fuzz_early_setup:
   23|      2|void fuzz_early_setup(void) { /* Early harness init: the only visible effect is pointing fuzz.fake_stderr at the real stderr. */
   24|       |    /* Set stderr to point to normal stderr by default */
   25|       |    fuzz.fake_stderr = stderr;
   26|      2|}
fuzz_common_setup:
   28|      1|void fuzz_common_setup(void) { /* Harness setup called from fuzz_cli_setup: sets the fuzz-mode flags, allocates the input buffer header, installs the fuzz logger, seeds, then decides whether stderr output is kept. */
   29|      1|	disallow_core();
   30|      1|    fuzz.fuzzing = 1;
   31|      1|    fuzz.wrapfds = 1; /* wrapfd_read/wrapfd_select test this flag before emulating I/O */
   32|      1|    fuzz.do_jmp = 1;
   33|      1|    fuzz.input = m_malloc(sizeof(buffer)); /* buffer header only; fuzz_set_input later points data at the fuzzer's bytes */
   34|      1|    _dropbear_log = fuzz_dropbear_log;
   35|      1|    crypto_init();
   36|      1|    fuzz_seed("start", 5); /* fixed 5-byte seed; fuzz_seed is defined elsewhere, presumably this keeps runs reproducible (confirm) */
   37|       |    /* let any messages get flushed */
   38|      1|    setlinebuf(stdout);
   39|       |#if DEBUG_TRACE
   40|       |    if (debug_trace)
   41|       |    {
   42|       |        fprintf(stderr, "Dropbear fuzzer: -v specified, not disabling stderr output\n");
   43|       |    }
   44|       |    else
   45|       |#endif
   46|      1|    if (getenv("DROPBEAR_KEEP_STDERR")) { /* only presence of the variable is tested, its value is ignored */
  ------------------
  |  Branch (46:9): [True: 0, False: 1]
  ------------------
   47|      0|        fprintf(stderr, "Dropbear fuzzer: DROPBEAR_KEEP_STDERR, not disabling stderr output\n");
   48|      0|    } 
   49|      1|    else 
   50|      1|    {
   51|      1|        fprintf(stderr, "Dropbear fuzzer: Disabling stderr output\n");
   52|      1|        fuzz.fake_stderr = fopen("/dev/null", "w");
   53|       |        assert(fuzz.fake_stderr); /* NOTE(review): the fopen result is guarded only by assert; if assert compiles out (NDEBUG) a failed open leaves fake_stderr NULL */
  ------------------
  |  Branch (53:9): [True: 0, False: 1]
  |  Branch (53:9): [True: 1, False: 0]
  ------------------
   54|      1|    }
   55|      1|}
fuzz_set_input:
   57|  3.33k|int fuzz_set_input(const uint8_t *Data, size_t Size) { /* Binds one fuzzer test case to fuzz.input and clears session state; the only return visible is DROPBEAR_SUCCESS. */
   58|       |
   59|  3.33k|    fuzz.input->data = (unsigned char*)Data; /* aliases the fuzzer's buffer (no copy) and drops const; NOTE(review): consumers must treat it as read-only */
   60|  3.33k|    fuzz.input->size = Size;
   61|  3.33k|    fuzz.input->len = Size;
   62|  3.33k|    fuzz.input->pos = 0;
   63|       |
   64|  3.33k|    memset(&ses, 0x0, sizeof(ses)); /* zero the global session structs so state from an earlier input cannot carry over */
   65|  3.33k|    memset(&svr_ses, 0x0, sizeof(svr_ses));
   66|  3.33k|    memset(&cli_ses, 0x0, sizeof(cli_ses));
   67|  3.33k|    wrapfd_setup(fuzz.input); /* drops any wrapped descriptors and makes this buffer the shared read source */
   68|       |    // printhex("input", fuzz.input->data, fuzz.input->len);
   69|       |
   70|  3.33k|    fuzz_seed(fuzz.input->data, MIN(fuzz.input->len, 16)); /* seed from at most the first 16 input bytes */
  ------------------
  |  Branch (70:33): [True: 295, False: 3.03k]
  ------------------
   71|       |
   72|  3.33k|    return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|  3.33k|#define DROPBEAR_SUCCESS 0
  ------------------
   73|  3.33k|}
fuzz_cli_setup:
  112|      1|void fuzz_cli_setup(void) { /* Client-harness setup: common setup, client exit/log hooks, a fixed dbclient command line, a fixed key and a preset password. */
  113|      1|    fuzz_common_setup();
  114|       |    
  115|      1|	_dropbear_exit = cli_dropbear_exit;
  116|      1|	_dropbear_log = cli_dropbear_log; /* replaces the fuzz_dropbear_log hook installed by fuzz_common_setup */
  117|       |
  118|      1|    char *argv[] = { 
  119|      1|		"dbclient",
  120|      1|		"-y", /* NOTE(review): dbclient's -y accepts unknown remote host keys; acceptable in a harness, not a setting to copy into real client use */
  121|      1|        "localhost",
  122|      1|        "uptime"
  123|      1|    };
  124|       |
  125|      1|    int argc = sizeof(argv) / sizeof(*argv);
  126|      1|    cli_getopts(argc, argv);
  127|       |
  128|      1|    load_fixed_client_key();
  129|       |    /* Avoid password prompt */
  130|      1|    setenv(DROPBEAR_PASSWORD_ENV, "password", 1); /* fixed dummy credential; third argument 1 overwrites any existing value */
  ------------------
  |  |  114|      1|#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
  ------------------
  131|      1|}
fuzz_kex_fakealgos:
  197|  2.33k|void fuzz_kex_fakealgos(void) { /* Replaces the receive-side cipher mode and MAC in ses.newkeys with dropbear_mode_none and dropbear_nohash. */
  198|  2.33k|    ses.newkeys->recv.crypt_mode = &dropbear_mode_none; /* presumably so fuzz input is parsed as plaintext (confirm) */
  199|  2.33k|    ses.newkeys->recv.algo_mac = &dropbear_nohash; /* NOTE(review): removes integrity checking on received packets; this function must stay unreachable outside fuzzing builds */
  200|  2.33k|}
fuzz_run_client:
  299|  3.33k|int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) { /* Runs one client session against a fake socket fed by Data; every return path visible here yields 0. */
  300|  3.33k|    static int once = 0;
  301|  3.33k|    if (!once) {
  ------------------
  |  Branch (301:9): [True: 1, False: 3.33k]
  ------------------
  302|      1|        fuzz_cli_setup();
  303|      1|        fuzz.skip_kexmaths = skip_kexmaths; /* latched on the first call only; the argument of later calls is ignored */
  304|      1|        once = 1;
  305|      1|    }
  306|       |
  307|  3.33k|    if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|  3.33k|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (307:9): [True: 0, False: 3.33k]
  ------------------
  308|      0|        return 0;
  309|      0|    }
  310|       |
  311|       |    // Allow to proceed sooner
  312|  3.33k|    ses.kexstate.donefirstkex = 1;
  313|       |
  314|  3.33k|    uint32_t wrapseed;
  315|  3.33k|    genrandom((void*)&wrapseed, sizeof(wrapseed)); /* presumably deterministic per input because fuzz_set_input reseeded via fuzz_seed (confirm against genrandom) */
  316|  3.33k|    wrapfd_setseed(wrapseed); /* overrides the fixed seed 50 that wrapfd_setup installed */
  317|       |
  318|  3.33k|    int fakesock = wrapfd_new_fuzzinput();
  319|       |
  320|  3.33k|    m_malloc_set_epoch(1);
  321|  3.33k|    fuzz.do_jmp = 1;
  322|  3.33k|    if (setjmp(fuzz.jmp) == 0) { /* nonzero return means dropbear_exit longjmped back instead of ending the process */
  ------------------
  |  Branch (322:9): [True: 3.33k, False: 0]
  ------------------
  323|  3.33k|        cli_session(fakesock, fakesock, NULL, 0); /* same fake fd for both directions; coverage: the next line has count 0, so this call never returned normally in this run */
  324|      0|        m_malloc_free_epoch(1, 0);
  325|      0|    } else { /* NOTE(review): zero counts here and on the final return are likely a setjmp/longjmp instrumentation artifact, not proof the path is dead (confirm) */
  326|      0|        fuzz.do_jmp = 0;
  327|      0|        m_malloc_free_epoch(1, 1); /* presumably releases what the aborted session allocated since m_malloc_set_epoch(1) (confirm) */
  328|      0|        TRACE(("dropbear_exit longjmped"))
  329|       |        /* dropbear_exit jumped here */
  330|      0|    }
  331|       |
  332|      0|    return 0;
  333|  3.33k|}
fuzz_dump:
  345|   109k|void fuzz_dump(const unsigned char* data, size_t len) { /* When fuzz.dumping is set, writes len bytes from data to fuzz.recv_dumpfd; otherwise does nothing. */
  346|   109k|    if (fuzz.dumping) {
  ------------------
  |  Branch (346:9): [True: 0, False: 109k]
  ------------------
  347|      0|        TRACE(("dump %zu", len))
  348|       |        assert(atomicio(vwrite, fuzz.recv_dumpfd, (void*)data, len) == len); /* NOTE(review): the write is a side effect inside assert(); if assert compiles out (NDEBUG) nothing is dumped */
  ------------------
  |  Branch (348:9): [True: 0, False: 0]
  |  Branch (348:9): [True: 0, False: 0]
  ------------------
  349|      0|    }
  350|   109k|}
fuzz_getpwuid:
  386|      1|struct passwd* fuzz_getpwuid(uid_t uid) { /* getpwuid stand-in: real lookup when not fuzzing, otherwise only the fixed pwd_other / pwd_root entries, NULL for any other uid. */
  387|      1|    if (!fuzz.fuzzing) {
  ------------------
  |  Branch (387:9): [True: 0, False: 1]
  ------------------
  388|      0|        return getpwuid(uid);
  389|      0|    }
  390|      1|    if (uid == pwd_other.pw_uid) { /* checked first, so pwd_other wins if both entries share a uid */
  ------------------
  |  Branch (390:9): [True: 0, False: 1]
  ------------------
  391|      0|        return &pwd_other;
  392|      0|    }
  393|      1|    if (uid == pwd_root.pw_uid) {
  ------------------
  |  Branch (393:9): [True: 1, False: 0]
  ------------------
  394|      1|        return &pwd_root; /* pointer to a file-level object, not a fresh copy */
  395|      1|    }
  396|      0|    return NULL;
  397|      1|}
fuzz-common.c:load_fixed_client_key:
  135|      1|static void load_fixed_client_key(void) { /* Parses the embedded keyed25519 blob into a sign_key and appends it to cli_opts.privkeys. */
  136|       |
  137|      1|    buffer *b = buf_new(3000); /* NOTE(review): assumes keyed25519_len fits in 3000 bytes; no explicit check is visible here (buf_putbytes may enforce it, confirm) */
  138|      1|    sign_key *key;
  139|      1|    enum signkey_type keytype;
  140|       |
  141|      1|    key = new_sign_key();
  142|      1|    keytype = DROPBEAR_SIGNKEY_ANY;
  143|      1|    buf_putbytes(b, keyed25519, keyed25519_len); /* key material compiled into the harness: a test fixture, never a key to deploy */
  144|      1|    buf_setpos(b, 0); /* rewind so parsing starts at the first byte */
  145|      1|    if (buf_get_priv_key(b, key, &keytype) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      1|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (145:9): [True: 0, False: 1]
  ------------------
  146|      0|        dropbear_exit("failed fixed ed25519 hostkey"); /* message says "hostkey" although the key is added to the client's privkeys */
  147|      0|    }
  148|      1|    list_append(cli_opts.privkeys, key); /* key is handed to the list and not freed here */
  149|       |
  150|      1|    buf_free(b);
  151|      1|}

fuzz-sshpacketmutator.c:alloc_static_buffers:
  126|      2|static void alloc_static_buffers() { /* Allocates oup, alloc_packetA, alloc_packetB and every packets1[] / packets2[] slot. NOTE(review): coverage shows two calls in this run; confirm callers do not re-allocate over live buffers. */
  127|       |
  128|      2|    int i;
  129|      2|    oup = buf_new(MAX_OUT_SIZE);
  130|      2|    alloc_packetA = buf_new(RECV_MAX_PACKET_LEN);
  ------------------
  |  |  243|      2|#define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
  ------------------
  |  Branch (130:29): [True: 2, Folded]
  ------------------
  131|      2|    alloc_packetB = buf_new(RECV_MAX_PACKET_LEN);
  ------------------
  |  |  243|      2|#define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
  ------------------
  |  Branch (131:29): [True: 2, Folded]
  ------------------
  132|       |
  133|  1.00k|    for (i = 0; i < MAX_FUZZ_PACKETS; i++) { /* assumes packets1 has at least MAX_FUZZ_PACKETS slots; declaration not visible here */
  ------------------
  |  |   20|  1.00k|#define MAX_FUZZ_PACKETS 500
  ------------------
  |  Branch (133:17): [True: 1.00k, False: 2]
  ------------------
  134|  1.00k|        packets1[i] = buf_new(RECV_MAX_PACKET_LEN);
  ------------------
  |  |  243|  1.00k|#define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
  ------------------
  |  Branch (134:31): [True: 1.00k, Folded]
  ------------------
  135|  1.00k|    }
  136|  1.00k|    for (i = 0; i < MAX_FUZZ_PACKETS; i++) { /* same assumption for packets2 */
  ------------------
  |  |   20|  1.00k|#define MAX_FUZZ_PACKETS 500
  ------------------
  |  Branch (136:17): [True: 1.00k, False: 2]
  ------------------
  137|       |        packets2[i] = buf_new(RECV_MAX_PACKET_LEN);
  ------------------
  |  |  243|  1.00k|#define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
  ------------------
  |  Branch (137:31): [True: 1.00k, Folded]
  ------------------
  138|  1.00k|    }
  139|      2|}

wrapfd_setup:
   32|  3.33k|void wrapfd_setup(buffer *buf) { /* Removes every wrapped descriptor still in use, resets the wrapper PRNG to a fixed seed, and makes buf the shared input buffer. */
   33|  3.33k|	TRACE(("wrapfd_setup"))
   34|       |
   35|       |	// clean old ones
   36|  3.33k|	int i;
   37|  26.6k|	for (i = 0; i <= wrapfd_maxfd; i++) { /* wrapfd_maxfd is -1 when nothing is wrapped, so the loop is skipped */
  ------------------
  |  Branch (37:14): [True: 23.3k, False: 3.33k]
  ------------------
   38|  23.3k|		if (wrap_fds[i].mode != UNUSED) {
  ------------------
  |  Branch (38:7): [True: 2.50k, False: 20.8k]
  ------------------
   39|  2.50k|			wrapfd_remove(i); /* also closes the underlying descriptor */
   40|  2.50k|		}
   41|  23.3k|	}
   42|  3.33k|	wrapfd_maxfd = -1;
   43|       |
   44|  3.33k|	memset(rand_state, 0x0, sizeof(rand_state));
   45|  3.33k|	wrapfd_setseed(50); /* fixed default seed; fuzz_run_client later replaces it with wrapfd_setseed(wrapseed) */
   46|  3.33k|	input_buf = buf; /* pointer is stored, not copied; buf must outlive the session */
   47|  3.33k|}
wrapfd_setseed:
   49|  6.66k|void wrapfd_setseed(uint32_t seed) { /* Copies the 32-bit seed into the start of rand_state and advances the generator once. */
   50|  6.66k|	memcpy(rand_state, &seed, sizeof(seed)); /* assumes rand_state is at least sizeof(seed) bytes (nrand48 takes unsigned short[3]); bytes past the seed keep their previous contents */
   51|  6.66k|	nrand48(rand_state); /* result discarded; the call is made for its update of rand_state */
   52|  6.66k|}
wrapfd_new_fuzzinput:
   54|  3.33k|int wrapfd_new_fuzzinput() { /* Returns a new wrapped descriptor in COMMONBUF mode: a dup of a lazily opened /dev/null descriptor, recorded in wrap_fds. */
   55|  3.33k|	if (devnull_fd == -1) {
  ------------------
  |  Branch (55:6): [True: 1, False: 3.33k]
  ------------------
   56|      1|		devnull_fd = open("/dev/null", O_RDONLY); /* opened once and kept for the process lifetime */
   57|      1|		assert(devnull_fd != -1);
  ------------------
  |  Branch (57:3): [True: 0, False: 1]
  |  Branch (57:3): [True: 1, False: 0]
  ------------------
   58|      1|	}
   59|       |
   60|  3.33k|	int fd = dup(devnull_fd); /* the real descriptor number doubles as the wrap_fds index */
   61|  3.33k|	assert(fd != -1);
  ------------------
  |  Branch (61:2): [True: 0, False: 3.33k]
  |  Branch (61:2): [True: 3.33k, False: 0]
  ------------------
   62|  3.33k|	assert(wrap_fds[fd].mode == UNUSED); /* NOTE(review): wrap_fds[fd] is indexed with no fd <= IOWRAP_MAXFD check, unlike wrapfd_read, wrapfd_close and wrapfd_remove; a dup() result above that bound would index out of range (confirm wrap_fds size, consider asserting the bound first) */
  ------------------
  |  Branch (62:2): [True: 0, False: 3.33k]
  |  Branch (62:2): [True: 3.33k, False: 0]
  ------------------
   63|  3.33k|	wrap_fds[fd].mode = COMMONBUF;
   64|  3.33k|	wrap_fds[fd].closein = 0;
   65|  3.33k|	wrap_fds[fd].closeout = 0;
   66|  3.33k|	wrapfd_maxfd = MAX(fd, wrapfd_maxfd); /* wrapfd_setup scans 0..wrapfd_maxfd when cleaning up */
  ------------------
  |  Branch (66:17): [True: 3.33k, False: 0]
  ------------------
   67|       |
   68|  3.33k|	return fd;
   69|  3.33k|}
wrapfd_close:
  105|  11.6k|int wrapfd_close(int fd) { /* close() stand-in: a wrapped descriptor is released via wrapfd_remove and reported as success; any other fd goes to the real close(). Unlike wrapfd_read, fuzz.wrapfds is not consulted. */
  106|  11.6k|	if (fd >= 0 && fd <= IOWRAP_MAXFD && wrap_fds[fd].mode != UNUSED) { /* range is checked before wrap_fds is indexed */
  ------------------
  |  |    9|  23.2k|#define IOWRAP_MAXFD (FD_SETSIZE-1)
  ------------------
  |  Branch (106:6): [True: 11.6k, False: 0]
  |  Branch (106:17): [True: 11.6k, False: 0]
  |  Branch (106:39): [True: 824, False: 10.8k]
  ------------------
  107|    824|		wrapfd_remove(fd);
  108|    824|		return 0; /* the result of the close() inside wrapfd_remove is not propagated */
  109|  10.8k|	} else {
  110|  10.8k|		return close(fd);
  111|  10.8k|	}
  112|  11.6k|}
wrapfd_read:
  114|   181k|int wrapfd_read(int fd, void *out, size_t count) { /* read() stand-in: passes through when fuzz.wrapfds is off; otherwise injects random ECONNRESET / EINTR failures and serves short reads from the shared input buffer (or 0xef filler for other modes). */
  115|   181k|	size_t maxread;
  116|       |
  117|   181k|	if (!fuzz.wrapfds) {
  ------------------
  |  Branch (117:6): [True: 0, False: 181k]
  ------------------
  118|      0|		return read(fd, out, count);
  119|      0|	}
  120|       |
  121|   181k|	if (fd < 0 || fd > IOWRAP_MAXFD || wrap_fds[fd].mode == UNUSED) { /* range is checked before wrap_fds is indexed */
  ------------------
  |  |    9|   362k|#define IOWRAP_MAXFD (FD_SETSIZE-1)
  ------------------
  |  Branch (121:6): [True: 0, False: 181k]
  |  Branch (121:16): [True: 0, False: 181k]
  |  Branch (121:37): [True: 0, False: 181k]
  ------------------
  122|       |		/* XXX - assertion failure? */
  123|      0|		TRACE(("Bad read descriptor %d\n", fd))
  124|      0|		errno = EBADF;
  125|      0|		return -1;
  126|      0|	}
  127|       |
  128|   181k|	assert(count != 0); /* the modulo arithmetic below relies on a nonzero count */
  ------------------
  |  Branch (128:2): [True: 0, False: 181k]
  |  Branch (128:2): [True: 181k, False: 0]
  ------------------
  129|       |
  130|   181k|	if (wrap_fds[fd].closein || erand48(rand_state) < CHANCE_CLOSE) { /* simulated peer reset; closein makes it sticky for later reads on this fd */
  ------------------
  |  Branch (130:6): [True: 0, False: 181k]
  |  Branch (130:30): [True: 21, False: 181k]
  ------------------
  131|     21|		wrap_fds[fd].closein = 1;
  132|     21|		errno = ECONNRESET;
  133|     21|		return -1;
  134|     21|	}
  135|       |
  136|   181k|	if (erand48(rand_state) < CHANCE_INTR) { /* simulated interrupted call, exercising the caller's EINTR handling */
  ------------------
  |  Branch (136:6): [True: 266, False: 180k]
  ------------------
  137|    266|		errno = EINTR;
  138|    266|		return -1;
  139|    266|	}
  140|       |
  141|   180k|	if (input_buf && wrap_fds[fd].mode == COMMONBUF) {
  ------------------
  |  Branch (141:6): [True: 180k, False: 0]
  |  Branch (141:19): [True: 180k, False: 0]
  ------------------
  142|   180k|		maxread = MIN(input_buf->len - input_buf->pos, count); /* bytes left in the input, capped at count; presumably pos <= len is a buffer invariant (confirm), otherwise the subtraction would wrap */
  ------------------
  |  Branch (142:13): [True: 4.01k, False: 176k]
  ------------------
  143|       |		/* returns 0 if buf is EOF, as intended */
  144|   180k|		if (maxread > 0) {
  ------------------
  |  Branch (144:7): [True: 177k, False: 3.51k]
  ------------------
  145|   177k|			maxread = nrand48(rand_state) % maxread + 1; /* random short read of 1..maxread bytes */
  146|   177k|		}
  147|   180k|		memcpy(out, buf_getptr(input_buf, maxread), maxread);
  148|   180k|		buf_incrpos(input_buf, maxread);
  149|   180k|		return maxread; /* size_t converted to the int return type */
  150|   180k|	}
  151|       |
  152|       |	// return fixed output, of random length
  153|      0|	maxread = MIN(MAX_RANDOM_IN, count); /* coverage: this fallback was never reached in this run */
  ------------------
  |  Branch (153:12): [True: 0, False: 0]
  ------------------
  154|      0|	maxread = nrand48(rand_state) % maxread + 1;
  155|      0|	memset(out, 0xef, maxread);
  156|      0|	return maxread;
  157|   180k|}
wrapfd_select:
  196|   190k|	fd_set *exceptfds, struct timeval *timeout) {
  197|   190k|	int i, nset, sel;
  198|   190k|	int ret = 0;
  199|   190k|	int fdlist[IOWRAP_MAXFD+1];
  200|       |
  201|   190k|	if (!fuzz.wrapfds) {
  ------------------
  |  Branch (201:6): [True: 0, False: 190k]
  ------------------
  202|      0|		return select(nfds, readfds, writefds, exceptfds, timeout);
  203|      0|	}
  204|       |
  205|   190k|	assert(nfds <= IOWRAP_MAXFD+1);
  ------------------
  |  Branch (205:2): [True: 0, False: 190k]
  |  Branch (205:2): [True: 190k, False: 0]
  ------------------
  206|       |
  207|   190k|	if (erand48(rand_state) < CHANCE_INTR) {
  ------------------
  |  Branch (207:6): [True: 349, False: 189k]
  ------------------
  208|    349|		errno = EINTR;
  209|    349|		return -1;
  210|    349|	}
  211|       |
  212|       |	/* read */
  213|   189k|	if (readfds != NULL && erand48(rand_state) < CHANCE_READ1) {
  ------------------
  |  Branch (213:6): [True: 189k, False: 0]
  |  Branch (213:25): [True: 181k, False: 8.83k]
  ------------------
  214|  1.44M|		for (i = 0, nset = 0; i < nfds; i++) {
  ------------------
  |  Branch (214:25): [True: 1.26M, False: 181k]
  ------------------
  215|  1.26M|			if (FD_ISSET(i, readfds)) {
  ------------------
  |  Branch (215:8): [True: 171k, False: 1.09M]
  ------------------
  216|   171k|				assert(wrap_fds[i].mode != UNUSED);
  ------------------
  |  Branch (216:5): [True: 0, False: 171k]
  |  Branch (216:5): [True: 171k, False: 0]
  ------------------
  217|   171k|				fdlist[nset] = i;
  218|   171k|				nset++;
  219|   171k|			}
  220|  1.26M|		}
  221|   181k|		DROPBEAR_FD_ZERO(readfds);
  ------------------
  |  |  106|   181k|#define DROPBEAR_FD_ZERO(fds) FD_ZERO(fds)
  ------------------
  |  Branch (221:3): [Folded, False: 181k]
  ------------------
  222|       |
  223|   181k|		if (nset > 0) {
  ------------------
  |  Branch (223:7): [True: 171k, False: 9.77k]
  ------------------
  224|       |			/* set one */
  225|   171k|			sel = fdlist[nrand48(rand_state) % nset];
  226|   171k|			FD_SET(sel, readfds);
  227|   171k|			ret++;
  228|       |
  229|   171k|			if (erand48(rand_state) < CHANCE_READ2) {
  ------------------
  |  Branch (229:8): [True: 78.4k, False: 92.7k]
  ------------------
  230|  78.4k|				sel = fdlist[nrand48(rand_state) % nset];
  231|  78.4k|				if (!FD_ISSET(sel, readfds)) {
  ------------------
  |  Branch (231:9): [True: 0, False: 78.4k]
  ------------------
  232|      0|					FD_SET(sel, readfds);
  233|      0|					ret++;
  234|      0|				}
  235|  78.4k|			}
  236|   171k|		}
  237|   181k|	}
  238|       |
  239|       |	/* write */
  240|   189k|	if (writefds != NULL && erand48(rand_state) < CHANCE_WRITE1) {
  ------------------
  |  Branch (240:6): [True: 96.8k, False: 93.0k]
  |  Branch (240:26): [True: 93.4k, False: 3.38k]
  ------------------
  241|   747k|		for (i = 0, nset = 0; i < nfds; i++) {
  ------------------
  |  Branch (241:25): [True: 654k, False: 93.4k]
  ------------------
  242|   654k|			if (FD_ISSET(i, writefds)) {
  ------------------
  |  Branch (242:8): [True: 9.78k, False: 644k]
  ------------------
  243|  9.78k|				assert(wrap_fds[i].mode != UNUSED);
  ------------------
  |  Branch (243:5): [True: 0, False: 9.78k]
  |  Branch (243:5): [True: 9.78k, False: 0]
  ------------------
  244|  9.78k|				fdlist[nset] = i;
  245|  9.78k|				nset++;
  246|  9.78k|			}
  247|   654k|		}
  248|  93.4k|		DROPBEAR_FD_ZERO(writefds);
  ------------------
  |  |  106|  93.4k|#define DROPBEAR_FD_ZERO(fds) FD_ZERO(fds)
  ------------------
  |  Branch (248:3): [Folded, False: 93.4k]
  ------------------
  249|       |
  250|       |		/* set one */
  251|  93.4k|		if (nset > 0) {
  ------------------
  |  Branch (251:7): [True: 9.78k, False: 83.7k]
  ------------------
  252|  9.78k|			sel = fdlist[nrand48(rand_state) % nset];
  253|  9.78k|			FD_SET(sel, writefds);
  254|  9.78k|			ret++;
  255|       |
  256|  9.78k|			if (erand48(rand_state) < CHANCE_WRITE2) {
  ------------------
  |  Branch (256:8): [True: 4.06k, False: 5.71k]
  ------------------
  257|  4.06k|				sel = fdlist[nrand48(rand_state) % nset];
  258|  4.06k|				if (!FD_ISSET(sel, writefds)) {
  ------------------
  |  Branch (258:9): [True: 0, False: 4.06k]
  ------------------
  259|      0|					FD_SET(sel, writefds);
  260|      0|					ret++;
  261|      0|				}
  262|  4.06k|			}
  263|  9.78k|		}
  264|  93.4k|	}
  265|   189k|	return ret;
  266|   189k|}
fuzz-wrapfd.c:wrapfd_remove:
   96|  3.33k|static void wrapfd_remove(int fd) { /* Marks a wrapped descriptor UNUSED and closes the underlying fd; asserts that fd is in range and currently in use. */
   97|  3.33k|	TRACE(("wrapfd_remove %d", fd))
   98|  3.33k|	assert(fd >= 0);
  ------------------
  |  Branch (98:2): [True: 0, False: 3.33k]
  |  Branch (98:2): [True: 3.33k, False: 0]
  ------------------
   99|  3.33k|	assert(fd <= IOWRAP_MAXFD); /* NOTE(review): the range checks are asserts only; if assert compiles out (NDEBUG) the index below is unchecked */
  ------------------
  |  Branch (99:2): [True: 0, False: 3.33k]
  |  Branch (99:2): [True: 3.33k, False: 0]
  ------------------
  100|  3.33k|	assert(wrap_fds[fd].mode != UNUSED);
  ------------------
  |  Branch (100:2): [True: 0, False: 3.33k]
  |  Branch (100:2): [True: 3.33k, False: 0]
  ------------------
  101|  3.33k|	wrap_fds[fd].mode = UNUSED;
  102|  3.33k|	close(fd); /* return value ignored */
  103|  3.33k|}

