| accum.mul(x[0], x[0]); 21| 5.83M| z[0] = accum.extract(); 22| 5.83M| accum.mul_x2(x[0], x[1]); 23| 5.83M| z[1] = accum.extract(); 24| 5.83M| accum.mul_x2(x[0], x[2]); 25| 5.83M| accum.mul(x[1], x[1]); 26| 5.83M| z[2] = accum.extract(); 27| 5.83M| accum.mul_x2(x[0], x[3]); 28| 5.83M| accum.mul_x2(x[1], x[2]); 29| 5.83M| z[3] = accum.extract(); 30| 5.83M| accum.mul_x2(x[1], x[3]); 31| 5.83M| accum.mul(x[2], x[2]); 32| 5.83M| z[4] = accum.extract(); 33| 5.83M| accum.mul_x2(x[2], x[3]); 34| 5.83M| z[5] = accum.extract(); 35| 5.83M| accum.mul(x[3], x[3]); 36| 5.83M| z[6] = accum.extract(); 37| 5.83M| z[7] = accum.extract(); 38| 5.83M|} _ZN5Botan17bigint_comba_mul4EPmPKmS2_: 43| 13.9M|void bigint_comba_mul4(word z[8], const word x[4], const word y[4]) { 44| 13.9M| word3 accum; 45| | 46| 13.9M| accum.mul(x[0], y[0]); 47| 13.9M| z[0] = accum.extract(); 48| 13.9M| accum.mul(x[0], y[1]); 49| 13.9M| accum.mul(x[1], y[0]); 50| 13.9M| z[1] = accum.extract(); 51| 13.9M| accum.mul(x[0], y[2]); 52| 13.9M| accum.mul(x[1], y[1]); 53| 13.9M| accum.mul(x[2], y[0]); 54| 13.9M| z[2] = accum.extract(); 55| 13.9M| accum.mul(x[0], y[3]); 56| 13.9M| accum.mul(x[1], y[2]); 57| 13.9M| accum.mul(x[2], y[1]); 58| 13.9M| accum.mul(x[3], y[0]); 59| 13.9M| z[3] = accum.extract(); 60| 13.9M| accum.mul(x[1], y[3]); 61| 13.9M| accum.mul(x[2], y[2]); 62| 13.9M| accum.mul(x[3], y[1]); 63| 13.9M| z[4] = accum.extract(); 64| 13.9M| accum.mul(x[2], y[3]); 65| 13.9M| accum.mul(x[3], y[2]); 66| 13.9M| z[5] = accum.extract(); 67| 13.9M| accum.mul(x[3], y[3]); 68| 13.9M| z[6] = accum.extract(); 69| 13.9M| z[7] = accum.extract(); 70| 13.9M|} _ZN5Botan17bigint_comba_sqr6EPmPKm: 75| 243k|void bigint_comba_sqr6(word z[12], const word x[6]) { 76| 243k| word3 accum; 77| | 78| 243k| accum.mul(x[0], x[0]); 79| 243k| z[0] = accum.extract(); 80| 243k| accum.mul_x2(x[0], x[1]); 81| 243k| z[1] = accum.extract(); 82| 243k| accum.mul_x2(x[0], x[2]); 83| 243k| accum.mul(x[1], x[1]); 84| 243k| z[2] = accum.extract(); 85| 243k| accum.mul_x2(x[0], x[3]); 86| 243k| accum.mul_x2(x[1], x[2]); 87| 243k| z[3] = accum.extract(); 88| 243k| accum.mul_x2(x[0], x[4]); 89| 243k| accum.mul_x2(x[1], x[3]); 90| 243k| accum.mul(x[2], x[2]); 91| 243k| z[4] = accum.extract(); 92| 243k| accum.mul_x2(x[0], x[5]); 93| 243k| accum.mul_x2(x[1], x[4]); 94| 243k| accum.mul_x2(x[2], x[3]); 95| 243k| z[5] = accum.extract(); 96| 243k| accum.mul_x2(x[1], x[5]); 97| 243k| accum.mul_x2(x[2], x[4]); 98| 243k| accum.mul(x[3], x[3]); 99| 243k| z[6] = accum.extract(); 100| 243k| accum.mul_x2(x[2], x[5]); 101| 243k| accum.mul_x2(x[3], x[4]); 102| 243k| z[7] = accum.extract(); 103| 243k| accum.mul_x2(x[3], x[5]); 104| 243k| accum.mul(x[4], x[4]); 105| 243k| z[8] = accum.extract(); 106| 243k| accum.mul_x2(x[4], x[5]); 107| 243k| z[9] = accum.extract(); 108| 243k| accum.mul(x[5], x[5]); 109| 243k| z[10] = accum.extract(); 110| 243k| z[11] = accum.extract(); 111| 243k|} _ZN5Botan17bigint_comba_mul6EPmPKmS2_: 116| 3.26M|void bigint_comba_mul6(word z[12], const word x[6], const word y[6]) { 117| 3.26M| word3 accum; 118| | 119| 3.26M| accum.mul(x[0], y[0]); 120| 3.26M| z[0] = accum.extract(); 121| 3.26M| accum.mul(x[0], y[1]); 122| 3.26M| accum.mul(x[1], y[0]); 123| 3.26M| z[1] = accum.extract(); 124| 3.26M| accum.mul(x[0], y[2]); 125| 3.26M| accum.mul(x[1], y[1]); 126| 3.26M| accum.mul(x[2], y[0]); 127| 3.26M| z[2] = accum.extract(); 128| 3.26M| accum.mul(x[0], y[3]); 129| 3.26M| accum.mul(x[1], y[2]); 130| 3.26M| accum.mul(x[2], y[1]); 131| 3.26M| accum.mul(x[3], y[0]); 132| 3.26M| z[3] = accum.extract(); 133| 3.26M| accum.mul(x[0], y[4]); 134| 3.26M| accum.mul(x[1], y[3]); 135| 3.26M| accum.mul(x[2], y[2]); 136| 3.26M| accum.mul(x[3], y[1]); 137| 3.26M| accum.mul(x[4], y[0]); 138| 3.26M| z[4] = accum.extract(); 139| 3.26M| accum.mul(x[0], y[5]); 140| 3.26M| accum.mul(x[1], y[4]); 141| 3.26M| accum.mul(x[2], y[3]); 142| 3.26M| accum.mul(x[3], y[2]); 143| 3.26M| accum.mul(x[4], y[1]); 144| 3.26M| accum.mul(x[5], y[0]); 145| 3.26M| z[5] = accum.extract(); 146| 3.26M| accum.mul(x[1], y[5]); 147| 3.26M| accum.mul(x[2], y[4]); 148| 3.26M| accum.mul(x[3], y[3]); 149| 3.26M| accum.mul(x[4], y[2]); 150| 3.26M| accum.mul(x[5], y[1]); 151| 3.26M| z[6] = accum.extract(); 152| 3.26M| accum.mul(x[2], y[5]); 153| 3.26M| accum.mul(x[3], y[4]); 154| 3.26M| accum.mul(x[4], y[3]); 155| 3.26M| accum.mul(x[5], y[2]); 156| 3.26M| z[7] = accum.extract(); 157| 3.26M| accum.mul(x[3], y[5]); 158| 3.26M| accum.mul(x[4], y[4]); 159| 3.26M| accum.mul(x[5], y[3]); 160| 3.26M| z[8] = accum.extract(); 161| 3.26M| accum.mul(x[4], y[5]); 162| 3.26M| accum.mul(x[5], y[4]); 163| 3.26M| z[9] = accum.extract(); 164| 3.26M| accum.mul(x[5], y[5]); 165| 3.26M| z[10] = accum.extract(); 166| 3.26M| z[11] = accum.extract(); 167| 3.26M|} _ZN5Botan17bigint_comba_sqr7EPmPKm: 172| 2.23k|void bigint_comba_sqr7(word z[14], const word x[7]) { 173| 2.23k| word3 accum; 174| | 175| 2.23k| accum.mul(x[0], x[0]); 176| 2.23k| z[0] = accum.extract(); 177| 2.23k| accum.mul_x2(x[0], x[1]); 178| 2.23k| z[1] = accum.extract(); 179| 2.23k| accum.mul_x2(x[0], x[2]); 180| 2.23k| accum.mul(x[1], x[1]); 181| 2.23k| z[2] = accum.extract(); 182| 2.23k| accum.mul_x2(x[0], x[3]); 183| 2.23k| accum.mul_x2(x[1], x[2]); 184| 2.23k| z[3] = accum.extract(); 185| 2.23k| accum.mul_x2(x[0], x[4]); 186| 2.23k| accum.mul_x2(x[1], x[3]); 187| 2.23k| accum.mul(x[2], x[2]); 188| 2.23k| z[4] = accum.extract(); 189| 2.23k| accum.mul_x2(x[0], x[5]); 190| 2.23k| accum.mul_x2(x[1], x[4]); 191| 2.23k| accum.mul_x2(x[2], x[3]); 192| 2.23k| z[5] = accum.extract(); 193| 2.23k| accum.mul_x2(x[0], x[6]); 194| 2.23k| accum.mul_x2(x[1], x[5]); 195| 2.23k| accum.mul_x2(x[2], x[4]); 196| 2.23k| accum.mul(x[3], x[3]); 197| 2.23k| z[6] = accum.extract(); 198| 2.23k| accum.mul_x2(x[1], x[6]); 199| 2.23k| accum.mul_x2(x[2], x[5]); 200| 2.23k| accum.mul_x2(x[3], x[4]); 201| 2.23k| z[7] = accum.extract(); 202| 2.23k| accum.mul_x2(x[2], x[6]); 203| 2.23k| accum.mul_x2(x[3], x[5]); 204| 2.23k| accum.mul(x[4], x[4]); 205| 2.23k| z[8] = accum.extract(); 206| 2.23k| accum.mul_x2(x[3], x[6]); 207| 2.23k| accum.mul_x2(x[4], x[5]); 208| 2.23k| z[9] = accum.extract(); 209| 2.23k| accum.mul_x2(x[4], x[6]); 210| 2.23k| accum.mul(x[5], x[5]); 211| 2.23k| z[10] = accum.extract(); 212| 2.23k| accum.mul_x2(x[5], x[6]); 213| 2.23k| z[11] = accum.extract(); 214| 2.23k| accum.mul(x[6], x[6]); 215| 2.23k| z[12] = accum.extract(); 216| 2.23k| z[13] = accum.extract(); 217| 2.23k|} _ZN5Botan17bigint_comba_mul7EPmPKmS2_: 222| 2.25k|void bigint_comba_mul7(word z[14], const word x[7], const word y[7]) { 223| 2.25k| word3 accum; 224| | 225| 2.25k| accum.mul(x[0], y[0]); 226| 2.25k| z[0] = accum.extract(); 227| 2.25k| accum.mul(x[0], y[1]); 228| 2.25k| accum.mul(x[1], y[0]); 229| 2.25k| z[1] = accum.extract(); 230| 2.25k| accum.mul(x[0], y[2]); 231| 2.25k| accum.mul(x[1], y[1]); 232| 2.25k| accum.mul(x[2], y[0]); 233| 2.25k| z[2] = accum.extract(); 234| 2.25k| accum.mul(x[0], y[3]); 235| 2.25k| accum.mul(x[1], y[2]); 236| 2.25k| accum.mul(x[2], y[1]); 237| 2.25k| accum.mul(x[3], y[0]); 238| 2.25k| z[3] = accum.extract(); 239| 2.25k| accum.mul(x[0], y[4]); 240| 2.25k| accum.mul(x[1], y[3]); 241| 2.25k| accum.mul(x[2], y[2]); 242| 2.25k| accum.mul(x[3], y[1]); 243| 2.25k| accum.mul(x[4], y[0]); 244| 2.25k| z[4] = accum.extract(); 245| 2.25k| accum.mul(x[0], y[5]); 246| 2.25k| accum.mul(x[1], y[4]); 247| 2.25k| accum.mul(x[2], y[3]); 248| 2.25k| accum.mul(x[3], y[2]); 249| 2.25k| accum.mul(x[4], y[1]); 250| 2.25k| accum.mul(x[5], y[0]); 251| 2.25k| z[5] = accum.extract(); 252| 2.25k| accum.mul(x[0], y[6]); 253| 2.25k| accum.mul(x[1], y[5]); 254| 2.25k| accum.mul(x[2], y[4]); 255| 2.25k| accum.mul(x[3], y[3]); 256| 2.25k| accum.mul(x[4], y[2]); 257| 2.25k| accum.mul(x[5], y[1]); 258| 2.25k| accum.mul(x[6], y[0]); 259| 2.25k| z[6] = accum.extract(); 260| 2.25k| accum.mul(x[1], y[6]); 261| 2.25k| accum.mul(x[2], y[5]); 262| 2.25k| accum.mul(x[3], y[4]); 263| 2.25k| accum.mul(x[4], y[3]); 264| 2.25k| accum.mul(x[5], y[2]); 265| 2.25k| accum.mul(x[6], y[1]); 266| 2.25k| z[7] = accum.extract(); 267| 2.25k| accum.mul(x[2], y[6]); 268| 2.25k| accum.mul(x[3], y[5]); 269| 2.25k| accum.mul(x[4], y[4]); 270| 2.25k| accum.mul(x[5], y[3]); 271| 2.25k| accum.mul(x[6], y[2]); 272| 2.25k| z[8] = accum.extract(); 273| 2.25k| accum.mul(x[3], y[6]); 274| 2.25k| accum.mul(x[4], y[5]); 275| 2.25k| accum.mul(x[5], y[4]); 276| 2.25k| accum.mul(x[6], y[3]); 277| 2.25k| z[9] = accum.extract(); 278| 2.25k| accum.mul(x[4], y[6]); 279| 2.25k| accum.mul(x[5], y[5]); 280| 2.25k| accum.mul(x[6], y[4]); 281| 2.25k| z[10] = accum.extract(); 282| 2.25k| accum.mul(x[5], y[6]); 283| 2.25k| accum.mul(x[6], y[5]); 284| 2.25k| z[11] = accum.extract(); 285| 2.25k| accum.mul(x[6], y[6]); 286| 2.25k| z[12] = accum.extract(); 287| 2.25k| z[13] = accum.extract(); 288| 2.25k|} _ZN5Botan17bigint_comba_sqr8EPmPKm: 293| 138k|void bigint_comba_sqr8(word z[16], const word x[8]) { 294| 138k| word3 accum; 295| | 296| 138k| accum.mul(x[0], x[0]); 297| 138k| z[0] = accum.extract(); 298| 138k| accum.mul_x2(x[0], x[1]); 299| 138k| z[1] = accum.extract(); 300| 138k| accum.mul_x2(x[0], x[2]); 301| 138k| accum.mul(x[1], x[1]); 302| 138k| z[2] = accum.extract(); 303| 138k| accum.mul_x2(x[0], x[3]); 304| 138k| accum.mul_x2(x[1], x[2]); 305| 138k| z[3] = accum.extract(); 306| 138k| accum.mul_x2(x[0], x[4]); 307| 138k| accum.mul_x2(x[1], x[3]); 308| 138k| accum.mul(x[2], x[2]); 309| 138k| z[4] = accum.extract(); 310| 138k| accum.mul_x2(x[0], x[5]); 311| 138k| accum.mul_x2(x[1], x[4]); 312| 138k| accum.mul_x2(x[2], x[3]); 313| 138k| z[5] = accum.extract(); 314| 138k| accum.mul_x2(x[0], x[6]); 315| 138k| accum.mul_x2(x[1], x[5]); 316| 138k| accum.mul_x2(x[2], x[4]); 317| 138k| accum.mul(x[3], x[3]); 318| 138k| z[6] = accum.extract(); 319| 138k| accum.mul_x2(x[0], x[7]); 320| 138k| accum.mul_x2(x[1], x[6]); 321| 138k| accum.mul_x2(x[2], x[5]); 322| 138k| accum.mul_x2(x[3], x[4]); 323| 138k| z[7] = accum.extract(); 324| 138k| accum.mul_x2(x[1], x[7]); 325| 138k| accum.mul_x2(x[2], x[6]); 326| 138k| accum.mul_x2(x[3], x[5]); 327| 138k| accum.mul(x[4], x[4]); 328| 138k| z[8] = accum.extract(); 329| 138k| accum.mul_x2(x[2], x[7]); 330| 138k| accum.mul_x2(x[3], x[6]); 331| 138k| accum.mul_x2(x[4], x[5]); 332| 138k| z[9] = accum.extract(); 333| 138k| accum.mul_x2(x[3], x[7]); 334| 138k| accum.mul_x2(x[4], x[6]); 335| 138k| accum.mul(x[5], x[5]); 336| 138k| z[10] = accum.extract(); 337| 138k| accum.mul_x2(x[4], x[7]); 338| 138k| accum.mul_x2(x[5], x[6]); 339| 138k| z[11] = accum.extract(); 340| 138k| accum.mul_x2(x[5], x[7]); 341| 138k| accum.mul(x[6], x[6]); 342| 138k| z[12] = accum.extract(); 343| 138k| accum.mul_x2(x[6], x[7]); 344| 138k| z[13] = accum.extract(); 345| 138k| accum.mul(x[7], x[7]); 346| 138k| z[14] = accum.extract(); 347| 138k| z[15] = accum.extract(); 348| 138k|} _ZN5Botan17bigint_comba_mul8EPmPKmS2_: 353| 389k|void bigint_comba_mul8(word z[16], const word x[8], const word y[8]) { 354| 389k| word3 accum; 355| | 356| 389k| accum.mul(x[0], y[0]); 357| 389k| z[0] = accum.extract(); 358| 389k| accum.mul(x[0], y[1]); 359| 389k| accum.mul(x[1], y[0]); 360| 389k| z[1] = accum.extract(); 361| 389k| accum.mul(x[0], y[2]); 362| 389k| accum.mul(x[1], y[1]); 363| 389k| accum.mul(x[2], y[0]); 364| 389k| z[2] = accum.extract(); 365| 389k| accum.mul(x[0], y[3]); 366| 389k| accum.mul(x[1], y[2]); 367| 389k| accum.mul(x[2], y[1]); 368| 389k| accum.mul(x[3], y[0]); 369| 389k| z[3] = accum.extract(); 370| 389k| accum.mul(x[0], y[4]); 371| 389k| accum.mul(x[1], y[3]); 372| 389k| accum.mul(x[2], y[2]); 373| 389k| accum.mul(x[3], y[1]); 374| 389k| accum.mul(x[4], y[0]); 375| 389k| z[4] = accum.extract(); 376| 389k| accum.mul(x[0], y[5]); 377| 389k| accum.mul(x[1], y[4]); 378| 389k| accum.mul(x[2], y[3]); 379| 389k| accum.mul(x[3], y[2]); 380| 389k| accum.mul(x[4], y[1]); 381| 389k| accum.mul(x[5], y[0]); 382| 389k| z[5] = accum.extract(); 383| 389k| accum.mul(x[0], y[6]); 384| 389k| accum.mul(x[1], y[5]); 385| 389k| accum.mul(x[2], y[4]); 386| 389k| accum.mul(x[3], y[3]); 387| 389k| accum.mul(x[4], y[2]); 388| 389k| accum.mul(x[5], y[1]); 389| 389k| accum.mul(x[6], y[0]); 390| 389k| z[6] = accum.extract(); 391| 389k| accum.mul(x[0], y[7]); 392| 389k| accum.mul(x[1], y[6]); 393| 389k| accum.mul(x[2], y[5]); 394| 389k| accum.mul(x[3], y[4]); 395| 389k| accum.mul(x[4], y[3]); 396| 389k| accum.mul(x[5], y[2]); 397| 389k| accum.mul(x[6], y[1]); 398| 389k| accum.mul(x[7], y[0]); 399| 389k| z[7] = accum.extract(); 400| 389k| accum.mul(x[1], y[7]); 401| 389k| accum.mul(x[2], y[6]); 402| 389k| accum.mul(x[3], y[5]); 403| 389k| accum.mul(x[4], y[4]); 404| 389k| accum.mul(x[5], y[3]); 405| 389k| accum.mul(x[6], y[2]); 406| 389k| accum.mul(x[7], y[1]); 407| 389k| z[8] = accum.extract(); 408| 389k| accum.mul(x[2], y[7]); 409| 389k| accum.mul(x[3], y[6]); 410| 389k| accum.mul(x[4], y[5]); 411| 389k| accum.mul(x[5], y[4]); 412| 389k| accum.mul(x[6], y[3]); 413| 389k| accum.mul(x[7], y[2]); 414| 389k| z[9] = accum.extract(); 415| 389k| accum.mul(x[3], y[7]); 416| 389k| accum.mul(x[4], y[6]); 417| 389k| accum.mul(x[5], y[5]); 418| 389k| accum.mul(x[6], y[4]); 419| 389k| accum.mul(x[7], y[3]); 420| 389k| z[10] = accum.extract(); 421| 389k| accum.mul(x[4], y[7]); 422| 389k| accum.mul(x[5], y[6]); 423| 389k| accum.mul(x[6], y[5]); 424| 389k| accum.mul(x[7], y[4]); 425| 389k| z[11] = accum.extract(); 426| 389k| accum.mul(x[5], y[7]); 427| 389k| accum.mul(x[6], y[6]); 428| 389k| accum.mul(x[7], y[5]); 429| 389k| z[12] = accum.extract(); 430| 389k| accum.mul(x[6], y[7]); 431| 389k| accum.mul(x[7], y[6]); 432| 389k| z[13] = accum.extract(); 433| 389k| accum.mul(x[7], y[7]); 434| 389k| z[14] = accum.extract(); 435| 389k| z[15] = accum.extract(); 436| 389k|} _ZN5Botan17bigint_comba_sqr9EPmPKm: 441| 1.75M|void bigint_comba_sqr9(word z[18], const word x[9]) { 442| 1.75M| word3 accum; 443| | 444| 1.75M| accum.mul(x[0], x[0]); 445| 1.75M| z[0] = accum.extract(); 446| 1.75M| accum.mul_x2(x[0], x[1]); 447| 1.75M| z[1] = accum.extract(); 448| 1.75M| accum.mul_x2(x[0], x[2]); 449| 1.75M| accum.mul(x[1], x[1]); 450| 1.75M| z[2] = accum.extract(); 451| 1.75M| accum.mul_x2(x[0], x[3]); 452| 1.75M| accum.mul_x2(x[1], x[2]); 453| 1.75M| z[3] = accum.extract(); 454| 1.75M| accum.mul_x2(x[0], x[4]); 455| 1.75M| accum.mul_x2(x[1], x[3]); 456| 1.75M| accum.mul(x[2], x[2]); 457| 1.75M| z[4] = accum.extract(); 458| 1.75M| accum.mul_x2(x[0], x[5]); 459| 1.75M| accum.mul_x2(x[1], x[4]); 460| 1.75M| accum.mul_x2(x[2], x[3]); 461| 1.75M| z[5] = accum.extract(); 462| 1.75M| accum.mul_x2(x[0], x[6]); 463| 1.75M| accum.mul_x2(x[1], x[5]); 464| 1.75M| accum.mul_x2(x[2], x[4]); 465| 1.75M| accum.mul(x[3], x[3]); 466| 1.75M| z[6] = accum.extract(); 467| 1.75M| accum.mul_x2(x[0], x[7]); 468| 1.75M| accum.mul_x2(x[1], x[6]); 469| 1.75M| accum.mul_x2(x[2], x[5]); 470| 1.75M| accum.mul_x2(x[3], x[4]); 471| 1.75M| z[7] = accum.extract(); 472| 1.75M| accum.mul_x2(x[0], x[8]); 473| 1.75M| accum.mul_x2(x[1], x[7]); 474| 1.75M| accum.mul_x2(x[2], x[6]); 475| 1.75M| accum.mul_x2(x[3], x[5]); 476| 1.75M| accum.mul(x[4], x[4]); 477| 1.75M| z[8] = accum.extract(); 478| 1.75M| accum.mul_x2(x[1], x[8]); 479| 1.75M| accum.mul_x2(x[2], x[7]); 480| 1.75M| accum.mul_x2(x[3], x[6]); 481| 1.75M| accum.mul_x2(x[4], x[5]); 482| 1.75M| z[9] = accum.extract(); 483| 1.75M| accum.mul_x2(x[2], x[8]); 484| 1.75M| accum.mul_x2(x[3], x[7]); 485| 1.75M| accum.mul_x2(x[4], x[6]); 486| 1.75M| accum.mul(x[5], x[5]); 487| 1.75M| z[10] = accum.extract(); 488| 1.75M| accum.mul_x2(x[3], x[8]); 489| 1.75M| accum.mul_x2(x[4], x[7]); 490| 1.75M| accum.mul_x2(x[5], x[6]); 491| 1.75M| z[11] = accum.extract(); 492| 1.75M| accum.mul_x2(x[4], x[8]); 493| 1.75M| accum.mul_x2(x[5], x[7]); 494| 1.75M| accum.mul(x[6], x[6]); 495| 1.75M| z[12] = accum.extract(); 496| 1.75M| accum.mul_x2(x[5], x[8]); 497| 1.75M| accum.mul_x2(x[6], x[7]); 498| 1.75M| z[13] = accum.extract(); 499| 1.75M| accum.mul_x2(x[6], x[8]); 500| 1.75M| accum.mul(x[7], x[7]); 501| 1.75M| z[14] = accum.extract(); 502| 1.75M| accum.mul_x2(x[7], x[8]); 503| 1.75M| z[15] = accum.extract(); 504| 1.75M| accum.mul(x[8], x[8]); 505| 1.75M| z[16] = accum.extract(); 506| 1.75M| z[17] = accum.extract(); 507| 1.75M|} _ZN5Botan17bigint_comba_mul9EPmPKmS2_: 512| 3.68M|void bigint_comba_mul9(word z[18], const word x[9], const word y[9]) { 513| 3.68M| word3 accum; 514| | 515| 3.68M| accum.mul(x[0], y[0]); 516| 3.68M| z[0] = accum.extract(); 517| 3.68M| accum.mul(x[0], y[1]); 518| 3.68M| accum.mul(x[1], y[0]); 519| 3.68M| z[1] = accum.extract(); 520| 3.68M| accum.mul(x[0], y[2]); 521| 3.68M| accum.mul(x[1], y[1]); 522| 3.68M| accum.mul(x[2], y[0]); 523| 3.68M| z[2] = accum.extract(); 524| 3.68M| accum.mul(x[0], y[3]); 525| 3.68M| accum.mul(x[1], y[2]); 526| 3.68M| accum.mul(x[2], y[1]); 527| 3.68M| accum.mul(x[3], y[0]); 528| 3.68M| z[3] = accum.extract(); 529| 3.68M| accum.mul(x[0], y[4]); 530| 3.68M| accum.mul(x[1], y[3]); 531| 3.68M| accum.mul(x[2], y[2]); 532| 3.68M| accum.mul(x[3], y[1]); 533| 3.68M| accum.mul(x[4], y[0]); 534| 3.68M| z[4] = accum.extract(); 535| 3.68M| accum.mul(x[0], y[5]); 536| 3.68M| accum.mul(x[1], y[4]); 537| 3.68M| accum.mul(x[2], y[3]); 538| 3.68M| accum.mul(x[3], y[2]); 539| 3.68M| accum.mul(x[4], y[1]); 540| 3.68M| accum.mul(x[5], y[0]); 541| 3.68M| z[5] = accum.extract(); 542| 3.68M| accum.mul(x[0], y[6]); 543| 3.68M| accum.mul(x[1], y[5]); 544| 3.68M| accum.mul(x[2], y[4]); 545| 3.68M| accum.mul(x[3], y[3]); 546| 3.68M| accum.mul(x[4], y[2]); 547| 3.68M| accum.mul(x[5], y[1]); 548| 3.68M| accum.mul(x[6], y[0]); 549| 3.68M| z[6] = accum.extract(); 550| 3.68M| accum.mul(x[0], y[7]); 551| 3.68M| accum.mul(x[1], y[6]); 552| 3.68M| accum.mul(x[2], y[5]); 553| 3.68M| accum.mul(x[3], y[4]); 554| 3.68M| accum.mul(x[4], y[3]); 555| 3.68M| accum.mul(x[5], y[2]); 556| 3.68M| accum.mul(x[6], y[1]); 557| 3.68M| accum.mul(x[7], y[0]); 558| 3.68M| z[7] = accum.extract(); 559| 3.68M| accum.mul(x[0], y[8]); 560| 3.68M| accum.mul(x[1], y[7]); 561| 3.68M| accum.mul(x[2], y[6]); 562| 3.68M| accum.mul(x[3], y[5]); 563| 3.68M| accum.mul(x[4], y[4]); 564| 3.68M| accum.mul(x[5], y[3]); 565| 3.68M| accum.mul(x[6], y[2]); 566| 3.68M| accum.mul(x[7], y[1]); 567| 3.68M| accum.mul(x[8], y[0]); 568| 3.68M| z[8] = accum.extract(); 569| 3.68M| accum.mul(x[1], y[8]); 570| 3.68M| accum.mul(x[2], y[7]); 571| 3.68M| accum.mul(x[3], y[6]); 572| 3.68M| accum.mul(x[4], y[5]); 573| 3.68M| accum.mul(x[5], y[4]); 574| 3.68M| accum.mul(x[6], y[3]); 575| 3.68M| accum.mul(x[7], y[2]); 576| 3.68M| accum.mul(x[8], y[1]); 577| 3.68M| z[9] = accum.extract(); 578| 3.68M| accum.mul(x[2], y[8]); 579| 3.68M| accum.mul(x[3], y[7]); 580| 3.68M| accum.mul(x[4], y[6]); 581| 3.68M| accum.mul(x[5], y[5]); 582| 3.68M| accum.mul(x[6], y[4]); 583| 3.68M| accum.mul(x[7], y[3]); 584| 3.68M| accum.mul(x[8], y[2]); 585| 3.68M| z[10] = accum.extract(); 586| 3.68M| accum.mul(x[3], y[8]); 587| 3.68M| accum.mul(x[4], y[7]); 588| 3.68M| accum.mul(x[5], y[6]); 589| 3.68M| accum.mul(x[6], y[5]); 590| 3.68M| accum.mul(x[7], y[4]); 591| 3.68M| accum.mul(x[8], y[3]); 592| 3.68M| z[11] = accum.extract(); 593| 3.68M| accum.mul(x[4], y[8]); 594| 3.68M| accum.mul(x[5], y[7]); 595| 3.68M| accum.mul(x[6], y[6]); 596| 3.68M| accum.mul(x[7], y[5]); 597| 3.68M| accum.mul(x[8], y[4]); 598| 3.68M| z[12] = accum.extract(); 599| 3.68M| accum.mul(x[5], y[8]); 600| 3.68M| accum.mul(x[6], y[7]); 601| 3.68M| accum.mul(x[7], y[6]); 602| 3.68M| accum.mul(x[8], y[5]); 603| 3.68M| z[13] = accum.extract(); 604| 3.68M| accum.mul(x[6], y[8]); 605| 3.68M| accum.mul(x[7], y[7]); 606| 3.68M| accum.mul(x[8], y[6]); 607| 3.68M| z[14] = accum.extract(); 608| 3.68M| accum.mul(x[7], y[8]); 609| 3.68M| accum.mul(x[8], y[7]); 610| 3.68M| z[15] = accum.extract(); 611| 3.68M| accum.mul(x[8], y[8]); 612| 3.68M| z[16] = accum.extract(); 613| 3.68M| z[17] = accum.extract(); 614| 3.68M|} _ZN5Botan18bigint_comba_mul16EPmPKmS2_: 795| 7|void bigint_comba_mul16(word z[32], const word x[16], const word y[16]) { 796| 7| word3 accum; 797| | 798| 7| accum.mul(x[0], y[0]); 799| 7| z[0] = accum.extract(); 800| 7| accum.mul(x[0], y[1]); 801| 7| accum.mul(x[1], y[0]); 802| 7| z[1] = accum.extract(); 803| 7| accum.mul(x[0], y[2]); 804| 7| accum.mul(x[1], y[1]); 805| 7| accum.mul(x[2], y[0]); 806| 7| z[2] = accum.extract(); 807| 7| accum.mul(x[0], y[3]); 808| 7| accum.mul(x[1], y[2]); 809| 7| accum.mul(x[2], y[1]); 810| 7| accum.mul(x[3], y[0]); 811| 7| z[3] = accum.extract(); 812| 7| accum.mul(x[0], y[4]); 813| 7| accum.mul(x[1], y[3]); 814| 7| accum.mul(x[2], y[2]); 815| 7| accum.mul(x[3], y[1]); 816| 7| accum.mul(x[4], y[0]); 817| 7| z[4] = accum.extract(); 818| 7| accum.mul(x[0], y[5]); 819| 7| accum.mul(x[1], y[4]); 820| 7| accum.mul(x[2], y[3]); 821| 7| accum.mul(x[3], y[2]); 822| 7| accum.mul(x[4], y[1]); 823| 7| accum.mul(x[5], y[0]); 824| 7| z[5] = accum.extract(); 825| 7| accum.mul(x[0], y[6]); 826| 7| accum.mul(x[1], y[5]); 827| 7| accum.mul(x[2], y[4]); 828| 7| accum.mul(x[3], y[3]); 829| 7| accum.mul(x[4], y[2]); 830| 7| accum.mul(x[5], y[1]); 831| 7| accum.mul(x[6], y[0]); 832| 7| z[6] = accum.extract(); 833| 7| accum.mul(x[0], y[7]); 834| 7| accum.mul(x[1], y[6]); 835| 7| accum.mul(x[2], y[5]); 836| 7| accum.mul(x[3], y[4]); 837| 7| accum.mul(x[4], y[3]); 838| 7| accum.mul(x[5], y[2]); 839| 7| accum.mul(x[6], y[1]); 840| 7| accum.mul(x[7], y[0]); 841| 7| z[7] = accum.extract(); 842| 7| accum.mul(x[0], y[8]); 843| 7| accum.mul(x[1], y[7]); 844| 7| accum.mul(x[2], y[6]); 845| 7| accum.mul(x[3], y[5]); 846| 7| accum.mul(x[4], y[4]); 847| 7| accum.mul(x[5], y[3]); 848| 7| accum.mul(x[6], y[2]); 849| 7| accum.mul(x[7], y[1]); 850| 7| accum.mul(x[8], y[0]); 851| 7| z[8] = accum.extract(); 852| 7| accum.mul(x[0], y[9]); 853| 7| accum.mul(x[1], y[8]); 854| 7| accum.mul(x[2], y[7]); 855| 7| accum.mul(x[3], y[6]); 856| 7| accum.mul(x[4], y[5]); 857| 7| accum.mul(x[5], y[4]); 858| 7| accum.mul(x[6], y[3]); 859| 7| accum.mul(x[7], y[2]); 860| 7| accum.mul(x[8], y[1]); 861| 7| accum.mul(x[9], y[0]); 862| 7| z[9] = accum.extract(); 863| 7| accum.mul(x[0], y[10]); 864| 7| accum.mul(x[1], y[9]); 865| 7| accum.mul(x[2], y[8]); 866| 7| accum.mul(x[3], y[7]); 867| 7| accum.mul(x[4], y[6]); 868| 7| accum.mul(x[5], y[5]); 869| 7| accum.mul(x[6], y[4]); 870| 7| accum.mul(x[7], y[3]); 871| 7| accum.mul(x[8], y[2]); 872| 7| accum.mul(x[9], y[1]); 873| 7| accum.mul(x[10], y[0]); 874| 7| z[10] = accum.extract(); 875| 7| accum.mul(x[0], y[11]); 876| 7| accum.mul(x[1], y[10]); 877| 7| accum.mul(x[2], y[9]); 878| 7| accum.mul(x[3], y[8]); 879| 7| accum.mul(x[4], y[7]); 880| 7| accum.mul(x[5], y[6]); 881| 7| accum.mul(x[6], y[5]); 882| 7| accum.mul(x[7], y[4]); 883| 7| accum.mul(x[8], y[3]); 884| 7| accum.mul(x[9], y[2]); 885| 7| accum.mul(x[10], y[1]); 886| 7| accum.mul(x[11], y[0]); 887| 7| z[11] = accum.extract(); 888| 7| accum.mul(x[0], y[12]); 889| 7| accum.mul(x[1], y[11]); 890| 7| accum.mul(x[2], y[10]); 891| 7| accum.mul(x[3], y[9]); 892| 7| accum.mul(x[4], y[8]); 893| 7| accum.mul(x[5], y[7]); 894| 7| accum.mul(x[6], y[6]); 895| 7| accum.mul(x[7], y[5]); 896| 7| accum.mul(x[8], y[4]); 897| 7| accum.mul(x[9], y[3]); 898| 7| accum.mul(x[10], y[2]); 899| 7| accum.mul(x[11], y[1]); 900| 7| accum.mul(x[12], y[0]); 901| 7| z[12] = accum.extract(); 902| 7| accum.mul(x[0], y[13]); 903| 7| accum.mul(x[1], y[12]); 904| 7| accum.mul(x[2], y[11]); 905| 7| accum.mul(x[3], y[10]); 906| 7| accum.mul(x[4], y[9]); 907| 7| accum.mul(x[5], y[8]); 908| 7| accum.mul(x[6], y[7]); 909| 7| accum.mul(x[7], y[6]); 910| 7| accum.mul(x[8], y[5]); 911| 7| accum.mul(x[9], y[4]); 912| 7| accum.mul(x[10], y[3]); 913| 7| accum.mul(x[11], y[2]); 914| 7| accum.mul(x[12], y[1]); 915| 7| accum.mul(x[13], y[0]); 916| 7| z[13] = accum.extract(); 917| 7| accum.mul(x[0], y[14]); 918| 7| accum.mul(x[1], y[13]); 919| 7| accum.mul(x[2], y[12]); 920| 7| accum.mul(x[3], y[11]); 921| 7| accum.mul(x[4], y[10]); 922| 7| accum.mul(x[5], y[9]); 923| 7| accum.mul(x[6], y[8]); 924| 7| accum.mul(x[7], y[7]); 925| 7| accum.mul(x[8], y[6]); 926| 7| accum.mul(x[9], y[5]); 927| 7| accum.mul(x[10], y[4]); 928| 7| accum.mul(x[11], y[3]); 929| 7| accum.mul(x[12], y[2]); 930| 7| accum.mul(x[13], y[1]); 931| 7| accum.mul(x[14], y[0]); 932| 7| z[14] = accum.extract(); 933| 7| accum.mul(x[0], y[15]); 934| 7| accum.mul(x[1], y[14]); 935| 7| accum.mul(x[2], y[13]); 936| 7| accum.mul(x[3], y[12]); 937| 7| accum.mul(x[4], y[11]); 938| 7| accum.mul(x[5], y[10]); 939| 7| accum.mul(x[6], y[9]); 940| 7| accum.mul(x[7], y[8]); 941| 7| accum.mul(x[8], y[7]); 942| 7| accum.mul(x[9], y[6]); 943| 7| accum.mul(x[10], y[5]); 944| 7| accum.mul(x[11], y[4]); 945| 7| accum.mul(x[12], y[3]); 946| 7| accum.mul(x[13], y[2]); 947| 7| accum.mul(x[14], y[1]); 948| 7| accum.mul(x[15], y[0]); 949| 7| z[15] = accum.extract(); 950| 7| accum.mul(x[1], y[15]); 951| 7| accum.mul(x[2], y[14]); 952| 7| accum.mul(x[3], y[13]); 953| 7| accum.mul(x[4], y[12]); 954| 7| accum.mul(x[5], y[11]); 955| 7| accum.mul(x[6], y[10]); 956| 7| accum.mul(x[7], y[9]); 957| 7| accum.mul(x[8], y[8]); 958| 7| accum.mul(x[9], y[7]); 959| 7| accum.mul(x[10], y[6]); 960| 7| accum.mul(x[11], y[5]); 961| 7| accum.mul(x[12], y[4]); 962| 7| accum.mul(x[13], y[3]); 963| 7| accum.mul(x[14], y[2]); 964| 7| accum.mul(x[15], y[1]); 965| 7| z[16] = accum.extract(); 966| 7| accum.mul(x[2], y[15]); 967| 7| accum.mul(x[3], y[14]); 968| 7| accum.mul(x[4], y[13]); 969| 7| accum.mul(x[5], y[12]); 970| 7| accum.mul(x[6], y[11]); 971| 7| accum.mul(x[7], y[10]); 972| 7| accum.mul(x[8], y[9]); 973| 7| accum.mul(x[9], y[8]); 974| 7| accum.mul(x[10], y[7]); 975| 7| accum.mul(x[11], y[6]); 976| 7| accum.mul(x[12], y[5]); 977| 7| accum.mul(x[13], y[4]); 978| 7| accum.mul(x[14], y[3]); 979| 7| accum.mul(x[15], y[2]); 980| 7| z[17] = accum.extract(); 981| 7| accum.mul(x[3], y[15]); 982| 7| accum.mul(x[4], y[14]); 983| 7| accum.mul(x[5], y[13]); 984| 7| accum.mul(x[6], y[12]); 985| 7| accum.mul(x[7], y[11]); 986| 7| accum.mul(x[8], y[10]); 987| 7| accum.mul(x[9], y[9]); 988| 7| accum.mul(x[10], y[8]); 989| 7| accum.mul(x[11], y[7]); 990| 7| accum.mul(x[12], y[6]); 991| 7| accum.mul(x[13], y[5]); 992| 7| accum.mul(x[14], y[4]); 993| 7| accum.mul(x[15], y[3]); 994| 7| z[18] = accum.extract(); 995| 7| accum.mul(x[4], y[15]); 996| 7| accum.mul(x[5], y[14]); 997| 7| accum.mul(x[6], y[13]); 998| 7| accum.mul(x[7], y[12]); 999| 7| accum.mul(x[8], y[11]); 1000| 7| accum.mul(x[9], y[10]); 1001| 7| accum.mul(x[10], y[9]); 1002| 7| accum.mul(x[11], y[8]); 1003| 7| accum.mul(x[12], y[7]); 1004| 7| accum.mul(x[13], y[6]); 1005| 7| accum.mul(x[14], y[5]); 1006| 7| accum.mul(x[15], y[4]); 1007| 7| z[19] = accum.extract(); 1008| 7| accum.mul(x[5], y[15]); 1009| 7| accum.mul(x[6], y[14]); 1010| 7| accum.mul(x[7], y[13]); 1011| 7| accum.mul(x[8], y[12]); 1012| 7| accum.mul(x[9], y[11]); 1013| 7| accum.mul(x[10], y[10]); 1014| 7| accum.mul(x[11], y[9]); 1015| 7| accum.mul(x[12], y[8]); 1016| 7| accum.mul(x[13], y[7]); 1017| 7| accum.mul(x[14], y[6]); 1018| 7| accum.mul(x[15], y[5]); 1019| 7| z[20] = accum.extract(); 1020| 7| accum.mul(x[6], y[15]); 1021| 7| accum.mul(x[7], y[14]); 1022| 7| accum.mul(x[8], y[13]); 1023| 7| accum.mul(x[9], y[12]); 1024| 7| accum.mul(x[10], y[11]); 1025| 7| accum.mul(x[11], y[10]); 1026| 7| accum.mul(x[12], y[9]); 1027| 7| accum.mul(x[13], y[8]); 1028| 7| accum.mul(x[14], y[7]); 1029| 7| accum.mul(x[15], y[6]); 1030| 7| z[21] = accum.extract(); 1031| 7| accum.mul(x[7], y[15]); 1032| 7| accum.mul(x[8], y[14]); 1033| 7| accum.mul(x[9], y[13]); 1034| 7| accum.mul(x[10], y[12]); 1035| 7| accum.mul(x[11], y[11]); 1036| 7| accum.mul(x[12], y[10]); 1037| 7| accum.mul(x[13], y[9]); 1038| 7| accum.mul(x[14], y[8]); 1039| 7| accum.mul(x[15], y[7]); 1040| 7| z[22] = accum.extract(); 1041| 7| accum.mul(x[8], y[15]); 1042| 7| accum.mul(x[9], y[14]); 1043| 7| accum.mul(x[10], y[13]); 1044| 7| accum.mul(x[11], y[12]); 1045| 7| accum.mul(x[12], y[11]); 1046| 7| accum.mul(x[13], y[10]); 1047| 7| accum.mul(x[14], y[9]); 1048| 7| accum.mul(x[15], y[8]); 1049| 7| z[23] = accum.extract(); 1050| 7| accum.mul(x[9], y[15]); 1051| 7| accum.mul(x[10], y[14]); 1052| 7| accum.mul(x[11], y[13]); 1053| 7| accum.mul(x[12], y[12]); 1054| 7| accum.mul(x[13], y[11]); 1055| 7| accum.mul(x[14], y[10]); 1056| 7| accum.mul(x[15], y[9]); 1057| 7| z[24] = accum.extract(); 1058| 7| accum.mul(x[10], y[15]); 1059| 7| accum.mul(x[11], y[14]); 1060| 7| accum.mul(x[12], y[13]); 1061| 7| accum.mul(x[13], y[12]); 1062| 7| accum.mul(x[14], y[11]); 1063| 7| accum.mul(x[15], y[10]); 1064| 7| z[25] = accum.extract(); 1065| 7| accum.mul(x[11], y[15]); 1066| 7| accum.mul(x[12], y[14]); 1067| 7| accum.mul(x[13], y[13]); 1068| 7| accum.mul(x[14], y[12]); 1069| 7| accum.mul(x[15], y[11]); 1070| 7| z[26] = accum.extract(); 1071| 7| accum.mul(x[12], y[15]); 1072| 7| accum.mul(x[13], y[14]); 1073| 7| accum.mul(x[14], y[13]); 1074| 7| accum.mul(x[15], y[12]); 1075| 7| z[27] = accum.extract(); 1076| 7| accum.mul(x[13], y[15]); 1077| 7| accum.mul(x[14], y[14]); 1078| 7| accum.mul(x[15], y[13]); 1079| 7| z[28] = accum.extract(); 1080| 7| accum.mul(x[14], y[15]); 1081| 7| accum.mul(x[15], y[14]); 1082| 7| z[29] = accum.extract(); 1083| 7| accum.mul(x[15], y[15]); 1084| 7| z[30] = accum.extract(); 1085| 7| z[31] = accum.extract(); 1086| 7|} _ZN5Botan12basecase_mulEPmmPKmmS2_m: 20| 6.86M|void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size) { 21| 6.86M| if(z_size < x_size + y_size) { ------------------ | Branch (21:7): [True: 0, False: 6.86M] ------------------ 22| 0| throw Invalid_Argument("basecase_mul z_size too small"); 23| 0| } 24| | 25| 6.86M| const size_t x_size_8 = x_size - (x_size % 8); 26| | 27| 6.86M| zeroize_buffer(z, z_size); 28| | 29| 49.4M| for(size_t i = 0; i != y_size; ++i) { ------------------ | Branch (29:22): [True: 42.5M, False: 6.86M] ------------------ 30| 42.5M| const word y_i = y[i]; 31| | 32| 42.5M| word carry = 0; 33| | 34| 69.9M| for(size_t j = 0; j != x_size_8; j += 8) { ------------------ | Branch (34:25): [True: 27.3M, False: 42.5M] ------------------ 35| 27.3M| carry = word8_madd3(z + i + j, x + j, y_i, carry); 36| 27.3M| } 37| | 38| 158M| for(size_t j = x_size_8; j != x_size; ++j) { ------------------ | Branch (38:32): [True: 116M, False: 42.5M] ------------------ 39| 116M| z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry); 40| 116M| } 41| | 42| 42.5M| z[x_size + i] = carry; 43| 42.5M| } 44| 6.86M|} _ZN5Botan12basecase_sqrEPmmPKmm: 46| 1.87M|void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size) { 47| 1.87M| if(z_size < 2 * x_size) { ------------------ | Branch (47:7): [True: 0, False: 1.87M] ------------------ 48| 0| throw Invalid_Argument("basecase_sqr z_size too small"); 49| 0| } 50| | 51| 1.87M| const size_t x_size_8 = x_size - (x_size % 8); 52| | 53| 1.87M| zeroize_buffer(z, z_size); 54| | 55| 9.36M| for(size_t i = 0; i != x_size; ++i) { ------------------ | Branch (55:22): [True: 7.49M, False: 1.87M] ------------------ 56| 7.49M| const word x_i = x[i]; 57| | 58| 7.49M| word carry = 0; 59| | 60| 7.58M| for(size_t j = 0; j != x_size_8; j += 8) { ------------------ | Branch (60:25): [True: 85.8k, False: 7.49M] ------------------ 61| 85.8k| carry = word8_madd3(z + i + j, x + j, x_i, carry); 62| 85.8k| } 63| | 64| 39.4M| for(size_t j = x_size_8; j != x_size; ++j) { ------------------ | Branch (64:32): [True: 31.9M, False: 7.49M] ------------------ 65| 31.9M| z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry); 66| 31.9M| } 67| | 68| 7.49M| z[x_size + i] = carry; 69| 7.49M| } 70| 1.87M|} _ZN5Botan10bigint_mulEPmmPKmmmS2_mmS0_m: 292| 19.6M| size_t ws_size) { 293| 19.6M| zeroize_buffer(z, z_size); 294| | 295| 19.6M| if(x_sw == 1) { ------------------ | Branch (295:7): [True: 120, False: 19.6M] ------------------ 296| 120| bigint_linmul3(z, y, y_sw, x[0]); 297| 19.6M| } else if(y_sw == 1) { ------------------ | Branch (297:14): [True: 121, False: 19.6M] ------------------ 298| 121| bigint_linmul3(z, x, x_sw, y[0]); 299| 19.6M| } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (299:14): [True: 8.24M, False: 11.3M] ------------------ 300| 8.24M| bigint_comba_mul4(z, x, y); 301| 11.3M| } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (301:14): [True: 3.00M, False: 8.36M] ------------------ 302| 3.00M| bigint_comba_mul6(z, x, y); 303| 8.36M| } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (303:14): [True: 225k, False: 8.13M] ------------------ 304| 225k| bigint_comba_mul8(z, x, y); 305| 8.13M| } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (305:14): [True: 1.27M, False: 6.86M] ------------------ 306| 1.27M| bigint_comba_mul9(z, x, y); 307| 6.86M| } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (307:14): [True: 7, False: 6.86M] ------------------ 308| 7| bigint_comba_mul16(z, x, y); 309| 6.86M| } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) { ------------------ | Branch (309:14): [True: 0, False: 6.86M] ------------------ 310| 0| bigint_comba_mul24(z, x, y); 311| 6.86M| } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || workspace == nullptr) { ------------------ | Branch (311:14): [True: 6.86M, False: 0] | Branch (311:53): [True: 0, False: 0] | Branch (311:92): [True: 0, False: 0] ------------------ 312| 6.86M| basecase_mul(z, z_size, x, x_sw, y, y_sw); 313| 6.86M| } else { 314| 0| const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw); 315| | 316| 0| if(N > 0 && z_size >= 2 * N && ws_size >= 2 * N) { ------------------ | Branch (316:10): [True: 0, False: 0] | Branch (316:19): [True: 0, False: 0] | Branch (316:38): [True: 0, False: 0] ------------------ 317| 0| karatsuba_mul(z, x, y, N, workspace); 318| 0| } else { 319| 0| basecase_mul(z, z_size, x, x_sw, y, y_sw); 320| 0| } 321| 0| } 322| 19.6M|} _ZN5Botan10bigint_sqrEPmmPKmmmS0_m: 327| 6.01M|void bigint_sqr(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size) { 328| 6.01M| zeroize_buffer(z, z_size); 329| | 330| 6.01M| BOTAN_ASSERT(z_size / 2 >= x_sw, "Output size is sufficient"); ------------------ | | 64| 6.01M| do { \ | | 65| 6.01M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 6.01M| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 6.01M] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 6.01M| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 6.01M] | | ------------------ ------------------ 331| | 332| 6.01M| if(x_sw == 1) { ------------------ | Branch (332:7): [True: 120, False: 6.01M] ------------------ 333| 120| bigint_linmul3(z, x, x_sw, x[0]); 334| 6.01M| } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) { ------------------ | Branch (334:14): [True: 3.33M, False: 2.67M] ------------------ 335| 3.33M| bigint_comba_sqr4(z, x); 336| 3.33M| } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) { ------------------ | Branch (336:14): [True: 20.9k, False: 2.65M] ------------------ 337| 20.9k| bigint_comba_sqr6(z, x); 338| 2.65M| } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) { ------------------ | Branch (338:14): [True: 1.06k, False: 2.65M] ------------------ 339| 1.06k| bigint_comba_sqr8(z, x); 340| 2.65M| } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) { ------------------ | Branch (340:14): [True: 777k, False: 1.87M] ------------------ 341| 777k| bigint_comba_sqr9(z, x); 342| 1.87M| } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) { ------------------ | Branch (342:14): [True: 0, False: 1.87M] ------------------ 343| 0| bigint_comba_sqr16(z, x); 344| 1.87M| } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) { ------------------ | Branch (344:14): [True: 0, False: 1.87M] ------------------ 345| 0| bigint_comba_sqr24(z, x); 346| 1.87M| } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || workspace == nullptr) { ------------------ | Branch (346:14): [True: 1.87M, False: 133] | Branch (346:53): [True: 0, False: 133] ------------------ 347| 1.87M| basecase_sqr(z, z_size, x, x_sw); 348| 1.87M| } else { 349| 133| const size_t N = karatsuba_size(z_size, x_size, x_sw); 350| | 351| 133| if(N > 0 && z_size >= 2 * N && ws_size >= 2 * N) { ------------------ | Branch (351:10): [True: 95, False: 38] | Branch (351:19): [True: 95, False: 0] | Branch (351:38): [True: 95, False: 0] ------------------ 352| 95| karatsuba_sqr(z, x, N, workspace); 353| 95| } else { 354| 38| basecase_sqr(z, z_size, x, x_sw); 355| 38| } 356| 133| } 357| 6.01M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_114karatsuba_sizeEmmm: 245| 133|size_t karatsuba_size(size_t z_size, size_t x_size, size_t x_sw) { 246| 133| if(x_sw == x_size) { ------------------ | Branch (246:7): [True: 0, False: 133] ------------------ 247| 0| if(x_sw % 2 != 0) { ------------------ | Branch (247:10): [True: 0, False: 0] ------------------ 248| 0| return 0; 249| 0| } 250| 0| return x_sw; 251| 0| } 252| | 253| 171| for(size_t j = x_sw; j <= x_size; ++j) { ------------------ | Branch (253:25): [True: 171, False: 0] ------------------ 254| 171| if(j % 2 != 0) { ------------------ | Branch (254:10): [True: 38, False: 133] ------------------ 255| 38| continue; 256| 38| } 257| | 258| 133| if(2 * j > z_size) { ------------------ | Branch (258:10): [True: 38, False: 95] ------------------ 259| 38| return 0; 260| 38| } 261| | 262| 95| if(j % 4 == 2 && (j + 2) <= x_size && 2 * (j + 2) <= z_size) { ------------------ | Branch (262:10): [True: 95, False: 0] | Branch (262:24): [True: 95, False: 0] | Branch (262:45): [True: 0, False: 95] ------------------ 263| 0| return j + 2; 264| 0| } 265| 95| return j; 266| 95| } 267| | 268| 0| return 0; 269| 133|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_113karatsuba_sqrEPmPKmmS1_: 149| 95|void karatsuba_sqr(word z[], const word x[], size_t N, word workspace[]) { 150| 95| if(N < KARATSUBA_SQUARE_THRESHOLD || N % 2 != 0) { ------------------ | Branch (150:7): [True: 95, False: 0] | Branch (150:41): [True: 0, False: 0] ------------------ 151| 95| switch(N) { 152| 0| case 6: ------------------ | Branch (152:10): [True: 0, False: 95] ------------------ 153| 0| return bigint_comba_sqr6(z, x); 154| 0| case 8: ------------------ | Branch (154:10): [True: 0, False: 95] ------------------ 155| 0| return bigint_comba_sqr8(z, x); 156| 0| case 9: ------------------ | Branch (156:10): [True: 0, False: 95] ------------------ 157| 0| return bigint_comba_sqr9(z, x); 158| 0| case 16: ------------------ | Branch (158:10): [True: 0, False: 95] ------------------ 159| 0| return bigint_comba_sqr16(z, x); 160| 0| case 24: ------------------ | Branch (160:10): [True: 0, False: 95] ------------------ 161| 0| return bigint_comba_sqr24(z, x); 162| 95| default: ------------------ | Branch (162:10): [True: 95, False: 0] ------------------ 163| 95| return basecase_sqr(z, 2 * N, x, N); 164| 95| } 165| 95| } 166| | 167| 0| const size_t N2 = N / 2; 168| | 169| 0| const word* x0 = x; 170| 0| const word* x1 = x + N2; 171| 0| word* z0 = z; 172| 0| word* z1 = z + N; 173| | 174| 0| word* ws0 = workspace; 175| 0| word* ws1 = workspace + N; 176| | 177| 0| zeroize_buffer(workspace, 2 * N); 178| | 179| | // See comment in karatsuba_mul 180| 0| bigint_sub_abs(z0, x0, x1, N2, workspace); 181| 0| karatsuba_sqr(ws0, z0, N2, ws1); 182| | 183| 0| karatsuba_sqr(z0, x0, N2, ws1); 184| 0| karatsuba_sqr(z1, x1, N2, ws1); 185| | 186| 0| const word ws_carry = bigint_add3(ws1, z0, N, z1, N); 187| 0| word z_carry = bigint_add2(z + N2, N, ws1, N); 188| | 189| 0| z_carry += bigint_add2(z + N + N2, N2, &ws_carry, 1); 190| 0| bigint_add2(z + N + N2, N2, &z_carry, 1); 191| | 192| | /* 193| | * This is only actually required if cmp (result of bigint_sub_abs) is != 0, 194| | * however if cmp==0 then ws0[0:N] == 0 and avoiding the jump hides a 195| | * timing channel. 196| | */ 197| 0| bigint_sub2(z + N2, 2 * N - N2, ws0, N); 198| 0|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm4EEEbmmmmm: 272| 19.6M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 19.6M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 10.6M, False: 9.01M] | Branch (273:26): [True: 8.32M, False: 2.27M] | Branch (273:42): [True: 8.32M, False: 0] | Branch (273:56): [True: 8.28M, False: 36.1k] | Branch (273:72): [True: 8.24M, False: 44.9k] ------------------ 274| 19.6M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm6EEEbmmmmm: 272| 11.3M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 11.3M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 6.96M, False: 4.40M] | Branch (273:26): [True: 3.23M, False: 3.73M] | Branch (273:42): [True: 3.23M, False: 0] | Branch (273:56): [True: 3.19M, False: 36.1k] | Branch (273:72): [True: 3.00M, False: 187k] ------------------ 274| 11.3M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm8EEEbmmmmm: 272| 8.36M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 8.36M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 4.24M, False: 4.12M] | Branch (273:26): [True: 466k, False: 3.77M] | Branch (273:42): [True: 433k, False: 32.7k] | Branch (273:56): [True: 403k, False: 29.9k] | Branch (273:72): [True: 225k, False: 177k] ------------------ 274| 8.36M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm9EEEbmmmmm: 272| 8.13M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 8.13M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 5.32M, False: 2.81M] | Branch (273:26): [True: 1.43M, False: 3.89M] | Branch (273:42): [True: 1.43M, False: 0] | Branch (273:56): [True: 1.33M, False: 98.6k] | Branch (273:72): [True: 1.27M, False: 57.4k] ------------------ 274| 8.13M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm16EEEbmmmmm: 272| 6.86M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 6.86M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 6.86M, False: 1.52k] | Branch (273:26): [True: 1.50M, False: 5.35M] | Branch (273:42): [True: 1.50M, False: 0] | Branch (273:56): [True: 1.46M, False: 40.0k] | Branch (273:72): [True: 7, False: 1.46M] ------------------ 274| 6.86M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_mulILm24EEEbmmmmm: 272| 6.86M|inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) { 273| 6.86M| return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (273:12): [True: 6.86M, False: 1.51k] | Branch (273:26): [True: 7.52k, False: 6.85M] | Branch (273:42): [True: 7.52k, False: 0] | Branch (273:56): [True: 7.50k, False: 19] | Branch (273:72): [True: 0, False: 7.50k] ------------------ 274| 6.86M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm4EEEbmmm: 277| 6.01M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 6.01M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 4.31M, False: 1.69M] | Branch (278:26): [True: 3.36M, False: 951k] | Branch (278:42): [True: 3.33M, False: 28.9k] ------------------ 279| 6.01M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm6EEEbmmm: 277| 2.67M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 2.67M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.86M, False: 811k] | Branch (278:26): [True: 154k, False: 1.70M] | Branch (278:42): [True: 20.9k, False: 133k] ------------------ 279| 2.67M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm8EEEbmmm: 277| 2.65M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 2.65M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.87M, False: 779k] | Branch (278:26): [True: 142k, False: 1.73M] | Branch (278:42): [True: 1.06k, False: 141k] ------------------ 279| 2.65M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm9EEEbmmm: 277| 2.65M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 2.65M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 2.65M, False: 1.10k] | Branch (278:26): [True: 907k, False: 1.74M] | Branch (278:42): [True: 777k, False: 129k] ------------------ 279| 2.65M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm16EEEbmmm: 277| 1.87M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 1.87M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.87M, False: 1.10k] | Branch (278:26): [True: 109k, False: 1.76M] | Branch (278:42): [True: 0, False: 109k] ------------------ 279| 1.87M|} mp_karat.cpp:_ZN5Botan12_GLOBAL__N_119sized_for_comba_sqrILm24EEEbmmm: 277| 1.87M|inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) { 278| 1.87M| return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ); ------------------ | Branch (278:12): [True: 1.87M, False: 1.10k] | Branch (278:26): [True: 15.0k, False: 1.85M] | Branch (278:42): [True: 0, False: 15.0k] ------------------ 279| 1.87M|} _ZN5Botan25bigint_monty_redc_genericEPmPKmmS2_mmS0_: 91| 10.1M| word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[]) { 92| 10.1M| BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic"); ------------------ | | 35| 10.1M| do { \ | | 36| 10.1M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 20.3M| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 10.1M, False: 0] | | | Branch (37:12): [True: 10.1M, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 10.1M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 10.1M] | | ------------------ ------------------ 93| | 94| 10.1M| word3 accum; 95| | 96| 10.1M| accum.add(z[0]); 97| | 98| 10.1M| ws[0] = accum.monty_step(p[0], p_dash); 99| | 100| 61.8M| for(size_t i = 1; i != p_size; ++i) { ------------------ | Branch (100:22): [True: 51.6M, False: 10.1M] ------------------ 101| 51.6M| mul_rev_range(accum, ws, p, i); 102| 51.6M| accum.add(z[i]); 103| 51.6M| ws[i] = accum.monty_step(p[0], p_dash); 104| 51.6M| } 105| | 106| 61.8M| for(size_t i = 0; i != p_size - 1; ++i) { ------------------ | Branch (106:22): [True: 51.6M, False: 10.1M] ------------------ 107| 51.6M| mul_rev_range(accum, &ws[i + 1], &p[i], p_size - (i + 1)); 108| 51.6M| accum.add(z[p_size + i]); 109| 51.6M| ws[i] = accum.extract(); 110| 51.6M| } 111| | 112| 10.1M| accum.add(z[2 * p_size - 1]); 113| | 114| 10.1M| ws[p_size - 1] = accum.extract(); 115| | // w1 is the final part, which is not stored in the workspace 116| 10.1M| const word w1 = accum.extract(); 117| | 118| | /* 119| | * The result might need to be reduced mod p. To avoid a timing 120| | * channel, always perform the subtraction. If in the computation 121| | * of x - p a borrow is required then x was already < p. 122| | * 123| | * x starts at ws[0] and is p_size bytes long plus a possible high 124| | * digit left over in w1. 125| | * 126| | * x - p starts at z[0] and is also p_size bytes long 127| | * 128| | * If borrow was set after the subtraction, then x was already less 129| | * than p and the subtraction was not needed. In that case overwrite 130| | * z[0:p_size] with the original x in ws[0:p_size]. 131| | * 132| | * We only copy out p_size in the final step because we know 133| | * the Montgomery result is < P 134| | */ 135| | 136| 10.1M| bigint_monty_maybe_sub(p_size, r, w1, ws, p); 137| 10.1M|} mp_monty.cpp:_ZN5Botan12_GLOBAL__N_113mul_rev_rangeERNS_5word3ImEEPKmS5_m: 18| 103M|BOTAN_FORCE_INLINE void mul_rev_range(word3& accum, const word ws[], const word p[], size_t bound) { 19| | /* 20| | Unrolled version of: 21| | 22| | for(size_t i = 0; i < bound; ++i) { 23| | accum.mul(ws[i], p[bound - i]); 24| | } 25| | */ 26| | 27| 103M| size_t lower = 0; 28| 255M| while(lower < bound) { ------------------ | Branch (28:10): [True: 152M, False: 103M] ------------------ 29| 152M| const size_t upper = bound - lower; 30| | 31| 152M| if(upper >= 16) { ------------------ | Branch (31:10): [True: 37.8k, False: 152M] ------------------ 32| 37.8k| accum.mul(ws[lower], p[upper]); 33| 37.8k| accum.mul(ws[lower + 1], p[upper - 1]); 34| 37.8k| accum.mul(ws[lower + 2], p[upper - 2]); 35| 37.8k| accum.mul(ws[lower + 3], p[upper - 3]); 36| 37.8k| accum.mul(ws[lower + 4], p[upper - 4]); 37| 37.8k| accum.mul(ws[lower + 5], p[upper - 5]); 38| 37.8k| accum.mul(ws[lower + 6], p[upper - 6]); 39| 37.8k| accum.mul(ws[lower + 7], p[upper - 7]); 40| 37.8k| accum.mul(ws[lower + 8], p[upper - 8]); 41| 37.8k| accum.mul(ws[lower + 9], p[upper - 9]); 42| 37.8k| accum.mul(ws[lower + 10], p[upper - 10]); 43| 37.8k| accum.mul(ws[lower + 11], p[upper - 11]); 44| 37.8k| accum.mul(ws[lower + 12], p[upper - 12]); 45| 37.8k| accum.mul(ws[lower + 13], p[upper - 13]); 46| 37.8k| accum.mul(ws[lower + 14], p[upper - 14]); 47| 37.8k| accum.mul(ws[lower + 15], p[upper - 15]); 48| 37.8k| lower += 16; 49| 152M| } else if(upper >= 8) { ------------------ | Branch (49:17): [True: 8.95M, False: 143M] ------------------ 50| 8.95M| accum.mul(ws[lower], p[upper]); 51| 8.95M| accum.mul(ws[lower + 1], p[upper - 1]); 52| 8.95M| accum.mul(ws[lower + 2], p[upper - 2]); 53| 8.95M| accum.mul(ws[lower + 3], p[upper - 3]); 54| 8.95M| accum.mul(ws[lower + 4], p[upper - 4]); 55| 8.95M| accum.mul(ws[lower + 5], p[upper - 5]); 56| 8.95M| accum.mul(ws[lower + 6], p[upper - 6]); 57| 8.95M| accum.mul(ws[lower + 7], p[upper - 7]); 58| 8.95M| lower += 8; 59| 143M| } else if(upper >= 4) { ------------------ | Branch (59:17): [True: 40.2M, False: 103M] ------------------ 60| 40.2M| accum.mul(ws[lower], p[upper]); 61| 40.2M| accum.mul(ws[lower + 1], p[upper - 1]); 62| 40.2M| accum.mul(ws[lower + 2], p[upper - 2]); 63| 40.2M| accum.mul(ws[lower + 3], p[upper - 3]); 64| 40.2M| lower += 4; 65| 103M| } else if(upper >= 2) { ------------------ | Branch (65:17): [True: 51.6M, False: 51.6M] ------------------ 66| 51.6M| accum.mul(ws[lower], p[upper]); 67| 51.6M| accum.mul(ws[lower + 1], p[upper - 1]); 68| 51.6M| lower += 2; 69| 51.6M| } else { 70| 51.6M| accum.mul(ws[lower], p[upper]); 71| 51.6M| lower += 1; 72| 51.6M| } 73| 152M| } 74| 103M|} _ZN5Botan19bigint_monty_redc_4EPmPKmS2_mS0_: 12| 18.5M|void bigint_monty_redc_4(word r[4], const word z[8], const word p[4], word p_dash, word ws[4]) { 13| 18.5M| word3 accum; 14| 18.5M| accum.add(z[0]); 15| 18.5M| ws[0] = accum.monty_step(p[0], p_dash); 16| 18.5M| accum.mul(ws[0], p[1]); 17| 18.5M| accum.add(z[1]); 18| 18.5M| ws[1] = accum.monty_step(p[0], p_dash); 19| 18.5M| accum.mul(ws[0], p[2]); 20| 18.5M| accum.mul(ws[1], p[1]); 21| 18.5M| accum.add(z[2]); 22| 18.5M| ws[2] = accum.monty_step(p[0], p_dash); 23| 18.5M| accum.mul(ws[0], p[3]); 24| 18.5M| accum.mul(ws[1], p[2]); 25| 18.5M| accum.mul(ws[2], p[1]); 26| 18.5M| accum.add(z[3]); 27| 18.5M| ws[3] = accum.monty_step(p[0], p_dash); 28| 18.5M| accum.mul(ws[1], p[3]); 29| 18.5M| accum.mul(ws[2], p[2]); 30| 18.5M| accum.mul(ws[3], p[1]); 31| 18.5M| accum.add(z[4]); 32| 18.5M| ws[0] = accum.extract(); 33| 18.5M| accum.mul(ws[2], p[3]); 34| 18.5M| accum.mul(ws[3], p[2]); 35| 18.5M| accum.add(z[5]); 36| 18.5M| ws[1] = accum.extract(); 37| 18.5M| accum.mul(ws[3], p[3]); 38| 18.5M| accum.add(z[6]); 39| 18.5M| ws[2] = accum.extract(); 40| 18.5M| accum.add(z[7]); 41| 18.5M| ws[3] = accum.extract(); 42| 18.5M| const word w1 = accum.extract(); 43| 18.5M| bigint_monty_maybe_sub<4>(r, w1, ws, p); 44| 18.5M|} _ZN5Botan19bigint_monty_redc_6EPmPKmS2_mS0_: 46| 284k|void bigint_monty_redc_6(word r[6], const word z[12], const word p[6], word p_dash, word ws[6]) { 47| 284k| word3 accum; 48| 284k| accum.add(z[0]); 49| 284k| ws[0] = accum.monty_step(p[0], p_dash); 50| 284k| accum.mul(ws[0], p[1]); 51| 284k| accum.add(z[1]); 52| 284k| ws[1] = accum.monty_step(p[0], p_dash); 53| 284k| accum.mul(ws[0], p[2]); 54| 284k| accum.mul(ws[1], p[1]); 55| 284k| accum.add(z[2]); 56| 284k| ws[2] = accum.monty_step(p[0], p_dash); 57| 284k| accum.mul(ws[0], p[3]); 58| 284k| accum.mul(ws[1], p[2]); 59| 284k| accum.mul(ws[2], p[1]); 60| 284k| accum.add(z[3]); 61| 284k| ws[3] = accum.monty_step(p[0], p_dash); 62| 284k| accum.mul(ws[0], p[4]); 63| 284k| accum.mul(ws[1], p[3]); 64| 284k| accum.mul(ws[2], p[2]); 65| 284k| accum.mul(ws[3], p[1]); 66| 284k| accum.add(z[4]); 67| 284k| ws[4] = accum.monty_step(p[0], p_dash); 68| 284k| accum.mul(ws[0], p[5]); 69| 284k| accum.mul(ws[1], p[4]); 70| 284k| accum.mul(ws[2], p[3]); 71| 284k| accum.mul(ws[3], p[2]); 72| 284k| accum.mul(ws[4], p[1]); 73| 284k| accum.add(z[5]); 74| 284k| ws[5] = accum.monty_step(p[0], p_dash); 75| 284k| accum.mul(ws[1], p[5]); 76| 284k| accum.mul(ws[2], p[4]); 77| 284k| accum.mul(ws[3], p[3]); 78| 284k| accum.mul(ws[4], p[2]); 79| 284k| accum.mul(ws[5], p[1]); 80| 284k| accum.add(z[6]); 81| 284k| ws[0] = accum.extract(); 82| 284k| accum.mul(ws[2], p[5]); 83| 284k| accum.mul(ws[3], p[4]); 84| 284k| accum.mul(ws[4], p[3]); 85| 284k| accum.mul(ws[5], p[2]); 86| 284k| accum.add(z[7]); 87| 284k| ws[1] = accum.extract(); 88| 284k| accum.mul(ws[3], p[5]); 89| 284k| accum.mul(ws[4], p[4]); 90| 284k| accum.mul(ws[5], p[3]); 91| 284k| accum.add(z[8]); 92| 284k| ws[2] = accum.extract(); 93| 284k| accum.mul(ws[4], p[5]); 94| 284k| accum.mul(ws[5], p[4]); 95| 284k| accum.add(z[9]); 96| 284k| ws[3] = accum.extract(); 97| 284k| accum.mul(ws[5], p[5]); 98| 284k| accum.add(z[10]); 99| 284k| ws[4] = accum.extract(); 100| 284k| accum.add(z[11]); 101| 284k| ws[5] = accum.extract(); 102| 284k| const word w1 = accum.extract(); 103| 284k| bigint_monty_maybe_sub<6>(r, w1, ws, p); 104| 284k|} _ZN5Botan19bigint_monty_redc_8EPmPKmS2_mS0_: 106| 302k|void bigint_monty_redc_8(word r[8], const word z[16], const word p[8], word p_dash, word ws[8]) { 107| 302k| word3 accum; 108| 302k| accum.add(z[0]); 109| 302k| ws[0] = accum.monty_step(p[0], p_dash); 110| 302k| accum.mul(ws[0], p[1]); 111| 302k| accum.add(z[1]); 112| 302k| ws[1] = accum.monty_step(p[0], p_dash); 113| 302k| accum.mul(ws[0], p[2]); 114| 302k| accum.mul(ws[1], p[1]); 115| 302k| accum.add(z[2]); 116| 302k| ws[2] = accum.monty_step(p[0], p_dash); 117| 302k| accum.mul(ws[0], p[3]); 118| 302k| accum.mul(ws[1], p[2]); 119| 302k| accum.mul(ws[2], p[1]); 120| 302k| accum.add(z[3]); 121| 302k| ws[3] = accum.monty_step(p[0], p_dash); 122| 302k| accum.mul(ws[0], p[4]); 123| 302k| accum.mul(ws[1], p[3]); 124| 302k| accum.mul(ws[2], p[2]); 125| 302k| accum.mul(ws[3], p[1]); 126| 302k| accum.add(z[4]); 127| 302k| ws[4] = accum.monty_step(p[0], p_dash); 128| 302k| accum.mul(ws[0], p[5]); 129| 302k| accum.mul(ws[1], p[4]); 130| 302k| accum.mul(ws[2], p[3]); 131| 302k| accum.mul(ws[3], p[2]); 132| 302k| accum.mul(ws[4], p[1]); 133| 302k| accum.add(z[5]); 134| 302k| ws[5] = accum.monty_step(p[0], p_dash); 135| 302k| accum.mul(ws[0], p[6]); 136| 302k| accum.mul(ws[1], p[5]); 137| 302k| accum.mul(ws[2], p[4]); 138| 302k| accum.mul(ws[3], p[3]); 139| 302k| accum.mul(ws[4], p[2]); 140| 302k| accum.mul(ws[5], p[1]); 141| 302k| accum.add(z[6]); 142| 302k| ws[6] = accum.monty_step(p[0], p_dash); 143| 302k| accum.mul(ws[0], p[7]); 144| 302k| accum.mul(ws[1], p[6]); 145| 302k| accum.mul(ws[2], p[5]); 146| 302k| accum.mul(ws[3], p[4]); 147| 302k| accum.mul(ws[4], p[3]); 148| 302k| accum.mul(ws[5], p[2]); 149| 302k| accum.mul(ws[6], p[1]); 150| 302k| accum.add(z[7]); 151| 302k| ws[7] = accum.monty_step(p[0], p_dash); 152| 302k| accum.mul(ws[1], p[7]); 153| 302k| accum.mul(ws[2], p[6]); 154| 302k| accum.mul(ws[3], p[5]); 155| 302k| accum.mul(ws[4], p[4]); 156| 302k| accum.mul(ws[5], p[3]); 157| 302k| accum.mul(ws[6], p[2]); 158| 302k| accum.mul(ws[7], p[1]); 159| 302k| accum.add(z[8]); 160| 302k| ws[0] = accum.extract(); 161| 302k| accum.mul(ws[2], p[7]); 162| 302k| accum.mul(ws[3], p[6]); 163| 302k| accum.mul(ws[4], p[5]); 164| 302k| accum.mul(ws[5], p[4]); 165| 302k| accum.mul(ws[6], p[3]); 166| 302k| accum.mul(ws[7], p[2]); 167| 302k| accum.add(z[9]); 168| 302k| ws[1] = accum.extract(); 169| 302k| accum.mul(ws[3], p[7]); 170| 302k| accum.mul(ws[4], p[6]); 171| 302k| accum.mul(ws[5], p[5]); 172| 302k| accum.mul(ws[6], p[4]); 173| 302k| accum.mul(ws[7], p[3]); 174| 302k| accum.add(z[10]); 175| 302k| ws[2] = accum.extract(); 176| 302k| accum.mul(ws[4], p[7]); 177| 302k| accum.mul(ws[5], p[6]); 178| 302k| accum.mul(ws[6], p[5]); 179| 302k| accum.mul(ws[7], p[4]); 180| 302k| accum.add(z[11]); 181| 302k| ws[3] = accum.extract(); 182| 302k| accum.mul(ws[5], p[7]); 183| 302k| accum.mul(ws[6], p[6]); 184| 302k| accum.mul(ws[7], p[5]); 185| 302k| accum.add(z[12]); 186| 302k| ws[4] = accum.extract(); 187| 302k| accum.mul(ws[6], p[7]); 188| 302k| accum.mul(ws[7], p[6]); 189| 302k| accum.add(z[13]); 190| 302k| ws[5] = accum.extract(); 191| 302k| accum.mul(ws[7], p[7]); 192| 302k| accum.add(z[14]); 193| 302k| ws[6] = accum.extract(); 194| 302k| accum.add(z[15]); 195| 302k| ws[7] = accum.extract(); 196| 302k| const word w1 = accum.extract(); 197| 302k| bigint_monty_maybe_sub<8>(r, w1, ws, p); 198| 302k|} _ZN5Botan17Barrett_ReductionC2ERKNS_6BigIntES1_m: 17| 13.3k| m_modulus(m), m_mu(std::move(mu)), m_mod_words(mw), m_modulus_bits(m.bits()) { 18| | // Give some extra space for Karatsuba 19| 13.3k| m_modulus.grow_to(m_mod_words + 8); 20| 13.3k| m_mu.grow_to(m_mod_words + 8); 21| 13.3k|} _ZN5Botan17Barrett_Reduction18for_secret_modulusERKNS_6BigIntE: 23| 1.04k|Barrett_Reduction Barrett_Reduction::for_secret_modulus(const BigInt& mod) { 24| 1.04k| BOTAN_ARG_CHECK(mod.signum() > 0, "Modulus must be positive"); ------------------ | | 35| 1.04k| do { \ | | 36| 1.04k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.04k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.04k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.04k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.04k] | | ------------------ ------------------ 25| | 26| 1.04k| const size_t mod_words = mod.sig_words(); 27| | 28| | // Compute mu = floor(2^{2k} / m) 29| 1.04k| const size_t mu_bits = 2 * WordInfo::bits * mod_words; 30| 1.04k| return Barrett_Reduction(mod, ct_divide_pow2k(mu_bits, mod), mod_words); 31| 1.04k|} _ZN5Botan17Barrett_Reduction18for_public_modulusERKNS_6BigIntE: 33| 12.2k|Barrett_Reduction Barrett_Reduction::for_public_modulus(const BigInt& mod) { 34| 12.2k| BOTAN_ARG_CHECK(mod.signum() > 0, "Modulus must be positive"); ------------------ | | 35| 12.2k| do { \ | | 36| 12.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 12.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 12.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 12.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 12.2k] | | ------------------ ------------------ 35| | 36| 12.2k| const size_t mod_words = mod.sig_words(); 37| | 38| | // Compute mu = floor(2^{2k} / m) 39| 12.2k| const size_t mu_bits = 2 * WordInfo::bits * mod_words; 40| 12.2k| return Barrett_Reduction(mod, vartime_divide_pow2k(mu_bits, mod), mod_words); 41| 12.2k|} _ZNK5Botan17Barrett_Reduction8multiplyERKNS_6BigIntES3_: 159| 979k|BigInt Barrett_Reduction::multiply(const BigInt& x, const BigInt& y) const { 160| 979k| BOTAN_ARG_CHECK(acceptable_barrett_input(x, m_modulus).as_bool(), "Invalid x param for Barrett multiply"); ------------------ | | 35| 979k| do { \ | | 36| 979k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 979k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 979k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 979k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 979k] | | ------------------ ------------------ 161| 979k| BOTAN_ARG_CHECK(acceptable_barrett_input(y, m_modulus).as_bool(), "Invalid y param for Barrett multiply"); ------------------ | | 35| 979k| do { \ | | 36| 979k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 979k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 979k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 979k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 979k] | | ------------------ ------------------ 162| | 163| 979k| secure_vector ws(2 * (m_mod_words + 2)); 164| 979k| secure_vector xy(2 * m_mod_words); 165| | 166| 979k| bigint_mul(xy.data(), 167| 979k| xy.size(), 168| 979k| x._data(), 169| 979k| x.size(), 170| 979k| std::min(x.size(), m_mod_words), 171| 979k| y._data(), 172| 979k| y.size(), 173| 979k| std::min(y.size(), m_mod_words), 174| 979k| ws.data(), 175| 979k| ws.size()); 176| | 177| 979k| return barrett_reduce(m_mod_words, m_modulus, m_mu, xy, ws); 178| 979k|} _ZNK5Botan17Barrett_Reduction6squareERKNS_6BigIntE: 180| 747k|BigInt Barrett_Reduction::square(const BigInt& x) const { 181| 747k| BOTAN_ARG_CHECK(acceptable_barrett_input(x, m_modulus).as_bool(), "Invalid x param for Barrett square"); ------------------ | | 35| 747k| do { \ | | 36| 747k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 747k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 747k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 747k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 747k] | | ------------------ ------------------ 182| | 183| 747k| secure_vector ws(2 * (m_mod_words + 2)); 184| 747k| secure_vector x2(2 * m_mod_words); 185| | 186| 747k| bigint_sqr(x2.data(), x2.size(), x._data(), x.size(), std::min(x.size(), m_mod_words), ws.data(), ws.size()); 187| | 188| 747k| return barrett_reduce(m_mod_words, m_modulus, m_mu, x2, ws); 189| 747k|} _ZNK5Botan17Barrett_Reduction6reduceERKNS_6BigIntE: 191| 1.29M|BigInt Barrett_Reduction::reduce(const BigInt& x) const { 192| 1.29M| BOTAN_ARG_CHECK(x.signum() >= 0, "Argument must be non-negative"); ------------------ | | 35| 1.29M| do { \ | | 36| 1.29M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.29M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.29M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.29M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.29M] | | ------------------ ------------------ 193| | 194| 1.29M| const size_t x_sw = x.sig_words(); 195| 1.29M| BOTAN_ARG_CHECK(x_sw <= 2 * m_mod_words, "Argument is too large for Barrett reduction"); ------------------ | | 35| 1.29M| do { \ | | 36| 1.29M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.29M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.29M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.29M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.29M] | | ------------------ ------------------ 196| | 197| 1.29M| x.grow_to(2 * m_mod_words); 198| | 199| 1.29M| secure_vector ws; 200| 1.29M| return barrett_reduce(m_mod_words, m_modulus, m_mu, x._as_span(), ws); 201| 1.29M|} barrett.cpp:_ZN5Botan12_GLOBAL__N_124acceptable_barrett_inputERKNS_6BigIntES3_: 151| 2.70M|CT::Choice acceptable_barrett_input(const BigInt& x, const BigInt& modulus) { 152| 2.70M| auto x_is_positive = CT::Choice::from_int(static_cast(x.signum() >= 0)); 153| 2.70M| auto x_lt_mod = bigint_ct_is_lt(x._data(), x.size(), modulus._data(), modulus.sig_words()).as_choice(); 154| 2.70M| return x_is_positive && x_lt_mod; 155| 2.70M|} barrett.cpp:_ZN5Botan12_GLOBAL__N_114barrett_reduceEmRKNS_6BigIntES3_NSt3__14spanIKmLm18446744073709551615EEERNS4_6vectorImNS_16secure_allocatorImEEEE: 54| 3.01M| size_t mod_words, const BigInt& modulus, const BigInt& mu, std::span x_words, secure_vector& ws) { 55| 3.01M| BOTAN_ASSERT_NOMSG(modulus.sig_words() == mod_words); ------------------ | | 77| 3.01M| do { \ | | 78| 3.01M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 3.01M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 3.01M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 3.01M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 3.01M] | | ------------------ ------------------ 56| | 57| | // Caller must expand input to be at least this size 58| 3.01M| BOTAN_ASSERT_NOMSG(x_words.size() >= 2 * mod_words); ------------------ | | 77| 3.01M| do { \ | | 78| 3.01M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 3.01M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 3.01M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 3.01M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 3.01M] | | ------------------ ------------------ 59| | 60| | // Normally mod_words + 1 but can be + 2 if the modulus is a power of 2 61| 3.01M| const size_t mu_words = mu.sig_words(); 62| 3.01M| BOTAN_ASSERT_NOMSG(mu_words <= mod_words + 2); ------------------ | | 77| 3.01M| do { \ | | 78| 3.01M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 3.01M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 3.01M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 3.01M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 3.01M] | | ------------------ ------------------ 63| | 64| 3.01M| if(ws.size() < 2 * (mod_words + 2)) { ------------------ | Branch (64:7): [True: 1.29M, False: 1.72M] ------------------ 65| 1.29M| ws.resize(2 * (mod_words + 2)); 66| 1.29M| } 67| | 68| 3.01M| CT::poison(x_words); 69| | 70| | /* 71| | * Following the notation of Handbook of Applied Cryptography 72| | * Algorithm 14.42 "Barrett modular reduction", page 604 73| | * 74| | * 75| | * Using `mu` for μ in the code 76| | */ 77| | 78| | // Compute q1 = floor(x / 2^(k - 1)) which is equivalent to ignoring the low (k-1) words 79| | 80| | // 2 * mod_words + 1 is sufficient, extra is to enable Karatsuba 81| 3.01M| secure_vector r(2 * mu_words + 2); 82| | 83| 3.01M| copy_mem(r.data(), x_words.data() + (mod_words - 1), mod_words + 1); 84| | 85| | // Now compute q2 = q1 * μ 86| | 87| | // We allocate more size than required since this allows Karatsuba more often; 88| | // just `mu_words + (mod_words + 1)` is sufficient 89| 3.01M| const size_t q2_size = 2 * mu_words + 2; 90| | 91| 3.01M| secure_vector q2(q2_size); 92| | 93| 3.01M| bigint_mul( 94| 3.01M| q2.data(), q2.size(), r.data(), r.size(), mod_words + 1, mu._data(), mu.size(), mu_words, ws.data(), ws.size()); 95| | 96| | // Compute r2 = (floor(q2 / b^(k+1)) * m) mod 2^(k+1) 97| | // The division/floor is again effected by just ignoring the low k + 1 words 98| 3.01M| bigint_mul(r.data(), 99| 3.01M| r.size(), 100| 3.01M| &q2[mod_words + 1], // ignoring the low mod_words + 1 words of the first product 101| 3.01M| q2.size() - (mod_words + 1), 102| 3.01M| mod_words + 1, 103| 3.01M| modulus._data(), 104| 3.01M| modulus.size(), 105| 3.01M| mod_words, 106| 3.01M| ws.data(), 107| 3.01M| ws.size()); 108| | 109| | // Clear the high words of the product, equivalent to computing mod 2^(k+1) 110| | // TODO add masked mul to avoid computing high bits at all 111| 3.01M| clear_mem(std::span{r}.subspan(mod_words + 1)); 112| | 113| | // Compute r = r1 - r2 114| | 115| | // The return value of bigint_sub_abs isn't quite right for what we need here so first compare 116| 3.01M| const int32_t relative_size = bigint_cmp(r.data(), mod_words + 1, x_words.data(), mod_words + 1); 117| | 118| 3.01M| bigint_sub_abs(r.data(), r.data(), x_words.data(), mod_words + 1, ws.data()); 119| | 120| | /* 121| | If r is negative then we have to set r to r + 2^(k+1) 122| | 123| | However for r negative computing this sum is equivalent to computing 2^(k+1) - abs(r) 124| | */ 125| 3.01M| clear_mem(ws.data(), mod_words + 2); 126| 3.01M| ws[mod_words + 1] = 1; 127| 3.01M| bigint_sub2(ws.data(), mod_words + 2, r.data(), mod_words + 2); 128| | 129| | // If relative_size > 0 then assign r to 2^(k+1) - r 130| 3.01M| CT::Mask::is_equal(static_cast(relative_size), 1).select_n(r.data(), ws.data(), r.data(), mod_words + 2); 131| | 132| | /* 133| | * Per HAC Note 14.44 (ii) "step 4 is repeated at most twice since 0 ≤ r < 3m" 134| | */ 135| 3.01M| const size_t bound = 2; 136| | 137| 3.01M| BOTAN_ASSERT_NOMSG(r.size() >= mod_words + 1); ------------------ | | 77| 3.01M| do { \ | | 78| 3.01M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 3.01M| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 3.01M] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 3.01M| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 3.01M] | | ------------------ ------------------ 138| 9.05M| for(size_t i = 0; i != bound; ++i) { ------------------ | Branch (138:22): [True: 6.03M, False: 3.01M] ------------------ 139| 6.03M| const word borrow = bigint_sub3(ws.data(), r.data(), mod_words + 1, modulus._data(), mod_words); 140| 6.03M| CT::Mask::is_zero(borrow).select_n(r.data(), ws.data(), r.data(), mod_words + 1); 141| 6.03M| } 142| | 143| 3.01M| CT::unpoison(q2); 144| 3.01M| CT::unpoison(r); 145| 3.01M| CT::unpoison(ws); 146| 3.01M| CT::unpoison(x_words); 147| | 148| 3.01M| return BigInt::_from_words(r); 149| 3.01M|} _ZN5Botan24inverse_mod_public_primeERKNS_6BigIntES2_: 294| 836|BigInt inverse_mod_public_prime(const BigInt& x, const BigInt& p) { 295| 836| BOTAN_ARG_CHECK(p.signum() > 0, "Modulus must be positive"); ------------------ | | 35| 836| do { \ | | 36| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 836| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 836] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 836| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 836] | | ------------------ ------------------ 296| 836| BOTAN_ARG_CHECK(x.signum() > 0, "Input must be positive"); ------------------ | | 35| 836| do { \ | | 36| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 836| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 836] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 836| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 836] | | ------------------ ------------------ 297| 836| BOTAN_ARG_CHECK(x < p, "Input must be less than modulus"); ------------------ | | 35| 836| do { \ | | 36| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 836| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 836] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 836| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 836] | | ------------------ ------------------ 298| 836| BOTAN_ARG_CHECK(p.is_odd() && p > 1, "Primes are odd integers greater than 1"); ------------------ | | 35| 836| do { \ | | 36| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.67k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 836, False: 0] | | | Branch (37:12): [True: 836, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 836| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 836] | | ------------------ ------------------ 299| | 300| | // TODO possibly use FLT, or the algorithm presented for this case in 301| | // Handbook of Elliptic and Hyperelliptic Curve Cryptography 302| | 303| 836| return inverse_mod_odd_modulus(x, p); 304| 836|} mod_inv.cpp:_ZN5Botan12_GLOBAL__N_123inverse_mod_odd_modulusERKNS_6BigIntES3_: 21| 836|BigInt inverse_mod_odd_modulus(const BigInt& n, const BigInt& mod) { 22| | // Caller should assure these preconditions: 23| 836| BOTAN_ASSERT_NOMSG(n.signum() >= 0); ------------------ | | 77| 836| do { \ | | 78| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 836| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 836] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 836| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 836] | | ------------------ ------------------ 24| 836| BOTAN_ASSERT_NOMSG(mod.signum() > 0); ------------------ | | 77| 836| do { \ | | 78| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 836| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 836] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 836| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 836] | | ------------------ ------------------ 25| 836| BOTAN_ASSERT_NOMSG(n < mod); ------------------ | | 77| 836| do { \ | | 78| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 836| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 836] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 836| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 836] | | ------------------ ------------------ 26| 836| BOTAN_ASSERT_NOMSG(mod >= 3 && mod.is_odd()); ------------------ | | 77| 836| do { \ | | 78| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.67k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 836, False: 0] | | | Branch (79:12): [True: 836, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 836| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 836] | | ------------------ ------------------ 27| | 28| | /* 29| | This uses a modular inversion algorithm designed by Niels Möller 30| | and implemented in Nettle. The same algorithm was later also 31| | adapted to GMP in mpn_sec_invert. 