LLVMFuzzerTestOneInput:
    3|  3.33k|int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { /* libFuzzer entry point: forwards each input to fuzz_run_client with skip_kexmaths = 0. */
    4|  3.33k|	return fuzz_run_client(Data, Size, 0);
    5|  3.33k|}

sha1_init:
  164|    672|{
  165|    672|   LTC_ARGCHK(md != NULL);
  ------------------
  |  |   32|    672|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 672]
  |  |  |  Branch (32:87): [Folded, False: 672]
  |  |  ------------------
  ------------------
  166|    672|   md->sha1.state[0] = 0x67452301UL;
  167|    672|   md->sha1.state[1] = 0xefcdab89UL;
  168|    672|   md->sha1.state[2] = 0x98badcfeUL;
  169|    672|   md->sha1.state[3] = 0x10325476UL;
  170|    672|   md->sha1.state[4] = 0xc3d2e1f0UL;
  171|    672|   md->sha1.curlen = 0;
  172|    672|   md->sha1.length = 0;
  173|    672|   return CRYPT_OK;
  174|    672|}
sha1_done:
  192|    672|{
  193|    672|    int i;
  194|       |
  195|    672|    LTC_ARGCHK(md  != NULL);
  ------------------
  |  |   32|    672|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 672]
  |  |  |  Branch (32:87): [Folded, False: 672]
  |  |  ------------------
  ------------------
  196|    672|    LTC_ARGCHK(out != NULL);
  ------------------
  |  |   32|    672|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 672]
  |  |  |  Branch (32:87): [Folded, False: 672]
  |  |  ------------------
  ------------------
  197|       |
  198|    672|    if (md->sha1.curlen >= sizeof(md->sha1.buf)) {
  ------------------
  |  Branch (198:9): [True: 0, False: 672]
  ------------------
  199|      0|       return CRYPT_INVALID_ARG;
  200|      0|    }
  201|       |
  202|       |    /* increase the length of the message */
  203|    672|    md->sha1.length += md->sha1.curlen * 8;
  204|       |
  205|       |    /* append the '1' bit */
  206|    672|    md->sha1.buf[md->sha1.curlen++] = (unsigned char)0x80;
  207|       |
  208|       |    /* if the length is currently above 56 bytes we append zeros
  209|       |     * then compress.  Then we can fall back to padding zeros and length
  210|       |     * encoding like normal.
  211|       |     */
  212|    672|    if (md->sha1.curlen > 56) {
  ------------------
  |  Branch (212:9): [True: 0, False: 672]
  ------------------
  213|      0|        while (md->sha1.curlen < 64) {
  ------------------
  |  Branch (213:16): [True: 0, False: 0]
  ------------------
  214|      0|            md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
  215|      0|        }
  216|      0|        sha1_compress(md, md->sha1.buf);
  217|      0|        md->sha1.curlen = 0;
  218|      0|    }
  219|       |
  220|       |    /* pad upto 56 bytes of zeroes */
  221|  16.1k|    while (md->sha1.curlen < 56) {
  ------------------
  |  Branch (221:12): [True: 15.4k, False: 672]
  ------------------
  222|  15.4k|        md->sha1.buf[md->sha1.curlen++] = (unsigned char)0;
  223|  15.4k|    }
  224|       |
  225|       |    /* store length */
  226|    672|    STORE64H(md->sha1.length, md->sha1.buf+56);
  ------------------
  |  |  101|    672|#define STORE64H(x, y)                          \
  |  |  102|    672|do { ulong64 __t = __builtin_bswap64 ((x));     \
  |  |  103|    672|      XMEMCPY ((y), &__t, 8); } while(0)
  |  |  ------------------
  |  |  |  |   39|    672|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (103:39): [Folded, False: 672]
  |  |  ------------------
  ------------------
  227|    672|    sha1_compress(md, md->sha1.buf);
  228|       |
  229|       |    /* copy output */
  230|  4.03k|    for (i = 0; i < 5; i++) {
  ------------------
  |  Branch (230:17): [True: 3.36k, False: 672]
  ------------------
  231|  3.36k|        STORE32H(md->sha1.state[i], out+(4*i));
  ------------------
  |  |   62|  3.36k|#define STORE32H(x, y)                          \
  |  |   63|  3.36k|do { ulong32 __t = __builtin_bswap32 ((x));     \
  |  |   64|  3.36k|      XMEMCPY ((y), &__t, 4); } while(0)
  |  |  ------------------
  |  |  |  |   39|  3.36k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (64:39): [Folded, False: 3.36k]
  |  |  ------------------
  ------------------
  232|  3.36k|    }
  233|       |#ifdef LTC_CLEAN_STACK
  234|       |    zeromem(md, sizeof(hash_state));
  235|       |#endif
  236|    672|    return CRYPT_OK;
  237|    672|}
sha1.c:sha1_compress:
   47|    672|{
   48|    672|    ulong32 a,b,c,d,e,W[80],i;
   49|    672|#ifdef LTC_SMALL_CODE
   50|    672|    ulong32 t;
   51|    672|#endif
   52|       |
   53|       |    /* copy the state into 512-bits into W[0..15] */
   54|  11.4k|    for (i = 0; i < 16; i++) {
  ------------------
  |  Branch (54:17): [True: 10.7k, False: 672]
  ------------------
   55|  10.7k|        LOAD32H(W[i], buf + (4*i));
  ------------------
  |  |   66|  10.7k|#define LOAD32H(x, y)                           \
  |  |   67|  10.7k|do { XMEMCPY (&(x), (y), 4);                    \
  |  |  ------------------
  |  |  |  |   39|  10.7k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |   68|  10.7k|      (x) = __builtin_bswap32 ((x)); } while(0)
  |  |  ------------------
  |  |  |  Branch (68:46): [Folded, False: 10.7k]
  |  |  ------------------
  ------------------
   56|  10.7k|    }
   57|       |
   58|       |    /* copy state */
   59|    672|    a = md->sha1.state[0];
   60|    672|    b = md->sha1.state[1];
   61|    672|    c = md->sha1.state[2];
   62|    672|    d = md->sha1.state[3];
   63|    672|    e = md->sha1.state[4];
   64|       |
   65|       |    /* expand it */
   66|  43.6k|    for (i = 16; i < 80; i++) {
  ------------------
  |  Branch (66:18): [True: 43.0k, False: 672]
  ------------------
   67|  43.0k|        W[i] = ROL(W[i-3] ^ W[i-8] ^ W[i-14] ^ W[i-16], 1);
   68|  43.0k|    }
   69|       |
   70|       |    /* compress */
   71|       |    /* round one */
   72|    672|    #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROLc(b, 30);
   73|    672|    #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROLc(b, 30);
   74|    672|    #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROLc(b, 30);
   75|    672|    #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROLc(b, 30);
   76|       |
   77|    672|#ifdef LTC_SMALL_CODE
   78|       |
   79|  14.1k|    for (i = 0; i < 20; ) {
  ------------------
  |  Branch (79:17): [True: 13.4k, False: 672]
  ------------------
   80|  13.4k|       FF0(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
  ------------------
  |  |   72|  13.4k|    #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  |  |                   #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |   37|  13.4k|#define F0(x,y,z)  (z ^ (x & (y ^ z)))
  |  |  ------------------
  |  |                   #define FF0(a,b,c,d,e,i) e = (ROLc(a, 5) + F0(b,c,d) + e + W[i] + 0x5a827999UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  ------------------
   81|  13.4k|    }
   82|       |
   83|  14.1k|    for (; i < 40; ) {
  ------------------
  |  Branch (83:12): [True: 13.4k, False: 672]
  ------------------
   84|  13.4k|       FF1(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
  ------------------
  |  |   73|  13.4k|    #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  |  |                   #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |   38|  13.4k|#define F1(x,y,z)  (x ^ y ^ z)
  |  |  ------------------
  |  |                   #define FF1(a,b,c,d,e,i) e = (ROLc(a, 5) + F1(b,c,d) + e + W[i] + 0x6ed9eba1UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  ------------------
   85|  13.4k|    }
   86|       |
   87|  14.1k|    for (; i < 60; ) {
  ------------------
  |  Branch (87:12): [True: 13.4k, False: 672]
  ------------------
   88|  13.4k|       FF2(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
  ------------------
  |  |   74|  13.4k|    #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  |  |                   #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |   39|  13.4k|#define F2(x,y,z)  ((x & y) | (z & (x | y)))
  |  |  ------------------
  |  |                   #define FF2(a,b,c,d,e,i) e = (ROLc(a, 5) + F2(b,c,d) + e + W[i] + 0x8f1bbcdcUL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  ------------------
   89|  13.4k|    }
   90|       |
   91|  14.1k|    for (; i < 80; ) {
  ------------------
  |  Branch (91:12): [True: 13.4k, False: 672]
  ------------------
   92|  13.4k|       FF3(a,b,c,d,e,i++); t = e; e = d; d = c; c = b; b = a; a = t;
  ------------------
  |  |   75|  13.4k|    #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  |  |                   #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |   40|  13.4k|#define F3(x,y,z)  (x ^ y ^ z)
  |  |  ------------------
  |  |                   #define FF3(a,b,c,d,e,i) e = (ROLc(a, 5) + F3(b,c,d) + e + W[i] + 0xca62c1d6UL); b = ROLc(b, 30);
  |  |  ------------------
  |  |  |  |  275|  13.4k|#define ROLc(word,i) ({ \
  |  |  |  |  276|  13.4k|   ulong32 __ROLc_tmp = (word); \
  |  |  |  |  277|  13.4k|   __asm__ ("roll %2, %0" : \
  |  |  |  |  278|  13.4k|            "=r" (__ROLc_tmp) : \
  |  |  |  |  279|  13.4k|            "0" (__ROLc_tmp), \
  |  |  |  |  280|  13.4k|            "I" (i)); \
  |  |  |  |  281|  13.4k|            __ROLc_tmp; \
  |  |  |  |  282|  13.4k|   })
  |  |  ------------------
  ------------------
   93|  13.4k|    }
   94|       |
   95|       |#else
   96|       |
   97|       |    for (i = 0; i < 20; ) {
   98|       |       FF0(a,b,c,d,e,i++);
   99|       |       FF0(e,a,b,c,d,i++);
  100|       |       FF0(d,e,a,b,c,i++);
  101|       |       FF0(c,d,e,a,b,i++);
  102|       |       FF0(b,c,d,e,a,i++);
  103|       |    }
  104|       |
  105|       |    /* round two */
  106|       |    for (; i < 40; )  {
  107|       |       FF1(a,b,c,d,e,i++);
  108|       |       FF1(e,a,b,c,d,i++);
  109|       |       FF1(d,e,a,b,c,i++);
  110|       |       FF1(c,d,e,a,b,i++);
  111|       |       FF1(b,c,d,e,a,i++);
  112|       |    }
  113|       |
  114|       |    /* round three */
  115|       |    for (; i < 60; )  {
  116|       |       FF2(a,b,c,d,e,i++);
  117|       |       FF2(e,a,b,c,d,i++);
  118|       |       FF2(d,e,a,b,c,i++);
  119|       |       FF2(c,d,e,a,b,i++);
  120|       |       FF2(b,c,d,e,a,i++);
  121|       |    }
  122|       |
  123|       |    /* round four */
  124|       |    for (; i < 80; )  {
  125|       |       FF3(a,b,c,d,e,i++);
  126|       |       FF3(e,a,b,c,d,i++);
  127|       |       FF3(d,e,a,b,c,i++);
  128|       |       FF3(c,d,e,a,b,i++);
  129|       |       FF3(b,c,d,e,a,i++);
  130|       |    }
  131|       |#endif
  132|       |
  133|    672|    #undef FF0
  134|    672|    #undef FF1
  135|    672|    #undef FF2
  136|    672|    #undef FF3
  137|       |
  138|       |    /* store */
  139|    672|    md->sha1.state[0] = md->sha1.state[0] + a;
  140|    672|    md->sha1.state[1] = md->sha1.state[1] + b;
  141|    672|    md->sha1.state[2] = md->sha1.state[2] + c;
  142|    672|    md->sha1.state[3] = md->sha1.state[3] + d;
  143|    672|    md->sha1.state[4] = md->sha1.state[4] + e;
  144|       |
  145|    672|    return CRYPT_OK;
  146|    672|}

sha256_init:
     |       |/*
     |       | * Reset a SHA-256 hash state: clear the buffered-byte count and the
     |       | * message length, then load the eight 32-bit initial state words (the
     |       | * values match the SHA-256 initial hash values H0..H7 of FIPS 180-4).
     |       | * The only return value is CRYPT_OK.
     |       | *
     |       | * md is dereferenced right after LTC_ARGCHK; as expanded below, the macro
     |       | * only calls crypt_argchk() and then falls through.
     |       | * NOTE(review): crypt_argchk() is not shown in this listing - confirm it
     |       | * never returns, otherwise a NULL md would still be dereferenced.
     |       | * The failing branch of the check has no hits in this report, so the
     |       | * NULL-argument path is not exercised by this run.
     |       | */
  205|  5.21M|{
  206|  5.21M|    LTC_ARGCHK(md != NULL);
  ------------------
  |  |   32|  5.21M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.21M]
  |  |  |  Branch (32:87): [Folded, False: 5.21M]
  |  |  ------------------
  ------------------
  207|       |
     |       |    /* nothing buffered yet, no message bits counted yet */
  208|  5.21M|    md->sha256.curlen = 0;
  209|  5.21M|    md->sha256.length = 0;
     |       |    /* initial chaining value */
  210|  5.21M|    md->sha256.state[0] = 0x6A09E667UL;
  211|  5.21M|    md->sha256.state[1] = 0xBB67AE85UL;
  212|  5.21M|    md->sha256.state[2] = 0x3C6EF372UL;
  213|  5.21M|    md->sha256.state[3] = 0xA54FF53AUL;
  214|  5.21M|    md->sha256.state[4] = 0x510E527FUL;
  215|  5.21M|    md->sha256.state[5] = 0x9B05688CUL;
  216|  5.21M|    md->sha256.state[6] = 0x1F83D9ABUL;
  217|  5.21M|    md->sha256.state[7] = 0x5BE0CD19UL;
  218|  5.21M|    return CRYPT_OK;
  219|  5.21M|}
sha256_done:
     |       |/*
     |       | * Finish a SHA-256 computation: pad the buffered data, append the
     |       | * message length, run the final compression and write the digest.
     |       | *
     |       | * md  - hash state; its buffer, length and state words are modified.
     |       | * out - destination; the output loop writes 8 * 4 = 32 bytes and this
     |       | *       body checks no length for it, so the caller must provide at
     |       | *       least that much room.
     |       | *
     |       | * Returns CRYPT_INVALID_ARG when curlen is not below sizeof(buf),
     |       | * CRYPT_OK otherwise. The return value of sha256_compress() is ignored.
     |       | */
  237|  5.21M|{
  238|  5.21M|    int i;
  239|       |
  240|  5.21M|    LTC_ARGCHK(md  != NULL);
  ------------------
  |  |   32|  5.21M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.21M]
  |  |  |  Branch (32:87): [Folded, False: 5.21M]
  |  |  ------------------
  ------------------
  241|  5.21M|    LTC_ARGCHK(out != NULL);
  ------------------
  |  |   32|  5.21M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.21M]
  |  |  |  Branch (32:87): [Folded, False: 5.21M]
  |  |  ------------------
  ------------------
  242|       |
     |       |    /* curlen indexes buf below; reject a state whose count is already out
     |       |     * of range so the 0x80 store stays inside buf. This branch has 0 hits
     |       |     * in this report, so the error path is untested by this run.
     |       |     */
  243|  5.21M|    if (md->sha256.curlen >= sizeof(md->sha256.buf)) {
  ------------------
  |  Branch (243:9): [True: 0, False: 5.21M]
  ------------------
  244|      0|       return CRYPT_INVALID_ARG;
  245|      0|    }
  246|       |
  247|       |
  248|       |    /* add the still-buffered bytes to the message length, counted in bits */
  249|  5.21M|    md->sha256.length += md->sha256.curlen * 8;
  250|       |
  251|       |    /* append the '1' bit */
  252|  5.21M|    md->sha256.buf[md->sha256.curlen++] = (unsigned char)0x80;
  253|       |
  254|       |    /* if the length is currently above 56 bytes we append zeros
  255|       |     * then compress.  Then we can fall back to padding zeros and length
  256|       |     * encoding like normal.
  257|       |     */
  258|  5.21M|    if (md->sha256.curlen > 56) {
  ------------------
  |  Branch (258:9): [True: 124, False: 5.21M]
  ------------------
  259|    605|        while (md->sha256.curlen < 64) {
  ------------------
  |  Branch (259:16): [True: 481, False: 124]
  ------------------
  260|    481|            md->sha256.buf[md->sha256.curlen++] = (unsigned char)0;
  261|    481|        }
  262|    124|        sha256_compress(md, md->sha256.buf);
  263|    124|        md->sha256.curlen = 0;
  264|    124|    }
  265|       |
  266|       |    /* zero-pad up to byte 56; bytes 56..63 receive the length below */
  267|   104M|    while (md->sha256.curlen < 56) {
  ------------------
  |  Branch (267:12): [True: 99.0M, False: 5.21M]
  ------------------
  268|  99.0M|        md->sha256.buf[md->sha256.curlen++] = (unsigned char)0;
  269|  99.0M|    }
  270|       |
  271|       |    /* store length: STORE64H byte-swaps the value and copies 8 bytes to buf+56 */
  272|  5.21M|    STORE64H(md->sha256.length, md->sha256.buf+56);
  ------------------
  |  |  101|  5.21M|#define STORE64H(x, y)                          \
  |  |  102|  5.21M|do { ulong64 __t = __builtin_bswap64 ((x));     \
  |  |  103|  5.21M|      XMEMCPY ((y), &__t, 8); } while(0)
  |  |  ------------------
  |  |  |  |   39|  5.21M|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (103:39): [Folded, False: 5.21M]
  |  |  ------------------
  ------------------
  273|  5.21M|    sha256_compress(md, md->sha256.buf);
  274|       |
  275|       |    /* copy output: eight byte-swapped 32-bit state words, 4 bytes each */
  276|  46.9M|    for (i = 0; i < 8; i++) {
  ------------------
  |  Branch (276:17): [True: 41.7M, False: 5.21M]
  ------------------
  277|  41.7M|        STORE32H(md->sha256.state[i], out+(4*i));
  ------------------
  |  |   62|  41.7M|#define STORE32H(x, y)                          \
  |  |   63|  41.7M|do { ulong32 __t = __builtin_bswap32 ((x));     \
  |  |   64|  41.7M|      XMEMCPY ((y), &__t, 4); } while(0)
  |  |  ------------------
  |  |  |  |   39|  41.7M|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (64:39): [Folded, False: 41.7M]
  |  |  ------------------
  ------------------
  278|  41.7M|    }
     |       |    /* The next three lines carry no execution count, which suggests
     |       |     * LTC_CLEAN_STACK is not defined in this build; md is then left
     |       |     * holding the final block and state after this function returns.
     |       |     * NOTE(review): if callers hash secret material they would have to
     |       |     * wipe the state themselves - confirm against the callers.
     |       |     */
  279|       |#ifdef LTC_CLEAN_STACK
  280|       |    zeromem(md, sizeof(hash_state));
  281|       |#endif
  282|  5.21M|    return CRYPT_OK;
  283|  5.21M|}
sha256.c:sha256_compress:
     |       |/*
     |       | * Run the SHA-256 compression function over one block: mix the 64 bytes
     |       | * at buf into md->sha256.state. Returns CRYPT_OK (the only return).
     |       | *
     |       | * Exactly 16 * 4 = 64 bytes are read from buf and this function checks
     |       | * no length, so callers must pass a full block.
     |       | *
     |       | * The LTC_SMALL_CODE loop is the variant that carries execution counts
     |       | * in this report; the unrolled #else variant has none, so this coverage
     |       | * says nothing about it.
     |       | * S and W hold message-derived words and are not cleared before return.
     |       | */
   71|  5.24M|{
     |       |    /* S[] is the working copy of the state, W[] the message schedule.
     |       |     * The rotate macro is also called S(x, n); it is function-like, so
     |       |     * S[i] always means the array and S(...) always means the macro.
     |       |     */
   72|  5.24M|    ulong32 S[8], W[64], t0, t1;
   73|  5.24M|#ifdef LTC_SMALL_CODE
   74|  5.24M|    ulong32 t;
   75|  5.24M|#endif
   76|  5.24M|    int i;
   77|       |
   78|       |    /* copy state into S */
   79|  47.2M|    for (i = 0; i < 8; i++) {
  ------------------
  |  Branch (79:17): [True: 41.9M, False: 5.24M]
  ------------------
   80|  41.9M|        S[i] = md->sha256.state[i];
   81|  41.9M|    }
   82|       |
   83|       |    /* load the 512-bit message block from buf into W[0..15] (LOAD32H: 4-byte copy, then byte swap) */
   84|  89.2M|    for (i = 0; i < 16; i++) {
  ------------------
  |  Branch (84:17): [True: 83.9M, False: 5.24M]
  ------------------
   85|  83.9M|        LOAD32H(W[i], buf + (4*i));
  ------------------
  |  |   66|  83.9M|#define LOAD32H(x, y)                           \
  |  |   67|  83.9M|do { XMEMCPY (&(x), (y), 4);                    \
  |  |  ------------------
  |  |  |  |   39|  83.9M|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |   68|  83.9M|      (x) = __builtin_bswap32 ((x)); } while(0)
  |  |  ------------------
  |  |  |  Branch (68:46): [Folded, False: 83.9M]
  |  |  ------------------
  ------------------
   86|  83.9M|    }
   87|       |
   88|       |    /* fill W[16..63]; every index read here (i-2, i-7, i-15, i-16) is already written */
   89|   257M|    for (i = 16; i < 64; i++) {
  ------------------
  |  Branch (89:18): [True: 251M, False: 5.24M]
  ------------------
   90|   251M|        W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
  ------------------
  |  |   63|   251M|#define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
  |  |  ------------------
  |  |  |  |   58|   251M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  ------------------
  |  |  |  |  |  |  283|   251M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  284|   251M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  285|   251M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  286|   251M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  287|   251M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  288|   251M|            "I" (i)); \
  |  |  |  |  |  |  289|   251M|            __RORc_tmp; \
  |  |  |  |  |  |  290|   251M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
  |  |  ------------------
  |  |  |  |   58|   251M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  ------------------
  |  |  |  |  |  |  283|   251M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  284|   251M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  285|   251M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  286|   251M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  287|   251M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  288|   251M|            "I" (i)); \
  |  |  |  |  |  |  289|   251M|            __RORc_tmp; \
  |  |  |  |  |  |  290|   251M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
  |  |  ------------------
  |  |  |  |   59|   251M|#define R(x, n)         (((x)&0xFFFFFFFFUL)>>(n))
  |  |  ------------------
  ------------------
                      W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
  ------------------
  |  |   62|   251M|#define Gamma0(x)       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
  |  |  ------------------
  |  |  |  |   58|   251M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  ------------------
  |  |  |  |  |  |  283|   251M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  284|   251M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  285|   251M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  286|   251M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  287|   251M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  288|   251M|            "I" (i)); \
  |  |  |  |  |  |  289|   251M|            __RORc_tmp; \
  |  |  |  |  |  |  290|   251M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma0(x)       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
  |  |  ------------------
  |  |  |  |   58|   251M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  ------------------
  |  |  |  |  |  |  283|   251M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  284|   251M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  285|   251M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  286|   251M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  287|   251M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  288|   251M|            "I" (i)); \
  |  |  |  |  |  |  289|   251M|            __RORc_tmp; \
  |  |  |  |  |  |  290|   251M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma0(x)       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
  |  |  ------------------
  |  |  |  |   59|   251M|#define R(x, n)         (((x)&0xFFFFFFFFUL)>>(n))
  |  |  ------------------
  ------------------
   91|   251M|    }
   92|       |
   93|       |    /* Compress */
   94|  5.24M|#ifdef LTC_SMALL_CODE
     |       |    /* One round. K[i] stands where the unrolled variant below passes a
     |       |     * literal constant per round; K itself is defined outside this listing.
     |       |     */
   95|  5.24M|#define RND(a,b,c,d,e,f,g,h,i)                         \
   96|  5.24M|     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
   97|  5.24M|     t1 = Sigma0(a) + Maj(a, b, c);                    \
   98|  5.24M|     d += t0;                                          \
   99|  5.24M|     h  = t0 + t1;
  100|       |
  101|   341M|     for (i = 0; i < 64; ++i) {
  ------------------
  |  Branch (101:18): [True: 335M, False: 5.24M]
  ------------------
  102|   335M|         RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i);
  ------------------
  |  |   96|   335M|     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
  |  |  ------------------
  |  |  |  |   61|   335M|#define Sigma1(x)       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
  |  |  |  |  ------------------
  |  |  |  |  |  |   58|   335M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  |  |  ------------------
  |  |  |  |  |  |  |  |  283|   335M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  |  |  284|   335M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  |  |  285|   335M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  |  |  286|   335M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  |  |  287|   335M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  |  |  288|   335M|            "I" (i)); \
  |  |  |  |  |  |  |  |  289|   335M|            __RORc_tmp; \
  |  |  |  |  |  |  |  |  290|   335M|   })
  |  |  |  |  |  |  ------------------
  |  |  |  |  ------------------
  |  |  |  |               #define Sigma1(x)       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
  |  |  |  |  ------------------
  |  |  |  |  |  |   58|   335M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  |  |  ------------------
  |  |  |  |  |  |  |  |  283|   335M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  |  |  284|   335M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  |  |  285|   335M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  |  |  286|   335M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  |  |  287|   335M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  |  |  288|   335M|            "I" (i)); \
  |  |  |  |  |  |  |  |  289|   335M|            __RORc_tmp; \
  |  |  |  |  |  |  |  |  290|   335M|   })
  |  |  |  |  |  |  ------------------
  |  |  |  |  ------------------
  |  |  |  |               #define Sigma1(x)       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
  |  |  |  |  ------------------
  |  |  |  |  |  |   58|   335M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  |  |  ------------------
  |  |  |  |  |  |  |  |  283|   335M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  |  |  284|   335M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  |  |  285|   335M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  |  |  286|   335M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  |  |  287|   335M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  |  |  288|   335M|            "I" (i)); \
  |  |  |  |  |  |  |  |  289|   335M|            __RORc_tmp; \
  |  |  |  |  |  |  |  |  290|   335M|   })
  |  |  |  |  |  |  ------------------
  |  |  |  |  ------------------
  |  |  ------------------
  |  |                    t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
  |  |  ------------------
  |  |  |  |   56|   335M|#define Ch(x,y,z)       (z ^ (x & (y ^ z)))
  |  |  ------------------
  |  |   97|   335M|     t1 = Sigma0(a) + Maj(a, b, c);                    \
  |  |  ------------------
  |  |  |  |   60|   335M|#define Sigma0(x)       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
  |  |  |  |  ------------------
  |  |  |  |  |  |   58|   335M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  |  |  ------------------
  |  |  |  |  |  |  |  |  283|   335M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  |  |  284|   335M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  |  |  285|   335M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  |  |  286|   335M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  |  |  287|   335M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  |  |  288|   335M|            "I" (i)); \
  |  |  |  |  |  |  |  |  289|   335M|            __RORc_tmp; \
  |  |  |  |  |  |  |  |  290|   335M|   })
  |  |  |  |  |  |  ------------------
  |  |  |  |  ------------------
  |  |  |  |               #define Sigma0(x)       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
  |  |  |  |  ------------------
  |  |  |  |  |  |   58|   335M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  |  |  ------------------
  |  |  |  |  |  |  |  |  283|   335M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  |  |  284|   335M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  |  |  285|   335M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  |  |  286|   335M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  |  |  287|   335M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  |  |  288|   335M|            "I" (i)); \
  |  |  |  |  |  |  |  |  289|   335M|            __RORc_tmp; \
  |  |  |  |  |  |  |  |  290|   335M|   })
  |  |  |  |  |  |  ------------------
  |  |  |  |  ------------------
  |  |  |  |               #define Sigma0(x)       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
  |  |  |  |  ------------------
  |  |  |  |  |  |   58|   335M|#define S(x, n)         RORc((x),(n))
  |  |  |  |  |  |  ------------------
  |  |  |  |  |  |  |  |  283|   335M|#define RORc(word,i) ({ \
  |  |  |  |  |  |  |  |  284|   335M|   ulong32 __RORc_tmp = (word); \
  |  |  |  |  |  |  |  |  285|   335M|   __asm__ ("rorl %2, %0" : \
  |  |  |  |  |  |  |  |  286|   335M|            "=r" (__RORc_tmp) : \
  |  |  |  |  |  |  |  |  287|   335M|            "0" (__RORc_tmp), \
  |  |  |  |  |  |  |  |  288|   335M|            "I" (i)); \
  |  |  |  |  |  |  |  |  289|   335M|            __RORc_tmp; \
  |  |  |  |  |  |  |  |  290|   335M|   })
  |  |  |  |  |  |  ------------------
  |  |  |  |  ------------------
  |  |  ------------------
  |  |                    t1 = Sigma0(a) + Maj(a, b, c);                    \
  |  |  ------------------
  |  |  |  |   57|   335M|#define Maj(x,y,z)      (((x | y) & z) | (x & y))
  |  |  ------------------
  |  |   98|   335M|     d += t0;                                          \
  |  |   99|   335M|     h  = t0 + t1;
  ------------------
     |       |         /* rotate the working variables by one slot so the same RND
     |       |          * argument order serves every round */
  103|   335M|         t = S[7]; S[7] = S[6]; S[6] = S[5]; S[5] = S[4];
  104|   335M|         S[4] = S[3]; S[3] = S[2]; S[2] = S[1]; S[1] = S[0]; S[0] = t;
  105|   335M|     }
  106|       |#else
     |       |    /* Unrolled variant: the argument order rotates instead of the array
     |       |     * and each round passes its constant as ki. No execution counts here,
     |       |     * so this branch is not part of the build measured by this report.
     |       |     */
  107|       |#define RND(a,b,c,d,e,f,g,h,i,ki)                    \
  108|       |     t0 = h + Sigma1(e) + Ch(e, f, g) + ki + W[i];   \
  109|       |     t1 = Sigma0(a) + Maj(a, b, c);                  \
  110|       |     d += t0;                                        \
  111|       |     h  = t0 + t1;
  112|       |
  113|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],0,0x428a2f98);
  114|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],1,0x71374491);
  115|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],2,0xb5c0fbcf);
  116|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],3,0xe9b5dba5);
  117|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],4,0x3956c25b);
  118|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],5,0x59f111f1);
  119|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],6,0x923f82a4);
  120|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],7,0xab1c5ed5);
  121|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],8,0xd807aa98);
  122|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],9,0x12835b01);
  123|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],10,0x243185be);
  124|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],11,0x550c7dc3);
  125|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],12,0x72be5d74);
  126|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],13,0x80deb1fe);
  127|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],14,0x9bdc06a7);
  128|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],15,0xc19bf174);
  129|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],16,0xe49b69c1);
  130|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],17,0xefbe4786);
  131|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],18,0x0fc19dc6);
  132|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],19,0x240ca1cc);
  133|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],20,0x2de92c6f);
  134|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],21,0x4a7484aa);
  135|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],22,0x5cb0a9dc);
  136|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],23,0x76f988da);
  137|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],24,0x983e5152);
  138|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],25,0xa831c66d);
  139|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],26,0xb00327c8);
  140|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],27,0xbf597fc7);
  141|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],28,0xc6e00bf3);
  142|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],29,0xd5a79147);
  143|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],30,0x06ca6351);
  144|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],31,0x14292967);
  145|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],32,0x27b70a85);
  146|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],33,0x2e1b2138);
  147|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],34,0x4d2c6dfc);
  148|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],35,0x53380d13);
  149|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],36,0x650a7354);
  150|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],37,0x766a0abb);
  151|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],38,0x81c2c92e);
  152|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],39,0x92722c85);
  153|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],40,0xa2bfe8a1);
  154|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],41,0xa81a664b);
  155|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],42,0xc24b8b70);
  156|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],43,0xc76c51a3);
  157|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],44,0xd192e819);
  158|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],45,0xd6990624);
  159|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],46,0xf40e3585);
  160|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],47,0x106aa070);
  161|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],48,0x19a4c116);
  162|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],49,0x1e376c08);
  163|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],50,0x2748774c);
  164|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],51,0x34b0bcb5);
  165|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],52,0x391c0cb3);
  166|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],53,0x4ed8aa4a);
  167|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],54,0x5b9cca4f);
  168|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],55,0x682e6ff3);
  169|       |    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],56,0x748f82ee);
  170|       |    RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],57,0x78a5636f);
  171|       |    RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],58,0x84c87814);
  172|       |    RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],59,0x8cc70208);
  173|       |    RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],60,0x90befffa);
  174|       |    RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],61,0xa4506ceb);
  175|       |    RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],62,0xbef9a3f7);
  176|       |    RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],63,0xc67178f2);
  177|       |
  178|       |#undef RND
  179|       |
  180|       |#endif
  181|       |
  182|       |    /* feedback: add the working variables back into the chaining state */
  183|  47.2M|    for (i = 0; i < 8; i++) {
  ------------------
  |  Branch (183:17): [True: 41.9M, False: 5.24M]
  ------------------
  184|  41.9M|        md->sha256.state[i] = md->sha256.state[i] + S[i];
  185|  41.9M|    }
  186|  5.24M|    return CRYPT_OK;
  187|  5.24M|}