32| | 33| | It can be easily implemented in a way that does not depend on 34| | secret branches or memory lookups, providing resistance against 35| | some forms of side channel attack. 36| | 37| | There is also a description of the algorithm in Appendix 5 of "Fast 38| | Software Polynomial Multiplication on ARM Processors using the NEON Engine" 39| | by Danilo Câmara, Conrado P. L. Gouvêa, Julio López, and Ricardo 40| | Dahab in LNCS 8182 41| | https://inria.hal.science/hal-01506572/document 42| | 43| | Thanks to Niels for creating the algorithm, explaining some things 44| | about it, and the reference to the paper. 45| | */ 46| | 47| 836| const size_t mod_words = mod.sig_words(); 48| 836| BOTAN_ASSERT(mod_words > 0, "Not empty"); ------------------ | | 64| 836| do { \ | | 65| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 836| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 836] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 836| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 836] | | ------------------ ------------------ 49| | 50| 836| secure_vector tmp_mem(5 * mod_words); 51| | 52| 836| word* v_w = &tmp_mem[0]; // NOLINT(readability-container-data-pointer) 53| 836| word* u_w = &tmp_mem[1 * mod_words]; 54| 836| word* b_w = &tmp_mem[2 * mod_words]; 55| 836| word* a_w = &tmp_mem[3 * mod_words]; 56| 836| word* mp1o2 = &tmp_mem[4 * mod_words]; 57| | 58| 836| copy_mem(a_w, n._data(), std::min(n.size(), mod_words)); 59| 836| copy_mem(b_w, mod._data(), std::min(mod.size(), mod_words)); 60| 836| u_w[0] = 1; 61| | // v_w = 0 62| | 63| | // compute (mod + 1) / 2 which [because mod is odd] is equal to 64| | // (mod / 2) + 1 65| 836| copy_mem(mp1o2, mod._data(), std::min(mod.size(), mod_words)); 66| 836| bigint_shr1(mp1o2, mod_words, 1); 67| 836| const word carry = bigint_add2(mp1o2, mod_words, u_w, 1); 68| 836| BOTAN_ASSERT_NOMSG(carry == 0); ------------------ | | 77| 836| do { \ | | 78| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 836| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 836] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 836| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 836] | | ------------------ ------------------ 69| | 70| 836| CT::poison(tmp_mem.data(), tmp_mem.size()); 71| | 72| | // Only n.bits() + mod.bits() iterations are required, but avoid leaking the size of n 73| 836| const size_t execs = 2 * mod.bits(); 74| | 75| 389k| for(size_t i = 0; i != execs; ++i) { ------------------ | Branch (75:22): [True: 388k, False: 836] ------------------ 76| 388k| const word odd_a = a_w[0] & 1; 77| | 78| | //if(odd_a) a -= b 79| 388k| const word underflow = bigint_cnd_sub(odd_a, a_w, b_w, mod_words); 80| | 81| | //if(underflow) { b -= a; a = abs(a); swap(u, v); } 82| 388k| bigint_cnd_add(underflow, b_w, a_w, mod_words); 83| 388k| bigint_cnd_abs(underflow, a_w, mod_words); 84| 388k| bigint_cnd_swap(underflow, u_w, v_w, mod_words); 85| | 86| | // a >>= 1 87| 388k| bigint_shr1(a_w, mod_words, 1); 88| | 89| | //if(odd_a) u -= v; 90| 388k| const word borrow = bigint_cnd_sub(odd_a, u_w, v_w, mod_words); 91| | 92| | // if(borrow) u += p 93| 388k| bigint_cnd_add(borrow, u_w, mod._data(), mod_words); 94| | 95| 388k| const word odd_u = u_w[0] & 1; 96| | 97| | // u >>= 1 98| 388k| bigint_shr1(u_w, mod_words, 1); 99| | 100| | //if(odd_u) u += mp1o2; 101| 388k| bigint_cnd_add(odd_u, u_w, mp1o2, mod_words); 102| 388k| } 103| | 104| 836| const auto a_is_0 = CT::all_zeros(a_w, mod_words); 105| | 106| 836| auto b_is_1 = CT::Mask::is_equal(b_w[0], 1); 107| 3.46k| for(size_t i = 1; i != mod_words; ++i) { ------------------ | Branch (107:22): [True: 2.62k, False: 836] ------------------ 108| 2.62k| b_is_1 &= CT::Mask::is_zero(b_w[i]); 109| 2.62k| } 110| | 111| 836| BOTAN_ASSERT(a_is_0.as_bool(), "A is zero"); ------------------ | | 64| 836| do { \ | | 65| 836| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 836| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 836] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 836| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 836] | | ------------------ ------------------ 112| | 113| | // if b != 1 then gcd(n,mod) > 1 and inverse does not exist 114| | // in which case zero out the result to indicate this 115| 836| (~b_is_1).if_set_zero_out(v_w, mod_words); 116| | 117| | /* 118| | * We've placed the result in the lowest words of the temp buffer. 119| | * So just clear out the other values and then give that buffer to a 120| | * BigInt. 121| | */ 122| 836| clear_mem(&tmp_mem[mod_words], 4 * mod_words); 123| | 124| 836| CT::unpoison(tmp_mem.data(), tmp_mem.size()); 125| | 126| 836| BigInt r; 127| 836| r.swap_reg(tmp_mem); 128| 836| return r; 129| 836|} _ZN5Botan17Montgomery_Params4DataC2ERKNS_6BigIntERKNS_17Barrett_ReductionE: 40| 6.16k|Montgomery_Params::Data::Data(const BigInt& p, const Barrett_Reduction& mod_p) { 41| 6.16k| if(p.is_even() || p < 3) { ------------------ | Branch (41:7): [True: 0, False: 6.16k] | Branch (41:22): [True: 0, False: 6.16k] ------------------ 42| 0| throw Invalid_Argument("Montgomery_Params invalid modulus"); 43| 0| } 44| | 45| 6.16k| m_p = p; 46| 6.16k| m_p_words = m_p.sig_words(); 47| 6.16k| m_p_dash = monty_inverse(m_p.word_at(0)); 48| | 49| 6.16k| const BigInt r = BigInt::power_of_2(m_p_words * WordInfo::bits); 50| | 51| 6.16k| m_r1 = mod_p.reduce(r); 52| 6.16k| m_r2 = mod_p.square(m_r1); 53| 6.16k| m_r3 = mod_p.multiply(m_r1, m_r2); 54| | 55| | // Barrett should be at least zero prefixing up to modulus size 56| 6.16k| BOTAN_ASSERT_NOMSG(m_r1.size() >= m_p_words); ------------------ | | 77| 6.16k| do { \ | | 78| 6.16k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 6.16k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 6.16k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 6.16k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 6.16k] | | ------------------ ------------------ 57| 6.16k| BOTAN_ASSERT_NOMSG(m_r2.size() >= m_p_words); ------------------ | | 77| 6.16k| do { \ | | 78| 6.16k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 6.16k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 6.16k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 6.16k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 6.16k] | | ------------------ ------------------ 58| 6.16k| BOTAN_ASSERT_NOMSG(m_r3.size() >= m_p_words); ------------------ | | 77| 6.16k| do { \ | | 78| 6.16k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 6.16k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 6.16k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 6.16k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 6.16k] | | ------------------ ------------------ 59| 6.16k|} _ZN5Botan17Montgomery_ParamsC2ERKNS_6BigIntERKNS_17Barrett_ReductionE: 62| 6.16k| m_data(std::make_shared(p, mod_p)) {} _ZN5Botan17Montgomery_ParamsC2ERKNS_6BigIntE: 65| 1.04k| Montgomery_Params(p, Barrett_Reduction::for_secret_modulus(p)) {} _ZNK5Botan17Montgomery_ParamseqERKS0_: 67| 47.7k|bool Montgomery_Params::operator==(const Montgomery_Params& other) const { 68| 47.7k| if(this->m_data == other.m_data) { ------------------ | Branch (68:7): [True: 47.7k, False: 0] ------------------ 69| 47.7k| return true; 70| 47.7k| } 71| | 72| 0| return (this->m_data->p() == other.m_data->p()); 73| 47.7k|} _ZNK5Botan17Montgomery_Params4redcERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 75| 367|BigInt Montgomery_Params::redc(const BigInt& x, secure_vector& ws) const { 76| 367| const size_t p_size = this->p_words(); 77| | 78| 367| if(ws.size() < p_size) { ------------------ | Branch (78:7): [True: 200, False: 167] ------------------ 79| 200| ws.resize(p_size); 80| 200| } 81| | 82| 367| BigInt z = x; 83| 367| z.grow_to(2 * p_size); 84| | 85| 367| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 86| | 87| 367| return z; 88| 367|} _ZNK5Botan17Montgomery_Params3mulERKNS_6BigIntES3_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 90| 1.83M|BigInt Montgomery_Params::mul(const BigInt& x, const BigInt& y, secure_vector& ws) const { 91| 1.83M| const size_t p_size = this->p_words(); 92| 1.83M| BigInt z = BigInt::with_capacity(2 * p_size); 93| 1.83M| this->mul(z, x, y, ws); 94| 1.83M| return z; 95| 1.83M|} _ZNK5Botan17Montgomery_Params3mulERNS_6BigIntERKS1_S4_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 97| 7.30M|void Montgomery_Params::mul(BigInt& z, const BigInt& x, const BigInt& y, secure_vector& ws) const { 98| 7.30M| BOTAN_ARG_CHECK(&z != &x && &z != &y, "Montgomery_Params::mul output must not alias inputs"); ------------------ | | 35| 7.30M| do { \ | | 36| 7.30M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 14.6M| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 7.30M, False: 0] | | | Branch (37:12): [True: 7.30M, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 7.30M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 7.30M] | | ------------------ ------------------ 99| | 100| 7.30M| const size_t p_size = this->p_words(); 101| | 102| 7.30M| if(ws.size() < 2 * p_size) { ------------------ | Branch (102:7): [True: 3.81k, False: 7.30M] ------------------ 103| 3.81k| ws.resize(2 * p_size); 104| 3.81k| } 105| | 106| 7.30M| BOTAN_DEBUG_ASSERT(x.sig_words() <= p_size); ------------------ | | 130| 7.30M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 7.30M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 7.30M] | | ------------------ ------------------ 107| 7.30M| BOTAN_DEBUG_ASSERT(y.sig_words() <= p_size); ------------------ | | 130| 7.30M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 7.30M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 7.30M] | | ------------------ ------------------ 108| | 109| 7.30M| if(z.size() < 2 * p_size) { ------------------ | Branch (109:7): [True: 610k, False: 6.69M] ------------------ 110| 610k| z.grow_to(2 * p_size); 111| 610k| } 112| | 113| 7.30M| bigint_mul(z.mutable_data(), 114| 7.30M| z.size(), 115| 7.30M| x._data(), 116| 7.30M| x.size(), 117| 7.30M| std::min(p_size, x.size()), 118| 7.30M| y._data(), 119| 7.30M| y.size(), 120| 7.30M| std::min(p_size, y.size()), 121| 7.30M| ws.data(), 122| 7.30M| ws.size()); 123| | 124| 7.30M| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 125| 7.30M|} _ZNK5Botan17Montgomery_Params3mulERNS_6BigIntERKS1_NSt3__14spanIKmLm18446744073709551615EEERNS5_6vectorImNS_16secure_allocatorImEEEE: 127| 1.40M|void Montgomery_Params::mul(BigInt& z, const BigInt& x, std::span y, secure_vector& ws) const { 128| 1.40M| BOTAN_ARG_CHECK(&z != &x, "Montgomery_Params::mul output must not alias x"); ------------------ | | 35| 1.40M| do { \ | | 36| 1.40M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.40M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.40M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.40M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.40M] | | ------------------ ------------------ 129| 1.40M| BOTAN_ARG_CHECK(!ranges_overlap(z._data(), z.size(), y.data(), y.size()), ------------------ | | 35| 1.40M| do { \ | | 36| 1.40M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.40M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.40M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.40M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.40M] | | ------------------ ------------------ 130| 1.40M| "Montgomery_Params::mul output must not overlap y"); 131| | 132| 1.40M| const size_t p_size = this->p_words(); 133| | 134| 1.40M| if(ws.size() < 2 * p_size) { ------------------ | Branch (134:7): [True: 0, False: 1.40M] ------------------ 135| 0| ws.resize(2 * p_size); 136| 0| } 137| 1.40M| if(z.size() < 2 * p_size) { ------------------ | Branch (137:7): [True: 0, False: 1.40M] ------------------ 138| 0| z.grow_to(2 * p_size); 139| 0| } 140| | 141| 1.40M| BOTAN_DEBUG_ASSERT(x.sig_words() <= p_size); ------------------ | | 130| 1.40M| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 1.40M| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 1.40M] | | ------------------ ------------------ 142| | 143| 1.40M| bigint_mul(z.mutable_data(), 144| 1.40M| z.size(), 145| 1.40M| x._data(), 146| 1.40M| x.size(), 147| 1.40M| std::min(p_size, x.size()), 148| 1.40M| y.data(), 149| 1.40M| y.size(), 150| 1.40M| std::min(p_size, y.size()), 151| 1.40M| ws.data(), 152| 1.40M| ws.size()); 153| | 154| 1.40M| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 155| 1.40M|} _ZNK5Botan17Montgomery_Params6mul_byERNS_6BigIntERKS1_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 157| 10.3k|void Montgomery_Params::mul_by(BigInt& x, const BigInt& y, secure_vector& ws) const { 158| 10.3k| const size_t p_size = this->p_words(); 159| | 160| 10.3k| if(ws.size() < 4 * p_size) { ------------------ | Branch (160:7): [True: 5.15k, False: 5.15k] ------------------ 161| 5.15k| ws.resize(4 * p_size); 162| 5.15k| } 163| | 164| 10.3k| word* z_data = ws.data(); 165| 10.3k| word* ws_data = &ws[2 * p_size]; 166| | 167| 10.3k| BOTAN_DEBUG_ASSERT(x.sig_words() <= p_size); ------------------ | | 130| 10.3k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 10.3k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 10.3k] | | ------------------ ------------------ 168| | 169| 10.3k| bigint_mul(z_data, 170| 10.3k| 2 * p_size, 171| 10.3k| x._data(), 172| 10.3k| x.size(), 173| 10.3k| std::min(p_size, x.size()), 174| 10.3k| y._data(), 175| 10.3k| y.size(), 176| 10.3k| std::min(p_size, y.size()), 177| 10.3k| ws_data, 178| 10.3k| 2 * p_size); 179| | 180| 10.3k| bigint_monty_redc_inplace(z_data, this->p()._data(), p_size, this->p_dash(), ws_data, 2 * p_size); 181| | 182| 10.3k| if(x.size() < 2 * p_size) { ------------------ | Branch (182:7): [True: 3.29k, False: 7.01k] ------------------ 183| 3.29k| x.grow_to(2 * p_size); 184| 3.29k| } 185| 10.3k| copy_mem(x.mutable_data(), z_data, 2 * p_size); 186| 10.3k|} _ZNK5Botan17Montgomery_Params3sqrERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 188| 351|BigInt Montgomery_Params::sqr(const BigInt& x, secure_vector& ws) const { 189| 351| BOTAN_DEBUG_ASSERT(x.sig_words() <= this->p_words()); ------------------ | | 130| 351| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 351| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 351] | | ------------------ ------------------ 190| 351| return this->sqr(std::span{x._data(), x.size()}, ws); 191| 351|} _ZNK5Botan17Montgomery_Params3sqrENSt3__14spanIKmLm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEE: 193| 351|BigInt Montgomery_Params::sqr(std::span x, secure_vector& ws) const { 194| 351| const size_t p_size = this->p_words(); 195| 351| BigInt z = BigInt::with_capacity(2 * p_size); 196| 351| this->sqr(z, x, ws); 197| 351| return z; 198| 351|} _ZNK5Botan17Montgomery_Params3sqrERNS_6BigIntERKS1_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 200| 2.71M|void Montgomery_Params::sqr(BigInt& z, const BigInt& x, secure_vector& ws) const { 201| 2.71M| BOTAN_ARG_CHECK(&z != &x, "Montgomery_Params::sqr output must not alias input"); ------------------ | | 35| 2.71M| do { \ | | 36| 2.71M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.71M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.71M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.71M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.71M] | | ------------------ ------------------ 202| 2.71M| this->sqr(z, std::span{x._data(), x.size()}, ws); 203| 2.71M|} _ZNK5Botan17Montgomery_Params3sqrERNS_6BigIntENSt3__14spanIKmLm18446744073709551615EEERNS3_6vectorImNS_16secure_allocatorImEEEE: 205| 3.06M|void Montgomery_Params::sqr(BigInt& z, std::span x, secure_vector& ws) const { 206| 3.06M| BOTAN_ARG_CHECK(!ranges_overlap(z._data(), z.size(), x.data(), x.size()), ------------------ | | 35| 3.06M| do { \ | | 36| 3.06M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 3.06M| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 3.06M] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 3.06M| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 3.06M] | | ------------------ ------------------ 207| 3.06M| "Montgomery_Params::sqr output must not overlap input"); 208| | 209| 3.06M| const size_t p_size = this->p_words(); 210| | 211| 3.06M| if(ws.size() < 2 * p_size) { ------------------ | Branch (211:7): [True: 83, False: 3.06M] ------------------ 212| 83| ws.resize(2 * p_size); 213| 83| } 214| | 215| 3.06M| if(z.size() < 2 * p_size) { ------------------ | Branch (215:7): [True: 45.7k, False: 3.01M] ------------------ 216| 45.7k| z.grow_to(2 * p_size); 217| 45.7k| } 218| | 219| 3.06M| bigint_sqr(z.mutable_data(), z.size(), x.data(), x.size(), std::min(p_size, x.size()), ws.data(), ws.size()); 220| | 221| 3.06M| bigint_monty_redc_inplace(z.mutable_data(), this->p()._data(), p_size, this->p_dash(), ws.data(), ws.size()); 222| 3.06M|} _ZN5Botan14Montgomery_IntC2ERKNS_17Montgomery_ParamsENSt3__16vectorImNS_16secure_allocatorImEEEE: 227| 25.5k| m_params(params), m_v(std::move(words)) { 228| 25.5k| BOTAN_ASSERT_NOMSG(m_v.size() == m_params.p_words()); ------------------ | | 77| 25.5k| do { \ | | 78| 25.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 25.5k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 25.5k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 25.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 25.5k] | | ------------------ ------------------ 229| 25.5k|} _ZN5Botan14Montgomery_Int3oneERKNS_17Montgomery_ParamsE: 231| 3.65k|Montgomery_Int Montgomery_Int::one(const Montgomery_Params& params) { 232| 3.65k| return Montgomery_Int(params, params.R1(), false); 233| 3.65k|} _ZN5Botan14Montgomery_IntC2ERKNS_17Montgomery_ParamsERKNS_6BigIntEb: 242| 7.31k| m_params(params), m_v(m_params.p_words()) { 243| 7.31k| BOTAN_ARG_CHECK(v.signum() >= 0 && v < m_params.p(), "Input out of range"); ------------------ | | 35| 7.31k| do { \ | | 36| 7.31k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 14.6k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 7.31k, False: 0] | | | Branch (37:12): [True: 7.31k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 7.31k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 7.31k] | | ------------------ ------------------ 244| | 245| 7.31k| const size_t p_size = m_params.p_words(); 246| | 247| 7.31k| auto v_span = v._as_span(); 248| | 249| 7.31k| if(v_span.size() > p_size) { ------------------ | Branch (249:7): [True: 6.88k, False: 422] ------------------ 250| | // Safe to truncate the span since we already checked v < p 251| 6.88k| v_span = v_span.first(p_size); 252| 6.88k| } 253| | 254| 7.31k| BOTAN_ASSERT_NOMSG(m_v.size() >= v_span.size()); ------------------ | | 77| 7.31k| do { \ | | 78| 7.31k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 7.31k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 7.31k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 7.31k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 7.31k] | | ------------------ ------------------ 255| | 256| 7.31k| copy_mem(std::span{m_v}.first(v_span.size()), v_span); 257| | 258| 7.31k| if(redc_needed) { ------------------ | Branch (258:7): [True: 3.65k, False: 3.65k] ------------------ 259| 3.65k| secure_vector ws; 260| 3.65k| this->mul_by(m_params.R2()._as_span().first(p_size), ws); 261| 3.65k| } 262| 7.31k|} _ZN5Botan14Montgomery_IntC2ERKNS_17Montgomery_ParamsENSt3__14spanIKmLm18446744073709551615EEE: 265| 1.58k| m_params(params), m_v(words.begin(), words.end()) { 266| 1.58k| BOTAN_ARG_CHECK(m_v.size() == m_params.p_words(), "Invalid input span"); ------------------ | | 35| 1.58k| do { \ | | 36| 1.58k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.58k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.58k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.58k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.58k] | | ------------------ ------------------ 267| 1.58k|} _ZNK5Botan14Montgomery_Int5valueEv: 273| 3.59k|BigInt Montgomery_Int::value() const { 274| 3.59k| secure_vector ws(m_params.p_words()); 275| | 276| 3.59k| secure_vector z = m_v; 277| 3.59k| z.resize(2 * m_params.p_words()); // zero extend 278| | 279| 3.59k| bigint_monty_redc_inplace( 280| 3.59k| z.data(), m_params.p()._data(), m_params.p_words(), m_params.p_dash(), ws.data(), ws.size()); 281| | 282| 3.59k| return BigInt::_from_words(z); 283| 3.59k|} _ZNK5Botan14Montgomery_Int3mulERKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 320| 25.5k|Montgomery_Int Montgomery_Int::mul(const Montgomery_Int& other, secure_vector& ws) const { 321| 25.5k| BOTAN_STATE_CHECK(other.m_params == m_params); ------------------ | | 51| 25.5k| do { \ | | 52| 25.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 25.5k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 25.5k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 25.5k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 25.5k] | | ------------------ ------------------ 322| | 323| 25.5k| const size_t p_size = m_params.p_words(); 324| 25.5k| BOTAN_ASSERT_NOMSG(m_v.size() == p_size && other.m_v.size() == p_size); ------------------ | | 77| 25.5k| do { \ | | 78| 25.5k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 51.1k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 25.5k, False: 0] | | | Branch (79:12): [True: 25.5k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 25.5k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 25.5k] | | ------------------ ------------------ 325| | 326| 25.5k| if(ws.size() < 2 * p_size) { ------------------ | Branch (326:7): [True: 0, False: 25.5k] ------------------ 327| 0| ws.resize(2 * p_size); 328| 0| } 329| | 330| 25.5k| secure_vector z(2 * p_size); 331| | 332| 25.5k| bigint_mul(z.data(), z.size(), m_v.data(), p_size, p_size, other.m_v.data(), p_size, p_size, ws.data(), ws.size()); 333| | 334| 25.5k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 335| 25.5k| z.resize(p_size); // truncate off high zero words 336| | 337| 25.5k| return Montgomery_Int(m_params, std::move(z)); 338| 25.5k|} _ZN5Botan14Montgomery_Int6mul_byERKS0_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 340| 22.1k|Montgomery_Int& Montgomery_Int::mul_by(const Montgomery_Int& other, secure_vector& ws) { 341| 22.1k| BOTAN_STATE_CHECK(other.m_params == m_params); ------------------ | | 51| 22.1k| do { \ | | 52| 22.1k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 22.1k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 22.1k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 22.1k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 22.1k] | | ------------------ ------------------ 342| 22.1k| return this->mul_by(std::span{other.m_v}, ws); 343| 22.1k|} _ZN5Botan14Montgomery_Int6mul_byENSt3__14spanIKmLm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEE: 345| 145k|Montgomery_Int& Montgomery_Int::mul_by(std::span other, secure_vector& ws) { 346| 145k| const size_t p_size = m_params.p_words(); 347| 145k| BOTAN_ASSERT_NOMSG(m_v.size() == p_size && other.size() == p_size); ------------------ | | 77| 145k| do { \ | | 78| 145k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 290k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 145k, False: 0] | | | Branch (79:12): [True: 145k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 145k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 145k] | | ------------------ ------------------ 348| | 349| 145k| if(ws.size() < 2 * p_size) { ------------------ | Branch (349:7): [True: 3.65k, False: 141k] ------------------ 350| 3.65k| ws.resize(2 * p_size); 351| 3.65k| } 352| | 353| 145k| auto do_mul_by = [&](std::span z) { 354| 145k| bigint_mul(z.data(), z.size(), m_v.data(), p_size, p_size, other.data(), p_size, p_size, ws.data(), ws.size()); 355| | 356| 145k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 357| | 358| 145k| copy_mem(m_v, z.first(p_size)); 359| 145k| }; 360| | 361| 145k| if(p_size <= MontgomeryUseStackLimit) { ------------------ | Branch (361:7): [True: 145k, False: 0] ------------------ 362| 145k| std::array z{}; 363| 145k| do_mul_by(z); 364| 145k| } else { 365| 0| secure_vector z(2 * p_size); 366| 0| do_mul_by(z); 367| 0| } 368| | 369| 145k| return (*this); 370| 145k|} _ZN5Botan14Montgomery_Int19square_this_n_timesERNSt3__16vectorImNS_16secure_allocatorImEEEEm: 372| 169k|Montgomery_Int& Montgomery_Int::square_this_n_times(secure_vector& ws, size_t n) { 373| 169k| const size_t p_size = m_params.p_words(); 374| 169k| BOTAN_ASSERT_NOMSG(m_v.size() == p_size); ------------------ | | 77| 169k| do { \ | | 78| 169k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 169k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 169k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 169k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 169k] | | ------------------ ------------------ 375| | 376| 169k| if(ws.size() < 2 * p_size) { ------------------ | Branch (376:7): [True: 0, False: 169k] ------------------ 377| 0| ws.resize(2 * p_size); 378| 0| } 379| | 380| 169k| auto do_sqr_n = [&](std::span z) { 381| 169k| for(size_t i = 0; i != n; ++i) { 382| 169k| bigint_sqr(z.data(), 2 * p_size, m_v.data(), p_size, p_size, ws.data(), ws.size()); 383| | 384| 169k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 385| | 386| 169k| copy_mem(m_v, std::span{z}.first(p_size)); 387| 169k| } 388| 169k| }; 389| | 390| 169k| if(p_size <= MontgomeryUseStackLimit) { ------------------ | Branch (390:7): [True: 169k, False: 0] ------------------ 391| 169k| std::array z{}; 392| 169k| do_sqr_n(z); 393| 169k| } else { 394| 0| secure_vector z(2 * p_size); 395| 0| do_sqr_n(z); 396| 0| } 397| | 398| 169k| return (*this); 399| 169k|} _ZNK5Botan14Montgomery_Int6squareERNSt3__16vectorImNS_16secure_allocatorImEEEE: 401| 25.5k|Montgomery_Int Montgomery_Int::square(secure_vector& ws) const { 402| 25.5k| auto z = (*this); 403| 25.5k| z.square_this_n_times(ws, 1); 404| 25.5k| return z; 405| 25.5k|} monty.cpp:_ZN5Botan12_GLOBAL__N_114ranges_overlapEPKmmS2_m: 30| 4.46M|bool ranges_overlap(const word* a, size_t na, const word* b, size_t nb) { 31| 4.46M| if(na == 0 || nb == 0) { ------------------ | Branch (31:7): [True: 736, False: 4.46M] | Branch (31:18): [True: 0, False: 4.46M] ------------------ 32| 736| return false; 33| 736| } 34| 4.46M| const std::less lt; // NOLINT(modernize-use-transparent-functors) 35| 4.46M| return lt(a, b + nb) && lt(b, a + na); ------------------ | Branch (35:11): [True: 2.93M, False: 1.53M] | Branch (35:28): [True: 0, False: 2.93M] ------------------ 36| 4.46M|} monty.cpp:_ZZN5Botan14Montgomery_Int6mul_byENSt3__14spanIKmLm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEEENK3$_0clENS2_ImLm18446744073709551615EEE: 353| 145k| auto do_mul_by = [&](std::span z) { 354| 145k| bigint_mul(z.data(), z.size(), m_v.data(), p_size, p_size, other.data(), p_size, p_size, ws.data(), ws.size()); 355| | 356| 145k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 357| | 358| 145k| copy_mem(m_v, z.first(p_size)); 359| 145k| }; monty.cpp:_ZZN5Botan14Montgomery_Int19square_this_n_timesERNSt3__16vectorImNS_16secure_allocatorImEEEEmENK3$_0clENS1_4spanImLm18446744073709551615EEE: 380| 169k| auto do_sqr_n = [&](std::span z) { 381| 770k| for(size_t i = 0; i != n; ++i) { ------------------ | Branch (381:25): [True: 601k, False: 169k] ------------------ 382| 601k| bigint_sqr(z.data(), 2 * p_size, m_v.data(), p_size, p_size, ws.data(), ws.size()); 383| | 384| 601k| bigint_monty_redc_inplace(z.data(), m_params.p()._data(), p_size, m_params.p_dash(), ws.data(), ws.size()); 385| | 386| 601k| copy_mem(m_v, std::span{z}.first(p_size)); 387| 601k| } 388| 169k| }; _ZN5Botan31Montgomery_Exponentiation_StateC2ERKNS_14Montgomery_IntEmb: 36| 3.65k| m_params(g._params()), m_window_bits(window_bits == 0 ? 4 : window_bits) { ------------------ | Branch (36:44): [True: 0, False: 3.65k] ------------------ 37| 3.65k| if(m_window_bits < 1 || m_window_bits > 12) { // really even 8 is too large ... ------------------ | Branch (37:7): [True: 0, False: 3.65k] | Branch (37:28): [True: 0, False: 3.65k] ------------------ 38| 0| throw Invalid_Argument("Invalid window bits for Montgomery exponentiation"); 39| 0| } 40| | 41| 3.65k| const size_t window_size = (static_cast(1) << m_window_bits); 42| | 43| 3.65k| m_g.reserve(window_size); 44| | 45| 3.65k| m_g.push_back(Montgomery_Int::one(m_params)); 46| | 47| 3.65k| m_g.push_back(g); 48| | 49| 3.65k| secure_vector ws(2 * m_params.p_words()); 50| | 51| 54.8k| for(size_t i = 2; i != window_size; ++i) { ------------------ | Branch (51:22): [True: 51.1k, False: 3.65k] ------------------ 52| 51.1k| if(i % 2 == 0) { ------------------ | Branch (52:10): [True: 25.5k, False: 25.5k] ------------------ 53| 25.5k| m_g.push_back(m_g[i / 2].square(ws)); 54| 25.5k| } else { 55| 25.5k| m_g.push_back(m_g[1].mul(m_g[i - 1], ws)); 56| 25.5k| } 57| 51.1k| } 58| | 59| 3.65k| if(const_time) { ------------------ | Branch (59:7): [True: 1.63k, False: 2.01k] ------------------ 60| 1.63k| CT::poison_range(m_g); 61| 1.63k| } 62| 3.65k|} _ZNK5Botan31Montgomery_Exponentiation_State14exponentiationERKNS_6BigIntEm: 91| 1.58k|Montgomery_Int Montgomery_Exponentiation_State::exponentiation(const BigInt& scalar, size_t max_k_bits) const { 92| 1.58k| BOTAN_ARG_CHECK(scalar.signum() >= 0, "Invalid scalar for Montgomery exponentiation"); ------------------ | | 35| 1.58k| do { \ | | 36| 1.58k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.58k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.58k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.58k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.58k] | | ------------------ ------------------ 93| 1.58k| BOTAN_DEBUG_ASSERT(scalar.bits() <= max_k_bits); ------------------ | | 130| 1.58k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 1.58k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 1.58k] | | ------------------ ------------------ 94| | // TODO add a const-time implementation of above assert and use it in release builds 95| | 96| 1.58k| const size_t exp_nibbles = (max_k_bits + m_window_bits - 1) / m_window_bits; 97| | 98| 1.58k| if(exp_nibbles == 0) { ------------------ | Branch (98:7): [True: 0, False: 1.58k] ------------------ 99| 0| return Montgomery_Int::one(m_params); 100| 0| } 101| | 102| 1.58k| secure_vector e_bits(m_params.p_words()); 103| 1.58k| secure_vector ws(2 * m_params.p_words()); 104| | 105| 1.58k| const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)); 106| 1.58k| Montgomery_Int x(m_params, std::span{e_bits}); 107| | 108| 120k| for(size_t i = exp_nibbles - 1; i > 0; --i) { ------------------ | Branch (108:36): [True: 119k, False: 1.58k] ------------------ 109| 119k| x.square_this_n_times(ws, m_window_bits); 110| 119k| const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (i - 1), m_window_bits)); 111| 119k| x.mul_by(e_bits, ws); 112| 119k| } 113| | 114| 1.58k| CT::unpoison(x); 115| 1.58k| return x; 116| 1.58k|} _ZNK5Botan31Montgomery_Exponentiation_State22exponentiation_vartimeERKNS_6BigIntE: 118| 2.01k|Montgomery_Int Montgomery_Exponentiation_State::exponentiation_vartime(const BigInt& scalar) const { 119| 2.01k| const size_t exp_nibbles = (scalar.bits() + m_window_bits - 1) / m_window_bits; 120| | 121| 2.01k| secure_vector ws(2 * m_params.p_words()); 122| | 123| 2.01k| if(exp_nibbles == 0) { ------------------ | Branch (123:7): [True: 0, False: 2.01k] ------------------ 124| 0| return Montgomery_Int::one(m_params); 125| 0| } 126| | 127| 2.01k| Montgomery_Int x = m_g[scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)]; 128| | 129| 26.5k| for(size_t i = exp_nibbles - 1; i > 0; --i) { ------------------ | Branch (129:36): [True: 24.5k, False: 2.01k] ------------------ 130| 24.5k| x.square_this_n_times(ws, m_window_bits); 131| | 132| 24.5k| const uint32_t nibble = scalar.get_substring(m_window_bits * (i - 1), m_window_bits); 133| 24.5k| if(nibble > 0) { ------------------ | Branch (133:10): [True: 22.1k, False: 2.42k] ------------------ 134| 22.1k| x.mul_by(m_g[nibble], ws); 135| 22.1k| } 136| 24.5k| } 137| | 138| 2.01k| CT::unpoison(x); 139| 2.01k| return x; 140| 2.01k|} _ZN5Botan16monty_precomputeERKNS_14Montgomery_IntEmb: 144| 3.65k| bool const_time) { 145| 3.65k| return std::make_shared(g, window_bits, const_time); 146| 3.65k|} _ZN5Botan16monty_precomputeERKNS_17Montgomery_ParamsERKNS_6BigIntEmb: 151| 3.65k| bool const_time) { 152| 3.65k| BOTAN_ARG_CHECK(g.signum() >= 0 && g < params.p(), "Montgomery exponentiation base integer out of range"); ------------------ | | 35| 3.65k| do { \ | | 36| 3.65k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 7.31k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 3.65k, False: 0] | | | Branch (37:12): [True: 3.65k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 3.65k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 3.65k] | | ------------------ ------------------ 153| 3.65k| const Montgomery_Int monty_g(params, g); 154| 3.65k| return monty_precompute(monty_g, window_bits, const_time); 155| 3.65k|} _ZN5Botan13monty_executeERKNS_31Montgomery_Exponentiation_StateERKNS_6BigIntEm: 159| 1.58k| size_t max_k_bits) { 160| 1.58k| return precomputed_state.exponentiation(k, max_k_bits); 161| 1.58k|} _ZN5Botan21monty_execute_vartimeERKNS_31Montgomery_Exponentiation_StateERKNS_6BigIntE: 163| 2.01k|Montgomery_Int monty_execute_vartime(const Montgomery_Exponentiation_State& precomputed_state, const BigInt& k) { 164| 2.01k| return precomputed_state.exponentiation_vartime(k); 165| 2.01k|} monty_exp.cpp:_ZN5Botan12_GLOBAL__N_117const_time_lookupERNSt3__16vectorImNS_16secure_allocatorImEEEERKNS2_INS_14Montgomery_IntENS1_9allocatorIS7_EEEEm: 66| 120k|void const_time_lookup(secure_vector& output, const std::vector& g, size_t nibble) { 67| 120k| BOTAN_ASSERT_NOMSG(g.size() % 2 == 0); // actually a power of 2 ------------------ | | 77| 120k| do { \ | | 78| 120k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 120k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 120k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 120k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 120k] | | ------------------ ------------------ 68| | 69| 120k| const size_t words = output.size(); 70| | 71| 120k| clear_mem(output.data(), output.size()); 72| | 73| 1.08M| for(size_t i = 0; i != g.size(); i += 2) { ------------------ | Branch (73:22): [True: 967k, False: 120k] ------------------ 74| 967k| const secure_vector& vec_0 = g[i].repr(); 75| 967k| const secure_vector& vec_1 = g[i + 1].repr(); 76| | 77| 967k| BOTAN_ASSERT_NOMSG(vec_0.size() >= words && vec_1.size() >= words); ------------------ | | 77| 967k| do { \ | | 78| 967k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.93M| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 967k, False: 0] | | | Branch (79:12): [True: 967k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 967k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 967k] | | ------------------ ------------------ 78| | 79| 967k| const auto mask_0 = CT::Mask::is_equal(nibble, i); 80| 967k| const auto mask_1 = CT::Mask::is_equal(nibble, i + 1); 81| | 82| 6.90M| for(size_t w = 0; w != words; ++w) { ------------------ | Branch (82:25): [True: 5.93M, False: 967k] ------------------ 83| 5.93M| output[w] |= mask_0.if_set_return(vec_0[w]); 84| 5.93M| output[w] |= mask_1.if_set_return(vec_1[w]); 85| 5.93M| } 86| 967k| } 87| 120k|} _ZN5Botan17sqrt_modulo_primeERKNS_6BigIntES2_: 27| 492|BigInt sqrt_modulo_prime(const BigInt& a, const BigInt& p) { 28| 492| BOTAN_ARG_CHECK(p > 1, "invalid prime"); ------------------ | | 35| 492| do { \ | | 36| 492| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 492| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 492] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 492| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 492] | | ------------------ ------------------ 29| 492| BOTAN_ARG_CHECK(a < p, "value to solve for must be less than p"); ------------------ | | 35| 492| do { \ | | 36| 492| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 492| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 492] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 492| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 492] | | ------------------ ------------------ 30| 492| BOTAN_ARG_CHECK(a >= 0, "value to solve for must not be negative"); ------------------ | | 35| 492| do { \ | | 36| 492| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 492| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 492] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 492| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 492] | | ------------------ ------------------ 31| | 32| | // some very easy cases 33| 492| if(p == 2 || a <= 1) { ------------------ | Branch (33:7): [True: 0, False: 492] | Branch (33:17): [True: 0, False: 492] ------------------ 34| 0| return a; 35| 0| } 36| | 37| 492| BOTAN_ARG_CHECK(p.is_odd(), "invalid prime"); ------------------ | | 35| 492| do { \ | | 36| 492| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 492| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 492] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 492| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 492] | | ------------------ ------------------ 38| | 39| 492| if(jacobi(a, p) != 1) { // not a quadratic residue ------------------ | Branch (39:7): [True: 206, False: 286] ------------------ 40| 206| return BigInt::from_s32(-1); 41| 206| } 42| | 43| 286| auto mod_p = Barrett_Reduction::for_public_modulus(p); 44| 286| const Montgomery_Params monty_p(p, mod_p); 45| | 46| | // If p == 3 (mod 4) there is a simple solution 47| 286| if(p % 4 == 3) { ------------------ | Branch (47:7): [True: 18, False: 268] ------------------ 48| 18| return monty_exp_vartime(monty_p, a, ((p + 1) >> 2)).value(); 49| 18| } 50| | 51| | // Otherwise we have to use Shanks-Tonelli 52| 268| size_t s = low_zero_bits(p - 1); 53| 268| BigInt q = p >> s; 54| | 55| 268| q -= 1; 56| 268| q >>= 1; 57| | 58| 268| BigInt r = monty_exp_vartime(monty_p, a, q).value(); 59| 268| BigInt n = mod_p.multiply(a, mod_p.square(r)); 60| 268| r = mod_p.multiply(r, a); 61| | 62| 268| if(n == 1) { ------------------ | Branch (62:7): [True: 107, False: 161] ------------------ 63| 107| return r; 64| 107| } 65| | 66| | // find random quadratic nonresidue z 67| 161| word z = 2; 68| 431| for(;;) { 69| 431| if(jacobi(BigInt::from_word(z), p) == -1) { // found one ------------------ | Branch (69:10): [True: 161, False: 270] ------------------ 70| 161| break; 71| 161| } 72| | 73| 270| z += 1; // try next z 74| | 75| | /* 76| | * The expected number of tests to find a non-residue modulo a 77| | * prime is 2. If we have not found one after 256 then almost 78| | * certainly we have been given a non-prime p. 79| | */ 80| 270| if(z >= 256) { ------------------ | Branch (80:10): [True: 0, False: 270] ------------------ 81| 0| return BigInt::from_s32(-1); 82| 0| } 83| 270| } 84| | 85| 161| BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1).value(); 86| | 87| 1.73k| while(n > 1) { ------------------ | Branch (87:10): [True: 1.57k, False: 161] ------------------ 88| 1.57k| q = n; 89| | 90| 1.57k| size_t i = 0; 91| 69.7k| while(q != 1) { ------------------ | Branch (91:13): [True: 68.1k, False: 1.57k] ------------------ 92| 68.1k| q = mod_p.square(q); 93| 68.1k| ++i; 94| | 95| 68.1k| if(i >= s) { ------------------ | Branch (95:13): [True: 0, False: 68.1k] ------------------ 96| 0| return BigInt::from_s32(-1); 97| 0| } 98| 68.1k| } 99| | 100| 1.57k| BOTAN_ASSERT_NOMSG(s >= (i + 1)); // No underflow! ------------------ | | 77| 1.57k| do { \ | | 78| 1.57k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.57k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.57k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.57k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.57k] | | ------------------ ------------------ 101| 1.57k| c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1)).value(); 102| 1.57k| r = mod_p.multiply(r, c); 103| 1.57k| c = mod_p.square(c); 104| 1.57k| n = mod_p.multiply(n, c); 105| | 106| | // s decreases as the algorithm proceeds 107| 1.57k| BOTAN_ASSERT_NOMSG(s >= i); ------------------ | | 77| 1.57k| do { \ | | 78| 1.57k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.57k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.57k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.57k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.57k] | | ------------------ ------------------ 108| 1.57k| s = i; 109| 1.57k| } 110| | 111| 161| return r; 112| 161|} _ZN5Botan6jacobiENS_6BigIntES0_: 119| 4.37k|int32_t jacobi(BigInt a, BigInt n) { 120| 4.37k| BOTAN_ARG_CHECK(n.is_odd() && n >= 3, "Argument n must be an odd integer >= 3"); ------------------ | | 35| 4.37k| do { \ | | 36| 4.37k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 8.74k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 4.37k, False: 0] | | | Branch (37:12): [True: 4.37k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 4.37k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 4.37k] | | ------------------ ------------------ 121| | 122| 4.37k| if(a < 0 || a >= n) { ------------------ | Branch (122:7): [True: 1.59k, False: 2.77k] | Branch (122:16): [True: 0, False: 2.77k] ------------------ 123| 1.59k| a %= n; 124| 1.59k| } 125| | 126| 4.37k| if(a == 0) { ------------------ | Branch (126:7): [True: 0, False: 4.37k] ------------------ 127| 0| return 0; 128| 0| } 129| 4.37k| if(a == 1) { ------------------ | Branch (129:7): [True: 0, False: 4.37k] ------------------ 130| 0| return 1; 131| 0| } 132| | 133| 4.37k| int32_t s = 1; 134| | 135| 49.6k| for(;;) { 136| 49.6k| const size_t e = low_zero_bits(a); 137| 49.6k| a >>= e; 138| 49.6k| const word n_mod_8 = n.word_at(0) % 8; 139| 49.6k| const word n_mod_4 = n_mod_8 % 4; 140| | 141| 49.6k| if(e % 2 == 1 && (n_mod_8 == 3 || n_mod_8 == 5)) { ------------------ | Branch (141:10): [True: 17.3k, False: 32.2k] | Branch (141:25): [True: 4.39k, False: 12.9k] | Branch (141:41): [True: 4.19k, False: 8.77k] ------------------ 142| 8.58k| s = -s; 143| 8.58k| } 144| | 145| 49.6k| if(n_mod_4 == 3 && a % 4 == 3) { ------------------ | Branch (145:10): [True: 24.3k, False: 25.2k] | Branch (145:26): [True: 11.6k, False: 12.7k] ------------------ 146| 11.6k| s = -s; 147| 11.6k| } 148| | 149| | /* 150| | * The HAC presentation of the algorithm uses recursion, which is not 151| | * desirable or necessary. 152| | * 153| | * Instead we loop accumulating the product of the various jacobi() 154| | * subcomputations into s, until we reach algorithm termination, which 155| | * occurs in one of two ways. 156| | * 157| | * If a == 1 then the recursion has completed; we can return the value of s. 158| | * 159| | * Otherwise, after swapping and reducing, check for a == 0 [this value is 160| | * called `n1` in HAC's presentation]. This would imply that jacobi(n1,a1) 161| | * would have the value 0, due to Line 1 in HAC 2.149, in which case the 162| | * entire product is zero, and we can immediately return that result. 163| | */ 164| | 165| 49.6k| if(a == 1) { ------------------ | Branch (165:10): [True: 4.37k, False: 45.2k] ------------------ 166| 4.37k| return s; 167| 4.37k| } 168| | 169| 45.2k| std::swap(a, n); 170| | 171| 45.2k| BOTAN_ASSERT_NOMSG(n.is_odd()); ------------------ | | 77| 45.2k| do { \ | | 78| 45.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 45.2k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 45.2k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 45.2k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 45.2k] | | ------------------ ------------------ 172| | 173| 45.2k| a %= n; 174| | 175| 45.2k| if(a == 0) { ------------------ | Branch (175:10): [True: 0, False: 45.2k] ------------------ 176| 0| return 0; 177| 0| } 178| 45.2k| } 179| 4.37k|} _ZN5Botan13low_zero_bitsERKNS_6BigIntE: 194| 51.4k|size_t low_zero_bits(const BigInt& n) { 195| 51.4k| size_t low_zero = 0; 196| | 197| 51.4k| auto seen_nonempty_word = CT::Mask::cleared(); 198| | 199| 503k| for(size_t i = 0; i != n.size(); ++i) { ------------------ | Branch (199:22): [True: 451k, False: 51.4k] ------------------ 200| 451k| const word x = n.word_at(i); 201| | 202| | // ctz(0) will return sizeof(word) 203| 451k| const size_t tz_x = ctz(x); 204| | 205| | // if x > 0 we want to count tz_x in total but not any 206| | // further words, so set the mask after the addition 207| 451k| low_zero += seen_nonempty_word.if_not_set_return(tz_x); 208| | 209| 451k| seen_nonempty_word |= CT::Mask::expand(x); 210| 451k| } 211| | 212| | // if we saw no words with x > 0 then n == 0 and the value we have 213| | // computed is meaningless. Instead return BigInt::zero() in that case. 214| 51.4k| return static_cast(seen_nonempty_word.if_set_return(low_zero)); 215| 51.4k|} _ZN5Botan17is_perfect_squareERKNS_6BigIntE: 347| 128|BigInt is_perfect_square(const BigInt& C) { 348| 128| if(C < 1) { ------------------ | Branch (348:7): [True: 0, False: 128] ------------------ 349| 0| throw Invalid_Argument("is_perfect_square requires C >= 1"); 350| 0| } 351| 128| if(C == 1) { ------------------ | Branch (351:7): [True: 0, False: 128] ------------------ 352| 0| return BigInt::one(); 353| 0| } 354| | 355| 128| const size_t n = C.bits(); 356| 128| const size_t m = (n + 1) / 2; 357| 128| const BigInt B = C + BigInt::power_of_2(m); 358| | 359| 128| BigInt X = BigInt::power_of_2(m) - 1; 360| 128| BigInt X2 = (X * X); 361| | 362| 505| for(;;) { 363| 505| X = (X2 + C) / (2 * X); 364| 505| X2 = (X * X); 365| | 366| 505| if(X2 < B) { ------------------ | Branch (366:10): [True: 128, False: 377] ------------------ 367| 128| break; 368| 128| } 369| 505| } 370| | 371| 128| if(X2 == C) { ------------------ | Branch (371:7): [True: 0, False: 128] ------------------ 372| 0| return X; 373| 128| } else { 374| 128| return BigInt::zero(); 375| 128| } 376| 128|} _ZN5Botan23is_lucas_probable_primeERKNS_6BigIntERKNS_17Barrett_ReductionE: 18| 951|bool is_lucas_probable_prime(const BigInt& C, const Barrett_Reduction& mod_C) { 19| 951| BOTAN_ARG_CHECK(C.signum() >= 0, "Argument must be non-negative"); ------------------ | | 35| 951| do { \ | | 36| 951| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 951| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 951] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 951| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 951] | | ------------------ ------------------ 20| | 21| 951| if(C == 2 || C == 3 || C == 5 || C == 7 || C == 11 || C == 13) { ------------------ | Branch (21:7): [True: 0, False: 951] | Branch (21:17): [True: 1, False: 950] | Branch (21:27): [True: 1, False: 949] | Branch (21:37): [True: 1, False: 948] | Branch (21:47): [True: 1, False: 947] | Branch (21:58): [True: 1, False: 946] ------------------ 22| 5| return true; 23| 5| } 24| | 25| 946| if(C <= 1 || C.is_even()) { ------------------ | Branch (25:7): [True: 0, False: 946] | Branch (25:17): [True: 0, False: 946] ------------------ 26| 0| return false; 27| 0| } 28| | 29| 946| BigInt D = BigInt::from_word(5); 30| | 31| 3.44k| for(;;) { 32| 3.44k| const int32_t j = jacobi(D, C); 33| 3.44k| if(j == 0) { ------------------ | Branch (33:10): [True: 0, False: 3.44k] ------------------ 34| 0| return false; 35| 0| } 36| | 37| 3.44k| if(j == -1) { ------------------ | Branch (37:10): [True: 946, False: 2.50k] ------------------ 38| 946| break; 39| 946| } 40| | 41| | // Check 5, -7, 9, -11, 13, -15, 17, ... 42| 2.50k| if(D.signum() < 0) { ------------------ | Branch (42:10): [True: 902, False: 1.59k] ------------------ 43| 902| D.flip_sign(); 44| 902| D += 2; 45| 1.59k| } else { 46| 1.59k| D += 2; 47| 1.59k| D.flip_sign(); 48| 1.59k| } 49| | 50| 2.50k| if(D == 17 && is_perfect_square(C).signum() != 0) { ------------------ | Branch (50:10): [True: 128, False: 2.37k] | Branch (50:10): [True: 0, False: 2.50k] | Branch (50:21): [True: 0, False: 128] ------------------ 51| 0| return false; 52| 0| } 53| 2.50k| } 54| | 55| 946| if(D.signum() < 0) { ------------------ | Branch (55:7): [True: 697, False: 249] ------------------ 56| 697| D += C; 57| 697| } 58| | 59| 946| const BigInt K = C + 1; 60| 946| const size_t K_bits = K.bits() - 1; 61| | 62| 946| BigInt U = BigInt::one(); 63| 946| BigInt V = BigInt::one(); 64| | 65| 946| BigInt Ut; 66| 946| BigInt Vt; 67| 946| BigInt U2; 68| 946| BigInt V2; 69| | 70| 321k| for(size_t i = 0; i != K_bits; ++i) { ------------------ | Branch (70:22): [True: 320k, False: 946] ------------------ 71| 320k| const bool k_bit = K.get_bit(K_bits - 1 - i); 72| | 73| 320k| Ut = mod_C.multiply(U, V); 74| | 75| 320k| Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U))); 76| 320k| Vt.ct_cond_add(Vt.is_odd(), C); 77| 320k| Vt >>= 1; 78| 320k| Vt = mod_C.reduce(Vt); 79| | 80| 320k| U = Ut; 81| 320k| V = Vt; 82| | 83| 320k| U2 = mod_C.reduce(Ut + Vt); 84| 320k| U2.ct_cond_add(U2.is_odd(), C); 85| 320k| U2 >>= 1; 86| | 87| 320k| V2 = mod_C.reduce(Vt + mod_C.multiply(Ut, D)); 88| 320k| V2.ct_cond_add(V2.is_odd(), C); 89| 320k| V2 >>= 1; 90| | 91| 320k| U.ct_cond_assign(k_bit, U2); 92| 320k| V.ct_cond_assign(k_bit, V2); 93| 320k| } 94| | 95| 946| return (U == 0); 96| 946|} _ZN5Botan28is_bailie_psw_probable_primeERKNS_6BigIntERKNS_17Barrett_ReductionE: 98| 1.66k|bool is_bailie_psw_probable_prime(const BigInt& n, const Barrett_Reduction& mod_n) { 99| 1.66k| if(n == 2) { ------------------ | Branch (99:7): [True: 1, False: 1.66k] ------------------ 100| 1| return true; 101| 1.66k| } else if(n <= 1 || n.is_even()) { ------------------ | Branch (101:14): [True: 1, False: 1.66k] | Branch (101:24): [True: 128, False: 1.53k] ------------------ 102| 129| return false; 103| 129| } 104| | 105| 1.53k| const Montgomery_Params monty_n(n, mod_n); 106| 1.53k| const auto base = BigInt::from_word(2); 107| 1.53k| return passes_miller_rabin_test(n, mod_n, monty_n, base) && is_lucas_probable_prime(n, mod_n); ------------------ | Branch (107:11): [True: 951, False: 587] | Branch (107:64): [True: 948, False: 3] ------------------ 108| 1.66k|} _ZN5Botan24passes_miller_rabin_testERKNS_6BigIntERKNS_17Barrett_ReductionERKNS_17Montgomery_ParamsES2_: 113| 1.53k| const BigInt& a) { 114| 1.53k| if(n < 3 || n.is_even()) { ------------------ | Branch (114:7): [True: 0, False: 1.53k] | Branch (114:16): [True: 0, False: 1.53k] ------------------ 115| 0| return false; 116| 0| } 117| | 118| 1.53k| BOTAN_ASSERT_NOMSG(n > 1); ------------------ | | 77| 1.53k| do { \ | | 78| 1.53k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 1.53k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 1.53k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 1.53k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 1.53k] | | ------------------ ------------------ 119| | 120| 1.53k| const BigInt n_minus_1 = n - 1; 121| | /* 122| | * This unpoison is not ideal but realistically there is no way to 123| | * hide the number of loop iterations (below). The main user of 124| | * secret primes is RSA and we always generate RSA primes such that 125| | * p == 3 (mod 4), which means s is always 1. 126| | */ 127| 1.53k| const size_t s = CT::driveby_unpoison(low_zero_bits(n_minus_1)); 128| 1.53k| const BigInt nm1_s = n_minus_1 >> s; 129| 1.53k| const size_t n_bits = n.bits(); 130| | 131| 1.53k| const size_t powm_window = 4; 132| | 133| 1.53k| auto powm_a_n = monty_precompute(monty_n, a, powm_window); 134| | 135| 1.53k| BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits).value(); 136| | 137| 1.53k| if(y == 1 || y == n_minus_1) { ------------------ | Branch (137:7): [True: 478, False: 1.06k] | Branch (137:17): [True: 51, False: 1.00k] ------------------ 138| 529| return true; 139| 529| } 140| | 141| 22.6k| for(size_t i = 1; i != s; ++i) { ------------------ | Branch (141:22): [True: 22.0k, False: 586] ------------------ 142| 22.0k| y = mod_n.square(y); 143| | 144| 22.0k| if(y == 1) { // found a non-trivial square root ------------------ | Branch (144:10): [True: 1, False: 22.0k] ------------------ 145| 1| return false; 146| 1| } 147| | 148| | /* 149| | -1 is the trivial square root of unity, so ``a`` is not a 150| | witness for this number - give up 151| | */ 152| 22.0k| if(y == n_minus_1) { ------------------ | Branch (152:10): [True: 422, False: 21.6k] ------------------ 153| 422| return true; 154| 422| } 155| 22.0k| } 156| | 157| 586| return false; 158| 1.00k|} _ZN5Botan6PCurve15PrimeOrderCurve6Scalar8_zeroizeEv: 16| 2.26k|void PrimeOrderCurve::Scalar::_zeroize() { 17| 2.26k| secure_zeroize_buffer(m_value.data(), m_value.size() * sizeof(word)); 18| 2.26k|} _ZN5Botan6PCurve15PrimeOrderCurve11from_paramsERKNS_6BigIntES4_S4_S4_S4_S4_: 22| 1.18k| const BigInt& p, const BigInt& a, const BigInt& b, const BigInt& base_x, const BigInt& base_y, const BigInt& order) { 23| 1.18k|#if defined(BOTAN_HAS_PCURVES_GENERIC) 24| 1.18k| return PCurveInstance::from_params(p, a, b, base_x, base_y, order); 25| 0|#endif 26| | 27| 0| BOTAN_UNUSED(p, a, b, base_x, base_y, order); ------------------ | | 144| 0|#define BOTAN_UNUSED Botan::ignore_params ------------------ 28| 0| return {}; 29| 1.18k|} _ZN5Botan6PCurve15PrimeOrderCurve15for_named_curveENSt3__117basic_string_viewIcNS2_11char_traitsIcEEEE: 32| 3.05k|std::shared_ptr PrimeOrderCurve::for_named_curve(std::string_view name) { 33| 3.05k|#if defined(BOTAN_HAS_PCURVES_SECP256R1) 34| 3.05k| if(name == "secp256r1") { ------------------ | Branch (34:7): [True: 270, False: 2.78k] ------------------ 35| 270| return PCurveInstance::secp256r1(); 36| 270| } 37| 2.78k|#endif 38| | 39| 2.78k|#if defined(BOTAN_HAS_PCURVES_SECP384R1) 40| 2.78k| if(name == "secp384r1") { ------------------ | Branch (40:7): [True: 165, False: 2.61k] ------------------ 41| 165| return PCurveInstance::secp384r1(); 42| 165| } 43| 2.61k|#endif 44| | 45| 2.61k|#if defined(BOTAN_HAS_PCURVES_SECP521R1) 46| 2.61k| if(name == "secp521r1") { ------------------ | Branch (46:7): [True: 306, False: 2.31k] ------------------ 47| 306| return PCurveInstance::secp521r1(); 48| 306| } 49| 2.31k|#endif 50| | 51| 2.31k|#if defined(BOTAN_HAS_PCURVES_BRAINPOOL256R1) 52| 2.31k| if(name == "brainpool256r1") { ------------------ | Branch (52:7): [True: 176, False: 2.13k] ------------------ 53| 176| return PCurveInstance::brainpool256r1(); 54| 176| } 55| 2.13k|#endif 56| | 57| 2.13k|#if defined(BOTAN_HAS_PCURVES_BRAINPOOL384R1) 58| 2.13k| if(name == "brainpool384r1") { ------------------ | Branch (58:7): [True: 205, False: 1.93k] ------------------ 59| 205| return PCurveInstance::brainpool384r1(); 60| 205| } 61| 1.93k|#endif 62| | 63| 1.93k|#if defined(BOTAN_HAS_PCURVES_BRAINPOOL512R1) 64| 1.93k| if(name == "brainpool512r1") { ------------------ | Branch (64:7): [True: 157, False: 1.77k] ------------------ 65| 157| return PCurveInstance::brainpool512r1(); 66| 157| } 67| 1.77k|#endif 68| | 69| 1.77k|#if defined(BOTAN_HAS_PCURVES_FRP256V1) 70| 1.77k| if(name == "frp256v1") { ------------------ | Branch (70:7): [True: 0, False: 1.77k] ------------------ 71| 0| return PCurveInstance::frp256v1(); 72| 0| } 73| 1.77k|#endif 74| | 75| 1.77k|#if defined(BOTAN_HAS_PCURVES_SECP192R1) 76| 1.77k| if(name == "secp192r1") { ------------------ | Branch (76:7): [True: 195, False: 1.58k] ------------------ 77| 195| return PCurveInstance::secp192r1(); 78| 195| } 79| 1.58k|#endif 80| | 81| 1.58k|#if defined(BOTAN_HAS_PCURVES_SECP224R1) 82| 1.58k| if(name == "secp224r1") { ------------------ | Branch (82:7): [True: 284, False: 1.29k] ------------------ 83| 284| return PCurveInstance::secp224r1(); 84| 284| } 85| 1.29k|#endif 86| | 87| 1.29k|#if defined(BOTAN_HAS_PCURVES_SECP256K1) 88| 1.29k| if(name == "secp256k1") { ------------------ | Branch (88:7): [True: 175, False: 1.12k] ------------------ 89| 175| return PCurveInstance::secp256k1(); 90| 175| } 91| 1.12k|#endif 92| | 93| 1.12k|#if defined(BOTAN_HAS_PCURVES_SM2P256V1) 94| 1.12k| if(name == "sm2p256v1") { ------------------ | Branch (94:7): [True: 0, False: 1.12k] ------------------ 95| 0| return PCurveInstance::sm2p256v1(); 96| 0| } 97| 1.12k|#endif 98| | 99| 1.12k|#if defined(BOTAN_HAS_PCURVES_NUMSP512D1) 100| 1.12k| if(name == "numsp512d1") { ------------------ | Branch (100:7): [True: 0, False: 1.12k] ------------------ 101| 0| return PCurveInstance::numsp512d1(); 102| 0| } 103| 1.12k|#endif 104| | 105| 1.12k| BOTAN_UNUSED(name); ------------------ | | 144| 1.12k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 106| 1.12k| return {}; 107| 1.12k|} _ZN5Botan6PCurve14PCurveInstance14brainpool256r1Ev: 36| 176|std::shared_ptr PCurveInstance::brainpool256r1() { 37| 176| return PrimeOrderCurveImpl::instance(); 38| 176|} _ZN5Botan6PCurve14PCurveInstance14brainpool384r1Ev: 36| 205|std::shared_ptr PCurveInstance::brainpool384r1() { 37| 205| return PrimeOrderCurveImpl::instance(); 38| 205|} _ZN5Botan6PCurve14PCurveInstance14brainpool512r1Ev: 36| 157|std::shared_ptr PCurveInstance::brainpool512r1() { 37| 157| return PrimeOrderCurveImpl::instance(); 38| 157|} _ZN5Botan6PCurve22GenericPrimeOrderCurveC2ERKNS_6BigIntES4_S4_S4_S4_S4_: 1432| 524| m_params(std::make_unique(p, a, b, base_x, base_y, order)) {} _ZN5Botan6PCurve22GenericPrimeOrderCurve20_precompute_base_mulEv: 1434| 524|void GenericPrimeOrderCurve::_precompute_base_mul() { 1435| 524| BOTAN_STATE_CHECK(m_basemul == nullptr); ------------------ | | 51| 524| do { \ | | 52| 524| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 524| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 524] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 524| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 524] | | ------------------ ------------------ 1436| 524| m_basemul = std::make_unique(from_stash(generator())); 1437| 524|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10order_bitsEv: 1439| 524|size_t GenericPrimeOrderCurve::order_bits() const { 1440| 524| return _params().order_bits(); 1441| 524|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve19field_element_bytesEv: 1447| 744|size_t GenericPrimeOrderCurve::field_element_bytes() const { 1448| 744| return _params().field_bytes(); 1449| 744|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve8mul_by_gERKNS0_15PrimeOrderCurve6ScalarERNS_21RandomNumberGeneratorE: 1452| 371| RandomNumberGenerator& rng) const { 1453| 371| BOTAN_STATE_CHECK(m_basemul != nullptr); ------------------ | | 51| 371| do { \ | | 52| 371| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 371| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 371] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 371| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 371] | | ------------------ ------------------ 1454| 371| return stash(m_basemul->mul(from_stash(scalar), rng)); 1455| 371|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve9generatorEv: 1546| 524|PrimeOrderCurve::AffinePoint GenericPrimeOrderCurve::generator() const { 1547| 524| return PrimeOrderCurve::AffinePoint::_create(shared_from_this(), _params().base_x(), _params().base_y()); 1548| 524|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve15point_to_affineERKNS0_15PrimeOrderCurve15ProjectivePointE: 1550| 371|PrimeOrderCurve::AffinePoint GenericPrimeOrderCurve::point_to_affine(const ProjectivePoint& pt) const { 1551| 371| auto affine = to_affine(from_stash(pt)); 1552| | 1553| 371| const auto y2 = affine.y().square(); 1554| 371| const auto x3_ax_b = GenericCurve::AffinePoint::x3_ax_b(affine.x()); 1555| 371| const auto valid_point = affine.is_identity() || (y2 == x3_ax_b); 1556| | 1557| 371| BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve"); ------------------ | | 64| 371| do { \ | | 65| 371| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 371| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 371] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 371| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 371] | | ------------------ ------------------ 1558| | 1559| 371| return stash(affine); 1560| 371|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve24affine_point_is_identityERKNS0_15PrimeOrderCurve11AffinePointE: 1570| 372|bool GenericPrimeOrderCurve::affine_point_is_identity(const AffinePoint& pt) const { 1571| 372| return from_stash(pt).is_identity().as_bool(); 1572| 372|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve15serialize_pointENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve11AffinePointE: 1574| 372|void GenericPrimeOrderCurve::serialize_point(std::span bytes, const AffinePoint& pt) const { 1575| 372| from_stash(pt).serialize_to(bytes); 1576| 372|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve16serialize_scalarENSt3__14spanIhLm18446744073709551615EEERKNS0_15PrimeOrderCurve6ScalarE: 1578| 501|void GenericPrimeOrderCurve::serialize_scalar(std::span bytes, const Scalar& scalar) const { 1579| 501| BOTAN_ARG_CHECK(bytes.size() == _params().order_bytes(), "Invalid length to serialize_scalar"); ------------------ | | 35| 501| do { \ | | 36| 501| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 501| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 501] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 501| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 501] | | ------------------ ------------------ 1580| 501| from_stash(scalar).serialize_to(bytes); 1581| 501|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve18deserialize_scalarENSt3__14spanIKhLm18446744073709551615EEE: 1584| 506| std::span bytes) const { 1585| 506| if(auto s = GenericScalar::deserialize(this, bytes)) { ------------------ | Branch (1585:12): [True: 503, False: 3] ------------------ 1586| 503| if(s->is_nonzero().as_bool()) { ------------------ | Branch (1586:10): [True: 501, False: 2] ------------------ 1587| 501| return stash(s.value()); 1588| 501| } 1589| 503| } 1590| | 1591| 5| return {}; 1592| 506|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve17deserialize_pointENSt3__14spanIKhLm18446744073709551615EEE: 1604| 130| std::span bytes) const { 1605| 130| if(auto pt = GenericAffinePoint::deserialize(this, bytes)) { ------------------ | Branch (1605:12): [True: 1, False: 129] ------------------ 1606| 1| return stash(pt.value()); 1607| 129| } else { 1608| 129| return {}; 1609| 129| } 1610| 130|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve14scalar_is_zeroERKNS0_15PrimeOrderCurve6ScalarE: 1640| 501|bool GenericPrimeOrderCurve::scalar_is_zero(const Scalar& s) const { 1641| 501| return from_stash(s).is_zero().as_bool(); 1642| 501|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve5stashERKNS0_13GenericScalarE: 1656| 501|PrimeOrderCurve::Scalar GenericPrimeOrderCurve::stash(const GenericScalar& s) const { 1657| 501| return Scalar::_create(shared_from_this(), s.stash_value()); 1658| 501|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10from_stashERKNS0_15PrimeOrderCurve6ScalarE: 1660| 1.37k|GenericScalar GenericPrimeOrderCurve::from_stash(const PrimeOrderCurve::Scalar& s) const { 1661| 1.37k| BOTAN_ARG_CHECK(s._curve().get() == this, "Curve mismatch"); ------------------ | | 35| 1.37k| do { \ | | 36| 1.37k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.37k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.37k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.37k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.37k] | | ------------------ ------------------ 1662| 1.37k| return GenericScalar(this, s._value()); 1663| 1.37k|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve5stashERKNS0_18GenericAffinePointE: 1665| 372|PrimeOrderCurve::AffinePoint GenericPrimeOrderCurve::stash(const GenericAffinePoint& pt) const { 1666| 372| auto x_w = pt.x().stash_value(); 1667| 372| auto y_w = pt.y().stash_value(); 1668| 372| return AffinePoint::_create(shared_from_this(), x_w, y_w); 1669| 372|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10from_stashERKNS0_15PrimeOrderCurve11AffinePointE: 1671| 1.26k|GenericAffinePoint GenericPrimeOrderCurve::from_stash(const PrimeOrderCurve::AffinePoint& pt) const { 1672| 1.26k| BOTAN_ARG_CHECK(pt._curve().get() == this, "Curve mismatch"); ------------------ | | 35| 1.26k| do { \ | | 36| 1.26k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.26k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.26k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.26k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.26k] | | ------------------ ------------------ 1673| 1.26k| auto x = GenericField(this, pt._x()); 1674| 1.26k| auto y = GenericField(this, pt._y()); 1675| 1.26k| return GenericAffinePoint(x, y); 1676| 1.26k|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve5stashERKNS0_22GenericProjectivePointE: 1678| 371|PrimeOrderCurve::ProjectivePoint GenericPrimeOrderCurve::stash(const GenericProjectivePoint& pt) const { 1679| 371| auto x_w = pt.x().stash_value(); 1680| 371| auto y_w = pt.y().stash_value(); 1681| 371| auto z_w = pt.z().stash_value(); 1682| 371| return ProjectivePoint::_create(shared_from_this(), x_w, y_w, z_w); 1683| 371|} _ZNK5Botan6PCurve22GenericPrimeOrderCurve10from_stashERKNS0_15PrimeOrderCurve15ProjectivePointE: 1685| 371|GenericProjectivePoint GenericPrimeOrderCurve::from_stash(const PrimeOrderCurve::ProjectivePoint& pt) const { 1686| 371| BOTAN_ARG_CHECK(pt._curve().get() == this, "Curve mismatch"); ------------------ | | 35| 371| do { \ | | 36| 371| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 371| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 371] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 371| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 371] | | ------------------ ------------------ 1687| 371| auto x = GenericField(this, pt._x()); 1688| 371| auto y = GenericField(this, pt._y()); 1689| 371| auto z = GenericField(this, pt._z()); 1690| 371| return GenericProjectivePoint(x, y, z); 1691| 371|} _ZN5Botan6PCurve14PCurveInstance11from_paramsERKNS_6BigIntES4_S4_S4_S4_S4_: 1706| 1.18k| const BigInt& p, const BigInt& a, const BigInt& b, const BigInt& base_x, const BigInt& base_y, const BigInt& order) { 1707| | // We don't check that p and order are prime here on the assumption this has 1708| | // been checked already by EC_Group 1709| | 1710| 1.18k| BOTAN_ARG_CHECK(a >= 0 && a < p, "a is invalid"); ------------------ | | 35| 1.18k| do { \ | | 36| 1.18k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.36k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 1.18k, False: 0] | | | Branch (37:12): [True: 1.18k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.18k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.18k] | | ------------------ ------------------ 1711| 1.18k| BOTAN_ARG_CHECK(b > 0 && b < p, "b is invalid"); ------------------ | | 35| 1.18k| do { \ | | 36| 1.18k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.36k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 1.18k, False: 0] | | | Branch (37:12): [True: 1.18k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.18k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.18k] | | ------------------ ------------------ 1712| 1.18k| BOTAN_ARG_CHECK(base_x >= 0 && base_x < p, "base_x is invalid"); ------------------ | | 35| 1.18k| do { \ | | 36| 1.18k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.36k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 1.18k, False: 0] | | | Branch (37:12): [True: 1.18k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.18k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.18k] | | ------------------ ------------------ 1713| 1.18k| BOTAN_ARG_CHECK(base_y >= 0 && base_y < p, "base_y is invalid"); ------------------ | | 35| 1.18k| do { \ | | 36| 1.18k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.36k| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 1.18k, False: 0] | | | Branch (37:12): [True: 1.18k, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.18k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.18k] | | ------------------ ------------------ 1714| | 1715| 1.18k| const size_t p_bits = p.bits(); 1716| | 1717| | // Same size restrictions as EC_Group however here we do not require 1718| | // exactly the primes for the 521 or 239 bit exceptions; this code 1719| | // should work fine with any such prime and we are relying on the higher 1720| | // levels to prevent creating such a group in the first place 1721| | // 1722| | // TODO(Botan4) increase the 128 here to 192 when the corresponding EC_Group constructor is changed 1723| | // 1724| 1.18k| if(p_bits != 521 && p_bits != 239 && (p_bits < 128 || p_bits > 512 || p_bits % 32 != 0)) { ------------------ | Branch (1724:7): [True: 1.13k, False: 53] | Branch (1724:24): [True: 954, False: 177] | Branch (1724:42): [True: 0, False: 954] | Branch (1724:58): [True: 0, False: 954] | Branch (1724:74): [True: 0, False: 954] ------------------ 1725| 0| return {}; 1726| 0| } 1727| | 1728| | // We don't want to deal with Shanks-Tonelli in the generic case 1729| 1.18k| if(p % 4 != 3) { ------------------ | Branch (1729:7): [True: 633, False: 551] ------------------ 1730| 633| return {}; 1731| 633| } 1732| | 1733| | // The bit length of the field and order being the same simplifies things 1734| 551| if(p_bits != order.bits()) { ------------------ | Branch (1734:7): [True: 27, False: 524] ------------------ 1735| 27| return {}; 1736| 27| } 1737| | 1738| | // Check that the (x,y) generator point is on the curve 1739| 524| auto mod_p = Barrett_Reduction::for_public_modulus(p); 1740| 524| const BigInt y2 = mod_p.square(base_y); 1741| 524| const BigInt x3_ax_b = mod_p.reduce(mod_p.cube(base_x) + mod_p.multiply(a, base_x) + b); 1742| 524| if(y2 != x3_ax_b) { ------------------ | Branch (1742:7): [True: 0, False: 524] ------------------ 1743| 0| return {}; 1744| 0| } 1745| | 1746| 524| auto gpoc = std::make_shared(p, a, b, base_x, base_y, order); 1747| | /* 1748| | The implementation of this needs to call shared_from_this which is not usable 1749| | until after the constructor has completed, so we have to do a two-stage 1750| | construction process. This is certainly not so clean but it is contained to 1751| | this single file so seems tolerable. 