sha512_init:
     |       |/*
     |       | * Reset a SHA-512 hash state: clear the buffered-byte count and the
     |       | * message length, then load the eight 64-bit initial state words (the
     |       | * values match the SHA-512 initial hash values H0..H7 of FIPS 180-4).
     |       | * The only return value is CRYPT_OK.
     |       | *
     |       | * md is dereferenced right after LTC_ARGCHK; as expanded below, the macro
     |       | * only calls crypt_argchk() and then falls through.
     |       | * NOTE(review): crypt_argchk() is not shown in this listing - confirm it
     |       | * never returns, otherwise a NULL md would still be dereferenced.
     |       | * The failing branch of the check has no hits in this report.
     |       | */
  174|  3.75k|{
  175|  3.75k|    LTC_ARGCHK(md != NULL);
  ------------------
  |  |   32|  3.75k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.75k]
  |  |  |  Branch (32:87): [Folded, False: 3.75k]
  |  |  ------------------
  ------------------
     |       |    /* nothing buffered yet, no message bits counted yet */
  176|  3.75k|    md->sha512.curlen = 0;
  177|  3.75k|    md->sha512.length = 0;
     |       |    /* initial chaining value; CONST64 pastes the ULL suffix onto each literal */
  178|  3.75k|    md->sha512.state[0] = CONST64(0x6a09e667f3bcc908);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  179|  3.75k|    md->sha512.state[1] = CONST64(0xbb67ae8584caa73b);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  180|  3.75k|    md->sha512.state[2] = CONST64(0x3c6ef372fe94f82b);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  181|  3.75k|    md->sha512.state[3] = CONST64(0xa54ff53a5f1d36f1);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  182|  3.75k|    md->sha512.state[4] = CONST64(0x510e527fade682d1);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  183|  3.75k|    md->sha512.state[5] = CONST64(0x9b05688c2b3e6c1f);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  184|  3.75k|    md->sha512.state[6] = CONST64(0x1f83d9abfb41bd6b);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  185|  3.75k|    md->sha512.state[7] = CONST64(0x5be0cd19137e2179);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  186|  3.75k|    return CRYPT_OK;
  187|  3.75k|}
sha512_done:
     |       |/*
     |       | * Finish a SHA-512 computation: pad the buffered data, append the
     |       | * message length, run the final compression and write the digest.
     |       | *
     |       | * md  - hash state; its buffer, length and state words are modified.
     |       | * out - destination; the output loop writes 8 * 8 = 64 bytes and this
     |       | *       body checks no length for it, so the caller must provide at
     |       | *       least that much room.
     |       | *
     |       | * Returns CRYPT_INVALID_ARG when curlen is not below sizeof(buf),
     |       | * CRYPT_OK otherwise. The return value of sha512_compress() is ignored.
     |       | */
  205|  3.75k|{
  206|  3.75k|    int i;
  207|       |
  208|  3.75k|    LTC_ARGCHK(md  != NULL);
  ------------------
  |  |   32|  3.75k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.75k]
  |  |  |  Branch (32:87): [Folded, False: 3.75k]
  |  |  ------------------
  ------------------
  209|  3.75k|    LTC_ARGCHK(out != NULL);
  ------------------
  |  |   32|  3.75k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.75k]
  |  |  |  Branch (32:87): [Folded, False: 3.75k]
  |  |  ------------------
  ------------------
  210|       |
     |       |    /* curlen indexes buf below; reject a state whose count is already out
     |       |     * of range so the 0x80 store stays inside buf. This branch has 0 hits
     |       |     * in this report, so the error path is untested by this run.
     |       |     */
  211|  3.75k|    if (md->sha512.curlen >= sizeof(md->sha512.buf)) {
  ------------------
  |  Branch (211:9): [True: 0, False: 3.75k]
  ------------------
  212|      0|       return CRYPT_INVALID_ARG;
  213|      0|    }
  214|       |
  215|       |    /* add the still-buffered bytes to the message length, counted in bits */
  216|  3.75k|    md->sha512.length += md->sha512.curlen * CONST64(8);
  ------------------
  |  |  200|  3.75k|   #define CONST64(n) n ## ULL
  ------------------
  217|       |
  218|       |    /* append the '1' bit */
  219|  3.75k|    md->sha512.buf[md->sha512.curlen++] = (unsigned char)0x80;
  220|       |
  221|       |    /* if the length is currently above 112 bytes we append zeros
  222|       |     * then compress.  Then we can fall back to padding zeros and length
  223|       |     * encoding like normal.
  224|       |     */
  225|  3.75k|    if (md->sha512.curlen > 112) {
  ------------------
  |  Branch (225:9): [True: 35, False: 3.72k]
  ------------------
  226|    270|        while (md->sha512.curlen < 128) {
  ------------------
  |  Branch (226:16): [True: 235, False: 35]
  ------------------
  227|    235|            md->sha512.buf[md->sha512.curlen++] = (unsigned char)0;
  228|    235|        }
  229|     35|        sha512_compress(md, md->sha512.buf);
  230|     35|        md->sha512.curlen = 0;
  231|     35|    }
  232|       |
  233|       |    /* pad up to 120 bytes of zeroes
  234|       |     * note: that from 112 to 120 is the 64 MSB of the length.  We assume that you won't hash
  235|       |     * > 2^64 bits of data... :-)
  236|       |     */
  237|   408k|    while (md->sha512.curlen < 120) {
  ------------------
  |  Branch (237:12): [True: 404k, False: 3.75k]
  ------------------
  238|   404k|        md->sha512.buf[md->sha512.curlen++] = (unsigned char)0;
  239|   404k|    }
  240|       |
  241|       |    /* store length: STORE64H byte-swaps the value and copies 8 bytes to buf+120 */
  242|  3.75k|    STORE64H(md->sha512.length, md->sha512.buf+120);
  ------------------
  |  |  101|  3.75k|#define STORE64H(x, y)                          \
  |  |  102|  3.75k|do { ulong64 __t = __builtin_bswap64 ((x));     \
  |  |  103|  3.75k|      XMEMCPY ((y), &__t, 8); } while(0)
  |  |  ------------------
  |  |  |  |   39|  3.75k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (103:39): [Folded, False: 3.75k]
  |  |  ------------------
  ------------------
  243|  3.75k|    sha512_compress(md, md->sha512.buf);
  244|       |
  245|       |    /* copy output: eight byte-swapped 64-bit state words, 8 bytes each */
  246|  33.8k|    for (i = 0; i < 8; i++) {
  ------------------
  |  Branch (246:17): [True: 30.0k, False: 3.75k]
  ------------------
  247|  30.0k|        STORE64H(md->sha512.state[i], out+(8*i));
  ------------------
  |  |  101|  30.0k|#define STORE64H(x, y)                          \
  |  |  102|  30.0k|do { ulong64 __t = __builtin_bswap64 ((x));     \
  |  |  103|  30.0k|      XMEMCPY ((y), &__t, 8); } while(0)
  |  |  ------------------
  |  |  |  |   39|  30.0k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (103:39): [Folded, False: 30.0k]
  |  |  ------------------
  ------------------
  248|  30.0k|    }
     |       |    /* The next three lines carry no execution count, which suggests
     |       |     * LTC_CLEAN_STACK is not defined in this build; md is then left
     |       |     * holding the final block and state after this function returns.
     |       |     * NOTE(review): if callers hash secret material they would have to
     |       |     * wipe the state themselves - confirm against the callers.
     |       |     */
  249|       |#ifdef LTC_CLEAN_STACK
  250|       |    zeromem(md, sizeof(hash_state));
  251|       |#endif
  252|  3.75k|    return CRYPT_OK;
  253|  3.75k|}
sha512.c:sha512_compress:
              /*
               * SHA-512 compression of one input block: the eight 64-bit chaining
               * words in md->sha512.state are copied to S, the block at buf is
               * expanded into the 80-word schedule W, 80 rounds are run over S, and
               * S is added back into the state. Always returns CRYPT_OK.
               *
               * The function takes no length argument: the load loop reads
               * 16 * 8 = 128 bytes from buf unconditionally, so every caller must
               * guarantee that many readable bytes.
               *
               * NOTE(review): S, W, t0 and t1 hold message-derived values and are not
               * cleared before return here. Whether a wrapper wipes the stack (the
               * caller above guards a zeromem with LTC_CLEAN_STACK) is not visible in
               * this listing -- confirm for builds that hash secret material.
               *
               * Coverage: the LTC_SMALL_CODE loop carries counts and the unrolled RND
               * path carries none, so only the small-code variant is exercised by
               * this fuzz build.
               */
   96|  42.9k|{
   97|  42.9k|    ulong64 S[8], W[80], t0, t1;
   98|  42.9k|    int i;
   99|       |
  100|       |    /* copy state into S */
  101|   386k|    for (i = 0; i < 8; i++) {
  ------------------
  |  Branch (101:17): [True: 343k, False: 42.9k]
  ------------------
  102|   343k|        S[i] = md->sha512.state[i];
  103|   343k|    }
  104|       |
  105|       |    /* load the 1024-bit input block from buf into W[0..15] (byte-swapped 64-bit loads) */
  106|   729k|    for (i = 0; i < 16; i++) {
  ------------------
  |  Branch (106:17): [True: 686k, False: 42.9k]
  ------------------
  107|   686k|        LOAD64H(W[i], buf + (8*i));
  ------------------
  |  |  105|   686k|#define LOAD64H(x, y)                           \
  |  |  106|   686k|do { XMEMCPY (&(x), (y), 8);                    \
  |  |  ------------------
  |  |  |  |   39|   686k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  107|   686k|      (x) = __builtin_bswap64 ((x)); } while(0)
  |  |  ------------------
  |  |  |  Branch (107:46): [Folded, False: 686k]
  |  |  ------------------
  ------------------
  108|   686k|    }
  109|       |
  110|       |    /* fill W[16..79] */
  111|  2.78M|    for (i = 16; i < 80; i++) {
  ------------------
  |  Branch (111:18): [True: 2.74M, False: 42.9k]
  ------------------
  112|  2.74M|        W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
  ------------------
  |  |   88|  2.74M|#define Gamma1(x)       (S(x, 19) ^ S(x, 61) ^ R(x, 6))
  |  |  ------------------
  |  |  |  |   83|  2.74M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  2.74M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  2.74M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  2.74M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  2.74M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  2.74M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  2.74M|            "J" (i)); \
  |  |  |  |  |  |  390|  2.74M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  2.74M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma1(x)       (S(x, 19) ^ S(x, 61) ^ R(x, 6))
  |  |  ------------------
  |  |  |  |   83|  2.74M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  2.74M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  2.74M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  2.74M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  2.74M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  2.74M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  2.74M|            "J" (i)); \
  |  |  |  |  |  |  390|  2.74M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  2.74M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma1(x)       (S(x, 19) ^ S(x, 61) ^ R(x, 6))
  |  |  ------------------
  |  |  |  |   84|  2.74M|#define R(x, n)         (((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((ulong64)n))
  |  |  |  |  ------------------
  |  |  |  |  |  |  200|  2.74M|   #define CONST64(n) n ## ULL
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
                      W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
  ------------------
  |  |   87|  2.74M|#define Gamma0(x)       (S(x, 1) ^ S(x, 8) ^ R(x, 7))
  |  |  ------------------
  |  |  |  |   83|  2.74M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  2.74M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  2.74M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  2.74M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  2.74M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  2.74M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  2.74M|            "J" (i)); \
  |  |  |  |  |  |  390|  2.74M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  2.74M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma0(x)       (S(x, 1) ^ S(x, 8) ^ R(x, 7))
  |  |  ------------------
  |  |  |  |   83|  2.74M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  2.74M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  2.74M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  2.74M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  2.74M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  2.74M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  2.74M|            "J" (i)); \
  |  |  |  |  |  |  390|  2.74M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  2.74M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Gamma0(x)       (S(x, 1) ^ S(x, 8) ^ R(x, 7))
  |  |  ------------------
  |  |  |  |   84|  2.74M|#define R(x, n)         (((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((ulong64)n))
  |  |  |  |  ------------------
  |  |  |  |  |  |  200|  2.74M|   #define CONST64(n) n ## ULL
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  113|  2.74M|    }
  114|       |
  115|       |    /* Compress */
  116|  42.9k|#ifdef LTC_SMALL_CODE
  117|  3.47M|    for (i = 0; i < 80; i++) {
  ------------------
  |  Branch (117:17): [True: 3.43M, False: 42.9k]
  ------------------
  118|  3.43M|        t0 = S[7] + Sigma1(S[4]) + Ch(S[4], S[5], S[6]) + K[i] + W[i];
  ------------------
  |  |   86|  3.43M|#define Sigma1(x)       (S(x, 14) ^ S(x, 18) ^ S(x, 41))
  |  |  ------------------
  |  |  |  |   83|  3.43M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  3.43M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  3.43M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  3.43M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  3.43M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  3.43M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  3.43M|            "J" (i)); \
  |  |  |  |  |  |  390|  3.43M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  3.43M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Sigma1(x)       (S(x, 14) ^ S(x, 18) ^ S(x, 41))
  |  |  ------------------
  |  |  |  |   83|  3.43M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  3.43M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  3.43M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  3.43M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  3.43M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  3.43M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  3.43M|            "J" (i)); \
  |  |  |  |  |  |  390|  3.43M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  3.43M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Sigma1(x)       (S(x, 14) ^ S(x, 18) ^ S(x, 41))
  |  |  ------------------
  |  |  |  |   83|  3.43M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  3.43M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  3.43M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  3.43M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  3.43M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  3.43M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  3.43M|            "J" (i)); \
  |  |  |  |  |  |  390|  3.43M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  3.43M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
                      t0 = S[7] + Sigma1(S[4]) + Ch(S[4], S[5], S[6]) + K[i] + W[i];
  ------------------
  |  |   81|  3.43M|#define Ch(x,y,z)       (z ^ (x & (y ^ z)))
  ------------------
  119|  3.43M|        t1 = Sigma0(S[0]) + Maj(S[0], S[1], S[2]);
  ------------------
  |  |   85|  3.43M|#define Sigma0(x)       (S(x, 28) ^ S(x, 34) ^ S(x, 39))
  |  |  ------------------
  |  |  |  |   83|  3.43M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  3.43M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  3.43M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  3.43M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  3.43M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  3.43M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  3.43M|            "J" (i)); \
  |  |  |  |  |  |  390|  3.43M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  3.43M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Sigma0(x)       (S(x, 28) ^ S(x, 34) ^ S(x, 39))
  |  |  ------------------
  |  |  |  |   83|  3.43M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  3.43M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  3.43M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  3.43M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  3.43M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  3.43M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  3.43M|            "J" (i)); \
  |  |  |  |  |  |  390|  3.43M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  3.43M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  |  |               #define Sigma0(x)       (S(x, 28) ^ S(x, 34) ^ S(x, 39))
  |  |  ------------------
  |  |  |  |   83|  3.43M|#define S(x, n)         ROR64c(x, n)
  |  |  |  |  ------------------
  |  |  |  |  |  |  384|  3.43M|#define ROR64c(word,i) ({ \
  |  |  |  |  |  |  385|  3.43M|   ulong64 __ROR64c_tmp = word; \
  |  |  |  |  |  |  386|  3.43M|   __asm__ ("rorq %2, %0" : \
  |  |  |  |  |  |  387|  3.43M|            "=r" (__ROR64c_tmp) : \
  |  |  |  |  |  |  388|  3.43M|            "0" (__ROR64c_tmp), \
  |  |  |  |  |  |  389|  3.43M|            "J" (i)); \
  |  |  |  |  |  |  390|  3.43M|            __ROR64c_tmp; \
  |  |  |  |  |  |  391|  3.43M|   })
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
                      t1 = Sigma0(S[0]) + Maj(S[0], S[1], S[2]);
  ------------------
  |  |   82|  3.43M|#define Maj(x,y,z)      (((x | y) & z) | (x & y))
  ------------------
  120|  3.43M|        S[7] = S[6];
  121|  3.43M|        S[6] = S[5];
  122|  3.43M|        S[5] = S[4];
  123|  3.43M|        S[4] = S[3] + t0;
  124|  3.43M|        S[3] = S[2];
  125|  3.43M|        S[2] = S[1];
  126|  3.43M|        S[1] = S[0];
  127|  3.43M|        S[0] = t0 + t1;
  128|  3.43M|    }
  129|       |#else
  130|       |#define RND(a,b,c,d,e,f,g,h,i)                    \
  131|       |     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
  132|       |     t1 = Sigma0(a) + Maj(a, b, c);                  \
  133|       |     d += t0;                                        \
  134|       |     h  = t0 + t1;
  135|       |
  136|       |    for (i = 0; i < 80; i += 8) {
  137|       |        RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i+0);
  138|       |        RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],i+1);
  139|       |        RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],i+2);
  140|       |        RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],i+3);
  141|       |        RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],i+4);
  142|       |        RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],i+5);
  143|       |        RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],i+6);
  144|       |        RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],i+7);
  145|       |    }
  146|       |#endif
  147|       |
  148|       |
  149|       |    /* feedback */
  150|   386k|    for (i = 0; i < 8; i++) {
  ------------------
  |  Branch (150:17): [True: 343k, False: 42.9k]
  ------------------
  151|   343k|        md->sha512.state[i] = md->sha512.state[i] + S[i];
  152|   343k|    }
  153|       |
  154|  42.9k|    return CRYPT_OK;
  155|  42.9k|}