1752| | 1753| | Alternately we could lazily compute the base mul table but this brings in 1754| | locking issues which seem a worse alternative overall. 1755| | */ 1756| 524| gpoc->_precompute_base_mul(); 1757| 524| return gpoc; 1758| 524|} _ZNK5Botan6PCurve18GenericCurveParams10order_bitsEv: 146| 895| size_t order_bits() const { return m_order_bits; } _ZNK5Botan6PCurve18GenericCurveParams11order_bytesEv: 148| 2.25k| size_t order_bytes() const { return m_order_bytes; } _ZNK5Botan6PCurve18GenericCurveParams11field_bytesEv: 152| 2.23k| size_t field_bytes() const { return m_field_bytes; } _ZN5Botan6PCurve19GenericBaseMulTable3mulERKNS0_13GenericScalarERNS_21RandomNumberGeneratorE: 1340| 371| GenericProjectivePoint mul(const GenericScalar& s, RandomNumberGenerator& rng) { 1341| | // W+1 bit windows for Booth recoding overlap 1342| 371| const GenericBlindedScalarBits scalar(s, rng, WindowBits + 1); 1343| 371| return basemul_booth_exec(m_table, scalar, rng); 1344| 371| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_124GenericBlindedScalarBitsC2ERKNS0_13GenericScalarERNS_21RandomNumberGeneratorEm: 1230| 371| GenericBlindedScalarBits(const GenericScalar& scalar, RandomNumberGenerator& rng, size_t wb) { 1231| 371| BOTAN_ASSERT_NOMSG(wb == 1 || wb == 2 || wb == 3 || wb == 4 || wb == 5 || wb == 6 || wb == 7); ------------------ | | 77| 371| do { \ | | 78| 371| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 4.45k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 0, False: 371] | | | Branch (79:12): [True: 0, False: 371] | | | Branch (79:12): [True: 0, False: 371] | | | Branch (79:12): [True: 0, False: 371] | | | Branch (79:12): [True: 0, False: 371] | | | Branch (79:12): [True: 0, False: 371] | | | Branch (79:12): [True: 371, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 371| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 371] | | ------------------ ------------------ 1232| | 1233| 371| const auto& params = scalar.curve()->_params(); 1234| | 1235| 371| const size_t order_bits = params.order_bits(); 1236| 371| m_window_bits = wb; 1237| | 1238| 371| const size_t blinder_bits = scalar_blinding_bits(order_bits); 1239| | 1240| 371| if(blinder_bits > 0 && rng.is_seeded()) { ------------------ | Branch (1240:13): [True: 371, False: 0] | Branch (1240:33): [True: 0, False: 371] ------------------ 1241| 0| const size_t mask_words = (blinder_bits + WordInfo::bits - 1) / WordInfo::bits; 1242| 0| const size_t mask_bytes = mask_words * WordInfo::bytes; 1243| | 1244| 0| const size_t words = params.words(); 1245| | 1246| 0| secure_vector maskb(mask_bytes); 1247| 0| rng.randomize(maskb); 1248| | 1249| 0| std::array mask{}; 1250| 0| load_le(mask.data(), maskb.data(), mask_words); 1251| | 1252| | // Mask to exactly blinder_bits and set MSB and LSB 1253| 0| const size_t excess = mask_words * WordInfo::bits - blinder_bits; 1254| 0| if(excess > 0) { ------------------ | Branch (1254:16): [True: 0, False: 0] ------------------ 1255| 0| mask[mask_words - 1] &= (static_cast(1) << (WordInfo::bits - excess)) - 1; 1256| 0| } 1257| 0| const size_t msb_pos = (blinder_bits - 1) % WordInfo::bits; 1258| 0| mask[(blinder_bits - 1) / WordInfo::bits] |= static_cast(1) << msb_pos; 1259| 0| mask[0] |= 1; 1260| | 1261| 0| std::array mask_n{}; 1262| | 1263| 0| const auto sw = scalar.to_words(); 1264| | 1265| | // Compute masked scalar s + k*n 1266| 0| params.mul(mask_n, mask, params.order()); 1267| 0| bigint_add2(mask_n.data(), 2 * words, sw.data(), words); 1268| | 1269| 0| std::reverse(mask_n.begin(), mask_n.end()); 1270| 0| m_bytes = store_be>(mask_n); 1271| 0| m_bits = order_bits + blinder_bits; 1272| 371| } else { 1273| | // No RNG available, skip blinding 1274| 371| m_bytes = scalar.serialize>(); 1275| 371| m_bits = order_bits; 1276| 371| } 1277| | 1278| 371| m_windows = (m_bits + wb - 1) / wb; 1279| 371| } _ZNK5Botan6PCurve13GenericScalar5curveEv: 549| 371| const GenericPrimeOrderCurve* curve() const { return m_curve; } _ZNK5Botan6PCurve18GenericCurveParams5wordsEv: 144| 23.7M| size_t words() const { return m_words; } _ZN5Botan6PCurve13GenericScalar8from_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 573| 872| static StorageUnit from_rep(const GenericPrimeOrderCurve* curve, StorageUnit z) { 574| 872| std::array ze{}; 575| 872| copy_mem(std::span{ze}.template first(), z); 576| 872| return redc(curve, ze); 577| 872| } _ZN5Botan6PCurve13GenericScalar4redcEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm18EEE: 563| 1.37k| static StorageUnit redc(const GenericPrimeOrderCurve* curve, std::array z) { 564| 1.37k| const auto& mod = curve->_params().order(); 565| 1.37k| const size_t words = curve->_params().words(); 566| 1.37k| StorageUnit r{}; 567| 1.37k| StorageUnit ws{}; 568| 1.37k| bigint_monty_redc( 569| 1.37k| r.data(), z.data(), mod.data(), words, curve->_params().order_p_dash(), ws.data(), ws.size()); 570| 1.37k| return r; 571| 1.37k| } _ZNK5Botan6PCurve18GenericCurveParams12order_p_dashEv: 184| 1.37k| word order_p_dash() const { return m_order_p_dash; } _ZNK5Botan6PCurve18GenericCurveParams3mulERNSt3__15arrayImLm18EEERKNS3_ImLm9EEES8_: 200| 11.3M| void mul(std::array& z, const std::array& x, const std::array& y) const { 201| 11.3M| clear_mem(z); 202| | 203| 11.3M| if(m_words == 4) { ------------------ | Branch (203:13): [True: 5.42M, False: 5.97M] ------------------ 204| 5.42M| bigint_comba_mul4(z.data(), x.data(), y.data()); 205| 5.97M| } else if(m_words == 6) { ------------------ | Branch (205:20): [True: 0, False: 5.97M] ------------------ 206| 0| bigint_comba_mul6(z.data(), x.data(), y.data()); 207| 5.97M| } else if(m_words == 8) { ------------------ | Branch (207:20): [True: 0, False: 5.97M] ------------------ 208| 0| bigint_comba_mul8(z.data(), x.data(), y.data()); 209| 5.97M| } else if(m_words == 9) { ------------------ | Branch (209:20): [True: 2.26M, False: 3.70M] ------------------ 210| 2.26M| bigint_comba_mul9(z.data(), x.data(), y.data()); 211| 3.70M| } else { 212| 3.70M| bigint_mul(z.data(), z.size(), x.data(), m_words, m_words, y.data(), m_words, m_words, nullptr, 0); 213| 3.70M| } 214| 11.3M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_124GenericBlindedScalarBits4bitsEv: 1283| 371| size_t bits() const { return m_bits; } _ZN5Botan6PCurve22GenericProjectivePoint18conditional_assignENS_2CT6ChoiceERKS1_: 1114| 371| void conditional_assign(CT::Choice cond, const Self& pt) { 1115| 371| GenericField::conditional_assign(m_x, m_y, m_z, cond, pt.x(), pt.y(), pt.z()); 1116| 371| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField18conditional_assignERS2_S3_S3_NS_2CT6ChoiceERKS2_S7_S7_: 862| 794k| const GenericField& nz) { 863| 794k| const W mask = cond.into_bitmask(); 864| | 865| 7.94M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (865:28): [True: 7.14M, False: 794k] ------------------ 866| 7.14M| x.m_val[i] = choose(mask, nx.m_val[i], x.m_val[i]); 867| 7.14M| y.m_val[i] = choose(mask, ny.m_val[i], y.m_val[i]); 868| 7.14M| z.m_val[i] = choose(mask, nz.m_val[i], z.m_val[i]); 869| 7.14M| } 870| 794k| } _ZNK5Botan6PCurve22GenericProjectivePoint6negateEv: 1165| 371| Self negate() const { return Self(x(), y().negate(), z()); } _ZNK5Botan6PCurve22GenericProjectivePoint18_const_time_poisonEv: 1206| 371| void _const_time_poison() const { CT::poison_all(m_x, m_y, m_z); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField18_const_time_poisonEv: 813| 1.11k| void _const_time_poison() const { CT::poison(m_val); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_124GenericBlindedScalarBits10get_windowEm: 1285| 14.2k| size_t get_window(size_t offset) const { 1286| 14.2k| if(m_window_bits == 1) { ------------------ | Branch (1286:13): [True: 0, False: 14.2k] ------------------ 1287| 0| return read_window_bits<1>(std::span{m_bytes}, offset); 1288| 14.2k| } else if(m_window_bits == 2) { ------------------ | Branch (1288:20): [True: 0, False: 14.2k] ------------------ 1289| 0| return read_window_bits<2>(std::span{m_bytes}, offset); 1290| 14.2k| } else if(m_window_bits == 3) { ------------------ | Branch (1290:20): [True: 0, False: 14.2k] ------------------ 1291| 0| return read_window_bits<3>(std::span{m_bytes}, offset); 1292| 14.2k| } else if(m_window_bits == 4) { ------------------ | Branch (1292:20): [True: 0, False: 14.2k] ------------------ 1293| 0| return read_window_bits<4>(std::span{m_bytes}, offset); 1294| 14.2k| } else if(m_window_bits == 5) { ------------------ | Branch (1294:20): [True: 0, False: 14.2k] ------------------ 1295| 0| return read_window_bits<5>(std::span{m_bytes}, offset); 1296| 14.2k| } else if(m_window_bits == 6) { ------------------ | Branch (1296:20): [True: 0, False: 14.2k] ------------------ 1297| 0| return read_window_bits<6>(std::span{m_bytes}, offset); 1298| 14.2k| } else if(m_window_bits == 7) { ------------------ | Branch (1298:20): [True: 14.2k, False: 0] ------------------ 1299| 14.2k| return read_window_bits<7>(std::span{m_bytes}, offset); 1300| 14.2k| } else { 1301| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 1302| 0| } 1303| 14.2k| } _ZN5Botan6PCurve22GenericProjectivePoint10add_or_subERKS1_RKNS0_18GenericAffinePointENS_2CT6ChoiceE: 1125| 13.9k| static Self add_or_sub(const Self& a, const GenericAffinePoint& b, CT::Choice sub) { 1126| 13.9k| return point_add_or_sub_mixed(a, b, sub, GenericField::one(a.curve())); 1127| 13.9k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField18conditional_assignENS_2CT6ChoiceERKS2_: 828| 13.9k| void conditional_assign(CT::Choice cond, const GenericField& nx) { 829| 13.9k| const W mask = cond.into_bitmask(); 830| | 831| 139k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (831:28): [True: 125k, False: 13.9k] ------------------ 832| 125k| m_val[i] = choose(mask, nx.m_val[i], m_val[i]); 833| 125k| } 834| 13.9k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_1miERKNS1_12GenericFieldES4_: 718| 3.96M| friend GenericField operator-(const GenericField& a, const GenericField& b) { return a + b.negate(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField7is_zeroEv: 787| 2.42M| CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_curve->_params().words()).as_choice(); } _ZNK5Botan6PCurve22GenericProjectivePoint3dblEv: 1151| 434k| Self dbl() const { 1152| 434k| if(curve()->_params().a_is_minus_3()) { ------------------ | Branch (1152:13): [True: 278k, False: 155k] ------------------ 1153| 278k| return dbl_a_minus_3(*this); 1154| 278k| } else if(curve()->_params().a_is_zero()) { ------------------ | Branch (1154:20): [True: 3.77k, False: 151k] ------------------ 1155| 3.77k| return dbl_a_zero(*this); 1156| 151k| } else { 1157| 151k| const auto A = GenericField::curve_a(curve()); 1158| 151k| return dbl_generic(*this, A); 1159| 151k| } 1160| 434k| } _ZNK5Botan6PCurve18GenericCurveParams12a_is_minus_3Ev: 194| 434k| bool a_is_minus_3() const { return m_a_is_minus_3; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul3Ev: 698| 434k| GenericField mul3() const { return mul2() + (*this); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul4Ev: 701| 434k| GenericField mul4() const { return mul2().mul2(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul2Ev: 688| 3.47M| GenericField mul2() const { 689| 3.47M| StorageUnit t = value(); 690| 3.47M| const W carry = shift_left<1>(t); 691| | 692| 3.47M| StorageUnit r; 693| 3.47M| bigint_monty_maybe_sub(r.data(), carry, t.data(), m_curve->_params().field().data()); 694| 3.47M| return GenericField(m_curve, r); 695| 3.47M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField5valueEv: 885| 30.9M| const StorageUnit& value() const { return m_val; } _ZNK5Botan6PCurve18GenericCurveParams5fieldEv: 158| 28.7M| const StorageUnit& field() const { return m_field; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4mul8Ev: 704| 434k| GenericField mul8() const { return mul2().mul2().mul2(); } _ZNK5Botan6PCurve18GenericCurveParams9a_is_zeroEv: 196| 155k| bool a_is_zero() const { return m_a_is_zero; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField7curve_aEPKNS0_22GenericPrimeOrderCurveE: 639| 152k| static GenericField curve_a(const GenericPrimeOrderCurve* curve) { 640| 152k| return GenericField(curve, curve->_params().monty_curve_a()); 641| 152k| } _ZNK5Botan6PCurve18GenericCurveParams13monty_curve_aEv: 186| 152k| const StorageUnit& monty_curve_a() const { return m_monty_curve_a; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField3oneEPKNS0_22GenericPrimeOrderCurveE: 635| 15.7k| static GenericField one(const GenericPrimeOrderCurve* curve) { 636| 15.7k| return GenericField(curve, curve->_params().field_monty_r1()); 637| 15.7k| } _ZNK5Botan6PCurve18GenericCurveParams14field_monty_r1Ev: 162| 15.7k| const StorageUnit& field_monty_r1() const { return m_field_monty_r1; } _ZNK5Botan6PCurve22GenericProjectivePoint5curveEv: 1204| 755k| const GenericPrimeOrderCurve* curve() const { return m_x.curve(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField5curveEv: 801| 775k| const GenericPrimeOrderCurve* curve() const { return m_curve; } _ZN5Botan6PCurve18GenericAffinePoint9ct_selectENSt3__14spanIKS1_Lm18446744073709551615EEEm: 963| 14.2k| static auto ct_select(std::span pts, size_t idx) { 964| 14.2k| BOTAN_ARG_CHECK(!pts.empty(), "Cannot select from an empty set"); ------------------ | | 35| 14.2k| do { \ | | 36| 14.2k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 14.2k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 14.2k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 14.2k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 14.2k] | | ------------------ ------------------ 965| 14.2k| auto result = GenericAffinePoint::identity(pts[0].curve()); 966| | 967| | // Intentionally wrapping; set to maximum size_t if idx == 0 968| 14.2k| const size_t idx1 = static_cast(idx - 1); 969| 471k| for(size_t i = 0; i != pts.size(); ++i) { ------------------ | Branch (969:28): [True: 457k, False: 14.2k] ------------------ 970| 457k| const auto found = CT::Mask::is_equal(idx1, i).as_choice(); 971| 457k| result.conditional_assign(found, pts[i]); 972| 457k| } 973| | 974| 14.2k| return result; 975| 14.2k| } _ZN5Botan6PCurve18GenericAffinePoint8identityEPKNS0_22GenericPrimeOrderCurveE: 934| 14.2k| static GenericAffinePoint identity(const GenericPrimeOrderCurve* curve) { 935| 14.2k| return GenericAffinePoint(GenericField::zero(curve), GenericField::zero(curve)); 936| 14.2k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField4zeroEPKNS0_22GenericPrimeOrderCurveE: 630| 28.5k| static GenericField zero(const GenericPrimeOrderCurve* curve) { 631| 28.5k| const StorageUnit zeros{}; 632| 28.5k| return GenericField(curve, zeros); 633| 28.5k| } _ZNK5Botan6PCurve18GenericAffinePoint5curveEv: 1041| 15.1k| const GenericPrimeOrderCurve* curve() const { return m_x.curve(); } _ZN5Botan6PCurve18GenericAffinePoint18conditional_assignENS_2CT6ChoiceERKS1_: 1037| 457k| void conditional_assign(CT::Choice cond, const GenericAffinePoint& pt) { 1038| 457k| GenericField::conditional_assign(m_x, m_y, cond, pt.x(), pt.y()); 1039| 457k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField18conditional_assignERS2_S3_NS_2CT6ChoiceERKS2_S7_: 842| 457k| GenericField& x, GenericField& y, CT::Choice cond, const GenericField& nx, const GenericField& ny) { 843| 457k| const W mask = cond.into_bitmask(); 844| | 845| 4.57M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (845:28): [True: 4.11M, False: 457k] ------------------ 846| 4.11M| x.m_val[i] = choose(mask, nx.m_val[i], x.m_val[i]); 847| 4.11M| y.m_val[i] = choose(mask, ny.m_val[i], y.m_val[i]); 848| 4.11M| } 849| 457k| } _ZN5Botan6PCurve22GenericProjectivePoint13randomize_repERNS_21RandomNumberGeneratorE: 1173| 1.48k| void randomize_rep(RandomNumberGenerator& rng) { 1174| | // In certain contexts we may be called with a Null_RNG; in that case the 1175| | // caller is accepting that randomization will not occur 1176| | 1177| 1.48k| if(rng.is_seeded()) { ------------------ | Branch (1177:13): [True: 0, False: 1.48k] ------------------ 1178| 0| auto r = GenericField::random(curve(), rng); 1179| | 1180| 0| auto r2 = r.square(); 1181| 0| auto r3 = r2 * r; 1182| | 1183| 0| m_x *= r2; 1184| 0| m_y *= r3; 1185| 0| m_z *= r; 1186| 0| } 1187| 1.48k| } _ZNK5Botan6PCurve18GenericCurveParams10field_bitsEv: 150| 895| size_t field_bits() const { return m_field_bits; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericFieldmLERKS2_: 728| 48.6k| GenericField& operator*=(const GenericField& other) { 729| 48.6k| const auto* curve = check_curve(*this, other); 730| | 731| 48.6k| std::array z; // NOLINT(*-member-init) 732| 48.6k| curve->_params().mul(z, value(), other.value()); 733| 48.6k| m_val = redc(curve, z); 734| 48.6k| return (*this); 735| 48.6k| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField11check_curveERKS2_S4_: 889| 16.6M| static const GenericPrimeOrderCurve* check_curve(const GenericField& a, const GenericField& b) { 890| 16.6M| BOTAN_STATE_CHECK(a.m_curve == b.m_curve); ------------------ | | 51| 16.6M| do { \ | | 52| 16.6M| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 16.6M| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 16.6M] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 16.6M| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 16.6M] | | ------------------ ------------------ 891| 16.6M| return a.m_curve; 892| 16.6M| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField4redcEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm18EEE: 894| 16.0M| static StorageUnit redc(const GenericPrimeOrderCurve* curve, std::array z) { 895| 16.0M| const auto& mod = curve->_params().field(); 896| 16.0M| const size_t words = curve->_params().words(); 897| 16.0M| StorageUnit r{}; 898| 16.0M| StorageUnit ws{}; 899| 16.0M| bigint_monty_redc( 900| 16.0M| r.data(), z.data(), mod.data(), words, curve->_params().field_p_dash(), ws.data(), ws.size()); 901| 16.0M| return r; 902| 16.0M| } _ZNK5Botan6PCurve18GenericCurveParams12field_p_dashEv: 170| 16.0M| word field_p_dash() const { return m_field_p_dash; } _ZNK5Botan6PCurve22GenericProjectivePoint20_const_time_unpoisonEv: 1208| 371| void _const_time_unpoison() const { CT::unpoison_all(m_x, m_y, m_z); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField20_const_time_unpoisonEv: 815| 1.11k| void _const_time_unpoison() const { CT::unpoison(m_val); } _ZNK5Botan6PCurve22GenericProjectivePoint11is_identityEv: 1112| 1.59M| CT::Choice is_identity() const { return z().is_zero(); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField6invertEv: 759| 895| GenericField invert() const { return pow_vartime(m_curve->_params().field_minus_2()); } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField11pow_vartimeERKNSt3__15arrayImLm9EEE: 743| 895| GenericField pow_vartime(const StorageUnit& exp) const { 744| 895| auto one = GenericField::one(curve()); 745| 895| auto bits = curve()->_params().field_bits(); 746| 895| auto words = curve()->_params().words(); 747| 895| return impl_pow_vartime(*this, one, bits, std::span{exp}.last(words)); 748| 895| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_116impl_pow_vartimeINS1_12GenericFieldEEET_RKS4_S6_mNSt3__14spanIKmLm18446744073709551615EEE: 56| 895|T impl_pow_vartime(const T& elem, const T& one, size_t bits, std::span exp) { 57| 895| constexpr size_t WindowBits = 4; 58| 895| constexpr size_t WindowElements = (1 << WindowBits) - 1; 59| | 60| 895| const size_t Windows = (bits + WindowBits - 1) / WindowBits; 61| | 62| 895| std::vector tbl; 63| 895| tbl.reserve(WindowElements); 64| | 65| 895| tbl.push_back(elem); 66| | 67| 13.4k| for(size_t i = 1; i != WindowElements; ++i) { ------------------ | Branch (67:22): [True: 12.5k, False: 895] ------------------ 68| 12.5k| if(i % 2 == 1) { ------------------ | Branch (68:10): [True: 6.26k, False: 6.26k] ------------------ 69| 6.26k| tbl.push_back(tbl[i / 2].square()); 70| 6.26k| } else { 71| 6.26k| tbl.push_back(tbl[i - 1] * tbl[0]); 72| 6.26k| } 73| 12.5k| } 74| | 75| 895| auto r = one; 76| | 77| 895| const size_t w0 = read_window_bits(exp, (Windows - 1) * WindowBits); 78| | 79| 895| if(w0 > 0) { ------------------ | Branch (79:7): [True: 895, False: 0] ------------------ 80| 895| r = tbl[w0 - 1]; 81| 895| } 82| | 83| 54.9k| for(size_t i = 1; i != Windows; ++i) { ------------------ | Branch (83:22): [True: 54.0k, False: 895] ------------------ 84| 270k| for(size_t j = 0; j != WindowBits; ++j) { ------------------ | Branch (84:25): [True: 216k, False: 54.0k] ------------------ 85| 216k| r = r.square(); 86| 216k| } 87| 54.0k| const size_t w = read_window_bits(exp, (Windows - i - 1) * WindowBits); 88| | 89| 54.0k| if(w > 0) { ------------------ | Branch (89:10): [True: 48.6k, False: 5.40k] ------------------ 90| 48.6k| r *= tbl[w - 1]; 91| 48.6k| } 92| 54.0k| } 93| | 94| 895| return r; 95| 895|} _ZNK5Botan6PCurve18GenericCurveParams13field_minus_2Ev: 160| 895| const StorageUnit& field_minus_2() const { return m_field_minus_2; } _ZN5Botan6PCurveplERKNS0_22GenericProjectivePointES3_: 1096| 382k| friend Self operator+(const Self& a, const Self& b) { return Self::add(a, b); } _ZN5Botan6PCurve22GenericProjectivePoint3addERKS1_S3_: 1132| 382k| static Self add(const Self& a, const Self& b) { return point_add(a, b); } pcurves_generic.cpp:_ZNK5Botan6PCurve22GenericProjectivePoint1zEv: 1202| 7.21M| const GenericField& z() const { return m_z; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField6squareEv: 737| 4.65M| GenericField square() const { 738| 4.65M| std::array z; // NOLINT(*-member-init) 739| 4.65M| m_curve->_params().sqr(z, value()); 740| 4.65M| return GenericField(m_curve, redc(m_curve, z)); 741| 4.65M| } _ZNK5Botan6PCurve18GenericCurveParams3sqrERNSt3__15arrayImLm18EEERKNS3_ImLm9EEE: 216| 4.65M| void sqr(std::array& z, const std::array& x) const { 217| 4.65M| clear_mem(z); 218| | 219| 4.65M| if(m_words == 4) { ------------------ | Branch (219:13): [True: 2.20M, False: 2.45M] ------------------ 220| 2.20M| bigint_comba_sqr4(z.data(), x.data()); 221| 2.45M| } else if(m_words == 6) { ------------------ | Branch (221:20): [True: 0, False: 2.45M] ------------------ 222| 0| bigint_comba_sqr6(z.data(), x.data()); 223| 2.45M| } else if(m_words == 8) { ------------------ | Branch (223:20): [True: 0, False: 2.45M] ------------------ 224| 0| bigint_comba_sqr8(z.data(), x.data()); 225| 2.45M| } else if(m_words == 9) { ------------------ | Branch (225:20): [True: 850k, False: 1.59M] ------------------ 226| 850k| bigint_comba_sqr9(z.data(), x.data()); 227| 1.59M| } else { 228| 1.59M| bigint_sqr(z.data(), z.size(), x.data(), m_words, m_words, nullptr, 0); 229| 1.59M| } 230| 4.65M| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField11deserializeEPKNS0_22GenericPrimeOrderCurveENSt3__14spanIKhLm18446744073709551615EEE: 605| 248| std::span bytes) { 606| 248| const size_t len = curve->_params().field_bytes(); 607| | 608| 248| if(bytes.size() != len) { ------------------ | Branch (608:13): [True: 0, False: 248] ------------------ 609| 0| return {}; 610| 0| } 611| | 612| 248| const auto words = bytes_to_words(bytes); 613| | 614| 248| if(words) { ------------------ | Branch (614:13): [True: 248, False: 0] ------------------ 615| 248| if(!bigint_ct_is_lt(words->data(), N, curve->_params().field().data(), N).as_bool()) { ------------------ | Branch (615:16): [True: 22, False: 226] ------------------ 616| 22| return {}; 617| 22| } 618| | 619| | // Safe because we checked above that words is an integer < P 620| 226| return GenericField::from_words(curve, *words); 621| 248| } else { 622| 0| return {}; 623| 0| } 624| 248| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_114bytes_to_wordsILm9EEENSt3__18optionalINS3_5arrayImXT_EEEEENS3_4spanIKhLm18446744073709551615EEE: 28| 754|constexpr std::optional> bytes_to_words(std::span bytes) { 29| 754| if(bytes.size() > WordInfo::bytes * N) { ------------------ | Branch (29:7): [True: 0, False: 754] ------------------ 30| 0| return std::nullopt; 31| 0| } 32| | 33| 754| std::array r{}; 34| | 35| 754| const size_t full_words = bytes.size() / WordInfo::bytes; 36| 754| const size_t extra_bytes = bytes.size() % WordInfo::bytes; 37| | 38| 3.79k| for(size_t i = 0; i != full_words; ++i) { ------------------ | Branch (38:22): [True: 3.04k, False: 754] ------------------ 39| 3.04k| r[i] = load_be(bytes.data(), full_words - 1 - i); 40| 3.04k| } 41| | 42| 754| if(extra_bytes > 0) { ------------------ | Branch (42:7): [True: 611, False: 143] ------------------ 43| 611| const size_t shift = extra_bytes * 8; 44| 611| bigint_shl1(r.data(), r.size(), r.size(), shift); 45| | 46| 3.11k| for(size_t i = 0; i != extra_bytes; ++i) { ------------------ | Branch (46:25): [True: 2.50k, False: 611] ------------------ 47| 2.50k| const word b0 = bytes[WordInfo::bytes * full_words + i]; 48| 2.50k| r[0] |= (b0 << (8 * (extra_bytes - 1 - i))); 49| 2.50k| } 50| 611| } 51| | 52| 754| return r; 53| 754|} pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_1mlERKNS1_12GenericFieldES4_: 720| 11.3M| friend GenericField operator*(const GenericField& a, const GenericField& b) { 721| 11.3M| const auto* curve = check_curve(a, b); 722| | 723| 11.3M| std::array z; // NOLINT(*-member-init) 724| 11.3M| curve->_params().mul(z, a.value(), b.value()); 725| 11.3M| return GenericField(curve, redc(curve, z)); 726| 11.3M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericFieldeqERKS2_: 791| 475| CT::Choice operator==(const GenericField& other) const { 792| 475| if(this->m_curve != other.m_curve) { ------------------ | Branch (792:13): [True: 0, False: 475] ------------------ 793| 0| return CT::Choice::no(); 794| 0| } 795| | 796| 475| return CT::is_equal(m_val.data(), other.m_val.data(), m_curve->_params().words()).as_choice(); 797| 475| } pcurves_generic.cpp:_ZNK5Botan6PCurve22GenericProjectivePoint1xEv: 1192| 3.53M| const GenericField& x() const { return m_x; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField10from_wordsEPKNS0_22GenericPrimeOrderCurveERKNSt3__15arrayImLm9EEE: 626| 226| static GenericField from_words(const GenericPrimeOrderCurve* curve, const std::array& words) { 627| 226| return GenericField(curve, to_rep(curve, words)); 628| 226| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField6to_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 910| 226| static StorageUnit to_rep(const GenericPrimeOrderCurve* curve, StorageUnit x) { 911| 226| std::array z{}; 912| 226| curve->_params().mul(z, x, curve->_params().field_monty_r2()); 913| 226| return redc(curve, z); 914| 226| } _ZNK5Botan6PCurve18GenericCurveParams14field_monty_r2Ev: 164| 226| const StorageUnit& field_monty_r2() const { return m_field_monty_r2; } _ZNK5Botan6PCurve18GenericCurveParams5orderEv: 172| 1.88k| const StorageUnit& order() const { return m_order; } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField6negateEv: 750| 3.97M| GenericField negate() const { 751| 3.97M| auto x_is_zero = CT::all_zeros(this->data(), N); 752| | 753| 3.97M| StorageUnit r; 754| 3.97M| bigint_sub3(r.data(), m_curve->_params().field().data(), N, this->data(), N); 755| 3.97M| x_is_zero.if_set_zero_out(r.data(), N); 756| 3.97M| return GenericField(m_curve, r); 757| 3.97M| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField4dataEv: 887| 18.4M| const W* data() const { return m_val.data(); } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField8from_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 904| 744| static StorageUnit from_rep(const GenericPrimeOrderCurve* curve, StorageUnit z) { 905| 744| std::array ze{}; 906| 744| copy_mem(std::span{ze}.template first(), z); 907| 744| return redc(curve, ze); 908| 744| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_1plERKNS1_12GenericFieldES4_: 706| 5.22M| friend GenericField operator+(const GenericField& a, const GenericField& b) { 707| 5.22M| const auto* curve = check_curve(a, b); 708| 5.22M| const size_t words = curve->_params().words(); 709| | 710| 5.22M| StorageUnit t{}; 711| 5.22M| const W carry = bigint_add3(t.data(), a.data(), words, b.data(), words); 712| | 713| 5.22M| StorageUnit r{}; 714| 5.22M| bigint_monty_maybe_sub(words, r.data(), carry, t.data(), curve->_params().field().data()); 715| 5.22M| return GenericField(curve, r); 716| 5.22M| } _ZNK5Botan6PCurve18GenericCurveParams6base_xEv: 190| 524| const StorageUnit& base_x() const { return m_base_x; } _ZNK5Botan6PCurve18GenericCurveParams6base_yEv: 192| 524| const StorageUnit& base_y() const { return m_base_y; } pcurves_generic.cpp:_ZNK5Botan6PCurve18GenericAffinePoint1yEv: 1032| 489k| const GenericField& y() const { return m_y; } pcurves_generic.cpp:_ZN5Botan6PCurve18GenericAffinePoint7x3_ax_bERKNS0_12_GLOBAL__N_112GenericFieldE: 980| 475| static GenericField x3_ax_b(const GenericField& x) { 981| 475| return (x.square() + GenericField::curve_a(x.curve())) * x + GenericField::curve_b(x.curve()); 982| 475| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField7curve_bEPKNS0_22GenericPrimeOrderCurveE: 643| 475| static GenericField curve_b(const GenericPrimeOrderCurve* curve) { 644| 475| return GenericField(curve, curve->_params().monty_curve_b()); 645| 475| } _ZNK5Botan6PCurve18GenericCurveParams13monty_curve_bEv: 188| 475| const StorageUnit& monty_curve_b() const { return m_monty_curve_b; } pcurves_generic.cpp:_ZNK5Botan6PCurve18GenericAffinePoint1xEv: 1027| 503k| const GenericField& x() const { return m_x; } _ZNK5Botan6PCurve18GenericAffinePoint11is_identityEv: 940| 15.9k| CT::Choice is_identity() const { return x().is_zero() && y().is_zero(); } _ZN5Botan6PCurve22GenericProjectivePoint11from_affineERKNS0_18GenericAffinePointE: 1061| 895| static Self from_affine(const GenericAffinePoint& pt) { 1062| 895| auto x = pt.x(); 1063| 895| auto y = pt.y(); 1064| 895| auto z = GenericField::one(x.curve()); 1065| | 1066| | // If pt is identity (0,0) swap y/z to convert (0,0,1) into (0,1,0) 1067| 895| GenericField::conditional_swap(pt.is_identity(), y, z); 1068| 895| return GenericProjectivePoint(x, y, z); 1069| 895| } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericField16conditional_swapENS_2CT6ChoiceERS2_S5_: 817| 895| static void conditional_swap(CT::Choice cond, GenericField& x, GenericField& y) { 818| 895| const W mask = cond.into_bitmask(); 819| | 820| 8.95k| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (820:28): [True: 8.05k, False: 895] ------------------ 821| 8.05k| auto nx = choose(mask, y.m_val[i], x.m_val[i]); 822| 8.05k| auto ny = choose(mask, x.m_val[i], y.m_val[i]); 823| 8.05k| x.m_val[i] = nx; 824| 8.05k| y.m_val[i] = ny; 825| 8.05k| } 826| 895| } _ZNK5Botan6PCurve18GenericAffinePoint12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 947| 372| void serialize_to(std::span bytes) const { 948| 372| const size_t fe_bytes = curve()->_params().field_bytes(); 949| 372| BOTAN_ARG_CHECK(bytes.size() == 1 + 2 * fe_bytes, "Buffer size incorrect"); ------------------ | | 35| 372| do { \ | | 36| 372| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 372| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 372] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 372| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 372] | | ------------------ ------------------ 950| 372| BOTAN_STATE_CHECK(this->is_identity().as_bool() == false); ------------------ | | 51| 372| do { \ | | 52| 372| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 372| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 372] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 372| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 372] | | ------------------ ------------------ 951| 372| BufferStuffer pack(bytes); 952| 372| pack.append(0x04); 953| 372| x().serialize_to(pack.next(fe_bytes)); 954| 372| y().serialize_to(pack.next(fe_bytes)); 955| 372| BOTAN_DEBUG_ASSERT(pack.full()); ------------------ | | 130| 372| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 372| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 372] | | ------------------ ------------------ 956| 372| } pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 774| 744| void serialize_to(std::span bytes) const { 775| 744| auto v = from_rep(m_curve, m_val); 776| 744| std::reverse(v.begin(), v.end()); 777| | 778| 744| const size_t flen = m_curve->_params().field_bytes(); 779| 744| BOTAN_ARG_CHECK(bytes.size() == flen, "Expected output span provided"); ------------------ | | 35| 744| do { \ | | 36| 744| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 744| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 744] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 744| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 744] | | ------------------ ------------------ 780| | 781| | // Remove leading zero bytes 782| 744| const auto padded_bytes = store_be(v); 783| 744| const size_t extra = N * WordInfo::bytes - flen; 784| 744| copy_mem(bytes, std::span{padded_bytes}.subspan(extra, flen)); 785| 744| } _ZNK5Botan6PCurve13GenericScalar12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 517| 872| void serialize_to(std::span bytes) const { 518| 872| auto v = from_rep(m_curve, m_val); 519| 872| std::reverse(v.begin(), v.end()); 520| | 521| 872| const size_t flen = m_curve->_params().order_bytes(); 522| 872| BOTAN_ARG_CHECK(bytes.size() == flen, "Expected output span provided"); ------------------ | | 35| 872| do { \ | | 36| 872| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 872| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 872] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 872| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 872] | | ------------------ ------------------ 523| | 524| | // Remove leading zero bytes 525| 872| const auto padded_bytes = store_be(v); 526| 872| const size_t extra = N * WordInfo::bytes - flen; 527| 872| copy_mem(bytes, std::span{padded_bytes}.subspan(extra, flen)); 528| 872| } _ZN5Botan6PCurve13GenericScalar11deserializeEPKNS0_22GenericPrimeOrderCurveENSt3__14spanIKhLm18446744073709551615EEE: 312| 506| std::span bytes) { 313| 506| const size_t len = curve->_params().order_bytes(); 314| | 315| 506| if(bytes.size() != len) { ------------------ | Branch (315:13): [True: 0, False: 506] ------------------ 316| 0| return {}; 317| 0| } 318| | 319| 506| const auto words = bytes_to_words(bytes); 320| | 321| 506| if(words) { ------------------ | Branch (321:13): [True: 506, False: 0] ------------------ 322| 506| if(!bigint_ct_is_lt(words->data(), N, curve->_params().order().data(), N).as_bool()) { ------------------ | Branch (322:16): [True: 3, False: 503] ------------------ 323| 3| return {}; 324| 3| } 325| | 326| | // Safe because we checked above that words is an integer < P 327| 503| return GenericScalar(curve, to_rep(curve, *words)); 328| 506| } else { 329| 0| return {}; 330| 0| } 331| 506| } _ZN5Botan6PCurve13GenericScalar6to_repEPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 579| 503| static StorageUnit to_rep(const GenericPrimeOrderCurve* curve, StorageUnit x) { 580| 503| std::array z; // NOLINT(*-member-init) 581| 503| curve->_params().mul(z, x, curve->_params().order_monty_r2()); 582| 503| return redc(curve, z); 583| 503| } _ZNK5Botan6PCurve18GenericCurveParams14order_monty_r2Ev: 178| 503| const StorageUnit& order_monty_r2() const { return m_order_monty_r2; } _ZNK5Botan6PCurve13GenericScalar10is_nonzeroEv: 532| 503| CT::Choice is_nonzero() const { return !is_zero(); } _ZN5Botan6PCurve18GenericAffinePoint11deserializeEPKNS0_22GenericPrimeOrderCurveENSt3__14spanIKhLm18446744073709551615EEE: 990| 130| std::span bytes) { 991| 130| const size_t fe_bytes = curve->_params().field_bytes(); 992| | 993| 130| if(bytes.size() == 1 + 2 * fe_bytes && bytes[0] == 0x04) { ------------------ | Branch (993:13): [True: 129, False: 1] | Branch (993:49): [True: 124, False: 5] ------------------ 994| 124| auto x = GenericField::deserialize(curve, bytes.subspan(1, fe_bytes)); 995| 124| auto y = GenericField::deserialize(curve, bytes.subspan(1 + fe_bytes, fe_bytes)); 996| | 997| 124| if(x && y) { ------------------ | Branch (997:16): [True: 117, False: 7] | Branch (997:21): [True: 104, False: 13] ------------------ 998| 104| const auto lhs = (*y).square(); 999| 104| const auto rhs = GenericAffinePoint::x3_ax_b(*x); 1000| 104| if((lhs == rhs).as_bool()) { ------------------ | Branch (1000:19): [True: 1, False: 103] ------------------ 1001| 1| return GenericAffinePoint(*x, *y); 1002| 1| } 1003| 104| } 1004| 124| } else if(bytes.size() == 1 + fe_bytes && (bytes[0] == 0x02 || bytes[0] == 0x03)) { ------------------ | Branch (1004:20): [True: 0, False: 6] | Branch (1004:53): [True: 0, False: 0] | Branch (1004:73): [True: 0, False: 0] ------------------ 1005| 0| const CT::Choice y_is_even = CT::Mask::is_equal(bytes[0], 0x02).as_choice(); 1006| | 1007| 0| if(auto x = GenericField::deserialize(curve, bytes.subspan(1, fe_bytes))) { ------------------ | Branch (1007:21): [True: 0, False: 0] ------------------ 1008| 0| auto [y, is_square] = x3_ax_b(*x).sqrt(); 1009| | 1010| 0| if(is_square.as_bool()) { ------------------ | Branch (1010:19): [True: 0, False: 0] ------------------ 1011| 0| const auto flip_y = y_is_even != y.is_even(); 1012| 0| y.conditional_assign(flip_y, y.negate()); 1013| 0| return GenericAffinePoint(*x, y); 1014| 0| } 1015| 0| } 1016| 6| } else if(bytes.size() == 1 && bytes[0] == 0x00) { ------------------ | Branch (1016:20): [True: 0, False: 6] | Branch (1016:41): [True: 0, False: 0] ------------------ 1017| | // See SEC1 section 2.3.4 1018| 0| return GenericAffinePoint::identity(curve); 1019| 0| } 1020| | 1021| 129| return {}; 1022| 130| } _ZNK5Botan6PCurve13GenericScalar7is_zeroEv: 530| 1.00k| CT::Choice is_zero() const { return CT::all_zeros(m_val.data(), m_curve->_params().words()).as_choice(); } _ZNK5Botan6PCurve13GenericScalar11stash_valueEv: 547| 501| const StorageUnit& stash_value() const { return m_val; } _ZN5Botan6PCurve13GenericScalarC2EPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 551| 1.87k| GenericScalar(const GenericPrimeOrderCurve* curve, StorageUnit val) : m_curve(curve), m_val(val) {} pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField11stash_valueEv: 799| 1.85k| const StorageUnit& stash_value() const { return m_val; } pcurves_generic.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112GenericFieldC2EPKNS0_22GenericPrimeOrderCurveENSt3__15arrayImLm9EEE: 882| 28.8M| GenericField(const GenericPrimeOrderCurve* curve, StorageUnit val) : m_curve(curve), m_val(val) {} pcurves_generic.cpp:_ZN5Botan6PCurve18GenericAffinePointC2ERKNS0_12_GLOBAL__N_112GenericFieldES5_: 929| 832k| GenericAffinePoint(const GenericField& x, const GenericField& y) : m_x(x), m_y(y) {} pcurves_generic.cpp:_ZNK5Botan6PCurve22GenericProjectivePoint1yEv: 1197| 3.26M| const GenericField& y() const { return m_y; } pcurves_generic.cpp:_ZN5Botan6PCurve22GenericProjectivePointC2ERKNS0_12_GLOBAL__N_112GenericFieldES5_S5_: 1094| 832k| m_x(x), m_y(y), m_z(z) {} _ZNK5Botan6PCurve13GenericScalar9serializeITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS4_9allocatorIhEEEEEET_v: 511| 371| T serialize() const { 512| 371| T bytes(m_curve->_params().order_bytes()); 513| 371| this->serialize_to(bytes); 514| 371| return bytes; 515| 371| } _ZN5Botan6PCurve18GenericCurveParamsC2ERKNS_6BigIntES4_S4_S4_S4_S4_: 110| 524| m_words(p.sig_words()), 111| 524| m_order_bits(order.bits()), 112| 524| m_order_bytes(order.bytes()), 113| 524| m_field_bits(p.bits()), 114| 524| m_field_bytes(p.bytes()), 115| 524| m_monty_order(order), 116| 524| m_monty_field(p), 117| 524| m_field(bn_to_fixed(p)), 118| 524| m_field_minus_2(bn_to_fixed_rev(p - 2)), 119| 524| m_field_monty_r1(bn_to_fixed(m_monty_field.R1())), 120| 524| m_field_monty_r2(bn_to_fixed(m_monty_field.R2())), 121| 524| m_field_p_plus_1_over_4(bn_to_fixed_rev((p + 1) / 4)), 122| 524| m_field_inv_2(bn_to_fixed((p / 2) + 1)), 123| 524| m_field_p_dash(m_monty_field.p_dash()), 124| | 125| 524| m_order(bn_to_fixed(order)), 126| 524| m_order_minus_2(bn_to_fixed_rev(order - 2)), 127| 524| m_order_monty_r1(bn_to_fixed(m_monty_order.R1())), 128| 524| m_order_monty_r2(bn_to_fixed(m_monty_order.R2())), 129| 524| m_order_monty_r3(bn_to_fixed(m_monty_order.R3())), 130| 524| m_order_inv_2(bn_to_fixed((order / 2) + 1)), 131| 524| m_order_p_dash(m_monty_order.p_dash()), 132| | 133| 524| m_a_is_minus_3(a + 3 == p), 134| 524| m_a_is_zero(a.is_zero()), 135| 524| m_order_is_lt_field(order < p) { 136| 524| secure_vector ws; 137| 524| m_monty_curve_a = bn_to_fixed(m_monty_field.mul(a, m_monty_field.R2(), ws)); 138| 524| m_monty_curve_b = bn_to_fixed(m_monty_field.mul(b, m_monty_field.R2(), ws)); 139| | 140| 524| m_base_x = bn_to_fixed(m_monty_field.mul(base_x, m_monty_field.R2(), ws)); 141| 524| m_base_y = bn_to_fixed(m_monty_field.mul(base_y, m_monty_field.R2(), ws)); 142| 524| } _ZN5Botan6PCurve18GenericCurveParams11bn_to_fixedERKNS_6BigIntE: 233| 8.38k| static std::array bn_to_fixed(const BigInt& n) { 234| 8.38k| const size_t n_words = n.sig_words(); 235| 8.38k| BOTAN_ASSERT_NOMSG(n_words <= PrimeOrderCurve::StorageWords); ------------------ | | 77| 8.38k| do { \ | | 78| 8.38k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 8.38k| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 8.38k] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 8.38k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 8.38k] | | ------------------ ------------------ 236| | 237| 8.38k| std::array r{}; 238| 8.38k| copy_mem(std::span{r}.first(n_words), n._as_span().first(n_words)); 239| 8.38k| return r; 240| 8.38k| } _ZN5Botan6PCurve18GenericCurveParams15bn_to_fixed_revERKNS_6BigIntE: 242| 1.57k| static std::array bn_to_fixed_rev(const BigInt& n) { 243| 1.57k| auto v = bn_to_fixed(n); 244| 1.57k| std::reverse(v.begin(), v.end()); 245| 1.57k| return v; 246| 1.57k| } _ZN5Botan6PCurve19GenericBaseMulTableC2ERKNS0_18GenericAffinePointE: 1338| 524| m_table(basemul_booth_setup(pt, blinded_scalar_bits(*pt.curve()) + 1)) {} pcurves_generic.cpp:_ZNK5Botan6PCurve12_GLOBAL__N_112GenericField14invert_vartimeEv: 761| 524| GenericField invert_vartime() const { 762| | // TODO take advantage of variable time here using eg BEEA 763| | // see IntMod::invert_vartime in pcurves_impl.h 764| 524| return invert(); 765| 524| } _ZN5Botan6PCurve19GenericBaseMulTable19blinded_scalar_bitsERKNS0_22GenericPrimeOrderCurveE: 1347| 524| static size_t blinded_scalar_bits(const GenericPrimeOrderCurve& curve) { 1348| 524| const size_t order_bits = curve.order_bits(); 1349| 524| return order_bits + scalar_blinding_bits(order_bits); 1350| 524| } _ZN5Botan6PCurve14PCurveInstance9secp192r1Ev: 180| 195|std::shared_ptr PCurveInstance::secp192r1() { 181| 195| return PrimeOrderCurveImpl::instance(); 182| 195|} pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 93| 6.23k| constexpr static std::array one() { return std::array{1}; } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm6EEE: 25| 128k| constexpr static std::array redc(const std::array& z) { 26| 128k| if constexpr(std::same_as && WordInfo::dword_is_native) { 27| 128k| using dword = typename WordInfo::dword; 28| | 29| 128k| const dword S01 = dword(z[0]) + z[3] + z[5]; 30| 128k| const dword S23 = dword(z[1]) + z[3] + z[4] + z[5]; 31| 128k| const dword S45 = dword(z[2]) + z[4] + z[5]; 32| | 33| 128k| std::array r = {}; 34| | 35| 128k| dword S = S01; 36| 128k| r[0] = static_cast(S); 37| 128k| S >>= 64; 38| | 39| 128k| S += S23; 40| 128k| r[1] = static_cast(S); 41| 128k| S >>= 64; 42| | 43| 128k| S += S45; 44| 128k| r[2] = static_cast(S); 45| 128k| S >>= 64; 46| | 47| 128k| BOTAN_DEBUG_ASSERT(S <= 3); ------------------ | | 130| 128k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 128k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 128k] | | ------------------ ------------------ 48| | 49| 128k| solinas_correct_redc(r, P, p192_mul_mod_192(static_cast(S))); 50| | 51| 128k| return r; 52| 128k| } 53| | 54| 0| const int64_t X00 = get_uint32(z.data(), 0); 55| 128k| const int64_t X01 = get_uint32(z.data(), 1); 56| 128k| const int64_t X02 = get_uint32(z.data(), 2); 57| 128k| const int64_t X03 = get_uint32(z.data(), 3); 58| 128k| const int64_t X04 = get_uint32(z.data(), 4); 59| 128k| const int64_t X05 = get_uint32(z.data(), 5); 60| 128k| const int64_t X06 = get_uint32(z.data(), 6); 61| 128k| const int64_t X07 = get_uint32(z.data(), 7); 62| 128k| const int64_t X08 = get_uint32(z.data(), 8); 63| 128k| const int64_t X09 = get_uint32(z.data(), 9); 64| 128k| const int64_t X10 = get_uint32(z.data(), 10); 65| 128k| const int64_t X11 = get_uint32(z.data(), 11); 66| | 67| 128k| const int64_t S0 = X00 + X06 + X10; 68| 128k| const int64_t S1 = X01 + X07 + X11; 69| 128k| const int64_t S2 = X02 + X06 + X08 + X10; 70| 128k| const int64_t S3 = X03 + X07 + X09 + X11; 71| 128k| const int64_t S4 = X04 + X08 + X10; 72| 128k| const int64_t S5 = X05 + X09 + X11; 73| | 74| 128k| std::array r = {}; 75| | 76| 128k| SolinasAccum sum(r); 77| | 78| 128k| sum.accum(S0); 79| 128k| sum.accum(S1); 80| 128k| sum.accum(S2); 81| 128k| sum.accum(S3); 82| 128k| sum.accum(S4); 83| 128k| sum.accum(S5); 84| 128k| const auto S = sum.final_carry(0); 85| | 86| 128k| BOTAN_DEBUG_ASSERT(S <= 3); ------------------ | | 130| 128k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 128k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 128k] | | ------------------ ------------------ 87| | 88| 128k| solinas_correct_redc(r, P, p192_mul_mod_192(S)); 89| | 90| 128k| return r; 91| 128k| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE16p192_mul_mod_192Em: 105| 128k| constexpr static std::array p192_mul_mod_192(W i) { 106| 128k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 107| | 108| | // For small i, multiples of P-192 have a simple structure so it's faster to 109| | // compute the value directly vs a (constant time) table lookup 110| | 111| 128k| auto r = P; 112| | 113| | if constexpr(WordInfo::bits == 32) { 114| | r[2] -= i; 115| | r[0] -= i; 116| 128k| } else { 117| 128k| r[1] -= i; 118| 128k| r[0] -= i; 119| 128k| } 120| 128k| return r; 121| 128k| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r15Curve10fe_invert2ERKNS_6IntModINS2_12Secp192r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 140| 189| static constexpr FieldElement fe_invert2(const FieldElement& x) { 141| | // Generated using https://github.com/mmcloughlin/addchain 142| 189| auto z = x.square(); 143| 189| z *= x; 144| 189| auto t0 = z.square(); 145| 189| t0 *= x; 146| 189| auto t2 = t0.square(); 147| 189| auto t1 = t2.square(); 148| 189| auto t3 = t1; 149| 189| t3.square_n(3); 150| 189| t1 *= t3; 151| 189| t3 = t1; 152| 189| t3.square_n(2); 153| 189| t2 *= t3; 154| 189| t2.square_n(7); 155| 189| t1 *= t2; 156| 189| t2 = t1; 157| 189| t2.square_n(15); 158| 189| t1 *= t2; 159| 189| t2 = t1; 160| 189| t2.square_n(30); 161| 189| t1 *= t2; 162| 189| z *= t1; 163| 189| t1 = z; 164| 189| t1.square_n(3); 165| 189| t2 = t1; 166| 189| t2.square_n(62); 167| 189| t1 *= t2; 168| 189| t0 *= t1; 169| 189| t0.square_n(63); 170| 189| z *= t0; 171| 189| z.square_n(2); 172| 189| return z; 173| 189| } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm3EEE: 99| 379| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp192r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp192r112Secp192r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm3EEE: 95| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp224r1Ev: 223| 284|std::shared_ptr PCurveInstance::secp224r1() { 224| 284| return PrimeOrderCurveImpl::instance(); 225| 284|} pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 69| 6.38k| constexpr static std::array one() { return std::array{1}; } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 25| 135k| constexpr static std::array redc(const std::array& z) { 26| 135k| const int64_t X00 = get_uint32(z.data(), 0); 27| 135k| const int64_t X01 = get_uint32(z.data(), 1); 28| 135k| const int64_t X02 = get_uint32(z.data(), 2); 29| 135k| const int64_t X03 = get_uint32(z.data(), 3); 30| 135k| const int64_t X04 = get_uint32(z.data(), 4); 31| 135k| const int64_t X05 = get_uint32(z.data(), 5); 32| 135k| const int64_t X06 = get_uint32(z.data(), 6); 33| 135k| const int64_t X07 = get_uint32(z.data(), 7); 34| 135k| const int64_t X08 = get_uint32(z.data(), 8); 35| 135k| const int64_t X09 = get_uint32(z.data(), 9); 36| 135k| const int64_t X10 = get_uint32(z.data(), 10); 37| 135k| const int64_t X11 = get_uint32(z.data(), 11); 38| 135k| const int64_t X12 = get_uint32(z.data(), 12); 39| 135k| const int64_t X13 = get_uint32(z.data(), 13); 40| | 41| 135k| const int64_t S0 = 0x00000001 + X00 - X07 - X11; 42| 135k| const int64_t S1 = 0x00000000 + X01 - X08 - X12; 43| 135k| const int64_t S2 = 0x00000000 + X02 - X09 - X13; 44| 135k| const int64_t S3 = 0xFFFFFFFF + X03 + X07 + X11 - X10; 45| 135k| const int64_t S4 = 0xFFFFFFFF + X04 + X08 + X12 - X11; 46| 135k| const int64_t S5 = 0xFFFFFFFF + X05 + X09 + X13 - X12; 47| 135k| const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13; 48| | 49| 135k| std::array r = {}; 50| | 51| 135k| SolinasAccum sum(r); 52| | 53| 135k| sum.accum(S0); 54| 135k| sum.accum(S1); 55| 135k| sum.accum(S2); 56| 135k| sum.accum(S3); 57| 135k| sum.accum(S4); 58| 135k| sum.accum(S5); 59| 135k| sum.accum(S6); 60| 135k| const auto S = sum.final_carry(0); 61| | 62| 135k| BOTAN_DEBUG_ASSERT(S <= 2); ------------------ | | 130| 135k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 135k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 135k] | | ------------------ ------------------ 63| | 64| 135k| solinas_correct_redc(r, P, p224_mul_mod_224(S)); 65| | 66| 135k| return r; 67| 135k| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE16p224_mul_mod_224Em: 81| 135k| constexpr static std::array p224_mul_mod_224(W i) { 82| 135k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 83| | 84| | // For small i, multiples of P-224 have a simple structure so it's faster to 85| | // compute the value directly vs a (constant time) table lookup 86| | 87| 135k| auto r = P; 88| | 89| | if constexpr(WordInfo::bits == 32) { 90| | r[3] -= i; 91| | r[0] += i; 92| 135k| } else { 93| 135k| const W i32 = i << 32; 94| 135k| r[1] -= i32; 95| 135k| r[0] += i; 96| 135k| } 97| 135k| return r; 98| 135k| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r15Curve10fe_invert2ERKNS_6IntModINS2_12Secp224r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 117| 168| static constexpr FieldElement fe_invert2(const FieldElement& x) { 118| 168| auto z = x.square(); 119| 168| z *= x; 120| 168| z = z.square(); 121| 168| z *= x; 122| 168| auto t0 = z; 123| 168| t0.square_n(3); 124| 168| t0 *= z; 125| 168| auto t1 = t0; 126| 168| t1.square_n(6); 127| 168| t0 *= t1; 128| 168| t0.square_n(3); 129| 168| z *= t0; 130| 168| t0 = z.square(); 131| 168| t0 *= x; 132| 168| t1 = t0; 133| 168| t1.square_n(16); 134| 168| t0 *= t1; 135| 168| t1 = t0; 136| 168| t1.square_n(15); 137| 168| z *= t1; 138| 168| t1 = z; 139| 168| t1.square_n(47); 140| 168| z *= t1; 141| 168| z = z.square(); 142| 168| z *= x; 143| 168| t1 = z; 144| 168| t1.square_n(32); 145| 168| t0 *= t1; 146| 168| t0.square_n(96); 147| 168| z *= t0; 148| 168| return z.square(); 149| 168| } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 75| 339| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp224r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp224r112Secp224r1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 71| 159| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp256k1Ev: 233| 175|std::shared_ptr PCurveInstance::secp256k1() { 234| 175| return PrimeOrderCurveImpl::instance(); 235| 175|} pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 28| 6.75k| constexpr static std::array one() { return std::array{1}; } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 30| 144k| constexpr static std::array redc(const std::array& z) { 31| 144k| return redc_crandall(std::span{z}); 32| 144k| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k15Curve10fe_invert2ERKNS_6IntModINS2_12Secp256k1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 60| 157| static constexpr FieldElement fe_invert2(const FieldElement& x) { 61| 157| auto z = x.square(); 62| 157| z *= x; 63| 157| auto t0 = z; 64| 157| t0.square_n(2); 65| 157| t0 *= z; 66| 157| auto t1 = t0.square(); 67| 157| auto t2 = t1 * x; 68| 157| t1 = t2; 69| 157| t1.square_n(2); 70| 157| t1 *= z; 71| 157| auto t3 = t1; 72| 157| t3.square_n(4); 73| 157| t0 *= t3; 74| 157| t3 = t0; 75| 157| t3.square_n(11); 76| 157| t0 *= t3; 77| 157| t3 = t0; 78| 157| t3.square_n(5); 79| 157| t2 *= t3; 80| 157| t3 = t2; 81| 157| t3.square_n(27); 82| 157| t2 *= t3; 83| 157| t3 = t2; 84| 157| t3.square_n(54); 85| 157| t2 *= t3; 86| 157| t3 = t2; 87| 157| t3.square_n(108); 88| 157| t2 *= t3; 89| 157| t2.square_n(7); 90| 157| t1 *= t2; 91| 157| t1.square_n(23); 92| 157| t0 *= t1; 93| 157| t0.square_n(5); 94| 157| t0 *= x; 95| 157| t0.square_n(3); 96| 157| z *= t0; 97| 157| z.square_n(2); 98| 157| return z; 99| 157| } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 38| 315| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp256k1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256k112Secp256k1RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 34| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp256r1Ev: 268| 270|std::shared_ptr PCurveInstance::secp256r1() { 269| 270| return PrimeOrderCurveImpl::instance(); 270| 270|} pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE3oneEv: 77| 9.24k| constexpr static std::array one() { return std::array{1}; } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE4redcERKNSt3__15arrayImLm8EEE: 27| 187k| constexpr static std::array redc(const std::array& z) { 28| 187k| const int64_t X00 = get_uint32(z.data(), 0); 29| 187k| const int64_t X01 = get_uint32(z.data(), 1); 30| 187k| const int64_t X02 = get_uint32(z.data(), 2); 31| 187k| const int64_t X03 = get_uint32(z.data(), 3); 32| 187k| const int64_t X04 = get_uint32(z.data(), 4); 33| 187k| const int64_t X05 = get_uint32(z.data(), 5); 34| 187k| const int64_t X06 = get_uint32(z.data(), 6); 35| 187k| const int64_t X07 = get_uint32(z.data(), 7); 36| 187k| const int64_t X08 = get_uint32(z.data(), 8); 37| 187k| const int64_t X09 = get_uint32(z.data(), 9); 38| 187k| const int64_t X10 = get_uint32(z.data(), 10); 39| 187k| const int64_t X11 = get_uint32(z.data(), 11); 40| 187k| const int64_t X12 = get_uint32(z.data(), 12); 41| 187k| const int64_t X13 = get_uint32(z.data(), 13); 42| 187k| const int64_t X14 = get_uint32(z.data(), 14); 43| 187k| const int64_t X15 = get_uint32(z.data(), 15); 44| | 45| | // See SP 800-186 section G.1.2 46| 187k| const int64_t S0 = P256_4[0] + X00 + X08 + X09 - (X11 + X12 + X13 + X14); 47| 187k| const int64_t S1 = P256_4[1] + X01 + X09 + X10 - (X12 + X13 + X14 + X15); 48| 187k| const int64_t S2 = P256_4[2] + X02 + X10 + X11 - (X13 + X14 + X15); 49| 187k| const int64_t S3 = P256_4[3] + X03 + 2 * (X11 + X12) + X13 - (X15 + X08 + X09); 50| 187k| const int64_t S4 = P256_4[4] + X04 + 2 * (X12 + X13) + X14 - (X09 + X10); 51| 187k| const int64_t S5 = P256_4[5] + X05 + 2 * (X13 + X14) + X15 - (X10 + X11); 52| 187k| const int64_t S6 = P256_4[6] + X06 + X13 + X14 * 3 + X15 * 2 - (X08 + X09); 53| 187k| const int64_t S7 = P256_4[7] + X07 + X15 * 3 + X08 - (X10 + X11 + X12 + X13); 54| 187k| const int64_t S8 = P256_4[8]; 55| | 56| 187k| std::array r = {}; 57| | 58| 187k| SolinasAccum sum(r); 59| | 60| 187k| sum.accum(S0); 61| 187k| sum.accum(S1); 62| 187k| sum.accum(S2); 63| 187k| sum.accum(S3); 64| 187k| sum.accum(S4); 65| 187k| sum.accum(S5); 66| 187k| sum.accum(S6); 67| 187k| sum.accum(S7); 68| 187k| const auto S = sum.final_carry(S8); 69| | 70| 187k| BOTAN_DEBUG_ASSERT(S <= 8); ------------------ | | 130| 187k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 187k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 187k] | | ------------------ ------------------ 71| | 72| 187k| solinas_correct_redc(r, P, p256_mul_mod_256(S)); 73| | 74| 187k| return r; 75| 187k| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE16p256_mul_mod_256Em: 89| 187k| constexpr static std::array p256_mul_mod_256(W i) { 90| 187k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 91| | 92| | // For small i, multiples of P-256 have a simple structure so it's faster to 93| | // compute the value directly vs a (constant time) table lookup 94| | 95| 187k| auto r = P; 96| | if constexpr(WordInfo::bits == 32) { 97| | r[7] -= i; 98| | r[6] += i; 99| | r[3] += i; 100| | r[0] -= i; 101| 187k| } else { 102| 187k| const uint64_t i32 = static_cast(i) << 32; 103| 187k| r[3] -= i32; 104| 187k| r[3] += i; 105| 187k| r[1] += i32; 106| 187k| r[0] -= i; 107| 187k| } 108| 187k| return r; 109| 187k| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp256r15Curve10fe_invert2ERKNS_6IntModINS1_12Secp256r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 131| 215| static constexpr FieldElement fe_invert2(const FieldElement& x) { 132| | // Generated using https://github.com/mmcloughlin/addchain 133| | 134| 215| auto z = x.square(); 135| 215| z *= x; 136| 215| z = z.square(); 137| 215| z *= x; 138| 215| auto t0 = z; 139| 215| t0.square_n(3); 140| 215| t0 *= z; 141| 215| auto t1 = t0; 142| 215| t1.square_n(6); 143| 215| t0 *= t1; 144| 215| t0.square_n(3); 145| 215| z *= t0; 146| 215| t0 = z.square(); 147| 215| t0 *= x; 148| 215| t1 = t0; 149| 215| t1.square_n(16); 150| 215| t0 *= t1; 151| 215| t0.square_n(15); 152| 215| z *= t0; 153| 215| t0.square_n(17); 154| 215| t0 *= x; 155| 215| t0.square_n(143); 156| 215| t0 *= z; 157| 215| t0.square_n(47); 158| 215| z *= t0; 159| 215| z.square_n(2); 160| | 161| 215| return z; 162| 215| } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE8from_repERKNSt3__15arrayImLm4EEE: 83| 431| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp256r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp256r1RepINS_13EllipticCurveINS1_9secp256r16ParamsES2_E11FieldParamsEE6to_repERKNSt3__15arrayImLm4EEE: 79| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp384r1Ev: 343| 165|std::shared_ptr PCurveInstance::secp384r1() { 344| 165| return PrimeOrderCurveImpl::instance(); 345| 165|} pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE3oneEv: 88| 9.81k| constexpr static std::array one() { return std::array{1}; } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE4redcERKNSt3__15arrayImLm12EEE: 23| 210k| constexpr static std::array redc(const std::array& z) { 24| 210k| const int64_t X00 = get_uint32(z.data(), 0); 25| 210k| const int64_t X01 = get_uint32(z.data(), 1); 26| 210k| const int64_t X02 = get_uint32(z.data(), 2); 27| 210k| const int64_t X03 = get_uint32(z.data(), 3); 28| 210k| const int64_t X04 = get_uint32(z.data(), 4); 29| 210k| const int64_t X05 = get_uint32(z.data(), 5); 30| 210k| const int64_t X06 = get_uint32(z.data(), 6); 31| 210k| const int64_t X07 = get_uint32(z.data(), 7); 32| 210k| const int64_t X08 = get_uint32(z.data(), 8); 33| 210k| const int64_t X09 = get_uint32(z.data(), 9); 34| 210k| const int64_t X10 = get_uint32(z.data(), 10); 35| 210k| const int64_t X11 = get_uint32(z.data(), 11); 36| 210k| const int64_t X12 = get_uint32(z.data(), 12); 37| 210k| const int64_t X13 = get_uint32(z.data(), 13); 38| 210k| const int64_t X14 = get_uint32(z.data(), 14); 39| 210k| const int64_t X15 = get_uint32(z.data(), 15); 40| 210k| const int64_t X16 = get_uint32(z.data(), 16); 41| 210k| const int64_t X17 = get_uint32(z.data(), 17); 42| 210k| const int64_t X18 = get_uint32(z.data(), 18); 43| 210k| const int64_t X19 = get_uint32(z.data(), 19); 44| 210k| const int64_t X20 = get_uint32(z.data(), 20); 45| 210k| const int64_t X21 = get_uint32(z.data(), 21); 46| 210k| const int64_t X22 = get_uint32(z.data(), 22); 47| 210k| const int64_t X23 = get_uint32(z.data(), 23); 48| | 49| | // One copy of P-384 is added to prevent underflow 50| 210k| const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23; 51| 210k| const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20; 52| 210k| const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21; 53| 210k| const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23; 54| 210k| const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21 * 2 + X22 - X15 - X23 * 2; 55| 210k| const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22 * 2 + X23 - X16; 56| 210k| const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23 * 2 - X17; 57| 210k| const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18; 58| 210k| const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19; 59| 210k| const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20; 60| 210k| const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21; 61| 210k| const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22; 62| | 63| 210k| std::array r = {}; 64| | 65| 210k| SolinasAccum sum(r); 66| | 67| 210k| sum.accum(S0); 68| 210k| sum.accum(S1); 69| 210k| sum.accum(S2); 70| 210k| sum.accum(S3); 71| 210k| sum.accum(S4); 72| 210k| sum.accum(S5); 73| 210k| sum.accum(S6); 74| 210k| sum.accum(S7); 75| 210k| sum.accum(S8); 76| 210k| sum.accum(S9); 77| 210k| sum.accum(SA); 78| 210k| sum.accum(SB); 79| 210k| const auto S = sum.final_carry(0); 80| | 81| 210k| BOTAN_DEBUG_ASSERT(S <= 4); ------------------ | | 130| 210k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 210k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 210k] | | ------------------ ------------------ 82| | 83| 210k| solinas_correct_redc(r, P, p384_mul_mod_384(S)); 84| | 85| 210k| return r; 86| 210k| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE16p384_mul_mod_384Em: 100| 210k| constexpr static std::array p384_mul_mod_384(W i) { 101| 210k| static_assert(WordInfo::bits == 32 || WordInfo::bits == 64); 102| | 103| | // For small i, multiples of P-384 have a simple structure so it's faster to 104| | // compute the value directly vs a (constant time) table lookup 105| | 106| 210k| auto r = P; 107| | if constexpr(WordInfo::bits == 32) { 108| | r[4] -= i; 109| | r[3] -= i; 110| | r[1] += i; 111| | r[0] -= i; 112| 210k| } else { 113| 210k| const uint64_t i32 = static_cast(i) << 32; 114| 210k| r[2] -= i; 115| 210k| r[1] -= i32; 116| 210k| r[0] += i32; 117| 210k| r[0] -= i; 118| 210k| } 119| 210k| return r; 120| 210k| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp384r15Curve10fe_invert2ERKNS_6IntModINS1_12Secp384r1RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 142| 151| static constexpr FieldElement fe_invert2(const FieldElement& x) { 143| | // From https://briansmith.org/ecc-inversion-addition-chains-01 144| | 145| 151| FieldElement r = x.square(); 146| 151| r *= x; 147| 151| const auto x2 = r; 148| 151| r = r.square(); 149| 151| r *= x; 150| 151| const auto x3 = r; 151| 151| r.square_n(3); 152| 151| r *= x3; 153| 151| auto rl = r; 154| 151| r.square_n(6); 155| 151| r *= rl; 156| 151| r.square_n(3); 157| 151| r *= x3; 158| 151| const auto x15 = r; 159| 151| r.square_n(15); 160| 151| r *= x15; 161| 151| const auto x30 = r; 162| 151| r.square_n(30); 163| 151| r *= x30; 164| 151| rl = r; 165| 151| r.square_n(60); 166| 151| r *= rl; 167| 151| rl = r; 168| 151| r.square_n(120); 169| 151| r *= rl; 170| 151| r.square_n(15); 171| 151| r *= x15; 172| 151| r.square_n(31); 173| 151| r *= x30; 174| 151| r.square_n(2); 175| 151| r *= x2; 176| 151| r.square_n(94); 177| 151| r *= x30; 178| 151| r.square_n(2); 179| | 180| 151| return r; 181| 151| } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE8from_repERKNSt3__15arrayImLm6EEE: 94| 303| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp384r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_112Secp384r1RepINS_13EllipticCurveINS1_9secp384r16ParamsES2_E11FieldParamsEE6to_repERKNSt3__15arrayImLm6EEE: 90| 1| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan6PCurve14PCurveInstance9secp521r1Ev: 291| 306|std::shared_ptr PCurveInstance::secp521r1() { 292| 306| return PrimeOrderCurveImpl::instance(); 293| 306|} pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE3oneEv: 24| 11.8k| constexpr static std::array one() { return std::array{1}; } pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm18EEE: 26| 260k| constexpr static std::array redc(const std::array& z) { 27| | // Regardless of word size (32 or 64) the top word is 9 bits long 28| 260k| constexpr W TOP_BITS = static_cast(0x1FF); 29| | // The 23 or 55 bits that should be cleared in the top word 30| 260k| constexpr W CLEARED_TOP_BITS = WordInfo::max ^ TOP_BITS; 31| | 32| | /* 33| | * Extract the high part of z (z >> 521) 34| | */ 35| 260k| std::array t; // NOLINT(*-member-init) 36| | 37| 2.60M| for(size_t i = 0; i != N; ++i) { ------------------ | Branch (37:28): [True: 2.34M, False: 260k] ------------------ 38| 2.34M| t[i] = z[(N - 1) + i] >> 9; 39| 2.34M| } 40| | 41| 2.34M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (41:28): [True: 2.08M, False: 260k] ------------------ 42| 2.08M| t[i] |= z[(N - 1) + i + 1] << (WordInfo::bits - 9); 43| 2.08M| } 44| | 45| | // Now t += z & (2**521-1) 46| 260k| W carry = 0; 47| 2.34M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (47:28): [True: 2.08M, False: 260k] ------------------ 48| 2.08M| t[i] = word_add(t[i], z[i], &carry); 49| 2.08M| } 50| | 51| | // Now add the (partial) top words; this can't carry out 52| | // since both inputs are at most 2**9-1 53| 260k| t[N - 1] += (z[N - 1] & TOP_BITS) + carry; 54| | 55| | /* 56| | Since the modulus P is exactly 2**521 - 1 the only way the computed 57| | result can be larger than P is if the top word is larger than TOP_BITS 58| | 59| | Since TOP_BITS has the low 9 bits set, we can check if t[N - 1] > TOP_BITS 60| | by checking if t[N - 1] >> 9 has any bits set. Doing it this way is 61| | faster than a standard comparison since CT::Mask::is_gt requires 62| | several bit operations. 63| | */ 64| | 65| 260k| const W is_over_p521 = ~CT::Mask::is_zero(t[N - 1] >> 9).value(); 66| | 67| | /* 68| | * Also must detect/handle x == P 69| | */ 70| 260k| const W is_eq_p521 = [&]() { 71| 260k| W sum = WordInfo::max; 72| 260k| for(size_t i = 0; i != N - 1; ++i) { 73| 260k| sum &= t[i]; 74| 260k| } 75| 260k| sum &= (CLEARED_TOP_BITS | t[N - 1]); 76| | 77| 260k| return CT::Mask::is_zero(sum ^ WordInfo::max).value(); 78| 260k| }(); 79| | 80| 260k| const W need_sub = is_over_p521 | is_eq_p521; 81| | 82| 260k| W borrow = 0; 83| 2.34M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (83:28): [True: 2.08M, False: 260k] ------------------ 84| 2.08M| t[i] = word_sub(t[i], need_sub & WordInfo::max, &borrow); 85| 2.08M| } 86| 260k| t[N - 1] = word_sub(t[N - 1], need_sub & TOP_BITS, &borrow); 87| | 88| 260k| return t; 89| 260k| } pcurves_secp521r1.cpp:_ZZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE4redcERKNSt3__15arrayImLm18EEEENKUlvE_clEv: 70| 260k| const W is_eq_p521 = [&]() { 71| 260k| W sum = WordInfo::max; 72| 2.34M| for(size_t i = 0; i != N - 1; ++i) { ------------------ | Branch (72:31): [True: 2.08M, False: 260k] ------------------ 73| 2.08M| sum &= t[i]; 74| 2.08M| } 75| 260k| sum &= (CLEARED_TOP_BITS | t[N - 1]); 76| | 77| 260k| return CT::Mask::is_zero(sum ^ WordInfo::max).value(); 78| 260k| }(); pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r15Curve10fe_invert2ERKNS_6IntModINS2_7P521RepINS_13EllipticCurveINS2_6ParamsES5_E11FieldParamsEEEEE: 115| 136| static constexpr FieldElement fe_invert2(const FieldElement& x) { 116| | // Addition chain from https://eprint.iacr.org/2014/852.pdf page 6 117| | 118| 136| FieldElement r = x.square(); 119| 136| r *= x; 120| 136| r = r.square(); 121| 136| r *= x; 122| 136| FieldElement rl = r; 123| 136| r.square_n(3); 124| 136| r *= rl; 125| 136| r.square_n(1); 126| 136| r *= x; 127| 136| const auto a7 = r; 128| 136| r.square_n(1); 129| 136| r *= x; 130| 136| rl = r; 131| 136| r.square_n(8); 132| 136| r *= rl; 133| 136| rl = r; 134| 136| r.square_n(16); 135| 136| r *= rl; 136| 136| rl = r; 137| 136| r.square_n(32); 138| 136| r *= rl; 139| 136| rl = r; 140| 136| r.square_n(64); 141| 136| r *= rl; 142| 136| rl = r; 143| 136| r.square_n(128); 144| 136| r *= rl; 145| 136| rl = r; 146| 136| r.square_n(256); 147| 136| r *= rl; 148| 136| r.square_n(7); 149| 136| r *= a7; 150| 136| r.square_n(2); 151| | 152| 136| return r; 153| 136| } pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE8from_repERKNSt3__15arrayImLm9EEE: 95| 275| constexpr static std::array from_rep(const std::array& z) { return z; } pcurves_secp521r1.cpp:_ZN5Botan6PCurve12_GLOBAL__N_19secp521r17P521RepINS_13EllipticCurveINS2_6ParamsES3_E11FieldParamsEE6to_repERKNSt3__15arrayImLm9EEE: 91| 158| constexpr static std::array to_rep(const std::array& x) { return x; } _ZN5Botan18Keccak_Permutation5clearEv: 37| 544|void Keccak_Permutation::clear() { 38| 544| state() = {}; 39| 544| reset_cursor(); 40| 544|} _ZN5Botan18Keccak_Permutation6absorbENSt3__14spanIKhLm18446744073709551615EEE: 42| 9.07k|void Keccak_Permutation::absorb(std::span input) { 43| 9.07k| absorb_into_sponge(*this, input); 44| 9.07k|} _ZN5Botan18Keccak_Permutation7squeezeENSt3__14spanIhLm18446744073709551615EEE: 46| 973k|void Keccak_Permutation::squeeze(std::span output) { 47| 973k| squeeze_from_sponge(*this, output); 48| 973k|} _ZN5Botan18Keccak_Permutation6finishEv: 50| 4.59k|void Keccak_Permutation::finish() { 51| | // The padding for Keccak[c]-based functions spans the entire remaining 52| | // byterate until the next permute() call. At most that could be an entire 53| | // byterate. First are a few bits of "custom" padding defined by the using 54| | // function (e.g. SHA-3 uses "01"), then the remaining space is filled with 55| | // "pad10*1" (see NIST FIPS 202 Section 5.1) followed by a final permute(). 56| | 57| 4.59k| auto& S = state(); 58| | 59| | // Apply the custom padding + the left-most 1-bit of "pad10*1" to the current 60| | // (partial) word of the sponge state 61| | 62| 4.59k| const uint64_t start_of_padding = (m_padding.padding | uint64_t(1) << m_padding.bit_len); 63| 4.59k| S[cursor() / word_bytes] ^= start_of_padding << (8 * (cursor() % word_bytes)); 64| | 65| | // XOR'ing the 0-bits of "pad10*1" into the state is a NOOP 66| | 67| | // If the custom padding + the left-most 1-bit of "pad10*1" had resulted in a 68| | // byte-aligned "partial padding", the final 1-bit of of "pad10*1" could 69| | // potentially override parts of the already-appended "start_of_padding". 70| | // In case we ever introduce a Keccak-based function with such a need, we 71| | // have to modify this padding algorithm. 72| 4.59k| BOTAN_DEBUG_ASSERT(m_padding.bit_len % 8 != 7); ------------------ | | 130| 4.59k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 4.59k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 4.59k] | | ------------------ ------------------ 73| | 74| | // Append the final bit of "pad10*1" into the last word of the input range 75| 4.59k| S[(byte_rate() / word_bytes) - 1] ^= uint64_t(0x8000000000000000); 76| | 77| | // Perform the final permutation and reset the state cursor 78| 4.59k| permute(); 79| 4.59k| reset_cursor(); 80| | 81| 4.59k| BOTAN_DEBUG_ASSERT(cursor() == 0); ------------------ | | 130| 4.59k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 4.59k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 4.59k] | | ------------------ ------------------ 82| 4.59k|} _ZN5Botan18Keccak_Permutation7permuteEv: 84| 19.2k|void Keccak_Permutation::permute() { 85| 19.2k|#if defined(BOTAN_HAS_KECCAK_PERM_AVX512) 86| 19.2k| if(CPUID::has(CPUID::Feature::AVX512)) { ------------------ | Branch (86:7): [True: 0, False: 19.2k] ------------------ 87| 0| return permute_avx512(); 88| 0| } 89| 19.2k|#endif 90| | 91| 19.2k|#if defined(BOTAN_HAS_KECCAK_PERM_BMI2) 92| 19.2k| if(CPUID::has(CPUID::Feature::BMI)) { ------------------ | Branch (92:7): [True: 19.2k, False: 0] ------------------ 93| 19.2k| return permute_bmi2(); 94| 19.2k| } 95| 0|#endif 96| | 97| 0| static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 98| 0| 0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009, 99| 0| 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A, 100| 0| 0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 101| 0| 0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A, 102| 0| 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008}; 103| | 104| 0| uint64_t T[25]; 105| | 106| 0| for(size_t i = 0; i != 24; i += 2) { ------------------ | Branch (106:22): [True: 0, False: 0] ------------------ 107| 0| Keccak_Permutation_round(T, state().data(), RC[i + 0]); 108| 0| Keccak_Permutation_round(state().data(), T, RC[i + 1]); 109| 0| } 110| 0|} _ZN5Botan18Keccak_Permutation12permute_bmi2Ev: 15| 19.2k|void BOTAN_FN_ISA_BMI2 Keccak_Permutation::permute_bmi2() { 16| 19.2k| static const uint64_t RC[24] = {0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 17| 19.2k| 0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009, 18| 19.2k| 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A, 19| 19.2k| 0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 20| 19.2k| 0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A, 21| 19.2k| 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008}; 22| | 23| 19.2k| uint64_t T[25]; 24| | 25| 249k| for(size_t i = 0; i != 24; i += 2) { ------------------ | Branch (25:22): [True: 230k, False: 19.2k] ------------------ 26| 230k| Keccak_Permutation_round(T, state().data(), RC[i + 0]); 27| 230k| Keccak_Permutation_round(state().data(), T, RC[i + 1]); 28| 230k| } 29| 19.2k|} _ZN5Botan9Gf448ElemC2ENSt3__14spanIKhLm56EEE: 356| 2|Gf448Elem::Gf448Elem(std::span x) /* NOLINT(*-member-init) */ { 357| 2| load_le(m_x, x); 358| 2|} _ZN5Botan9Gf448ElemC2Em: 360| 8.06k|Gf448Elem::Gf448Elem(uint64_t least_sig_word) /* NOLINT(*-member-init) */ { 361| 8.06k| clear_mem(m_x); 362| 8.06k| m_x[0] = least_sig_word; 363| 8.06k|} _ZNK5Botan9Gf448Elem8to_bytesENSt3__14spanIhLm56EEE: 365| 1|void Gf448Elem::to_bytes(std::span out) const { 366| 1| store_le(out, to_canonical(m_x)); 367| 1|} _ZNK5Botan9Gf448Elem8to_bytesEv: 369| 1|std::array Gf448Elem::to_bytes() const { 370| 1| std::array bytes{}; 371| 1| to_bytes(bytes); 372| 1| return bytes; 373| 1|} _ZN5Botan9Gf448Elem12ct_cond_swapENS_2CT4MaskImEERS0_: 375| 898|void Gf448Elem::ct_cond_swap(CT::Mask mask, Gf448Elem& other) { 376| 7.18k| for(size_t i = 0; i < WORDS_448; ++i) { ------------------ | Branch (376:22): [True: 6.28k, False: 898] ------------------ 377| 6.28k| mask.conditional_swap(m_x[i], other.m_x[i]); 378| 6.28k| } 379| 898|} _ZNK5Botan9Gf448ElemplERKS0_: 385| 1.79k|Gf448Elem Gf448Elem::operator+(const Gf448Elem& other) const { 386| 1.79k| Gf448Elem res(0); 387| 1.79k| gf_add(res.m_x, m_x, other.m_x); 388| 1.79k| return res; 389| 1.79k|} _ZNK5Botan9Gf448ElemmiERKS0_: 391| 1.79k|Gf448Elem Gf448Elem::operator-(const Gf448Elem& other) const { 392| 1.79k| Gf448Elem res(0); 393| 1.79k| gf_sub(res.m_x, m_x, other.m_x); 394| 1.79k| return res; 395| 1.79k|} _ZNK5Botan9Gf448ElemmlERKS0_: 403| 2.24k|Gf448Elem Gf448Elem::operator*(const Gf448Elem& other) const { 404| 2.24k| Gf448Elem res(0); 405| 2.24k| gf_mul(res.m_x, m_x, other.m_x); 406| 2.24k| return res; 407| 2.24k|} _ZNK5Botan9Gf448ElemdvERKS0_: 409| 1|Gf448Elem Gf448Elem::operator/(const Gf448Elem& other) const { 410| 1| Gf448Elem res(0); 411| 1| gf_inv(res.m_x, other.m_x); 412| 1| gf_mul(res.m_x, m_x, res.m_x); 413| 1| return res; 414| 1|} _ZN5Botan7mul_a24ERKNS_9Gf448ElemE: 439| 448|Gf448Elem mul_a24(const Gf448Elem& a) { 440| 448| Gf448Elem res(0); 441| 448| gf_mul_a24(res.words(), a.words()); 442| 448| return res; 443| 448|} _ZN5Botan6squareERKNS_9Gf448ElemE: 445| 1.79k|Gf448Elem square(const Gf448Elem& elem) { 446| 1.79k| Gf448Elem res(0); 447| 1.79k| gf_square(res.words(), elem.words()); 448| 1.79k| return res; 449| 1.79k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_112to_canonicalENSt3__14spanIKmLm7EEE: 335| 1|std::array to_canonical(std::span in) { 336| 1| const std::array p = {0xffffffffffffffff, 337| 1| 0xffffffffffffffff, 338| 1| 0xffffffffffffffff, 339| 1| 0xfffffffeffffffff, 340| 1| 0xffffffffffffffff, 341| 1| 0xffffffffffffffff, 342| 1| 0xffffffffffffffff}; 343| | 344| 1| std::array in_minus_p; // NOLINT(*-member-init) 345| 1| uint64_t borrow = 0; 346| 8| for(size_t i = 0; i < WORDS_448; ++i) { ------------------ | Branch (346:22): [True: 7, False: 1] ------------------ 347| 7| in_minus_p[i] = word_sub(in[i], p[i], &borrow); 348| 7| } 349| 1| std::array out; // NOLINT(*-member-init) 350| 1| CT::Mask::expand(borrow).select_n(out.data(), in.data(), in_minus_p.data(), WORDS_448); 351| 1| return out; 352| 1|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_addENSt3__14spanImLm7EEENS2_IKmLm7EEES5_: 155| 1.79k| std::span b) { 156| 1.79k| std::array ws; // NOLINT(*-member-init) 157| | 158| 1.79k| uint64_t carry = 0; 159| 1.79k| ws[0] = word_add(a[0], b[0], &carry); 160| 1.79k| ws[1] = word_add(a[1], b[1], &carry); 161| 1.79k| ws[2] = word_add(a[2], b[2], &carry); 162| 1.79k| ws[3] = word_add(a[3], b[3], &carry); 163| 1.79k| ws[4] = word_add(a[4], b[4], &carry); 164| 1.79k| ws[5] = word_add(a[5], b[5], &carry); 165| 1.79k| ws[6] = word_add(a[6], b[6], &carry); 166| 1.79k| ws[7] = carry; 167| | 168| 1.79k| reduce_after_add(out, ws); 169| 1.79k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_116reduce_after_addENSt3__14spanImLm7EEENS2_IKmLm8EEE: 27| 6.73k|void reduce_after_add(std::span h_3, std::span h_1) { 28| 6.73k| std::array h_2; /* NOLINT(*-member-init) */ 29| 6.73k| uint64_t carry = 0; 30| | 31| 6.73k| constexpr uint64_t zero = 0; 32| | 33| | // Line 27+ (of the paper's algorithm 1) 34| 6.73k| h_2[0] = word_add(h_1[0], h_1[7], &carry); 35| 6.73k| h_2[1] = word_add(h_1[1], zero, &carry); 36| 6.73k| h_2[2] = word_add(h_1[2], zero, &carry); 37| | 38| | // Line 30 39| 6.73k| h_2[3] = word_add(h_1[3], h_1[7] << 32, &carry); 40| | 41| | // Line 31+ 42| 6.73k| h_2[4] = word_add(h_1[4], zero, &carry); 43| 6.73k| h_2[5] = word_add(h_1[5], zero, &carry); 44| 6.73k| h_2[6] = word_add(h_1[6], zero, &carry); 45| | 46| 6.73k| h_2[7] = carry; 47| | 48| 6.73k| carry = 0; 49| 6.73k| h_3[0] = word_add(h_2[0], h_2[7], &carry); 50| 6.73k| h_3[1] = word_add(h_2[1], zero, &carry); 51| 6.73k| h_3[2] = word_add(h_2[2], zero, &carry); 52| | // Line 37 53| 6.73k| h_3[3] = h_2[3] + (h_2[7] << 32) + carry; 54| | 55| | // Line 38 56| 6.73k| h_3[4] = h_2[4]; 57| 6.73k| h_3[5] = h_2[5]; 58| 6.73k| h_3[6] = h_2[6]; 59| 6.73k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_subENSt3__14spanImLm7EEENS2_IKmLm7EEES5_: 178| 1.79k| std::span b) { 179| 1.79k| std::array h_0; // NOLINT(*-member-init) 180| 1.79k| std::array h_1; // NOLINT(*-member-init) 181| | 182| 1.79k| uint64_t borrow = 0; 183| 1.79k| h_0[0] = word_sub(a[0], b[0], &borrow); 184| 1.79k| h_0[1] = word_sub(a[1], b[1], &borrow); 185| 1.79k| h_0[2] = word_sub(a[2], b[2], &borrow); 186| 1.79k| h_0[3] = word_sub(a[3], b[3], &borrow); 187| 1.79k| h_0[4] = word_sub(a[4], b[4], &borrow); 188| 1.79k| h_0[5] = word_sub(a[5], b[5], &borrow); 189| 1.79k| h_0[6] = word_sub(a[6], b[6], &borrow); 190| 1.79k| uint64_t delta = borrow; 191| 1.79k| uint64_t delta_p = delta << 32; 192| 1.79k| borrow = 0; 193| | 194| 1.79k| constexpr uint64_t zero = 0; 195| | 196| 1.79k| h_1[0] = word_sub(h_0[0], delta, &borrow); 197| 1.79k| h_1[1] = word_sub(h_0[1], zero, &borrow); 198| 1.79k| h_1[2] = word_sub(h_0[2], zero, &borrow); 199| 1.79k| h_1[3] = word_sub(h_0[3], delta_p, &borrow); 200| 1.79k| h_1[4] = word_sub(h_0[4], zero, &borrow); 201| 1.79k| h_1[5] = word_sub(h_0[5], zero, &borrow); 202| 1.79k| h_1[6] = word_sub(h_0[6], zero, &borrow); 203| | 204| 1.79k| delta = borrow; 205| 1.79k| delta_p = delta << 32; 206| 1.79k| borrow = 0; 207| | 208| 1.79k| out[0] = word_sub(h_1[0], delta, &borrow); 209| 1.79k| out[1] = word_sub(h_1[1], zero, &borrow); 210| 1.79k| out[2] = word_sub(h_1[2], zero, &borrow); 211| 1.79k| out[3] = word_sub(h_1[3], delta_p, &borrow); 212| 1.79k| out[4] = h_1[4]; 213| 1.79k| out[5] = h_1[5]; 214| 1.79k| out[6] = h_1[6]; 215| 1.79k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_mulENSt3__14spanImLm7EEENS2_IKmLm7EEES5_: 141| 2.25k| std::span b) { 142| 2.25k| std::array ws; // NOLINT(*-member-init) 143| 2.25k| comba_mul<7>(ws.data(), a.data(), b.data()); 144| 2.25k| reduce_after_mul(out, ws); 145| 2.25k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_116reduce_after_mulENSt3__14spanImLm7EEENS2_IKmLm14EEE: 66| 4.49k|void reduce_after_mul(std::span out, std::span in) { 67| 4.49k| std::array r; // NOLINT(*-member-init) 68| 4.49k| std::array s; // NOLINT(*-member-init) 69| 4.49k| std::array t_0; // NOLINT(*-member-init) 70| 4.49k| std::array h_1; // NOLINT(*-member-init) 71| | 72| 4.49k| uint64_t carry = 0; 73| | 74| | // Line 4 (of the paper's algorithm 1) 75| 4.49k| r[0] = word_add(in[0], in[7], &carry); 76| | 77| | // Line 5-7 78| 4.49k| r[1] = word_add(in[1], in[1 + 7], &carry); 79| 4.49k| r[2] = word_add(in[2], in[2 + 7], &carry); 80| 4.49k| r[3] = word_add(in[3], in[3 + 7], &carry); 81| 4.49k| r[4] = word_add(in[4], in[4 + 7], &carry); 82| 4.49k| r[5] = word_add(in[5], in[5 + 7], &carry); 83| 4.49k| r[6] = word_add(in[6], in[6 + 7], &carry); 84| 4.49k| r[7] = carry; 85| 4.49k| s[0] = r[0]; 86| 4.49k| s[1] = r[1]; 87| 4.49k| s[2] = r[2]; 88| | // Line 10 89| 4.49k| carry = 0; 90| 4.49k| s[3] = word_add(r[3], in[10] & 0xFFFFFFFF00000000, &carry); 91| | // Line 11-13 92| 4.49k| s[4] = word_add(r[4], in[4 + 7], &carry); 93| 4.49k| s[5] = word_add(r[5], in[5 + 7], &carry); 94| 4.49k| s[6] = word_add(r[6], in[6 + 7], &carry); 95| 4.49k| s[7] = r[7] + carry; 96| | 97| | // Line 15-17 98| 4.49k| t_0[0] = (in[0 + 11] << 32) | (in[0 + 10] >> 32); 99| 4.49k| t_0[1] = (in[1 + 11] << 32) | (in[1 + 10] >> 32); 100| 4.49k| t_0[2] = (in[2 + 11] << 32) | (in[2 + 10] >> 32); 101| | // Line 18 102| 4.49k| t_0[3] = (in[7] << 32) | (in[13] >> 32); 103| | // Line 19-21 104| 4.49k| t_0[4] = (in[4 + 4] << 32) | (in[4 + 3] >> 32); 105| 4.49k| t_0[5] = (in[5 + 4] << 32) | (in[5 + 3] >> 32); 106| 4.49k| t_0[6] = (in[6 + 4] << 32) | (in[6 + 3] >> 32); 107| 4.49k| carry = 0; 108| | // Line 23-25 109| 4.49k| h_1[0] = word_add(s[0], t_0[0], &carry); 110| 4.49k| h_1[1] = word_add(s[1], t_0[1], &carry); 111| 4.49k| h_1[2] = word_add(s[2], t_0[2], &carry); 112| 4.49k| h_1[3] = word_add(s[3], t_0[3], &carry); 113| 4.49k| h_1[4] = word_add(s[4], t_0[4], &carry); 114| 4.49k| h_1[5] = word_add(s[5], t_0[5], &carry); 115| 4.49k| h_1[6] = word_add(s[6], t_0[6], &carry); 116| 4.49k| h_1[7] = s[7] + carry; 117| | 118| 4.49k| reduce_after_add(out, h_1); 119| 4.49k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_16gf_invENSt3__14spanImLm7EEENS2_IKmLm7EEE: 316| 1|void gf_inv(std::span out, std::span a) { 317| 1| std::array x222; // NOLINT(*-member-init) 318| 1| std::array x223; // NOLINT(*-member-init) 319| 1| gf_pow_2_222m1(x222, x223, a); 320| | 321| | // (x223 << 223 + x222) << 2 + 1 322| 1| std::array t; // NOLINT(*-member-init) 323| 1| gf_sqr_n(t, x223, 223); 324| 1| gf_mul(t, t, x222); 325| 1| gf_sqr_n(t, t, 2); 326| 1| gf_mul(out, t, a); 327| 1|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_110gf_mul_a24ENSt3__14spanImLm7EEENS2_IKmLm7EEE: 124| 448|void gf_mul_a24(std::span out, std::span a) { 125| 448| constexpr uint64_t A24 = 39081; 126| 448| std::array ws; // NOLINT(*-member-init) 127| 448| uint64_t carry = 0; 128| 448| ws[0] = word_madd2(a[0], A24, &carry); 129| 448| ws[1] = word_madd2(a[1], A24, &carry); 130| 448| ws[2] = word_madd2(a[2], A24, &carry); 131| 448| ws[3] = word_madd2(a[3], A24, &carry); 132| 448| ws[4] = word_madd2(a[4], A24, &carry); 133| 448| ws[5] = word_madd2(a[5], A24, &carry); 134| 448| ws[6] = word_madd2(a[6], A24, &carry); 135| 448| ws[7] = carry; 136| 448| reduce_after_add(out, ws); 137| 448|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_19gf_squareENSt3__14spanImLm7EEENS2_IKmLm7EEE: 147| 2.23k|void gf_square(std::span out, std::span a) { 148| 2.23k| std::array ws; // NOLINT(*-member-init) 149| 2.23k| comba_sqr<7>(ws.data(), a.data()); 150| 2.23k| reduce_after_mul(out, ws); 151| 2.23k|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_114gf_pow_2_222m1ENSt3__14spanImLm7EEES3_NS2_IKmLm7EEE: 245| 1| std::span a) { 246| 1| std::array t; // NOLINT(*-member-init) 247| | 248| | // _10 = a^2 249| 1| std::array a2; // NOLINT(*-member-init) 250| 1| gf_square(a2, a); 251| | 252| | // _11 = a^3 253| 1| std::array a3; // NOLINT(*-member-init) 254| 1| gf_mul(a3, a, a2); 255| | 256| | // _111 = a^7 257| 1| std::array a7; // NOLINT(*-member-init) 258| 1| gf_square(t, a3); 259| 1| gf_mul(a7, a, t); 260| | 261| | // _111111 = a^63 262| 1| std::array a63; // NOLINT(*-member-init) 263| 1| gf_sqr_n(t, a7, 3); 264| 1| gf_mul(a63, a7, t); 265| | 266| | // x12 = a^(2^12 - 1) 267| 1| std::array x12; // NOLINT(*-member-init) 268| 1| gf_sqr_n(t, a63, 6); 269| 1| gf_mul(x12, a63, t); 270| | 271| | // x24 = a^(2^24 - 1) 272| 1| std::array x24; // NOLINT(*-member-init) 273| 1| gf_sqr_n(t, x12, 12); 274| 1| gf_mul(x24, x12, t); 275| | 276| | // i34 = x24 << 6 = a^((2^24 - 1) * 2^6) 277| 1| std::array i34; // NOLINT(*-member-init) 278| 1| gf_sqr_n(i34, x24, 6); 279| | 280| | // x30 = a^(2^30 - 1) 281| 1| std::array x30; // NOLINT(*-member-init) 282| 1| gf_mul(x30, a63, i34); 283| | 284| | // x48 = a^(2^48 - 1) 285| 1| std::array x48; // NOLINT(*-member-init) 286| 1| gf_sqr_n(t, i34, 18); 287| 1| gf_mul(x48, x24, t); 288| | 289| | // x96 = a^(2^96 - 1) 290| 1| std::array x96; // NOLINT(*-member-init) 291| 1| gf_sqr_n(t, x48, 48); 292| 1| gf_mul(x96, x48, t); 293| | 294| | // x192 = a^(2^192 - 1) 295| 1| std::array x192; // NOLINT(*-member-init) 296| 1| gf_sqr_n(t, x96, 96); 297| 1| gf_mul(x192, x96, t); 298| | 299| | // x222 = a^(2^222 - 1) 300| 1| gf_sqr_n(t, x192, 30); 301| 1| gf_mul(x222, x30, t); 302| | 303| | // x223 = a^(2^223 - 1) 304| 1| gf_square(t, x222); 305| 1| gf_mul(x223, a, t); 306| 1|} curve448_gf.cpp:_ZN5Botan12_GLOBAL__N_18gf_sqr_nENSt3__14spanImLm7EEENS2_IKmLm7EEEm: 218| 10|void gf_sqr_n(std::span out, std::span a, size_t n) { 219| 10| gf_square(out, a); 220| 444| for(size_t i = 1; i < n; ++i) { ------------------ | Branch (220:22): [True: 434, False: 10] ------------------ 221| 434| gf_square(out, out); 222| 434| } 223| 10|} _ZN5Botan16Ed448_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 58| 2|Ed448_PrivateKey::Ed448_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 59| 2| secure_vector bits; 60| 2| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(bits, ASN1_Type::OctetString).verify_end(); 61| | 62| 2| if(bits.size() != ED448_LEN) { ------------------ | Branch (62:7): [True: 1, False: 1] ------------------ 63| 1| throw Decoding_Error("Invalid size for Ed448 private key"); 64| 1| } 65| 1| m_private = std::move(bits); 66| 1| m_public = create_pk_from_sk(std::span(m_private).first()); 67| 1|} _ZN5Botan15X448_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 68| 4| X448_PrivateKey(ber_decode_sk(key_bits)) {} _ZN5Botan15X448_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEE: 70| 1|X448_PrivateKey::X448_PrivateKey(std::span secret_key) { 71| 1| BOTAN_ARG_CHECK(secret_key.size() == X448_LEN, "Invalid size for X448 private key"); ------------------ | | 35| 1| do { \ | | 36| 1| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1] | | ------------------ ------------------ 72| 1| m_private.assign(secret_key.begin(), secret_key.end()); 73| 1| auto scope = CT::scoped_poison(m_private); 74| 1| x448_basepoint_from_data(m_public, std::span(m_private).first()); 75| 1| CT::unpoison(m_public); 76| 1|} x448.cpp:_ZN5Botan12_GLOBAL__N_113ber_decode_skENSt3__14spanIKhLm18446744073709551615EEE: 28| 4|secure_vector ber_decode_sk(std::span key_bits) { 29| 4| secure_vector decoded_bits; 30| 4| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(decoded_bits, ASN1_Type::OctetString).verify_end(); 31| 4| if(decoded_bits.size() != X448_LEN) { ------------------ | Branch (31:7): [True: 2, False: 2] ------------------ 32| 2| throw Decoding_Error("Invalid size for X448 private key"); 33| 2| } 34| 2| return decoded_bits; 35| 4|} x448.cpp:_ZN5Botan12_GLOBAL__N_124x448_basepoint_from_dataENSt3__14spanIhLm56EEENS2_IKhLm56EEE: 22| 1|void x448_basepoint_from_data(std::span mypublic, std::span secret) { 23| 1| auto bp = x448_basepoint(decode_scalar(secret)); 24| 1| auto bp_bytes = encode_point(bp); 25| 1| copy_mem(mypublic, bp_bytes); 26| 1|} _ZN5Botan12encode_pointERKNS_6StrongINSt3__15arrayIhLm56EEENS_9Point448_EJEEE: 21| 1|secure_vector encode_point(const Point448& p) { 22| 1| return {p.begin(), p.end()}; 23| 1|} _ZN5Botan13decode_scalarENSt3__14spanIKhLm18446744073709551615EEE: 30| 1|ScalarX448 decode_scalar(std::span scalar_bytes) { 31| 1| BOTAN_ARG_CHECK(scalar_bytes.size() == X448_LEN, "Invalid size for X448 scalar"); ------------------ | | 35| 1| do { \ | | 36| 1| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1] | | ------------------ ------------------ 32| 1| auto buf = typecast_copy(scalar_bytes); 33| | 34| 1| buf[0] &= 0xfc; 35| 1| buf[55] |= 0x80; 36| | 37| 1| return buf; 38| 1|} _ZN5Botan14x448_basepointERKNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEE: 41| 1|Point448 x448_basepoint(const ScalarX448& k) { 42| 1| const Point448 u({5}); 43| 1| return x448(k, u); 44| 1|} _ZN5Botan4x448ERKNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEERKNS0_IS3_NS_9Point448_EJEEE: 48| 1|Point448 x448(const ScalarX448& k, const Point448& u) { 49| 1| const Gf448Elem x_1 = Gf448Elem(u.get()); 50| 1| Gf448Elem x_2 = Gf448Elem::one(); 51| 1| Gf448Elem z_2 = Gf448Elem::zero(); 52| 1| Gf448Elem x_3 = Gf448Elem(u.get()); 53| 1| Gf448Elem z_3 = Gf448Elem::one(); 54| 1| auto swap = CT::Mask::cleared(); 55| | 56| 449| for(int16_t t = 448 - 1; t >= 0; --t) { ------------------ | Branch (56:29): [True: 448, False: 1] ------------------ 57| 448| auto k_t = CT::Mask::expand(get_bit(k, t)); 58| 448| swap ^= k_t; 59| | 60| 448| x_2.ct_cond_swap(swap, x_3); 61| 448| z_2.ct_cond_swap(swap, z_3); 62| 448| swap = k_t; 63| | 64| 448| const auto A = x_2 + z_2; 65| 448| const auto AA = square(A); 66| 448| const auto B = x_2 - z_2; 67| 448| const auto BB = square(B); 68| 448| const auto E = AA - BB; 69| 448| const auto C = x_3 + z_3; 70| 448| const auto D = x_3 - z_3; 71| 448| const auto DA = D * A; 72| 448| const auto CB = C * B; 73| 448| x_3 = square(DA + CB); 74| 448| z_3 = x_1 * square(DA - CB); 75| 448| x_2 = AA * BB; 76| 448| z_2 = E * (AA + mul_a24(E)); 77| 448| } 78| | 79| 1| x_2.ct_cond_swap(swap, x_3); 80| 1| z_2.ct_cond_swap(swap, z_3); 81| | 82| 1| const auto res = x_2 / z_2; 83| | 84| 1| return Point448(res.to_bytes()); 85| 1|} x448_internal.cpp:_ZN5Botan12_GLOBAL__N_17get_bitERKNS_6StrongINSt3__15arrayIhLm56EEENS_11ScalarX448_EJEEEm: 16| 448|uint64_t get_bit(const ScalarX448& scalar, size_t bit) { 17| 448| return (scalar[bit / 8] >> (bit % 8)) & 1; 18| 448|} _ZN5Botan13DH_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 70| 108|DH_PrivateKey::DH_PrivateKey(const AlgorithmIdentifier& alg_id, std::span key_bits) { 71| 108| m_private_key = std::make_shared(alg_id, key_bits, DL_Group_Format::ANSI_X9_42); 72| 108| m_public_key = m_private_key->public_key(); 73| 108|} _ZN5Botan13DilithiumModeC2ERKNS_3OIDE: 66| 86|DilithiumMode::DilithiumMode(const OID& oid) : m_mode(dilithium_mode_from_string(oid.to_formatted_string())) {} _ZNK5Botan13DilithiumMode6is_aesEv: 99| 338|bool DilithiumMode::is_aes() const { 100| 338| return m_mode == Dilithium4x4_AES || m_mode == Dilithium6x5_AES || m_mode == Dilithium8x7_AES; ------------------ | Branch (100:11): [True: 0, False: 338] | Branch (100:41): [True: 0, False: 338] | Branch (100:71): [True: 0, False: 338] ------------------ 101| 338|} _ZNK5Botan13DilithiumMode9is_modernEv: 103| 169|bool DilithiumMode::is_modern() const { 104| 169| return !is_aes(); 105| 169|} _ZNK5Botan13DilithiumMode9is_ml_dsaEv: 107| 676|bool DilithiumMode::is_ml_dsa() const { 108| 676| return m_mode == ML_DSA_4x4 || m_mode == ML_DSA_6x5 || m_mode == ML_DSA_8x7; ------------------ | Branch (108:11): [True: 116, False: 560] | Branch (108:35): [True: 364, False: 196] | Branch (108:59): [True: 196, False: 0] ------------------ 109| 676|} _ZN5Botan20Dilithium_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 421| 86| Dilithium_PrivateKey(sk, DilithiumMode(alg_id.oid())) {} _ZN5Botan20Dilithium_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEENS_13DilithiumModeE: 423| 86|Dilithium_PrivateKey::Dilithium_PrivateKey(std::span sk, DilithiumMode m) { 424| 86| DilithiumConstants mode(m); 425| 86| auto& codec = mode.keypair_codec(); 426| 86| std::tie(m_public, m_private) = codec.decode_keypair(sk, std::move(mode)); 427| 86|} dilithium.cpp:_ZN5Botan12_GLOBAL__N_126dilithium_mode_from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 32| 86|DilithiumMode::Mode dilithium_mode_from_string(std::string_view str) { 33| 86| if(str == "Dilithium-4x4-r3") { ------------------ | Branch (33:7): [True: 0, False: 86] ------------------ 34| 0| return DilithiumMode::Dilithium4x4; 35| 0| } 36| 86| if(str == "Dilithium-4x4-AES-r3") { ------------------ | Branch (36:7): [True: 0, False: 86] ------------------ 37| 0| return DilithiumMode::Dilithium4x4_AES; 38| 0| } 39| 86| if(str == "Dilithium-6x5-r3") { ------------------ | Branch (39:7): [True: 0, False: 86] ------------------ 40| 0| return DilithiumMode::Dilithium6x5; 41| 0| } 42| 86| if(str == "Dilithium-6x5-AES-r3") { ------------------ | Branch (42:7): [True: 0, False: 86] ------------------ 43| 0| return DilithiumMode::Dilithium6x5_AES; 44| 0| } 45| 86| if(str == "Dilithium-8x7-r3") { ------------------ | Branch (45:7): [True: 0, False: 86] ------------------ 46| 0| return DilithiumMode::Dilithium8x7; 47| 0| } 48| 86| if(str == "Dilithium-8x7-AES-r3") { ------------------ | Branch (48:7): [True: 0, False: 86] ------------------ 49| 0| return DilithiumMode::Dilithium8x7_AES; 50| 0| } 51| 86| if(str == "ML-DSA-4x4") { ------------------ | Branch (51:7): [True: 15, False: 71] ------------------ 52| 15| return DilithiumMode::ML_DSA_4x4; 53| 15| } 54| 71| if(str == "ML-DSA-6x5") { ------------------ | Branch (54:7): [True: 46, False: 25] ------------------ 55| 46| return DilithiumMode::ML_DSA_6x5; 56| 46| } 57| 25| if(str == "ML-DSA-8x7") { ------------------ | Branch (57:7): [True: 25, False: 0] ------------------ 58| 25| return DilithiumMode::ML_DSA_8x7; 59| 25| } 60| | 61| 0| throw Invalid_Argument(fmt("'{}' is not a valid Dilithium mode name", str)); 62| 25|} _ZN5Botan15Dilithium_Algos17encode_public_keyENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERKNS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNSC_6DomainE0EEERKNS_18DilithiumConstantsE: 332| 83| const DilithiumConstants& mode) { 333| 83| DilithiumSerializedPublicKey pk(mode.public_key_bytes()); 334| 83| BufferStuffer stuffer(pk); 335| | 336| 83| stuffer.append(rho); 337| 518| for(const auto& p : t1) { ------------------ | Branch (337:22): [True: 518, False: 83] ------------------ 338| 518| poly_pack_t1(p, stuffer); 339| 518| } 340| | 341| 83| BOTAN_ASSERT_NOMSG(stuffer.full()); ------------------ | | 77| 83| do { \ | | 78| 83| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 83| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 83] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 83| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 83] | | ------------------ ------------------ 342| 83| return pk; 343| 83|} _ZN5Botan15Dilithium_Algos14expand_keypairENS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24DilithiumSeedRandomness_EJEEENS_18DilithiumConstantsE: 668| 86|DilithiumInternalKeypair expand_keypair(DilithiumSeedRandomness xi, DilithiumConstants mode) { 669| 86| if(xi.size() != DilithiumConstants::SEED_RANDOMNESS_BYTES) { ------------------ | Branch (669:7): [True: 3, False: 83] ------------------ 670| 3| throw Decoding_Error("Invalid ML-DSA seed size"); 671| 3| } 672| 83| const auto& sympriv = mode.symmetric_primitives(); 673| 83| CT::poison(xi); 674| | 675| 83| auto [rho, rhoprime, K] = sympriv.H(xi); 676| 83| CT::unpoison(rho); // rho is public (seed for the public matrix A) 677| | 678| 83| const auto A = Dilithium_Algos::expand_A(rho, mode); 679| 83| auto [s1, s2] = Dilithium_Algos::expand_s(rhoprime, mode); 680| 83| auto [t1, t0] = Dilithium_Algos::compute_t1_and_t0(A, s1, s2); 681| | 682| 83| CT::unpoison(t1); // part of the public key 683| | 684| 83| DilithiumInternalKeypair keypair{ 685| 83| std::make_shared(mode, std::move(rho), std::move(t1)), 686| 83| std::make_shared( 687| 83| std::move(mode), std::move(xi), std::move(K), std::move(s1), std::move(s2), std::move(t0)), 688| 83| }; 689| | 690| 83| CT::unpoison(*keypair.second); 691| | 692| 83| return keypair; 693| 86|} _ZN5Botan15Dilithium_Algos8expand_AENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERKNS_18DilithiumConstantsE: 701| 83|DilithiumPolyMatNTT expand_A(StrongSpan rho, const DilithiumConstants& mode) { 702| 83| DilithiumPolyMatNTT A(mode.k(), mode.l()); 703| 601| for(uint8_t r = 0; r < mode.k(); ++r) { ------------------ | Branch (703:23): [True: 518, False: 83] ------------------ 704| 3.43k| for(uint8_t s = 0; s < mode.l(); ++s) { ------------------ | Branch (704:26): [True: 2.91k, False: 518] ------------------ 705| 2.91k| sample_ntt_uniform(rho, A[r][s], load_le(std::array{s, r}), mode); 706| 2.91k| } 707| 518| } 708| 83| return A; 709| 83|} _ZN5Botan15Dilithium_Algos8expand_sENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEERKNS_18DilithiumConstantsE: 715| 83| const DilithiumConstants& mode) { 716| 83| auto result = std::make_pair(DilithiumPolyVec(mode.l()), DilithiumPolyVec(mode.k())); 717| 83| auto& [s1, s2] = result; 718| | 719| 83| uint16_t nonce = 0; 720| 449| for(auto& p : s1) { ------------------ | Branch (720:16): [True: 449, False: 83] ------------------ 721| 449| sample_uniform_eta(rhoprime, p, nonce++, mode); 722| 449| } 723| | 724| 518| for(auto& p : s2) { ------------------ | Branch (724:16): [True: 518, False: 83] ------------------ 725| 518| sample_uniform_eta(rhoprime, p, nonce++, mode); 726| 518| } 727| | 728| 83| return result; 729| 83|} _ZN5Botan15Dilithium_Algos11power2roundERKNS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS1_6DomainE0EEE: 752| 83|std::pair power2round(const DilithiumPolyVec& vec) { 753| | // This procedure is taken verbatim from Dilithium's reference implementation. 754| 83| auto power2round = [d = DilithiumConstants::D](int32_t r) -> std::pair { 755| 83| const int32_t r1 = (r + (1 << (d - 1)) - 1) >> d; 756| 83| const int32_t r0 = r - (r1 << d); 757| 83| return {r1, r0}; 758| 83| }; 759| | 760| 83| auto result = std::make_pair(DilithiumPolyVec(vec.size()), DilithiumPolyVec(vec.size())); 761| | 762| 601| for(size_t i = 0; i < vec.size(); ++i) { ------------------ | Branch (762:22): [True: 518, False: 83] ------------------ 763| 133k| for(size_t j = 0; j < vec[i].size(); ++j) { ------------------ | Branch (763:25): [True: 132k, False: 518] ------------------ 764| 132k| std::tie(result.first[i][j], result.second[i][j]) = power2round(vec[i][j]); 765| 132k| } 766| 518| } 767| | 768| 83| return result; 769| 83|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_112poly_pack_t1ERKNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS2_6DomainE0EEERNS_13BufferStufferE: 102| 518|void poly_pack_t1(const DilithiumPoly& p, BufferStuffer& stuffer) { 103| 518| constexpr auto b = (1 << (bitlen(DilithiumConstants::Q - 1) - DilithiumConstants::D)) - 1; 104| 518| poly_pack<0, b>(p, stuffer); 105| 518|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_19poly_packILi0ELi1023ETkNS_8CRYSTALS14crystals_traitENS_19DilithiumPolyTraitsELNS3_6DomainE0EEEvRKNS3_10PolynomialIT1_XT2_EEERNS_13BufferStufferE: 60| 518|constexpr void poly_pack(const CRYSTALS::Polynomial& p, BufferStuffer& stuffer) { 61| 518| if constexpr(a == 0) { 62| | // If `a` is 0, we assume SimpleBitPack (Algorithm 16) where the 63| | // coefficients are in the range [0, b]. 64| 518| CRYSTALS::pack(p, stuffer); 65| | } else { 66| | // Otherwise, for BitPack (Algorithm 17), we must map the coefficients to 67| | // positive values as they are in the range [-a, b]. 68| | CRYSTALS::pack(p, stuffer, map_range); 69| | } 70| 518|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_117compute_t1_and_t0ERKNS_8CRYSTALS16PolynomialMatrixINS_19DilithiumPolyTraitsEEERKNS2_16PolynomialVectorIS4_LNS2_6DomainE0EEESC_: 315| 83| const DilithiumPolyVec& s2) { 316| 83| auto t_hat = A * ntt(s1.clone()); 317| 83| t_hat.reduce(); 318| 83| auto t = inverse_ntt(std::move(t_hat)); 319| 83| t += s2; 320| 83| t.conditional_add_q(); 321| | 322| 83| return Dilithium_Algos::power2round(t); 323| 83|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE1EEEtRKNS_18DilithiumConstantsE: 563| 2.91k| const DilithiumConstants& mode) { 564| | /** 565| | * A generator that returns the next coefficient sampled from the XOF, 566| | * according to: NIST FIPS 204, Algorithm 14 (CoeffFromThreeBytes). 567| | */ 568| 2.91k| auto xof = mode.symmetric_primitives().H(rho, nonce); 569| 2.91k| auto bounded_xof = Bounded_XOF(*xof); 570| | 571| 747k| for(auto& coeff : p) { ------------------ | Branch (571:20): [True: 747k, False: 2.91k] ------------------ 572| 747k| coeff = 573| 747k| bounded_xof.next<3>([](const auto bytes) { return make_uint32(0, bytes[2], bytes[1], bytes[0]) & 0x7FFFFF; }, 574| 747k| [](const uint32_t z) { return z < DilithiumConstants::Q; }); 575| 747k| } 576| | 577| 2.91k| BOTAN_DEBUG_ASSERT(p.ct_validate_value_range(0, DilithiumConstants::Q - 1)); ------------------ | | 130| 2.91k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 2.91k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 2.91k] | | ------------------ ------------------ 578| 2.91k|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE1EEEtRKNS_18DilithiumConstantsEENK3$_0clINS4_5arrayIhLm3EEEEEDaT_: 573| 747k| bounded_xof.next<3>([](const auto bytes) { return make_uint32(0, bytes[2], bytes[1], bytes[0]) & 0x7FFFFF; }, dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_ntt_uniformENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS4_9allocatorIhEEEENS_20DilithiumPublicSeed_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE1EEEtRKNS_18DilithiumConstantsEENK3$_1clEj: 574| 747k| [](const uint32_t z) { return z < DilithiumConstants::Q; }); dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_22DilithiumSeedRhoPrime_EJEEEEERNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNSD_6DomainE0EEEtRKNS_18DilithiumConstantsE: 641| 967| const DilithiumConstants& mode) { 642| 967| using Eta = DilithiumConstants::DilithiumEta; 643| | 644| 967| auto xof = mode.symmetric_primitives().H(rhoprime, nonce); 645| 967| switch(mode.eta()) { ------------------ | Branch (645:11): [True: 967, False: 0] ------------------ 646| 472| case Eta::_2: ------------------ | Branch (646:7): [True: 472, False: 495] ------------------ 647| 472| sample_uniform_eta(p, *xof); 648| 472| break; 649| 495| case Eta::_4: ------------------ | Branch (649:7): [True: 495, False: 472] ------------------ 650| 495| sample_uniform_eta(p, *xof); 651| 495| break; 652| 967| } 653| | 654| | // Rejection sampling is done. Secret polynomial can be repoisoned. 655| 967| CT::poison(p); 656| | 657| 967| BOTAN_DEBUG_ASSERT(p.ct_validate_value_range(-static_cast(mode.eta()), mode.eta())); ------------------ | | 130| 967| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 967| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 967] | | ------------------ ------------------ 658| 967|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE2EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFE: 604| 472|void sample_uniform_eta(DilithiumPoly& p, Botan::XOF& xof) { 605| | // A generator that returns the next coefficient sampled from the XOF. As the 606| | // sampling uses half-bytes, this keeps track of the additionally sampled 607| | // coefficient as needed. 608| 472| auto next_coeff = [bounded_xof = Bounded_XOF(xof), 609| 472| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 472| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { 611| 472| return *stashed; 612| 472| } 613| | 614| 472| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); 615| 472| while(true) { 616| 472| const auto b = bounded_xof.next_byte(); 617| 472| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 472| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 472| if(z0.has_value()) { 621| 472| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 472| return *z0; 623| 472| } else if(z1.has_value()) { 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 472| return *z1; 626| 472| } 627| 472| } 628| 472| }; 629| | 630| 120k| for(auto& coeff : p) { ------------------ | Branch (630:20): [True: 120k, False: 472] ------------------ 631| 120k| coeff = next_coeff(); 632| 120k| } 633| 472|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE2EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFEENUlvE_clEv: 609| 120k| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 120k| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { ------------------ | Branch (610:15): [True: 56.5k, False: 64.3k] ------------------ 611| 56.5k| return *stashed; 612| 56.5k| } 613| | 614| 64.3k| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); ------------------ | | 130| 64.3k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 64.3k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 64.3k] | | ------------------ ------------------ 615| 64.5k| while(true) { ------------------ | Branch (615:13): [True: 64.5k, Folded] ------------------ 616| 64.5k| const auto b = bounded_xof.next_byte(); 617| 64.5k| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 64.5k| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 64.5k| if(z0.has_value()) { ------------------ | Branch (620:13): [True: 60.5k, False: 3.99k] ------------------ 621| 60.5k| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 60.5k| return *z0; 623| 60.5k| } else if(z1.has_value()) { ------------------ | Branch (623:20): [True: 3.74k, False: 249] ------------------ 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 3.74k| return *z1; 626| 3.74k| } 627| 64.5k| } 628| 64.3k| }; dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_119coeff_from_halfbyteILNS_18DilithiumConstants12DilithiumEtaE2EEENSt3__18optionalIiEEh: 586| 129k|std::optional coeff_from_halfbyte(uint8_t b) { 587| 129k| BOTAN_DEBUG_ASSERT(b < 16); ------------------ | | 130| 129k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 129k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 129k] | | ------------------ ------------------ 588| | 589| 129k| if constexpr(eta == DilithiumConstants::DilithiumEta::_2) { 590| 129k| if(CT::driveby_unpoison(b < 15)) { ------------------ | Branch (590:10): [True: 121k, False: 8.05k] ------------------ 591| 121k| b = b - (205U * b >> 10) * 5; // b = b mod 5 592| 121k| return 2 - b; 593| 121k| } 594| | } else if constexpr(eta == DilithiumConstants::DilithiumEta::_4) { 595| | if(CT::driveby_unpoison(b < 9)) { 596| | return 4 - b; 597| | } 598| | } 599| | 600| 8.05k| return std::nullopt; 601| 129k|} dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE4EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFE: 604| 495|void sample_uniform_eta(DilithiumPoly& p, Botan::XOF& xof) { 605| | // A generator that returns the next coefficient sampled from the XOF. As the 606| | // sampling uses half-bytes, this keeps track of the additionally sampled 607| | // coefficient as needed. 608| 495| auto next_coeff = [bounded_xof = Bounded_XOF(xof), 609| 495| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 495| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { 611| 495| return *stashed; 612| 495| } 613| | 614| 495| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); 615| 495| while(true) { 616| 495| const auto b = bounded_xof.next_byte(); 617| 495| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 495| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 495| if(z0.has_value()) { 621| 495| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 495| return *z0; 623| 495| } else if(z1.has_value()) { 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 495| return *z1; 626| 495| } 627| 495| } 628| 495| }; 629| | 630| 126k| for(auto& coeff : p) { ------------------ | Branch (630:20): [True: 126k, False: 495] ------------------ 631| 126k| coeff = next_coeff(); 632| 126k| } 633| 495|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos12_GLOBAL__N_118sample_uniform_etaILNS_18DilithiumConstants12DilithiumEtaE4EEEvRNS_8CRYSTALS10PolynomialINS_19DilithiumPolyTraitsELNS5_6DomainE0EEERNS_3XOFEENUlvE_clEv: 609| 126k| stashed_coeff = std::optional{}]() mutable -> int32_t { 610| 126k| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { ------------------ | Branch (610:15): [True: 35.4k, False: 91.2k] ------------------ 611| 35.4k| return *stashed; 612| 35.4k| } 613| | 614| 91.2k| BOTAN_DEBUG_ASSERT(!stashed_coeff.has_value()); ------------------ | | 130| 91.2k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 91.2k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 91.2k] | | ------------------ ------------------ 615| 112k| while(true) { ------------------ | Branch (615:13): [True: 112k, Folded] ------------------ 616| 112k| const auto b = bounded_xof.next_byte(); 617| 112k| const auto z0 = coeff_from_halfbyte(b & 0x0F); 618| 112k| const auto z1 = coeff_from_halfbyte(b >> 4); 619| | 620| 112k| if(z0.has_value()) { ------------------ | Branch (620:13): [True: 63.8k, False: 49.1k] ------------------ 621| 63.8k| stashed_coeff = z1; // keep candidate z1 for the next invocation 622| 63.8k| return *z0; 623| 63.8k| } else if(z1.has_value()) { ------------------ | Branch (623:20): [True: 27.4k, False: 21.7k] ------------------ 624| | // z0 was invalid, z1 is valid, nothing to stash 625| 27.4k| return *z1; 626| 27.4k| } 627| 112k| } 628| 91.2k| }; dilithium_algos.cpp:_ZN5Botan15Dilithium_Algos12_GLOBAL__N_119coeff_from_halfbyteILNS_18DilithiumConstants12DilithiumEtaE4EEENSt3__18optionalIiEEh: 586| 225k|std::optional coeff_from_halfbyte(uint8_t b) { 587| 225k| BOTAN_DEBUG_ASSERT(b < 16); ------------------ | | 130| 225k| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 225k| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 225k] | | ------------------ ------------------ 588| | 589| | if constexpr(eta == DilithiumConstants::DilithiumEta::_2) { 590| | if(CT::driveby_unpoison(b < 15)) { 591| | b = b - (205U * b >> 10) * 5; // b = b mod 5 592| | return 2 - b; 593| | } 594| 225k| } else if constexpr(eta == DilithiumConstants::DilithiumEta::_4) { 595| 225k| if(CT::driveby_unpoison(b < 9)) { ------------------ | Branch (595:10): [True: 126k, False: 98.9k] ------------------ 596| 126k| return 4 - b; 597| 126k| } 598| 225k| } 599| | 600| 98.9k| return std::nullopt; 601| 225k|} dilithium_algos.cpp:_ZZN5Botan15Dilithium_Algos11power2roundERKNS_8CRYSTALS16PolynomialVectorINS_19DilithiumPolyTraitsELNS1_6DomainE0EEEENK3$_0clEi: 754| 132k| auto power2round = [d = DilithiumConstants::D](int32_t r) -> std::pair { 755| 132k| const int32_t r1 = (r + (1 << (d - 1)) - 1) >> d; 756| 132k| const int32_t r0 = r - (r1 << d); 757| 132k| return {r1, r0}; 758| 132k| }; _ZN5Botan18DilithiumConstantsD2Ev: 57| 590|DilithiumConstants::~DilithiumConstants() = default; _ZN5Botan18DilithiumConstantsC2ENS_13DilithiumModeE: 60| 169| m_mode(mode), 61| 169| m_public_key_hash_bytes(public_key_hash_size(m_mode)), 62| 169| m_commitment_hash_full_bytes(commitment_hash_full_size(m_mode)) { 63| 169| switch(m_mode.mode()) { 64| 0| case Botan::DilithiumMode::Dilithium4x4: ------------------ | Branch (64:7): [True: 0, False: 169] ------------------ 65| 0| case Botan::DilithiumMode::Dilithium4x4_AES: ------------------ | Branch (65:7): [True: 0, False: 169] ------------------ 66| 29| case Botan::DilithiumMode::ML_DSA_4x4: ------------------ | Branch (66:7): [True: 29, False: 140] ------------------ 67| 29| m_tau = DilithiumTau::_39; 68| 29| m_lambda = DilithiumLambda::_128; 69| 29| m_gamma1 = DilithiumGamma1::ToThe17th; 70| 29| m_gamma2 = DilithiumGamma2::Qminus1DividedBy88; 71| 29| m_k = 4; 72| 29| m_l = 4; 73| 29| m_eta = DilithiumEta::_2; 74| 29| m_beta = DilithiumBeta::_78; 75| 29| m_omega = DilithiumOmega::_80; 76| 29| break; 77| 0| case Botan::DilithiumMode::Dilithium6x5: ------------------ | Branch (77:7): [True: 0, False: 169] ------------------ 78| 0| case Botan::DilithiumMode::Dilithium6x5_AES: ------------------ | Branch (78:7): [True: 0, False: 169] ------------------ 79| 91| case Botan::DilithiumMode::ML_DSA_6x5: ------------------ | Branch (79:7): [True: 91, False: 78] ------------------ 80| 91| m_tau = DilithiumTau::_49; 81| 91| m_lambda = DilithiumLambda::_192; 82| 91| m_gamma1 = DilithiumGamma1::ToThe19th; 83| 91| m_gamma2 = DilithiumGamma2::Qminus1DividedBy32; 84| 91| m_k = 6; 85| 91| m_l = 5; 86| 91| m_eta = DilithiumEta::_4; 87| 91| m_beta = DilithiumBeta::_196; 88| 91| m_omega = DilithiumOmega::_55; 89| 91| break; 90| 0| case Botan::DilithiumMode::Dilithium8x7: ------------------ | Branch (90:7): [True: 0, False: 169] ------------------ 91| 0| case Botan::DilithiumMode::Dilithium8x7_AES: ------------------ | Branch (91:7): [True: 0, False: 169] ------------------ 92| 49| case Botan::DilithiumMode::ML_DSA_8x7: ------------------ | Branch (92:7): [True: 49, False: 120] ------------------ 93| 49| m_tau = DilithiumTau::_60; 94| 49| m_lambda = DilithiumLambda::_256; 95| 49| m_gamma1 = DilithiumGamma1::ToThe19th; 96| 49| m_gamma2 = DilithiumGamma2::Qminus1DividedBy32; 97| 49| m_k = 8; 98| 49| m_l = 7; 99| 49| m_eta = DilithiumEta::_2; 100| 49| m_beta = DilithiumBeta::_120; 101| 49| m_omega = DilithiumOmega::_75; 102| 49| break; 103| 0| default: ------------------ | Branch (103:7): [True: 0, False: 169] ------------------ 104| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 105| 169| } 106| | 107| 169| const auto s1_bytes = 32 * m_l * bitlen(2 * m_eta); 108| 169| const auto s2_bytes = 32 * m_k * bitlen(2 * m_eta); 109| 169| const auto t0_bytes = 32 * m_k * D; 110| 169| const auto t1_bytes = 32 * m_k * (bitlen(static_cast(Q) - 1) - D); 111| 169| const auto z_bytes = 32 * m_l * (1 + bitlen(m_gamma1 - 1)); 112| 169| const auto hint_bytes = m_omega + m_k; 113| | 114| 169| m_private_key_bytes = 115| 169| SEED_RHO_BYTES + SEED_SIGNING_KEY_BYTES + m_public_key_hash_bytes + s1_bytes + s2_bytes + t0_bytes; 116| 169| m_public_key_bytes = SEED_RHO_BYTES + t1_bytes; 117| 169| m_signature_bytes = m_commitment_hash_full_bytes + z_bytes + hint_bytes; 118| 169| m_serialized_commitment_bytes = 32 * m_k * bitlen(((Q - 1) / (2 * m_gamma2)) - 1); 119| | 120| 169| m_symmetric_primitives = Dilithium_Symmetric_Primitives_Base::create(*this); 121| 169| m_keypair_codec = Dilithium_Keypair_Codec::create(mode); 122| 169|} dilithium_constants.cpp:_ZN5Botan12_GLOBAL__N_120public_key_hash_sizeENS_13DilithiumModeE: 20| 169|uint32_t public_key_hash_size(DilithiumMode mode) { 21| 169| switch(mode.mode()) { ------------------ | Branch (21:11): [True: 169, False: 0] ------------------ 22| 29| case DilithiumMode::ML_DSA_4x4: ------------------ | Branch (22:7): [True: 29, False: 140] ------------------ 23| 120| case DilithiumMode::ML_DSA_6x5: ------------------ | Branch (23:7): [True: 91, False: 78] ------------------ 24| 169| case DilithiumMode::ML_DSA_8x7: ------------------ | Branch (24:7): [True: 49, False: 120] ------------------ 25| 169| return 64; 26| 0| case DilithiumMode::Dilithium4x4: ------------------ | Branch (26:7): [True: 0, False: 169] ------------------ 27| 0| case DilithiumMode::Dilithium4x4_AES: ------------------ | Branch (27:7): [True: 0, False: 169] ------------------ 28| 0| case DilithiumMode::Dilithium6x5: ------------------ | Branch (28:7): [True: 0, False: 169] ------------------ 29| 0| case DilithiumMode::Dilithium6x5_AES: ------------------ | Branch (29:7): [True: 0, False: 169] ------------------ 30| 0| case DilithiumMode::Dilithium8x7: ------------------ | Branch (30:7): [True: 0, False: 169] ------------------ 31| 0| case DilithiumMode::Dilithium8x7_AES: ------------------ | Branch (31:7): [True: 0, False: 169] ------------------ 32| 0| return 32; 33| 169| } 34| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 35| 0|} dilithium_constants.cpp:_ZN5Botan12_GLOBAL__N_125commitment_hash_full_sizeENS_13DilithiumModeE: 37| 169|uint32_t commitment_hash_full_size(DilithiumMode mode) { 38| 169| switch(mode.mode()) { ------------------ | Branch (38:11): [True: 169, False: 0] ------------------ 39| 0| case DilithiumMode::Dilithium4x4: ------------------ | Branch (39:7): [True: 0, False: 169] ------------------ 40| 0| case DilithiumMode::Dilithium4x4_AES: ------------------ | Branch (40:7): [True: 0, False: 169] ------------------ 41| 0| case DilithiumMode::Dilithium6x5: ------------------ | Branch (41:7): [True: 0, False: 169] ------------------ 42| 0| case DilithiumMode::Dilithium6x5_AES: ------------------ | Branch (42:7): [True: 0, False: 169] ------------------ 43| 0| case DilithiumMode::Dilithium8x7: ------------------ | Branch (43:7): [True: 0, False: 169] ------------------ 44| 0| case DilithiumMode::Dilithium8x7_AES: ------------------ | Branch (44:7): [True: 0, False: 169] ------------------ 45| 29| case DilithiumMode::ML_DSA_4x4: ------------------ | Branch (45:7): [True: 29, False: 140] ------------------ 46| 29| return 32; 47| 91| case DilithiumMode::ML_DSA_6x5: ------------------ | Branch (47:7): [True: 91, False: 78] ------------------ 48| 91| return 48; 49| 49| case DilithiumMode::ML_DSA_8x7: ------------------ | Branch (49:7): [True: 49, False: 120] ------------------ 50| 49| return 64; 51| 169| } 52| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 53| 0|} _ZN5Botan23Dilithium_Keypair_Codec6createENS_13DilithiumModeE: 22| 169|std::unique_ptr Dilithium_Keypair_Codec::create(DilithiumMode mode) { 23| 169|#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES) 24| 169| if(mode.is_dilithium_round3()) { ------------------ | Branch (24:7): [True: 0, False: 169] ------------------ 25| 0| return std::make_unique(); 26| 0| } 27| 169|#endif 28| | 29| 169|#if defined(BOTAN_HAS_ML_DSA) 30| 169| if(mode.is_ml_dsa()) { ------------------ | Branch (30:7): [True: 169, False: 0] ------------------ 31| 169| return std::make_unique(); 32| 169| } 33| 0|#endif 34| | 35| 0| throw Not_Implemented("requested ML-DSA/Dilithium mode is not implemented in this build"); 36| 169|} _ZN5Botan17DilithiumShakeXOFD2Ev: 13| 169|DilithiumShakeXOF::~DilithiumShakeXOF() = default; _ZN5Botan17DilithiumShakeXOF9createXOFENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEENS1_4spanIKhLm18446744073709551615EEEt: 18| 3.88k| uint16_t nonce) { 19| 3.88k| auto xof = Botan::XOF::create_or_throw(name); 20| 3.88k| xof->update(seed); 21| 3.88k| xof->update(store_le(nonce)); 22| 3.88k| return xof; 23| 3.88k|} _ZN5Botan35Dilithium_Symmetric_Primitives_BaseC2ERKNS_18DilithiumConstantsENSt3__110unique_ptrINS_12DilithiumXOFENS4_14default_deleteIS6_EEEE: 41| 169| m_commitment_hash_length_bytes(mode.commitment_hash_full_bytes()), 42| 169| m_public_key_hash_bytes(mode.public_key_hash_bytes()), 43| 169| m_mode(mode.mode()), 44| 169| m_xof_adapter(std::move(xof_adapter)) {} _ZN5Botan35Dilithium_Symmetric_Primitives_Base6createERKNS_18DilithiumConstantsE: 47| 169| const DilithiumConstants& mode) { 48| 169|#if defined(BOTAN_HAS_DILITHIUM) 49| 169| if(mode.is_modern() && !mode.is_ml_dsa()) { ------------------ | Branch (49:7): [True: 169, False: 0] | Branch (49:27): [True: 0, False: 169] ------------------ 50| 0| return std::make_unique(mode); 51| 0| } 52| 169|#endif 53| | 54| 169|#if defined(BOTAN_HAS_DILITHIUM_AES) 55| 169| if(mode.is_aes()) { ------------------ | Branch (55:7): [True: 0, False: 169] ------------------ 56| 0| return std::make_unique(mode); 57| 0| } 58| 169|#endif 59| | 60| 169|#if defined(BOTAN_HAS_ML_DSA) 61| 169| if(mode.is_ml_dsa()) { ------------------ | Branch (61:7): [True: 169, False: 0] ------------------ 62| 169| return std::make_unique(mode); 63| 169| } 64| 0|#endif 65| | 66| 0| throw Not_Implemented("requested ML-DSA/Dilithium mode is not implemented in this build"); 67| 169|} _ZNK5Botan30ML_DSA_Expanding_Keypair_Codec14decode_keypairENSt3__14spanIKhLm18446744073709551615EEENS_18DilithiumConstantsE: 23| 86| DilithiumConstants mode) const { 24| 86| return Dilithium_Algos::expand_keypair(DilithiumSeedRandomness(private_key_seed), std::move(mode)); 25| 86|} _ZN5Botan12DL_PublicKeyC2ERKNS_8DL_GroupERKNS_6BigIntE: 38| 44|DL_PublicKey::DL_PublicKey(const DL_Group& group, const BigInt& public_key) : m_group(group), m_public_key(public_key) { 39| | // The subgroup check (y^q == 1 mod p) is deferred to check_key() since it can be expensive 40| 44| BOTAN_ARG_CHECK(m_public_key > 1 && m_public_key < m_group.get_p(), "Invalid DL public key"); ------------------ | | 35| 44| do { \ | | 36| 44| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 88| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 44, False: 0] | | | Branch (37:12): [True: 44, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 44| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 44] | | ------------------ ------------------ 41| 44|} _ZN5Botan13DL_PrivateKeyC2ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEENS_15DL_Group_FormatE: 85| 219| m_group(alg_id.parameters(), format), 86| 219| m_private_key(check_dl_private_key_input(decode_single_bigint(key_bits), m_group)), 87| 219| m_public_key(m_group.power_g_p(m_private_key, m_private_key.bits())) {} _ZNK5Botan13DL_PrivateKey10public_keyEv: 101| 44|std::shared_ptr DL_PrivateKey::public_key() const { 102| 44| return std::make_shared(m_group, m_public_key); 103| 44|} dl_scheme.cpp:_ZN5Botan12_GLOBAL__N_120decode_single_bigintENSt3__14spanIKhLm18446744073709551615EEE: 17| 100|BigInt decode_single_bigint(std::span key_bits) { 18| 100| BigInt x; 19| 100| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(x).verify_end(); 20| 100| return x; 21| 100|} dl_scheme.cpp:_ZN5Botan12_GLOBAL__N_126check_dl_private_key_inputERKNS_6BigIntERKNS_8DL_GroupE: 31| 54|BigInt check_dl_private_key_input(const BigInt& x, const DL_Group& group) { 32| 54| BOTAN_ARG_CHECK(group.verify_private_element(x), "Invalid discrete logarithm private key value"); ------------------ | | 35| 54| do { \ | | 36| 54| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 54| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 10, False: 44] | | ------------------ | | 38| 10| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 10| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 10| } \ | | 41| 54| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 54] | | ------------------ ------------------ 33| 54| return x; 34| 54|} _ZN5Botan8DL_Group19DER_decode_DL_groupENSt3__14spanIKhLm18446744073709551615EEENS_15DL_Group_FormatENS_15DL_Group_SourceE: 170| 219| DL_Group_Source source) { 171| 219| BER_Decoder decoder(data, BER_Decoder::Limits::DER()); 172| 219| BER_Decoder inner = decoder.start_sequence(); 173| | 174| 219| if(format == DL_Group_Format::ANSI_X9_57) { ------------------ | Branch (174:7): [True: 101, False: 118] ------------------ 175| | /* 176| | This format is p, q, g with no additional data following 177| | */ 178| 101| BigInt p; 179| 101| BigInt q; 180| 101| BigInt g; 181| 101| inner.decode(p).decode(q).decode(g).verify_end(); 182| 101| return DL_Group_Data::create(p, q, g, source); 183| 118| } else if(format == DL_Group_Format::ANSI_X9_42) { ------------------ | Branch (183:14): [True: 107, False: 11] ------------------ 184| | /* 185| | This format is p, g, q with optional cofactor and seed following 186| | */ 187| 107| BigInt p; 188| 107| BigInt g; 189| 107| BigInt q; 190| 107| inner.decode(p).decode(g).decode(q).discard_remaining(); 191| 107| return DL_Group_Data::create(p, q, g, source); 192| 107| } else if(format == DL_Group_Format::PKCS_3) { ------------------ | Branch (192:14): [True: 0, False: 11] ------------------ 193| | /* 194| | This format is p, g followed by optional privateValueLength (recommended exponent size) 195| | */ 196| 0| BigInt p; 197| 0| BigInt g; 198| 0| inner.decode(p).decode(g).discard_remaining(); 199| 0| return DL_Group_Data::create(p, g, source); 200| 11| } else { 201| 11| throw Invalid_Argument("Unknown DL_Group encoding"); 202| 11| } 203| 219|} _ZNK5Botan8DL_Group4dataEv: 412| 322|const DL_Group_Data& DL_Group::data() const { 413| 322| if(m_data) { ------------------ | Branch (413:7): [True: 322, False: 0] ------------------ 414| 322| return *m_data; 415| 322| } 416| | 417| 0| throw Invalid_State("DL_Group uninitialized"); 418| 322|} _ZNK5Botan8DL_Group22verify_private_elementERKNS_6BigIntE: 437| 54|bool DL_Group::verify_private_element(const BigInt& x) const { 438| 54| const BigInt& p = get_p(); 439| 54| const BigInt& q = get_q(); 440| | 441| 54| if(x <= 1 || x >= p) { ------------------ | Branch (441:7): [True: 8, False: 46] | Branch (441:17): [True: 0, False: 46] ------------------ 442| 8| return false; 443| 8| } 444| | 445| 46| if(q > 0 && x > q) { ------------------ | Branch (445:7): [True: 46, False: 0] | Branch (445:16): [True: 2, False: 44] ------------------ 446| 2| return false; 447| 2| } 448| | 449| 44| return true; 450| 46|} _ZNK5Botan8DL_Group5get_pEv: 522| 98|const BigInt& DL_Group::get_p() const { 523| 98| return data().p(); 524| 98|} _ZNK5Botan8DL_Group5get_qEv: 536| 54|const BigInt& DL_Group::get_q() const { 537| 54| return data().q(); 538| 54|} _ZNK5Botan8DL_Group5has_qEv: 544| 42|bool DL_Group::has_q() const { 545| 42| return data().q_is_set(); 546| 42|} _ZNK5Botan8DL_Group6q_bitsEv: 556| 42|size_t DL_Group::q_bits() const { 557| 42| data().assert_q_is_set("q_bits"); 558| 42| return data().q_bits(); 559| 42|} _ZNK5Botan8DL_Group9power_g_pERKNS_6BigIntEm: 621| 44|BigInt DL_Group::power_g_p(const BigInt& x, size_t max_x_bits) const { 622| 44| return data().power_g_p(x, max_x_bits); 623| 44|} _ZN5Botan8DL_GroupC2ENSt3__14spanIKhLm18446744073709551615EEENS_15DL_Group_FormatE: 680| 219|DL_Group::DL_Group(std::span der, DL_Group_Format format) { 681| 219| m_data = DER_decode_DL_group(der, format, DL_Group_Source::ExternalSource); 682| 219|} _ZN5Botan13DL_Group_Data6createERKNS_6BigIntES3_S3_NS_15DL_Group_SourceE: 52| 207| DL_Group_Source source) { 53| 207| check_dl_group_params(p, q, g); 54| 207| return std::make_shared(p, q, g, source); 55| 207| } dl_group.cpp:_ZN5Botan12_GLOBAL__N_121check_dl_group_paramsERKNS_6BigIntES3_S3_: 38| 207|void check_dl_group_params(const BigInt& p, const BigInt& q, const BigInt& g) { 39| 207| check_dl_group_params(p, g); 40| 207| if(q.signum() <= 0 || q.is_even() || q.bits() >= p.bits()) { ------------------ | Branch (40:7): [True: 105, False: 102] | Branch (40:26): [True: 1, False: 101] | Branch (40:41): [True: 1, False: 100] ------------------ 41| 6| throw Decoding_Error("Invalid DL group subgroup order"); 42| 6| } 43| 207|} dl_group.cpp:_ZN5Botan12_GLOBAL__N_121check_dl_group_paramsERKNS_6BigIntES3_: 29| 207|void check_dl_group_params(const BigInt& p, const BigInt& g) { 30| 207| if(p.signum() <= 0 || p.is_even() || p.bits() < 3 || p.bits() > 16384) { ------------------ | Branch (30:7): [True: 2, False: 205] | Branch (30:26): [True: 1, False: 204] | Branch (30:41): [True: 1, False: 203] | Branch (30:57): [True: 0, False: 203] ------------------ 31| 4| throw Decoding_Error("Invalid DL group prime"); 32| 4| } 33| 203| if(g.signum() <= 0 || g < 2 || g >= p) { ------------------ | Branch (33:7): [True: 2, False: 201] | Branch (33:26): [True: 1, False: 200] | Branch (33:35): [True: 94, False: 106] ------------------ 34| 97| throw Decoding_Error("Invalid DL group generator"); 35| 97| } 36| 203|} _ZN5Botan13DL_Group_DataC2ERKNS_6BigIntES3_S3_NS_15DL_Group_SourceE: 65| 100| m_p(p), 66| 100| m_q(q), 67| 100| m_g(g), 68| 100| m_mod_p(Barrett_Reduction::for_public_modulus(p)), 69| 100| m_mod_q(Barrett_Reduction::for_public_modulus(q)), 70| 100| m_monty_params(m_p, m_mod_p), 71| 100| m_monty(monty_precompute(m_monty_params, m_g, /*window bits=*/4)), 72| 100| m_p_bits(p.bits()), 73| 100| m_q_bits(q.bits()), 74| | // For DL crypto in a prime-order subgroup, security is bounded by 75| | // both the NFS cost in Z_p* and Pollard rho in the q-order subgroup. 