sha1_process:
              /*
               * sha1_process as generated from the shared hash-process macro body
               * below; func_name, compress_name, state_var and block_size are macro
               * parameters whose values for this instance are not shown here.
               *
               * Feeds inlen bytes from in into the hash state md. When nothing is
               * buffered and at least block_size bytes remain, a block is compressed
               * straight from the caller's buffer; otherwise bytes are staged in the
               * state's buf and compressed once curlen reaches block_size.
               *
               * Returns CRYPT_OK, CRYPT_INVALID_ARG when curlen exceeds sizeof(buf),
               * CRYPT_HASH_OVERFLOW when length + inlen wraps, or the error returned
               * by the compress function.
               *
               * NOTE(review): LTC_ARGCHK as expanded here only calls crypt_argchk()
               * and does not return, so the NULL checks protect the dereferences
               * that follow only if crypt_argchk() never returns -- confirm for this
               * build.
               * NOTE(review): the wrap check at line 500 adds a byte count (inlen) to
               * length, while the loop advances length by block_size * 8 -- confirm
               * the guard is intended only as a coarse overflow test.
               *
               * Coverage: the direct-compress path (lines 505-510), the buffer flush
               * (lines 518-522) and every error return show 0 executions for this
               * instance.
               */
  491|    672|int func_name (hash_state * md, const unsigned char *in, unsigned long inlen)               \
  492|    672|{                                                                                           \
  493|    672|    unsigned long n;                                                                        \
  494|    672|    int           err;                                                                      \
  495|    672|    LTC_ARGCHK(md != NULL);                                                                 \
  ------------------
  |  |   32|    672|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 672]
  |  |  |  Branch (32:87): [Folded, False: 672]
  |  |  ------------------
  ------------------
  496|    672|    LTC_ARGCHK(in != NULL);                                                                 \
  ------------------
  |  |   32|    672|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 672]
  |  |  |  Branch (32:87): [Folded, False: 672]
  |  |  ------------------
  ------------------
  497|    672|    if (md-> state_var .curlen > sizeof(md-> state_var .buf)) {                             \
  ------------------
  |  Branch (497:9): [True: 0, False: 672]
  ------------------
  498|      0|       return CRYPT_INVALID_ARG;                                                            \
  499|      0|    }                                                                                       \
  500|    672|    if ((md-> state_var .length + inlen) < md-> state_var .length) {                        \
  ------------------
  |  Branch (500:9): [True: 0, False: 672]
  ------------------
  501|      0|      return CRYPT_HASH_OVERFLOW;                                                           \
  502|      0|    }                                                                                       \
  503|  1.34k|    while (inlen > 0) {                                                                     \
  ------------------
  |  Branch (503:12): [True: 672, False: 672]
  ------------------
  504|    672|        if (md-> state_var .curlen == 0 && inlen >= block_size) {                           \
  ------------------
  |  Branch (504:13): [True: 672, False: 0]
  |  Branch (504:44): [True: 0, False: 672]
  ------------------
  505|      0|           if ((err = compress_name (md, (unsigned char *)in)) != CRYPT_OK) {               \
  ------------------
  |  Branch (505:16): [True: 0, False: 0]
  ------------------
  506|      0|              return err;                                                                   \
  507|      0|           }                                                                                \
  508|      0|           md-> state_var .length += block_size * 8;                                        \
  509|      0|           in             += block_size;                                                    \
  510|      0|           inlen          -= block_size;                                                    \
  511|    672|        } else {                                                                            \
  512|    672|           n = MIN(inlen, (block_size - md-> state_var .curlen));                           \
  ------------------
  |  |  425|    672|   #define MIN(x, y) ( ((x)<(y))?(x):(y) )
  |  |  ------------------
  |  |  |  Branch (425:24): [True: 672, False: 0]
  |  |  ------------------
  ------------------
  513|    672|           XMEMCPY(md-> state_var .buf + md-> state_var.curlen, in, (size_t)n);             \
  ------------------
  |  |   39|    672|#define XMEMCPY  memcpy
  ------------------
  514|    672|           md-> state_var .curlen += n;                                                     \
  515|    672|           in             += n;                                                             \
  516|    672|           inlen          -= n;                                                             \
  517|    672|           if (md-> state_var .curlen == block_size) {                                      \
  ------------------
  |  Branch (517:16): [True: 0, False: 672]
  ------------------
  518|      0|              if ((err = compress_name (md, md-> state_var .buf)) != CRYPT_OK) {            \
  ------------------
  |  Branch (518:19): [True: 0, False: 0]
  ------------------
  519|      0|                 return err;                                                                \
  520|      0|              }                                                                             \
  521|      0|              md-> state_var .length += 8*block_size;                                       \
  522|      0|              md-> state_var .curlen = 0;                                                   \
  523|      0|           }                                                                                \
  524|    672|       }                                                                                    \
  525|    672|    }                                                                                       \
  526|    672|    return CRYPT_OK;                                                                        \
  527|    672|}
sha256_process:
              /*
               * sha256_process as generated from the shared hash-process macro body
               * below; func_name, compress_name, state_var and block_size are macro
               * parameters whose values for this instance are not shown here.
               *
               * Feeds inlen bytes from in into the hash state md. When nothing is
               * buffered and at least block_size bytes remain, a block is compressed
               * straight from the caller's buffer; otherwise bytes are staged in the
               * state's buf and compressed once curlen reaches block_size.
               *
               * Returns CRYPT_OK, CRYPT_INVALID_ARG when curlen exceeds sizeof(buf),
               * CRYPT_HASH_OVERFLOW when length + inlen wraps, or the error returned
               * by the compress function.
               *
               * NOTE(review): LTC_ARGCHK as expanded here only calls crypt_argchk()
               * and does not return, so the NULL checks protect the dereferences
               * that follow only if crypt_argchk() never returns -- confirm for this
               * build.
               * NOTE(review): the wrap check at line 500 adds a byte count (inlen) to
               * length, while the loop advances length by block_size * 8 -- confirm
               * the guard is intended only as a coarse overflow test.
               *
               * Coverage: the direct-compress path is exercised for this instance,
               * but the buffer flush (lines 518-522) and every error return show 0
               * executions.
               */
  491|  10.4M|int func_name (hash_state * md, const unsigned char *in, unsigned long inlen)               \
  492|  10.4M|{                                                                                           \
  493|  10.4M|    unsigned long n;                                                                        \
  494|  10.4M|    int           err;                                                                      \
  495|  10.4M|    LTC_ARGCHK(md != NULL);                                                                 \
  ------------------
  |  |   32|  10.4M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 10.4M]
  |  |  |  Branch (32:87): [Folded, False: 10.4M]
  |  |  ------------------
  ------------------
  496|  10.4M|    LTC_ARGCHK(in != NULL);                                                                 \
  ------------------
  |  |   32|  10.4M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 10.4M]
  |  |  |  Branch (32:87): [Folded, False: 10.4M]
  |  |  ------------------
  ------------------
  497|  10.4M|    if (md-> state_var .curlen > sizeof(md-> state_var .buf)) {                             \
  ------------------
  |  Branch (497:9): [True: 0, False: 10.4M]
  ------------------
  498|      0|       return CRYPT_INVALID_ARG;                                                            \
  499|      0|    }                                                                                       \
  500|  10.4M|    if ((md-> state_var .length + inlen) < md-> state_var .length) {                        \
  ------------------
  |  Branch (500:9): [True: 0, False: 10.4M]
  ------------------
  501|      0|      return CRYPT_HASH_OVERFLOW;                                                           \
  502|      0|    }                                                                                       \
  503|  20.8M|    while (inlen > 0) {                                                                     \
  ------------------
  |  Branch (503:12): [True: 10.4M, False: 10.4M]
  ------------------
  504|  10.4M|        if (md-> state_var .curlen == 0 && inlen >= block_size) {                           \
  ------------------
  |  Branch (504:13): [True: 5.24M, False: 5.21M]
  |  Branch (504:44): [True: 37.0k, False: 5.21M]
  ------------------
  505|  37.0k|           if ((err = compress_name (md, (unsigned char *)in)) != CRYPT_OK) {               \
  ------------------
  |  Branch (505:16): [True: 0, False: 37.0k]
  ------------------
  506|      0|              return err;                                                                   \
  507|      0|           }                                                                                \
  508|  37.0k|           md-> state_var .length += block_size * 8;                                        \
  509|  37.0k|           in             += block_size;                                                    \
  510|  37.0k|           inlen          -= block_size;                                                    \
  511|  10.4M|        } else {                                                                            \
  512|  10.4M|           n = MIN(inlen, (block_size - md-> state_var .curlen));                           \
  ------------------
  |  |  425|  10.4M|   #define MIN(x, y) ( ((x)<(y))?(x):(y) )
  |  |  ------------------
  |  |  |  Branch (425:24): [True: 10.4M, False: 0]
  |  |  ------------------
  ------------------
  513|  10.4M|           XMEMCPY(md-> state_var .buf + md-> state_var.curlen, in, (size_t)n);             \
  ------------------
  |  |   39|  10.4M|#define XMEMCPY  memcpy
  ------------------
  514|  10.4M|           md-> state_var .curlen += n;                                                     \
  515|  10.4M|           in             += n;                                                             \
  516|  10.4M|           inlen          -= n;                                                             \
  517|  10.4M|           if (md-> state_var .curlen == block_size) {                                      \
  ------------------
  |  Branch (517:16): [True: 0, False: 10.4M]
  ------------------
  518|      0|              if ((err = compress_name (md, md-> state_var .buf)) != CRYPT_OK) {            \
  ------------------
  |  Branch (518:19): [True: 0, False: 0]
  ------------------
  519|      0|                 return err;                                                                \
  520|      0|              }                                                                             \
  521|      0|              md-> state_var .length += 8*block_size;                                       \
  522|      0|              md-> state_var .curlen = 0;                                                   \
  523|      0|           }                                                                                \
  524|  10.4M|       }                                                                                    \
  525|  10.4M|    }                                                                                       \
  526|  10.4M|    return CRYPT_OK;                                                                        \
  527|  10.4M|}
sha512_process:
              /*
               * sha512_process as generated from the shared hash-process macro body
               * below; func_name, compress_name, state_var and block_size are macro
               * parameters whose values for this instance are not shown here.
               *
               * Feeds inlen bytes from in into the hash state md. When nothing is
               * buffered and at least block_size bytes remain, a block is compressed
               * straight from the caller's buffer; otherwise bytes are staged in the
               * state's buf and compressed once curlen reaches block_size.
               *
               * Returns CRYPT_OK, CRYPT_INVALID_ARG when curlen exceeds sizeof(buf),
               * CRYPT_HASH_OVERFLOW when length + inlen wraps, or the error returned
               * by the compress function.
               *
               * NOTE(review): LTC_ARGCHK as expanded here only calls crypt_argchk()
               * and does not return, so the NULL checks protect the dereferences
               * that follow only if crypt_argchk() never returns -- confirm for this
               * build.
               * NOTE(review): the wrap check at line 500 adds a byte count (inlen) to
               * length, while the loop advances length by block_size * 8 -- confirm
               * the guard is intended only as a coarse overflow test.
               *
               * Coverage: the direct-compress path is exercised for this instance,
               * but the buffer flush (lines 518-522) and every error return show 0
               * executions.
               */
  491|  3.78k|int func_name (hash_state * md, const unsigned char *in, unsigned long inlen)               \
  492|  3.78k|{                                                                                           \
  493|  3.78k|    unsigned long n;                                                                        \
  494|  3.78k|    int           err;                                                                      \
  495|  3.78k|    LTC_ARGCHK(md != NULL);                                                                 \
  ------------------
  |  |   32|  3.78k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.78k]
  |  |  |  Branch (32:87): [Folded, False: 3.78k]
  |  |  ------------------
  ------------------
  496|  3.78k|    LTC_ARGCHK(in != NULL);                                                                 \
  ------------------
  |  |   32|  3.78k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.78k]
  |  |  |  Branch (32:87): [Folded, False: 3.78k]
  |  |  ------------------
  ------------------
  497|  3.78k|    if (md-> state_var .curlen > sizeof(md-> state_var .buf)) {                             \
  ------------------
  |  Branch (497:9): [True: 0, False: 3.78k]
  ------------------
  498|      0|       return CRYPT_INVALID_ARG;                                                            \
  499|      0|    }                                                                                       \
  500|  3.78k|    if ((md-> state_var .length + inlen) < md-> state_var .length) {                        \
  ------------------
  |  Branch (500:9): [True: 0, False: 3.78k]
  ------------------
  501|      0|      return CRYPT_HASH_OVERFLOW;                                                           \
  502|      0|    }                                                                                       \
  503|  46.6k|    while (inlen > 0) {                                                                     \
  ------------------
  |  Branch (503:12): [True: 42.8k, False: 3.78k]
  ------------------
  504|  42.8k|        if (md-> state_var .curlen == 0 && inlen >= block_size) {                           \
  ------------------
  |  Branch (504:13): [True: 42.8k, False: 26]
  |  Branch (504:44): [True: 39.1k, False: 3.74k]
  ------------------
  505|  39.1k|           if ((err = compress_name (md, (unsigned char *)in)) != CRYPT_OK) {               \
  ------------------
  |  Branch (505:16): [True: 0, False: 39.1k]
  ------------------
  506|      0|              return err;                                                                   \
  507|      0|           }                                                                                \
  508|  39.1k|           md-> state_var .length += block_size * 8;                                        \
  509|  39.1k|           in             += block_size;                                                    \
  510|  39.1k|           inlen          -= block_size;                                                    \
  511|  39.1k|        } else {                                                                            \
  512|  3.77k|           n = MIN(inlen, (block_size - md-> state_var .curlen));                           \
  ------------------
  |  |  425|  3.77k|   #define MIN(x, y) ( ((x)<(y))?(x):(y) )
  |  |  ------------------
  |  |  |  Branch (425:24): [True: 3.77k, False: 0]
  |  |  ------------------
  ------------------
  513|  3.77k|           XMEMCPY(md-> state_var .buf + md-> state_var.curlen, in, (size_t)n);             \
  ------------------
  |  |   39|  3.77k|#define XMEMCPY  memcpy
  ------------------
  514|  3.77k|           md-> state_var .curlen += n;                                                     \
  515|  3.77k|           in             += n;                                                             \
  516|  3.77k|           inlen          -= n;                                                             \
  517|  3.77k|           if (md-> state_var .curlen == block_size) {                                      \
  ------------------
  |  Branch (517:16): [True: 0, False: 3.77k]
  ------------------
  518|      0|              if ((err = compress_name (md, md-> state_var .buf)) != CRYPT_OK) {            \
  ------------------
  |  Branch (518:19): [True: 0, False: 0]
  ------------------
  519|      0|                 return err;                                                                \
  520|      0|              }                                                                             \
  521|      0|              md-> state_var .length += 8*block_size;                                       \
  522|      0|              md-> state_var .curlen = 0;                                                   \
  523|      0|           }                                                                                \
  524|  3.77k|       }                                                                                    \
  525|  42.8k|    }                                                                                       \
  526|  3.78k|    return CRYPT_OK;                                                                        \
  527|  3.78k|}

sha1.c:ROL:
              /*
               * Rotate word left by i bits with the x86 `roll` instruction and return
               * the result. The "c" constraint places the count in the CL register
               * and the "0" constraint ties the input to the output operand.
               * NOTE(review): the parameter types are not shown in this listing, and
               * the asm is x86-specific -- confirm a portable fallback exists for
               * other targets.
               */
  258|  43.0k|{
  259|  43.0k|   asm ("roll %%cl,%0"
  260|  43.0k|      :"=r" (word)
  261|  43.0k|      :"0" (word),"c" (i));
  262|  43.0k|   return word;
  263|  43.0k|}

ltm_desc.c:init:
              /*
               * Allocate and initialise one big integer: init_mpi() allocates *a,
               * then mp_init() sets it up. Returns init_mpi's error if allocation
               * fails, otherwise mp_init's status mapped through mpi_to_ltc_error().
               *
               * NOTE(review): when mp_init fails, *a is freed but still holds the
               * freed address on return. A caller that later passes it to deinit()
               * or reuses it would touch freed memory; clearing *a after XFREE would
               * close that off -- confirm how callers treat *a on error.
               * NOTE(review): LTC_ARGCHK as expanded here does not return, so the
               * NULL check guards the code below only if crypt_argchk() never
               * returns.
               *
               * Coverage: both failure branches show 0 executions.
               */
   58|  2.50M|{
   59|  2.50M|   int err;
   60|       |
   61|  2.50M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  2.50M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.50M]
  |  |  |  Branch (32:87): [Folded, False: 2.50M]
  |  |  ------------------
  ------------------
   62|       |
   63|  2.50M|   if ((err = init_mpi(a)) != CRYPT_OK) {
  ------------------
  |  Branch (63:8): [True: 0, False: 2.50M]
  ------------------
   64|      0|      return err;
   65|      0|   }
   66|  2.50M|   if ((err = mpi_to_ltc_error(mp_init(*a))) != CRYPT_OK) {
  ------------------
  |  Branch (66:8): [True: 0, False: 2.50M]
  ------------------
   67|      0|      XFREE(*a);
  ------------------
  |  |   17|      0|#define XFREE m_free_direct
  ------------------
   68|      0|   }
   69|  2.50M|   return err;
   70|  2.50M|}
ltm_desc.c:init_mpi:
              /*
               * Allocate storage for one mp_int through XCALLOC (m_calloc in this
               * build) and store the pointer in *a. Returns CRYPT_MEM if the
               * allocation returned NULL, otherwise CRYPT_OK.
               * NOTE(review): the CRYPT_MEM branch shows 0 executions; whether
               * m_calloc can return NULL at all is not visible here -- confirm
               * before relying on this error path.
               */
   46|  2.50M|{
   47|  2.50M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  2.50M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.50M]
  |  |  |  Branch (32:87): [Folded, False: 2.50M]
  |  |  ------------------
  ------------------
   48|       |
   49|  2.50M|   *a = XCALLOC(1, sizeof(mp_int));
  ------------------
  |  |   19|  2.50M|#define XCALLOC m_calloc
  ------------------
   50|  2.50M|   if (*a == NULL) {
  ------------------
  |  Branch (50:8): [True: 0, False: 2.50M]
  ------------------
   51|      0|      return CRYPT_MEM;
   52|  2.50M|   } else {
   53|  2.50M|      return CRYPT_OK;
   54|  2.50M|   }
   55|  2.50M|}
ltm_desc.c:mpi_to_ltc_error:
              /*
               * Translate a big-integer library status into a libtomcrypt status by
               * scanning the mpi_to_ltc_codes table for a matching mpi_code and
               * returning its ltc_code; an unknown code yields CRYPT_ERROR.
               *
               * Coverage: the comparison on line 38 was true on every evaluation
               * and the loop condition never failed, so only the first table entry
               * is exercised. The mappings for the remaining codes and the
               * CRYPT_ERROR fallback are untested by this corpus.
               */
   34|  33.8M|{
   35|  33.8M|   size_t x;
   36|       |
   37|  33.8M|   for (x = 0; x < sizeof(mpi_to_ltc_codes)/sizeof(mpi_to_ltc_codes[0]); x++) {
  ------------------
  |  Branch (37:16): [True: 33.8M, False: 0]
  ------------------
   38|  33.8M|       if (err == mpi_to_ltc_codes[x].mpi_code) {
  ------------------
  |  Branch (38:12): [True: 33.8M, False: 0]
  ------------------
   39|  33.8M|          return mpi_to_ltc_codes[x].ltc_code;
   40|  33.8M|       }
   41|  33.8M|   }
   42|      0|   return CRYPT_ERROR;
   43|  33.8M|}
ltm_desc.c:deinit:
              /*
               * Release a big integer: mp_clear() is called on a, then a itself is
               * freed with XFREE (m_free_direct in this build).
               * The caller's copy of the pointer is not changed by this call, so it
               * must not be used or passed to deinit() again afterwards.
               * NOTE(review): LTC_ARGCHKVD as expanded here does not return, so a
               * NULL a reaches mp_clear() unless crypt_argchk() never returns --
               * confirm for this build.
               */
   73|  2.50M|{
   74|  2.50M|   LTC_ARGCHKVD(a != NULL);
  ------------------
  |  |   33|  2.50M|#define LTC_ARGCHKVD(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (33:34): [True: 0, False: 2.50M]
  |  |  |  Branch (33:89): [Folded, False: 2.50M]
  |  |  ------------------
  ------------------
   75|  2.50M|   mp_clear(a);
   76|  2.50M|   XFREE(a);
  ------------------
  |  |   17|  2.50M|#define XFREE m_free_direct
  ------------------
   77|  2.50M|}
ltm_desc.c:copy:
              /*
               * Descriptor wrapper around mp_copy(a, b): both pointers are checked
               * for NULL and mp_copy's status is returned after mapping through
               * mpi_to_ltc_error().
               * NOTE(review): which argument is the source and which the destination
               * is decided by mp_copy and is not visible here -- presumably a is
               * copied into b; verify against the big-integer library.
               */
   87|  2.17M|{
   88|  2.17M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  2.17M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.17M]
  |  |  |  Branch (32:87): [Folded, False: 2.17M]
  |  |  ------------------
  ------------------
   89|  2.17M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  2.17M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.17M]
  |  |  |  Branch (32:87): [Folded, False: 2.17M]
  |  |  ------------------
  ------------------
   90|  2.17M|   return mpi_to_ltc_error(mp_copy(a, b));
   91|  2.17M|}
ltm_desc.c:set_int:
              /*
               * Set the big integer a to the small value b via mp_set_u32() and
               * return CRYPT_OK unconditionally.
               * NOTE(review): the type of b is not shown in this listing; if it is
               * wider than 32 bits the value is narrowed at the mp_set_u32() call --
               * confirm callers never pass larger values.
               */
  104|  1.41k|{
  105|  1.41k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  1.41k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1.41k]
  |  |  |  Branch (32:87): [Folded, False: 1.41k]
  |  |  ------------------
  ------------------
  106|  1.41k|   mp_set_u32(a, b);
  107|  1.41k|   return CRYPT_OK;
  108|  1.41k|}
ltm_desc.c:get_digit:
              /*
               * Return digit n of the big integer a, or 0 when n is negative or not
               * below A->used. The index is range-checked before A->dp is read, so an
               * out-of-range n never indexes the digit array.
               * An out-of-range request is indistinguishable from a digit whose
               * value is 0; callers that need to tell them apart must check the
               * digit count first.
               *
               * Coverage: neither out-of-range condition was ever true in this run.
               */
  117|   721k|{
  118|   721k|   mp_int *A;
  119|   721k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|   721k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 721k]
  |  |  |  Branch (32:87): [Folded, False: 721k]
  |  |  ------------------
  ------------------
  120|   721k|   A = a;
  121|   721k|   return (n >= A->used || n < 0) ? 0 : A->dp[n];
  ------------------
  |  Branch (121:12): [True: 0, False: 721k]
  |  Branch (121:28): [True: 0, False: 721k]
  ------------------
  122|   721k|}
ltm_desc.c:get_digit_count:
  125|   716k|{
  126|   716k|   mp_int *A;
  127|   716k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|   716k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 716k]
  |  |  |  Branch (32:87): [Folded, False: 716k]
  |  |  ------------------
  ------------------
  128|   716k|   A = a;
  129|   716k|   return A->used;
  130|   716k|}
ltm_desc.c:compare:
/* Maps the result of mp_cmp(a, b) from libtommath's MP_LT/MP_EQ/MP_GT onto
 * libtomcrypt's LTC_MP_LT/LTC_MP_EQ/LTC_MP_GT.
 * NOTE(review): the default arm returns 0, which is the value of LTC_MP_EQ in
 * the expansion shown below, so an mp_cmp() result outside the three known
 * values would be reported to the caller as equality.
 * Neither the MP_EQ arm nor the default arm was reached in this run (count 0),
 * so the equality path has no fuzzing coverage here. */
  133|  3.58M|{
  134|  3.58M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  3.58M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.58M]
  |  |  |  Branch (32:87): [Folded, False: 3.58M]
  |  |  ------------------
  ------------------
  135|  3.58M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  3.58M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.58M]
  |  |  |  Branch (32:87): [Folded, False: 3.58M]
  |  |  ------------------
  ------------------
  136|  3.58M|   switch (mp_cmp(a, b)) {
  137|  1.81M|      case MP_LT: return LTC_MP_LT;
  ------------------
  |  |  154|  1.81M|#define MP_LT        -1   /* less than */
  ------------------
                    case MP_LT: return LTC_MP_LT;
  ------------------
  |  |   12|  1.81M|#define LTC_MP_LT   -1
  ------------------
  |  Branch (137:7): [True: 1.81M, False: 1.76M]
  ------------------
  138|      0|      case MP_EQ: return LTC_MP_EQ;
  ------------------
  |  |  155|      0|#define MP_EQ         0   /* equal to */
  ------------------
                    case MP_EQ: return LTC_MP_EQ;
  ------------------
  |  |   13|      0|#define LTC_MP_EQ    0
  ------------------
  |  Branch (138:7): [True: 0, False: 3.58M]
  ------------------
  139|  1.76M|      case MP_GT: return LTC_MP_GT;
  ------------------
  |  |  156|  1.76M|#define MP_GT         1   /* greater than */
  ------------------
                    case MP_GT: return LTC_MP_GT;
  ------------------
  |  |   14|  1.76M|#define LTC_MP_GT    1
  ------------------
  |  Branch (139:7): [True: 1.76M, False: 1.81M]
  ------------------
  140|      0|      default:    return 0;
  ------------------
  |  Branch (140:7): [True: 0, False: 3.58M]
  ------------------
  141|  3.58M|   }
  142|  3.58M|}
ltm_desc.c:compare_d:
  145|  3.93M|{
  146|  3.93M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  3.93M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3.93M]
  |  |  |  Branch (32:87): [Folded, False: 3.93M]
  |  |  ------------------
  ------------------
  147|  3.93M|   switch (mp_cmp_d(a, b)) {
  148|  1.96M|      case MP_LT: return LTC_MP_LT;
  ------------------
  |  |  154|  1.96M|#define MP_LT        -1   /* less than */
  ------------------
                    case MP_LT: return LTC_MP_LT;
  ------------------
  |  |   12|  1.96M|#define LTC_MP_LT   -1
  ------------------
  |  Branch (148:7): [True: 1.96M, False: 1.97M]
  ------------------
  149|      3|      case MP_EQ: return LTC_MP_EQ;
  ------------------
  |  |  155|      3|#define MP_EQ         0   /* equal to */
  ------------------
                    case MP_EQ: return LTC_MP_EQ;
  ------------------
  |  |   13|      3|#define LTC_MP_EQ    0
  ------------------
  |  Branch (149:7): [True: 3, False: 3.93M]
  ------------------
  150|  1.97M|      case MP_GT: return LTC_MP_GT;
  ------------------
  |  |  156|  1.97M|#define MP_GT         1   /* greater than */
  ------------------
                    case MP_GT: return LTC_MP_GT;
  ------------------
  |  |   14|  1.97M|#define LTC_MP_GT    1
  ------------------
  |  Branch (150:7): [True: 1.97M, False: 1.96M]
  ------------------
  151|      0|      default:    return 0;
  ------------------
  |  Branch (151:7): [True: 0, False: 3.93M]
  ------------------
  152|  3.93M|   }
  153|  3.93M|}
ltm_desc.c:read_radix:
  178|  2.71k|{
  179|  2.71k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  2.71k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.71k]
  |  |  |  Branch (32:87): [Folded, False: 2.71k]
  |  |  ------------------
  ------------------
  180|  2.71k|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  2.71k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.71k]
  |  |  |  Branch (32:87): [Folded, False: 2.71k]
  |  |  ------------------
  ------------------
  181|  2.71k|   return mpi_to_ltc_error(mp_read_radix(a, b, radix));
  182|  2.71k|}
ltm_desc.c:unsigned_size:
  194|  1.79k|{
  195|  1.79k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  1.79k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1.79k]
  |  |  |  Branch (32:87): [Folded, False: 1.79k]
  |  |  ------------------
  ------------------
  196|  1.79k|   return (unsigned long)mp_ubin_size(a);
  197|  1.79k|}
ltm_desc.c:unsigned_write:
/* Serialises the big integer a into the byte buffer b through mp_to_ubin()
 * and converts the libtommath status with mpi_to_ltc_error().
 * NOTE(review): SIZE_MAX is passed in the position where mp_to_ubin() takes
 * the capacity of the output buffer, so no bound is enforced at this layer.
 * The call uses no length for b, so the caller has to size b beforehand
 * (presumably from unsigned_size() — confirm at the call sites). */
  201|  1.79k|{
  202|  1.79k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  1.79k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1.79k]
  |  |  |  Branch (32:87): [Folded, False: 1.79k]
  |  |  ------------------
  ------------------
  203|  1.79k|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  1.79k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1.79k]
  |  |  |  Branch (32:87): [Folded, False: 1.79k]
  |  |  ------------------
  ------------------
  204|  1.79k|   return mpi_to_ltc_error(mp_to_ubin(a, b, SIZE_MAX, NULL));
  205|  1.79k|}
ltm_desc.c:unsigned_read:
  209|    682|{
  210|    682|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|    682|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 682]
  |  |  |  Branch (32:87): [Folded, False: 682]
  |  |  ------------------
  ------------------
  211|    682|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|    682|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 682]
  |  |  |  Branch (32:87): [Folded, False: 682]
  |  |  ------------------
  ------------------
  212|    682|   return mpi_to_ltc_error(mp_from_ubin(a, b, (size_t)len));
  213|    682|}
ltm_desc.c:add:
  217|  5.53M|{
  218|  5.53M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  5.53M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.53M]
  |  |  |  Branch (32:87): [Folded, False: 5.53M]
  |  |  ------------------
  ------------------
  219|  5.53M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  5.53M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.53M]
  |  |  |  Branch (32:87): [Folded, False: 5.53M]
  |  |  ------------------
  ------------------
  220|  5.53M|   LTC_ARGCHK(c != NULL);
  ------------------
  |  |   32|  5.53M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.53M]
  |  |  |  Branch (32:87): [Folded, False: 5.53M]
  |  |  ------------------
  ------------------
  221|  5.53M|   return mpi_to_ltc_error(mp_add(a, b, c));
  222|  5.53M|}
ltm_desc.c:sub:
  233|  5.87M|{
  234|  5.87M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  5.87M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.87M]
  |  |  |  Branch (32:87): [Folded, False: 5.87M]
  |  |  ------------------
  ------------------
  235|  5.87M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  5.87M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.87M]
  |  |  |  Branch (32:87): [Folded, False: 5.87M]
  |  |  ------------------
  ------------------
  236|  5.87M|   LTC_ARGCHK(c != NULL);
  ------------------
  |  |   32|  5.87M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.87M]
  |  |  |  Branch (32:87): [Folded, False: 5.87M]
  |  |  ------------------
  ------------------
  237|  5.87M|   return mpi_to_ltc_error(mp_sub(a, b, c));
  238|  5.87M|}
ltm_desc.c:mul:
  249|  5.67M|{
  250|  5.67M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  5.67M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.67M]
  |  |  |  Branch (32:87): [Folded, False: 5.67M]
  |  |  ------------------
  ------------------
  251|  5.67M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  5.67M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.67M]
  |  |  |  Branch (32:87): [Folded, False: 5.67M]
  |  |  ------------------
  ------------------
  252|  5.67M|   LTC_ARGCHK(c != NULL);
  ------------------
  |  |   32|  5.67M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 5.67M]
  |  |  |  Branch (32:87): [Folded, False: 5.67M]
  |  |  ------------------
  ------------------
  253|  5.67M|   return mpi_to_ltc_error(mp_mul(a, b, c));
  254|  5.67M|}
ltm_desc.c:sqr:
  265|  2.86M|{
  266|  2.86M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  2.86M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.86M]
  |  |  |  Branch (32:87): [Folded, False: 2.86M]
  |  |  ------------------
  ------------------
  267|  2.86M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  2.86M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.86M]
  |  |  |  Branch (32:87): [Folded, False: 2.86M]
  |  |  ------------------
  ------------------
  268|  2.86M|   return mpi_to_ltc_error(mp_sqr(a, b));
  269|  2.86M|}
ltm_desc.c:divide:
  273|  1.97k|{
  274|  1.97k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  1.97k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1.97k]
  |  |  |  Branch (32:87): [Folded, False: 1.97k]
  |  |  ------------------
  ------------------
  275|  1.97k|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  1.97k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1.97k]
  |  |  |  Branch (32:87): [Folded, False: 1.97k]
  |  |  ------------------
  ------------------
  276|  1.97k|   return mpi_to_ltc_error(mp_div(a, b, c, d));
  277|  1.97k|}
ltm_desc.c:div_2:
  280|   715k|{
  281|   715k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|   715k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 715k]
  |  |  |  Branch (32:87): [Folded, False: 715k]
  |  |  ------------------
  ------------------
  282|   715k|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|   715k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 715k]
  |  |  |  Branch (32:87): [Folded, False: 715k]
  |  |  ------------------
  ------------------
  283|   715k|   return mpi_to_ltc_error(mp_div_2(a, b));
  284|   715k|}
ltm_desc.c:mulmod:
  339|  2.44k|{
  340|  2.44k|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  2.44k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.44k]
  |  |  |  Branch (32:87): [Folded, False: 2.44k]
  |  |  ------------------
  ------------------
  341|  2.44k|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  2.44k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.44k]
  |  |  |  Branch (32:87): [Folded, False: 2.44k]
  |  |  ------------------
  ------------------
  342|  2.44k|   LTC_ARGCHK(c != NULL);
  ------------------
  |  |   32|  2.44k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.44k]
  |  |  |  Branch (32:87): [Folded, False: 2.44k]
  |  |  ------------------
  ------------------
  343|  2.44k|   LTC_ARGCHK(d != NULL);
  ------------------
  |  |   32|  2.44k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 2.44k]
  |  |  |  Branch (32:87): [Folded, False: 2.44k]
  |  |  ------------------
  ------------------
  344|  2.44k|   return mpi_to_ltc_error(mp_mulmod(a,b,c,d));
  345|  2.44k|}
ltm_desc.c:invmod:
  357|    786|{
  358|    786|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|    786|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 786]
  |  |  |  Branch (32:87): [Folded, False: 786]
  |  |  ------------------
  ------------------
  359|    786|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|    786|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 786]
  |  |  |  Branch (32:87): [Folded, False: 786]
  |  |  ------------------
  ------------------
  360|    786|   LTC_ARGCHK(c != NULL);
  ------------------
  |  |   32|    786|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 786]
  |  |  |  Branch (32:87): [Folded, False: 786]
  |  |  ------------------
  ------------------
  361|    786|   return mpi_to_ltc_error(mp_invmod(a, b, c));
  362|    786|}
ltm_desc.c:montgomery_setup:
/* Allocates one mp_digit through XCALLOC (m_calloc in this build), stores the
 * pointer in *b, and fills it via mp_montgomery_setup(a, ...).
 * Returns CRYPT_MEM if the allocation yields NULL, otherwise the converted
 * libtommath status.
 * NOTE(review): on the failure path *b is freed but not reset to NULL, so the
 * caller is left holding a dangling pointer. If a caller then hands it to a
 * routine that frees it again, that is a double free; whether any caller
 * does so is not visible in this listing.
 * Both failure branches have count 0 here: the cleanup path was never run by
 * the fuzzer. */
  366|    742|{
  367|    742|   int err;
  368|    742|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
  369|    742|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
  370|    742|   *b = XCALLOC(1, sizeof(mp_digit));
  ------------------
  |  |   19|    742|#define XCALLOC m_calloc
  ------------------
  371|    742|   if (*b == NULL) {
  ------------------
  |  Branch (371:8): [True: 0, False: 742]
  ------------------
  372|      0|      return CRYPT_MEM;
  373|      0|   }
  374|    742|   if ((err = mpi_to_ltc_error(mp_montgomery_setup(a, (mp_digit *)*b))) != CRYPT_OK) {
  ------------------
  |  Branch (374:8): [True: 0, False: 742]
  ------------------
  375|      0|      XFREE(*b);
  ------------------
  |  |   17|      0|#define XFREE m_free_direct
  ------------------
  376|      0|   }
  377|    742|   return err;
  378|    742|}
ltm_desc.c:montgomery_normalization:
  382|    742|{
  383|    742|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
  384|    742|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
  385|    742|   return mpi_to_ltc_error(mp_montgomery_calc_normalization(a, b));
  386|    742|}
ltm_desc.c:montgomery_reduce:
  390|  8.54M|{
  391|  8.54M|   LTC_ARGCHK(a != NULL);
  ------------------
  |  |   32|  8.54M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 8.54M]
  |  |  |  Branch (32:87): [Folded, False: 8.54M]
  |  |  ------------------
  ------------------
  392|  8.54M|   LTC_ARGCHK(b != NULL);
  ------------------
  |  |   32|  8.54M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 8.54M]
  |  |  |  Branch (32:87): [Folded, False: 8.54M]
  |  |  ------------------
  ------------------
  393|  8.54M|   LTC_ARGCHK(c != NULL);
  ------------------
  |  |   32|  8.54M|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 8.54M]
  |  |  |  Branch (32:87): [Folded, False: 8.54M]
  |  |  ------------------
  ------------------
  394|  8.54M|   return mpi_to_ltc_error(mp_montgomery_reduce(a, b, *((mp_digit *)c)));
  395|  8.54M|}
ltm_desc.c:montgomery_deinit:
/* Frees a with XFREE (m_free_direct in this build); nothing else is done.
 * NOTE(review): unlike the other wrappers in this file there is no argument
 * check here, so behaviour for a NULL or already-freed pointer depends
 * entirely on m_free_direct — confirm against its definition. */
  399|    742|{
  400|    742|   XFREE(a);
  ------------------
  |  |   17|    742|#define XFREE m_free_direct
  ------------------
  401|    742|}