76| 100| m_estimated_strength(std::min(dl_work_factor(m_p_bits), m_q_bits / 2)), 77| 100| m_exponent_bits(dl_exponent_size(m_p_bits)), 78| 100| m_source(source) {} _ZN5Botan13DL_Group_DataD2Ev: 94| 100| ~DL_Group_Data() = default; _ZNK5Botan13DL_Group_Data1pEv: 101| 98| const BigInt& p() const { return m_p; } _ZNK5Botan13DL_Group_Data1qEv: 103| 54| const BigInt& q() const { return m_q; } _ZNK5Botan13DL_Group_Data8q_is_setEv: 142| 84| bool q_is_set() const { return m_q_bits > 0; } _ZNK5Botan13DL_Group_Data15assert_q_is_setENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 144| 42| void assert_q_is_set(std::string_view function) const { 145| 42| if(!q_is_set()) { ------------------ | Branch (145:13): [True: 0, False: 42] ------------------ 146| 0| throw Invalid_State(fmt("DL_Group::{}: q is not set for this group", function)); 147| 0| } 148| 42| } _ZNK5Botan13DL_Group_Data6q_bitsEv: 118| 42| size_t q_bits() const { return m_q_bits; } _ZNK5Botan13DL_Group_Data9power_g_pERKNS_6BigIntEm: 128| 44| BigInt power_g_p(const BigInt& k, size_t max_k_bits) const { 129| 44| return monty_execute(*m_monty, k, max_k_bits).value(); 130| 44| } _ZN5Botan14DSA_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 96| 111|DSA_PrivateKey::DSA_PrivateKey(const AlgorithmIdentifier& alg_id, std::span key_bits) { 97| 111| m_private_key = std::make_shared(alg_id, key_bits, DL_Group_Format::ANSI_X9_57); 98| 111| m_public_key = m_private_key->public_key(); 99| | 100| 111| check_dsa_group(m_private_key->group()); 101| 111|} dsa.cpp:_ZN5Botan12_GLOBAL__N_115check_dsa_groupERKNS_8DL_GroupE: 26| 42|void check_dsa_group(const DL_Group& group) { 27| 42| BOTAN_ARG_CHECK(group.has_q(), "Q parameter must be set for DSA"); ------------------ | | 35| 42| do { \ | | 36| 42| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 42| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 42] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 42| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 42] | | ------------------ ------------------ 28| | // All versions of FIPS 186 have required that Q be at least 160 bits 29| 42| BOTAN_ARG_CHECK(group.q_bits() >= 160, "DSA Q parameter must be at least 160 bits"); ------------------ | | 35| 42| do { \ | | 36| 42| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 42| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 42, False: 0] | | ------------------ | | 38| 42| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 42| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 42| } \ | | 41| 42| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 42] | | ------------------ ------------------ 30| 42|} _ZN5Botan14EC_AffinePointC2ENSt3__110unique_ptrINS_19EC_AffinePoint_DataENS1_14default_deleteIS3_EEEE: 16| 1.97k|EC_AffinePoint::EC_AffinePoint(std::unique_ptr point) : m_point(std::move(point)) { 17| 1.97k| BOTAN_ASSERT_NONNULL(m_point); ------------------ | | 116| 1.97k| do { \ | | 117| 1.97k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 1.97k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 1.97k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 1.97k] | | ------------------ ------------------ 18| 1.97k|} _ZN5Botan14EC_AffinePointC2EOS0_: 22| 3.95k|EC_AffinePoint::EC_AffinePoint(EC_AffinePoint&& other) noexcept : m_point(std::move(other.m_point)) {} _ZN5Botan14EC_AffinePointC2ERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 36| 983|EC_AffinePoint::EC_AffinePoint(const EC_Group& group, std::span bytes) { 37| 983| m_point = group._data()->point_deserialize(bytes); 38| 983| if(!m_point) { ------------------ | Branch (38:7): [True: 979, False: 4] ------------------ 39| 979| throw Decoding_Error("Failed to deserialize elliptic curve point"); 40| 979| } 41| 983|} _ZNK5Botan14EC_AffinePoint15to_legacy_pointEv: 45| 1.97k|EC_Point EC_AffinePoint::to_legacy_point() const { 46| 1.97k| return m_point->to_legacy_point(); 47| 1.97k|} _ZNK5Botan14EC_AffinePoint11is_identityEv: 114| 1.97k|bool EC_AffinePoint::is_identity() const { 115| 1.97k| return inner().is_identity(); 116| 1.97k|} _ZN5Botan14EC_AffinePointD2Ev: 148| 5.93k|EC_AffinePoint::~EC_AffinePoint() = default; _ZN5Botan14EC_AffinePoint5g_mulERKNS_9EC_ScalarERNS_21RandomNumberGeneratorE: 158| 1.97k|EC_AffinePoint EC_AffinePoint::g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng) { 159| 1.97k| auto pt = scalar._inner().group()->point_g_mul(scalar.inner(), rng); 160| 1.97k| return EC_AffinePoint(std::move(pt)); 161| 1.97k|} _ZN5Botan8EC_Group13ec_group_dataEv: 231| 11.6k|EC_Group_Data_Map& EC_Group::ec_group_data() { 232| | /* 233| | * This exists purely to ensure the allocator is constructed before g_ec_data, 234| | * which ensures that its destructor runs after ~g_ec_data is complete. 235| | */ 236| | 237| 11.6k| static const Allocator_Initializer g_init_allocator; 238| 11.6k| static EC_Group_Data_Map g_ec_data; 239| 11.6k| return g_ec_data; 240| 11.6k|} _ZN5Botan8EC_Group27clear_registered_curve_dataEv: 243| 7.55k|size_t EC_Group::clear_registered_curve_data() { 244| 7.55k| return ec_group_data().clear(); 245| 7.55k|} _ZN5Botan8EC_Group18load_EC_group_infoEPKcS2_S2_S2_S2_S2_RKNS_3OIDE: 254| 3.05k| const OID& oid) { 255| 3.05k| BOTAN_ARG_CHECK(oid.has_value(), "EC_Group::load_EC_group_info OID must be set"); ------------------ | | 35| 3.05k| do { \ | | 36| 3.05k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 3.05k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 3.05k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 3.05k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 3.05k] | | ------------------ ------------------ 256| | 257| 3.05k| const BigInt p(p_str); 258| 3.05k| const BigInt a(a_str); 259| 3.05k| const BigInt b(b_str); 260| 3.05k| const BigInt g_x(g_x_str); 261| 3.05k| const BigInt g_y(g_y_str); 262| 3.05k| const BigInt order(order_str); 263| 3.05k| const BigInt cofactor(1); // implicit 264| | 265| 3.05k| return EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, oid, EC_Group_Source::Builtin); 266| 3.05k|} _ZN5Botan8EC_Group19DER_decode_EC_groupENSt3__14spanIKhLm18446744073709551615EEENS_15EC_Group_SourceE: 270| 4.24k| EC_Group_Source source) { 271| 4.24k| BER_Decoder dec(der, BER_Decoder::Limits::DER()); 272| | 273| 4.24k| auto next_obj_type = dec.peek_next_object().type_tag(); 274| | 275| 4.24k| if(next_obj_type == ASN1_Type::ObjectId) { ------------------ | Branch (275:7): [True: 2.98k, False: 1.26k] ------------------ 276| 2.98k| OID oid; 277| 2.98k| dec.decode(oid); 278| | 279| 2.98k| auto data = ec_group_data().lookup(oid); 280| 2.98k| if(!data) { ------------------ | Branch (280:10): [True: 117, False: 2.86k] ------------------ 281| 117| throw Decoding_Error(fmt("Unknown namedCurve OID '{}'", oid.to_string())); 282| 117| } 283| | 284| 2.86k| return std::make_pair(data, false); 285| 2.98k| } else if(next_obj_type == ASN1_Type::Sequence) { ------------------ | Branch (285:14): [True: 1.21k, False: 46] ------------------ 286| 1.21k| BigInt p; 287| 1.21k| BigInt a; 288| 1.21k| BigInt b; 289| 1.21k| BigInt order; 290| 1.21k| BigInt cofactor; 291| 1.21k| std::vector base_pt; 292| 1.21k| std::vector seed; 293| | 294| 1.21k| dec.start_sequence() 295| 1.21k| .decode_and_check(1, "Unknown ECC param version code") 296| 1.21k| .start_sequence() 297| 1.21k| .decode_and_check(OID({1, 2, 840, 10045, 1, 1}), "Only prime ECC fields supported") 298| 1.21k| .decode(p) 299| 1.21k| .end_cons() 300| 1.21k| .start_sequence() 301| 1.21k| .decode_octet_string_bigint(a) 302| 1.21k| .decode_octet_string_bigint(b) 303| 1.21k| .decode_optional_string(seed, ASN1_Type::BitString, ASN1_Type::BitString, ASN1_Class::Universal) 304| 1.21k| .end_cons() 305| 1.21k| .decode(base_pt, ASN1_Type::OctetString) 306| 1.21k| .decode(order) 307| 1.21k| .decode(cofactor) 308| 1.21k| .end_cons() 309| 1.21k| .verify_end(); 310| | 311| | // TODO(Botan4) Require cofactor == 1 312| 1.21k| if(cofactor <= 0 || cofactor >= 16) { ------------------ | Branch (312:10): [True: 59, False: 1.15k] | Branch (312:27): [True: 2, False: 1.15k] ------------------ 313| 4| throw Decoding_Error("Invalid ECC cofactor parameter"); 314| 4| } 315| | 316| 1.21k| if(p.bits() < 112 || p.bits() > 521 || p.signum() < 0) { ------------------ | Branch (316:10): [True: 57, False: 1.15k] | Branch (316:28): [True: 1, False: 1.15k] | Branch (316:46): [True: 2, False: 1.15k] ------------------ 317| 3| throw Decoding_Error("ECC p parameter is invalid size"); 318| 3| } 319| | 320| | // A can be zero 321| 1.21k| if(a.signum() < 0 || a >= p) { ------------------ | Branch (321:10): [True: 57, False: 1.15k] | Branch (321:28): [True: 1, False: 1.15k] ------------------ 322| 1| throw Decoding_Error("Invalid ECC a parameter"); 323| 1| } 324| | 325| | // B must be > 0 326| 1.21k| if(b.signum() <= 0 || b >= p) { ------------------ | Branch (326:10): [True: 58, False: 1.15k] | Branch (326:29): [True: 2, False: 1.15k] ------------------ 327| 3| throw Decoding_Error("Invalid ECC b parameter"); 328| 3| } 329| | 330| 1.20k| if(order.signum() <= 0 || order >= 2 * p) { ------------------ | Branch (330:10): [True: 61, False: 1.14k] | Branch (330:10): [True: 6, False: 1.20k] | Branch (330:33): [True: 2, False: 1.14k] ------------------ 331| 6| throw Decoding_Error("Invalid ECC group order"); 332| 6| } 333| | 334| 1.20k| if(auto data = ec_group_data().lookup_from_params(p, a, b, base_pt, order, cofactor)) { ------------------ | Branch (334:15): [True: 85, False: 1.11k] ------------------ 335| 85| return std::make_pair(data, true); 336| 85| } 337| | 338| | /* 339| | TODO(Botan4) the remaining code is used only to handle the case of decoding an EC_Group 340| | which is neither a builtin group nor a group that was registered by the application. 341| | It can all be removed and replaced with a throw 342| | */ 343| | 344| 1.11k| auto mod_p = Barrett_Reduction::for_public_modulus(p); 345| 1.11k| if(!is_bailie_psw_probable_prime(p, mod_p)) { ------------------ | Branch (345:10): [True: 438, False: 678] ------------------ 346| 438| throw Decoding_Error("ECC p parameter is not a prime"); 347| 438| } 348| | 349| 678| auto mod_order = Barrett_Reduction::for_public_modulus(order); 350| 678| if(!is_bailie_psw_probable_prime(order, mod_order)) { ------------------ | Branch (350:10): [True: 281, False: 397] ------------------ 351| 281| throw Decoding_Error("Invalid ECC order parameter"); 352| 281| } 353| | 354| 397| const size_t p_bytes = p.bytes(); 355| 397| if(base_pt.size() != 1 + p_bytes && base_pt.size() != 1 + 2 * p_bytes) { ------------------ | Branch (355:10): [True: 334, False: 63] | Branch (355:43): [True: 69, False: 265] ------------------ 356| 69| throw Decoding_Error("Invalid ECC base point encoding"); 357| 69| } 358| | 359| 328| auto [g_x, g_y] = [&]() { 360| 328| const uint8_t hdr = base_pt[0]; 361| | 362| 328| if(hdr == 0x04 && base_pt.size() == 1 + 2 * p_bytes) { 363| 328| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 364| 328| const BigInt y = BigInt::from_bytes(std::span{base_pt}.subspan(1 + p_bytes, p_bytes)); 365| | 366| 328| if(x < p && y < p) { 367| 328| return std::make_pair(x, y); 368| 328| } 369| 328| } else if((hdr == 0x02 || hdr == 0x03) && base_pt.size() == 1 + p_bytes) { 370| | // TODO(Botan4) remove this branch; we won't support compressed points 371| 328| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 372| 328| BigInt y = sqrt_modulo_prime(((x * x + a) * x + b) % p, p); 373| | 374| 328| if(x < p && y >= 0) { 375| 328| const bool y_mod_2 = (hdr & 0x01) == 1; 376| 328| if(y.get_bit(0) != y_mod_2) { 377| 328| y = p - y; 378| 328| } 379| | 380| 328| return std::make_pair(x, y); 381| 328| } 382| 328| } 383| | 384| 328| throw Decoding_Error("Invalid ECC base point encoding"); 385| 328| }(); 386| | 387| | // TODO(Botan4) we can remove this check since we'll only accept pre-registered groups 388| 328| auto y2 = mod_p.square(g_y); 389| 328| auto x3_ax_b = mod_p.reduce(mod_p.cube(g_x) + mod_p.multiply(a, g_x) + b); 390| 328| if(y2 != x3_ax_b) { ------------------ | Branch (390:10): [True: 94, False: 234] ------------------ 391| 94| throw Decoding_Error("Invalid ECC base point"); 392| 94| } 393| | 394| | /* 395| | * Create the group data without registering it in the global map. 396| | * 397| | * Applications that need persistent custom groups should register them 398| | * via the relevant EC_Group constructor 399| | */ 400| 234| auto data = EC_Group_Data::create(p, a, b, g_x, g_y, order, cofactor, OID(), source); 401| 234| return std::make_pair(data, true); 402| 328| } else if(next_obj_type == ASN1_Type::Null) { ------------------ | Branch (402:14): [True: 1, False: 45] ------------------ 403| 1| throw Decoding_Error("Decoding ImplicitCA ECC parameters is not supported"); 404| 45| } else { 405| 45| throw Decoding_Error( 406| 45| fmt("Unexpected tag {} while decoding ECC domain params", asn1_tag_to_string(next_obj_type))); 407| 45| } 408| 4.24k|} _ZN5Botan8EC_GroupD2Ev: 412| 13.9k|EC_Group::~EC_Group() = default; _ZN5Botan8EC_GroupC2ERKS0_: 414| 5.94k|EC_Group::EC_Group(const EC_Group&) = default; _ZN5Botan8EC_GroupC2ENSt3__14spanIKhLm18446744073709551615EEE: 636| 4.24k|EC_Group::EC_Group(std::span der) { 637| 4.24k| auto data = DER_decode_EC_group(der, EC_Group_Source::ExternalSource); 638| 4.24k| m_data = data.first; 639| 4.24k| m_explicit_encoding = data.second; 640| 4.24k|} _ZNK5Botan8EC_Group4dataEv: 647| 7.40k|const EC_Group_Data& EC_Group::data() const { 648| 7.40k| if(m_data == nullptr) { ------------------ | Branch (648:7): [True: 0, False: 7.40k] ------------------ 649| 0| throw Invalid_State("EC_Group uninitialized"); 650| 0| } 651| 7.40k| return *m_data; 652| 7.40k|} _ZNK5Botan8EC_Group15get_order_bytesEv: 666| 5.43k|size_t EC_Group::get_order_bytes() const { 667| 5.43k| return data().order_bytes(); 668| 5.43k|} _ZNK5Botan8EC_Group13get_curve_oidEv: 738| 1.97k|const OID& EC_Group::get_curve_oid() const { 739| 1.97k| return data().oid(); 740| 1.97k|} _ZN5Botan17EC_Group_Data_Map5clearEv: 31| 7.55k| size_t clear() { 32| 7.55k| const lock_guard_type lock(m_mutex); 33| 7.55k| const size_t count = m_registered_curves.size(); 34| 7.55k| m_registered_curves.clear(); 35| 7.55k| return count; 36| 7.55k| } _ZN5Botan17EC_Group_Data_Map6lookupERKNS_3OIDE: 54| 2.98k| std::shared_ptr lookup(const OID& oid) { 55| 2.98k| const lock_guard_type lock(m_mutex); 56| | 57| 2.98k| for(auto i : m_registered_curves) { ------------------ | Branch (57:21): [True: 0, False: 2.98k] ------------------ 58| 0| if(i->oid() == oid) { ------------------ | Branch (58:16): [True: 0, False: 0] ------------------ 59| 0| return i; 60| 0| } 61| 0| } 62| | 63| | // Not found, check hardcoded data 64| 2.98k| std::shared_ptr data = EC_Group::EC_group_info(oid); 65| | 66| 2.98k| if(data) { ------------------ | Branch (66:13): [True: 2.86k, False: 117] ------------------ 67| | // The requested OID may be an alias for a curve whose canonical OID differs 68| | // TODO(Botan4) remove this once we require exactly one canonical OID per curve 69| 2.86k| if(data->oid() != oid) { ------------------ | Branch (69:16): [True: 0, False: 2.86k] ------------------ 70| 0| for(const auto& i : m_registered_curves) { ------------------ | Branch (70:34): [True: 0, False: 0] ------------------ 71| 0| if(i->oid() == data->oid()) { ------------------ | Branch (71:22): [True: 0, False: 0] ------------------ 72| 0| return i; 73| 0| } 74| 0| } 75| 0| } 76| | 77| 2.86k| m_registered_curves.push_back(data); 78| 2.86k| return data; 79| 2.86k| } 80| | 81| | // Nope, unknown curve 82| 117| return std::shared_ptr(); 83| 2.98k| } _ZN5Botan17EC_Group_Data_Map18lookup_from_paramsERKNS_6BigIntES3_S3_NSt3__14spanIKhLm18446744073709551615EEES3_S3_: 159| 1.14k| const BigInt& cofactor) { 160| 1.14k| const lock_guard_type lock(m_mutex); 161| | 162| 1.14k| for(auto i : m_registered_curves) { ------------------ | Branch (162:21): [True: 0, False: 1.14k] ------------------ 163| 0| if(i->params_match(p, a, b, base_pt, order, cofactor)) { ------------------ | Branch (163:16): [True: 0, False: 0] ------------------ 164| 0| return i; 165| 0| } 166| 0| } 167| | 168| | // Try to use the order as a hint to look up the group id 169| 1.14k| const OID oid_from_order = EC_Group::EC_group_identity_from_order(order); 170| 1.14k| if(oid_from_order.has_value()) { ------------------ | Branch (170:13): [True: 189, False: 955] ------------------ 171| 189| auto new_group = EC_Group::EC_group_info(oid_from_order); 172| | 173| | // Have to check all params in the (unlikely/malicious) event of an order collision 174| 189| if(new_group && new_group->params_match(p, a, b, base_pt, order, cofactor)) { ------------------ | Branch (174:16): [True: 189, False: 0] | Branch (174:29): [True: 85, False: 104] ------------------ 175| 85| m_registered_curves.push_back(new_group); 176| 85| return new_group; 177| 85| } 178| 189| } 179| | 180| 1.05k| return {}; 181| 1.14k| } ec_group.cpp:_ZZN5Botan8EC_Group19DER_decode_EC_groupENSt3__14spanIKhLm18446744073709551615EEENS_15EC_Group_SourceEENK3$_0clEv: 359| 265| auto [g_x, g_y] = [&]() { 360| 265| const uint8_t hdr = base_pt[0]; 361| | 362| 265| if(hdr == 0x04 && base_pt.size() == 1 + 2 * p_bytes) { ------------------ | Branch (362:13): [True: 250, False: 15] | Branch (362:28): [True: 250, False: 0] ------------------ 363| 250| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 364| 250| const BigInt y = BigInt::from_bytes(std::span{base_pt}.subspan(1 + p_bytes, p_bytes)); 365| | 366| 250| if(x < p && y < p) { ------------------ | Branch (366:16): [True: 246, False: 4] | Branch (366:25): [True: 233, False: 13] ------------------ 367| 233| return std::make_pair(x, y); 368| 233| } 369| 250| } else if((hdr == 0x02 || hdr == 0x03) && base_pt.size() == 1 + p_bytes) { ------------------ | Branch (369:21): [True: 1, False: 14] | Branch (369:36): [True: 2, False: 12] | Branch (369:52): [True: 0, False: 3] ------------------ 370| | // TODO(Botan4) remove this branch; we won't support compressed points 371| 0| const BigInt x = BigInt::from_bytes(std::span{base_pt}.subspan(1, p_bytes)); 372| 0| BigInt y = sqrt_modulo_prime(((x * x + a) * x + b) % p, p); 373| | 374| 0| if(x < p && y >= 0) { ------------------ | Branch (374:16): [True: 0, False: 0] | Branch (374:25): [True: 0, False: 0] ------------------ 375| 0| const bool y_mod_2 = (hdr & 0x01) == 1; 376| 0| if(y.get_bit(0) != y_mod_2) { ------------------ | Branch (376:19): [True: 0, False: 0] ------------------ 377| 0| y = p - y; 378| 0| } 379| | 380| 0| return std::make_pair(x, y); 381| 0| } 382| 0| } 383| | 384| 32| throw Decoding_Error("Invalid ECC base point encoding"); 385| 265| }(); _ZN5Botan13EC_Group_DataD2Ev: 27| 3.19k|EC_Group_Data::~EC_Group_Data() = default; _ZN5Botan13EC_Group_DataC2ERKNS_6BigIntES3_S3_S3_S3_S3_S3_RKNS_3OIDENS_15EC_Group_SourceE: 39| 3.19k| m_p(p), 40| 3.19k| m_a(a), 41| 3.19k| m_b(b), 42| 3.19k| m_g_x(g_x), 43| 3.19k| m_g_y(g_y), 44| 3.19k| m_order(order), 45| 3.19k| m_cofactor(cofactor), 46| |#if defined(BOTAN_HAS_LEGACY_EC_POINT) 47| 3.19k| m_mod_field(Barrett_Reduction::for_public_modulus(p)), 48| 3.19k| m_mod_order(Barrett_Reduction::for_public_modulus(order)), 49| 3.19k| m_monty(m_p, m_mod_field), 50| |#endif 51| 3.19k| m_oid(oid), 52| 3.19k| m_p_words(p.sig_words()), 53| 3.19k| m_p_bits(p.bits()), 54| 3.19k| m_order_bits(order.bits()), 55| 3.19k| m_order_bytes((m_order_bits + 7) / 8), 56| 3.19k| m_a_is_minus_3(a == p - 3), 57| 3.19k| m_a_is_zero(a.is_zero()), 58| 3.19k| m_has_cofactor(m_cofactor != 1), 59| 3.19k| m_order_is_less_than_p(m_order < p), 60| 3.19k| m_source(source) { 61| | // Verify the generator (x, y) satisfies y^2 = x^3 + a*x + b (mod p) 62| 3.19k| auto mod_p = Barrett_Reduction::for_public_modulus(p); 63| 3.19k| const BigInt y2 = mod_p.square(g_y); 64| 3.19k| const BigInt x3_ax_b = mod_p.reduce(mod_p.cube(g_x) + mod_p.multiply(a, g_x) + b); 65| 3.19k| if(y2 != x3_ax_b) { ------------------ | Branch (65:7): [True: 0, False: 3.19k] ------------------ 66| 0| throw Invalid_Argument("EC_Group generator is not on the curve"); 67| 0| } 68| | 69| | // TODO(Botan4) we can assume/assert the OID is set 70| 3.19k| if(!m_oid.empty()) { ------------------ | Branch (70:7): [True: 3.05k, False: 139] ------------------ 71| 3.05k| DER_Encoder der(m_der_named_curve); 72| 3.05k| der.encode(m_oid); 73| | 74| 3.05k| const std::string name = m_oid.human_name_or_empty(); 75| 3.05k| if(!name.empty()) { ------------------ | Branch (75:10): [True: 3.05k, False: 0] ------------------ 76| | // returns nullptr if unknown or not supported 77| 3.05k| m_pcurve = PCurve::PrimeOrderCurve::for_named_curve(name); 78| 3.05k| } 79| 3.05k| if(m_pcurve) { ------------------ | Branch (79:10): [True: 1.93k, False: 1.12k] ------------------ 80| 1.93k| m_engine = EC_Group_Engine::Optimized; 81| 1.93k| } 82| 3.05k| } 83| | 84| | // Try a generic pcurves instance 85| 3.19k| if(!m_pcurve && !m_has_cofactor) { ------------------ | Branch (85:7): [True: 1.26k, False: 1.93k] | Branch (85:20): [True: 1.18k, False: 76] ------------------ 86| 1.18k| m_pcurve = PCurve::PrimeOrderCurve::from_params(p, a, b, g_x, g_y, order); 87| 1.18k| if(m_pcurve) { ------------------ | Branch (87:10): [True: 524, False: 660] ------------------ 88| 524| m_engine = EC_Group_Engine::Generic; 89| 524| } 90| | // possibly still null here, if parameters unsuitable or if the 91| | // pcurves_generic module wasn't included in the build 92| 1.18k| } 93| | 94| 3.19k|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 95| 3.19k| secure_vector ws; 96| 3.19k| m_a_r = m_monty.mul(a, m_monty.R2(), ws); 97| 3.19k| m_b_r = m_monty.mul(b, m_monty.R2(), ws); 98| 3.19k| if(!m_pcurve) { ------------------ | Branch (98:7): [True: 736, False: 2.45k] ------------------ 99| 736| m_engine = EC_Group_Engine::Legacy; 100| 736| } 101| |#else 102| | if(!m_pcurve) { 103| | if(m_oid.empty()) { 104| | throw Not_Implemented("EC_Group this group is not supported in this build configuration"); 105| | } else { 106| | throw Not_Implemented( 107| | fmt("EC_Group the group {} is not supported in this build configuration", oid.to_string())); 108| | } 109| | } 110| |#endif 111| 3.19k|} _ZN5Botan13EC_Group_Data6createERKNS_6BigIntES3_S3_S3_S3_S3_S3_RKNS_3OIDENS_15EC_Group_SourceE: 121| 3.19k| EC_Group_Source source) { 122| 3.19k| auto group = std::make_shared(p, a, b, g_x, g_y, order, cofactor, oid, source); 123| | 124| 3.19k|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 125| 3.19k| group->m_curve = CurveGFp(group.get()); 126| 3.19k| group->m_base_point = EC_Point(group->m_curve, g_x, g_y); 127| 3.19k| if(!group->m_pcurve) { ------------------ | Branch (127:7): [True: 736, False: 2.45k] ------------------ 128| 736| group->m_base_mult = std::make_unique(group->m_base_point, group->m_mod_order); 129| 736| } 130| 3.19k|#endif 131| | 132| 3.19k| return group; 133| 3.19k|} _ZNK5Botan13EC_Group_Data12params_matchERKNS_6BigIntES3_S3_NSt3__14spanIKhLm18446744073709551615EEES3_S3_: 172| 189| const BigInt& cofactor) const { 173| 189| if(p != this->p()) { ------------------ | Branch (173:7): [True: 6, False: 183] ------------------ 174| 6| return false; 175| 6| } 176| 183| if(a != this->a()) { ------------------ | Branch (176:7): [True: 3, False: 180] ------------------ 177| 3| return false; 178| 3| } 179| 180| if(b != this->b()) { ------------------ | Branch (179:7): [True: 2, False: 178] ------------------ 180| 2| return false; 181| 2| } 182| 178| if(order != this->order()) { ------------------ | Branch (182:7): [True: 0, False: 178] ------------------ 183| 0| return false; 184| 0| } 185| 178| if(cofactor != this->cofactor()) { ------------------ | Branch (185:7): [True: 24, False: 154] ------------------ 186| 24| return false; 187| 24| } 188| | 189| 154| const size_t field_len = this->p_bytes(); 190| | 191| 154| if(base_pt.size() == 1 + field_len && (base_pt[0] == 0x02 || base_pt[0] == 0x03)) { ------------------ | Branch (191:7): [True: 0, False: 154] | Branch (191:43): [True: 0, False: 0] | Branch (191:65): [True: 0, False: 0] ------------------ 192| | // compressed 193| | 194| 0| const auto g_x = m_g_x.serialize(field_len); 195| 0| const auto g_y = m_g_y.is_odd(); 196| | 197| 0| const auto sec1_x = base_pt.subspan(1, field_len); 198| 0| const bool sec1_y = (base_pt[0] == 0x03); 199| | 200| 0| if(!std::ranges::equal(sec1_x, g_x)) { ------------------ | Branch (200:10): [True: 0, False: 0] ------------------ 201| 0| return false; 202| 0| } 203| | 204| 0| if(sec1_y != g_y) { ------------------ | Branch (204:10): [True: 0, False: 0] ------------------ 205| 0| return false; 206| 0| } 207| | 208| 0| return true; 209| 154| } else if(base_pt.size() == 1 + 2 * field_len && base_pt[0] == 0x04) { ------------------ | Branch (209:14): [True: 154, False: 0] | Branch (209:53): [True: 148, False: 6] ------------------ 210| 148| const auto g_x = m_g_x.serialize(field_len); 211| 148| const auto g_y = m_g_y.serialize(field_len); 212| | 213| 148| const auto sec1_x = base_pt.subspan(1, field_len); 214| 148| const auto sec1_y = base_pt.subspan(1 + field_len, field_len); 215| | 216| 148| if(!std::ranges::equal(sec1_x, g_x)) { ------------------ | Branch (216:10): [True: 40, False: 108] ------------------ 217| 40| return false; 218| 40| } 219| | 220| 108| if(!std::ranges::equal(sec1_y, g_y)) { ------------------ | Branch (220:10): [True: 23, False: 85] ------------------ 221| 23| return false; 222| 23| } 223| | 224| 85| return true; 225| 108| } else { 226| 6| throw Decoding_Error("Invalid base point encoding in explicit group"); 227| 6| } 228| 154|} _ZNK5Botan13EC_Group_Data18scalar_deserializeENSt3__14spanIKhLm18446744073709551615EEE: 358| 2.98k|std::unique_ptr EC_Group_Data::scalar_deserialize(std::span bytes) const { 359| 2.98k| if(bytes.size() != m_order_bytes) { ------------------ | Branch (359:7): [True: 6, False: 2.97k] ------------------ 360| 6| return nullptr; 361| 6| } 362| | 363| 2.97k| if(m_pcurve) { ------------------ | Branch (363:7): [True: 2.28k, False: 691] ------------------ 364| 2.28k| if(auto s = m_pcurve->deserialize_scalar(bytes)) { ------------------ | Branch (364:15): [True: 2.26k, False: 18] ------------------ 365| 2.26k| return std::make_unique(shared_from_this(), *s); 366| 2.26k| } else { 367| 18| return nullptr; 368| 18| } 369| 2.28k| } else { 370| 691|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 371| 691| BigInt r(bytes); 372| | 373| 691| if(r.is_zero() || r >= m_order) { ------------------ | Branch (373:10): [True: 1, False: 690] | Branch (373:25): [True: 1, False: 689] ------------------ 374| 2| return nullptr; 375| 2| } 376| | 377| 689| return std::make_unique(shared_from_this(), std::move(r)); 378| |#else 379| | throw Not_Implemented("Legacy EC interfaces disabled in this build configuration"); 380| |#endif 381| 691| } 382| 2.97k|} _ZNK5Botan13EC_Group_Data17point_deserializeENSt3__14spanIKhLm18446744073709551615EEE: 384| 1.14k|std::unique_ptr EC_Group_Data::point_deserialize(std::span bytes) const { 385| | // The deprecated "hybrid" point format 386| | // TODO(Botan4) remove this 387| 1.14k| if(bytes.size() >= 1 + 2 * 4 && (bytes[0] == 0x06 || bytes[0] == 0x07)) { ------------------ | Branch (387:7): [True: 1.14k, False: 0] | Branch (387:37): [True: 135, False: 1.01k] | Branch (387:57): [True: 551, False: 461] ------------------ 388| 686| const bool hdr_y_is_even = bytes[0] == 0x06; 389| 686| const bool y_is_even = (bytes.back() & 0x01) == 0; 390| | 391| 686| if(hdr_y_is_even == y_is_even) { ------------------ | Branch (391:10): [True: 164, False: 522] ------------------ 392| 164| std::vector sec1(bytes.begin(), bytes.end()); 393| 164| sec1[0] = 0x04; 394| 164| return this->point_deserialize(sec1); 395| 164| } 396| 686| } 397| | 398| 983| try { 399| 983| if(m_pcurve) { ------------------ | Branch (399:10): [True: 393, False: 590] ------------------ 400| 393| if(auto pt = m_pcurve->deserialize_point(bytes)) { ------------------ | Branch (400:18): [True: 3, False: 390] ------------------ 401| 3| return std::make_unique(shared_from_this(), std::move(*pt)); 402| 390| } else { 403| 390| return {}; 404| 390| } 405| 590| } else { 406| 590|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 407| 590| auto pt = Botan::OS2ECP(bytes, m_curve); 408| 590| return std::make_unique(shared_from_this(), std::move(pt)); 409| |#else 410| | throw Not_Implemented("Legacy EC interfaces disabled in this build configuration"); 411| |#endif 412| 590| } 413| 983| } catch(...) { 414| 589| return {}; 415| 589| } 416| 983|} _ZNK5Botan13EC_Group_Data11point_g_mulERKNS_14EC_Scalar_DataERNS_21RandomNumberGeneratorE: 466| 1.97k| RandomNumberGenerator& rng) const { 467| 1.97k| if(m_pcurve) { ------------------ | Branch (467:7): [True: 1.87k, False: 99] ------------------ 468| 1.87k| const auto& k = EC_Scalar_Data_PC::checked_ref(scalar); 469| 1.87k| auto pt = m_pcurve->point_to_affine(m_pcurve->mul_by_g(k.value(), rng)); 470| 1.87k| return std::make_unique(shared_from_this(), std::move(pt)); 471| 1.87k| } else { 472| 99|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 473| 99| const auto& group = scalar.group(); 474| 99| const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar); 475| | 476| 99| BOTAN_STATE_CHECK(group->m_base_mult != nullptr); ------------------ | | 51| 99| do { \ | | 52| 99| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 99| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 99] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 99| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 99] | | ------------------ ------------------ 477| 99| std::vector ws; 478| 99| auto pt = group->m_base_mult->mul(bn.value(), rng, m_order, ws); 479| 99| return std::make_unique(shared_from_this(), std::move(pt)); 480| |#else 481| | throw Not_Implemented("Legacy EC interfaces disabled in this build configuration"); 482| |#endif 483| 99| } 484| 1.97k|} _ZN5Botan17EC_Scalar_Data_PC11checked_refERKNS_14EC_Scalar_DataE: 14| 1.87k|const EC_Scalar_Data_PC& EC_Scalar_Data_PC::checked_ref(const EC_Scalar_Data& data) { 15| 1.87k| const auto* p = dynamic_cast(&data); 16| 1.87k| if(p == nullptr) { ------------------ | Branch (16:7): [True: 0, False: 1.87k] ------------------ 17| 0| throw Invalid_State("Failed conversion to EC_Scalar_Data_PC"); 18| 0| } 19| 1.87k| return *p; 20| 1.87k|} _ZNK5Botan17EC_Scalar_Data_PC5groupEv: 22| 8.67k|const std::shared_ptr& EC_Scalar_Data_PC::group() const { 23| 8.67k| return m_group; 24| 8.67k|} _ZNK5Botan17EC_Scalar_Data_PC5bytesEv: 26| 2.26k|size_t EC_Scalar_Data_PC::bytes() const { 27| 2.26k| return this->group()->order_bytes(); 28| 2.26k|} _ZNK5Botan17EC_Scalar_Data_PC5cloneEv: 30| 2.26k|std::unique_ptr EC_Scalar_Data_PC::clone() const { 31| 2.26k| return std::make_unique(this->group(), this->value()); 32| 2.26k|} _ZNK5Botan17EC_Scalar_Data_PC7is_zeroEv: 34| 2.26k|bool EC_Scalar_Data_PC::is_zero() const { 35| 2.26k| const auto& pcurve = this->group()->pcurve(); 36| 2.26k| return pcurve.scalar_is_zero(m_v); 37| 2.26k|} _ZN5Botan17EC_Scalar_Data_PC7zeroizeEv: 48| 2.26k|void EC_Scalar_Data_PC::zeroize() { 49| 2.26k| m_v._zeroize(); 50| 2.26k|} _ZNK5Botan17EC_Scalar_Data_PC12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 81| 2.26k|void EC_Scalar_Data_PC::serialize_to(std::span bytes) const { 82| 2.26k| BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length"); ------------------ | | 35| 2.26k| do { \ | | 36| 2.26k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.26k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.26k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.26k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.26k] | | ------------------ ------------------ 83| 2.26k| m_group->pcurve().serialize_scalar(bytes, m_v); 84| 2.26k|} _ZN5Botan22EC_AffinePoint_Data_PCC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_6PCurve15PrimeOrderCurve11AffinePointE: 88| 1.87k| m_group(std::move(group)), m_pt(std::move(pt)) { 89| 1.87k| const auto& pcurve = m_group->pcurve(); 90| | 91| 1.87k| if(!pcurve.affine_point_is_identity(m_pt)) { ------------------ | Branch (91:7): [True: 1.87k, False: 0] ------------------ 92| 1.87k| m_xy.resize(1 + 2 * field_element_bytes()); 93| 1.87k| pcurve.serialize_point(m_xy, m_pt); 94| 1.87k| } 95| 1.87k|} _ZNK5Botan22EC_AffinePoint_Data_PC19field_element_bytesEv: 129| 3.75k|size_t EC_AffinePoint_Data_PC::field_element_bytes() const { 130| 3.75k| return m_group->pcurve().field_element_bytes(); 131| 3.75k|} _ZNK5Botan22EC_AffinePoint_Data_PC11is_identityEv: 133| 3.75k|bool EC_AffinePoint_Data_PC::is_identity() const { 134| 3.75k| return m_xy.empty(); 135| 3.75k|} _ZNK5Botan22EC_AffinePoint_Data_PC15to_legacy_pointEv: 177| 1.87k|EC_Point EC_AffinePoint_Data_PC::to_legacy_point() const { 178| 1.87k| if(this->is_identity()) { ------------------ | Branch (178:7): [True: 0, False: 1.87k] ------------------ 179| 0| return EC_Point(m_group->curve()); 180| 1.87k| } else { 181| 1.87k| const size_t fe_bytes = this->field_element_bytes(); 182| 1.87k| return EC_Point(m_group->curve(), 183| 1.87k| BigInt::from_bytes(std::span{m_xy}.subspan(1, fe_bytes)), 184| 1.87k| BigInt::from_bytes(std::span{m_xy}.last(fe_bytes))); 185| 1.87k| } 186| 1.87k|} _ZN5Botan8EC_Group13EC_group_infoERKNS_3OIDE: 16| 3.17k|std::shared_ptr EC_Group::EC_group_info(const OID& oid) { 17| | // secp256r1 18| 3.17k| if(oid == OID{1, 2, 840, 10045, 3, 1, 7}) { ------------------ | Branch (18:7): [True: 270, False: 2.90k] ------------------ 19| 270| return load_EC_group_info( 20| 270| "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 21| 270| "0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", 22| 270| "0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", 23| 270| "0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 24| 270| "0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 25| 270| "0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 26| 270| oid); 27| 270| } 28| | 29| | // secp384r1 30| 2.90k| if(oid == OID{1, 3, 132, 0, 34}) { ------------------ | Branch (30:7): [True: 165, False: 2.73k] ------------------ 31| 165| return load_EC_group_info( 32| 165| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", 33| 165| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", 34| 165| "0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", 35| 165| "0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", 36| 165| "0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", 37| 165| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 38| 165| oid); 39| 165| } 40| | 41| | // secp521r1 42| 2.73k| if(oid == OID{1, 3, 132, 0, 35}) { ------------------ | Branch (42:7): [True: 306, False: 2.43k] ------------------ 43| 306| return load_EC_group_info( 44| 306| "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 45| 306| "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", 46| 306| "0x51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", 47| 306| "0xC6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", 48| 306| "0x11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", 49| 306| "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 50| 306| oid); 51| 306| } 52| | 53| | // brainpool160r1 54| 2.43k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1}) { ------------------ | Branch (54:7): [True: 53, False: 2.37k] ------------------ 55| 53| return load_EC_group_info( 56| 53| "0xE95E4A5F737059DC60DFC7AD95B3D8139515620F", 57| 53| "0x340E7BE2A280EB74E2BE61BADA745D97E8F7C300", 58| 53| "0x1E589A8595423412134FAA2DBDEC95C8D8675E58", 59| 53| "0xBED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3", 60| 53| "0x1667CB477A1A8EC338F94741669C976316DA6321", 61| 53| "0xE95E4A5F737059DC60DF5991D45029409E60FC09", 62| 53| oid); 63| 53| } 64| | 65| | // brainpool192r1 66| 2.37k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3}) { ------------------ | Branch (66:7): [True: 8, False: 2.36k] ------------------ 67| 8| return load_EC_group_info( 68| 8| "0xC302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297", 69| 8| "0x6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF", 70| 8| "0x469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9", 71| 8| "0xC0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6", 72| 8| "0x14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F", 73| 8| "0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", 74| 8| oid); 75| 8| } 76| | 77| | // brainpool224r1 78| 2.36k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5}) { ------------------ | Branch (78:7): [True: 89, False: 2.28k] ------------------ 79| 89| return load_EC_group_info( 80| 89| "0xD7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", 81| 89| "0x68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43", 82| 89| "0x2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", 83| 89| "0xD9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D", 84| 89| "0x58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD", 85| 89| "0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 86| 89| oid); 87| 89| } 88| | 89| | // brainpool256r1 90| 2.28k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}) { ------------------ | Branch (90:7): [True: 176, False: 2.10k] ------------------ 91| 176| return load_EC_group_info( 92| 176| "0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 93| 176| "0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 94| 176| "0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 95| 176| "0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 96| 176| "0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 97| 176| "0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 98| 176| oid); 99| 176| } 100| | 101| | // brainpool320r1 102| 2.10k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9}) { ------------------ | Branch (102:7): [True: 52, False: 2.05k] ------------------ 103| 52| return load_EC_group_info( 104| 52| "0xD35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27", 105| 52| "0x3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4", 106| 52| "0x520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6", 107| 52| "0x43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611", 108| 52| "0x14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1", 109| 52| "0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", 110| 52| oid); 111| 52| } 112| | 113| | // brainpool384r1 114| 2.05k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}) { ------------------ | Branch (114:7): [True: 205, False: 1.84k] ------------------ 115| 205| return load_EC_group_info( 116| 205| "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 117| 205| "0x7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826", 118| 205| "0x4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11", 119| 205| "0x1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", 120| 205| "0x8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", 121| 205| "0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 122| 205| oid); 123| 205| } 124| | 125| | // brainpool512r1 126| 1.84k| if(oid == OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}) { ------------------ | Branch (126:7): [True: 157, False: 1.69k] ------------------ 127| 157| return load_EC_group_info( 128| 157| "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 129| 157| "0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA", 130| 157| "0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723", 131| 157| "0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", 132| 157| "0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", 133| 157| "0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 134| 157| oid); 135| 157| } 136| | 137| | // frp256v1 138| 1.69k| if(oid == OID{1, 2, 250, 1, 223, 101, 256, 1}) { ------------------ | Branch (138:7): [True: 0, False: 1.69k] ------------------ 139| 0| return load_EC_group_info( 140| 0| "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C03", 141| 0| "0xF1FD178C0B3AD58F10126DE8CE42435B3961ADBCABC8CA6DE8FCF353D86E9C00", 142| 0| "0xEE353FCA5428A9300D4ABA754A44C00FDFEC0C9AE4B1A1803075ED967B7BB73F", 143| 0| "0xB6B3D4C356C139EB31183D4749D423958C27D2DCAF98B70164C97A2DD98F5CFF", 144| 0| "0x6142E0F7C8B204911F9271F0F3ECEF8C2701C307E8E4C9E183115A1554062CFB", 145| 0| "0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1", 146| 0| oid); 147| 0| } 148| | 149| | // gost_256A 150| 1.69k| if(oid == OID{1, 2, 643, 7, 1, 2, 1, 1, 1} || oid == OID{1, 2, 643, 2, 2, 35, 1} || oid == OID{1, 2, 643, 2, 2, 36, 0}) { ------------------ | Branch (150:7): [True: 0, False: 1.69k] | Branch (150:7): [True: 0, False: 1.69k] | Branch (150:50): [True: 0, False: 1.69k] | Branch (150:88): [True: 0, False: 1.69k] ------------------ 151| 0| return load_EC_group_info( 152| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97", 153| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94", 154| 0| "0xA6", 155| 0| "0x1", 156| 0| "0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14", 157| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893", 158| 0| OID{1, 2, 643, 7, 1, 2, 1, 1, 1}); 159| 0| } 160| | 161| | // gost_512A 162| 1.69k| if(oid == OID{1, 2, 643, 7, 1, 2, 1, 2, 1}) { ------------------ | Branch (162:7): [True: 0, False: 1.69k] ------------------ 163| 0| return load_EC_group_info( 164| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7", 165| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC4", 166| 0| "0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD081CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEE4761503190785A71C760", 167| 0| "0x3", 168| 0| "0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064FDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235F5B889A589CB5215F2A4", 169| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275", 170| 0| oid); 171| 0| } 172| | 173| | // secp160k1 174| 1.69k| if(oid == OID{1, 3, 132, 0, 9}) { ------------------ | Branch (174:7): [True: 7, False: 1.68k] ------------------ 175| 7| return load_EC_group_info( 176| 7| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", 177| 7| "0x0", 178| 7| "0x7", 179| 7| "0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB", 180| 7| "0x938CF935318FDCED6BC28286531733C3F03C4FEE", 181| 7| "0x100000000000000000001B8FA16DFAB9ACA16B6B3", 182| 7| oid); 183| 7| } 184| | 185| | // secp160r1 186| 1.68k| if(oid == OID{1, 3, 132, 0, 8}) { ------------------ | Branch (186:7): [True: 8, False: 1.67k] ------------------ 187| 8| return load_EC_group_info( 188| 8| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF", 189| 8| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC", 190| 8| "0x1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45", 191| 8| "0x4A96B5688EF573284664698968C38BB913CBFC82", 192| 8| "0x23A628553168947D59DCC912042351377AC5FB32", 193| 8| "0x100000000000000000001F4C8F927AED3CA752257", 194| 8| oid); 195| 8| } 196| | 197| | // secp160r2 198| 1.67k| if(oid == OID{1, 3, 132, 0, 30}) { ------------------ | Branch (198:7): [True: 9, False: 1.66k] ------------------ 199| 9| return load_EC_group_info( 200| 9| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", 201| 9| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70", 202| 9| "0xB4E134D3FB59EB8BAB57274904664D5AF50388BA", 203| 9| "0x52DCB034293A117E1F4FF11B30F7199D3144CE6D", 204| 9| "0xFEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E", 205| 9| "0x100000000000000000000351EE786A818F3A1A16B", 206| 9| oid); 207| 9| } 208| | 209| | // secp192k1 210| 1.66k| if(oid == OID{1, 3, 132, 0, 31}) { ------------------ | Branch (210:7): [True: 6, False: 1.66k] ------------------ 211| 6| return load_EC_group_info( 212| 6| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", 213| 6| "0x0", 214| 6| "0x3", 215| 6| "0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", 216| 6| "0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", 217| 6| "0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", 218| 6| oid); 219| 6| } 220| | 221| | // secp192r1 222| 1.66k| if(oid == OID{1, 2, 840, 10045, 3, 1, 1}) { ------------------ | Branch (222:7): [True: 195, False: 1.46k] ------------------ 223| 195| return load_EC_group_info( 224| 195| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 225| 195| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 226| 195| "0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", 227| 195| "0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", 228| 195| "0x7192B95FFC8DA78631011ED6B24CDD573F977A11E794811", 229| 195| "0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 230| 195| oid); 231| 195| } 232| | 233| | // secp224k1 234| 1.46k| if(oid == OID{1, 3, 132, 0, 32}) { ------------------ | Branch (234:7): [True: 633, False: 832] ------------------ 235| 633| return load_EC_group_info( 236| 633| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D", 237| 633| "0x0", 238| 633| "0x5", 239| 633| "0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C", 240| 633| "0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5", 241| 633| "0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7", 242| 633| oid); 243| 633| } 244| | 245| | // secp224r1 246| 832| if(oid == OID{1, 3, 132, 0, 33}) { ------------------ | Branch (246:7): [True: 284, False: 548] ------------------ 247| 284| return load_EC_group_info( 248| 284| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", 249| 284| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", 250| 284| "0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", 251| 284| "0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", 252| 284| "0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", 253| 284| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 254| 284| oid); 255| 284| } 256| | 257| | // secp256k1 258| 548| if(oid == OID{1, 3, 132, 0, 10}) { ------------------ | Branch (258:7): [True: 175, False: 373] ------------------ 259| 175| return load_EC_group_info( 260| 175| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 261| 175| "0x0", 262| 175| "0x7", 263| 175| "0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 264| 175| "0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 265| 175| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 266| 175| oid); 267| 175| } 268| | 269| | // sm2p256v1 270| 373| if(oid == OID{1, 2, 156, 10197, 1, 301}) { ------------------ | Branch (270:7): [True: 0, False: 373] ------------------ 271| 0| return load_EC_group_info( 272| 0| "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF", 273| 0| "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC", 274| 0| "0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93", 275| 0| "0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7", 276| 0| "0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0", 277| 0| "0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123", 278| 0| oid); 279| 0| } 280| | 281| | // x962_p192v2 282| 373| if(oid == OID{1, 2, 840, 10045, 3, 1, 2}) { ------------------ | Branch (282:7): [True: 41, False: 332] ------------------ 283| 41| return load_EC_group_info( 284| 41| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 285| 41| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 286| 41| "0xCC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953", 287| 41| "0xEEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A", 288| 41| "0x6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15", 289| 41| "0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31", 290| 41| oid); 291| 41| } 292| | 293| | // x962_p192v3 294| 332| if(oid == OID{1, 2, 840, 10045, 3, 1, 3}) { ------------------ | Branch (294:7): [True: 38, False: 294] ------------------ 295| 38| return load_EC_group_info( 296| 38| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 297| 38| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 298| 38| "0x22123DC2395A05CAA7423DAECCC94760A7D462256BD56916", 299| 38| "0x7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896", 300| 38| "0x38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0", 301| 38| "0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13", 302| 38| oid); 303| 38| } 304| | 305| | // x962_p239v1 306| 294| if(oid == OID{1, 2, 840, 10045, 3, 1, 4}) { ------------------ | Branch (306:7): [True: 64, False: 230] ------------------ 307| 64| return load_EC_group_info( 308| 64| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", 309| 64| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", 310| 64| "0x6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A", 311| 64| "0xFFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF", 312| 64| "0x7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE", 313| 64| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B", 314| 64| oid); 315| 64| } 316| | 317| | // x962_p239v2 318| 230| if(oid == OID{1, 2, 840, 10045, 3, 1, 5}) { ------------------ | Branch (318:7): [True: 73, False: 157] ------------------ 319| 73| return load_EC_group_info( 320| 73| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", 321| 73| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", 322| 73| "0x617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C", 323| 73| "0x38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7", 324| 73| "0x5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA", 325| 73| "0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063", 326| 73| oid); 327| 73| } 328| | 329| | // x962_p239v3 330| 157| if(oid == OID{1, 2, 840, 10045, 3, 1, 6}) { ------------------ | Branch (330:7): [True: 40, False: 117] ------------------ 331| 40| return load_EC_group_info( 332| 40| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", 333| 40| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", 334| 40| "0x255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E", 335| 40| "0x6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A", 336| 40| "0x1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3", 337| 40| "0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551", 338| 40| oid); 339| 40| } 340| | 341| | // numsp512d1 342| 117| if(oid == OID{1, 3, 6, 1, 4, 1, 25258, 4, 3}) { ------------------ | Branch (342:7): [True: 0, False: 117] ------------------ 343| 0| return load_EC_group_info( 344| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC7", 345| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDC4", 346| 0| "0x1D99B", 347| 0| "0x2", 348| 0| "0x1C282EB23327F9711952C250EA61AD53FCC13031CF6DD336E0B9328433AFBDD8CC5A1C1F0C716FDC724DDE537C2B0ADB00BB3D08DC83755B205CC30D7F83CF28", 349| 0| "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5B3CA4FB94E7831B4FC258ED97D0BDC63B568B36607CD243CE153F390433555D", 350| 0| oid); 351| 0| } 352| | 353| 117| return std::shared_ptr(); 354| 117|} _ZN5Botan8EC_Group28EC_group_identity_from_orderERKNS_6BigIntE: 358| 1.14k| { 359| 1.14k| const uint32_t low_bits = static_cast(order.word_at(0)); 360| | 361| 1.14k| if(low_bits == 0xFC632551 && order == BigInt("0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551")) { ------------------ | Branch (361:7): [True: 59, False: 1.08k] | Branch (361:7): [True: 30, False: 1.11k] | Branch (361:33): [True: 30, False: 29] ------------------ 362| 30| return OID{1, 2, 840, 10045, 3, 1, 7}; 363| 30| } 364| | 365| 1.11k| if(low_bits == 0xCCC52973 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) { ------------------ | Branch (365:7): [True: 1, False: 1.11k] | Branch (365:7): [True: 0, False: 1.11k] | Branch (365:33): [True: 0, False: 1] ------------------ 366| 0| return OID{1, 3, 132, 0, 34}; 367| 0| } 368| | 369| 1.11k| if(low_bits == 0x91386409 && order == BigInt("0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409")) { ------------------ | Branch (369:7): [True: 185, False: 929] | Branch (369:7): [True: 153, False: 961] | Branch (369:33): [True: 153, False: 32] ------------------ 370| 153| return OID{1, 3, 132, 0, 35}; 371| 153| } 372| | 373| 961| if(low_bits == 0x9E60FC09 && order == BigInt("0xE95E4A5F737059DC60DF5991D45029409E60FC09")) { ------------------ | Branch (373:7): [True: 0, False: 961] | Branch (373:7): [True: 0, False: 961] | Branch (373:33): [True: 0, False: 0] ------------------ 374| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 1}; 375| 0| } 376| | 377| 961| if(low_bits == 0x9AC4ACC1 && order == BigInt("0xC302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1")) { ------------------ | Branch (377:7): [True: 0, False: 961] | Branch (377:7): [True: 0, False: 961] | Branch (377:33): [True: 0, False: 0] ------------------ 378| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 3}; 379| 0| } 380| | 381| 961| if(low_bits == 0xA5A7939F && order == BigInt("0xD7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F")) { ------------------ | Branch (381:7): [True: 2, False: 959] | Branch (381:7): [True: 0, False: 961] | Branch (381:33): [True: 0, False: 2] ------------------ 382| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 5}; 383| 0| } 384| | 385| 961| if(low_bits == 0x974856A7 && order == BigInt("0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7")) { ------------------ | Branch (385:7): [True: 3, False: 958] | Branch (385:7): [True: 0, False: 961] | Branch (385:33): [True: 0, False: 3] ------------------ 386| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}; 387| 0| } 388| | 389| 961| if(low_bits == 0x44C59311 && order == BigInt("0xD35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311")) { ------------------ | Branch (389:7): [True: 0, False: 961] | Branch (389:7): [True: 0, False: 961] | Branch (389:33): [True: 0, False: 0] ------------------ 390| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 9}; 391| 0| } 392| | 393| 961| if(low_bits == 0xE9046565 && order == BigInt("0x8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565")) { ------------------ | Branch (393:7): [True: 2, False: 959] | Branch (393:7): [True: 0, False: 961] | Branch (393:33): [True: 0, False: 2] ------------------ 394| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}; 395| 0| } 396| | 397| 961| if(low_bits == 0x9CA90069 && order == BigInt("0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069")) { ------------------ | Branch (397:7): [True: 9, False: 952] | Branch (397:7): [True: 0, False: 961] | Branch (397:33): [True: 0, False: 9] ------------------ 398| 0| return OID{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}; 399| 0| } 400| | 401| 961| if(low_bits == 0xC6D655E1 && order == BigInt("0xF1FD178C0B3AD58F10126DE8CE42435B53DC67E140D2BF941FFDD459C6D655E1")) { ------------------ | Branch (401:7): [True: 6, False: 955] | Branch (401:7): [True: 0, False: 961] | Branch (401:33): [True: 0, False: 6] ------------------ 402| 0| return OID{1, 2, 250, 1, 223, 101, 256, 1}; 403| 0| } 404| | 405| 961| if(low_bits == 0xB761B893 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893")) { ------------------ | Branch (405:7): [True: 0, False: 961] | Branch (405:7): [True: 0, False: 961] | Branch (405:33): [True: 0, False: 0] ------------------ 406| 0| return OID{1, 2, 643, 7, 1, 2, 1, 1, 1}; 407| 0| } 408| | 409| 961| if(low_bits == 0x1F10B275 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2B85DCACDB1411F10B275")) { ------------------ | Branch (409:7): [True: 5, False: 956] | Branch (409:7): [True: 0, False: 961] | Branch (409:33): [True: 0, False: 5] ------------------ 410| 0| return OID{1, 2, 643, 7, 1, 2, 1, 2, 1}; 411| 0| } 412| | 413| 961| if(low_bits == 0xCA16B6B3 && order == BigInt("0x100000000000000000001B8FA16DFAB9ACA16B6B3")) { ------------------ | Branch (413:7): [True: 1, False: 960] | Branch (413:7): [True: 0, False: 961] | Branch (413:33): [True: 0, False: 1] ------------------ 414| 0| return OID{1, 3, 132, 0, 9}; 415| 0| } 416| | 417| 961| if(low_bits == 0xCA752257 && order == BigInt("0x100000000000000000001F4C8F927AED3CA752257")) { ------------------ | Branch (417:7): [True: 0, False: 961] | Branch (417:7): [True: 0, False: 961] | Branch (417:33): [True: 0, False: 0] ------------------ 418| 0| return OID{1, 3, 132, 0, 8}; 419| 0| } 420| | 421| 961| if(low_bits == 0xF3A1A16B && order == BigInt("0x100000000000000000000351EE786A818F3A1A16B")) { ------------------ | Branch (421:7): [True: 1, False: 960] | Branch (421:7): [True: 0, False: 961] | Branch (421:33): [True: 0, False: 1] ------------------ 422| 0| return OID{1, 3, 132, 0, 30}; 423| 0| } 424| | 425| 961| if(low_bits == 0x74DEFD8D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D")) { ------------------ | Branch (425:7): [True: 1, False: 960] | Branch (425:7): [True: 0, False: 961] | Branch (425:33): [True: 0, False: 1] ------------------ 426| 0| return OID{1, 3, 132, 0, 31}; 427| 0| } 428| | 429| 961| if(low_bits == 0xB4D22831 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) { ------------------ | Branch (429:7): [True: 1, False: 960] | Branch (429:7): [True: 0, False: 961] | Branch (429:33): [True: 0, False: 1] ------------------ 430| 0| return OID{1, 2, 840, 10045, 3, 1, 1}; 431| 0| } 432| | 433| 961| if(low_bits == 0x769FB1F7 && order == BigInt("0x10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7")) { ------------------ | Branch (433:7): [True: 2, False: 959] | Branch (433:7): [True: 0, False: 961] | Branch (433:33): [True: 0, False: 2] ------------------ 434| 0| return OID{1, 3, 132, 0, 32}; 435| 0| } 436| | 437| 961| if(low_bits == 0x5C5C2A3D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) { ------------------ | Branch (437:7): [True: 8, False: 953] | Branch (437:7): [True: 6, False: 955] | Branch (437:33): [True: 6, False: 2] ------------------ 438| 6| return OID{1, 3, 132, 0, 33}; 439| 6| } 440| | 441| 955| if(low_bits == 0xD0364141 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141")) { ------------------ | Branch (441:7): [True: 2, False: 953] | Branch (441:7): [True: 0, False: 955] | Branch (441:33): [True: 0, False: 2] ------------------ 442| 0| return OID{1, 3, 132, 0, 10}; 443| 0| } 444| | 445| 955| if(low_bits == 0x39D54123 && order == BigInt("0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123")) { ------------------ | Branch (445:7): [True: 0, False: 955] | Branch (445:7): [True: 0, False: 955] | Branch (445:33): [True: 0, False: 0] ------------------ 446| 0| return OID{1, 2, 156, 10197, 1, 301}; 447| 0| } 448| | 449| 955| if(low_bits == 0x48D8DD31 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31")) { ------------------ | Branch (449:7): [True: 0, False: 955] | Branch (449:7): [True: 0, False: 955] | Branch (449:33): [True: 0, False: 0] ------------------ 450| 0| return OID{1, 2, 840, 10045, 3, 1, 2}; 451| 0| } 452| | 453| 955| if(low_bits == 0xF640EC13 && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13")) { ------------------ | Branch (453:7): [True: 1, False: 954] | Branch (453:7): [True: 0, False: 955] | Branch (453:33): [True: 0, False: 1] ------------------ 454| 0| return OID{1, 2, 840, 10045, 3, 1, 3}; 455| 0| } 456| | 457| 955| if(low_bits == 0x88909D0B && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B")) { ------------------ | Branch (457:7): [True: 1, False: 954] | Branch (457:7): [True: 0, False: 955] | Branch (457:33): [True: 0, False: 1] ------------------ 458| 0| return OID{1, 2, 840, 10045, 3, 1, 4}; 459| 0| } 460| | 461| 955| if(low_bits == 0xBC582063 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063")) { ------------------ | Branch (461:7): [True: 4, False: 951] | Branch (461:7): [True: 0, False: 955] | Branch (461:33): [True: 0, False: 4] ------------------ 462| 0| return OID{1, 2, 840, 10045, 3, 1, 5}; 463| 0| } 464| | 465| 955| if(low_bits == 0x46526551 && order == BigInt("0x7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551")) { ------------------ | Branch (465:7): [True: 2, False: 953] | Branch (465:7): [True: 0, False: 955] | Branch (465:33): [True: 0, False: 2] ------------------ 466| 0| return OID{1, 2, 840, 10045, 3, 1, 6}; 467| 0| } 468| | 469| 955| if(low_bits == 0x0433555D && order == BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5B3CA4FB94E7831B4FC258ED97D0BDC63B568B36607CD243CE153F390433555D")) { ------------------ | Branch (469:7): [True: 11, False: 944] | Branch (469:7): [True: 0, False: 955] | Branch (469:33): [True: 0, False: 11] ------------------ 470| 0| return OID{1, 3, 6, 1, 4, 1, 25258, 4, 3}; 471| 0| } 472| | 473| 955| return OID(); 474| 955|} _ZN5Botan9EC_ScalarC2ENSt3__110unique_ptrINS_14EC_Scalar_DataENS1_14default_deleteIS3_EEEE: 22| 2.95k|EC_Scalar::EC_Scalar(std::unique_ptr scalar) : m_scalar(std::move(scalar)) { 23| 2.95k| BOTAN_ASSERT_NONNULL(m_scalar); ------------------ | | 116| 2.95k| do { \ | | 117| 2.95k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 2.95k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 2.95k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 2.95k] | | ------------------ ------------------ 24| 2.95k|} _ZN5Botan9EC_ScalarC2ERKS0_: 26| 2.95k|EC_Scalar::EC_Scalar(const EC_Scalar& other) : m_scalar(other.inner().clone()) {} _ZN5Botan9EC_ScalarC2EOS0_: 28| 5.91k|EC_Scalar::EC_Scalar(EC_Scalar&& other) noexcept : m_scalar(std::move(other.m_scalar)) {} _ZN5Botan9EC_ScalarD2Ev: 43| 11.8k|EC_Scalar::~EC_Scalar() = default; _ZNK5Botan9EC_Scalar9to_bigintEv: 77| 2.95k|BigInt EC_Scalar::to_bigint() const { 78| 2.95k| secure_vector bytes(m_scalar->bytes()); 79| 2.95k| m_scalar->serialize_to(bytes); 80| 2.95k| return BigInt::from_bytes(bytes); 81| 2.95k|} _ZN5Botan9EC_Scalar11deserializeERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 118| 2.98k|std::optional EC_Scalar::deserialize(const EC_Group& group, std::span bytes) { 119| 2.98k| if(auto v = group._data()->scalar_deserialize(bytes)) { ------------------ | Branch (119:12): [True: 2.95k, False: 26] ------------------ 120| 2.95k| return EC_Scalar(std::move(v)); 121| 2.95k| } else { 122| 26| return {}; 123| 26| } 124| 2.98k|} _ZNK5Botan9EC_Scalar7is_zeroEv: 133| 2.95k|bool EC_Scalar::is_zero() const { 134| 2.95k| return inner().is_zero(); 135| 2.95k|} _ZN5Botan9EC_Scalar7zeroizeEv: 169| 2.95k|void EC_Scalar::zeroize() { 170| 2.95k| m_scalar->zeroize(); 171| 2.95k|} _ZN5Botan17EC_Scalar_Data_BN11checked_refERKNS_14EC_Scalar_DataE: 15| 99|const EC_Scalar_Data_BN& EC_Scalar_Data_BN::checked_ref(const EC_Scalar_Data& data) { 16| 99| const auto* p = dynamic_cast(&data); 17| 99| if(p == nullptr) { ------------------ | Branch (17:7): [True: 0, False: 99] ------------------ 18| 0| throw Invalid_State("Failed conversion to EC_Scalar_Data_BN"); 19| 0| } 20| 99| return *p; 21| 99|} _ZNK5Botan17EC_Scalar_Data_BN5groupEv: 23| 1.57k|const std::shared_ptr& EC_Scalar_Data_BN::group() const { 24| 1.57k| return m_group; 25| 1.57k|} _ZNK5Botan17EC_Scalar_Data_BN5bytesEv: 27| 689|size_t EC_Scalar_Data_BN::bytes() const { 28| 689| return this->group()->order_bytes(); 29| 689|} _ZNK5Botan17EC_Scalar_Data_BN5cloneEv: 31| 689|std::unique_ptr EC_Scalar_Data_BN::clone() const { 32| 689| return std::make_unique(this->group(), this->value()); 33| 689|} _ZNK5Botan17EC_Scalar_Data_BN7is_zeroEv: 35| 689|bool EC_Scalar_Data_BN::is_zero() const { 36| 689| return this->value().is_zero(); 37| 689|} _ZN5Botan17EC_Scalar_Data_BN7zeroizeEv: 47| 689|void EC_Scalar_Data_BN::zeroize() { 48| | // BigInt stores its value in a secure_vector, after swapping the existing 49| | // value will go out of scope (inside `zero`) and be wiped properly. 50| 689| BigInt zero; 51| 689| std::swap(m_v, zero); 52| 689|} _ZNK5Botan17EC_Scalar_Data_BN12serialize_toENSt3__14spanIhLm18446744073709551615EEE: 91| 689|void EC_Scalar_Data_BN::serialize_to(std::span bytes) const { 92| 689| BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length"); ------------------ | | 35| 689| do { \ | | 36| 689| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 689| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 689] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 689| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 689] | | ------------------ ------------------ 93| 689| m_v.serialize_to(bytes); 94| 689|} _ZN5Botan22EC_AffinePoint_Data_BNC2ENSt3__110shared_ptrIKNS_13EC_Group_DataEEENS_8EC_PointE: 97| 100| m_group(std::move(group)), m_pt(std::move(pt)) { 98| 100| if(!m_pt.is_zero()) { ------------------ | Branch (98:7): [True: 100, False: 0] ------------------ 99| 100| m_pt.force_affine(); 100| 100| m_xy = m_pt.xy_bytes(); 101| 100| } 102| 100|} _ZNK5Botan22EC_AffinePoint_Data_BN11is_identityEv: 152| 100|bool EC_AffinePoint_Data_BN::is_identity() const { 153| 100| return m_xy.empty(); 154| 100|} _ZN5Botan8CurveGFpC2EPKNS_13EC_Group_DataE: 28| 3.19k|CurveGFp::CurveGFp(const EC_Group_Data* group) : m_group(group) { 29| 3.19k| BOTAN_ASSERT_NONNULL(m_group); ------------------ | | 116| 3.19k| do { \ | | 117| 3.19k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 3.19k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 3.19k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 3.19k] | | ------------------ ------------------ 30| 3.19k|} _ZNK5Botan8CurveGFp5groupEv: 32| 977k|const EC_Group_Data& CurveGFp::group() const { 33| 977k| BOTAN_ASSERT_NONNULL(m_group); ------------------ | | 116| 977k| do { \ | | 117| 977k| if((ptr) == nullptr) { \ | | ------------------ | | | Branch (117:10): [True: 0, False: 977k] | | ------------------ | | 118| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 119| 0| Botan::assertion_failure(#ptr " is not null", "", __func__, __FILE__, __LINE__); \ | | 120| 0| } \ | | 121| 977k| } while(0) | | ------------------ | | | Branch (121:12): [Folded, False: 977k] | | ------------------ ------------------ 34| 977k| return *m_group; 35| 977k|} _ZNK5Botan8CurveGFp5get_aEv: 37| 590|const BigInt& CurveGFp::get_a() const { 38| 590| return this->group().a(); 39| 590|} _ZNK5Botan8CurveGFp5get_bEv: 41| 590|const BigInt& CurveGFp::get_b() const { 42| 590| return this->group().b(); 43| 590|} _ZNK5Botan8CurveGFp5get_pEv: 45| 590|const BigInt& CurveGFp::get_p() const { 46| 590| return this->group().p(); 47| 590|} _ZNK5Botan8CurveGFp11get_p_wordsEv: 49| 348k|size_t CurveGFp::get_p_words() const { 50| 348k| return this->group().p_words(); 51| 348k|} _ZN5Botan8EC_PointC2ERKNS_8CurveGFpE: 108| 99|EC_Point::EC_Point(const CurveGFp& curve) : m_curve(curve), m_x(0), m_y(curve.group().monty().R1()), m_z(0) {} _ZNK5Botan8EC_Point4zeroEv: 110| 99|EC_Point EC_Point::zero() const { 111| 99| return EC_Point(m_curve); 112| 99|} _ZN5Botan8EC_PointC2ERKNS_8CurveGFpENS_6BigIntES4_: 115| 5.15k| m_curve(curve), m_x(std::move(x)), m_y(std::move(y)), m_z(m_curve.group().monty().R1()) { 116| 5.15k| const auto& group = m_curve.group(); 117| | 118| 5.15k| if(m_x < 0 || m_x >= group.p()) { ------------------ | Branch (118:7): [True: 0, False: 5.15k] | Branch (118:18): [True: 0, False: 5.15k] ------------------ 119| 0| throw Invalid_Argument("Invalid EC_Point affine x"); 120| 0| } 121| 5.15k| if(m_y < 0 || m_y >= group.p()) { ------------------ | Branch (121:7): [True: 0, False: 5.15k] | Branch (121:18): [True: 0, False: 5.15k] ------------------ 122| 0| throw Invalid_Argument("Invalid EC_Point affine y"); 123| 0| } 124| | 125| 5.15k| secure_vector monty_ws(monty_ws_size(group)); 126| | 127| 5.15k| to_rep(group, m_x, monty_ws); 128| 5.15k| to_rep(group, m_y, monty_ws); 129| 5.15k|} _ZN5Botan8EC_Point10add_affineEPKmmS2_mRNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 188| 7.14k| const word x_words[], size_t x_size, const word y_words[], size_t y_size, std::vector& ws_bn) { 189| 7.14k| if((CT::all_zeros(x_words, x_size) & CT::all_zeros(y_words, y_size)).as_bool()) { ------------------ | Branch (189:7): [True: 1.95k, False: 5.18k] ------------------ 190| 1.95k| return; 191| 1.95k| } 192| | 193| 5.18k| const auto& group = m_curve.group(); 194| | 195| 5.18k| if(is_zero()) { ------------------ | Branch (195:7): [True: 99, False: 5.08k] ------------------ 196| 99| m_x.set_words(x_words, x_size); 197| 99| m_y.set_words(y_words, y_size); 198| 99| m_z = group.monty().R1(); 199| 99| return; 200| 99| } 201| | 202| 5.08k| resize_ws(ws_bn, monty_ws_size(group)); 203| | 204| 5.08k| secure_vector& ws = ws_bn[0].get_word_vector(); 205| 5.08k| secure_vector& sub_ws = ws_bn[1].get_word_vector(); 206| | 207| 5.08k| BigInt& T0 = ws_bn[2]; 208| 5.08k| BigInt& T1 = ws_bn[3]; 209| 5.08k| BigInt& T2 = ws_bn[4]; 210| 5.08k| BigInt& T3 = ws_bn[5]; 211| 5.08k| BigInt& T4 = ws_bn[6]; 212| | 213| | /* 214| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 215| | simplified with Z2 = 1 216| | */ 217| | 218| 5.08k| const BigInt& p = group.p(); 219| | 220| 5.08k| fe_sqr(group, T3, m_z, ws); // z1^2 221| 5.08k| fe_mul(group, T4, x_words, x_size, T3, ws); // x2*z1^2 222| | 223| 5.08k| fe_mul(group, T2, m_z, T3, ws); // z1^3 224| 5.08k| fe_mul(group, T0, y_words, y_size, T2, ws); // y2*z1^3 225| | 226| 5.08k| T4.mod_sub(m_x, p, sub_ws); // x2*z1^2 - x1*z2^2 227| | 228| 5.08k| T0.mod_sub(m_y, p, sub_ws); 229| | 230| 5.08k| if(T4.is_zero()) { ------------------ | Branch (230:7): [True: 3, False: 5.08k] ------------------ 231| 3| if(T0.is_zero()) { ------------------ | Branch (231:10): [True: 3, False: 0] ------------------ 232| 3| mult2(ws_bn); 233| 3| return; 234| 3| } 235| | 236| | // setting to zero: 237| 0| m_x.clear(); 238| 0| m_y = group.monty().R1(); 239| 0| m_z.clear(); 240| 0| return; 241| 3| } 242| | 243| 5.08k| fe_sqr(group, T2, T4, ws); 244| | 245| 5.08k| fe_mul(group, T3, m_x, T2, ws); 246| | 247| 5.08k| fe_mul(group, T1, T2, T4, ws); 248| | 249| 5.08k| fe_sqr(group, m_x, T0, ws); 250| 5.08k| m_x.mod_sub(T1, p, sub_ws); 251| | 252| 5.08k| m_x.mod_sub(T3, p, sub_ws); 253| 5.08k| m_x.mod_sub(T3, p, sub_ws); 254| | 255| 5.08k| T3.mod_sub(m_x, p, sub_ws); 256| | 257| 5.08k| fe_mul(group, T2, T0, T3, ws); 258| 5.08k| fe_mul(group, T0, m_y, T1, ws); 259| 5.08k| T2.mod_sub(T0, p, sub_ws); 260| 5.08k| m_y.swap(T2); 261| | 262| 5.08k| fe_mul(group, T0, m_z, T4, ws); 263| 5.08k| m_z.swap(T0); 264| 5.08k|} _ZN5Botan8EC_Point3addERKS0_RNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 266| 348k|void EC_Point::add(const EC_Point& other, std::vector& workspace) { 267| 348k| BOTAN_ARG_CHECK(m_curve == other.m_curve, "cannot add points on different curves"); ------------------ | | 35| 348k| do { \ | | 36| 348k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 348k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 348k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 348k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 348k] | | ------------------ ------------------ 268| | 269| 348k| const size_t p_words = m_curve.get_p_words(); 270| | 271| 348k| add(other.m_x._data(), 272| 348k| std::min(p_words, other.m_x.size()), 273| 348k| other.m_y._data(), 274| 348k| std::min(p_words, other.m_y.size()), 275| 348k| other.m_z._data(), 276| 348k| std::min(p_words, other.m_z.size()), 277| 348k| workspace); 278| 348k|} _ZN5Botan8EC_Point3addEPKmmS2_mS2_mRNSt3__16vectorINS_6BigIntENS3_9allocatorIS5_EEEE: 286| 348k| std::vector& ws_bn) { 287| 348k| if((CT::all_zeros(x_words, x_size) & CT::all_zeros(z_words, z_size)).as_bool()) { ------------------ | Branch (287:7): [True: 0, False: 348k] ------------------ 288| 0| return; 289| 0| } 290| | 291| 348k| const auto& group = m_curve.group(); 292| | 293| 348k| if(is_zero()) { ------------------ | Branch (293:7): [True: 0, False: 348k] ------------------ 294| 0| m_x.set_words(x_words, x_size); 295| 0| m_y.set_words(y_words, y_size); 296| 0| m_z.set_words(z_words, z_size); 297| 0| return; 298| 0| } 299| | 300| 348k| resize_ws(ws_bn, monty_ws_size(group)); 301| | 302| 348k| secure_vector& ws = ws_bn[0].get_word_vector(); 303| 348k| secure_vector& sub_ws = ws_bn[1].get_word_vector(); 304| | 305| 348k| BigInt& T0 = ws_bn[2]; 306| 348k| BigInt& T1 = ws_bn[3]; 307| 348k| BigInt& T2 = ws_bn[4]; 308| 348k| BigInt& T3 = ws_bn[5]; 309| 348k| BigInt& T4 = ws_bn[6]; 310| 348k| BigInt& T5 = ws_bn[7]; 311| | 312| | /* 313| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 314| | */ 315| | 316| 348k| const BigInt& p = group.p(); 317| | 318| 348k| fe_sqr(group, T0, z_words, z_size, ws); // z2^2 319| 348k| fe_mul(group, T1, m_x, T0, ws); // x1*z2^2 320| 348k| fe_mul(group, T3, z_words, z_size, T0, ws); // z2^3 321| 348k| fe_mul(group, T2, m_y, T3, ws); // y1*z2^3 322| | 323| 348k| fe_sqr(group, T3, m_z, ws); // z1^2 324| 348k| fe_mul(group, T4, x_words, x_size, T3, ws); // x2*z1^2 325| | 326| 348k| fe_mul(group, T5, m_z, T3, ws); // z1^3 327| 348k| fe_mul(group, T0, y_words, y_size, T5, ws); // y2*z1^3 328| | 329| 348k| T4.mod_sub(T1, p, sub_ws); // x2*z1^2 - x1*z2^2 330| | 331| 348k| T0.mod_sub(T2, p, sub_ws); 332| | 333| 348k| if(T4.is_zero()) { ------------------ | Branch (333:7): [True: 0, False: 348k] ------------------ 334| 0| if(T0.is_zero()) { ------------------ | Branch (334:10): [True: 0, False: 0] ------------------ 335| 0| mult2(ws_bn); 336| 0| return; 337| 0| } 338| | 339| | // setting to zero: 340| 0| m_x.clear(); 341| 0| m_y = group.monty().R1(); 342| 0| m_z.clear(); 343| 0| return; 344| 0| } 345| | 346| 348k| fe_sqr(group, T5, T4, ws); 347| | 348| 348k| fe_mul(group, T3, T1, T5, ws); 349| | 350| 348k| fe_mul(group, T1, T5, T4, ws); 351| | 352| 348k| fe_sqr(group, m_x, T0, ws); 353| 348k| m_x.mod_sub(T1, p, sub_ws); 354| 348k| m_x.mod_sub(T3, p, sub_ws); 355| 348k| m_x.mod_sub(T3, p, sub_ws); 356| | 357| 348k| T3.mod_sub(m_x, p, sub_ws); 358| | 359| 348k| fe_mul(group, m_y, T0, T3, ws); 360| 348k| fe_mul(group, T3, T2, T1, ws); 361| | 362| 348k| m_y.mod_sub(T3, p, sub_ws); 363| | 364| 348k| fe_mul(group, T3, z_words, z_size, m_z, ws); 365| 348k| fe_mul(group, m_z, T3, T4, ws); 366| 348k|} _ZN5Botan8EC_Point5mult2ERNSt3__16vectorINS_6BigIntENS1_9allocatorIS3_EEEE: 388| 261k|void EC_Point::mult2(std::vector& ws_bn) { 389| 261k| if(is_zero()) { ------------------ | Branch (389:7): [True: 0, False: 261k] ------------------ 390| 0| return; 391| 0| } 392| | 393| 261k| const auto& group = m_curve.group(); 394| | 395| 261k| if(m_y.is_zero()) { ------------------ | Branch (395:7): [True: 0, False: 261k] ------------------ 396| 0| *this = EC_Point(m_curve); // setting myself to zero 397| 0| return; 398| 0| } 399| | 400| 261k| resize_ws(ws_bn, monty_ws_size(group)); 401| | 402| 261k| secure_vector& ws = ws_bn[0].get_word_vector(); 403| 261k| secure_vector& sub_ws = ws_bn[1].get_word_vector(); 404| | 405| 261k| BigInt& T0 = ws_bn[2]; 406| 261k| BigInt& T1 = ws_bn[3]; 407| 261k| BigInt& T2 = ws_bn[4]; 408| 261k| BigInt& T3 = ws_bn[5]; 409| 261k| BigInt& T4 = ws_bn[6]; 410| | 411| | /* 412| | https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc 413| | */ 414| 261k| const BigInt& p = group.p(); 415| | 416| 261k| fe_sqr(group, T0, m_y, ws); 417| | 418| 261k| fe_mul(group, T1, m_x, T0, ws); 419| 261k| fe_smul<4>(T1, p, sub_ws); 420| | 421| 261k| if(group.a_is_zero()) { ------------------ | Branch (421:7): [True: 216k, False: 44.8k] ------------------ 422| | // if a == 0 then 3*x^2 + a*z^4 is just 3*x^2 423| 216k| fe_sqr(group, T4, m_x, ws); // x^2 424| 216k| fe_smul<3>(T4, p, sub_ws); // 3*x^2 425| 216k| } else if(group.a_is_minus_3()) { ------------------ | Branch (425:14): [True: 44.8k, False: 0] ------------------ 426| | /* 427| | if a == -3 then 428| | 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2) 429| | */ 430| 44.8k| fe_sqr(group, T3, m_z, ws); // z^2 431| | 432| | // (x-z^2) 433| 44.8k| T2 = m_x; 434| 44.8k| T2.mod_sub(T3, p, sub_ws); 435| | 436| | // (x+z^2) 437| 44.8k| T3.mod_add(m_x, p, sub_ws); 438| | 439| 44.8k| fe_mul(group, T4, T2, T3, ws); // (x-z^2)*(x+z^2) 440| | 441| 44.8k| fe_smul<3>(T4, p, sub_ws); // 3*(x-z^2)*(x+z^2) 442| 44.8k| } else { 443| 0| fe_sqr(group, T3, m_z, ws); // z^2 444| 0| fe_sqr(group, T4, T3, ws); // z^4 445| 0| fe_mul(group, T3, group.monty_a(), T4, ws); // a*z^4 446| | 447| 0| fe_sqr(group, T4, m_x, ws); // x^2 448| 0| fe_smul<3>(T4, p, sub_ws); 449| 0| T4.mod_add(T3, p, sub_ws); // 3*x^2 + a*z^4 450| 0| } 451| | 452| 261k| fe_sqr(group, T2, T4, ws); 453| 261k| T2.mod_sub(T1, p, sub_ws); 454| 261k| T2.mod_sub(T1, p, sub_ws); 455| | 456| 261k| fe_sqr(group, T3, T0, ws); 457| 261k| fe_smul<8>(T3, p, sub_ws); 458| | 459| 261k| T1.mod_sub(T2, p, sub_ws); 460| | 461| 261k| fe_mul(group, T0, T4, T1, ws); 462| 261k| T0.mod_sub(T3, p, sub_ws); 463| | 464| 261k| m_x.swap(T2); 465| | 466| 261k| fe_mul(group, T2, m_y, m_z, ws); 467| 261k| fe_smul<2>(T2, p, sub_ws); 468| | 469| 261k| m_y.swap(T0); 470| 261k| m_z.swap(T2); 471| 261k|} _ZN5Botan8EC_Point16force_all_affineENSt3__14spanIS0_Lm18446744073709551615EEERNS1_6vectorImNS_16secure_allocatorImEEEE: 520| 736|void EC_Point::force_all_affine(std::span points, secure_vector& ws) { 521| 736| if(points.size() <= 1) { ------------------ | Branch (521:7): [True: 0, False: 736] ------------------ 522| 0| for(auto& point : points) { ------------------ | Branch (522:23): [True: 0, False: 0] ------------------ 523| 0| point.force_affine(); 524| 0| } 525| 0| return; 526| 0| } 527| | 528| 609k| for(auto& point : points) { ------------------ | Branch (528:20): [True: 609k, False: 736] ------------------ 529| 609k| if(point.is_zero()) { ------------------ | Branch (529:10): [True: 0, False: 609k] ------------------ 530| 0| throw Invalid_State("Cannot convert zero ECC point to affine"); 531| 0| } 532| 609k| } 533| | 534| | /* 535| | For >= 2 points use Montgomery's trick 536| | 537| | See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography" 538| | (Hankerson, Menezes, Vanstone) 539| | 540| | TODO is it really necessary to save all k points in c? 541| | */ 542| | 543| 736| const auto& group = points[0].m_curve.group(); 544| 736| const BigInt& rep_1 = group.monty().R1(); 545| | 546| 736| if(ws.size() < monty_ws_size(group)) { ------------------ | Branch (546:7): [True: 0, False: 736] ------------------ 547| 0| ws.resize(monty_ws_size(group)); 548| 0| } 549| | 550| 736| std::vector c(points.size()); 551| 736| c[0] = points[0].m_z; 552| | 553| 609k| for(size_t i = 1; i != points.size(); ++i) { ------------------ | Branch (553:22): [True: 608k, False: 736] ------------------ 554| 608k| fe_mul(group, c[i], c[i - 1], points[i].m_z, ws); 555| 608k| } 556| | 557| 736| BigInt s_inv = invert_element(group, c[c.size() - 1], ws); 558| | 559| 736| BigInt z_inv; 560| 736| BigInt z2_inv; 561| 736| BigInt z3_inv; 562| | 563| 609k| for(size_t i = points.size() - 1; i != 0; i--) { ------------------ | Branch (563:38): [True: 608k, False: 736] ------------------ 564| 608k| EC_Point& point = points[i]; 565| | 566| 608k| fe_mul(group, z_inv, s_inv, c[i - 1], ws); 567| | 568| 608k| s_inv = fe_mul(group, s_inv, point.m_z, ws); 569| | 570| 608k| fe_sqr(group, z2_inv, z_inv, ws); 571| 608k| fe_mul(group, z3_inv, z2_inv, z_inv, ws); 572| 608k| point.m_x = fe_mul(group, point.m_x, z2_inv, ws); 573| 608k| point.m_y = fe_mul(group, point.m_y, z3_inv, ws); 574| 608k| point.m_z = rep_1; 575| 608k| } 576| | 577| 736| fe_sqr(group, z2_inv, s_inv, ws); 578| 736| fe_mul(group, z3_inv, z2_inv, s_inv, ws); 579| 736| points[0].m_x = fe_mul(group, points[0].m_x, z2_inv, ws); 580| 736| points[0].m_y = fe_mul(group, points[0].m_y, z3_inv, ws); 581| 736| points[0].m_z = rep_1; 582| 736|} _ZN5Botan8EC_Point12force_affineEv: 584| 100|void EC_Point::force_affine() { 585| 100| if(is_zero()) { ------------------ | Branch (585:7): [True: 0, False: 100] ------------------ 586| 0| throw Invalid_State("Cannot convert zero ECC point to affine"); 587| 0| } 588| | 589| 100| secure_vector ws; 590| | 591| 100| const auto& group = m_curve.group(); 592| | 593| 100| const BigInt z_inv = invert_element(group, m_z, ws); 594| 100| const BigInt z2_inv = fe_sqr(group, z_inv, ws); 595| 100| const BigInt z3_inv = fe_mul(group, z_inv, z2_inv, ws); 596| 100| m_x = fe_mul(group, m_x, z2_inv, ws); 597| 100| m_y = fe_mul(group, m_y, z3_inv, ws); 598| 100| m_z = group.monty().R1(); 599| 100|} _ZNK5Botan8EC_Point9is_affineEv: 601| 200|bool EC_Point::is_affine() const { 602| 200| const auto& group = m_curve.group(); 603| 200| return m_z == group.monty().R1(); 604| 200|} _ZNK5Botan8EC_Point8xy_bytesEv: 622| 100|secure_vector EC_Point::xy_bytes() const { 623| 100| const auto& group = m_curve.group(); 624| 100| const size_t p_bytes = group.p_bytes(); 625| 100| secure_vector b(2 * p_bytes); 626| 100| BigInt::encode_1363(&b[0], p_bytes, this->get_affine_x()); // NOLINT(*container-data-pointer) 627| 100| BigInt::encode_1363(&b[p_bytes], p_bytes, this->get_affine_y()); 628| 100| return b; 629| 100|} _ZNK5Botan8EC_Point12get_affine_xEv: 631| 100|BigInt EC_Point::get_affine_x() const { 632| 100| if(is_zero()) { ------------------ | Branch (632:7): [True: 0, False: 100] ------------------ 633| 0| throw Invalid_State("Cannot convert zero point to affine"); 634| 0| } 635| | 636| 100| secure_vector monty_ws; 637| | 638| 100| const auto& group = m_curve.group(); 639| | 640| 100| if(is_affine()) { ------------------ | Branch (640:7): [True: 100, False: 0] ------------------ 641| 100| return from_rep_to_tmp(group, m_x, monty_ws); 642| 100| } 643| | 644| 0| BigInt z2 = fe_sqr(group, m_z, monty_ws); 645| 0| z2 = invert_element(group, z2, monty_ws); 646| | 647| 0| BigInt r; 648| 0| fe_mul(group, r, m_x, z2, monty_ws); 649| 0| from_rep(group, r, monty_ws); 650| 0| return r; 651| 100|} _ZNK5Botan8EC_Point12get_affine_yEv: 653| 100|BigInt EC_Point::get_affine_y() const { 654| 100| if(is_zero()) { ------------------ | Branch (654:7): [True: 0, False: 100] ------------------ 655| 0| throw Invalid_State("Cannot convert zero point to affine"); 656| 0| } 657| | 658| 100| const auto& group = m_curve.group(); 659| 100| secure_vector monty_ws; 660| | 661| 100| if(is_affine()) { ------------------ | Branch (661:7): [True: 100, False: 0] ------------------ 662| 100| return from_rep_to_tmp(group, m_y, monty_ws); 663| 100| } 664| | 665| 0| const BigInt z2 = fe_sqr(group, m_z, monty_ws); 666| 0| const BigInt z3 = fe_mul(group, m_z, z2, monty_ws); 667| 0| const BigInt z3_inv = invert_element(group, z3, monty_ws); 668| | 669| 0| BigInt r; 670| 0| fe_mul(group, r, m_y, z3_inv, monty_ws); 671| 0| from_rep(group, r, monty_ws); 672| 0| return r; 673| 100|} _ZNK5Botan8EC_Point12on_the_curveEv: 675| 83|bool EC_Point::on_the_curve() const { 676| | /* 677| | Is the point still on the curve?? (If everything is correct, the 678| | point is always on its curve; then the function will return true. 679| | If somehow the state is corrupted, which suggests a fault attack 680| | (or internal computational error), then return false. 681| | */ 682| 83| if(is_zero()) { ------------------ | Branch (682:7): [True: 0, False: 83] ------------------ 683| 0| return true; 684| 0| } 685| | 686| 83| const auto& group = m_curve.group(); 687| 83| secure_vector monty_ws; 688| | 689| 83| const BigInt y2 = from_rep_to_tmp(group, fe_sqr(group, m_y, monty_ws), monty_ws); 690| 83| const BigInt x3 = fe_mul(group, m_x, fe_sqr(group, m_x, monty_ws), monty_ws); 691| 83| const BigInt ax = fe_mul(group, m_x, group.monty_a(), monty_ws); 692| 83| const BigInt z2 = fe_sqr(group, m_z, monty_ws); 693| | 694| 83| const BigInt& monty_b = group.monty_b(); 695| | 696| | // Is z equal to 1 (in Montgomery form)? 697| 83| if(m_z == z2) { ------------------ | Branch (697:7): [True: 83, False: 0] ------------------ 698| 83| if(y2 != from_rep_to_tmp(group, x3 + ax + monty_b, monty_ws)) { ------------------ | Branch (698:10): [True: 82, False: 1] ------------------ 699| 82| return false; 700| 82| } 701| 83| } 702| | 703| 1| const BigInt z3 = fe_mul(group, m_z, z2, monty_ws); 704| 1| const BigInt ax_z4 = fe_mul(group, ax, fe_sqr(group, z2, monty_ws), monty_ws); 705| 1| const BigInt b_z6 = fe_mul(group, monty_b, fe_sqr(group, z3, monty_ws), monty_ws); 706| | 707| 1| if(y2 != from_rep_to_tmp(group, x3 + ax_z4 + b_z6, monty_ws)) { ------------------ | Branch (707:7): [True: 0, False: 1] ------------------ 708| 0| return false; 709| 0| } 710| | 711| 1| return true; 712| 1|} _ZN5Botan8EC_Point4swapERS0_: 792| 527k|void EC_Point::swap(EC_Point& other) noexcept { 793| 527k| m_curve.swap(other.m_curve); 794| 527k| m_x.swap(other.m_x); 795| 527k| m_y.swap(other.m_y); 796| 527k| m_z.swap(other.m_z); 797| 527k|} _ZN5Botan6OS2ECPENSt3__14spanIKhLm18446744073709551615EEERKNS_8CurveGFpE: 866| 590|EC_Point OS2ECP(std::span data, const CurveGFp& curve) { 867| 590| return OS2ECP(data.data(), data.size(), curve); 868| 590|} _ZN5Botan6OS2ECPEPKhmRKNS_8CurveGFpE: 870| 590|EC_Point OS2ECP(const uint8_t data[], size_t data_len, const CurveGFp& curve) { 871| 590| if(data_len == 1 && data[0] == 0) { ------------------ | Branch (871:7): [True: 0, False: 590] | Branch (871:24): [True: 0, False: 0] ------------------ 872| | // SEC1 standard representation of the point at infinity 873| 0| return EC_Point(curve); 874| 0| } 875| | 876| 590| const auto [g_x, g_y] = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b()); 877| | 878| 590| EC_Point point(curve, g_x, g_y); 879| | 880| 590| if(!point.on_the_curve()) { ------------------ | Branch (880:7): [True: 82, False: 508] ------------------ 881| 82| throw Decoding_Error("OS2ECP: Decoded point was not on the curve"); 882| 82| } 883| | 884| 508| return point; 885| 590|} _ZN5Botan6OS2ECPEPKhmRKNS_6BigIntES4_S4_: 887| 590|std::pair OS2ECP(const uint8_t pt[], size_t pt_len, const BigInt& p, const BigInt& a, const BigInt& b) { 888| 590| if(pt_len <= 1) { ------------------ | Branch (888:7): [True: 0, False: 590] ------------------ 889| 0| throw Decoding_Error("OS2ECP invalid point encoding"); 890| 0| } 891| | 892| 590| const uint8_t pc = pt[0]; 893| 590| const size_t p_bytes = p.bytes(); 894| | 895| 590| BigInt x; 896| 590| BigInt y; 897| | 898| 590| if(pc == 2 || pc == 3) { ------------------ | Branch (898:7): [True: 1, False: 589] | Branch (898:18): [True: 1, False: 588] ------------------ 899| 2| if(pt_len != 1 + p_bytes) { ------------------ | Branch (899:10): [True: 2, False: 0] ------------------ 900| 2| throw Decoding_Error("OS2ECP invalid point encoding"); 901| 2| } 902| 0| x = BigInt::decode(&pt[1], pt_len - 1); 903| | 904| 0| const bool y_mod_2 = ((pc & 0x01) == 1); 905| 0| y = decompress_point(y_mod_2, x, p, a, b); 906| 588| } else if(pc == 4) { ------------------ | Branch (906:14): [True: 85, False: 503] ------------------ 907| 85| if(pt_len != 1 + 2 * p_bytes) { ------------------ | Branch (907:10): [True: 0, False: 85] ------------------ 908| 0| throw Decoding_Error("OS2ECP invalid point encoding"); 909| 0| } 910| | 911| 85| x = BigInt::decode(&pt[1], p_bytes); 912| 85| y = BigInt::decode(&pt[p_bytes + 1], p_bytes); 913| 503| } else if(pc == 6 || pc == 7) { ------------------ | Branch (913:14): [True: 87, False: 416] | Branch (913:25): [True: 405, False: 11] ------------------ 914| 492| if(pt_len != 1 + 2 * p_bytes) { ------------------ | Branch (914:10): [True: 0, False: 492] ------------------ 915| 0| throw Decoding_Error("OS2ECP invalid point encoding"); 916| 0| } 917| | 918| 492| x = BigInt::decode(&pt[1], p_bytes); 919| 492| y = BigInt::decode(&pt[p_bytes + 1], p_bytes); 920| | 921| 492| const bool y_mod_2 = ((pc & 0x01) == 1); 922| | 923| 492| if(decompress_point(y_mod_2, x, p, a, b) != y) { ------------------ | Branch (923:10): [True: 286, False: 206] ------------------ 924| 286| throw Decoding_Error("OS2ECP: Decoding error in hybrid format"); 925| 286| } 926| 492| } else { 927| 11| throw Decoding_Error("OS2ECP: Unknown format type " + std::to_string(static_cast(pc))); 928| 11| } 929| | 930| 291| if(x >= p || y >= p) { ------------------ | Branch (930:7): [True: 207, False: 84] | Branch (930:17): [True: 1, False: 83] ------------------ 931| 2| throw Decoding_Error("OS2ECP invalid point encoding"); 932| 2| } 933| | 934| 289| return std::make_pair(x, y); 935| 291|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_113monty_ws_sizeERKNS_13EC_Group_DataE: 102| 620k|size_t monty_ws_size(const EC_Group_Data& group) { 103| 620k| return 2 * group.p_words(); 104| 620k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16to_repERKNS_13EC_Group_DataERNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 55| 10.3k|void to_rep(const EC_Group_Data& group, BigInt& x, secure_vector& ws) { 56| 10.3k| group.monty().mul_by(x, group.monty().R2(), ws); 57| 10.3k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_sqrERKNS_13EC_Group_DataERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 94| 351|BigInt fe_sqr(const EC_Group_Data& group, const BigInt& x, secure_vector& ws) { 95| 351| return group.monty().sqr(x, ws); 96| 351|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_mulERKNS_13EC_Group_DataERKNS_6BigIntES6_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 82| 1.82M|inline BigInt fe_mul(const EC_Group_Data& group, const BigInt& x, const BigInt& y, secure_vector& ws) { 83| 1.82M| return group.monty().mul(x, y, ws); 84| 1.82M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_19resize_wsERNSt3__16vectorINS_6BigIntENS1_9allocatorIS3_EEEEm: 163| 614k|inline void resize_ws(std::vector& ws_bn, size_t cap_size) { 164| 614k| BOTAN_ASSERT(ws_bn.size() >= EC_Point::WORKSPACE_SIZE, "Expected size for EC_Point workspace"); ------------------ | | 64| 614k| do { \ | | 65| 614k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 614k| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 614k] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 614k| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 614k] | | ------------------ ------------------ 165| | 166| 4.91M| for(auto& ws : ws_bn) { ------------------ | Branch (166:17): [True: 4.91M, False: 614k] ------------------ 167| 4.91M| if(ws.size() < cap_size) { ------------------ | Branch (167:10): [True: 6.77k, False: 4.90M] ------------------ 168| 6.77k| ws.get_word_vector().resize(cap_size); 169| 6.77k| } 170| 4.91M| } 171| 614k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_sqrERKNS_13EC_Group_DataERNS_6BigIntERKS4_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 86| 2.71M|void fe_sqr(const EC_Group_Data& group, BigInt& z, const BigInt& x, secure_vector& ws) { 87| 2.71M| group.monty().sqr(z, x, ws); 88| 2.71M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_mulERKNS_13EC_Group_DataERNS_6BigIntEPKmmRKS4_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 72| 1.40M| const EC_Group_Data& group, BigInt& z, const word x_w[], size_t x_size, const BigInt& y, secure_vector& ws) { 73| 1.40M| group.monty().mul(z, y, std::span{x_w, x_size}, ws); 74| 1.40M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_mulERKNS_13EC_Group_DataERNS_6BigIntERKS4_S7_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 67| 5.47M|inline void fe_mul(const EC_Group_Data& group, BigInt& z, const BigInt& x, const BigInt& y, secure_vector& ws) { 68| 5.47M| group.monty().mul(z, x, y, ws); 69| 5.47M|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_16fe_sqrERKNS_13EC_Group_DataERNS_6BigIntEPKmmRNSt3__16vectorImNS_16secure_allocatorImEEEE: 90| 348k|void fe_sqr(const EC_Group_Data& group, BigInt& z, const word x_w[], size_t x_size, secure_vector& ws) { 91| 348k| group.monty().sqr(z, std::span{x_w, x_size}, ws); 92| 348k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_114invert_elementERKNS_13EC_Group_DataERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 98| 836|BigInt invert_element(const EC_Group_Data& group, const BigInt& x, secure_vector& ws) { 99| 836| return group.monty().mul(inverse_mod_public_prime(x, group.p()), group.monty().R3(), ws); 100| 836|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_115from_rep_to_tmpERKNS_13EC_Group_DataERKNS_6BigIntERNSt3__16vectorImNS_16secure_allocatorImEEEE: 63| 367|BigInt from_rep_to_tmp(const EC_Group_Data& group, const BigInt& x, secure_vector& ws) { 64| 367| return group.monty().redc(x, ws); 65| 367|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_116decompress_pointEbRKNS_6BigIntES3_S3_S3_: 848| 492|BigInt decompress_point(bool y_mod_2, const BigInt& x, const BigInt& p, const BigInt& a, const BigInt& b) { 849| 492| const BigInt g = ((x * x + a) * x + b) % p; 850| | 851| 492| BigInt z = sqrt_modulo_prime(g, p); 852| | 853| 492| if(z < 0) { ------------------ | Branch (853:7): [True: 206, False: 286] ------------------ 854| 206| throw Decoding_Error("Error during EC point decompression"); 855| 206| } 856| | 857| 286| if(z.get_bit(0) != y_mod_2) { ------------------ | Branch (857:7): [True: 140, False: 146] ------------------ 858| 140| z = p - z; 859| 140| } 860| | 861| 286| return z; 862| 492|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm4EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 261k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 261k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 261k| z.mod_mul(M, p, ws); 80| 261k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm3EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 261k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 261k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 261k| z.mod_mul(M, p, ws); 80| 261k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm8EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 261k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 261k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 261k| z.mod_mul(M, p, ws); 80| 261k|} ec_point.cpp:_ZN5Botan12_GLOBAL__N_17fe_smulILm2EEEvRNS_6BigIntERKS2_RNSt3__16vectorImNS_16secure_allocatorImEEEE: 77| 261k|inline void fe_smul(BigInt& z, const BigInt& p, secure_vector& ws) { 78| 261k| static_assert(M == 2 || M == 3 || M == 4 || M == 8); 79| 261k| z.mod_mul(M, p, ws); 80| 261k|} _ZN5Botan30EC_Point_Base_Point_PrecomputeC2ERKNS_8EC_PointERKNS_17Barrett_ReductionE: 43| 736| m_base_point(base), m_mod_order(mod_order), m_p_words(base.get_curve().get_p_words()) { 44| 736| std::vector ws(EC_Point::WORKSPACE_SIZE); 45| | 46| 736| const size_t order_bits = mod_order.modulus_bits(); 47| | 48| 736| const size_t T_bits = round_up(order_bits + blinding_size(order_bits), WindowBits) / WindowBits; 49| | 50| 736| std::vector T(WindowSize * T_bits); 51| | 52| 736| EC_Point g = base; 53| 736| EC_Point g2; 54| 736| EC_Point g4; 55| | 56| 87.7k| for(size_t i = 0; i != T_bits; i++) { ------------------ | Branch (56:22): [True: 87.0k, False: 736] ------------------ 57| 87.0k| g2 = g; 58| 87.0k| g2.mult2(ws); 59| 87.0k| g4 = g2; 60| 87.0k| g4.mult2(ws); 61| | 62| 87.0k| T[7 * i + 0] = g; 63| 87.0k| T[7 * i + 1] = std::move(g2); 64| 87.0k| T[7 * i + 2] = T[7 * i + 1].plus(T[7 * i + 0], ws); // g2+g 65| 87.0k| T[7 * i + 3] = g4; 66| 87.0k| T[7 * i + 4] = T[7 * i + 3].plus(T[7 * i + 0], ws); // g4+g 67| 87.0k| T[7 * i + 5] = T[7 * i + 3].plus(T[7 * i + 1], ws); // g4+g2 68| 87.0k| T[7 * i + 6] = T[7 * i + 3].plus(T[7 * i + 2], ws); // g4+g2+g 69| | 70| 87.0k| g.swap(g4); 71| 87.0k| g.mult2(ws); 72| 87.0k| } 73| | 74| 736| EC_Point::force_all_affine(T, ws[0].get_word_vector()); 75| | 76| 736| m_W.resize(T.size() * 2 * m_p_words); 77| | 78| 736| word* p = m_W.data(); 79| 609k| for(const auto& pt : T) { ------------------ | Branch (79:23): [True: 609k, False: 736] ------------------ 80| 609k| pt.get_x().encode_words(p, m_p_words); 81| 609k| p += m_p_words; 82| 609k| pt.get_y().encode_words(p, m_p_words); 83| 609k| p += m_p_words; 84| 609k| } 85| 736|} _ZNK5Botan30EC_Point_Base_Point_Precompute3mulERKNS_6BigIntERNS_21RandomNumberGeneratorES3_RNSt3__16vectorIS1_NS6_9allocatorIS1_EEEE: 90| 99| std::vector& ws) const { 91| 99| if(k.signum() < 0) { ------------------ | Branch (91:7): [True: 0, False: 99] ------------------ 92| 0| throw Invalid_Argument("EC_Point_Base_Point_Precompute scalar must be positive"); 93| 0| } 94| | 95| | // Instead of reducing k mod group order should we alter the mask size?? 96| 99| BigInt scalar = m_mod_order.reduce(k); 97| | 98| 99| if(rng.is_seeded()) { ------------------ | Branch (98:7): [True: 0, False: 99] ------------------ 99| | // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure) 100| 0| scalar += group_order * blinding_mask(group_order, rng); 101| 99| } else { 102| | /* 103| | When we don't have an RNG we cannot do scalar blinding. Instead use the 104| | same trick as OpenSSL and add one or two copies of the order to normalize 105| | the length of the scalar at order.bits()+1. This at least ensures the loop 106| | bound does not leak information about the high bits of the scalar. 107| | */ 108| 99| scalar += group_order; 109| 99| if(scalar.bits() == group_order.bits()) { ------------------ | Branch (109:10): [True: 90, False: 9] ------------------ 110| 90| scalar += group_order; 111| 90| } 112| 99| BOTAN_DEBUG_ASSERT(scalar.bits() == group_order.bits() + 1); ------------------ | | 130| 99| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 99| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 99] | | ------------------ ------------------ 113| 99| } 114| | 115| 99| const size_t windows = round_up(scalar.bits(), WindowBits) / WindowBits; 116| | 117| 99| const size_t elem_size = 2 * m_p_words; 118| | 119| 99| BOTAN_ASSERT(windows <= m_W.size() / (3 * elem_size), "Precomputed sufficient values for scalar mult"); ------------------ | | 64| 99| do { \ | | 65| 99| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 99| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 99] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 99| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 99] | | ------------------ ------------------ 120| | 121| 99| EC_Point R = m_base_point.zero(); 122| | 123| 99| if(ws.size() < EC_Point::WORKSPACE_SIZE) { ------------------ | Branch (123:7): [True: 99, False: 0] ------------------ 124| 99| ws.resize(EC_Point::WORKSPACE_SIZE); 125| 99| } 126| | 127| | // the precomputed multiples are not secret so use std::vector 128| 99| std::vector Wt(elem_size); 129| | 130| 7.23k| for(size_t i = 0; i != windows; ++i) { ------------------ | Branch (130:22): [True: 7.14k, False: 99] ------------------ 131| 7.14k| const size_t window = windows - i - 1; 132| 7.14k| const size_t base_addr = (WindowSize * window) * elem_size; 133| | 134| 7.14k| const word w = scalar.get_substring(WindowBits * window, WindowBits); 135| | 136| 7.14k| const auto w_is_1 = CT::Mask::is_equal(w, 1); 137| 7.14k| const auto w_is_2 = CT::Mask::is_equal(w, 2); 138| 7.14k| const auto w_is_3 = CT::Mask::is_equal(w, 3); 139| 7.14k| const auto w_is_4 = CT::Mask::is_equal(w, 4); 140| 7.14k| const auto w_is_5 = CT::Mask::is_equal(w, 5); 141| 7.14k| const auto w_is_6 = CT::Mask::is_equal(w, 6); 142| 7.14k| const auto w_is_7 = CT::Mask::is_equal(w, 7); 143| | 144| 62.2k| for(size_t j = 0; j != elem_size; ++j) { ------------------ | Branch (144:25): [True: 55.0k, False: 7.14k] ------------------ 145| 55.0k| const word w1 = w_is_1.if_set_return(m_W[base_addr + 0 * elem_size + j]); 146| 55.0k| const word w2 = w_is_2.if_set_return(m_W[base_addr + 1 * elem_size + j]); 147| 55.0k| const word w3 = w_is_3.if_set_return(m_W[base_addr + 2 * elem_size + j]); 148| 55.0k| const word w4 = w_is_4.if_set_return(m_W[base_addr + 3 * elem_size + j]); 149| 55.0k| const word w5 = w_is_5.if_set_return(m_W[base_addr + 4 * elem_size + j]); 150| 55.0k| const word w6 = w_is_6.if_set_return(m_W[base_addr + 5 * elem_size + j]); 151| 55.0k| const word w7 = w_is_7.if_set_return(m_W[base_addr + 6 * elem_size + j]); 152| | 153| 55.0k| Wt[j] = w1 | w2 | w3 | w4 | w5 | w6 | w7; 154| 55.0k| } 155| | 156| 7.14k| R.add_affine(Wt.data(), m_p_words, &Wt[m_p_words], m_p_words, ws); 157| | 158| 7.14k| if(i == 0 && rng.is_seeded()) { ------------------ | Branch (158:10): [True: 99, False: 7.04k] | Branch (158:20): [True: 0, False: 99] ------------------ 159| | /* 160| | * Since we start with the top bit of the exponent we know the 161| | * first window must have a non-zero element, and thus R is 162| | * now a point other than the point at infinity. 163| | */ 164| 0| BOTAN_DEBUG_ASSERT(w != 0); ------------------ | | 130| 0| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 0| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 0] | | ------------------ ------------------ 165| 0| R.randomize_repr(rng, ws[0].get_word_vector()); 166| 0| } 167| 7.14k| } 168| | 169| 99| BOTAN_DEBUG_ASSERT(R.on_the_curve()); ------------------ | | 130| 99| do { /* NOLINT(*-avoid-do-while) */ \ | | 131| 99| } while(0) | | ------------------ | | | Branch (131:15): [Folded, False: 99] | | ------------------ ------------------ 170| | 171| 99| return R; 172| 99|} point_mul.cpp:_ZN5Botan12_GLOBAL__N_113blinding_sizeEm: 20| 736|size_t blinding_size(size_t order_bits) { 21| 736| return (order_bits + 1) / 2; 22| 736|} _ZN5Botan17EC_PublicKey_DataC2ENS_8EC_GroupENS_14EC_AffinePointE: 15| 1.97k| m_group(std::move(group)), m_point(std::move(pt)) { 16| 1.97k|#if defined(BOTAN_HAS_LEGACY_EC_POINT) 17| 1.97k| m_legacy_point = m_point.to_legacy_point(); 18| 1.97k|#endif 19| | 20| | // Checking that the point lies on the curve is done in the deserialization 21| | // of EC_AffinePoint. 22| 1.97k| BOTAN_ARG_CHECK(!m_point.is_identity(), "ECC public key cannot be point at infinity"); ------------------ | | 35| 1.97k| do { \ | | 36| 1.97k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 1.97k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 1.97k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 1.97k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 1.97k] | | ------------------ ------------------ 23| 1.97k|} _ZN5Botan18EC_PrivateKey_DataC2ENS_8EC_GroupENS_9EC_ScalarE: 26| 2.95k| m_group(std::move(group)), m_scalar(std::move(x)), m_legacy_x(m_scalar.to_bigint()) { 27| | // Checking that the scalar is lower than the group order is ensured in the 28| | // deserialization of the EC_Scalar or during the random generation respectively. 29| 2.95k| BOTAN_ARG_CHECK(m_scalar.is_nonzero(), "ECC private key cannot be zero"); ------------------ | | 35| 2.95k| do { \ | | 36| 2.95k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 2.95k| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 2.95k] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 2.95k| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 2.95k] | | ------------------ ------------------ 30| 2.95k|} _ZN5Botan18EC_PrivateKey_DataC2ERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 62| 2.98k| Botan::EC_PrivateKey_Data(group, decode_ec_secret_key_scalar(group, bytes)) {} _ZN5Botan18EC_PrivateKey_DataD2Ev: 64| 2.95k|EC_PrivateKey_Data::~EC_PrivateKey_Data() { 65| 2.95k| m_scalar.zeroize(); 66| 2.95k|} _ZNK5Botan18EC_PrivateKey_Data10public_keyERNS_21RandomNumberGeneratorEb: 69| 1.97k| bool with_modular_inverse) const { 70| 1.97k| auto public_point = [&] { 71| 1.97k| if(with_modular_inverse) { 72| 1.97k| return EC_AffinePoint::g_mul(m_scalar.invert(), rng); 73| 1.97k| } else { 74| 1.97k| return EC_AffinePoint::g_mul(m_scalar, rng); 75| 1.97k| } 76| 1.97k| }; 77| | 78| 1.97k| return std::make_shared(m_group, public_point()); 79| 1.97k|} _ZNK5Botan18EC_PrivateKey_Data10public_keyEb: 81| 1.97k|std::shared_ptr EC_PrivateKey_Data::public_key(bool with_modular_inverse) const { 82| 1.97k| Null_RNG null_rng; 83| 1.97k| return this->public_key(null_rng, with_modular_inverse); 84| 1.97k|} ec_key_data.cpp:_ZN5Botan12_GLOBAL__N_127decode_ec_secret_key_scalarERKNS_8EC_GroupENSt3__14spanIKhLm18446744073709551615EEE: 34| 5.43k|EC_Scalar decode_ec_secret_key_scalar(const EC_Group& group, std::span bytes) { 35| 5.43k| const size_t order_bytes = group.get_order_bytes(); 36| | 37| 5.43k| if(bytes.size() < order_bytes) { ------------------ | Branch (37:7): [True: 2.44k, False: 2.98k] ------------------ 38| | /* 39| | * Older versions had a bug which caused secret keys to not be encoded to 40| | * the full byte length of the order if there were leading zero bytes. This 41| | * was particularly a problem for P-521, where on average half of keys do 42| | * not have their high bit set and so can be encoded in 65 bytes, vs 66 43| | * bytes for the full order. 44| | * 45| | * To accommodate this, zero prefix the key if we see such a short input 46| | */ 47| 2.44k| secure_vector padded_sk(order_bytes); 48| 2.44k| copy_mem(std::span{padded_sk}.last(bytes.size()), bytes); 49| 2.44k| return decode_ec_secret_key_scalar(group, padded_sk); 50| 2.44k| } 51| | 52| 2.98k| if(auto s = EC_Scalar::deserialize(group, bytes)) { ------------------ | Branch (52:12): [True: 2.95k, False: 26] ------------------ 53| 2.95k| return s.value(); 54| 2.95k| } else { 55| 26| throw Decoding_Error("EC private key is invalid for this group"); 56| 26| } 57| 2.98k|} ec_key_data.cpp:_ZZNK5Botan18EC_PrivateKey_Data10public_keyERNS_21RandomNumberGeneratorEbENK3$_0clEv: 70| 1.97k| auto public_point = [&] { 71| 1.97k| if(with_modular_inverse) { ------------------ | Branch (71:10): [True: 0, False: 1.97k] ------------------ 72| 0| return EC_AffinePoint::g_mul(m_scalar.invert(), rng); 73| 1.97k| } else { 74| 1.97k| return EC_AffinePoint::g_mul(m_scalar, rng); 75| 1.97k| } 76| 1.97k| }; _ZNK5Botan12EC_PublicKey6domainEv: 64| 1.97k|const EC_Group& EC_PublicKey::domain() const { 65| 1.97k| BOTAN_STATE_CHECK(m_public_key != nullptr); ------------------ | | 51| 1.97k| do { \ | | 52| 1.97k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 1.97k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 1.97k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 1.97k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 1.97k] | | ------------------ ------------------ 66| 1.97k| return m_public_key->group(); 67| 1.97k|} _ZN5Botan13EC_PrivateKeyC2ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEEb: 179| 4.24k| m_with_modular_inverse(with_modular_inverse) { 180| 4.24k| const EC_Group group(alg_id.parameters()); 181| | 182| 4.24k| OID key_parameters; 183| 4.24k| secure_vector private_key_bits; 184| 4.24k| secure_vector public_key_bits; 185| | 186| 4.24k| BER_Decoder(key_bits, BER_Decoder::Limits::DER()) 187| 4.24k| .start_sequence() 188| 4.24k| .decode_and_check(1, "Unknown version code for ECC key") 189| 4.24k| .decode(private_key_bits, ASN1_Type::OctetString) 190| 4.24k| .decode_optional(key_parameters, ASN1_Type(0), ASN1_Class::ExplicitContextSpecific) 191| 4.24k| .decode_optional_string(public_key_bits, ASN1_Type::BitString, 1, ASN1_Class::ExplicitContextSpecific) 192| 4.24k| .end_cons() 193| 4.24k| .verify_end(); 194| | 195| 4.24k| m_private_key = std::make_shared(group, private_key_bits); 196| | 197| 4.24k| if(public_key_bits.empty()) { ------------------ | Branch (197:7): [True: 1.97k, False: 2.27k] ------------------ 198| 1.97k| m_public_key = m_private_key->public_key(with_modular_inverse); 199| 2.27k| } else { 200| 2.27k| m_public_key = std::make_shared(group, public_key_bits); 201| 2.27k| } 202| | 203| 4.24k| m_domain_encoding = default_encoding_for(domain()); 204| 4.24k|} ecc_key.cpp:_ZN5Botan12_GLOBAL__N_120default_encoding_forERKNS_8EC_GroupE: 36| 1.97k|EC_Group_Encoding default_encoding_for(const EC_Group& group) { 37| 1.97k| if(group.get_curve_oid().empty()) { ------------------ | Branch (37:7): [True: 19, False: 1.95k] ------------------ 38| 19| return EC_Group_Encoding::Explicit; 39| 1.95k| } else { 40| 1.95k| return EC_Group_Encoding::NamedCurve; 41| 1.95k| } 42| 1.97k|} _ZN5Botan19ed25519_gen_keypairEPhS0_PKh: 19| 2|void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32]) { 20| 2| uint8_t az[64]; 21| | 22| 2| auto sha512 = HashFunction::create_or_throw("SHA-512"); 23| 2| sha512->update(seed, 32); 24| 2| sha512->final(az); 25| 2| az[0] &= 248; 26| 2| az[31] &= 63; 27| 2| az[31] |= 64; 28| | 29| 2| ed25519_basepoint_mul(std::span{pk, 32}, az); 30| | 31| 2| copy_mem(sk, seed, 32); 32| 2| copy_mem(sk + 32, pk, 32); 33| 2|} _ZNK5Botan20Ed25519_FieldElement6invertEv: 18| 2|Ed25519_FieldElement Ed25519_FieldElement::invert() const { 19| 2| auto t0 = this->sqr(); 20| 2| auto t1 = t0.sqr_iter(2); 21| 2| t1 = *this * t1; 22| 2| t0 = t0 * t1; 23| 2| auto t2 = t0.sqr(); 24| 2| t1 = t1 * t2; 25| 2| t2 = t1.sqr_iter(5); 26| 2| t1 = t2 * t1; 27| 2| t2 = t1.sqr_iter(10); 28| 2| t2 = t2 * t1; 29| 2| auto t3 = t2.sqr_iter(20); 30| 2| t2 = t3 * t2; 31| 2| t2 = t2.sqr_iter(10); 32| 2| t1 = t2 * t1; 33| 2| t2 = t1.sqr_iter(50); 34| 2| t2 = t2 * t1; 35| 2| t3 = t2.sqr_iter(100); 36| 2| t2 = t3 * t2; 37| 2| t2 = t2.sqr_iter(50); 38| 2| t1 = t2 * t1; 39| 2| t1 = t1.sqr_iter(5); 40| | 41| 2| t0 = t1 * t0; 42| 2| return t0; 43| 2|} _ZN5Botan20Ed25519_FieldElement3mulERKS0_S2_: 105| 948|Ed25519_FieldElement Ed25519_FieldElement::mul(const Ed25519_FieldElement& f, const Ed25519_FieldElement& g) { 106| 948| const int32_t f0 = f.m_fe[0]; 107| 948| const int32_t f1 = f.m_fe[1]; 108| 948| const int32_t f2 = f.m_fe[2]; 109| 948| const int32_t f3 = f.m_fe[3]; 110| 948| const int32_t f4 = f.m_fe[4]; 111| 948| const int32_t f5 = f.m_fe[5]; 112| 948| const int32_t f6 = f.m_fe[6]; 113| 948| const int32_t f7 = f.m_fe[7]; 114| 948| const int32_t f8 = f.m_fe[8]; 115| 948| const int32_t f9 = f.m_fe[9]; 116| | 117| 948| const int32_t g0 = g.m_fe[0]; 118| 948| const int32_t g1 = g.m_fe[1]; 119| 948| const int32_t g2 = g.m_fe[2]; 120| 948| const int32_t g3 = g.m_fe[3]; 121| 948| const int32_t g4 = g.m_fe[4]; 122| 948| const int32_t g5 = g.m_fe[5]; 123| 948| const int32_t g6 = g.m_fe[6]; 124| 948| const int32_t g7 = g.m_fe[7]; 125| 948| const int32_t g8 = g.m_fe[8]; 126| 948| const int32_t g9 = g.m_fe[9]; 127| | 128| 948| const int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ 129| 948| const int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ 130| 948| const int32_t g3_19 = 19 * g3; 131| 948| const int32_t g4_19 = 19 * g4; 132| 948| const int32_t g5_19 = 19 * g5; 133| 948| const int32_t g6_19 = 19 * g6; 134| 948| const int32_t g7_19 = 19 * g7; 135| 948| const int32_t g8_19 = 19 * g8; 136| 948| const int32_t g9_19 = 19 * g9; 137| 948| const int32_t f1_2 = 2 * f1; 138| 948| const int32_t f3_2 = 2 * f3; 139| 948| const int32_t f5_2 = 2 * f5; 140| 948| const int32_t f7_2 = 2 * f7; 141| 948| const int32_t f9_2 = 2 * f9; 142| | 143| 948| const int64_t f0g0 = f0 * static_cast(g0); 144| 948| const int64_t f0g1 = f0 * static_cast(g1); 145| 948| const int64_t f0g2 = f0 * static_cast(g2); 146| 948| const int64_t f0g3 = f0 * static_cast(g3); 147| 948| const int64_t f0g4 = f0 * static_cast(g4); 148| 948| const int64_t f0g5 = f0 * static_cast(g5); 149| 948| const int64_t f0g6 = f0 * static_cast(g6); 150| 948| const int64_t f0g7 = f0 * static_cast(g7); 151| 948| const int64_t f0g8 = f0 * static_cast(g8); 152| 948| const int64_t f0g9 = f0 * static_cast(g9); 153| 948| const int64_t f1g0 = f1 * static_cast(g0); 154| 948| const int64_t f1g1_2 = f1_2 * static_cast(g1); 155| 948| const int64_t f1g2 = f1 * static_cast(g2); 156| 948| const int64_t f1g3_2 = f1_2 * static_cast(g3); 157| 948| const int64_t f1g4 = f1 * static_cast(g4); 158| 948| const int64_t f1g5_2 = f1_2 * static_cast(g5); 159| 948| const int64_t f1g6 = f1 * static_cast(g6); 160| 948| const int64_t f1g7_2 = f1_2 * static_cast(g7); 161| 948| const int64_t f1g8 = f1 * static_cast(g8); 162| 948| const int64_t f1g9_38 = f1_2 * static_cast(g9_19); 163| 948| const int64_t f2g0 = f2 * static_cast(g0); 164| 948| const int64_t f2g1 = f2 * static_cast(g1); 165| 948| const int64_t f2g2 = f2 * static_cast(g2); 166| 948| const int64_t f2g3 = f2 * static_cast(g3); 167| 948| const int64_t f2g4 = f2 * static_cast(g4); 168| 948| const int64_t f2g5 = f2 * static_cast(g5); 169| 948| const int64_t f2g6 = f2 * static_cast(g6); 170| 948| const int64_t f2g7 = f2 * static_cast(g7); 171| 948| const int64_t f2g8_19 = f2 * static_cast(g8_19); 172| 948| const int64_t f2g9_19 = f2 * static_cast(g9_19); 173| 948| const int64_t f3g0 = f3 * static_cast(g0); 174| 948| const int64_t f3g1_2 = f3_2 * static_cast(g1); 175| 948| const int64_t f3g2 = f3 * static_cast(g2); 176| 948| const int64_t f3g3_2 = f3_2 * static_cast(g3); 177| 948| const int64_t f3g4 = f3 * static_cast(g4); 178| 948| const int64_t f3g5_2 = f3_2 * static_cast(g5); 179| 948| const int64_t f3g6 = f3 * static_cast(g6); 180| 948| const int64_t f3g7_38 = f3_2 * static_cast(g7_19); 181| 948| const int64_t f3g8_19 = f3 * static_cast(g8_19); 182| 948| const int64_t f3g9_38 = f3_2 * static_cast(g9_19); 183| 948| const int64_t f4g0 = f4 * static_cast(g0); 184| 948| const int64_t f4g1 = f4 * static_cast(g1); 185| 948| const int64_t f4g2 = f4 * static_cast(g2); 186| 948| const int64_t f4g3 = f4 * static_cast(g3); 187| 948| const int64_t f4g4 = f4 * static_cast(g4); 188| 948| const int64_t f4g5 = f4 * static_cast(g5); 189| 948| const int64_t f4g6_19 = f4 * static_cast(g6_19); 190| 948| const int64_t f4g7_19 = f4 * static_cast(g7_19); 191| 948| const int64_t f4g8_19 = f4 * static_cast(g8_19); 192| 948| const int64_t f4g9_19 = f4 * static_cast(g9_19); 193| 948| const int64_t f5g0 = f5 * static_cast(g0); 194| 948| const int64_t f5g1_2 = f5_2 * static_cast(g1); 195| 948| const int64_t f5g2 = f5 * static_cast(g2); 196| 948| const int64_t f5g3_2 = f5_2 * static_cast(g3); 197| 948| const int64_t f5g4 = f5 * static_cast(g4); 198| 948| const int64_t f5g5_38 = f5_2 * static_cast(g5_19); 199| 948| const int64_t f5g6_19 = f5 * static_cast(g6_19); 200| 948| const int64_t f5g7_38 = f5_2 * static_cast(g7_19); 201| 948| const int64_t f5g8_19 = f5 * static_cast(g8_19); 202| 948| const int64_t f5g9_38 = f5_2 * static_cast(g9_19); 203| 948| const int64_t f6g0 = f6 * static_cast(g0); 204| 948| const int64_t f6g1 = f6 * static_cast(g1); 205| 948| const int64_t f6g2 = f6 * static_cast(g2); 206| 948| const int64_t f6g3 = f6 * static_cast(g3); 207| 948| const int64_t f6g4_19 = f6 * static_cast(g4_19); 208| 948| const int64_t f6g5_19 = f6 * static_cast(g5_19); 209| 948| const int64_t f6g6_19 = f6 * static_cast(g6_19); 210| 948| const int64_t f6g7_19 = f6 * static_cast(g7_19); 211| 948| const int64_t f6g8_19 = f6 * static_cast(g8_19); 212| 948| const int64_t f6g9_19 = f6 * static_cast(g9_19); 213| 948| const int64_t f7g0 = f7 * static_cast(g0); 214| 948| const int64_t f7g1_2 = f7_2 * static_cast(g1); 215| 948| const int64_t f7g2 = f7 * static_cast(g2); 216| 948| const int64_t f7g3_38 = f7_2 * static_cast(g3_19); 217| 948| const int64_t f7g4_19 = f7 * static_cast(g4_19); 218| 948| const int64_t f7g5_38 = f7_2 * static_cast(g5_19); 219| 948| const int64_t f7g6_19 = f7 * static_cast(g6_19); 220| 948| const int64_t f7g7_38 = f7_2 * static_cast(g7_19); 221| 948| const int64_t f7g8_19 = f7 * static_cast(g8_19); 222| 948| const int64_t f7g9_38 = f7_2 * static_cast(g9_19); 223| 948| const int64_t f8g0 = f8 * static_cast(g0); 224| 948| const int64_t f8g1 = f8 * static_cast(g1); 225| 948| const int64_t f8g2_19 = f8 * static_cast(g2_19); 226| 948| const int64_t f8g3_19 = f8 * static_cast(g3_19); 227| 948| const int64_t f8g4_19 = f8 * static_cast(g4_19); 228| 948| const int64_t f8g5_19 = f8 * static_cast(g5_19); 229| 948| const int64_t f8g6_19 = f8 * static_cast(g6_19); 230| 948| const int64_t f8g7_19 = f8 * static_cast(g7_19); 231| 948| const int64_t f8g8_19 = f8 * static_cast(g8_19); 232| 948| const int64_t f8g9_19 = f8 * static_cast(g9_19); 233| 948| const int64_t f9g0 = f9 * static_cast(g0); 234| 948| const int64_t f9g1_38 = f9_2 * static_cast(g1_19); 235| 948| const int64_t f9g2_19 = f9 * static_cast(g2_19); 236| 948| const int64_t f9g3_38 = f9_2 * static_cast(g3_19); 237| 948| const int64_t f9g4_19 = f9 * static_cast(g4_19); 238| 948| const int64_t f9g5_38 = f9_2 * static_cast(g5_19); 239| 948| const int64_t f9g6_19 = f9 * static_cast(g6_19); 240| 948| const int64_t f9g7_38 = f9_2 * static_cast(g7_19); 241| 948| const int64_t f9g8_19 = f9 * static_cast(g8_19); 242| 948| const int64_t f9g9_38 = f9_2 * static_cast(g9_19); 243| | 244| 948| int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38; 245| 948| int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19; 246| 948| int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38; 247| 948| int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19; 248| 948| int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38; 249| 948| int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19; 250| 948| int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38; 251| 948| int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19; 252| 948| int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38; 253| 948| int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0; 254| | 255| | /* 256| | |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) 257| | i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 258| | |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) 259| | i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 260| | */ 261| 948| carry<26>(h0, h1); 262| 948| carry<26>(h4, h5); 263| | 264| | /* |h0| <= 2^25 */ 265| | /* |h4| <= 2^25 */ 266| | /* |h1| <= 1.71*2^59 */ 267| | /* |h5| <= 1.71*2^59 */ 268| | 269| 948| carry<25>(h1, h2); 270| 948| carry<25>(h5, h6); 271| | 272| | /* |h1| <= 2^24; from now on fits into int32 */ 273| | /* |h5| <= 2^24; from now on fits into int32 */ 274| | /* |h2| <= 1.41*2^60 */ 275| | /* |h6| <= 1.41*2^60 */ 276| | 277| 948| carry<26>(h2, h3); 278| 948| carry<26>(h6, h7); 279| | /* |h2| <= 2^25; from now on fits into int32 unchanged */ 280| | /* |h6| <= 2^25; from now on fits into int32 unchanged */ 281| | /* |h3| <= 1.71*2^59 */ 282| | /* |h7| <= 1.71*2^59 */ 283| | 284| 948| carry<25>(h3, h4); 285| 948| carry<25>(h7, h8); 286| | /* |h3| <= 2^24; from now on fits into int32 unchanged */ 287| | /* |h7| <= 2^24; from now on fits into int32 unchanged */ 288| | /* |h4| <= 1.72*2^34 */ 289| | /* |h8| <= 1.41*2^60 */ 290| | 291| 948| carry<26>(h4, h5); 292| 948| carry<26>(h8, h9); 293| | /* |h4| <= 2^25; from now on fits into int32 unchanged */ 294| | /* |h8| <= 2^25; from now on fits into int32 unchanged */ 295| | /* |h5| <= 1.01*2^24 */ 296| | /* |h9| <= 1.71*2^59 */ 297| | 298| 948| carry<25, 19>(h9, h0); 299| | 300| | /* |h9| <= 2^24; from now on fits into int32 unchanged */ 301| | /* |h0| <= 1.1*2^39 */ 302| | 303| 948| carry<26>(h0, h1); 304| | /* |h0| <= 2^25; from now on fits into int32 unchanged */ 305| | /* |h1| <= 1.01*2^24 */ 306| | 307| 948| return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9); 308| 948|} _ZNK5Botan20Ed25519_FieldElement8sqr_iterEm: 326| 46|Ed25519_FieldElement Ed25519_FieldElement::sqr_iter(size_t iter) const { 327| 46| int32_t f0 = m_fe[0]; 328| 46| int32_t f1 = m_fe[1]; 329| 46| int32_t f2 = m_fe[2]; 330| 46| int32_t f3 = m_fe[3]; 331| 46| int32_t f4 = m_fe[4]; 332| 46| int32_t f5 = m_fe[5]; 333| 46| int32_t f6 = m_fe[6]; 334| 46| int32_t f7 = m_fe[7]; 335| 46| int32_t f8 = m_fe[8]; 336| 46| int32_t f9 = m_fe[9]; 337| | 338| 578| for(size_t i = 0; i != iter; ++i) { ------------------ | Branch (338:22): [True: 532, False: 46] ------------------ 339| 532| const int32_t f0_2 = 2 * f0; 340| 532| const int32_t f1_2 = 2 * f1; 341| 532| const int32_t f2_2 = 2 * f2; 342| 532| const int32_t f3_2 = 2 * f3; 343| 532| const int32_t f4_2 = 2 * f4; 344| 532| const int32_t f5_2 = 2 * f5; 345| 532| const int32_t f6_2 = 2 * f6; 346| 532| const int32_t f7_2 = 2 * f7; 347| 532| const int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ 348| 532| const int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ 349| 532| const int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ 350| 532| const int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ 351| 532| const int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ 352| | 353| 532| const int64_t f0f0 = f0 * static_cast(f0); 354| 532| const int64_t f0f1_2 = f0_2 * static_cast(f1); 355| 532| const int64_t f0f2_2 = f0_2 * static_cast(f2); 356| 532| const int64_t f0f3_2 = f0_2 * static_cast(f3); 357| 532| const int64_t f0f4_2 = f0_2 * static_cast(f4); 358| 532| const int64_t f0f5_2 = f0_2 * static_cast(f5); 359| 532| const int64_t f0f6_2 = f0_2 * static_cast(f6); 360| 532| const int64_t f0f7_2 = f0_2 * static_cast(f7); 361| 532| const int64_t f0f8_2 = f0_2 * static_cast(f8); 362| 532| const int64_t f0f9_2 = f0_2 * static_cast(f9); 363| 532| const int64_t f1f1_2 = f1_2 * static_cast(f1); 364| 532| const int64_t f1f2_2 = f1_2 * static_cast(f2); 365| 532| const int64_t f1f3_4 = f1_2 * static_cast(f3_2); 366| 532| const int64_t f1f4_2 = f1_2 * static_cast(f4); 367| 532| const int64_t f1f5_4 = f1_2 * static_cast(f5_2); 368| 532| const int64_t f1f6_2 = f1_2 * static_cast(f6); 369| 532| const int64_t f1f7_4 = f1_2 * static_cast(f7_2); 370| 532| const int64_t f1f8_2 = f1_2 * static_cast(f8); 371| 532| const int64_t f1f9_76 = f1_2 * static_cast(f9_38); 372| 532| const int64_t f2f2 = f2 * static_cast(f2); 373| 532| const int64_t f2f3_2 = f2_2 * static_cast(f3); 374| 532| const int64_t f2f4_2 = f2_2 * static_cast(f4); 375| 532| const int64_t f2f5_2 = f2_2 * static_cast(f5); 376| 532| const int64_t f2f6_2 = f2_2 * static_cast(f6); 377| 532| const int64_t f2f7_2 = f2_2 * static_cast(f7); 378| 532| const int64_t f2f8_38 = f2_2 * static_cast(f8_19); 379| 532| const int64_t f2f9_38 = f2 * static_cast(f9_38); 380| 532| const int64_t f3f3_2 = f3_2 * static_cast(f3); 381| 532| const int64_t f3f4_2 = f3_2 * static_cast(f4); 382| 532| const int64_t f3f5_4 = f3_2 * static_cast(f5_2); 383| 532| const int64_t f3f6_2 = f3_2 * static_cast(f6); 384| 532| const int64_t f3f7_76 = f3_2 * static_cast(f7_38); 385| 532| const int64_t f3f8_38 = f3_2 * static_cast(f8_19); 386| 532| const int64_t f3f9_76 = f3_2 * static_cast(f9_38); 387| 532| const int64_t f4f4 = f4 * static_cast(f4); 388| 532| const int64_t f4f5_2 = f4_2 * static_cast(f5); 389| 532| const int64_t f4f6_38 = f4_2 * static_cast(f6_19); 390| 532| const int64_t f4f7_38 = f4 * static_cast(f7_38); 391| 532| const int64_t f4f8_38 = f4_2 * static_cast(f8_19); 392| 532| const int64_t f4f9_38 = f4 * static_cast(f9_38); 393| 532| const int64_t f5f5_38 = f5 * static_cast(f5_38); 394| 532| const int64_t f5f6_38 = f5_2 * static_cast(f6_19); 395| 532| const int64_t f5f7_76 = f5_2 * static_cast(f7_38); 396| 532| const int64_t f5f8_38 = f5_2 * static_cast(f8_19); 397| 532| const int64_t f5f9_76 = f5_2 * static_cast(f9_38); 398| 532| const int64_t f6f6_19 = f6 * static_cast(f6_19); 399| 532| const int64_t f6f7_38 = f6 * static_cast(f7_38); 400| 532| const int64_t f6f8_38 = f6_2 * static_cast(f8_19); 401| 532| const int64_t f6f9_38 = f6 * static_cast(f9_38); 402| 532| const int64_t f7f7_38 = f7 * static_cast(f7_38); 403| 532| const int64_t f7f8_38 = f7_2 * static_cast(f8_19); 404| 532| const int64_t f7f9_76 = f7_2 * static_cast(f9_38); 405| 532| const int64_t f8f8_19 = f8 * static_cast(f8_19); 406| 532| const int64_t f8f9_38 = f8 * static_cast(f9_38); 407| 532| const int64_t f9f9_38 = f9 * static_cast(f9_38); 408| | 409| 532| int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; 410| 532| int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; 411| 532| int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; 412| 532| int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; 413| 532| int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; 414| 532| int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; 415| 532| int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; 416| 532| int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; 417| 532| int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; 418| 532| int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; 419| | 420| 532| carry<26>(h0, h1); 421| 532| carry<26>(h4, h5); 422| 532| carry<25>(h1, h2); 423| 532| carry<25>(h5, h6); 424| 532| carry<26>(h2, h3); 425| 532| carry<26>(h6, h7); 426| | 427| 532| carry<25>(h3, h4); 428| 532| carry<25>(h7, h8); 429| | 430| 532| carry<26>(h4, h5); 431| 532| carry<26>(h8, h9); 432| 532| carry<25, 19>(h9, h0); 433| 532| carry<26>(h0, h1); 434| | 435| 532| f0 = static_cast(h0); 436| 532| f1 = static_cast(h1); 437| 532| f2 = static_cast(h2); 438| 532| f3 = static_cast(h3); 439| 532| f4 = static_cast(h4); 440| 532| f5 = static_cast(h5); 441| 532| f6 = static_cast(h6); 442| 532| f7 = static_cast(h7); 443| 532| f8 = static_cast(h8); 444| 532| f9 = static_cast(h9); 445| 532| } 446| | 447| 46| return Ed25519_FieldElement(f0, f1, f2, f3, f4, f5, f6, f7, f8, f9); 448| 46|} _ZNK5Botan20Ed25519_FieldElement4sqr2Ev: 466| 8|Ed25519_FieldElement Ed25519_FieldElement::sqr2() const { 467| 8| const int32_t f0 = m_fe[0]; 468| 8| const int32_t f1 = m_fe[1]; 469| 8| const int32_t f2 = m_fe[2]; 470| 8| const int32_t f3 = m_fe[3]; 471| 8| const int32_t f4 = m_fe[4]; 472| 8| const int32_t f5 = m_fe[5]; 473| 8| const int32_t f6 = m_fe[6]; 474| 8| const int32_t f7 = m_fe[7]; 475| 8| const int32_t f8 = m_fe[8]; 476| 8| const int32_t f9 = m_fe[9]; 477| | 478| 8| const int32_t f0_2 = 2 * f0; 479| 8| const int32_t f1_2 = 2 * f1; 480| 8| const int32_t f2_2 = 2 * f2; 481| 8| const int32_t f3_2 = 2 * f3; 482| 8| const int32_t f4_2 = 2 * f4; 483| 8| const int32_t f5_2 = 2 * f5; 484| 8| const int32_t f6_2 = 2 * f6; 485| 8| const int32_t f7_2 = 2 * f7; 486| 8| const int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ 487| 8| const int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ 488| 8| const int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ 489| 8| const int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ 490| 8| const int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ 491| 8| const int64_t f0f0 = f0 * static_cast(f0); 492| 8| const int64_t f0f1_2 = f0_2 * static_cast(f1); 493| 8| const int64_t f0f2_2 = f0_2 * static_cast(f2); 494| 8| const int64_t f0f3_2 = f0_2 * static_cast(f3); 495| 8| const int64_t f0f4_2 = f0_2 * static_cast(f4); 496| 8| const int64_t f0f5_2 = f0_2 * static_cast(f5); 497| 8| const int64_t f0f6_2 = f0_2 * static_cast(f6); 498| 8| const int64_t f0f7_2 = f0_2 * static_cast(f7); 499| 8| const int64_t f0f8_2 = f0_2 * static_cast(f8); 500| 8| const int64_t f0f9_2 = f0_2 * static_cast(f9); 501| 8| const int64_t f1f1_2 = f1_2 * static_cast(f1); 502| 8| const int64_t f1f2_2 = f1_2 * static_cast(f2); 503| 8| const int64_t f1f3_4 = f1_2 * static_cast(f3_2); 504| 8| const int64_t f1f4_2 = f1_2 * static_cast(f4); 505| 8| const int64_t f1f5_4 = f1_2 * static_cast(f5_2); 506| 8| const int64_t f1f6_2 = f1_2 * static_cast(f6); 507| 8| const int64_t f1f7_4 = f1_2 * static_cast(f7_2); 508| 8| const int64_t f1f8_2 = f1_2 * static_cast(f8); 509| 8| const int64_t f1f9_76 = f1_2 * static_cast(f9_38); 510| 8| const int64_t f2f2 = f2 * static_cast(f2); 511| 8| const int64_t f2f3_2 = f2_2 * static_cast(f3); 512| 8| const int64_t f2f4_2 = f2_2 * static_cast(f4); 513| 8| const int64_t f2f5_2 = f2_2 * static_cast(f5); 514| 8| const int64_t f2f6_2 = f2_2 * static_cast(f6); 515| 8| const int64_t f2f7_2 = f2_2 * static_cast(f7); 516| 8| const int64_t f2f8_38 = f2_2 * static_cast(f8_19); 517| 8| const int64_t f2f9_38 = f2 * static_cast(f9_38); 518| 8| const int64_t f3f3_2 = f3_2 * static_cast(f3); 519| 8| const int64_t f3f4_2 = f3_2 * static_cast(f4); 520| 8| const int64_t f3f5_4 = f3_2 * static_cast(f5_2); 521| 8| const int64_t f3f6_2 = f3_2 * static_cast(f6); 522| 8| const int64_t f3f7_76 = f3_2 * static_cast(f7_38); 523| 8| const int64_t f3f8_38 = f3_2 * static_cast(f8_19); 524| 8| const int64_t f3f9_76 = f3_2 * static_cast(f9_38); 525| 8| const int64_t f4f4 = f4 * static_cast(f4); 526| 8| const int64_t f4f5_2 = f4_2 * static_cast(f5); 527| 8| const int64_t f4f6_38 = f4_2 * static_cast(f6_19); 528| 8| const int64_t f4f7_38 = f4 * static_cast(f7_38); 529| 8| const int64_t f4f8_38 = f4_2 * static_cast(f8_19); 530| 8| const int64_t f4f9_38 = f4 * static_cast(f9_38); 531| 8| const int64_t f5f5_38 = f5 * static_cast(f5_38); 532| 8| const int64_t f5f6_38 = f5_2 * static_cast(f6_19); 533| 8| const int64_t f5f7_76 = f5_2 * static_cast(f7_38); 534| 8| const int64_t f5f8_38 = f5_2 * static_cast(f8_19); 535| 8| const int64_t f5f9_76 = f5_2 * static_cast(f9_38); 536| 8| const int64_t f6f6_19 = f6 * static_cast(f6_19); 537| 8| const int64_t f6f7_38 = f6 * static_cast(f7_38); 538| 8| const int64_t f6f8_38 = f6_2 * static_cast(f8_19); 539| 8| const int64_t f6f9_38 = f6 * static_cast(f9_38); 540| 8| const int64_t f7f7_38 = f7 * static_cast(f7_38); 541| 8| const int64_t f7f8_38 = f7_2 * static_cast(f8_19); 542| 8| const int64_t f7f9_76 = f7_2 * static_cast(f9_38); 543| 8| const int64_t f8f8_19 = f8 * static_cast(f8_19); 544| 8| const int64_t f8f9_38 = f8 * static_cast(f9_38); 545| 8| const int64_t f9f9_38 = f9 * static_cast(f9_38); 546| | 547| 8| int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; 548| 8| int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; 549| 8| int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; 550| 8| int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; 551| 8| int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; 552| 8| int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; 553| 8| int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; 554| 8| int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; 555| 8| int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; 556| 8| int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; 557| | 558| 8| h0 += h0; 559| 8| h1 += h1; 560| 8| h2 += h2; 561| 8| h3 += h3; 562| 8| h4 += h4; 563| 8| h5 += h5; 564| 8| h6 += h6; 565| 8| h7 += h7; 566| 8| h8 += h8; 567| 8| h9 += h9; 568| | 569| 8| carry<26>(h0, h1); 570| 8| carry<26>(h4, h5); 571| | 572| 8| carry<25>(h1, h2); 573| 8| carry<25>(h5, h6); 574| | 575| 8| carry<26>(h2, h3); 576| 8| carry<26>(h6, h7); 577| | 578| 8| carry<25>(h3, h4); 579| 8| carry<25>(h7, h8); 580| 8| carry<26>(h4, h5); 581| 8| carry<26>(h8, h9); 582| 8| carry<25, 19>(h9, h0); 583| 8| carry<26>(h0, h1); 584| | 585| 8| return Ed25519_FieldElement(h0, h1, h2, h3, h4, h5, h6, h7, h8, h9); 586| 8|} _ZNK5Botan20Ed25519_FieldElement12serialize_toENSt3__14spanIhLm32EEE: 643| 4|void Ed25519_FieldElement::serialize_to(std::span s) const { 644| 4| const int32_t X25 = (1 << 25); 645| | 646| 4| int32_t h0 = m_fe[0]; 647| 4| int32_t h1 = m_fe[1]; 648| 4| int32_t h2 = m_fe[2]; 649| 4| int32_t h3 = m_fe[3]; 650| 4| int32_t h4 = m_fe[4]; 651| 4| int32_t h5 = m_fe[5]; 652| 4| int32_t h6 = m_fe[6]; 653| 4| int32_t h7 = m_fe[7]; 654| 4| int32_t h8 = m_fe[8]; 655| 4| int32_t h9 = m_fe[9]; 656| | 657| 4| int32_t q = (19 * h9 + ((static_cast(1) << 24))) >> 25; 658| 4| q = (h0 + q) >> 26; 659| 4| q = (h1 + q) >> 25; 660| 4| q = (h2 + q) >> 26; 661| 4| q = (h3 + q) >> 25; 662| 4| q = (h4 + q) >> 26; 663| 4| q = (h5 + q) >> 25; 664| 4| q = (h6 + q) >> 26; 665| 4| q = (h7 + q) >> 25; 666| 4| q = (h8 + q) >> 26; 667| 4| q = (h9 + q) >> 25; 668| | 669| | /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ 670| 4| h0 += 19 * q; 671| | /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ 672| | 673| 4| carry0<26>(h0, h1); 674| 4| carry0<25>(h1, h2); 675| 4| carry0<26>(h2, h3); 676| 4| carry0<25>(h3, h4); 677| 4| carry0<26>(h4, h5); 678| 4| carry0<25>(h5, h6); 679| 4| carry0<26>(h6, h7); 680| 4| carry0<25>(h7, h8); 681| 4| carry0<26>(h8, h9); 682| | 683| 4| const int32_t carry9 = h9 >> 25; 684| 4| h9 -= carry9 * X25; 685| | /* h10 = carry9 */ 686| | 687| | /* 688| | Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. 