ltc_init_multi:
/* Initialises every big integer in a variadic list of void** arguments,
 * stopping at the first NULL argument. Returns CRYPT_OK when all succeed.
 * If one mp_init() fails, the list is walked again from the start and the np
 * integers initialised so far are cleared before returning CRYPT_MEM.
 * NOTE(review): termination depends on the caller passing a trailing NULL;
 * without it va_arg() reads past the supplied arguments.
 * The whole failure branch has count 0 in this run, so the rollback code is
 * untested by the fuzzer. */
   15|   721k|{
   16|   721k|   void    **cur = a;
   17|   721k|   int       np  = 0;
   18|   721k|   va_list   args;
   19|       |
   20|   721k|   va_start(args, a);
   21|  3.22M|   while (cur != NULL) {
  ------------------
  |  Branch (21:11): [True: 2.50M, False: 721k]
  ------------------
   22|  2.50M|       if (mp_init(cur) != CRYPT_OK) {
  ------------------
  |  |  516|  2.50M|#define mp_init(a)                   ltc_mp.init(a)
  ------------------
  |  Branch (22:12): [True: 0, False: 2.50M]
  ------------------
   23|       |          /* failed */
   24|      0|          va_list clean_list;
   25|       |
   26|      0|          va_start(clean_list, a);
   27|      0|          cur = a;
   28|      0|          while (np--) {
  ------------------
  |  Branch (28:18): [True: 0, False: 0]
  ------------------
   29|      0|              mp_clear(*cur);
  ------------------
  |  |  518|      0|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
   30|      0|              cur = va_arg(clean_list, void**);
   31|      0|          }
   32|      0|          va_end(clean_list);
   33|      0|          va_end(args);
   34|      0|          return CRYPT_MEM;
   35|      0|       }
   36|  2.50M|       ++np;
   37|  2.50M|       cur = va_arg(args, void**);
   38|  2.50M|   }
   39|   721k|   va_end(args);
   40|   721k|   return CRYPT_OK;
   41|   721k|}
ltc_deinit_multi:
/* Clears every big integer in a variadic list of void* arguments through
 * mp_clear (ltc_mp.deinit), stopping at the first NULL argument.
 * NOTE(review): the first NULL ends the walk, whether it is the intended
 * terminator or a member that was never initialised. Any arguments after
 * such a NULL are not cleared, and a missing terminator makes va_arg() read
 * past the supplied arguments. */
   44|   721k|{
   45|   721k|   void     *cur = a;
   46|   721k|   va_list   args;
   47|       |
   48|   721k|   va_start(args, a);
   49|  3.22M|   while (cur != NULL) {
  ------------------
  |  Branch (49:11): [True: 2.50M, False: 721k]
  ------------------
   50|  2.50M|       mp_clear(cur);
  ------------------
  |  |  518|  2.50M|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
   51|  2.50M|       cur = va_arg(args, void *);
   52|  2.50M|   }
   53|       |   va_end(args);
   54|   721k|}

prng_is_valid:
/* Reports whether idx names a registered PRNG: CRYPT_OK if idx is inside
 * [0, TAB_SIZE) and that table slot has a non-NULL name, otherwise
 * CRYPT_INVALID_PRNG. The range tests come first in the || chain, so
 * prng_descriptor[idx] is only read for an in-range index.
 * NOTE(review): the mutex is released before returning, so the answer
 * describes the table at the moment of the check only.
 * The rejecting branch has count 0 in this run; invalid indices were never
 * fed to this function by the fuzzer. */
   22|    633|{
   23|    633|   LTC_MUTEX_LOCK(&ltc_prng_mutex);
   24|    633|   if (idx < 0 || idx >= TAB_SIZE || prng_descriptor[idx].name == NULL) {
  ------------------
  |  |   14|  1.26k|#define TAB_SIZE      5
  ------------------
  |  Branch (24:8): [True: 0, False: 633]
  |  Branch (24:19): [True: 0, False: 633]
  |  Branch (24:38): [True: 0, False: 633]
  ------------------
   25|      0|      LTC_MUTEX_UNLOCK(&ltc_prng_mutex);
   26|      0|      return CRYPT_INVALID_PRNG;
   27|      0|   }
   28|    633|   LTC_MUTEX_UNLOCK(&ltc_prng_mutex);
   29|    633|   return CRYPT_OK;
   30|    633|}

register_cipher:
   22|      1|{
   23|      1|   int x;
   24|       |
   25|      1|   LTC_ARGCHK(cipher != NULL);
  ------------------
  |  |   32|      1|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1]
  |  |  |  Branch (32:87): [Folded, False: 1]
  |  |  ------------------
  ------------------
   26|       |
   27|       |   /* is it already registered? */
   28|      1|   LTC_MUTEX_LOCK(&ltc_cipher_mutex);
   29|      6|   for (x = 0; x < TAB_SIZE; x++) {
  ------------------
  |  |   14|      6|#define TAB_SIZE      5
  ------------------
  |  Branch (29:16): [True: 5, False: 1]
  ------------------
   30|      5|       if (cipher_descriptor[x].name != NULL && cipher_descriptor[x].ID == cipher->ID) {
  ------------------
  |  Branch (30:12): [True: 0, False: 5]
  |  Branch (30:49): [True: 0, False: 0]
  ------------------
   31|      0|          LTC_MUTEX_UNLOCK(&ltc_cipher_mutex);
   32|      0|          return x;
   33|      0|       }
   34|      5|   }
   35|       |
   36|       |   /* find a blank spot */
   37|      1|   for (x = 0; x < TAB_SIZE; x++) {
  ------------------
  |  |   14|      1|#define TAB_SIZE      5
  ------------------
  |  Branch (37:16): [True: 1, False: 0]
  ------------------
   38|      1|       if (cipher_descriptor[x].name == NULL) {
  ------------------
  |  Branch (38:12): [True: 1, False: 0]
  ------------------
   39|      1|          XMEMCPY(&cipher_descriptor[x], cipher, sizeof(struct ltc_cipher_descriptor));
  ------------------
  |  |   39|      1|#define XMEMCPY  memcpy
  ------------------
   40|      1|          LTC_MUTEX_UNLOCK(&ltc_cipher_mutex);
   41|      1|          return x;
   42|      1|       }
   43|      1|   }
   44|       |
   45|       |   /* no spot */
   46|      0|   LTC_MUTEX_UNLOCK(&ltc_cipher_mutex);
   47|      0|   return -1;
   48|      1|}

register_hash:
/* Registers a hash descriptor in the fixed hash_descriptor table (TAB_SIZE
 * slots, 5 in this build). Returns the slot index of an identical existing
 * entry, else the index of the first free slot after copying the descriptor
 * into it, else -1 when the table is full. The mutex is held for the whole
 * search and released on every return path.
 * NOTE(review): "already registered" is decided by XMEMCMP over the whole
 * struct, which also compares any padding bytes. A descriptor whose padding
 * is not zeroed (e.g. one built in automatic storage) could fail to match an
 * otherwise identical entry and take a second slot — confirm how callers
 * build their descriptors.
 * NOTE(review): callers have to check for -1 before using the result as a
 * table index; the "no spot" path has count 0 in this run. */
   22|      3|{
   23|      3|   int x;
   24|       |
   25|      3|   LTC_ARGCHK(hash != NULL);
  ------------------
  |  |   32|      3|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 3]
  |  |  |  Branch (32:87): [Folded, False: 3]
  |  |  ------------------
  ------------------
   26|       |
   27|       |   /* is it already registered? */
   28|      3|   LTC_MUTEX_LOCK(&ltc_hash_mutex);
   29|     18|   for (x = 0; x < TAB_SIZE; x++) {
  ------------------
  |  |   14|     18|#define TAB_SIZE      5
  ------------------
  |  Branch (29:16): [True: 15, False: 3]
  ------------------
   30|     15|       if (XMEMCMP(&hash_descriptor[x], hash, sizeof(struct ltc_hash_descriptor)) == 0) {
  ------------------
  |  |   45|     15|#define XMEMCMP  memcmp
  ------------------
  |  Branch (30:12): [True: 0, False: 15]
  ------------------
   31|      0|          LTC_MUTEX_UNLOCK(&ltc_hash_mutex);
   32|      0|          return x;
   33|      0|       }
   34|     15|   }
   35|       |
   36|       |   /* find a blank spot */
   37|      6|   for (x = 0; x < TAB_SIZE; x++) {
  ------------------
  |  |   14|      6|#define TAB_SIZE      5
  ------------------
  |  Branch (37:16): [True: 6, False: 0]
  ------------------
   38|      6|       if (hash_descriptor[x].name == NULL) {
  ------------------
  |  Branch (38:12): [True: 3, False: 3]
  ------------------
   39|      3|          XMEMCPY(&hash_descriptor[x], hash, sizeof(struct ltc_hash_descriptor));
  ------------------
  |  |   39|      3|#define XMEMCPY  memcpy
  ------------------
   40|      3|          LTC_MUTEX_UNLOCK(&ltc_hash_mutex);
   41|      3|          return x;
   42|      3|       }
   43|      6|   }
   44|       |
   45|       |   /* no spot */
   46|      0|   LTC_MUTEX_UNLOCK(&ltc_hash_mutex);
   47|      0|   return -1;
   48|      3|}

register_prng:
   22|      1|{
   23|      1|   int x;
   24|       |
   25|      1|   LTC_ARGCHK(prng != NULL);
  ------------------
  |  |   32|      1|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 1]
  |  |  |  Branch (32:87): [Folded, False: 1]
  |  |  ------------------
  ------------------
   26|       |
   27|       |   /* is it already registered? */
   28|      1|   LTC_MUTEX_LOCK(&ltc_prng_mutex);
   29|      6|   for (x = 0; x < TAB_SIZE; x++) {
  ------------------
  |  |   14|      6|#define TAB_SIZE      5
  ------------------
  |  Branch (29:16): [True: 5, False: 1]
  ------------------
   30|      5|       if (XMEMCMP(&prng_descriptor[x], prng, sizeof(struct ltc_prng_descriptor)) == 0) {
  ------------------
  |  |   45|      5|#define XMEMCMP  memcmp
  ------------------
  |  Branch (30:12): [True: 0, False: 5]
  ------------------
   31|      0|          LTC_MUTEX_UNLOCK(&ltc_prng_mutex);
   32|      0|          return x;
   33|      0|       }
   34|      5|   }
   35|       |
   36|       |   /* find a blank spot */
   37|      1|   for (x = 0; x < TAB_SIZE; x++) {
  ------------------
  |  |   14|      1|#define TAB_SIZE      5
  ------------------
  |  Branch (37:16): [True: 1, False: 0]
  ------------------
   38|      1|       if (prng_descriptor[x].name == NULL) {
  ------------------
  |  Branch (38:12): [True: 1, False: 0]
  ------------------
   39|      1|          XMEMCPY(&prng_descriptor[x], prng, sizeof(struct ltc_prng_descriptor));
  ------------------
  |  |   39|      1|#define XMEMCPY  memcpy
  ------------------
   40|      1|          LTC_MUTEX_UNLOCK(&ltc_prng_mutex);
   41|      1|          return x;
   42|      1|       }
   43|      1|   }
   44|       |
   45|       |   /* no spot */
   46|      0|   LTC_MUTEX_UNLOCK(&ltc_prng_mutex);
   47|      0|   return -1;
   48|      1|}

zeromem:
/* Wipes outlen bytes at out by delegating to m_burn().
 * NOTE(review): whether the wipe survives compiler optimisation depends on
 * how m_burn() is implemented, which is not shown here — confirm it is not a
 * plain memset that can be elided. */
   23|  1.70k|{
   24|  1.70k|   m_burn((void*)out, outlen);
   25|  1.70k|}