689| | Have h0+...+2^230 h9 between 0 and 2^255-1; 690| | evidently 2^255 h10-2^255 q = 0. 691| | Goal: Output h0+...+2^230 h9. 692| | */ 693| | 694| 4| s[0] = static_cast(h0 >> 0); 695| 4| s[1] = static_cast(h0 >> 8); 696| 4| s[2] = static_cast(h0 >> 16); 697| 4| s[3] = static_cast((h0 >> 24) | (h1 << 2)); 698| 4| s[4] = static_cast(h1 >> 6); 699| 4| s[5] = static_cast(h1 >> 14); 700| 4| s[6] = static_cast((h1 >> 22) | (h2 << 3)); 701| 4| s[7] = static_cast(h2 >> 5); 702| 4| s[8] = static_cast(h2 >> 13); 703| 4| s[9] = static_cast((h2 >> 21) | (h3 << 5)); 704| 4| s[10] = static_cast(h3 >> 3); 705| 4| s[11] = static_cast(h3 >> 11); 706| 4| s[12] = static_cast((h3 >> 19) | (h4 << 6)); 707| 4| s[13] = static_cast(h4 >> 2); 708| 4| s[14] = static_cast(h4 >> 10); 709| 4| s[15] = static_cast(h4 >> 18); 710| 4| s[16] = static_cast(h5 >> 0); 711| 4| s[17] = static_cast(h5 >> 8); 712| 4| s[18] = static_cast(h5 >> 16); 713| 4| s[19] = static_cast((h5 >> 24) | (h6 << 1)); 714| 4| s[20] = static_cast(h6 >> 7); 715| 4| s[21] = static_cast(h6 >> 15); 716| 4| s[22] = static_cast((h6 >> 23) | (h7 << 3)); 717| 4| s[23] = static_cast(h7 >> 5); 718| 4| s[24] = static_cast(h7 >> 13); 719| 4| s[25] = static_cast((h7 >> 21) | (h8 << 4)); 720| 4| s[26] = static_cast(h8 >> 4); 721| 4| s[27] = static_cast(h8 >> 12); 722| 4| s[28] = static_cast((h8 >> 20) | (h9 << 6)); 723| 4| s[29] = static_cast(h9 >> 2); 724| 4| s[30] = static_cast(h9 >> 10); 725| 4| s[31] = static_cast(h9 >> 18); 726| 4|} _ZN5Botan18Ed25519_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 113| 10|Ed25519_PrivateKey::Ed25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 114| 10| secure_vector bits; 115| 10| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(bits, ASN1_Type::OctetString).discard_remaining(); 116| | 117| 10| if(bits.size() != 32) { ------------------ | Branch (117:7): [True: 7, False: 3] ------------------ 118| 7| throw Decoding_Error("Invalid size for Ed25519 private key"); 119| 7| } 120| 3| m_public.resize(32); 121| 3| m_private.resize(64); 122| 3| ed25519_gen_keypair(m_public.data(), m_private.data(), bits.data()); 123| 3|} _ZN5Botan21ed25519_basepoint_mulENSt3__14spanIhLm32EEEPKh: 1863| 2|void ed25519_basepoint_mul(std::span out, const uint8_t a[32]) { 1864| 2| std::array e{}; 1865| | 1866| 2| CT::poison(a, 32); 1867| | 1868| | // each e[i] is between 0 and 15 except e[63] which is between 0 and 7 1869| 66| for(size_t i = 0; i != 32; ++i) { ------------------ | Branch (1869:22): [True: 64, False: 2] ------------------ 1870| 64| e[2 * i + 0] = (a[i] >> 0) & 0x0F; 1871| 64| e[2 * i + 1] = (a[i] >> 4) & 0x0F; 1872| 64| } 1873| | 1874| 2| int8_t carry = 0; 1875| 128| for(size_t i = 0; i < 63; ++i) { ------------------ | Branch (1875:22): [True: 126, False: 2] ------------------ 1876| 126| e[i] += carry; 1877| 126| carry = e[i] + 8; 1878| 126| carry >>= 4; 1879| 126| e[i] -= carry << 4; 1880| 126| } 1881| 2| e[63] += carry; 1882| | /* each e[i] is between -8 and 8 */ 1883| | 1884| 2| auto h = Ed25519_Point_Extended::identity(); 1885| 66| for(size_t i = 1; i < 64; i += 2) { ------------------ | Branch (1885:22): [True: 64, False: 2] ------------------ 1886| 64| h = Ed25519_Point_Extended::from(h + select(B_precomp[i / 2], e[i])); 1887| 64| } 1888| | 1889| 2| auto s = Ed25519_Point_Projective::from(h.dbl()); 1890| 2| s = Ed25519_Point_Projective::from(s.dbl()); 1891| 2| s = Ed25519_Point_Projective::from(s.dbl()); 1892| 2| h = Ed25519_Point_Extended::from(s.dbl()); 1893| | 1894| 66| for(size_t i = 0; i != 64; i += 2) { ------------------ | Branch (1894:22): [True: 64, False: 2] ------------------ 1895| 64| h = Ed25519_Point_Extended::from(h + select(B_precomp[i / 2], e[i])); 1896| 64| } 1897| | 1898| 2| h.serialize_to(out); 1899| | 1900| 2| CT::unpoison(a, 32); 1901| 2| CT::unpoison(out); 1902| 2|} ge.cpp:_ZN5Botan12_GLOBAL__N_122Ed25519_Point_Extended8identityEv: 109| 2| static constexpr Ed25519_Point_Extended identity() { 110| 2| Ed25519_Point_Extended h; 111| 2| h.X = Ed25519_FieldElement::zero(); 112| 2| h.Y = Ed25519_FieldElement::one(); 113| 2| h.Z = Ed25519_FieldElement::one(); 114| 2| h.T = Ed25519_FieldElement::zero(); 115| 2| return h; 116| 2| } ge.cpp:_ZN5Botan12_GLOBAL__N_122Ed25519_Point_Extended4fromERKNS0_23Ed25519_Point_CompletedE: 129| 130| static Ed25519_Point_Extended from(const Ed25519_Point_Completed& p) { 130| 130| Ed25519_Point_Extended r; 131| 130| r.X = p.X * p.T; 132| 130| r.Y = p.Y * p.Z; 133| 130| r.Z = p.Z * p.T; 134| 130| r.T = p.X * p.Y; 135| 130| return r; 136| 130| } ge.cpp:_ZN5Botan12_GLOBAL__N_1plERKNS0_22Ed25519_Point_ExtendedERKNS0_19Ed25519_Point_NielsE: 220| 128|inline Ed25519_Point_Completed operator+(const Ed25519_Point_Extended& p, const Ed25519_Point_Niels& q) { 221| 128| Ed25519_Point_Completed r; 222| 128| r.X = p.Y + p.X; // YpX1 = Y1+X1 223| 128| r.Y = p.Y - p.X; // YmX1 = Y1-X1 224| 128| r.Z = r.X * q.yplusx; // A = YpX1*ypx2 225| 128| r.Y = r.Y * q.yminusx; // B = YmX1*ymx2 226| 128| r.T = q.xy2d * p.T; // C = xy2d2*T1 227| 128| auto t0 = p.Z + p.Z; // D = 2*Z1 228| 128| r.X = r.Z - r.Y; // X3 = A-B 229| 128| r.Y = r.Z + r.Y; // Y3 = A+B 230| 128| r.Z = t0 + r.T; // Z3 = D+C 231| 128| r.T = t0 - r.T; // T3 = D-C 232| 128| return r; 233| 128|} ge.cpp:_ZN5Botan12_GLOBAL__N_16selectEPKNS0_19Ed25519_Point_NielsEa: 455| 128|Ed25519_Point_Niels select(const Ed25519_Point_Niels base[8], int8_t b) { 456| 128| const uint8_t bnegative = negative(b); 457| 128| const uint8_t babs = b - ((-static_cast(bnegative) & b) * 2); 458| 128| const uint32_t neg_mask = equal32(bnegative, 1); 459| | 460| 128| const uint32_t mask1 = equal32(babs, 1); 461| 128| const uint32_t mask2 = equal32(babs, 2); 462| 128| const uint32_t mask3 = equal32(babs, 3); 463| 128| const uint32_t mask4 = equal32(babs, 4); 464| 128| const uint32_t mask5 = equal32(babs, 5); 465| 128| const uint32_t mask6 = equal32(babs, 6); 466| 128| const uint32_t mask7 = equal32(babs, 7); 467| 128| const uint32_t mask8 = equal32(babs, 8); 468| | 469| 128| auto t = Ed25519_Point_Niels::identity(); 470| | 471| 1.40k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (471:22): [True: 1.28k, False: 128] ------------------ 472| 1.28k| t.yplusx[i] = t.yplusx[i] ^ ((t.yplusx[i] ^ base[0].yplusx[i]) & mask1) ^ 473| 1.28k| ((t.yplusx[i] ^ base[1].yplusx[i]) & mask2) ^ ((t.yplusx[i] ^ base[2].yplusx[i]) & mask3) ^ 474| 1.28k| ((t.yplusx[i] ^ base[3].yplusx[i]) & mask4) ^ ((t.yplusx[i] ^ base[4].yplusx[i]) & mask5) ^ 475| 1.28k| ((t.yplusx[i] ^ base[5].yplusx[i]) & mask6) ^ ((t.yplusx[i] ^ base[6].yplusx[i]) & mask7) ^ 476| 1.28k| ((t.yplusx[i] ^ base[7].yplusx[i]) & mask8); 477| | 478| 1.28k| t.yminusx[i] = t.yminusx[i] ^ ((t.yminusx[i] ^ base[0].yminusx[i]) & mask1) ^ 479| 1.28k| ((t.yminusx[i] ^ base[1].yminusx[i]) & mask2) ^ ((t.yminusx[i] ^ base[2].yminusx[i]) & mask3) ^ 480| 1.28k| ((t.yminusx[i] ^ base[3].yminusx[i]) & mask4) ^ ((t.yminusx[i] ^ base[4].yminusx[i]) & mask5) ^ 481| 1.28k| ((t.yminusx[i] ^ base[5].yminusx[i]) & mask6) ^ ((t.yminusx[i] ^ base[6].yminusx[i]) & mask7) ^ 482| 1.28k| ((t.yminusx[i] ^ base[7].yminusx[i]) & mask8); 483| | 484| 1.28k| t.xy2d[i] = t.xy2d[i] ^ ((t.xy2d[i] ^ base[0].xy2d[i]) & mask1) ^ ((t.xy2d[i] ^ base[1].xy2d[i]) & mask2) ^ 485| 1.28k| ((t.xy2d[i] ^ base[2].xy2d[i]) & mask3) ^ ((t.xy2d[i] ^ base[3].xy2d[i]) & mask4) ^ 486| 1.28k| ((t.xy2d[i] ^ base[4].xy2d[i]) & mask5) ^ ((t.xy2d[i] ^ base[5].xy2d[i]) & mask6) ^ 487| 1.28k| ((t.xy2d[i] ^ base[6].xy2d[i]) & mask7) ^ ((t.xy2d[i] ^ base[7].xy2d[i]) & mask8); 488| 1.28k| } 489| | 490| 128| auto minus_xy2d = -t.xy2d; 491| | 492| | // If negative have to swap yminusx and yplusx 493| 1.40k| for(size_t i = 0; i != 10; ++i) { ------------------ | Branch (493:22): [True: 1.28k, False: 128] ------------------ 494| 1.28k| const int32_t t_yplusx = t.yplusx[i] ^ ((t.yplusx[i] ^ t.yminusx[i]) & neg_mask); 495| 1.28k| const int32_t t_yminusx = t.yminusx[i] ^ ((t.yminusx[i] ^ t.yplusx[i]) & neg_mask); 496| | 497| 1.28k| t.yplusx[i] = t_yplusx; 498| 1.28k| t.yminusx[i] = t_yminusx; 499| 1.28k| t.xy2d[i] = t.xy2d[i] ^ ((t.xy2d[i] ^ minus_xy2d[i]) & neg_mask); 500| 1.28k| } 501| | 502| 128| return t; 503| 128|} ge.cpp:_ZN5Botan12_GLOBAL__N_18negativeEa: 451| 128|inline uint8_t negative(int8_t b) { 452| 128| return static_cast(b) >> 7; 453| 128|} ge.cpp:_ZN5Botan12_GLOBAL__N_17equal32Ehh: 447| 1.15k|inline uint32_t equal32(uint8_t b, uint8_t c) { 448| 1.15k| return CT::Mask::is_equal(b, c).value(); 449| 1.15k|} ge.cpp:_ZN5Botan12_GLOBAL__N_119Ed25519_Point_Niels8identityEv: 160| 128| static constexpr Ed25519_Point_Niels identity() { 161| 128| Ed25519_Point_Niels h; 162| 128| h.yplusx = Ed25519_FieldElement::one(); 163| 128| h.yminusx = Ed25519_FieldElement::one(); 164| 128| h.xy2d = Ed25519_FieldElement::zero(); 165| 128| return h; 166| 128| } ge.cpp:_ZN5Botan12_GLOBAL__N_124Ed25519_Point_Projective4fromERKNS0_23Ed25519_Point_CompletedE: 56| 6| static Ed25519_Point_Projective from(const Ed25519_Point_Completed& p) { 57| 6| Ed25519_Point_Projective r; 58| 6| r.X = p.X * p.T; 59| 6| r.Y = p.Y * p.Z; 60| 6| r.Z = p.Z * p.T; 61| 6| return r; 62| 6| } ge.cpp:_ZNK5Botan12_GLOBAL__N_122Ed25519_Point_Extended3dblEv: 118| 2| Ed25519_Point_Completed dbl() const { 119| 2| Ed25519_Point_Projective q; 120| 2| q.X = X; 121| 2| q.Y = Y; 122| 2| q.Z = Z; 123| 2| return q.dbl(); 124| 2| } ge.cpp:_ZNK5Botan12_GLOBAL__N_124Ed25519_Point_Projective3dblEv: 83| 8|Ed25519_Point_Completed Ed25519_Point_Projective::dbl() const { 84| 8| Ed25519_Point_Completed r; 85| 8| r.X = X.sqr(); // XX=X1^2 86| 8| r.Z = Y.sqr(); // YY=Y1^2 87| 8| r.T = Z.sqr2(); // B=2*Z1^2 88| 8| r.Y = X + Y; // A=X1+Y1 89| 8| auto t0 = r.Y.sqr(); // AA=A^2 90| 8| r.Y = r.Z + r.X; // Y3=YY+XX 91| 8| r.Z = r.Z - r.X; // Z3=YY-XX 92| 8| r.X = t0 - r.Y; // X3=AA-Y3 93| 8| r.T = r.T - r.Z; // T3=B-Z3 94| 8| return r; 95| 8|} ge.cpp:_ZNK5Botan12_GLOBAL__N_122Ed25519_Point_Extended12serialize_toENSt3__14spanIhLm32EEE: 138| 2| void serialize_to(std::span out) const { 139| 2| auto recip = this->Z.invert(); 140| 2| auto x = this->X * recip; 141| 2| auto y = this->Y * recip; 142| 2| y.serialize_to(out); 143| 2| out[31] ^= x.is_negative() ? 0x80 : 0x00; ------------------ | Branch (143:21): [True: 2, False: 0] ------------------ 144| 2| } _ZN5Botan9KyberModeC2ERKNS_3OIDE: 78| 38|KyberMode::KyberMode(const OID& oid) : m_mode(kyber_mode_from_string(oid.to_formatted_string())) {} _ZNK5Botan9KyberMode9is_ml_kemEv: 119| 114|bool KyberMode::is_ml_kem() const { 120| 114| return m_mode == KyberMode::ML_KEM_512 || m_mode == KyberMode::ML_KEM_768 || m_mode == KyberMode::ML_KEM_1024; ------------------ | Branch (120:11): [True: 27, False: 87] | Branch (120:46): [True: 45, False: 42] | Branch (120:81): [True: 42, False: 0] ------------------ 121| 114|} _ZNK5Botan9KyberMode15is_kyber_round3Ev: 123| 136|bool KyberMode::is_kyber_round3() const { 124| 136| return m_mode == KyberMode::Kyber512_R3 || m_mode == KyberMode::Kyber768_R3 || m_mode == KyberMode::Kyber1024_R3 || ------------------ | Branch (124:11): [True: 0, False: 136] | Branch (124:47): [True: 0, False: 136] | Branch (124:83): [True: 0, False: 136] ------------------ 125| 136| m_mode == KyberMode::Kyber512_90s || m_mode == KyberMode::Kyber768_90s || m_mode == KyberMode::Kyber1024_90s; ------------------ | Branch (125:11): [True: 0, False: 136] | Branch (125:48): [True: 0, False: 136] | Branch (125:85): [True: 0, False: 136] ------------------ 126| 136|} _ZN5Botan16Kyber_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 227| 38| Kyber_PrivateKey(key_bits, KyberMode(alg_id.oid())) {} _ZN5Botan16Kyber_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEENS_9KyberModeE: 229| 38|Kyber_PrivateKey::Kyber_PrivateKey(std::span sk, KyberMode m) { 230| 38| KyberConstants mode(m); 231| | 232| 38| if(mode.mode().is_ml_kem() && sk.size() == mode.seed_private_key_bytes()) { ------------------ | Branch (232:7): [True: 38, False: 0] | Branch (232:7): [True: 30, False: 8] | Branch (232:34): [True: 30, False: 8] ------------------ 233| 30| std::tie(m_public, m_private) = Seed_Expanding_Keypair_Codec().decode_keypair(sk, std::move(mode)); 234| 30| } else if(sk.size() == mode.expanded_private_key_bytes()) { ------------------ | Branch (234:14): [True: 0, False: 8] ------------------ 235| 0| std::tie(m_public, m_private) = Expanded_Keypair_Codec().decode_keypair(sk, std::move(mode)); 236| 8| } else if(!mode.mode().is_ml_kem() && sk.size() == mode.seed_private_key_bytes()) { ------------------ | Branch (236:14): [True: 0, False: 8] | Branch (236:14): [True: 0, False: 8] | Branch (236:42): [True: 0, False: 0] ------------------ 237| 0| throw Invalid_Argument("Kyber round 3 private keys do not support the seed format"); 238| 8| } else { 239| 8| throw Invalid_Argument("Private key does not have the correct byte count"); 240| 8| } 241| 38|} kyber.cpp:_ZN5Botan12_GLOBAL__N_122kyber_mode_from_stringENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 42| 38|KyberMode::Mode kyber_mode_from_string(std::string_view str) { 43| 38| if(str == "Kyber-512-90s-r3") { ------------------ | Branch (43:7): [True: 0, False: 38] ------------------ 44| 0| return KyberMode::Kyber512_90s; 45| 0| } 46| 38| if(str == "Kyber-768-90s-r3") { ------------------ | Branch (46:7): [True: 0, False: 38] ------------------ 47| 0| return KyberMode::Kyber768_90s; 48| 0| } 49| 38| if(str == "Kyber-1024-90s-r3") { ------------------ | Branch (49:7): [True: 0, False: 38] ------------------ 50| 0| return KyberMode::Kyber1024_90s; 51| 0| } 52| 38| if(str == "Kyber-512-r3") { ------------------ | Branch (52:7): [True: 0, False: 38] ------------------ 53| 0| return KyberMode::Kyber512_R3; 54| 0| } 55| 38| if(str == "Kyber-768-r3") { ------------------ | Branch (55:7): [True: 0, False: 38] ------------------ 56| 0| return KyberMode::Kyber768_R3; 57| 0| } 58| 38| if(str == "Kyber-1024-r3") { ------------------ | Branch (58:7): [True: 0, False: 38] ------------------ 59| 0| return KyberMode::Kyber1024_R3; 60| 0| } 61| 38| if(str == "ML-KEM-512") { ------------------ | Branch (61:7): [True: 9, False: 29] ------------------ 62| 9| return KyberMode::ML_KEM_512; 63| 9| } 64| 29| if(str == "ML-KEM-768") { ------------------ | Branch (64:7): [True: 15, False: 14] ------------------ 65| 15| return KyberMode::ML_KEM_768; 66| 15| } 67| 14| if(str == "ML-KEM-1024") { ------------------ | Branch (67:7): [True: 14, False: 0] ------------------ 68| 14| return KyberMode::ML_KEM_1024; 69| 14| } 70| | 71| 0| throw Invalid_Argument(fmt("'{}' is not a valid Kyber mode name", str)); 72| 14|} _ZN5Botan11Kyber_Algos24encode_polynomial_vectorENSt3__14spanIhLm18446744073709551615EEERKNS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS4_6DomainE1EEE: 186| 30|void encode_polynomial_vector(std::span out, const KyberPolyVecNTT& vec) { 187| 30| BufferStuffer bs(out); 188| 92| for(const auto& v : vec) { ------------------ | Branch (188:22): [True: 92, False: 30] ------------------ 189| 92| byte_encode(bs, v); 190| 92| } 191| 30| BOTAN_ASSERT_NOMSG(bs.full()); ------------------ | | 77| 30| do { \ | | 78| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 30| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 30] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 30| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 30] | | ------------------ ------------------ 192| 30|} _ZN5Botan11Kyber_Algos14expand_keypairENS_19KyberPrivateKeySeedENS_14KyberConstantsE: 323| 30|KyberInternalKeypair expand_keypair(KyberPrivateKeySeed seed, KyberConstants mode) { 324| 30| BOTAN_ARG_CHECK(seed.d.has_value(), "Cannot expand keypair without the full private seed"); ------------------ | | 35| 30| do { \ | | 36| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 30| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 30] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 30| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 30] | | ------------------ ------------------ 325| 30| const auto& d = seed.d.value(); 326| | 327| 30| CT::poison(d); 328| 30| auto [rho, sigma] = mode.symmetric_primitives().G(d, mode); 329| 30| CT::unpoison(rho); // rho is public (seed for the public matrix A) 330| | 331| | // Algorithm 13 (K-PKE.KeyGen) ---------------- 332| | 333| 30| auto A = Kyber_Algos::sample_matrix(rho, false /* not transposed */, mode); 334| | 335| | // The nonce N is handled internally by the PolynomialSampler 336| 30| Kyber_Algos::PolynomialSampler ps(sigma, mode); 337| 30| auto s = ntt(ps.sample_polynomial_vector_cbd_eta1()); 338| 30| const auto e = ntt(ps.sample_polynomial_vector_cbd_eta1()); 339| | 340| 30| auto t = montgomery(A * s); 341| 30| t += e; 342| 30| t.reduce(); 343| | 344| | // End Algorithm 13 --------------------------- 345| | 346| 30| CT::unpoison_all(d, t, s); 347| | 348| 30| return { 349| 30| std::make_shared(mode, std::move(t), std::move(rho)), 350| 30| std::make_shared(std::move(mode), std::move(s), std::move(seed)), 351| 30| }; 352| 30|} _ZN5Botan11Kyber_Algos13sample_matrixENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS3_9allocatorIhEEEENS_13KyberSeedRho_EJEEEEEbRKNS_14KyberConstantsE: 382| 30|KyberPolyMat sample_matrix(StrongSpan seed, bool transposed, const KyberConstants& mode) { 383| 30| BOTAN_ASSERT(seed.size() == KyberConstants::SEED_BYTES, "unexpected seed size"); ------------------ | | 64| 30| do { \ | | 65| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 66| 30| if(!(expr)) { \ | | ------------------ | | | Branch (66:10): [True: 0, False: 30] | | ------------------ | | 67| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 68| 0| Botan::assertion_failure(#expr, assertion_made, __func__, __FILE__, __LINE__); \ | | 69| 0| } \ | | 70| 30| } while(0) | | ------------------ | | | Branch (70:12): [Folded, False: 30] | | ------------------ ------------------ 384| | 385| 30| KyberPolyMat mat(mode.k(), mode.k()); 386| | 387| 30| const auto& sym = mode.symmetric_primitives(); 388| 30| std::unique_ptr xof; 389| | 390| 122| for(uint8_t i = 0; i < mode.k(); ++i) { ------------------ | Branch (390:23): [True: 92, False: 30] ------------------ 391| 392| for(uint8_t j = 0; j < mode.k(); ++j) { ------------------ | Branch (391:26): [True: 300, False: 92] ------------------ 392| 300| const auto pos = (transposed) ? std::tuple(i, j) : std::tuple(j, i); ------------------ | Branch (392:27): [True: 0, False: 300] ------------------ 393| 300| sym.setup_XOF(xof, seed, pos); 394| 300| sample_ntt_uniform(mat[i][j], *xof); 395| 300| } 396| 92| } 397| | 398| 30| return mat; 399| 30|} _ZN5Botan11Kyber_Algos26sample_polynomial_from_cbdERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS1_6DomainE0EEENS_14KyberConstants8KyberEtaERKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEE: 409| 184| const KyberSamplingRandomness& randomness) { 410| 184| switch(eta) { ------------------ | Branch (410:11): [True: 184, False: 0] ------------------ 411| 152| case KyberConstants::KyberEta::_2: ------------------ | Branch (411:7): [True: 152, False: 32] ------------------ 412| 152| return sample_poly_cbd(poly, randomness); 413| 32| case KyberConstants::KyberEta::_3: ------------------ | Branch (413:7): [True: 32, False: 152] ------------------ 414| 32| return sample_poly_cbd(poly, randomness); 415| 184| } 416| | 417| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 418| 0|} kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_111byte_encodeERNS_13BufferStufferERKNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS4_6DomainE1EEE: 44| 92|void byte_encode(BufferStuffer& bs, const KyberPolyNTT& p) { 45| 92| CRYSTALS::pack(p, bs); 46| 92|} kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFE: 76| 300|void sample_ntt_uniform(KyberPolyNTT& p, XOF& xof) { 77| | // A generator that returns the next coefficient sampled from the XOF. As the 78| | // sampling uses half-bytes, this keeps track of the additionally sampled 79| | // coefficient as needed. 80| 300| auto sample = [stashed_coeff = std::optional{}, 81| 300| bounded_xof = 82| 300| Bounded_XOF(xof)]() mutable -> uint16_t { 83| 300| auto lowerthan_q = [](uint32_t d) -> std::optional { 84| 300| if(d < KyberConstants::Q) { 85| 300| return static_cast(d); 86| 300| } else { 87| 300| return std::nullopt; 88| 300| } 89| 300| }; 90| | 91| 300| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { 92| 300| return *stashed; // value retained from a previous invocation 93| 300| } 94| | 95| 300| while(true) { 96| 300| const auto [d1, d2] = bounded_xof.next<3>([&](const auto bytes) { 97| 300| const auto x = load_le3(bytes); 98| 300| return std::pair{lowerthan_q(x & 0x0FFF), lowerthan_q(x >> 12)}; 99| 300| }); 100| | 101| 300| if(d1.has_value()) { 102| 300| stashed_coeff = d2; // keep candidate d2 for the next invocation 103| 300| return *d1; 104| 300| } else if(d2.has_value()) { 105| | // d1 was invalid, d2 is valid, nothing to stash 106| 300| return *d2; 107| 300| } 108| 300| } 109| 300| }; 110| | 111| 76.8k| for(auto& coeff : p) { ------------------ | Branch (111:20): [True: 76.8k, False: 300] ------------------ 112| 76.8k| coeff = sample(); 113| 76.8k| } 114| 300|} kyber_algos.cpp:_ZZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFEEN3$_0clEv: 82| 76.8k| Bounded_XOF(xof)]() mutable -> uint16_t { 83| 76.8k| auto lowerthan_q = [](uint32_t d) -> std::optional { 84| 76.8k| if(d < KyberConstants::Q) { 85| 76.8k| return static_cast(d); 86| 76.8k| } else { 87| 76.8k| return std::nullopt; 88| 76.8k| } 89| 76.8k| }; 90| | 91| 76.8k| if(auto stashed = std::exchange(stashed_coeff, std::nullopt)) { ------------------ | Branch (91:15): [True: 30.8k, False: 45.9k] ------------------ 92| 30.8k| return *stashed; // value retained from a previous invocation 93| 30.8k| } 94| | 95| 47.7k| while(true) { ------------------ | Branch (95:13): [True: 47.7k, Folded] ------------------ 96| 47.7k| const auto [d1, d2] = bounded_xof.next<3>([&](const auto bytes) { 97| 47.7k| const auto x = load_le3(bytes); 98| 47.7k| return std::pair{lowerthan_q(x & 0x0FFF), lowerthan_q(x >> 12)}; 99| 47.7k| }); 100| | 101| 47.7k| if(d1.has_value()) { ------------------ | Branch (101:13): [True: 38.2k, False: 9.46k] ------------------ 102| 38.2k| stashed_coeff = d2; // keep candidate d2 for the next invocation 103| 38.2k| return *d1; 104| 38.2k| } else if(d2.has_value()) { ------------------ | Branch (104:20): [True: 7.68k, False: 1.77k] ------------------ 105| | // d1 was invalid, d2 is valid, nothing to stash 106| 7.68k| return *d2; 107| 7.68k| } 108| 47.7k| } 109| 45.9k| }; kyber_algos.cpp:_ZZZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFEEN3$_0clEvENKUlT_E_clINSt3__15arrayIhLm3EEEEEDaSB_: 96| 47.7k| const auto [d1, d2] = bounded_xof.next<3>([&](const auto bytes) { 97| 47.7k| const auto x = load_le3(bytes); 98| 47.7k| return std::pair{lowerthan_q(x & 0x0FFF), lowerthan_q(x >> 12)}; 99| 47.7k| }); kyber_algos.cpp:_ZZZN5Botan11Kyber_Algos12_GLOBAL__N_118sample_ntt_uniformERNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS2_6DomainE1EEERNS_3XOFEEN3$_0clEvENKUljE_clEj: 83| 95.4k| auto lowerthan_q = [](uint32_t d) -> std::optional { 84| 95.4k| if(d < KyberConstants::Q) { ------------------ | Branch (84:13): [True: 76.9k, False: 18.5k] ------------------ 85| 76.9k| return static_cast(d); 86| 76.9k| } else { 87| 18.5k| return std::nullopt; 88| 18.5k| } 89| 95.4k| }; kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_115sample_poly_cbdILNS_14KyberConstants8KyberEtaE2EEEvRNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS5_6DomainE0EEENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEE: 130| 152| StrongSpan randomness) { 131| 152| BufferSlicer bs(randomness); 132| | 133| 5.01k| for(size_t i = 0; i < poly.size() / 8; ++i) { ------------------ | Branch (133:22): [True: 4.86k, False: 152] ------------------ 134| 4.86k| const uint32_t t = Botan::load_le(bs.take<4>()); 135| | 136| | // SWAR (SIMD within a Register) trick: calculate 16 2-bit-sums in parallel 137| 4.86k| constexpr uint32_t operand_bitmask = 0b01010101010101010101010101010101; 138| | 139| | // clang-format off 140| 4.86k| const uint32_t d = ((t >> 0) & operand_bitmask) + 141| 4.86k| ((t >> 1) & operand_bitmask); 142| | // clang-format on 143| | 144| 43.7k| for(size_t j = 0; j < 8; ++j) { ------------------ | Branch (144:25): [True: 38.9k, False: 4.86k] ------------------ 145| 38.9k| const int16_t a = (d >> (4 * j + 0)) & 0x3; 146| 38.9k| const int16_t b = (d >> (4 * j + 2)) & 0x3; 147| 38.9k| poly[8 * i + j] = a - b; 148| 38.9k| } 149| 4.86k| } 150| | 151| 152| BOTAN_ASSERT_NOMSG(bs.empty()); ------------------ | | 77| 152| do { \ | | 78| 152| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 152| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 152] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 152| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 152] | | ------------------ ------------------ 152| 152|} kyber_algos.cpp:_ZN5Botan11Kyber_Algos12_GLOBAL__N_115sample_poly_cbdILNS_14KyberConstants8KyberEtaE3EEEvRNS_8CRYSTALS10PolynomialINS_15KyberPolyTraitsELNS5_6DomainE0EEENS_10StrongSpanIKNS_6StrongINSt3__16vectorIhNS_16secure_allocatorIhEEEENS_24KyberSamplingRandomness_EJEEEEE: 159| 32| StrongSpan randomness) { 160| 32| BufferSlicer bs(randomness); 161| | 162| 2.08k| for(size_t i = 0; i < poly.size() / 4; ++i) { ------------------ | Branch (162:22): [True: 2.04k, False: 32] ------------------ 163| 2.04k| const uint32_t t = load_le3(bs.take<3>()); 164| | 165| | // SWAR (SIMD within a Register) trick: calculate 8 3-bit-sums in parallel 166| 2.04k| constexpr uint32_t operand_bitmask = 0b00000000001001001001001001001001; 167| | 168| | // clang-format off 169| 2.04k| const uint32_t d = ((t >> 0) & operand_bitmask) + 170| 2.04k| ((t >> 1) & operand_bitmask) + 171| 2.04k| ((t >> 2) & operand_bitmask); 172| | // clang-format on 173| | 174| 10.2k| for(size_t j = 0; j < 4; ++j) { ------------------ | Branch (174:25): [True: 8.19k, False: 2.04k] ------------------ 175| 8.19k| const int16_t a = (d >> (6 * j + 0)) & 0x7; 176| 8.19k| const int16_t b = (d >> (6 * j + 3)) & 0x7; 177| 8.19k| poly[4 * i + j] = a - b; 178| 8.19k| } 179| 2.04k| } 180| | 181| 32| BOTAN_ASSERT_NOMSG(bs.empty()); ------------------ | | 77| 32| do { \ | | 78| 32| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 32| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 32] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 32| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 32] | | ------------------ ------------------ 182| 32|} _ZN5Botan14KyberConstantsC2ENS_9KyberModeE: 30| 68|KyberConstants::KyberConstants(KyberMode mode) : m_mode(mode) { 31| 68| switch(mode.mode()) { 32| 0| case KyberMode::Kyber512_R3: ------------------ | Branch (32:7): [True: 0, False: 68] ------------------ 33| 0| case KyberMode::Kyber512_90s: ------------------ | Branch (33:7): [True: 0, False: 68] ------------------ 34| 17| case KyberMode::ML_KEM_512: ------------------ | Branch (34:7): [True: 17, False: 51] ------------------ 35| 17| m_nist_strength = KyberStrength::_128; 36| 17| m_k = 2; 37| 17| m_eta1 = KyberEta::_3; 38| 17| m_du = KyberDu::_10; 39| 17| m_dv = KyberDv::_4; 40| 17| break; 41| | 42| 0| case KyberMode::Kyber768_R3: ------------------ | Branch (42:7): [True: 0, False: 68] ------------------ 43| 0| case KyberMode::Kyber768_90s: ------------------ | Branch (43:7): [True: 0, False: 68] ------------------ 44| 27| case KyberMode::ML_KEM_768: ------------------ | Branch (44:7): [True: 27, False: 41] ------------------ 45| 27| m_nist_strength = KyberStrength::_192; 46| 27| m_k = 3; 47| 27| m_eta1 = KyberEta::_2; 48| 27| m_du = KyberDu::_10; 49| 27| m_dv = KyberDv::_4; 50| 27| break; 51| | 52| 0| case KyberMode::Kyber1024_R3: ------------------ | Branch (52:7): [True: 0, False: 68] ------------------ 53| 0| case KyberMode::Kyber1024_90s: ------------------ | Branch (53:7): [True: 0, False: 68] ------------------ 54| 24| case KyberMode::ML_KEM_1024: ------------------ | Branch (54:7): [True: 24, False: 44] ------------------ 55| 24| m_nist_strength = KyberStrength::_256; 56| 24| m_k = 4; 57| 24| m_eta1 = KyberEta::_2; 58| 24| m_du = KyberDu::_11; 59| 24| m_dv = KyberDv::_5; 60| 24| break; 61| | 62| 0| default: ------------------ | Branch (62:7): [True: 0, False: 68] ------------------ 63| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 64| 68| } 65| | 66| 68|#ifdef BOTAN_HAS_KYBER_90S 67| 68| if(mode.is_kyber_round3() && mode.is_90s()) { ------------------ | Branch (67:7): [True: 0, False: 68] | Branch (67:33): [True: 0, False: 0] ------------------ 68| 0| m_symmetric_primitives = std::make_unique(); 69| 0| } 70| 68|#endif 71| | 72| 68|#ifdef BOTAN_HAS_KYBER 73| 68| if(mode.is_kyber_round3() && mode.is_modern()) { ------------------ | Branch (73:7): [True: 0, False: 68] | Branch (73:33): [True: 0, False: 0] ------------------ 74| 0| m_symmetric_primitives = std::make_unique(); 75| 0| } 76| 68|#endif 77| | 78| 68|#ifdef BOTAN_HAS_ML_KEM 79| 68| if(mode.is_ml_kem()) { ------------------ | Branch (79:7): [True: 68, False: 0] ------------------ 80| 68| m_symmetric_primitives = std::make_unique(); 81| 68| } 82| 68|#endif 83| | 84| 68| static_assert(N % 8 == 0); 85| 68| m_polynomial_vector_bytes = (bitlen(Q) * (N / 8)) * k(); 86| 68| m_polynomial_vector_compressed_bytes = d_u() * k() * (N / 8); 87| 68| m_polynomial_compressed_bytes = d_v() * (N / 8); 88| 68| m_expanded_private_key_bytes = 89| 68| static_cast(m_polynomial_vector_bytes + public_key_bytes() + PUBLIC_KEY_HASH_BYTES + SEED_BYTES); 90| 68| m_seed_private_key_bytes = 2 * SEED_BYTES; 91| | 92| 68| if(!m_symmetric_primitives) { ------------------ | Branch (92:7): [True: 0, False: 68] ------------------ 93| 0| throw Not_Implemented("requested Kyber mode is not enabled in this build"); 94| 0| } 95| 68|} _ZN5Botan14KyberConstantsD2Ev: 97| 218|KyberConstants::~KyberConstants() = default; _ZNK5Botan28Seed_Expanding_Keypair_Codec14decode_keypairENSt3__14spanIKhLm18446744073709551615EEENS_14KyberConstantsE: 88| 30| KyberConstants mode) const { 89| 30| BufferSlicer s(private_key); 90| 30| auto seed = KyberPrivateKeySeed{ 91| 30| s.copy(KyberConstants::SEED_BYTES), 92| 30| s.copy(KyberConstants::SEED_BYTES), 93| 30| }; 94| 30| BOTAN_ASSERT_NOMSG(s.empty()); ------------------ | | 77| 30| do { \ | | 78| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 30| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 30] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 30| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 30] | | ------------------ ------------------ 95| 30| return Kyber_Algos::expand_keypair(std::move(seed), std::move(mode)); 96| 30|} _ZN5Botan23Kyber_PublicKeyInternalC2ENS_14KyberConstantsENS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS2_6DomainE1EEENS_6StrongINSt3__16vectorIhNS8_9allocatorIhEEEENS_13KyberSeedRho_EJEEE: 114| 30| m_mode(std::move(mode)), 115| 30| m_public_key_bits_raw(concat(Kyber_Algos::encode_polynomial_vector>(t, m_mode), rho)), 116| 30| m_H_public_key_bits_raw(m_mode.symmetric_primitives().H(m_public_key_bits_raw)), 117| 30| m_t(std::move(t)), 118| 30| m_rho(std::move(rho)) {} _ZN5Botan8PEM_Code6decodeERNS_10DataSourceERNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE: 62| 276|secure_vector decode(DataSource& source, std::string& label) { 63| 276| const size_t RANDOM_CHAR_LIMIT = 8; 64| | 65| 276| label.clear(); 66| | 67| 276| const std::string PEM_HEADER1 = "-----BEGIN "; 68| 276| const std::string PEM_HEADER2 = "-----"; 69| 276| size_t position = 0; 70| | 71| 4.23k| while(position != PEM_HEADER1.length()) { ------------------ | Branch (71:10): [True: 4.00k, False: 231] ------------------ 72| 4.00k| auto b = source.read_byte(); 73| | 74| 4.00k| if(!b) { ------------------ | Branch (74:10): [True: 44, False: 3.96k] ------------------ 75| 44| throw Decoding_Error("PEM: No PEM header found"); 76| 44| } 77| 3.96k| if(static_cast(*b) == PEM_HEADER1[position]) { ------------------ | Branch (77:10): [True: 2.78k, False: 1.17k] ------------------ 78| 2.78k| ++position; 79| 2.78k| } else if(position >= RANDOM_CHAR_LIMIT) { ------------------ | Branch (79:17): [True: 1, False: 1.17k] ------------------ 80| 1| throw Decoding_Error("PEM: Malformed PEM header"); 81| 1.17k| } else { 82| 1.17k| position = 0; 83| 1.17k| } 84| 3.96k| } 85| 231| position = 0; 86| 2.79k| while(position != PEM_HEADER2.length()) { ------------------ | Branch (86:10): [True: 2.60k, False: 190] ------------------ 87| 2.60k| auto b = source.read_byte(); 88| | 89| 2.60k| if(!b) { ------------------ | Branch (89:10): [True: 38, False: 2.56k] ------------------ 90| 38| throw Decoding_Error("PEM: No PEM header found"); 91| 38| } 92| 2.56k| if(static_cast(*b) == PEM_HEADER2[position]) { ------------------ | Branch (92:10): [True: 971, False: 1.59k] ------------------ 93| 971| ++position; 94| 1.59k| } else if(position > 0) { ------------------ | Branch (94:17): [True: 2, False: 1.59k] ------------------ 95| 2| throw Decoding_Error("PEM: Malformed PEM header"); 96| 2| } 97| | 98| 2.56k| if(position == 0) { ------------------ | Branch (98:10): [True: 1.59k, False: 971] ------------------ 99| 1.59k| if(label.size() >= 128) { ------------------ | Branch (99:13): [True: 1, False: 1.59k] ------------------ 100| 1| throw Decoding_Error("PEM: Label too long"); 101| 1| } 102| 1.59k| label += static_cast(*b); 103| 1.59k| } 104| 2.56k| } 105| | 106| 190| std::vector b64; 107| | 108| 190| const std::string PEM_TRAILER = fmt("-----END {}-----", label); 109| 190| position = 0; 110| 63.7k| while(position != PEM_TRAILER.length()) { ------------------ | Branch (110:10): [True: 63.6k, False: 124] ------------------ 111| 63.6k| auto b = source.read_byte(); 112| | 113| 63.6k| if(!b) { ------------------ | Branch (113:10): [True: 60, False: 63.5k] ------------------ 114| 60| throw Decoding_Error("PEM: No PEM trailer found"); 115| 60| } 116| 63.5k| if(static_cast(*b) == PEM_TRAILER[position]) { ------------------ | Branch (116:10): [True: 2.27k, False: 61.3k] ------------------ 117| 2.27k| ++position; 118| 61.3k| } else if(position > 0) { ------------------ | Branch (118:17): [True: 6, False: 61.2k] ------------------ 119| 6| throw Decoding_Error("PEM: Malformed PEM trailer"); 120| 6| } 121| | 122| 63.5k| if(position == 0) { ------------------ | Branch (122:10): [True: 61.2k, False: 2.27k] ------------------ 123| 61.2k| b64.push_back(*b); 124| 61.2k| } 125| 63.5k| } 126| | 127| 124| return base64_decode(b64.data(), b64.size()); 128| 190|} _ZN5Botan8PEM_Code7matchesERNS_10DataSourceENSt3__117basic_string_viewIcNS3_11char_traitsIcEEEEm: 143| 7.28k|bool matches(DataSource& source, std::string_view extra, size_t search_range) { 144| 7.28k| const std::string PEM_HEADER = fmt("-----BEGIN {}", extra); 145| | 146| 7.28k| secure_vector search_buf(search_range); 147| 7.28k| const size_t got = source.peek(search_buf.data(), search_buf.size(), 0); 148| | 149| 7.28k| if(got < PEM_HEADER.length()) { ------------------ | Branch (149:7): [True: 444, False: 6.83k] ------------------ 150| 444| return false; 151| 444| } 152| | 153| 6.83k| size_t index = 0; 154| | 155| 1.20M| for(size_t j = 0; j != got; ++j) { ------------------ | Branch (155:22): [True: 1.20M, False: 6.83k] ------------------ 156| 1.20M| if(static_cast(search_buf[j]) == PEM_HEADER[index]) { ------------------ | Branch (156:10): [True: 4.76k, False: 1.19M] ------------------ 157| 4.76k| ++index; 158| 1.19M| } else { 159| 1.19M| index = 0; 160| 1.19M| } 161| | 162| 1.20M| if(index == PEM_HEADER.size()) { ------------------ | Branch (162:10): [True: 3, False: 1.20M] ------------------ 163| 3| return true; 164| 3| } 165| 1.20M| } 166| | 167| 6.83k| return false; 168| 6.83k|} _ZN5Botan16load_private_keyERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 290| 4.77k| [[maybe_unused]] std::span key_bits) { 291| 4.77k| const std::string oid_str = alg_id.oid().to_formatted_string(); 292| 4.77k| const std::vector alg_info = split_on(oid_str, '/'); 293| 4.77k| const std::string_view alg_name = alg_info[0]; 294| | 295| 4.77k|#if defined(BOTAN_HAS_RSA) 296| 4.77k| if(alg_name == "RSA") { ------------------ | Branch (296:7): [True: 41, False: 4.73k] ------------------ 297| 41| return std::make_unique(alg_id, key_bits); 298| 41| } 299| 4.73k|#endif 300| | 301| 4.73k|#if defined(BOTAN_HAS_X25519) 302| 4.73k| if(alg_name == "X25519" || alg_name == "Curve25519") { ------------------ | Branch (302:7): [True: 8, False: 4.72k] | Branch (302:31): [True: 0, False: 4.72k] ------------------ 303| 8| return std::make_unique(alg_id, key_bits); 304| 8| } 305| 4.72k|#endif 306| | 307| 4.72k|#if defined(BOTAN_HAS_X448) 308| 4.72k| if(alg_name == "X448") { ------------------ | Branch (308:7): [True: 4, False: 4.72k] ------------------ 309| 4| return std::make_unique(alg_id, key_bits); 310| 4| } 311| 4.72k|#endif 312| | 313| 4.72k|#if defined(BOTAN_HAS_ECDSA) 314| 4.72k| if(alg_name == "ECDSA") { ------------------ | Branch (314:7): [True: 2.67k, False: 2.05k] ------------------ 315| 2.67k| return std::make_unique(alg_id, key_bits); 316| 2.67k| } 317| 2.05k|#endif 318| | 319| 2.05k|#if defined(BOTAN_HAS_ECDH) 320| 2.05k| if(alg_name == "ECDH") { ------------------ | Branch (320:7): [True: 1.57k, False: 480] ------------------ 321| 1.57k| return std::make_unique(alg_id, key_bits); 322| 1.57k| } 323| 480|#endif 324| | 325| 480|#if defined(BOTAN_HAS_DIFFIE_HELLMAN) 326| 480| if(alg_name == "DH") { ------------------ | Branch (326:7): [True: 108, False: 372] ------------------ 327| 108| return std::make_unique(alg_id, key_bits); 328| 108| } 329| 372|#endif 330| | 331| 372|#if defined(BOTAN_HAS_DSA) 332| 372| if(alg_name == "DSA") { ------------------ | Branch (332:7): [True: 111, False: 261] ------------------ 333| 111| return std::make_unique(alg_id, key_bits); 334| 111| } 335| 261|#endif 336| | 337| 261|#if defined(BOTAN_HAS_FRODOKEM) 338| 261| if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) { ------------------ | Branch (338:7): [True: 0, False: 261] | Branch (338:33): [True: 0, False: 261] | Branch (338:70): [True: 0, False: 261] ------------------ 339| 0| return std::make_unique(alg_id, key_bits); 340| 0| } 341| 261|#endif 342| | 343| 261|#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S) 344| 261| if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) { ------------------ | Branch (344:7): [True: 0, False: 261] | Branch (344:30): [True: 0, False: 261] ------------------ 345| 0| return std::make_unique(alg_id, key_bits); 346| 0| } 347| 261|#endif 348| | 349| 261|#if defined(BOTAN_HAS_ML_KEM) 350| 261| if(alg_name.starts_with("ML-KEM-")) { ------------------ | Branch (350:7): [True: 38, False: 223] ------------------ 351| 38| return std::make_unique(alg_id, key_bits); 352| 38| } 353| 223|#endif 354| | 355| 223|#if defined(BOTAN_HAS_MCELIECE) 356| 223| if(alg_name == "McEliece") { ------------------ | Branch (356:7): [True: 0, False: 223] ------------------ 357| 0| return std::make_unique(key_bits); 358| 0| } 359| 223|#endif 360| | 361| 223|#if defined(BOTAN_HAS_ECGDSA) 362| 223| if(alg_name == "ECGDSA") { ------------------ | Branch (362:7): [True: 0, False: 223] ------------------ 363| 0| return std::make_unique(alg_id, key_bits); 364| 0| } 365| 223|#endif 366| | 367| 223|#if defined(BOTAN_HAS_ECKCDSA) 368| 223| if(alg_name == "ECKCDSA") { ------------------ | Branch (368:7): [True: 0, False: 223] ------------------ 369| 0| return std::make_unique(alg_id, key_bits); 370| 0| } 371| 223|#endif 372| | 373| 223|#if defined(BOTAN_HAS_ED25519) 374| 223| if(alg_name == "Ed25519") { ------------------ | Branch (374:7): [True: 10, False: 213] ------------------ 375| 10| return std::make_unique(alg_id, key_bits); 376| 10| } 377| 213|#endif 378| | 379| 213|#if defined(BOTAN_HAS_ED448) 380| 213| if(alg_name == "Ed448") { ------------------ | Branch (380:7): [True: 2, False: 211] ------------------ 381| 2| return std::make_unique(alg_id, key_bits); 382| 2| } 383| 211|#endif 384| | 385| 211|#if defined(BOTAN_HAS_GOST_34_10_2001) 386| 211| if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") { ------------------ | Branch (386:7): [True: 2, False: 209] | Branch (386:35): [True: 0, False: 209] | Branch (386:72): [True: 0, False: 209] ------------------ 387| 2| return std::make_unique(alg_id, key_bits); 388| 2| } 389| 209|#endif 390| | 391| 209|#if defined(BOTAN_HAS_SM2) 392| 209| if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") { ------------------ | Branch (392:7): [True: 0, False: 209] | Branch (392:28): [True: 0, False: 209] | Branch (392:53): [True: 0, False: 209] ------------------ 393| 0| return std::make_unique(alg_id, key_bits); 394| 0| } 395| 209|#endif 396| | 397| 209|#if defined(BOTAN_HAS_ELGAMAL) 398| 209| if(alg_name == "ElGamal") { ------------------ | Branch (398:7): [True: 0, False: 209] ------------------ 399| 0| return std::make_unique(alg_id, key_bits); 400| 0| } 401| 209|#endif 402| | 403| 209|#if defined(BOTAN_HAS_XMSS_RFC8391) 404| 209| if(alg_name == "XMSS") { ------------------ | Branch (404:7): [True: 0, False: 209] ------------------ 405| 0| return std::make_unique(key_bits); 406| 0| } 407| 209|#endif 408| | 409| 209|#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES) 410| 209| if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) { ------------------ | Branch (410:7): [True: 0, False: 209] | Branch (410:34): [True: 0, False: 209] ------------------ 411| 0| return std::make_unique(alg_id, key_bits); 412| 0| } 413| 209|#endif 414| | 415| 209|#if defined(BOTAN_HAS_ML_DSA) 416| 209| if(alg_name.starts_with("ML-DSA-")) { ------------------ | Branch (416:7): [True: 86, False: 123] ------------------ 417| 86| return std::make_unique(alg_id, key_bits); 418| 86| } 419| 123|#endif 420| | 421| 123|#if defined(BOTAN_HAS_HSS_LMS) 422| 123| if(alg_name == "HSS-LMS-Private-Key") { ------------------ | Branch (422:7): [True: 0, False: 123] ------------------ 423| 0| return std::make_unique(key_bits); 424| 0| } 425| 123|#endif 426| | 427| 123|#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE) 428| 123| if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) { ------------------ | Branch (428:7): [True: 0, False: 123] | Branch (428:33): [True: 0, False: 123] ------------------ 429| 0| return std::make_unique(alg_id, key_bits); 430| 0| } 431| 123|#endif 432| | 433| 123|#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE) 434| 123| if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) { ------------------ | Branch (434:7): [True: 15, False: 108] | Branch (434:43): [True: 0, False: 108] ------------------ 435| 15| return std::make_unique(alg_id, key_bits); 436| 15| } 437| 108|#endif 438| | 439| 108|#if defined(BOTAN_HAS_CLASSICMCELIECE) 440| 108| if(alg_name.starts_with("ClassicMcEliece")) { ------------------ | Branch (440:7): [True: 0, False: 108] ------------------ 441| 0| return std::make_unique(alg_id, key_bits); 442| 0| } 443| 108|#endif 444| | 445| 108| throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name)); 446| 108|} _ZN5Botan5PKCS88load_keyERNS_10DataSourceE: 350| 7.55k|std::unique_ptr load_key(DataSource& source) { 351| 7.55k| auto fail_fn = []() -> std::string { 352| 7.55k| throw PKCS8_Exception("Internal error: Attempt to read password for unencrypted key"); 353| 7.55k| }; 354| | 355| 7.55k| return load_key(source, fail_fn, false); 356| 7.55k|} pkcs8.cpp:_ZN5Botan5PKCS812_GLOBAL__N_18load_keyERNS_10DataSourceERKNSt3__18functionIFNS4_12basic_stringIcNS4_11char_traitsIcEENS4_9allocatorIcEEEEvEEEb: 302| 7.55k| bool is_encrypted) { 303| 7.55k| AlgorithmIdentifier alg_id; 304| 7.55k| secure_vector pkcs8_key = PKCS8_decode(source, get_pass, alg_id, is_encrypted); 305| | 306| 7.55k| const std::string alg_name = alg_id.oid().human_name_or_empty(); 307| 7.55k| if(alg_name.empty()) { ------------------ | Branch (307:7): [True: 1.74k, False: 5.81k] ------------------ 308| 1.74k| throw PKCS8_Exception(fmt("Unknown algorithm OID {}", alg_id.oid())); 309| 1.74k| } 310| | 311| 5.81k| return load_private_key(alg_id, pkcs8_key); 312| 7.55k|} pkcs8.cpp:_ZN5Botan5PKCS812_GLOBAL__N_112PKCS8_decodeERNS_10DataSourceERKNSt3__18functionIFNS4_12basic_stringIcNS4_11char_traitsIcEENS4_9allocatorIcEEEEvEEERNS_19AlgorithmIdentifierEb: 49| 7.55k| bool is_encrypted) { 50| 7.55k| AlgorithmIdentifier pbe_alg_id; 51| 7.55k| secure_vector key_data; 52| 7.55k| secure_vector key; 53| | 54| 7.55k| try { 55| 7.55k| if(ASN1::maybe_BER(source) && !PEM_Code::matches(source)) { ------------------ | Branch (55:10): [True: 7.28k, False: 273] | Branch (55:37): [True: 7.27k, False: 3] ------------------ 56| 7.27k| if(is_encrypted) { ------------------ | Branch (56:13): [True: 0, False: 7.27k] ------------------ 57| 0| key_data = PKCS8_extract(source, pbe_alg_id); 58| 7.27k| } else { 59| | // todo read more efficiently 60| 1.22M| while(auto b = source.read_byte()) { ------------------ | Branch (60:24): [True: 1.21M, False: 7.27k] ------------------ 61| 1.21M| key_data.push_back(*b); 62| 1.21M| } 63| 7.27k| } 64| 7.27k| } else { 65| 276| std::string label; 66| 276| key_data = PEM_Code::decode(source, label); 67| | 68| | // todo remove autodetect for pem as well? 69| 276| if(label == "PRIVATE KEY") { ------------------ | Branch (69:13): [True: 2, False: 274] ------------------ 70| 2| is_encrypted = false; 71| 274| } else if(label == "ENCRYPTED PRIVATE KEY") { ------------------ | Branch (71:20): [True: 5, False: 269] ------------------ 72| 5| DataSource_Memory key_source(key_data); 73| 5| key_data = PKCS8_extract(key_source, pbe_alg_id); 74| 269| } else { 75| 269| throw PKCS8_Exception(fmt("Unknown PEM label '{}'", label)); 76| 269| } 77| 276| } 78| | 79| 7.28k| if(key_data.empty()) { ------------------ | Branch (79:10): [True: 1, False: 7.28k] ------------------ 80| 1| throw PKCS8_Exception("No key data found"); 81| 1| } 82| 7.28k| } catch(Decoding_Error& e) { 83| 220| throw Decoding_Error("PKCS #8 private key decoding", e); 84| 220| } 85| | 86| 7.27k| try { 87| 7.27k| if(is_encrypted) { ------------------ | Branch (87:10): [True: 0, False: 7.27k] ------------------ 88| 0| if(pbe_alg_id.oid().to_formatted_string() != "PBE-PKCS5v20") { ------------------ | Branch (88:13): [True: 0, False: 0] ------------------ 89| 0| throw PKCS8_Exception(fmt("Unknown PBE type {}", pbe_alg_id.oid())); 90| 0| } 91| | 92| 0|#if defined(BOTAN_HAS_PKCS5_PBES2) 93| 0| key = pbes2_decrypt(key_data, get_passphrase(), pbe_alg_id.parameters()); 94| |#else 95| | BOTAN_UNUSED(get_passphrase); 96| | throw Decoding_Error("Private key is encrypted but PBES2 was disabled in build"); 97| |#endif 98| 7.27k| } else { 99| 7.27k| key = key_data; 100| 7.27k| } 101| | 102| 7.27k| BER_Decoder(key, BER_Decoder::Limits::DER()) 103| 7.27k| .start_sequence() 104| 7.27k| .decode_and_check(0, "Unknown PKCS #8 version number") 105| 7.27k| .decode(pk_alg_id) 106| 7.27k| .decode(key, ASN1_Type::OctetString) 107| 7.27k| .discard_remaining() 108| 7.27k| .end_cons() 109| 7.27k| .verify_end(); 110| 7.27k| } catch(std::exception& e) { 111| 759| throw Decoding_Error("PKCS #8 private key decoding", e); 112| 759| } 113| 6.52k| return key; 114| 7.27k|} pkcs8.cpp:_ZN5Botan5PKCS812_GLOBAL__N_113PKCS8_extractERNS_10DataSourceERNS_19AlgorithmIdentifierE: 31| 5|secure_vector PKCS8_extract(DataSource& source, AlgorithmIdentifier& pbe_alg_id) { 32| 5| secure_vector key_data; 33| | 34| 5| BER_Decoder(source, BER_Decoder::Limits::DER()) 35| 5| .start_sequence() 36| 5| .decode(pbe_alg_id) 37| 5| .decode(key_data, ASN1_Type::OctetString) 38| 5| .verify_end(); 39| | 40| 5| return key_data; 41| 5|} _ZN5Botan13RSA_PublicKey4initEONS_6BigIntES2_: 156| 4|void RSA_PublicKey::init(BigInt&& n, BigInt&& e) { 157| 4| if(n.signum() <= 0 || n.is_even() || n.bits() < 384 || n.bits() > 16384) { ------------------ | Branch (157:7): [True: 1, False: 3] | Branch (157:26): [True: 1, False: 2] | Branch (157:41): [True: 2, False: 0] | Branch (157:59): [True: 0, False: 0] ------------------ 158| 4| throw Decoding_Error("Invalid RSA public key modulus"); 159| 4| } 160| 0| if(e.is_even() || e <= 1 || e >= n || e.bits() > 256) { ------------------ | Branch (160:7): [True: 0, False: 0] | Branch (160:22): [True: 0, False: 0] | Branch (160:32): [True: 0, False: 0] | Branch (160:42): [True: 0, False: 0] ------------------ 161| 0| throw Decoding_Error("Invalid RSA public key exponent"); 162| 0| } 163| 0| m_public = std::make_shared(std::move(n), std::move(e)); 164| 0|} _ZN5Botan14RSA_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 274| 41|RSA_PrivateKey::RSA_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 275| 41| BigInt n; 276| 41| BigInt e; 277| 41| BigInt d; 278| 41| BigInt p; 279| 41| BigInt q; 280| 41| BigInt d1; 281| 41| BigInt d2; 282| 41| BigInt c; 283| | 284| 41| BER_Decoder(key_bits, BER_Decoder::Limits::DER()) 285| 41| .start_sequence() 286| 41| .decode_and_check(0, "Unknown PKCS #1 key format version") 287| 41| .decode(n) 288| 41| .decode(e) 289| 41| .decode(d) 290| 41| .decode(p) 291| 41| .decode(q) 292| 41| .decode(d1) 293| 41| .decode(d2) 294| 41| .decode(c) 295| 41| .end_cons() 296| 41| .verify_end(); 297| | 298| 41| RSA_PublicKey::init(std::move(n), std::move(e)); 299| | 300| 41| RSA_PrivateKey::init(std::move(d), std::move(p), std::move(q), std::move(d1), std::move(d2), std::move(c)); 301| 41|} _ZN5Botan18Sphincs_ParametersC2ENS_21Sphincs_Parameter_SetENS_17Sphincs_Hash_TypeEjjjjjjj: 279| 30| m_set(set), m_hash_type(hash_type), m_n(n), m_h(h), m_d(d), m_a(a), m_k(k), m_w(w), m_bitsec(bitsec) { 280| 30| BOTAN_ARG_CHECK(!(hash_type == Sphincs_Hash_Type::Haraka && is_slh_dsa_set(set)), ------------------ | | 35| 30| do { \ | | 36| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 30| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 30] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 30| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 30] | | ------------------ ------------------ 281| 30| "Haraka is not available for SLH-DSA"); 282| 30| BOTAN_ARG_CHECK(w == 4 || w == 16 || w == 256, "Winternitz parameter must be one of 4, 16, 256"); ------------------ | | 35| 30| do { \ | | 36| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 90| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 0, False: 30] | | | Branch (37:12): [True: 30, False: 0] | | | Branch (37:12): [True: 0, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 30| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 30] | | ------------------ ------------------ 283| 30| BOTAN_ARG_CHECK(n == 16 || n == 24 || n == 32, "n must be one of 16, 24, 32"); ------------------ | | 35| 30| do { \ | | 36| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 86| if(!(expr)) { \ | | ------------------ | | | Branch (37:12): [True: 12, False: 18] | | | Branch (37:12): [True: 10, False: 8] | | | Branch (37:12): [True: 8, False: 0] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 30| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 30] | | ------------------ ------------------ 284| 30| BOTAN_ARG_CHECK(m_d > 0, "d must be greater than zero"); ------------------ | | 35| 30| do { \ | | 36| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 30| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 30] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 30| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 30] | | ------------------ ------------------ 285| | 286| 30| m_xmss_tree_height = m_h / m_d; 287| 30| m_lg_w = ceil_log2(m_w); 288| | 289| | // base_2^b algorithm (Fips 205, Algorithm 4) only works 290| | // when m_log_w is a divisor of 8. 291| 30| BOTAN_ASSERT_NOMSG(m_lg_w <= 8 && 8 % m_lg_w == 0); ------------------ | | 77| 30| do { \ | | 78| 30| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 60| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 30, False: 0] | | | Branch (79:12): [True: 30, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 30| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 30] | | ------------------ ------------------ 292| | 293| | // # Winternitz blocks of the message (len_1 of FIPS 205, Algorithm 1) 294| 30| m_wots_len1 = (m_n * 8) / m_lg_w; 295| | 296| | // # Winternitz blocks of the checksum (output of FIPS 205 Algorithm 1) 297| 30| m_wots_len2 = ceil_log2(m_wots_len1 * (m_w - 1)) / m_lg_w + 1; 298| | 299| | // # Winternitz blocks in the signature (len of FIPS 205, Equation 5.4) 300| 30| m_wots_len = m_wots_len1 + m_wots_len2; 301| | 302| | // byte length of WOTS+ signature as well as public key 303| 30| m_wots_bytes = m_wots_len * m_n; 304| | 305| | // # of bytes the WOTS+ checksum consists of 306| 30| m_wots_checksum_bytes = ceil_tobytes(m_wots_len2 * m_lg_w); 307| | 308| 30| m_fors_sig_bytes = (m_a + 1) * m_k * m_n; 309| | 310| | // byte length of the FORS input message 311| 30| m_fors_message_bytes = ceil_tobytes(m_k * m_a); 312| | 313| 30| m_xmss_sig_bytes = m_wots_bytes + m_xmss_tree_height * m_n; 314| 30| m_ht_sig_bytes = m_d * m_xmss_sig_bytes; 315| 30| m_sp_sig_bytes = m_n /* random */ + m_fors_sig_bytes + m_ht_sig_bytes; 316| | 317| 30| m_tree_digest_bytes = ceil_tobytes(m_h - m_xmss_tree_height); 318| 30| m_leaf_digest_bytes = ceil_tobytes(m_xmss_tree_height); 319| 30| m_h_msg_digest_bytes = m_fors_message_bytes + m_tree_digest_bytes + m_leaf_digest_bytes; 320| 30|} _ZNK5Botan18Sphincs_Parameters12is_availableEv: 322| 4|bool Sphincs_Parameters::is_available() const { 323| 4| [[maybe_unused]] const bool is_slh_dsa = is_slh_dsa_set(m_set); 324| 4|#ifdef BOTAN_HAS_SLH_DSA_WITH_SHA2 325| 4| if(is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Sha256) { ------------------ | Branch (325:7): [True: 4, False: 0] | Branch (325:21): [True: 2, False: 2] ------------------ 326| 2| return true; 327| 2| } 328| 2|#endif 329| 2|#ifdef BOTAN_HAS_SLH_DSA_WITH_SHAKE 330| 2| if(is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Shake256) { ------------------ | Branch (330:7): [True: 2, False: 0] | Branch (330:21): [True: 2, False: 0] ------------------ 331| 2| return true; 332| 2| } 333| 0|#endif 334| 0|#ifdef BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2 335| 0| if(!is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Sha256) { ------------------ | Branch (335:7): [True: 0, False: 0] | Branch (335:22): [True: 0, False: 0] ------------------ 336| 0| return true; 337| 0| } 338| 0|#endif 339| 0|#ifdef BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE 340| 0| if(!is_slh_dsa && m_hash_type == Sphincs_Hash_Type::Shake256) { ------------------ | Branch (340:7): [True: 0, False: 0] | Branch (340:22): [True: 0, False: 0] ------------------ 341| 0| return true; 342| 0| } 343| 0|#endif 344| 0| return false; 345| 0|} _ZN5Botan18Sphincs_Parameters6createENS_21Sphincs_Parameter_SetENS_17Sphincs_Hash_TypeE: 348| 30| Sphincs_Parameter_Set set, Sphincs_Hash_Type hash /*, SlhDsaInputMode input_mode [TODO: prehash mode]*/) { 349| | // See FIPS 205, Table 2 350| 30| switch(set) { ------------------ | Branch (350:11): [True: 30, False: 0] ------------------ 351| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (351:7): [True: 0, False: 30] ------------------ 352| 4| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (352:7): [True: 4, False: 26] ------------------ 353| 4| return Sphincs_Parameters(set, hash, 16, 63, 7, 12, 14, 16, 133); 354| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (354:7): [True: 0, False: 30] ------------------ 355| 8| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (355:7): [True: 8, False: 22] ------------------ 356| 8| return Sphincs_Parameters(set, hash, 16, 66, 22, 6, 33, 16, 128); 357| | 358| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (358:7): [True: 0, False: 30] ------------------ 359| 4| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (359:7): [True: 4, False: 26] ------------------ 360| 4| return Sphincs_Parameters(set, hash, 24, 63, 7, 14, 17, 16, 193); 361| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (361:7): [True: 0, False: 30] ------------------ 362| 6| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (362:7): [True: 6, False: 24] ------------------ 363| 6| return Sphincs_Parameters(set, hash, 24, 66, 22, 8, 33, 16, 194); 364| | 365| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (365:7): [True: 0, False: 30] ------------------ 366| 4| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (366:7): [True: 4, False: 26] ------------------ 367| 4| return Sphincs_Parameters(set, hash, 32, 64, 8, 14, 22, 16, 255); 368| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (368:7): [True: 0, False: 30] ------------------ 369| 4| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (369:7): [True: 4, False: 26] ------------------ 370| 4| return Sphincs_Parameters(set, hash, 32, 68, 17, 9, 35, 16, 255); 371| 30| } 372| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 373| 0|} _ZN5Botan18Sphincs_Parameters6createENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 375| 30|Sphincs_Parameters Sphincs_Parameters::create(std::string_view name) { 376| 30| auto [param_set, hash_type] = set_and_hash_from_name(name); 377| 30| return Sphincs_Parameters::create(param_set, hash_type); 378| 30|} _ZNK5Botan18Sphincs_Parameters9to_stringEv: 396| 15|std::string Sphincs_Parameters::to_string() const { 397| 15| return name_from_set_and_hash(parameter_set(), hash_type()); 398| 15|} _ZN5Botan18Sphincs_Parameters6createERKNS_3OIDE: 400| 30|Sphincs_Parameters Sphincs_Parameters::create(const OID& oid) { 401| 30| return Sphincs_Parameters::create(oid.to_formatted_string()); 402| 30|} _ZNK5Botan18Sphincs_Parameters17object_identifierEv: 404| 15|OID Sphincs_Parameters::object_identifier() const { 405| 15| return OID::from_string(to_string()); 406| 15|} sp_parameters.cpp:_ZN5Botan12_GLOBAL__N_114is_slh_dsa_setENS_21Sphincs_Parameter_SetE: 248| 4|constexpr bool is_slh_dsa_set(Sphincs_Parameter_Set set) { 249| 4| switch(set) { ------------------ | Branch (249:11): [True: 4, False: 0] ------------------ 250| 0| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (250:7): [True: 0, False: 4] ------------------ 251| 4| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (251:7): [True: 4, False: 0] ------------------ 252| 4| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (252:7): [True: 0, False: 4] ------------------ 253| 4| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (253:7): [True: 0, False: 4] ------------------ 254| 4| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (254:7): [True: 0, False: 4] ------------------ 255| 4| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (255:7): [True: 0, False: 4] ------------------ 256| 4| return true; 257| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (257:7): [True: 0, False: 4] ------------------ 258| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (258:7): [True: 0, False: 4] ------------------ 259| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (259:7): [True: 0, False: 4] ------------------ 260| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (260:7): [True: 0, False: 4] ------------------ 261| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (261:7): [True: 0, False: 4] ------------------ 262| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (262:7): [True: 0, False: 4] ------------------ 263| 0| return false; 264| 4| } 265| 0| BOTAN_ASSERT_UNREACHABLE(); ------------------ | | 163| 0|#define BOTAN_ASSERT_UNREACHABLE() Botan::assert_unreachable(__FILE__, __LINE__) ------------------ 266| 0|} sp_parameters.cpp:_ZN5Botan12_GLOBAL__N_122set_and_hash_from_nameENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 20| 30|std::pair set_and_hash_from_name(std::string_view name) { 21| | // SPHINCS+ Round 3.1 instances 22| 30| if(name == "SphincsPlus-sha2-128s-r3.1") { ------------------ | Branch (22:7): [True: 0, False: 30] ------------------ 23| 0| return {Sphincs_Parameter_Set::Sphincs128Small, Sphincs_Hash_Type::Sha256}; 24| 0| } 25| 30| if(name == "SphincsPlus-sha2-128f-r3.1") { ------------------ | Branch (25:7): [True: 0, False: 30] ------------------ 26| 0| return {Sphincs_Parameter_Set::Sphincs128Fast, Sphincs_Hash_Type::Sha256}; 27| 0| } 28| 30| if(name == "SphincsPlus-sha2-192s-r3.1") { ------------------ | Branch (28:7): [True: 0, False: 30] ------------------ 29| 0| return {Sphincs_Parameter_Set::Sphincs192Small, Sphincs_Hash_Type::Sha256}; 30| 0| } 31| 30| if(name == "SphincsPlus-sha2-192f-r3.1") { ------------------ | Branch (31:7): [True: 0, False: 30] ------------------ 32| 0| return {Sphincs_Parameter_Set::Sphincs192Fast, Sphincs_Hash_Type::Sha256}; 33| 0| } 34| 30| if(name == "SphincsPlus-sha2-256s-r3.1") { ------------------ | Branch (34:7): [True: 0, False: 30] ------------------ 35| 0| return {Sphincs_Parameter_Set::Sphincs256Small, Sphincs_Hash_Type::Sha256}; 36| 0| } 37| 30| if(name == "SphincsPlus-sha2-256f-r3.1") { ------------------ | Branch (37:7): [True: 0, False: 30] ------------------ 38| 0| return {Sphincs_Parameter_Set::Sphincs256Fast, Sphincs_Hash_Type::Sha256}; 39| 0| } 40| | 41| 30| if(name == "SphincsPlus-shake-128s-r3.1") { ------------------ | Branch (41:7): [True: 0, False: 30] ------------------ 42| 0| return {Sphincs_Parameter_Set::Sphincs128Small, Sphincs_Hash_Type::Shake256}; 43| 0| } 44| 30| if(name == "SphincsPlus-shake-128f-r3.1") { ------------------ | Branch (44:7): [True: 0, False: 30] ------------------ 45| 0| return {Sphincs_Parameter_Set::Sphincs128Fast, Sphincs_Hash_Type::Shake256}; 46| 0| } 47| 30| if(name == "SphincsPlus-shake-192s-r3.1") { ------------------ | Branch (47:7): [True: 0, False: 30] ------------------ 48| 0| return {Sphincs_Parameter_Set::Sphincs192Small, Sphincs_Hash_Type::Shake256}; 49| 0| } 50| 30| if(name == "SphincsPlus-shake-192f-r3.1") { ------------------ | Branch (50:7): [True: 0, False: 30] ------------------ 51| 0| return {Sphincs_Parameter_Set::Sphincs192Fast, Sphincs_Hash_Type::Shake256}; 52| 0| } 53| 30| if(name == "SphincsPlus-shake-256s-r3.1") { ------------------ | Branch (53:7): [True: 0, False: 30] ------------------ 54| 0| return {Sphincs_Parameter_Set::Sphincs256Small, Sphincs_Hash_Type::Shake256}; 55| 0| } 56| 30| if(name == "SphincsPlus-shake-256f-r3.1") { ------------------ | Branch (56:7): [True: 0, False: 30] ------------------ 57| 0| return {Sphincs_Parameter_Set::Sphincs256Fast, Sphincs_Hash_Type::Shake256}; 58| 0| } 59| | 60| 30| if(name == "SphincsPlus-haraka-128s-r3.1") { ------------------ | Branch (60:7): [True: 0, False: 30] ------------------ 61| 0| return {Sphincs_Parameter_Set::Sphincs128Small, Sphincs_Hash_Type::Haraka}; 62| 0| } 63| 30| if(name == "SphincsPlus-haraka-128f-r3.1") { ------------------ | Branch (63:7): [True: 0, False: 30] ------------------ 64| 0| return {Sphincs_Parameter_Set::Sphincs128Fast, Sphincs_Hash_Type::Haraka}; 65| 0| } 66| 30| if(name == "SphincsPlus-haraka-192s-r3.1") { ------------------ | Branch (66:7): [True: 0, False: 30] ------------------ 67| 0| return {Sphincs_Parameter_Set::Sphincs192Small, Sphincs_Hash_Type::Haraka}; 68| 0| } 69| 30| if(name == "SphincsPlus-haraka-192f-r3.1") { ------------------ | Branch (69:7): [True: 0, False: 30] ------------------ 70| 0| return {Sphincs_Parameter_Set::Sphincs192Fast, Sphincs_Hash_Type::Haraka}; 71| 0| } 72| 30| if(name == "SphincsPlus-haraka-256s-r3.1") { ------------------ | Branch (72:7): [True: 0, False: 30] ------------------ 73| 0| return {Sphincs_Parameter_Set::Sphincs256Small, Sphincs_Hash_Type::Haraka}; 74| 0| } 75| 30| if(name == "SphincsPlus-haraka-256f-r3.1") { ------------------ | Branch (75:7): [True: 0, False: 30] ------------------ 76| 0| return {Sphincs_Parameter_Set::Sphincs256Fast, Sphincs_Hash_Type::Haraka}; 77| 0| } 78| | 79| | // SLH-DSA instances WITHOUT prehash mode 80| 30| if(name == "SLH-DSA-SHA2-128s") { ------------------ | Branch (80:7): [True: 2, False: 28] ------------------ 81| 2| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Sha256}; 82| 2| } 83| 28| if(name == "SLH-DSA-SHA2-128f") { ------------------ | Branch (83:7): [True: 4, False: 24] ------------------ 84| 4| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Sha256}; 85| 4| } 86| 24| if(name == "SLH-DSA-SHA2-192s") { ------------------ | Branch (86:7): [True: 2, False: 22] ------------------ 87| 2| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Sha256}; 88| 2| } 89| 22| if(name == "SLH-DSA-SHA2-192f") { ------------------ | Branch (89:7): [True: 4, False: 18] ------------------ 90| 4| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Sha256}; 91| 4| } 92| 18| if(name == "SLH-DSA-SHA2-256s") { ------------------ | Branch (92:7): [True: 2, False: 16] ------------------ 93| 2| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Sha256}; 94| 2| } 95| 16| if(name == "SLH-DSA-SHA2-256f") { ------------------ | Branch (95:7): [True: 2, False: 14] ------------------ 96| 2| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Sha256}; 97| 2| } 98| | 99| 14| if(name == "SLH-DSA-SHAKE-128s") { ------------------ | Branch (99:7): [True: 2, False: 12] ------------------ 100| 2| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Shake256}; 101| 2| } 102| 12| if(name == "SLH-DSA-SHAKE-128f") { ------------------ | Branch (102:7): [True: 4, False: 8] ------------------ 103| 4| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Shake256}; 104| 4| } 105| 8| if(name == "SLH-DSA-SHAKE-192s") { ------------------ | Branch (105:7): [True: 2, False: 6] ------------------ 106| 2| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Shake256}; 107| 2| } 108| 6| if(name == "SLH-DSA-SHAKE-192f") { ------------------ | Branch (108:7): [True: 2, False: 4] ------------------ 109| 2| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Shake256}; 110| 2| } 111| 4| if(name == "SLH-DSA-SHAKE-256s") { ------------------ | Branch (111:7): [True: 2, False: 2] ------------------ 112| 2| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Shake256}; 113| 2| } 114| 2| if(name == "SLH-DSA-SHAKE-256f") { ------------------ | Branch (114:7): [True: 2, False: 0] ------------------ 115| 2| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Shake256}; 116| 2| } 117| | 118| | // SLH-DSA instances WITH prehash mode 119| 0| if(name == "Hash-SLH-DSA-SHA2-128s-with-SHA256") { ------------------ | Branch (119:7): [True: 0, False: 0] ------------------ 120| 0| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Sha256}; 121| 0| } 122| 0| if(name == "Hash-SLH-DSA-SHA2-128f-with-SHA256") { ------------------ | Branch (122:7): [True: 0, False: 0] ------------------ 123| 0| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Sha256}; 124| 0| } 125| 0| if(name == "Hash-SLH-DSA-SHA2-192s-with-SHA512") { ------------------ | Branch (125:7): [True: 0, False: 0] ------------------ 126| 0| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Sha256}; 127| 0| } 128| 0| if(name == "Hash-SLH-DSA-SHA2-192f-with-SHA512") { ------------------ | Branch (128:7): [True: 0, False: 0] ------------------ 129| 0| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Sha256}; 130| 0| } 131| 0| if(name == "Hash-SLH-DSA-SHA2-256s-with-SHA512") { ------------------ | Branch (131:7): [True: 0, False: 0] ------------------ 132| 0| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Sha256}; 133| 0| } 134| 0| if(name == "Hash-SLH-DSA-SHA2-256f-with-SHA512") { ------------------ | Branch (134:7): [True: 0, False: 0] ------------------ 135| 0| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Sha256}; 136| 0| } 137| | 138| 0| if(name == "Hash-SLH-DSA-SHAKE-128s-with-SHAKE128") { ------------------ | Branch (138:7): [True: 0, False: 0] ------------------ 139| 0| return {Sphincs_Parameter_Set::SLHDSA128Small, Sphincs_Hash_Type::Shake256}; 140| 0| } 141| 0| if(name == "Hash-SLH-DSA-SHAKE-128f-with-SHAKE128") { ------------------ | Branch (141:7): [True: 0, False: 0] ------------------ 142| 0| return {Sphincs_Parameter_Set::SLHDSA128Fast, Sphincs_Hash_Type::Shake256}; 143| 0| } 144| 0| if(name == "Hash-SLH-DSA-SHAKE-192s-with-SHAKE256") { ------------------ | Branch (144:7): [True: 0, False: 0] ------------------ 145| 0| return {Sphincs_Parameter_Set::SLHDSA192Small, Sphincs_Hash_Type::Shake256}; 146| 0| } 147| 0| if(name == "Hash-SLH-DSA-SHAKE-192f-with-SHAKE256") { ------------------ | Branch (147:7): [True: 0, False: 0] ------------------ 148| 0| return {Sphincs_Parameter_Set::SLHDSA192Fast, Sphincs_Hash_Type::Shake256}; 149| 0| } 150| 0| if(name == "Hash-SLH-DSA-SHAKE-256s-with-SHAKE256") { ------------------ | Branch (150:7): [True: 0, False: 0] ------------------ 151| 0| return {Sphincs_Parameter_Set::SLHDSA256Small, Sphincs_Hash_Type::Shake256}; 152| 0| } 153| 0| if(name == "Hash-SLH-DSA-SHAKE-256f-with-SHAKE256") { ------------------ | Branch (153:7): [True: 0, False: 0] ------------------ 154| 0| return {Sphincs_Parameter_Set::SLHDSA256Fast, Sphincs_Hash_Type::Shake256}; 155| 0| } 156| | 157| 0| throw Lookup_Error(fmt("No SLH-DSA (or SPHINCS+) parameter supported for: {}", name)); 158| 0|} sp_parameters.cpp:_ZN5Botan12_GLOBAL__N_122name_from_set_and_hashENS_21Sphincs_Parameter_SetENS_17Sphincs_Hash_TypeE: 160| 15|std::string name_from_set_and_hash(Sphincs_Parameter_Set set, Sphincs_Hash_Type hash) { 161| 15| if(hash == Sphincs_Hash_Type::Sha256) { ------------------ | Branch (161:7): [True: 8, False: 7] ------------------ 162| 8| switch(set) { ------------------ | Branch (162:14): [True: 8, False: 0] ------------------ 163| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (163:10): [True: 0, False: 8] ------------------ 164| 0| return "SphincsPlus-sha2-128s-r3.1"; 165| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (165:10): [True: 0, False: 8] ------------------ 166| 0| return "SphincsPlus-sha2-128f-r3.1"; 167| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (167:10): [True: 0, False: 8] ------------------ 168| 0| return "SphincsPlus-sha2-192s-r3.1"; 169| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (169:10): [True: 0, False: 8] ------------------ 170| 0| return "SphincsPlus-sha2-192f-r3.1"; 171| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (171:10): [True: 0, False: 8] ------------------ 172| 0| return "SphincsPlus-sha2-256s-r3.1"; 173| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (173:10): [True: 0, False: 8] ------------------ 174| 0| return "SphincsPlus-sha2-256f-r3.1"; 175| | 176| 1| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (176:10): [True: 1, False: 7] ------------------ 177| 1| return "SLH-DSA-SHA2-128s"; 178| 2| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (178:10): [True: 2, False: 6] ------------------ 179| 2| return "SLH-DSA-SHA2-128f"; 180| 1| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (180:10): [True: 1, False: 7] ------------------ 181| 1| return "SLH-DSA-SHA2-192s"; 182| 2| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (182:10): [True: 2, False: 6] ------------------ 183| 2| return "SLH-DSA-SHA2-192f"; 184| 1| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (184:10): [True: 1, False: 7] ------------------ 185| 1| return "SLH-DSA-SHA2-256s"; 186| 1| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (186:10): [True: 1, False: 7] ------------------ 187| 1| return "SLH-DSA-SHA2-256f"; 188| 8| } 189| 8| } 190| | 191| 7| if(hash == Sphincs_Hash_Type::Shake256) { ------------------ | Branch (191:7): [True: 7, False: 0] ------------------ 192| 7| switch(set) { ------------------ | Branch (192:14): [True: 7, False: 0] ------------------ 193| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (193:10): [True: 0, False: 7] ------------------ 194| 0| return "SphincsPlus-shake-128s-r3.1"; 195| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (195:10): [True: 0, False: 7] ------------------ 196| 0| return "SphincsPlus-shake-128f-r3.1"; 197| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (197:10): [True: 0, False: 7] ------------------ 198| 0| return "SphincsPlus-shake-192s-r3.1"; 199| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (199:10): [True: 0, False: 7] ------------------ 200| 0| return "SphincsPlus-shake-192f-r3.1"; 201| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (201:10): [True: 0, False: 7] ------------------ 202| 0| return "SphincsPlus-shake-256s-r3.1"; 203| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (203:10): [True: 0, False: 7] ------------------ 204| 0| return "SphincsPlus-shake-256f-r3.1"; 205| | 206| 1| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (206:10): [True: 1, False: 6] ------------------ 207| 1| return "SLH-DSA-SHAKE-128s"; 208| 2| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (208:10): [True: 2, False: 5] ------------------ 209| 2| return "SLH-DSA-SHAKE-128f"; 210| 1| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (210:10): [True: 1, False: 6] ------------------ 211| 1| return "SLH-DSA-SHAKE-192s"; 212| 1| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (212:10): [True: 1, False: 6] ------------------ 213| 1| return "SLH-DSA-SHAKE-192f"; 214| 1| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (214:10): [True: 1, False: 6] ------------------ 215| 1| return "SLH-DSA-SHAKE-256s"; 216| 1| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (216:10): [True: 1, False: 6] ------------------ 217| 1| return "SLH-DSA-SHAKE-256f"; 218| 7| } 219| 7| } 220| | 221| 0| if(hash == Sphincs_Hash_Type::Haraka) { ------------------ | Branch (221:7): [True: 0, False: 0] ------------------ 222| 0| switch(set) { ------------------ | Branch (222:14): [True: 0, False: 0] ------------------ 223| 0| case Sphincs_Parameter_Set::Sphincs128Small: ------------------ | Branch (223:10): [True: 0, False: 0] ------------------ 224| 0| return "SphincsPlus-haraka-128s-r3.1"; 225| 0| case Sphincs_Parameter_Set::Sphincs128Fast: ------------------ | Branch (225:10): [True: 0, False: 0] ------------------ 226| 0| return "SphincsPlus-haraka-128f-r3.1"; 227| 0| case Sphincs_Parameter_Set::Sphincs192Small: ------------------ | Branch (227:10): [True: 0, False: 0] ------------------ 228| 0| return "SphincsPlus-haraka-192s-r3.1"; 229| 0| case Sphincs_Parameter_Set::Sphincs192Fast: ------------------ | Branch (229:10): [True: 0, False: 0] ------------------ 230| 0| return "SphincsPlus-haraka-192f-r3.1"; 231| 0| case Sphincs_Parameter_Set::Sphincs256Small: ------------------ | Branch (231:10): [True: 0, False: 0] ------------------ 232| 0| return "SphincsPlus-haraka-256s-r3.1"; 233| 0| case Sphincs_Parameter_Set::Sphincs256Fast: ------------------ | Branch (233:10): [True: 0, False: 0] ------------------ 234| 0| return "SphincsPlus-haraka-256f-r3.1"; 235| | 236| 0| case Sphincs_Parameter_Set::SLHDSA128Small: ------------------ | Branch (236:10): [True: 0, False: 0] ------------------ 237| 0| case Sphincs_Parameter_Set::SLHDSA128Fast: ------------------ | Branch (237:10): [True: 0, False: 0] ------------------ 238| 0| case Sphincs_Parameter_Set::SLHDSA192Small: ------------------ | Branch (238:10): [True: 0, False: 0] ------------------ 239| 0| case Sphincs_Parameter_Set::SLHDSA192Fast: ------------------ | Branch (239:10): [True: 0, False: 0] ------------------ 240| 0| case Sphincs_Parameter_Set::SLHDSA256Small: ------------------ | Branch (240:10): [True: 0, False: 0] ------------------ 241| 0| case Sphincs_Parameter_Set::SLHDSA256Fast: ------------------ | Branch (241:10): [True: 0, False: 0] ------------------ 242| 0| throw Invalid_Argument("SLH-DSA does not support Haraka"); 243| 0| } 244| 0| } 245| 0| throw Invalid_Argument("Cannot serialize invalid parameter combination"); 246| 0|} _ZN5Botan21SphincsPlus_PublicKeyC2ENSt3__14spanIKhLm18446744073709551615EEENS_18Sphincs_ParametersE: 133| 2| m_public(std::make_shared(params, pub_key)) { 134| 2| if(!params.is_available()) { ------------------ | Branch (134:7): [True: 0, False: 2] ------------------ 135| 0| throw Not_Implemented("This SPHINCS+ parameter set is not available in this configuration"); 136| 0| } 137| 2|} _ZN5Botan21SphincsPlus_PublicKeyD2Ev: 142| 2|SphincsPlus_PublicKey::~SphincsPlus_PublicKey() = default; _ZN5Botan22SphincsPlus_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 299| 15| SphincsPlus_PrivateKey(key_bits, Sphincs_Parameters::create(alg_id.oid())) {} _ZN5Botan22SphincsPlus_PrivateKeyC1ENSt3__14spanIKhLm18446744073709551615EEENS_18Sphincs_ParametersE: 302| 15| SphincsPlus_PublicKey(slice_off_public_key(params.object_identifier(), private_key), params) { 303| 15| if(!params.is_available()) { ------------------ | Branch (303:7): [True: 0, False: 15] ------------------ 304| 0| throw Not_Implemented("This SPHINCS+ parameter set is not available in this configuration"); 305| 0| } 306| | 307| 15| const auto private_portion_bytes = params.private_key_bytes() - params.public_key_bytes(); 308| 15| BOTAN_ASSERT_NOMSG(private_key.size() >= private_portion_bytes); ------------------ | | 77| 15| do { \ | | 78| 15| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 15| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 15] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 15| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 15] | | ------------------ ------------------ 309| | 310| 15| m_private = std::make_shared(params, private_key.first(private_portion_bytes)); 311| 15|} _ZN5Botan22SphincsPlus_PrivateKeyD2Ev: 335| 2|SphincsPlus_PrivateKey::~SphincsPlus_PrivateKey() = default; sphincsplus.cpp:_ZN5Botan12_GLOBAL__N_120slice_off_public_keyERKNS_3OIDENSt3__14spanIKhLm18446744073709551615EEE: 277| 15|std::span slice_off_public_key(const OID& oid, std::span key_bits) { 278| 15| const auto params = Sphincs_Parameters::create(oid); 279| | // Note: We need to transiently instantiate the `Sphincs_Parameters` object 280| | // to know the size of the public/private key. That's slightly 281| | // inefficient but was the best we could do. Once we get rid of the 282| | // PublicKey-PrivateKey inheritance, we might want to reconsider this 283| | // control flow. 284| 15| if(key_bits.size() != params.private_key_bytes()) { ------------------ | Branch (284:7): [True: 13, False: 2] ------------------ 285| 13| throw Decoding_Error("Sphincs Private Key doesn't have the expected length"); 286| 13| } 287| | 288| 2| return key_bits.subspan(params.private_key_bytes() - params.public_key_bytes()); 289| 15|} _ZN5Botan29SphincsPlus_PublicKeyInternalC2ENS_18Sphincs_ParametersENSt3__14spanIKhLm18446744073709551615EEE: 73| 2| SphincsPlus_PublicKeyInternal(Sphincs_Parameters params, std::span key_bits) : m_params(params) { 74| 2| if(key_bits.size() != m_params.public_key_bytes()) { ------------------ | Branch (74:13): [True: 0, False: 2] ------------------ 75| 0| throw Decoding_Error("SLH-DSA (or SPHINCS+) Public Key doesn't have the expected length"); 76| 0| } 77| | 78| 2| BufferSlicer s(key_bits); 79| 2| m_public_seed = s.copy(params.n()); 80| 2| m_sphincs_root = s.copy(params.n()); 81| | 82| 2| BOTAN_ASSERT_NOMSG(s.empty()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 83| 2| } _ZN5Botan30SphincsPlus_PrivateKeyInternalC2ERKNS_18Sphincs_ParametersENSt3__14spanIKhLm18446744073709551615EEE: 104| 2| SphincsPlus_PrivateKeyInternal(const Sphincs_Parameters& params, std::span key_bits) { 105| 2| if(key_bits.size() != params.private_key_bytes() - params.public_key_bytes()) { ------------------ | Branch (105:13): [True: 0, False: 2] ------------------ 106| 0| throw Decoding_Error("SLH-DSA (or SPHINCS+) Private Key doesn't have the expected length"); 107| 0| } 108| | 109| 2| BufferSlicer s(key_bits); 110| 2| m_secret_seed = s.copy(params.n()); 111| 2| m_prf = s.copy(params.n()); 112| | 113| 2| BOTAN_ASSERT_NOMSG(s.empty()); ------------------ | | 77| 2| do { \ | | 78| 2| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 2| if(!(expr)) { \ | | ------------------ | | | Branch (79:10): [True: 0, False: 2] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 2| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 2] | | ------------------ ------------------ 114| 2| } _ZN5Botan14if_work_factorEm: 37| 100|size_t if_work_factor(size_t bits) { 38| 100| if(bits < 512) { ------------------ | Branch (38:7): [True: 5, False: 95] ------------------ 39| 5| return 0; 40| 5| } 41| | 42| | // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest 43| | 44| 95| const double log2_k = -5.6438; // log2(.02) 45| 95| return nfs_workfactor(bits, log2_k); 46| 100|} _ZN5Botan14dl_work_factorEm: 48| 100|size_t dl_work_factor(size_t bits) { 49| | // Lacking better estimates... 50| 100| return if_work_factor(bits); 51| 100|} _ZN5Botan16dl_exponent_sizeEm: 53| 100|size_t dl_exponent_size(size_t p_bits) { 54| 100| BOTAN_ARG_CHECK(p_bits > 1, "Invalid prime length"); ------------------ | | 35| 100| do { \ | | 36| 100| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 37| 100| if(!(expr)) { \ | | ------------------ | | | Branch (37:10): [True: 0, False: 100] | | ------------------ | | 38| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 39| 0| Botan::throw_invalid_argument(msg, __func__, __FILE__); \ | | 40| 0| } \ | | 41| 100| } while(0) | | ------------------ | | | Branch (41:12): [Folded, False: 100] | | ------------------ ------------------ 55| | 56| | /* 57| | For relevant sizes we follow the suggestions in 58| | NIST SP 800-56B Rev 2 Appendix D 59| | "Maximum Security Strength Estimates for IFC Modulus Lengths" 60| | 61| | For sizes outside the range considered in the SP we use some sensible values 62| | 63| | Note that we return twice the value given in Table 4 since we are choosing 64| | the exponent size as twice the estimated security strength. 65| | 66| | See also NIST SP 800-56A Rev 3 Appendix D, Tables 25 and 26 67| | */ 68| | 69| 100| if(p_bits <= 256) { ------------------ | Branch (69:7): [True: 4, False: 96] ------------------ 70| | /* 71| | * For stupidly small groups we might return a value larger than the group 72| | * size if we fell into the conditionals below. Just use the maximum 73| | * possible exponent size - for all the good it will do you with a group 74| | * this weak. 75| | */ 76| 4| return p_bits - 1; 77| 96| } else if(p_bits <= 1024) { ------------------ | Branch (77:14): [True: 1, False: 95] ------------------ 78| | /* 79| | Not in the SP, but general estimates are that a 1024 bit group provides at 80| | most 80 bits security, so using an exponent appropriate for 96 bit security 81| | is more than sufficient. 82| | */ 83| 1| return 192; 84| 95| } else if(p_bits <= 2048) { ------------------ | Branch (84:14): [True: 95, False: 0] ------------------ 85| 95| return 224; // SP 800-56B 86| 95| } else if(p_bits <= 3072) { ------------------ | Branch (86:14): [True: 0, False: 0] ------------------ 87| 0| return 256; // SP 800-56B 88| 0| } else if(p_bits <= 4096) { ------------------ | Branch (88:14): [True: 0, False: 0] ------------------ 89| 0| return 304; // SP 800-56B 90| 0| } else if(p_bits <= 6144) { ------------------ | Branch (90:14): [True: 0, False: 0] ------------------ 91| 0| return 352; // SP 800-56B 92| 0| } else if(p_bits <= 8192) { ------------------ | Branch (92:14): [True: 0, False: 0] ------------------ 93| 0| return 400; // SP 800-56B 94| 0| } else { 95| | // For values larger than we know about, just saturate to 256 bit security 96| | // which is Good Enough for FFDH 97| | // 98| | // NIST puts 15360 bit groups at exactly 256 bits security 99| 0| return 512; 100| 0| } 101| 100|} workfactor.cpp:_ZN5Botan12_GLOBAL__N_114nfs_workfactorEmd: 22| 95|size_t nfs_workfactor(size_t bits, double log2_k) { 23| | // approximates natural logarithm of an integer of given bitsize 24| 95| const double log_p = static_cast(bits) / std::numbers::log2e; 25| | 26| 95| const double log_log_p = std::log(log_p); 27| | 28| | // RFC 3766: k * e^((1.92 + o(1)) * cubrt(ln(n) * (ln(ln(n)))^2)) 29| 95| const double est = 1.92 * std::pow(log_p * log_log_p * log_log_p, 1.0 / 3.0); 30| | 31| | // return log2 of the workfactor 32| 95| return static_cast(log2_k + std::numbers::log2e * est); 33| 95|} _ZN5Botan16curve25519_donnaEPhPKhS2_: 453| 2|void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32]) { 454| 2| CT::poison(secret, 32); 455| 2| CT::poison(basepoint, 32); 456| | 457| 2| uint64_t bp[5]; 458| 2| uint64_t x[5]; 459| 2| uint64_t z[5]; 460| 2| uint64_t zmone[5]; 461| 2| uint8_t e[32]; 462| | 463| 2| copy_mem(e, secret, 32); 464| 2| e[0] &= 248; 465| 2| e[31] &= 127; 466| 2| e[31] |= 64; 467| | 468| 2| fexpand(bp, basepoint); 469| 2| cmult(x, z, e, bp); 470| 2| crecip(zmone, z); 471| 2| fmul(z, x, zmone); 472| 2| fcontract(mypublic, z); 473| | 474| 2| CT::unpoison(secret, 32); 475| 2| CT::unpoison(basepoint, 32); 476| 2| CT::unpoison(mypublic, 32); 477| 2|} donna.cpp:_ZN5Botan12_GLOBAL__N_17fexpandEPmPKh: 217| 2|inline void fexpand(uint64_t* out, const uint8_t* in) { 218| 2| out[0] = load_le(in, 0) & MASK_63; 219| 2| out[1] = (load_le(in + 6, 0) >> 3) & MASK_63; 220| 2| out[2] = (load_le(in + 12, 0) >> 6) & MASK_63; 221| 2| out[3] = (load_le(in + 19, 0) >> 1) & MASK_63; 222| 2| out[4] = (load_le(in + 24, 0) >> 12) & MASK_63; 223| 2|} donna.cpp:_ZN5Botan12_GLOBAL__N_15cmultEPmS1_PKhPKm: 364| 2|void cmult(uint64_t resultx[5], uint64_t resultz[5], const uint8_t n[32], const uint64_t q[5]) { 365| 2| uint64_t a[5] = {0}; // nqpqx 366| 2| uint64_t b[5] = {1}; // npqpz 367| 2| uint64_t c[5] = {1}; // nqx 368| 2| uint64_t d[5] = {0}; // nqz 369| 2| uint64_t e[5] = {0}; // npqqx2 370| 2| uint64_t f[5] = {1}; // npqqz2 371| 2| uint64_t g[5] = {0}; // nqx2 372| 2| uint64_t h[5] = {1}; // nqz2 373| | 374| 2| copy_mem(a, q, 5); 375| | 376| 66| for(size_t i = 0; i < 32; ++i) { ------------------ | Branch (376:22): [True: 64, False: 2] ------------------ 377| 64| const uint64_t si = n[31 - i]; 378| 64| const auto bit0 = CT::Mask::expand_bit(si, 7); 379| 64| const auto bit1 = CT::Mask::expand_bit(si, 6); 380| 64| const auto bit2 = CT::Mask::expand_bit(si, 5); 381| 64| const auto bit3 = CT::Mask::expand_bit(si, 4); 382| 64| const auto bit4 = CT::Mask::expand_bit(si, 3); 383| 64| const auto bit5 = CT::Mask::expand_bit(si, 2); 384| 64| const auto bit6 = CT::Mask::expand_bit(si, 1); 385| 64| const auto bit7 = CT::Mask::expand_bit(si, 0); 386| | 387| 64| swap_conditional(c, a, d, b, bit0); 388| 64| fmonty(g, h, e, f, c, d, a, b, q); 389| | 390| 64| swap_conditional(g, e, h, f, bit0 ^ bit1); 391| 64| fmonty(c, d, a, b, g, h, e, f, q); 392| | 393| 64| swap_conditional(c, a, d, b, bit1 ^ bit2); 394| 64| fmonty(g, h, e, f, c, d, a, b, q); 395| | 396| 64| swap_conditional(g, e, h, f, bit2 ^ bit3); 397| 64| fmonty(c, d, a, b, g, h, e, f, q); 398| | 399| 64| swap_conditional(c, a, d, b, bit3 ^ bit4); 400| 64| fmonty(g, h, e, f, c, d, a, b, q); 401| | 402| 64| swap_conditional(g, e, h, f, bit4 ^ bit5); 403| 64| fmonty(c, d, a, b, g, h, e, f, q); 404| | 405| 64| swap_conditional(c, a, d, b, bit5 ^ bit6); 406| 64| fmonty(g, h, e, f, c, d, a, b, q); 407| | 408| 64| swap_conditional(g, e, h, f, bit6 ^ bit7); 409| 64| fmonty(c, d, a, b, g, h, e, f, q); 410| | 411| 64| swap_conditional(c, a, d, b, bit7); 412| 64| } 413| | 414| 2| copy_mem(resultx, c, 5); 415| 2| copy_mem(resultz, d, 5); 416| 2|} donna.cpp:_ZN5Botan12_GLOBAL__N_116swap_conditionalEPmS1_S1_S1_NS_2CT4MaskImEE: 346| 576|inline void swap_conditional(uint64_t a[5], uint64_t b[5], uint64_t c[5], uint64_t d[5], CT::Mask swap) { 347| 3.45k| for(size_t i = 0; i < 5; ++i) { ------------------ | Branch (347:22): [True: 2.88k, False: 576] ------------------ 348| 2.88k| const uint64_t x0 = swap.if_set_return(a[i] ^ b[i]); 349| 2.88k| a[i] ^= x0; 350| 2.88k| b[i] ^= x0; 351| | 352| 2.88k| const uint64_t x1 = swap.if_set_return(c[i] ^ d[i]); 353| 2.88k| c[i] ^= x1; 354| 2.88k| d[i] ^= x1; 355| 2.88k| } 356| 576|} donna.cpp:_ZN5Botan12_GLOBAL__N_16fmontyEPmS1_S1_S1_S1_S1_S1_S1_PKm: 308| 512| const uint64_t q_minus_q_dash[5]) { 309| 512| uint64_t zzz[5]; 310| 512| uint64_t xx[5]; 311| 512| uint64_t zz[5]; 312| 512| uint64_t xxprime[5]; 313| 512| uint64_t zzprime[5]; 314| 512| uint64_t zzzprime[5]; 315| | 316| 512| fadd_sub(in_q_z, in_q_x); 317| 512| fadd_sub(in_q_dash_z, in_q_dash_x); 318| | 319| 512| fmul(xxprime, in_q_dash_x, in_q_z); 320| 512| fmul(zzprime, in_q_dash_z, in_q_x); 321| | 322| 512| fadd_sub(zzprime, xxprime); 323| | 324| 512| fsquare(result_q_plus_q_dash_x, xxprime); 325| 512| fsquare(zzzprime, zzprime); 326| 512| fmul(result_q_plus_q_dash_z, zzzprime, q_minus_q_dash); 327| | 328| 512| fsquare(xx, in_q_x); 329| 512| fsquare(zz, in_q_z); 330| 512| fmul(result_two_q_x, xx, zz); 331| | 332| 512| fdifference_backwards(zz, xx); // does zz = xx - zz 333| 512| fscalar_product(zzz, zz, 121665); 334| 512| fsum(zzz, xx); 335| | 336| 512| fmul(result_two_q_z, zz, zzz); 337| 512|} donna.cpp:_ZN5Botan12_GLOBAL__N_18fadd_subEPmS1_: 76| 1.53k|inline void fadd_sub(uint64_t x[5], uint64_t y[5]) { 77| | // TODO merge these and avoid the tmp array 78| 1.53k| uint64_t tmp[5]; 79| 1.53k| copy_mem(tmp, y, 5); 80| 1.53k| fsum(y, x); 81| 1.53k| fdifference_backwards(x, tmp); // does x - z 82| 1.53k|} donna.cpp:_ZN5Botan12_GLOBAL__N_17fsquareEPmPKmm: 169| 2.07k|inline void fsquare(uint64_t out[5], const uint64_t in[5], size_t count = 1) { 170| 2.07k| uint64_t r0 = in[0]; 171| 2.07k| uint64_t r1 = in[1]; 172| 2.07k| uint64_t r2 = in[2]; 173| 2.07k| uint64_t r3 = in[3]; 174| 2.07k| uint64_t r4 = in[4]; 175| | 176| 4.62k| for(size_t i = 0; i != count; ++i) { ------------------ | Branch (176:22): [True: 2.55k, False: 2.07k] ------------------ 177| 2.55k| const uint64_t d0 = r0 * 2; 178| 2.55k| const uint64_t d1 = r1 * 2; 179| 2.55k| const uint64_t d2 = r2 * 2 * 19; 180| 2.55k| const uint64_t d419 = r4 * 19; 181| 2.55k| const uint64_t d4 = d419 * 2; 182| | 183| 2.55k| const uint128_t t0 = uint128_t(r0) * r0 + uint128_t(d4) * r1 + uint128_t(d2) * (r3); 184| 2.55k| uint128_t t1 = uint128_t(d0) * r1 + uint128_t(d4) * r2 + uint128_t(r3) * (r3 * 19); 185| 2.55k| uint128_t t2 = uint128_t(d0) * r2 + uint128_t(r1) * r1 + uint128_t(d4) * (r3); 186| 2.55k| uint128_t t3 = uint128_t(d0) * r3 + uint128_t(d1) * r2 + uint128_t(r4) * (d419); 187| 2.55k| uint128_t t4 = uint128_t(d0) * r4 + uint128_t(d1) * r3 + uint128_t(r2) * (r2); 188| | 189| 2.55k| r0 = t0 & MASK_63; 190| 2.55k| t1 += carry_shift(t0, 51); 191| 2.55k| r1 = t1 & MASK_63; 192| 2.55k| t2 += carry_shift(t1, 51); 193| 2.55k| r2 = t2 & MASK_63; 194| 2.55k| t3 += carry_shift(t2, 51); 195| 2.55k| r3 = t3 & MASK_63; 196| 2.55k| t4 += carry_shift(t3, 51); 197| 2.55k| r4 = t4 & MASK_63; 198| 2.55k| uint64_t c = carry_shift(t4, 51); 199| | 200| 2.55k| r0 += c * 19; 201| 2.55k| c = r0 >> 51U; 202| 2.55k| r0 = r0 & MASK_63; 203| 2.55k| r1 += c; 204| 2.55k| c = r1 >> 51U; 205| 2.55k| r1 = r1 & MASK_63; 206| 2.55k| r2 += c; 207| 2.55k| } 208| | 209| 2.07k| out[0] = r0; 210| 2.07k| out[1] = r1; 211| 2.07k| out[2] = r2; 212| 2.07k| out[3] = r3; 213| 2.07k| out[4] = r4; 214| 2.07k|} donna.cpp:_ZN5Botan12_GLOBAL__N_121fdifference_backwardsEPmPKm: 64| 2.04k|inline void fdifference_backwards(uint64_t out[5], const uint64_t in[5]) { 65| | /* 152 is 19 << 3 */ 66| 2.04k| const uint64_t two54m152 = (static_cast(1) << 54) - 152; 67| 2.04k| const uint64_t two54m8 = (static_cast(1) << 54) - 8; 68| | 69| 2.04k| out[0] = in[0] + two54m152 - out[0]; 70| 2.04k| out[1] = in[1] + two54m8 - out[1]; 71| 2.04k| out[2] = in[2] + two54m8 - out[2]; 72| 2.04k| out[3] = in[3] + two54m8 - out[3]; 73| 2.04k| out[4] = in[4] + two54m8 - out[4]; 74| 2.04k|} donna.cpp:_ZN5Botan12_GLOBAL__N_115fscalar_productEPmPKmm: 87| 512|inline void fscalar_product(uint64_t out[5], const uint64_t in[5], const uint64_t scalar) { 88| 512| uint128_t a = uint128_t(in[0]) * scalar; 89| 512| out[0] = a & MASK_63; 90| | 91| 512| a = uint128_t(in[1]) * scalar + carry_shift(a, 51); 92| 512| out[1] = a & MASK_63; 93| | 94| 512| a = uint128_t(in[2]) * scalar + carry_shift(a, 51); 95| 512| out[2] = a & MASK_63; 96| | 97| 512| a = uint128_t(in[3]) * scalar + carry_shift(a, 51); 98| 512| out[3] = a & MASK_63; 99| | 100| 512| a = uint128_t(in[4]) * scalar + carry_shift(a, 51); 101| 512| out[4] = a & MASK_63; 102| | 103| 512| out[0] += carry_shift(a, 51) * 19; 104| 512|} donna.cpp:_ZN5Botan12_GLOBAL__N_14fsumEPmPKm: 50| 2.04k|inline void fsum(uint64_t out[5], const uint64_t in[5]) { 51| 2.04k| out[0] += in[0]; 52| 2.04k| out[1] += in[1]; 53| 2.04k| out[2] += in[2]; 54| 2.04k| out[3] += in[3]; 55| 2.04k| out[4] += in[4]; 56| 2.04k|} donna.cpp:_ZN5Botan12_GLOBAL__N_16crecipEPmPKm: 421| 2|void crecip(uint64_t out[5], const uint64_t z[5]) { 422| 2| uint64_t a[5]; 423| 2| uint64_t b[5]; 424| 2| uint64_t c[5]; 425| 2| uint64_t t0[5]; 426| | 427| 2| fsquare(a, z); // 2 428| 2| fsquare(t0, a, 2); // 8 429| 2| fmul(b, t0, z); // 9 430| 2| fmul(a, b, a); // 11 431| 2| fsquare(t0, a); // 22 432| 2| fmul(b, t0, b); // 2^5 - 2^0 = 31 433| 2| fsquare(t0, b, 5); // 2^10 - 2^5 434| 2| fmul(b, t0, b); // 2^10 - 2^0 435| 2| fsquare(t0, b, 10); // 2^20 - 2^10 436| 2| fmul(c, t0, b); // 2^20 - 2^0 437| 2| fsquare(t0, c, 20); // 2^40 - 2^20 438| 2| fmul(t0, t0, c); // 2^40 - 2^0 439| 2| fsquare(t0, t0, 10); // 2^50 - 2^10 440| 2| fmul(b, t0, b); // 2^50 - 2^0 441| 2| fsquare(t0, b, 50); // 2^100 - 2^50 442| 2| fmul(c, t0, b); // 2^100 - 2^0 443| 2| fsquare(t0, c, 100); // 2^200 - 2^100 444| 2| fmul(t0, t0, c); // 2^200 - 2^0 445| 2| fsquare(t0, t0, 50); // 2^250 - 2^50 446| 2| fmul(t0, t0, b); // 2^250 - 2^0 447| 2| fsquare(t0, t0, 5); // 2^255 - 2^5 448| 2| fmul(out, t0, a); // 2^255 - 21 449| 2|} donna.cpp:_ZN5Botan12_GLOBAL__N_14fmulEPmPKmS3_: 114| 2.58k|inline void fmul(uint64_t out[5], const uint64_t in[5], const uint64_t in2[5]) { 115| 2.58k| const auto s0 = uint128_t(in2[0]); 116| 2.58k| const auto s1 = uint128_t(in2[1]); 117| 2.58k| const auto s2 = uint128_t(in2[2]); 118| 2.58k| const auto s3 = uint128_t(in2[3]); 119| 2.58k| const auto s4 = uint128_t(in2[4]); 120| | 121| 2.58k| uint64_t r0 = in[0]; 122| 2.58k| uint64_t r1 = in[1]; 123| 2.58k| uint64_t r2 = in[2]; 124| 2.58k| uint64_t r3 = in[3]; 125| 2.58k| uint64_t r4 = in[4]; 126| | 127| 2.58k| uint128_t t0 = r0 * s0; 128| 2.58k| uint128_t t1 = r0 * s1 + r1 * s0; 129| 2.58k| uint128_t t2 = r0 * s2 + r2 * s0 + r1 * s1; 130| 2.58k| uint128_t t3 = r0 * s3 + r3 * s0 + r1 * s2 + r2 * s1; 131| 2.58k| uint128_t t4 = r0 * s4 + r4 * s0 + r3 * s1 + r1 * s3 + r2 * s2; 132| | 133| 2.58k| r4 *= 19; 134| 2.58k| r1 *= 19; 135| 2.58k| r2 *= 19; 136| 2.58k| r3 *= 19; 137| | 138| 2.58k| t0 += r4 * s1 + r1 * s4 + r2 * s3 + r3 * s2; 139| 2.58k| t1 += r4 * s2 + r2 * s4 + r3 * s3; 140| 2.58k| t2 += r4 * s3 + r3 * s4; 141| 2.58k| t3 += r4 * s4; 142| | 143| 2.58k| r0 = t0 & MASK_63; 144| 2.58k| t1 += carry_shift(t0, 51); 145| 2.58k| r1 = t1 & MASK_63; 146| 2.58k| t2 += carry_shift(t1, 51); 147| 2.58k| r2 = t2 & MASK_63; 148| 2.58k| t3 += carry_shift(t2, 51); 149| 2.58k| r3 = t3 & MASK_63; 150| 2.58k| t4 += carry_shift(t3, 51); 151| 2.58k| r4 = t4 & MASK_63; 152| 2.58k| uint64_t c = carry_shift(t4, 51); 153| | 154| 2.58k| r0 += c * 19; 155| 2.58k| c = r0 >> 51U; 156| 2.58k| r0 = r0 & MASK_63; 157| 2.58k| r1 += c; 158| 2.58k| c = r1 >> 51U; 159| 2.58k| r1 = r1 & MASK_63; 160| 2.58k| r2 += c; 161| | 162| 2.58k| out[0] = r0; 163| 2.58k| out[1] = r1; 164| 2.58k| out[2] = r2; 165| 2.58k| out[3] = r3; 166| 2.58k| out[4] = r4; 167| 2.58k|} donna.cpp:_ZN5Botan12_GLOBAL__N_19fcontractEPhPKm: 228| 2|inline void fcontract(uint8_t* out, const uint64_t input[5]) { 229| 2| auto t0 = uint128_t(input[0]); 230| 2| auto t1 = uint128_t(input[1]); 231| 2| auto t2 = uint128_t(input[2]); 232| 2| auto t3 = uint128_t(input[3]); 233| 2| auto t4 = uint128_t(input[4]); 234| | 235| 6| for(size_t i = 0; i != 2; ++i) { ------------------ | Branch (235:22): [True: 4, False: 2] ------------------ 236| 4| t1 += t0 >> 51U; 237| 4| t0 &= MASK_63; 238| 4| t2 += t1 >> 51U; 239| 4| t1 &= MASK_63; 240| 4| t3 += t2 >> 51U; 241| 4| t2 &= MASK_63; 242| 4| t4 += t3 >> 51U; 243| 4| t3 &= MASK_63; 244| 4| t0 += (t4 >> 51U) * 19; 245| 4| t4 &= MASK_63; 246| 4| } 247| | 248| | /* now t is between 0 and 2^255-1, properly carried. */ 249| | /* case 1: between 0 and 2^255-20. case 2: between 2^255-19 and 2^255-1. */ 250| | 251| 2| t0 += 19; 252| | 253| 2| t1 += t0 >> 51U; 254| 2| t0 &= MASK_63; 255| 2| t2 += t1 >> 51U; 256| 2| t1 &= MASK_63; 257| 2| t3 += t2 >> 51U; 258| 2| t2 &= MASK_63; 259| 2| t4 += t3 >> 51U; 260| 2| t3 &= MASK_63; 261| 2| t0 += (t4 >> 51U) * 19; 262| 2| t4 &= MASK_63; 263| | 264| | /* now between 19 and 2^255-1 in both cases, and offset by 19. */ 265| | 266| 2| t0 += 0x8000000000000 - 19; 267| 2| t1 += 0x8000000000000 - 1; 268| 2| t2 += 0x8000000000000 - 1; 269| 2| t3 += 0x8000000000000 - 1; 270| 2| t4 += 0x8000000000000 - 1; 271| | 272| | /* now between 2^255 and 2^256-20, and offset by 2^255. */ 273| | 274| 2| t1 += t0 >> 51U; 275| 2| t0 &= MASK_63; 276| 2| t2 += t1 >> 51U; 277| 2| t1 &= MASK_63; 278| 2| t3 += t2 >> 51U; 279| 2| t2 &= MASK_63; 280| 2| t4 += t3 >> 51U; 281| 2| t3 &= MASK_63; 282| 2| t4 &= MASK_63; 283| | 284| 2| store_le(out, 285| 2| combine_lower(t0, 0, t1, 51), 286| 2| combine_lower(t1, 13, t2, 38), 287| 2| combine_lower(t2, 26, t3, 25), 288| 2| combine_lower(t3, 39, t4, 12)); 289| 2|} _ZN5Botan20curve25519_basepointEPhPKh: 19| 2|void curve25519_basepoint(uint8_t mypublic[32], const uint8_t secret[32]) { 20| 2| const uint8_t basepoint[32] = {9}; 21| 2| curve25519_donna(mypublic, secret, basepoint); 22| 2|} _ZN5Botan17X25519_PrivateKeyC1ERKNS_19AlgorithmIdentifierENSt3__14spanIKhLm18446744073709551615EEE: 85| 8|X25519_PrivateKey::X25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span key_bits) { 86| 8| BER_Decoder(key_bits, BER_Decoder::Limits::DER()).decode(m_private, ASN1_Type::OctetString).discard_remaining(); 87| | 88| 8| size_check(m_private.size(), "private key"); 89| 8| m_public.resize(32); 90| 8| curve25519_basepoint(m_public.data(), m_private.data()); 91| 8|} x25519.cpp:_ZN5Botan12_GLOBAL__N_110size_checkEmPKc: 26| 7|void size_check(size_t size, const char* thing) { 27| 7| if(size != 32) { ------------------ | Branch (27:7): [True: 5, False: 2] ------------------ 28| 5| throw Decoding_Error(fmt("Invalid size {} for X25519 {}", size, thing)); 29| 5| } 30| 7|} _ZN5Botan15allocate_memoryEmm: 21| 18.9M|BOTAN_MALLOC_FN void* allocate_memory(size_t elems, size_t elem_size) { 22| 18.9M| if(elems == 0 || elem_size == 0) { ------------------ | Branch (22:7): [True: 0, False: 18.9M] | Branch (22:21): [True: 0, False: 18.9M] ------------------ 23| 0| return nullptr; 24| 0| } 25| | 26| | // Some calloc implementations do not check for overflow (?!?) 27| 18.9M| if(!checked_mul(elems, elem_size).has_value()) { ------------------ | Branch (27:7): [True: 0, False: 18.9M] ------------------ 28| 0| throw std::bad_alloc(); 29| 0| } 30| | 31| |#if defined(BOTAN_HAS_LOCKING_ALLOCATOR) 32| | // NOLINTNEXTLINE(*-const-correctness) bug in clang-tidy 33| | if(void* p = mlock_allocator::instance().allocate(elems, elem_size)) { 34| | return p; 35| | } 36| |#endif 37| | 38| |#if defined(BOTAN_TARGET_OS_HAS_ALLOC_CONCEAL) 39| | void* ptr = ::calloc_conceal(elems, elem_size); 40| |#else 41| | // NOLINTNEXTLINE(*-const-correctness) bug in clang-tidy 42| 18.9M| void* ptr = std::calloc(elems, elem_size); // NOLINT(*-no-malloc,*-owning-memory) 43| 18.9M|#endif 44| 18.9M| if(ptr == nullptr) { ------------------ | Branch (44:7): [True: 0, False: 18.9M] ------------------ 45| 0| [[unlikely]] throw std::bad_alloc(); 46| 0| } 47| 18.9M| return ptr; 48| 18.9M|} _ZN5Botan17deallocate_memoryEPvmm: 50| 18.9M|void deallocate_memory(void* p, size_t elems, size_t elem_size) { 51| 18.9M| if(p == nullptr) { ------------------ | Branch (51:7): [True: 0, False: 18.9M] ------------------ 52| 0| [[unlikely]] return; 53| 0| } 54| | 55| 18.9M| secure_scrub_memory(p, elems * elem_size); 56| | 57| |#if defined(BOTAN_HAS_LOCKING_ALLOCATOR) 58| | if(mlock_allocator::instance().deallocate(p, elems, elem_size)) { 59| | return; 60| | } 61| |#endif 62| | 63| 18.9M| std::free(p); // NOLINT(*-no-malloc,*-owning-memory) 64| 18.9M|} _ZN5Botan20initialize_allocatorEv: 66| 1|void initialize_allocator() { 67| |#if defined(BOTAN_HAS_LOCKING_ALLOCATOR) 68| | mlock_allocator::instance(); 69| |#endif 70| 1|} _ZN5Botan22throw_invalid_argumentEPKcS1_S1_: 23| 52|void throw_invalid_argument(const char* message, const char* func, const char* file) { 24| 52| throw Invalid_Argument(fmt("{} in {}:{}", message, func, file)); 25| 52|} _ZN5Botan23format_char_for_displayEc: 196| 34|std::string format_char_for_display(char c) { 197| 34| std::ostringstream oss; 198| | 199| 34| oss << "'"; 200| | 201| 34| if(c == '\t') { ------------------ | Branch (201:7): [True: 0, False: 34] ------------------ 202| 0| oss << "\\t"; 203| 34| } else if(c == '\n') { ------------------ | Branch (203:14): [True: 0, False: 34] ------------------ 204| 0| oss << "\\n"; 205| 34| } else if(c == '\r') { ------------------ | Branch (205:14): [True: 0, False: 34] ------------------ 206| 0| oss << "\\r"; 207| 34| } else if(static_cast(c) >= 128) { ------------------ | Branch (207:14): [True: 16, False: 18] ------------------ 208| 16| const unsigned char z = static_cast(c); 209| 16| oss << "\\x" << std::hex << std::uppercase << static_cast(z); 210| 18| } else { 211| 18| oss << c; 212| 18| } 213| | 214| 34| oss << "'"; 215| | 216| 34| return oss.str(); 217| 34|} _ZN5Botan5CPUID10CPUID_DataC2Ev: 80| 1|CPUID::CPUID_Data::CPUID_Data() { 81| | // NOLINTBEGIN(*-prefer-member-initializer) 82| 1|#if defined(BOTAN_HAS_CPUID_DETECTION) 83| 1| m_processor_features = detect_cpu_features(~cleared_cpuid_bits()); 84| |#else 85| | m_processor_features = 0; 86| |#endif 87| | // NOLINTEND(*-prefer-member-initializer) 88| 1|} cpuid.cpp:_ZN5Botan12_GLOBAL__N_118cleared_cpuid_bitsEv: 59| 1|uint32_t cleared_cpuid_bits() { 60| 1| uint32_t cleared = 0; 61| | 62| 1| #if defined(BOTAN_HAS_OS_UTILS) 63| 1| std::string clear_cpuid_env; 64| 1| if(OS::read_env_variable(clear_cpuid_env, "BOTAN_CLEAR_CPUID")) { ------------------ | Branch (64:7): [True: 0, False: 1] ------------------ 65| 0| for(const auto& cpuid : split_on(clear_cpuid_env, ',')) { ------------------ | Branch (65:29): [True: 0, False: 0] ------------------ 66| 0| if(auto bit = CPUID::bit_from_string(cpuid)) { ------------------ | Branch (66:18): [True: 0, False: 0] ------------------ 67| 0| cleared |= bit->as_u32(); 68| 0| } 69| 0| } 70| 0| } 71| 1| #endif 72| | 73| 1| return cleared; 74| 1|} _ZN5Botan5CPUID10CPUID_Data19detect_cpu_featuresEj: 62| 1|uint32_t CPUID::CPUID_Data::detect_cpu_features(uint32_t allowed) { 63| 1| enum class x86_CPUID_1_bits : uint64_t { 64| 1| RDTSC = (1ULL << 4), 65| 1| SSE2 = (1ULL << 26), 66| 1| CLMUL = (1ULL << 33), 67| 1| SSSE3 = (1ULL << 41), 68| 1| SSE41 = (1ULL << 51), 69| 1| AESNI = (1ULL << 57), 70| | // AVX + OSXSAVE 71| 1| OSXSAVE = (1ULL << 59) | (1ULL << 60), 72| 1| RDRAND = (1ULL << 62) 73| 1| }; 74| | 75| 1| enum class x86_CPUID_7_bits : uint64_t { 76| 1| BMI1 = (1ULL << 3), 77| 1| AVX2 = (1ULL << 5), 78| 1| BMI2 = (1ULL << 8), 79| 1| BMI_1_AND_2 = BMI1 | BMI2, 80| 1| AVX512_F = (1ULL << 16), 81| 1| AVX512_DQ = (1ULL << 17), 82| 1| RDSEED = (1ULL << 18), 83| 1| ADX = (1ULL << 19), 84| 1| AVX512_IFMA = (1ULL << 21), 85| 1| SHA = (1ULL << 29), 86| 1| AVX512_BW = (1ULL << 30), 87| 1| AVX512_VL = (1ULL << 31), 88| 1| AVX512_VBMI = (1ULL << 33), 89| 1| AVX512_VBMI2 = (1ULL << 38), 90| 1| GFNI = (1ULL << 40), 91| 1| AVX512_VAES = (1ULL << 41), 92| 1| AVX512_VCLMUL = (1ULL << 42), 93| 1| AVX512_VBITALG = (1ULL << 44), 94| | 95| | /* 96| | We only enable AVX512 support if all of the below flags are available 97| | 98| | This is more than we strictly need for most uses, however it also has 99| | the effect of preventing execution of AVX512 codepaths on cores that 100| | have serious downclocking problems when AVX512 code executes, 101| | especially Intel Skylake. 102| | 103| | VBMI2/VBITALG are the key flags here as they restrict us to Intel Ice 104| | Lake/Rocket Lake, or AMD Zen4, all of which do not have penalties for 105| | executing AVX512. 106| | 107| | There is nothing stopping some future processor from supporting the 108| | above flags and having AVX512 penalties, but maybe you should not have 109| | bought such a processor. 110| | */ 111| 1| AVX512_PROFILE = 112| 1| AVX512_F | AVX512_DQ | AVX512_IFMA | AVX512_BW | AVX512_VL | AVX512_VBMI | AVX512_VBMI2 | AVX512_VBITALG, 113| 1| }; 114| | 115| | // NOLINTNEXTLINE(performance-enum-size) 116| 1| enum class x86_CPUID_7_1_bits : uint64_t { 117| 1| SHA512 = (1 << 0), 118| 1| SM3 = (1 << 1), 119| 1| SM4 = (1 << 2), 120| 1| }; 121| | 122| 1| uint32_t feat = 0; 123| 1| uint32_t cpuid[4] = {0}; 124| 1| bool has_os_ymm_support = false; 125| 1| bool has_os_zmm_support = false; 126| | 127| | // CPUID 0: vendor identification, max sublevel 128| 1| invoke_cpuid(0, cpuid); 129| | 130| 1| const uint32_t max_supported_sublevel = cpuid[0]; 131| | 132| 1| if(max_supported_sublevel >= 1) { ------------------ | Branch (132:7): [True: 1, False: 0] ------------------ 133| | // CPUID 1: feature bits 134| 1| invoke_cpuid(1, cpuid); 135| 1| const uint64_t flags0 = (static_cast(cpuid[2]) << 32) | cpuid[3]; 136| | 137| 1| feat |= if_set(flags0, x86_CPUID_1_bits::RDTSC, CPUFeature::Bit::RDTSC, allowed); 138| | 139| 1| feat |= if_set(flags0, x86_CPUID_1_bits::RDRAND, CPUFeature::Bit::RDRAND, allowed); 140| | 141| 1| feat |= if_set(flags0, x86_CPUID_1_bits::SSE2, CPUFeature::Bit::SSE2, allowed); 142| | 143| 1| if(is_set(feat, CPUFeature::Bit::SSE2)) { ------------------ | Branch (143:10): [True: 1, False: 0] ------------------ 144| 1| feat |= if_set(flags0, x86_CPUID_1_bits::SSSE3, CPUFeature::Bit::SSSE3, allowed); 145| | 146| 1| if(is_set(feat, CPUFeature::Bit::SSSE3)) { ------------------ | Branch (146:13): [True: 1, False: 0] ------------------ 147| 1| feat |= if_set(flags0, x86_CPUID_1_bits::CLMUL, CPUFeature::Bit::CLMUL, allowed); 148| 1| feat |= if_set(flags0, x86_CPUID_1_bits::AESNI, CPUFeature::Bit::AESNI, allowed); 149| 1| } 150| | 151| 1| const uint64_t osxsave64 = static_cast(x86_CPUID_1_bits::OSXSAVE); 152| 1| if((flags0 & osxsave64) == osxsave64) { ------------------ | Branch (152:13): [True: 1, False: 0] ------------------ 153| 1| const uint64_t xcr_flags = xgetbv(); 154| 1| if((xcr_flags & 0x6) == 0x6) { ------------------ | Branch (154:16): [True: 1, False: 0] ------------------ 155| 1| has_os_ymm_support = true; 156| 1| has_os_zmm_support = (xcr_flags & 0xE0) == 0xE0; 157| 1| } 158| 1| } 159| 1| } 160| 1| } 161| | 162| 1| if(max_supported_sublevel >= 7) { ------------------ | Branch (162:7): [True: 1, False: 0] ------------------ 163| 1| clear_mem(cpuid, 4); 164| 1| invoke_cpuid_sublevel(7, 0, cpuid); 165| | 166| 1| const uint64_t flags7 = (static_cast(cpuid[2]) << 32) | cpuid[1]; 167| | 168| 1| clear_mem(cpuid, 4); 169| 1| invoke_cpuid_sublevel(7, 1, cpuid); 170| 1| const uint32_t flags7_1 = cpuid[0]; 171| | 172| 1| feat |= if_set(flags7, x86_CPUID_7_bits::RDSEED, CPUFeature::Bit::RDSEED, allowed); 173| 1| feat |= if_set(flags7, x86_CPUID_7_bits::ADX, CPUFeature::Bit::ADX, allowed); 174| | 175| | /* 176| | We only set the BMI bit if both BMI1 and BMI2 are supported, since 177| | typically we want to use both extensions in the same code. 178| | */ 179| 1| feat |= if_set(flags7, x86_CPUID_7_bits::BMI_1_AND_2, CPUFeature::Bit::BMI, allowed); 180| | 181| 1| if(is_set(feat, CPUFeature::Bit::SSSE3)) { ------------------ | Branch (181:10): [True: 1, False: 0] ------------------ 182| 1| feat |= if_set(flags7, x86_CPUID_7_bits::SHA, CPUFeature::Bit::SHA, allowed); 183| 1| feat |= if_set(flags7_1, x86_CPUID_7_1_bits::SM3, CPUFeature::Bit::SM3, allowed); 184| | 185| | // We only consider AVX2 if SSSE3 is supported 186| 1| if(has_os_ymm_support) { ------------------ | Branch (186:13): [True: 1, False: 0] ------------------ 187| 1| feat |= if_set(flags7, x86_CPUID_7_bits::AVX2, CPUFeature::Bit::AVX2, allowed); 188| | 189| 1| if(is_set(feat, CPUFeature::Bit::AVX2)) { ------------------ | Branch (189:16): [True: 1, False: 0] ------------------ 190| 1| feat |= if_set(flags7, x86_CPUID_7_bits::GFNI, CPUFeature::Bit::GFNI, allowed); 191| 1| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VAES, CPUFeature::Bit::AVX2_AES, allowed); 192| 1| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VCLMUL, CPUFeature::Bit::AVX2_CLMUL, allowed); 193| 1| feat |= if_set(flags7_1, x86_CPUID_7_1_bits::SHA512, CPUFeature::Bit::SHA512, allowed); 194| 1| feat |= if_set(flags7_1, x86_CPUID_7_1_bits::SM4, CPUFeature::Bit::SM4, allowed); 195| | 196| | // Likewise we only consider AVX-512 if AVX2 is supported 197| 1| if(has_os_zmm_support) { ------------------ | Branch (197:19): [True: 0, False: 1] ------------------ 198| 0| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_PROFILE, CPUFeature::Bit::AVX512, allowed); 199| | 200| 0| if(is_set(feat, CPUFeature::Bit::AVX512)) { ------------------ | Branch (200:22): [True: 0, False: 0] ------------------ 201| 0| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VAES, CPUFeature::Bit::AVX512_AES, allowed); 202| 0| feat |= if_set(flags7, x86_CPUID_7_bits::AVX512_VCLMUL, CPUFeature::Bit::AVX512_CLMUL, allowed); 203| 0| } 204| 0| } 205| 1| } 206| 1| } 207| 1| } 208| 1| } 209| | 210| |/* 211| | * If we don't have access to CPUID, we can still safely assume that 212| | * any x86-64 processor has SSE2 and RDTSC 213| | */ 214| 1|#if defined(BOTAN_TARGET_ARCH_IS_X86_64) 215| 1| if(feat == 0) { ------------------ | Branch (215:7): [True: 0, False: 1] ------------------ 216| 0| feat |= CPUFeature::Bit::SSE2 & allowed; 217| 0| feat |= CPUFeature::Bit::RDTSC & allowed; 218| 0| } 219| 1|#endif 220| | 221| 1| return feat; 222| 1|} cpuid_x86.cpp:_ZN5Botan12_GLOBAL__N_112invoke_cpuidEjPj: 24| 2|void invoke_cpuid(uint32_t type, uint32_t out[4]) { 25| 2| clear_mem(out, 4); 26| | 27| 2|#if defined(BOTAN_USE_GCC_INLINE_ASM) 28| | // NOLINTNEXTLINE(*-no-assembler) 29| 2| asm volatile("cpuid\n\t" : "=a"(out[0]), "=b"(out[1]), "=c"(out[2]), "=d"(out[3]) : "0"(type)); 30| | 31| |#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) 32| | __cpuid((int*)out, type); 33| | 34| |#else 35| | BOTAN_UNUSED(type); 36| | #warning "No way of calling x86 cpuid instruction for this compiler" 37| |#endif 38| 2|} cpuid_x86.cpp:_ZN5Botan12_GLOBAL__N_16xgetbvEv: 56| 1|BOTAN_FUNC_ISA("xsave") uint64_t xgetbv() { 57| | return _xgetbv(0); 58| 1|} cpuid_x86.cpp:_ZN5Botan12_GLOBAL__N_121invoke_cpuid_sublevelEjjPj: 40| 2|void invoke_cpuid_sublevel(uint32_t type, uint32_t level, uint32_t out[4]) { 41| 2| clear_mem(out, 4); 42| | 43| 2|#if defined(BOTAN_USE_GCC_INLINE_ASM) 44| | // NOLINTNEXTLINE(*-no-assembler) 45| 2| asm volatile("cpuid\n\t" : "=a"(out[0]), "=b"(out[1]), "=c"(out[2]), "=d"(out[3]) : "0"(type), "2"(level)); 46| | 47| |#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) 48| | __cpuidex((int*)out, type, level); 49| | 50| |#else 51| | BOTAN_UNUSED(type, level); 52| | #warning "No way of calling x86 cpuid instruction for this compiler" 53| |#endif 54| 2|} _ZN5Botan10DataSource9read_byteERh: 27| 773k|size_t DataSource::read_byte(uint8_t& out) { 28| 773k| return read(&out, 1); 29| 773k|} _ZN5Botan10DataSource9read_byteEv: 34| 1.36M|std::optional DataSource::read_byte() { 35| 1.36M| uint8_t b = 0; 36| 1.36M| if(this->read(&b, 1) == 1) { ------------------ | Branch (36:7): [True: 1.35M, False: 10.7k] ------------------ 37| 1.35M| return b; 38| 1.35M| } else { 39| 10.7k| return {}; 40| 10.7k| } 41| 1.36M|} _ZNK5Botan10DataSource9peek_byteERh: 46| 7.55k|size_t DataSource::peek_byte(uint8_t& out) const { 47| 7.55k| return peek(&out, 1, 0); 48| 7.55k|} _ZN5Botan17DataSource_Memory4readEPhm: 73| 1.35M|size_t DataSource_Memory::read(uint8_t out[], size_t length) { 74| 1.35M| const size_t got = std::min(m_source.size() - m_offset, length); 75| 1.35M| copy_mem(out, m_source.data() + m_offset, got); 76| 1.35M| m_offset += got; 77| 1.35M| return got; 78| 1.35M|} _ZN5Botan17DataSource_Memory15check_availableEm: 80| 16.6k|bool DataSource_Memory::check_available(size_t n) { 81| 16.6k| return (n <= (m_source.size() - m_offset)); 82| 16.6k|} _ZNK5Botan17DataSource_Memory4peekEPhmm: 87| 14.8k|size_t DataSource_Memory::peek(uint8_t out[], size_t length, size_t peek_offset) const { 88| 14.8k| const size_t bytes_left = m_source.size() - m_offset; 89| 14.8k| if(peek_offset >= bytes_left) { ------------------ | Branch (89:7): [True: 0, False: 14.8k] ------------------ 90| 0| return 0; 91| 0| } 92| | 93| 14.8k| const size_t got = std::min(bytes_left - peek_offset, length); 94| 14.8k| copy_mem(out, &m_source[m_offset + peek_offset], got); 95| 14.8k| return got; 96| 14.8k|} _ZNK5Botan17DataSource_Memory11end_of_dataEv: 101| 12.4k|bool DataSource_Memory::end_of_data() const { 102| 12.4k| return (m_offset == m_source.size()); 103| 12.4k|} _ZN5Botan9ExceptionC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 71| 6.04k|Exception::Exception(std::string_view msg) : m_msg(msg) {} _ZN5Botan9ExceptionC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEERKSt9exception: 73| 979|Exception::Exception(std::string_view msg, const std::exception& e) : m_msg(fmt("{} failed with {}", msg, e.what())) {} _ZN5Botan16Invalid_ArgumentC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 77| 115|Invalid_Argument::Invalid_Argument(std::string_view msg) : Exception(msg) {} _ZN5Botan14Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 125| 4.12k|Decoding_Error::Decoding_Error(std::string_view name) : Exception(name) {} _ZN5Botan14Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 128| 1.80k| Exception(fmt("{}: {}", category, err)) {} _ZN5Botan14Decoding_ErrorC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEERKSt9exception: 130| 979|Decoding_Error::Decoding_Error(std::string_view msg, const std::exception& e) : Exception(msg, e) {} _ZN5Botan19secure_scrub_memoryEPvm: 25| 19.1M|void secure_scrub_memory(void* ptr, size_t n) { 26| 19.1M| return secure_zeroize_buffer(ptr, n); 27| 19.1M|} _ZN5Botan21secure_zeroize_bufferEPvm: 29| 19.1M|void secure_zeroize_buffer(void* ptr, size_t n) { 30| 19.1M| if(n == 0) { ------------------ | Branch (30:7): [True: 82.8k, False: 19.0M] ------------------ 31| 82.8k| return; 32| 82.8k| } 33| | 34| |#if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY) 35| | ::RtlSecureZeroMemory(ptr, n); 36| | 37| |#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO) 38| 19.0M| ::explicit_bzero(ptr, n); 39| | 40| |#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET) 41| | (void)::explicit_memset(ptr, 0, n); 42| | 43| |#else 44| | /* 45| | * Call memset through a static volatile pointer, which the compiler should 46| | * not elide. This construct should be safe in conforming compilers, but who 47| | * knows. This has been checked to generate the expected code, which saves the 48| | * memset address in the data segment and unconditionally loads and jumps to 49| | * that address, with the following targets: 50| | * 51| | * x86-64: Clang 19, GCC 6, 11, 13, 14 52| | * riscv64: GCC 14 53| | * aarch64: GCC 14 54| | * armv7: GCC 14 55| | * 56| | * Actually all of them generated the expected jump even without marking the 57| | * function pointer as volatile. However this seems worth including as an 58| | * additional precaution. 59| | */ 60| | static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset; 61| | (memset_ptr)(ptr, 0, n); 62| |#endif 63| 19.0M|} _ZN5Botan2OS17read_env_variableERNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEENS1_17basic_string_viewIcS4_EE: 448| 1|bool OS::read_env_variable(std::string& value_out, std::string_view name_view) { 449| 1| value_out = ""; 450| | 451| 1| if(running_in_privileged_state()) { ------------------ | Branch (451:7): [True: 0, False: 1] ------------------ 452| 0| return false; 453| 0| } 454| | 455| |#if defined(BOTAN_TARGET_OS_HAS_WIN32) && \ 456| | (defined(BOTAN_BUILD_COMPILER_IS_MSVC) || defined(BOTAN_BUILD_COMPILER_IS_CLANGCL)) 457| | const std::string name(name_view); 458| | char val[128] = {0}; 459| | size_t req_size = 0; 460| | if(getenv_s(&req_size, val, sizeof(val), name.c_str()) == 0) { 461| | // Microsoft's implementation always writes a terminating \0, 462| | // and includes it in the reported length of the environment variable 463| | // if a value exists. 464| | if(req_size > 0 && val[req_size - 1] == '\0') { 465| | value_out = std::string(val); 466| | } else { 467| | value_out = std::string(val, req_size); 468| | } 469| | return true; 470| | } 471| |#else 472| 1| const std::string name(name_view); 473| 1| if(const char* val = std::getenv(name.c_str())) { ------------------ | Branch (473:19): [True: 0, False: 1] ------------------ 474| 0| value_out = val; 475| 0| return true; 476| 0| } 477| 1|#endif 478| | 479| 1| return false; 480| 1|} os_utils.cpp:_ZN5Botan12_GLOBAL__N_110get_auxvalENSt3__18optionalImEE: 118| 1|std::optional get_auxval(std::optional id) { 119| 1| if(id) { ------------------ | Branch (119:7): [True: 1, False: 0] ------------------ 120| 1|#if defined(BOTAN_TARGET_OS_HAS_GETAUXVAL) 121| 1| return ::getauxval(*id); 122| |#elif defined(BOTAN_TARGET_OS_HAS_ELF_AUX_INFO) 123| | unsigned long auxinfo = 0; 124| | if(::elf_aux_info(static_cast(*id), &auxinfo, sizeof(auxinfo)) == 0) { 125| | return auxinfo; 126| | } 127| |#endif 128| 1| } 129| | 130| 0| return {}; 131| 1|} os_utils.cpp:_ZN5Botan12_GLOBAL__N_127running_in_privileged_stateEv: 152| 1|bool running_in_privileged_state() { 153| 1|#if defined(AT_SECURE) 154| 1| if(auto at_secure = get_auxval(AT_SECURE)) { ------------------ | Branch (154:12): [True: 1, False: 0] ------------------ 155| 1| return at_secure != 0; 156| 1| } 157| 0|#endif 158| | 159| 0|#if defined(BOTAN_TARGET_OS_HAS_POSIX1) 160| 0| return (::getuid() != ::geteuid()) || (::getgid() != ::getegid()); ------------------ | Branch (160:11): [True: 0, False: 0] | Branch (160:42): [True: 0, False: 0] ------------------ 161| |#else 162| | return false; 163| |#endif 164| 1|} _ZN5Botan9to_u32bitENSt3__117basic_string_viewIcNS0_11char_traitsIcEEEE: 30| 60|uint32_t to_u32bit(std::string_view str_view) { 31| 60| const std::string str(str_view); 32| | 33| | // std::stoul is not strict enough. Ensure that str is digit only [0-9]* 34| 180| for(const char chr : str) { ------------------ | Branch (34:23): [True: 180, False: 60] ------------------ 35| 180| if(chr < '0' || chr > '9') { ------------------ | Branch (35:10): [True: 0, False: 180] | Branch (35:23): [True: 0, False: 180] ------------------ 36| 0| throw Invalid_Argument("to_u32bit invalid decimal string '" + str + "'"); 37| 0| } 38| 180| } 39| | 40| 60| const unsigned long int x = std::stoul(str); 41| | 42| 60| if constexpr(sizeof(unsigned long int) > 4) { 43| | // x might be uint64 44| 60| if(x > std::numeric_limits::max()) { ------------------ | Branch (44:10): [True: 0, False: 60] ------------------ 45| 0| throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range"); 46| 0| } 47| 60| } 48| | 49| 60| return static_cast(x); 50| 60|} _ZN5Botan8split_onENSt3__117basic_string_viewIcNS0_11char_traitsIcEEEEc: 109| 4.77k|std::vector split_on(std::string_view str, char delim) { 110| 4.77k| std::vector elems; 111| 4.77k| if(str.empty()) { ------------------ | Branch (111:7): [True: 0, False: 4.77k] ------------------ 112| 0| return elems; 113| 0| } 114| | 115| 4.77k| std::string substr; 116| 25.1k| for(const char c : str) { ------------------ | Branch (116:21): [True: 25.1k, False: 4.77k] ------------------ 117| 25.1k| if(c == delim) { ------------------ | Branch (117:10): [True: 177, False: 25.0k] ------------------ 118| 177| if(!substr.empty()) { ------------------ | Branch (118:13): [True: 177, False: 0] ------------------ 119| 177| elems.push_back(substr); 120| 177| } 121| 177| substr.clear(); 122| 25.0k| } else { 123| 25.0k| substr += c; 124| 25.0k| } 125| 25.1k| } 126| | 127| 4.77k| if(substr.empty()) { ------------------ | Branch (127:7): [True: 0, False: 4.77k] ------------------ 128| 0| throw Invalid_Argument(fmt("Unable to split string '{}", str)); 129| 0| } 130| 4.77k| elems.push_back(substr); 131| | 132| 4.77k| return elems; 133| 4.77k|} _ZN5Botan9SCAN_NameC2ENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEE: 58| 4.17k|SCAN_Name::SCAN_Name(std::string_view algo_spec) : m_orig_algo_spec(algo_spec) { 59| 4.17k| if(algo_spec.empty()) { ------------------ | Branch (59:7): [True: 0, False: 4.17k] ------------------ 60| 0| throw Invalid_Argument("Expected algorithm name, got empty string"); 61| 0| } 62| | 63| 4.17k| std::vector> name; 64| 4.17k| size_t level = 0; 65| 4.17k| std::pair accum = std::make_pair(level, ""); 66| | 67| 4.17k| const std::string decoding_error = "Bad SCAN name '" + m_orig_algo_spec + "': "; 68| | 69| 37.5k| for(const char c : algo_spec) { ------------------ | Branch (69:21): [True: 37.5k, False: 4.17k] ------------------ 70| 37.5k| if(c == '/' || c == ',' || c == '(' || c == ')') { ------------------ | Branch (70:10): [True: 0, False: 37.5k] | Branch (70:22): [True: 0, False: 37.5k] | Branch (70:34): [True: 60, False: 37.5k] | Branch (70:46): [True: 60, False: 37.4k] ------------------ 71| 120| if(c == '(') { ------------------ | Branch (71:13): [True: 60, False: 60] ------------------ 72| 60| ++level; 73| 60| } else if(c == ')') { ------------------ | Branch (73:20): [True: 60, False: 0] ------------------ 74| 60| if(level == 0) { ------------------ | Branch (74:16): [True: 0, False: 60] ------------------ 75| 0| throw Decoding_Error(decoding_error + "Mismatched parens"); 76| 0| } 77| 60| --level; 78| 60| } 79| | 80| 120| if(c == '/' && level > 0) { ------------------ | Branch (80:13): [True: 0, False: 120] | Branch (80:25): [True: 0, False: 0] ------------------ 81| 0| accum.second.push_back(c); 82| 120| } else { 83| 120| if(!accum.second.empty()) { ------------------ | Branch (83:16): [True: 120, False: 0] ------------------ 84| 120| name.push_back(accum); 85| 120| } 86| 120| accum = std::make_pair(level, ""); 87| 120| } 88| 37.4k| } else { 89| 37.4k| accum.second.push_back(c); 90| 37.4k| } 91| 37.5k| } 92| | 93| 4.17k| if(!accum.second.empty()) { ------------------ | Branch (93:7): [True: 4.11k, False: 60] ------------------ 94| 4.11k| name.push_back(accum); 95| 4.11k| } 96| | 97| 4.17k| if(level != 0) { ------------------ | Branch (97:7): [True: 0, False: 4.17k] ------------------ 98| 0| throw Decoding_Error(decoding_error + "Missing close paren"); 99| 0| } 100| | 101| 4.17k| if(name.empty()) { ------------------ | Branch (101:7): [True: 0, False: 4.17k] ------------------ 102| 0| throw Decoding_Error(decoding_error + "Empty name"); 103| 0| } 104| | 105| 4.17k| m_alg_name = name[0].second; 106| | 107| 4.17k| bool in_modes = false; 108| | 109| 4.23k| for(size_t i = 1; i != name.size(); ++i) { ------------------ | Branch (109:22): [True: 60, False: 4.17k] ------------------ 110| 60| if(name[i].first == 0) { ------------------ | Branch (110:10): [True: 0, False: 60] ------------------ 111| 0| m_mode_info.push_back(make_arg(name, i)); 112| 0| in_modes = true; 113| 60| } else if(name[i].first == 1 && !in_modes) { ------------------ | Branch (113:17): [True: 60, False: 0] | Branch (113:39): [True: 60, False: 0] ------------------ 114| 60| m_args.push_back(make_arg(name, i)); 115| 60| } 116| 60| } 117| 4.17k|} _ZNK5Botan9SCAN_Name14arg_as_integerEmm: 133| 60|size_t SCAN_Name::arg_as_integer(size_t i, size_t def_value) const { 134| 60| if(i >= arg_count()) { ------------------ | Branch (134:7): [True: 0, False: 60] ------------------ 135| 0| return def_value; 136| 0| } 137| 60| return to_u32bit(m_args[i]); 138| 60|} scan_name.cpp:_ZN5Botan12_GLOBAL__N_18make_argERKNSt3__16vectorINS1_4pairImNS1_12basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEEENS7_ISA_EEEEm: 17| 60|std::string make_arg(const std::vector>& name, size_t start) { 18| 60| std::string output = name[start].second; 19| 60| size_t level = name[start].first; 20| | 21| 60| size_t paren_depth = 0; 22| | 23| 60| for(size_t i = start + 1; i != name.size(); ++i) { ------------------ | Branch (23:30): [True: 0, False: 60] ------------------ 24| 0| if(name[i].first <= name[start].first) { ------------------ | Branch (24:10): [True: 0, False: 0] ------------------ 25| 0| break; 26| 0| } 27| | 28| 0| if(name[i].first > level) { ------------------ | Branch (28:10): [True: 0, False: 0] ------------------ 29| 0| output += "(" + name[i].second; 30| 0| ++paren_depth; 31| 0| } else if(name[i].first < level) { ------------------ | Branch (31:17): [True: 0, False: 0] ------------------ 32| 0| for(size_t j = name[i].first; j < level; j++) { ------------------ | Branch (32:40): [True: 0, False: 0] ------------------ 33| 0| output += ")"; 34| 0| --paren_depth; 35| 0| } 36| 0| output += "," + name[i].second; 37| 0| } else { 38| 0| if(output[output.size() - 1] != '(') { ------------------ | Branch (38:13): [True: 0, False: 0] ------------------ 39| 0| output += ","; 40| 0| } 41| 0| output += name[i].second; 42| 0| } 43| | 44| 0| level = name[i].first; 45| 0| } 46| | 47| 60| for(size_t i = 0; i != paren_depth; ++i) { ------------------ | Branch (47:22): [True: 0, False: 60] ------------------ 48| 0| output += ")"; 49| 0| } 50| | 51| 60| return output; 52| 60|} _ZN5Botan9SHAKE_XOFC2Em: 17| 4.11k| m_keccak({.capacity_bits = capacity, .padding = KeccakPadding::shake()}), m_output_generated(false) { 18| 4.11k| BOTAN_ASSERT_NOMSG(capacity == 256 || capacity == 512); ------------------ | | 77| 4.11k| do { \ | | 78| 4.11k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 79| 5.27k| if(!(expr)) { \ | | ------------------ | | | Branch (79:12): [True: 2.94k, False: 1.16k] | | | Branch (79:12): [True: 1.16k, False: 0] | | ------------------ | | 80| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 81| 0| Botan::assertion_failure(#expr, "", __func__, __FILE__, __LINE__); \ | | 82| 0| } \ | | 83| 4.11k| } while(0) | | ------------------ | | | Branch (83:12): [Folded, False: 4.11k] | | ------------------ ------------------ 19| 4.11k|} _ZN5Botan9SHAKE_XOF5resetEv: 21| 484|void SHAKE_XOF::reset() { 22| 484| m_keccak.clear(); 23| 484| m_output_generated = false; 24| 484|} _ZN5Botan9SHAKE_XOF8add_dataENSt3__14spanIKhLm18446744073709551615EEE: 26| 8.98k|void SHAKE_XOF::add_data(std::span input) { 27| 8.98k| BOTAN_STATE_CHECK(!m_output_generated); ------------------ | | 51| 8.98k| do { \ | | 52| 8.98k| /* NOLINTNEXTLINE(*-simplify-boolean-expr) */ \ | | 53| 8.98k| if(!(expr)) { \ | | ------------------ | | | Branch (53:10): [True: 0, False: 8.98k] | | ------------------ | | 54| 0| /* NOLINTNEXTLINE(bugprone-lambda-function-name) */ \ | | 55| 0| Botan::throw_invalid_state(#expr, __func__, __FILE__); \ | | 56| 0| } \ | | 57| 8.98k| } while(0) | | ------------------ | | | Branch (57:12): [Folded, False: 8.98k] | | ------------------ ------------------ 28| 8.98k| m_keccak.absorb(input); 29| 8.98k|} _ZN5Botan9SHAKE_XOF14generate_bytesENSt3__14spanIhLm18446744073709551615EEE: 31| 973k|void SHAKE_XOF::generate_bytes(std::span output) { 32| 973k| if(!m_output_generated) { ------------------ | Branch (32:7): [True: 4.53k, False: 968k] ------------------ 33| 4.53k| m_output_generated = true; 34| 4.53k| m_keccak.finish(); 35| 4.53k| } 36| | 37| 973k| m_keccak.squeeze(output); 38| 973k|} _ZN5Botan3XOF6createENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 28| 4.11k|std::unique_ptr XOF::create(std::string_view algo_spec, std::string_view provider) { 29| 4.11k| const SCAN_Name req(algo_spec); 30| | 31| 4.11k| if(!provider.empty() && provider != "base") { ------------------ | Branch (31:7): [True: 0, False: 4.11k] | Branch (31:28): [True: 0, False: 0] ------------------ 32| 0| return nullptr; // unknown provider 33| 0| } 34| | 35| 4.11k|#if defined(BOTAN_HAS_SHAKE_XOF) 36| 4.11k| if(req.algo_name() == "SHAKE-128" && req.arg_count() == 0) { ------------------ | Branch (36:7): [True: 2.94k, False: 1.16k] | Branch (36:41): [True: 2.94k, False: 0] ------------------ 37| 2.94k| return std::make_unique(); 38| 2.94k| } 39| 1.16k| if(req.algo_name() == "SHAKE-256" && req.arg_count() == 0) { ------------------ | Branch (39:7): [True: 1.16k, False: 0] | Branch (39:41): [True: 1.16k, False: 0] ------------------ 40| 1.16k| return std::make_unique(); 41| 1.16k| } 42| 0|#endif 43| | 44| 0|#if defined(BOTAN_HAS_ASCON_XOF128) 45| 0| if(req.algo_name() == "Ascon-XOF128" && req.arg_count() == 0) { ------------------ | Branch (45:7): [True: 0, False: 0] | Branch (45:44): [True: 0, False: 0] ------------------ 46| 0| return std::make_unique(); 47| 0| } 48| 0|#endif 49| | 50| 0| return nullptr; 51| 0|} _ZN5Botan3XOF15create_or_throwENSt3__117basic_string_viewIcNS1_11char_traitsIcEEEES5_: 54| 4.11k|std::unique_ptr XOF::create_or_throw(std::string_view algo_spec, std::string_view provider) { 55| 4.11k| if(auto xof = XOF::create(algo_spec, provider)) { ------------------ | Branch (55:12): [True: 4.11k, False: 0] ------------------ 56| 4.11k| return xof; 57| 4.11k| } 58| 0| throw Lookup_Error("XOF", algo_spec, provider); 59| 4.11k|} _ZN5Botan3XOF5startENSt3__14spanIKhLm18446744073709551615EEES4_: 70| 4.53k|void XOF::start(std::span salt, std::span key) { 71| 4.53k| if(!key_spec().valid_keylength(key.size())) { ------------------ | Branch (71:7): [True: 0, False: 4.53k] ------------------ 72| 0| throw Invalid_Key_Length(name(), key.size()); 73| 0| } 74| | 75| 4.53k| if(!valid_salt_length(salt.size())) { ------------------ | Branch (75:7): [True: 0, False: 4.53k] ------------------ 76| 0| throw Invalid_Argument(fmt("{} cannot accept a salt length of {}", name(), salt.size())); 77| 0| } 78| | 79| 4.53k| m_xof_started = true; 80| 4.53k| start_msg(salt, key); 81| 4.53k|} _ZN5Botan3XOF9start_msgENSt3__14spanIKhLm18446744073709551615EEES4_: 83| 4.53k|void XOF::start_msg(std::span salt, std::span key) { 84| 4.53k| BOTAN_UNUSED(salt, key); ------------------ | | 144| 4.53k|#define BOTAN_UNUSED Botan::ignore_params ------------------ 85| 4.53k|}