ecc_ansi_x963_export:
/* Writes the public point of key to out as the byte 0x04 followed by the x
 * and y coordinates, each left-padded with zeros to numlen = key->dp->size
 * bytes, and stores the total length 1 + 2*numlen in *outlen.
 * Returns CRYPT_INVALID_ARG for an invalid curve index, and
 * CRYPT_BUFFER_OVERFLOW when a coordinate is longer than numlen, when numlen
 * exceeds the scratch buffer, or when *outlen is too small (in which case
 * *outlen is set to the required size first).
 * The xlen/ylen/sizeof(buf) test is what keeps buf + (numlen - xlen) and the
 * numlen-byte copies inside buf; it must stay ahead of the writes below.
 * out is checked for NULL only after the size test, so the short-buffer
 * return happens before out is examined.
 * NOTE(review): every rejecting branch in this function has count 0 in this
 * run, so none of the bounds checks was exercised by the fuzzer. */
   31|    852|{
   32|    852|   unsigned char buf[ECC_BUF_SIZE];
   33|    852|   unsigned long numlen, xlen, ylen;
   34|       |
   35|    852|   LTC_ARGCHK(key    != NULL);
  ------------------
  |  |   32|    852|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 852]
  |  |  |  Branch (32:87): [Folded, False: 852]
  |  |  ------------------
  ------------------
   36|    852|   LTC_ARGCHK(outlen != NULL);
  ------------------
  |  |   32|    852|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 852]
  |  |  |  Branch (32:87): [Folded, False: 852]
  |  |  ------------------
  ------------------
   37|       |
   38|    852|   if (ltc_ecc_is_valid_idx(key->idx) == 0) {
  ------------------
  |  Branch (38:8): [True: 0, False: 852]
  ------------------
   39|      0|      return CRYPT_INVALID_ARG;
   40|      0|   }
   41|    852|   numlen = key->dp->size;
   42|    852|   xlen = mp_unsigned_bin_size(key->pubkey.x);
  ------------------
  |  |  539|    852|#define mp_unsigned_bin_size(a)      ltc_mp.unsigned_size(a)
  ------------------
   43|    852|   ylen = mp_unsigned_bin_size(key->pubkey.y);
  ------------------
  |  |  539|    852|#define mp_unsigned_bin_size(a)      ltc_mp.unsigned_size(a)
  ------------------
   44|       |
   45|    852|   if (xlen > numlen || ylen > numlen || sizeof(buf) < numlen) {
  ------------------
  |  Branch (45:8): [True: 0, False: 852]
  |  Branch (45:25): [True: 0, False: 852]
  |  Branch (45:42): [True: 0, False: 852]
  ------------------
   46|      0|      return CRYPT_BUFFER_OVERFLOW;
   47|      0|   }
   48|       |
   49|    852|   if (*outlen < (1 + 2*numlen)) {
  ------------------
  |  Branch (49:8): [True: 0, False: 852]
  ------------------
   50|      0|      *outlen = 1 + 2*numlen;
   51|      0|      return CRYPT_BUFFER_OVERFLOW;
   52|      0|   }
   53|       |
   54|    852|   LTC_ARGCHK(out    != NULL);
  ------------------
  |  |   32|    852|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 852]
  |  |  |  Branch (32:87): [Folded, False: 852]
  |  |  ------------------
  ------------------
   55|       |
   56|       |   /* store byte 0x04 */
   57|    852|   out[0] = 0x04;
   58|       |
   59|       |   /* pad and store x */
   60|    852|   zeromem(buf, sizeof(buf));
/* NOTE(review): the status returned by mp_to_unsigned_bin
 * (ltc_mp.unsigned_write) is discarded here and for y below; a failed write
 * would leave the zero-filled buffer to be exported as the coordinate. */
   61|    852|   mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - xlen));
  ------------------
  |  |  540|    852|#define mp_to_unsigned_bin(a, b)     ltc_mp.unsigned_write(a, b)
  ------------------
   62|    852|   XMEMCPY(out+1, buf, numlen);
  ------------------
  |  |   39|    852|#define XMEMCPY  memcpy
  ------------------
   63|       |
   64|       |   /* pad and store y */
   65|    852|   zeromem(buf, sizeof(buf));
   66|    852|   mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - ylen));
  ------------------
  |  |  540|    852|#define mp_to_unsigned_bin(a, b)     ltc_mp.unsigned_write(a, b)
  ------------------
   67|    852|   XMEMCPY(out+1+numlen, buf, numlen);
  ------------------
  |  |   39|    852|#define XMEMCPY  memcpy
  ------------------
   68|       |
   69|    852|   *outlen = 1 + 2*numlen;
   70|    852|   return CRYPT_OK;
   71|    852|}

ecc_free:
/* Releases the big integers held by an ECC key: pubkey.x, pubkey.y, pubkey.z
 * and k, passed to mp_clear_multi (ltc_deinit_multi in this build) with a
 * NULL terminator.
 * NOTE(review): ltc_deinit_multi stops at the first NULL argument, so if an
 * earlier member is NULL the later ones, including key->k (presumably the
 * private scalar — confirm), are not cleared.
 * NOTE(review): whether the digits of k are wiped before the memory is
 * released depends on mp_clear and m_free_direct, neither of which is shown
 * in this listing. */
   29|    144|{
   30|    144|   LTC_ARGCHKVD(key != NULL);
  ------------------
  |  |   33|    144|#define LTC_ARGCHKVD(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (33:34): [True: 0, False: 144]
  |  |  |  Branch (33:89): [Folded, False: 144]
  |  |  ------------------
  ------------------
   31|    144|   mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
  ------------------
  |  |  519|    144|#define mp_clear_multi               ltc_deinit_multi
  ------------------
   32|    144|}

ecc_make_key_ex:
   49|    633|{  /* Generate an ECC key pair on the curve described by dp.
               * Reads dp->size bytes from PRNG number wprng (state prng), loads them as the private scalar
               * key->k, reduces k modulo the group order when it is not already below it, then computes
               * key->pubkey = k * base point with ltc_mp.ecc_ptmul and marks the key PK_PRIVATE.
               * key->idx is set to -1 and key->dp to dp. Returns CRYPT_OK or an error code; on a failure
               * after mp_init_multi the key's bignums are cleared again (label errkey). */
   50|    633|   int            err;
   51|    633|   ecc_point     *base;
   52|    633|   void          *prime, *order;
   53|    633|   unsigned char *buf;
   54|    633|   int            keysize;
   55|       |
   56|    633|   LTC_ARGCHK(key         != NULL);
  ------------------
  |  |   32|    633|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 633]
  |  |  |  Branch (32:87): [Folded, False: 633]
  |  |  ------------------
  ------------------
   57|    633|   LTC_ARGCHK(ltc_mp.name != NULL);
  ------------------
  |  |   32|    633|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 633]
  |  |  |  Branch (32:87): [Folded, False: 633]
  |  |  ------------------
  ------------------
   58|    633|   LTC_ARGCHK(dp          != NULL);
  ------------------
  |  |   32|    633|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 633]
  |  |  |  Branch (32:87): [Folded, False: 633]
  |  |  ------------------
  ------------------
   59|       |
   60|       |   /* good prng? checked before any allocation, so this early return has nothing to release */
   61|    633|   if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
  ------------------
  |  Branch (61:8): [True: 0, False: 633]
  ------------------
   62|      0|      return err;
   63|      0|   }
   64|       |
   65|    633|   key->idx = -1;
   66|    633|   key->dp  = dp;
   67|    633|   keysize  = dp->size;   /* NOTE(review): keysize is not compared with ECC_MAXSIZE before the PRNG writes keysize bytes into the ECC_MAXSIZE-byte buf below; this relies on 0 <= dp->size <= ECC_MAXSIZE -- confirm for every dp a caller can supply */
   68|       |
   69|       |   /* allocate ram: buf receives the raw random bytes that become the private scalar */
   70|    633|   base = NULL;
   71|    633|   buf  = XMALLOC(ECC_MAXSIZE);
  ------------------
  |  |   16|    633|#define XMALLOC m_malloc
  ------------------
                 buf  = XMALLOC(ECC_MAXSIZE);
  ------------------
  |  |  249|    633|#define ECC_MAXSIZE  66
  ------------------
   72|    633|   if (buf == NULL) {
  ------------------
  |  Branch (72:8): [True: 0, False: 633]
  ------------------
   73|      0|      return CRYPT_MEM;
   74|      0|   }
   75|       |
   76|       |   /* make up random string; a short read from the PRNG is treated as a failure */
   77|    633|   if (prng_descriptor[wprng].read(buf, (unsigned long)keysize, prng) != (unsigned long)keysize) {
  ------------------
  |  Branch (77:8): [True: 0, False: 633]
  ------------------
   78|      0|      err = CRYPT_ERROR_READPRNG;
   79|      0|      goto ERR_BUF;
   80|      0|   }
   81|       |
   82|       |   /* setup the key variables; prime and order are temporaries released at cleanup */
   83|    633|   if ((err = mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, &prime, &order, NULL)) != CRYPT_OK) {
  ------------------
  |  |  517|    633|#define mp_init_multi                ltc_init_multi
  ------------------
  |  Branch (83:8): [True: 0, False: 633]
  ------------------
   84|      0|      goto ERR_BUF;
   85|      0|   }
   86|    633|   base = ltc_ecc_new_point();
   87|    633|   if (base == NULL) {
  ------------------
  |  Branch (87:8): [True: 0, False: 633]
  ------------------
   88|      0|      err = CRYPT_MEM;
   89|      0|      goto errkey;
   90|      0|   }
   91|       |
   92|       |   /* read in the specs for this key: prime, order and base point (Gx, Gy) are parsed from dp as radix-16 strings */
   93|    633|   if ((err = mp_read_radix(prime,   (char *)key->dp->prime, 16)) != CRYPT_OK)                  { goto errkey; }
  ------------------
  |  |  537|    633|#define mp_read_radix(a, b, c)       ltc_mp.read_radix(a, b, c)
  ------------------
  |  Branch (93:8): [True: 0, False: 633]
  ------------------
   94|    633|   if ((err = mp_read_radix(order,   (char *)key->dp->order, 16)) != CRYPT_OK)                  { goto errkey; }
  ------------------
  |  |  537|    633|#define mp_read_radix(a, b, c)       ltc_mp.read_radix(a, b, c)
  ------------------
  |  Branch (94:8): [True: 0, False: 633]
  ------------------
   95|    633|   if ((err = mp_read_radix(base->x, (char *)key->dp->Gx, 16)) != CRYPT_OK)                     { goto errkey; }
  ------------------
  |  |  537|    633|#define mp_read_radix(a, b, c)       ltc_mp.read_radix(a, b, c)
  ------------------
  |  Branch (95:8): [True: 0, False: 633]
  ------------------
   96|    633|   if ((err = mp_read_radix(base->y, (char *)key->dp->Gy, 16)) != CRYPT_OK)                     { goto errkey; }
  ------------------
  |  |  537|    633|#define mp_read_radix(a, b, c)       ltc_mp.read_radix(a, b, c)
  ------------------
  |  Branch (96:8): [True: 0, False: 633]
  ------------------
   97|    633|   if ((err = mp_set(base->z, 1)) != CRYPT_OK)                                                  { goto errkey; }
  ------------------
  |  |  526|    633|#define mp_set(a, b)                 ltc_mp.set_int(a, b)
  ------------------
  |  Branch (97:8): [True: 0, False: 633]
  ------------------
   98|    633|   if ((err = mp_read_unsigned_bin(key->k, (unsigned char *)buf, keysize)) != CRYPT_OK)         { goto errkey; }
  ------------------
  |  |  541|    633|#define mp_read_unsigned_bin(a, b, c) ltc_mp.unsigned_read(a, b, c)
  ------------------
  |  Branch (98:8): [True: 0, False: 633]
  ------------------
   99|       |
  100|       |   /* the key should be smaller than the order of base point. NOTE(review): k is reduced mod order rather than re-sampled, so it is not exactly uniform over [0, order), and a zero result is not rejected in the lines shown -- confirm this is acceptable */
  101|    633|   if (mp_cmp(key->k, order) != LTC_MP_LT) {
  ------------------
  |  |  531|    633|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(key->k, order) != LTC_MP_LT) {
  ------------------
  |  |   12|    633|#define LTC_MP_LT   -1
  ------------------
  |  Branch (101:8): [True: 447, False: 186]
  ------------------
  102|    447|       if((err = mp_mod(key->k, order, key->k)) != CRYPT_OK)                                    { goto errkey; }
  ------------------
  |  |  552|    447|#define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)
  ------------------
  |  Branch (102:11): [True: 0, False: 447]
  ------------------
  103|    447|   }
  104|       |   /* make the public key: pubkey = k * base mod prime; the last argument (1) presumably asks ecc_ptmul to map the result to affine -- confirm */
  105|    633|   if ((err = ltc_mp.ecc_ptmul(key->k, base, &key->pubkey, prime, 1)) != CRYPT_OK)              { goto errkey; }
  ------------------
  |  Branch (105:8): [True: 0, False: 633]
  ------------------
  106|    633|   key->type = PK_PRIVATE;
  107|       |
  108|       |   /* free up ram: success jumps past errkey so the key's own bignums are kept and only temporaries are released */
  109|    633|   err = CRYPT_OK;
  110|    633|   goto cleanup;
  111|      0|errkey:   /* failure after mp_init_multi: discard the partially built key, then fall through to cleanup */
  112|      0|   mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
  ------------------
  |  |  519|      0|#define mp_clear_multi               ltc_deinit_multi
  ------------------
  113|    633|cleanup:
  114|    633|   ltc_ecc_del_point(base);
  115|    633|   mp_clear_multi(prime, order, NULL);
  ------------------
  |  |  519|    633|#define mp_clear_multi               ltc_deinit_multi
  ------------------
  116|    633|ERR_BUF:
  117|       |#ifdef LTC_CLEAN_STACK
  118|       |   zeromem(buf, ECC_MAXSIZE);
  119|       |#endif
  120|    633|   XFREE(buf);   /* NOTE(review): buf holds the bytes the private scalar was read from; the zeromem above exists only under LTC_CLEAN_STACK and carries no execution count in this report, so unless m_free_direct (not shown) wipes, those bytes return to the allocator intact -- consider wiping unconditionally */
  ------------------
  |  |   17|    633|#define XFREE m_free_direct
  ------------------
  121|    633|   return err;
  122|    633|}

ltc_ecc_is_valid_idx:
   29|    852|{  /* Return 1 when n is -1 or a valid index into ltc_ecc_sets, otherwise 0. */
   30|    852|   int x;
   31|       |
   32|  3.40k|   for (x = 0; ltc_ecc_sets[x].size != 0; x++);   /* empty body: count the entries; the table ends at the first entry whose size is 0 */
  ------------------
  |  Branch (32:16): [True: 2.55k, False: 852]
  ------------------
   33|       |   /* -1 is a valid index --- indicating that the domain params were supplied by the user */
   34|    852|   if ((n >= -1) && (n < x)) {
  ------------------
  |  Branch (34:8): [True: 852, False: 0]
  |  Branch (34:21): [True: 852, False: 0]
  ------------------
   35|    852|      return 1;
   36|    852|   }
   37|      0|   return 0;
   38|    852|}

ltc_ecc_map:
   32|    742|{  /* Map point P to affine coordinates in place: x <- x/z^2, y <- y/z^3, z <- 1, all mod modulus.
               * mp is the Montgomery reduction state handed to mp_montgomery_reduce.
               * Returns CRYPT_OK or the first error reported by a bignum call.
               * NOTE(review): P is modified step by step, so after an error (for example mp_invmod failing
               * because z has no inverse) P may be left partially updated -- callers should not use P
               * unless the return value is CRYPT_OK. */
   33|    742|   void *t1, *t2;
   34|    742|   int   err;
   35|       |
   36|    742|   LTC_ARGCHK(P       != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
   37|    742|   LTC_ARGCHK(modulus != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
   38|    742|   LTC_ARGCHK(mp      != NULL);
  ------------------
  |  |   32|    742|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 742]
  |  |  |  Branch (32:87): [Folded, False: 742]
  |  |  ------------------
  ------------------
   39|       |
   40|    742|   if ((err = mp_init_multi(&t1, &t2, NULL)) != CRYPT_OK) {
  ------------------
  |  |  517|    742|#define mp_init_multi                ltc_init_multi
  ------------------
  |  Branch (40:8): [True: 0, False: 742]
  ------------------
   41|      0|      return err;
   42|      0|   }
   43|       |
   44|       |   /* first map z back to normal (presumably out of Montgomery form -- the inverse below is taken on the reduced value) */
   45|    742|   if ((err = mp_montgomery_reduce(P->z, modulus, mp)) != CRYPT_OK)           { goto done; }
  ------------------
  |  |  565|    742|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (45:8): [True: 0, False: 742]
  ------------------
   46|       |
   47|       |   /* get 1/z into t1 */
   48|    742|   if ((err = mp_invmod(P->z, modulus, t1)) != CRYPT_OK)                      { goto done; }
  ------------------
  |  |  561|    742|#define mp_invmod(a, b, c)           ltc_mp.invmod(a, b, c)
  ------------------
  |  Branch (48:8): [True: 0, False: 742]
  ------------------
   49|       |
   50|       |   /* get 1/z^2 (left in t2) and 1/z^3 (left in t1) */
   51|    742|   if ((err = mp_sqr(t1, t2)) != CRYPT_OK)                                    { goto done; }
  ------------------
  |  |  549|    742|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (51:8): [True: 0, False: 742]
  ------------------
   52|    742|   if ((err = mp_mod(t2, modulus, t2)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  552|    742|#define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)
  ------------------
  |  Branch (52:8): [True: 0, False: 742]
  ------------------
   53|    742|   if ((err = mp_mul(t1, t2, t1)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  547|    742|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (53:8): [True: 0, False: 742]
  ------------------
   54|    742|   if ((err = mp_mod(t1, modulus, t1)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  552|    742|#define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)
  ------------------
  |  Branch (54:8): [True: 0, False: 742]
  ------------------
   55|       |
   56|       |   /* multiply against x/y: x *= 1/z^2, y *= 1/z^3, each followed by a Montgomery reduction */
   57|    742|   if ((err = mp_mul(P->x, t2, P->x)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  547|    742|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (57:8): [True: 0, False: 742]
  ------------------
   58|    742|   if ((err = mp_montgomery_reduce(P->x, modulus, mp)) != CRYPT_OK)           { goto done; }
  ------------------
  |  |  565|    742|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (58:8): [True: 0, False: 742]
  ------------------
   59|    742|   if ((err = mp_mul(P->y, t1, P->y)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  547|    742|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (59:8): [True: 0, False: 742]
  ------------------
   60|    742|   if ((err = mp_montgomery_reduce(P->y, modulus, mp)) != CRYPT_OK)           { goto done; }
  ------------------
  |  |  565|    742|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (60:8): [True: 0, False: 742]
  ------------------
   61|    742|   if ((err = mp_set(P->z, 1)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  526|    742|#define mp_set(a, b)                 ltc_mp.set_int(a, b)
  ------------------
  |  Branch (61:8): [True: 0, False: 742]
  ------------------
   62|       |
   63|    742|   err = CRYPT_OK;
   64|    742|done:   /* single exit: the temporaries are released on success and on every error path */
   65|    742|   mp_clear_multi(t1, t2, NULL);
  ------------------
  |  |  519|    742|#define mp_clear_multi               ltc_deinit_multi
  ------------------
   66|    742|   return err;
   67|    742|}

ltc_ecc_mul2add:
   39|     44|{  /* Compute C = kA*A + kB*B on the curve with the given modulus, scanning both scalars together.
               * A 16-entry table precomp[i + 4*j] = i*A + j*B (i, j in 0..3; entry 0 is allocated but never
               * written or read) is built from Montgomery-converted copies of A and B. Each step takes two
               * bits of kA and two of kB, doubles C twice and adds the selected table entry; the result is
               * mapped back to affine with ltc_ecc_map. Returns CRYPT_OK or an error code.
               * NOTE(review): the table index and the skip/add branches depend on the scalar bits, so this
               * routine is not constant-time in kA/kB; presumably it is only used with public scalars
               * (e.g. signature verification) -- confirm against the callers. */
   40|     44|  ecc_point     *precomp[16];
   41|     44|  unsigned       bitbufA, bitbufB, lenA, lenB, len, x, y, nA, nB, nibble;
   42|     44|  unsigned char *tA, *tB;
   43|     44|  int            err, first;
   44|     44|  void          *mp, *mu;
   45|       |
   46|       |  /* argchks */
   47|     44|  LTC_ARGCHK(A       != NULL);
  ------------------
  |  |   32|     44|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 44]
  |  |  |  Branch (32:87): [Folded, False: 44]
  |  |  ------------------
  ------------------
   48|     44|  LTC_ARGCHK(B       != NULL);
  ------------------
  |  |   32|     44|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 44]
  |  |  |  Branch (32:87): [Folded, False: 44]
  |  |  ------------------
  ------------------
   49|     44|  LTC_ARGCHK(C       != NULL);
  ------------------
  |  |   32|     44|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 44]
  |  |  |  Branch (32:87): [Folded, False: 44]
  |  |  ------------------
  ------------------
   50|     44|  LTC_ARGCHK(kA      != NULL);
  ------------------
  |  |   32|     44|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 44]
  |  |  |  Branch (32:87): [Folded, False: 44]
  |  |  ------------------
  ------------------
   51|     44|  LTC_ARGCHK(kB      != NULL);
  ------------------
  |  |   32|     44|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 44]
  |  |  |  Branch (32:87): [Folded, False: 44]
  |  |  ------------------
  ------------------
   52|     44|  LTC_ARGCHK(modulus != NULL);
  ------------------
  |  |   32|     44|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 44]
  |  |  |  Branch (32:87): [Folded, False: 44]
  |  |  ------------------
  ------------------
   53|       |
   54|       |  /* allocate memory: two zero-filled ECC_BUF_SIZE buffers that will hold the scalar bytes */
   55|     44|  tA = XCALLOC(1, ECC_BUF_SIZE);
  ------------------
  |  |   19|     44|#define XCALLOC m_calloc
  ------------------
                tA = XCALLOC(1, ECC_BUF_SIZE);
  ------------------
  |  |  246|     44|#define ECC_BUF_SIZE 256
  ------------------
   56|     44|  if (tA == NULL) {
  ------------------
  |  Branch (56:7): [True: 0, False: 44]
  ------------------
   57|      0|     return CRYPT_MEM;
   58|      0|  }
   59|     44|  tB = XCALLOC(1, ECC_BUF_SIZE);
  ------------------
  |  |   19|     44|#define XCALLOC m_calloc
  ------------------
                tB = XCALLOC(1, ECC_BUF_SIZE);
  ------------------
  |  |  246|     44|#define ECC_BUF_SIZE 256
  ------------------
   60|     44|  if (tB == NULL) {
  ------------------
  |  Branch (60:7): [True: 0, False: 44]
  ------------------
   61|      0|     XFREE(tA);
  ------------------
  |  |   17|      0|#define XFREE m_free_direct
  ------------------
   62|      0|     return CRYPT_MEM;
   63|      0|  }
   64|       |
   65|       |  /* get sizes: byte lengths of both scalars; len is the longer of the two */
   66|     44|  lenA = mp_unsigned_bin_size(kA);
  ------------------
  |  |  539|     44|#define mp_unsigned_bin_size(a)      ltc_mp.unsigned_size(a)
  ------------------
   67|     44|  lenB = mp_unsigned_bin_size(kB);
  ------------------
  |  |  539|     44|#define mp_unsigned_bin_size(a)      ltc_mp.unsigned_size(a)
  ------------------
   68|     44|  len  = MAX(lenA, lenB);
  ------------------
  |  |  421|     44|   #define MAX(x, y) ( ((x)>(y))?(x):(y) )
  |  |  ------------------
  |  |  |  Branch (421:24): [True: 29, False: 15]
  |  |  ------------------
  ------------------
   69|       |
   70|       |  /* sanity check: both scalars must fit the ECC_BUF_SIZE buffers; done before anything is written into tA/tB */
   71|     44|  if ((lenA > ECC_BUF_SIZE) || (lenB > ECC_BUF_SIZE)) {
  ------------------
  |  |  246|     44|#define ECC_BUF_SIZE 256
  ------------------
                if ((lenA > ECC_BUF_SIZE) || (lenB > ECC_BUF_SIZE)) {
  ------------------
  |  |  246|     44|#define ECC_BUF_SIZE 256
  ------------------
  |  Branch (71:7): [True: 0, False: 44]
  |  Branch (71:32): [True: 0, False: 44]
  ------------------
   72|      0|     err = CRYPT_INVALID_ARG;
   73|      0|     goto ERR_T;
   74|      0|  }
   75|       |
   76|       |  /* extract and justify kA: written at offset len - lenA so the shorter scalar keeps leading zero bytes from the calloc */
   77|     44|  mp_to_unsigned_bin(kA, (len - lenA) + tA);
  ------------------
  |  |  540|     44|#define mp_to_unsigned_bin(a, b)     ltc_mp.unsigned_write(a, b)
  ------------------
   78|       |
   79|       |  /* extract and justify kB (same alignment, so byte x of tA and tB carry the same weight) */
   80|     44|  mp_to_unsigned_bin(kB, (len - lenB) + tB);
  ------------------
  |  |  540|     44|#define mp_to_unsigned_bin(a, b)     ltc_mp.unsigned_write(a, b)
  ------------------
   81|       |
   82|       |  /* allocate the table; on failure the points allocated so far are freed here and the jump goes to ERR_T, past ERR_P's loop over all 16 entries */
   83|    748|  for (x = 0; x < 16; x++) {
  ------------------
  |  Branch (83:15): [True: 704, False: 44]
  ------------------
   84|    704|     precomp[x] = ltc_ecc_new_point();
   85|    704|     if (precomp[x] == NULL) {
  ------------------
  |  Branch (85:10): [True: 0, False: 704]
  ------------------
   86|      0|         for (y = 0; y < x; ++y) {
  ------------------
  |  Branch (86:22): [True: 0, False: 0]
  ------------------
   87|      0|            ltc_ecc_del_point(precomp[y]);
   88|      0|         }
   89|      0|         err = CRYPT_MEM;
   90|      0|         goto ERR_T;
   91|      0|     }
   92|    704|  }
   93|       |
   94|       |  /* init montgomery reduction; the error labels below unwind in reverse order of these three steps */
   95|     44|  if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) {
  ------------------
  |  |  563|     44|#define mp_montgomery_setup(a, b)    ltc_mp.montgomery_setup(a, b)
  ------------------
  |  Branch (95:7): [True: 0, False: 44]
  ------------------
   96|      0|      goto ERR_P;
   97|      0|  }
   98|     44|  if ((err = mp_init(&mu)) != CRYPT_OK) {
  ------------------
  |  |  516|     44|#define mp_init(a)                   ltc_mp.init(a)
  ------------------
  |  Branch (98:7): [True: 0, False: 44]
  ------------------
   99|      0|      goto ERR_MP;
  100|      0|  }
  101|     44|  if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) {
  ------------------
  |  |  564|     44|#define mp_montgomery_normalization(a, b) ltc_mp.montgomery_normalization(a, b)
  ------------------
  |  Branch (101:7): [True: 0, False: 44]
  ------------------
  102|      0|      goto ERR_MU;
  103|      0|  }
  104|       |
  105|       |  /* copy ones ...: precomp[1] = A and precomp[4] = B, each coordinate multiplied by mu mod modulus */
  106|     44|  if ((err = mp_mulmod(A->x, mu, modulus, precomp[1]->x)) != CRYPT_OK)                                         { goto ERR_MU; }
  ------------------
  |  |  559|     44|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (106:7): [True: 0, False: 44]
  ------------------
  107|     44|  if ((err = mp_mulmod(A->y, mu, modulus, precomp[1]->y)) != CRYPT_OK)                                         { goto ERR_MU; }
  ------------------
  |  |  559|     44|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (107:7): [True: 0, False: 44]
  ------------------
  108|     44|  if ((err = mp_mulmod(A->z, mu, modulus, precomp[1]->z)) != CRYPT_OK)                                         { goto ERR_MU; }
  ------------------
  |  |  559|     44|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (108:7): [True: 0, False: 44]
  ------------------
  109|       |
  110|     44|  if ((err = mp_mulmod(B->x, mu, modulus, precomp[1<<2]->x)) != CRYPT_OK)                                      { goto ERR_MU; }
  ------------------
  |  |  559|     44|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (110:7): [True: 0, False: 44]
  ------------------
  111|     44|  if ((err = mp_mulmod(B->y, mu, modulus, precomp[1<<2]->y)) != CRYPT_OK)                                      { goto ERR_MU; }
  ------------------
  |  |  559|     44|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (111:7): [True: 0, False: 44]
  ------------------
  112|     44|  if ((err = mp_mulmod(B->z, mu, modulus, precomp[1<<2]->z)) != CRYPT_OK)                                      { goto ERR_MU; }
  ------------------
  |  |  559|     44|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (112:7): [True: 0, False: 44]
  ------------------
  113|       |
  114|       |  /* precomp [i,0](A + B) table: precomp[2] = 2A, precomp[3] = A + 2A */
  115|     44|  if ((err = ltc_mp.ecc_ptdbl(precomp[1], precomp[2], modulus, mp)) != CRYPT_OK)                               { goto ERR_MU; }
  ------------------
  |  Branch (115:7): [True: 0, False: 44]
  ------------------
  116|     44|  if ((err = ltc_mp.ecc_ptadd(precomp[1], precomp[2], precomp[3], modulus, mp)) != CRYPT_OK)                   { goto ERR_MU; }
  ------------------
  |  Branch (116:7): [True: 0, False: 44]
  ------------------
  117|       |
  118|       |  /* precomp [0,i](A + B) table: precomp[8] = 2B, precomp[12] = B + 2B */
  119|     44|  if ((err = ltc_mp.ecc_ptdbl(precomp[1<<2], precomp[2<<2], modulus, mp)) != CRYPT_OK)                         { goto ERR_MU; }
  ------------------
  |  Branch (119:7): [True: 0, False: 44]
  ------------------
  120|     44|  if ((err = ltc_mp.ecc_ptadd(precomp[1<<2], precomp[2<<2], precomp[3<<2], modulus, mp)) != CRYPT_OK)          { goto ERR_MU; }
  ------------------
  |  Branch (120:7): [True: 0, False: 44]
  ------------------
  121|       |
  122|       |  /* precomp [i,j](A + B) table (i != 0, j != 0): the nine mixed entries x*A + y*B */
  123|    176|  for (x = 1; x < 4; x++) {
  ------------------
  |  Branch (123:15): [True: 132, False: 44]
  ------------------
  124|    528|     for (y = 1; y < 4; y++) {
  ------------------
  |  Branch (124:18): [True: 396, False: 132]
  ------------------
  125|    396|        if ((err = ltc_mp.ecc_ptadd(precomp[x], precomp[(y<<2)], precomp[x+(y<<2)], modulus, mp)) != CRYPT_OK) { goto ERR_MU; }
  ------------------
  |  Branch (125:13): [True: 0, False: 396]
  ------------------
  126|    396|     }
  127|    132|  }
  128|       |
  129|     44|  nibble  = 3;   /* counts the 2-bit groups taken from the current byte; starting at 3 makes the first ++nibble hit 4 and fetch byte 0 */
  130|     44|  first   = 1;   /* stays 1 until the first non-zero bit pair has been copied into C */
  131|     44|  bitbufA = tA[0];
  132|     44|  bitbufB = tB[0];
  133|       |
  134|       |  /* for every byte of the multiplicands; x is the index of the next byte to load. NOTE(review): if len is 0 (presumably both scalars zero) the loop breaks at once, C is never assigned and ltc_ecc_map below runs on the caller's C -- confirm callers exclude this */
  135|  11.5k|  for (x = 0;; ) {
  136|       |     /* grab a nibble: after four 2-bit groups load the next byte of each scalar, or stop once all len bytes are consumed */
  137|  11.5k|     if (++nibble == 4) {
  ------------------
  |  Branch (137:10): [True: 2.92k, False: 8.64k]
  ------------------
  138|  2.92k|        if (x == len) break;
  ------------------
  |  Branch (138:13): [True: 44, False: 2.88k]
  ------------------
  139|  2.88k|        bitbufA = tA[x];
  140|  2.88k|        bitbufB = tB[x];
  141|  2.88k|        nibble  = 0;
  142|  2.88k|        ++x;
  143|  2.88k|     }
  144|       |
  145|       |     /* extract two bits from both, shift/update: the top two bits of each buffer are taken, then the buffer moves left by two within 8 bits */
  146|  11.5k|     nA = (bitbufA >> 6) & 0x03;
  147|  11.5k|     nB = (bitbufB >> 6) & 0x03;
  148|  11.5k|     bitbufA = (bitbufA << 2) & 0xFF;
  149|  11.5k|     bitbufB = (bitbufB << 2) & 0xFF;
  150|       |
  151|       |     /* if both zero, if first, continue: skip leading zero bit pairs while C is still unset */
  152|  11.5k|     if ((nA == 0) && (nB == 0) && (first == 1)) {
  ------------------
  |  Branch (152:10): [True: 3.02k, False: 8.50k]
  |  Branch (152:23): [True: 1.58k, False: 1.43k]
  |  Branch (152:36): [True: 75, False: 1.51k]
  ------------------
  153|     75|        continue;
  154|     75|     }
  155|       |
  156|       |     /* double twice, only if this isn't the first */
  157|  11.4k|     if (first == 0) {
  ------------------
  |  Branch (157:10): [True: 11.4k, False: 44]
  ------------------
  158|       |        /* double twice: C = 4*C, making room for the next two scalar bits */
  159|  11.4k|        if ((err = ltc_mp.ecc_ptdbl(C, C, modulus, mp)) != CRYPT_OK)                  { goto ERR_MU; }
  ------------------
  |  Branch (159:13): [True: 0, False: 11.4k]
  ------------------
  160|  11.4k|        if ((err = ltc_mp.ecc_ptdbl(C, C, modulus, mp)) != CRYPT_OK)                  { goto ERR_MU; }
  ------------------
  |  Branch (160:13): [True: 0, False: 11.4k]
  ------------------
  161|  11.4k|     }
  162|       |
  163|       |     /* if not both zero: the table index nA + (nB<<2) is never 0 here, so the unset entry precomp[0] is not read */
  164|  11.4k|     if ((nA != 0) || (nB != 0)) {
  ------------------
  |  Branch (164:10): [True: 8.50k, False: 2.94k]
  |  Branch (164:23): [True: 1.43k, False: 1.51k]
  ------------------
  165|  9.93k|        if (first == 1) {
  ------------------
  |  Branch (165:13): [True: 44, False: 9.88k]
  ------------------
  166|       |           /* if first, copy from table */
  167|     44|           first = 0;
  168|     44|           if ((err = mp_copy(precomp[nA + (nB<<2)]->x, C->x)) != CRYPT_OK)           { goto ERR_MU; }
  ------------------
  |  |  524|     44|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (168:16): [True: 0, False: 44]
  ------------------
  169|     44|           if ((err = mp_copy(precomp[nA + (nB<<2)]->y, C->y)) != CRYPT_OK)           { goto ERR_MU; }
  ------------------
  |  |  524|     44|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (169:16): [True: 0, False: 44]
  ------------------
  170|     44|           if ((err = mp_copy(precomp[nA + (nB<<2)]->z, C->z)) != CRYPT_OK)           { goto ERR_MU; }
  ------------------
  |  |  524|     44|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (170:16): [True: 0, False: 44]
  ------------------
  171|  9.88k|        } else {
  172|       |           /* if not first, add from table */
  173|  9.88k|           if ((err = ltc_mp.ecc_ptadd(C, precomp[nA + (nB<<2)], C, modulus, mp)) != CRYPT_OK) { goto ERR_MU; }
  ------------------
  |  Branch (173:16): [True: 0, False: 9.88k]
  ------------------
  174|  9.88k|        }
  175|  9.93k|     }
  176|  11.4k|  }
  177|       |
  178|       |  /* reduce to affine; this call's result is the function's return value on the success path */
  179|     44|  err = ltc_ecc_map(C, modulus, mp);
  180|       |
  181|       |  /* clean up: success falls through every label; each error label releases only what was set up before the failing step */
  182|     44|ERR_MU:
  183|     44|   mp_clear(mu);
  ------------------
  |  |  518|     44|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
  184|     44|ERR_MP:
  185|     44|   mp_montgomery_free(mp);
  ------------------
  |  |  566|     44|#define mp_montgomery_free(a)        ltc_mp.montgomery_deinit(a)
  ------------------
  186|     44|ERR_P:
  187|    748|   for (x = 0; x < 16; x++) {
  ------------------
  |  Branch (187:16): [True: 704, False: 44]
  ------------------
  188|    704|       ltc_ecc_del_point(precomp[x]);
  189|    704|   }
  190|     44|ERR_T:
  191|       |#ifdef LTC_CLEAN_STACK
  192|       |   zeromem(tA, ECC_BUF_SIZE);
  193|       |   zeromem(tB, ECC_BUF_SIZE);
  194|       |#endif
  195|     44|   XFREE(tA);   /* NOTE(review): tA and tB hold copies of the scalars and are wiped before free only under LTC_CLEAN_STACK (the zeromem lines above carry no execution count in this report) -- matters only if a caller ever passes a secret scalar; confirm */
  ------------------
  |  |   17|     44|#define XFREE m_free_direct
  ------------------
  196|     44|   XFREE(tB);
  ------------------
  |  |   17|     44|#define XFREE m_free_direct
  ------------------
  197|       |
  198|     44|   return err;
  199|     44|}

ltc_ecc_mulmod:
   36|    698|{
   37|    698|   ecc_point *tG, *M[3];
   38|    698|   int        i, j, err;
   39|    698|   void       *mu, *mp;
   40|    698|   ltc_mp_digit buf;
   41|    698|   int        bitcnt, mode, digidx;
   42|       |
   43|    698|   LTC_ARGCHK(k       != NULL);
  ------------------
  |  |   32|    698|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 698]
  |  |  |  Branch (32:87): [Folded, False: 698]
  |  |  ------------------
  ------------------
   44|    698|   LTC_ARGCHK(G       != NULL);
  ------------------
  |  |   32|    698|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 698]
  |  |  |  Branch (32:87): [Folded, False: 698]
  |  |  ------------------
  ------------------
   45|    698|   LTC_ARGCHK(R       != NULL);
  ------------------
  |  |   32|    698|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 698]
  |  |  |  Branch (32:87): [Folded, False: 698]
  |  |  ------------------
  ------------------
   46|    698|   LTC_ARGCHK(modulus != NULL);
  ------------------
  |  |   32|    698|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 698]
  |  |  |  Branch (32:87): [Folded, False: 698]
  |  |  ------------------
  ------------------
   47|       |
   48|       |   /* init montgomery reduction */
   49|    698|   if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) {
  ------------------
  |  |  563|    698|#define mp_montgomery_setup(a, b)    ltc_mp.montgomery_setup(a, b)
  ------------------
  |  Branch (49:8): [True: 0, False: 698]
  ------------------
   50|      0|      return err;
   51|      0|   }
   52|    698|   if ((err = mp_init(&mu)) != CRYPT_OK) {
  ------------------
  |  |  516|    698|#define mp_init(a)                   ltc_mp.init(a)
  ------------------
  |  Branch (52:8): [True: 0, False: 698]
  ------------------
   53|      0|      mp_montgomery_free(mp);
  ------------------
  |  |  566|      0|#define mp_montgomery_free(a)        ltc_mp.montgomery_deinit(a)
  ------------------
   54|      0|      return err;
   55|      0|   }
   56|    698|   if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) {
  ------------------
  |  |  564|    698|#define mp_montgomery_normalization(a, b) ltc_mp.montgomery_normalization(a, b)
  ------------------
  |  Branch (56:8): [True: 0, False: 698]
  ------------------
   57|      0|      mp_clear(mu);
  ------------------
  |  |  518|      0|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
   58|      0|      mp_montgomery_free(mp);
  ------------------
  |  |  566|      0|#define mp_montgomery_free(a)        ltc_mp.montgomery_deinit(a)
  ------------------
   59|      0|      return err;
   60|      0|   }
   61|       |
   62|       |   /* alloc ram for window temps */
   63|  2.79k|   for (i = 0; i < 3; i++) {
  ------------------
  |  Branch (63:16): [True: 2.09k, False: 698]
  ------------------
   64|  2.09k|      M[i] = ltc_ecc_new_point();
   65|  2.09k|      if (M[i] == NULL) {
  ------------------
  |  Branch (65:11): [True: 0, False: 2.09k]
  ------------------
   66|      0|         for (j = 0; j < i; j++) {
  ------------------
  |  Branch (66:22): [True: 0, False: 0]
  ------------------
   67|      0|             ltc_ecc_del_point(M[j]);
   68|      0|         }
   69|      0|         mp_clear(mu);
  ------------------
  |  |  518|      0|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
   70|      0|         mp_montgomery_free(mp);
  ------------------
  |  |  566|      0|#define mp_montgomery_free(a)        ltc_mp.montgomery_deinit(a)
  ------------------
   71|      0|         return CRYPT_MEM;
   72|      0|      }
   73|  2.09k|   }
   74|       |
   75|       |   /* make a copy of G incase R==G */
   76|    698|   tG = ltc_ecc_new_point();
   77|    698|   if (tG == NULL)                                                                   { err = CRYPT_MEM; goto done; }
  ------------------
  |  Branch (77:8): [True: 0, False: 698]
  ------------------
   78|       |
   79|       |   /* tG = G  and convert to montgomery */
   80|    698|   if ((err = mp_mulmod(G->x, mu, modulus, tG->x)) != CRYPT_OK)                      { goto done; }
  ------------------
  |  |  559|    698|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (80:8): [True: 0, False: 698]
  ------------------
   81|    698|   if ((err = mp_mulmod(G->y, mu, modulus, tG->y)) != CRYPT_OK)                      { goto done; }
  ------------------
  |  |  559|    698|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (81:8): [True: 0, False: 698]
  ------------------
   82|    698|   if ((err = mp_mulmod(G->z, mu, modulus, tG->z)) != CRYPT_OK)                      { goto done; }
  ------------------
  |  |  559|    698|#define mp_mulmod(a, b, c, d)        ltc_mp.mulmod(a, b, c, d)
  ------------------
  |  Branch (82:8): [True: 0, False: 698]
  ------------------
   83|    698|   mp_clear(mu);
  ------------------
  |  |  518|    698|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
   84|    698|   mu = NULL;
   85|       |
   86|       |   /* calc the M tab */
   87|       |   /* M[0] == G */
   88|    698|   if ((err = mp_copy(tG->x, M[0]->x)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  524|    698|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (88:8): [True: 0, False: 698]
  ------------------
   89|    698|   if ((err = mp_copy(tG->y, M[0]->y)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  524|    698|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (89:8): [True: 0, False: 698]
  ------------------
   90|    698|   if ((err = mp_copy(tG->z, M[0]->z)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  524|    698|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (90:8): [True: 0, False: 698]
  ------------------
   91|       |   /* M[1] == 2G */
   92|    698|   if ((err = ltc_mp.ecc_ptdbl(tG, M[1], modulus, mp)) != CRYPT_OK)                  { goto done; }
  ------------------
  |  Branch (92:8): [True: 0, False: 698]
  ------------------
   93|       |
   94|       |   /* setup sliding window */
   95|    698|   mode   = 0;
   96|    698|   bitcnt = 1;
   97|    698|   buf    = 0;
   98|    698|   digidx = mp_get_digit_count(k) - 1;
  ------------------
  |  |  530|    698|#define mp_get_digit_count(a)        ltc_mp.get_digit_count(a)
  ------------------
   99|       |
  100|       |   /* perform ops */
  101|   341k|   for (;;) {
  102|       |     /* grab next digit as required */
  103|   341k|      if (--bitcnt == 0) {
  ------------------
  |  Branch (103:11): [True: 6.38k, False: 335k]
  ------------------
  104|  6.38k|         if (digidx == -1) {
  ------------------
  |  Branch (104:14): [True: 698, False: 5.68k]
  ------------------
  105|    698|            break;
  106|    698|         }
  107|  5.68k|         buf    = mp_get_digit(k, digidx);
  ------------------
  |  |  529|  5.68k|#define mp_get_digit(a, n)           ltc_mp.get_digit(a, n)
  ------------------
  108|  5.68k|         bitcnt = (int) MP_DIGIT_BIT;
  ------------------
  |  |  513|  5.68k|#define MP_DIGIT_BIT                 ltc_mp.bits_per_digit
  ------------------
  109|  5.68k|         --digidx;
  110|  5.68k|      }
  111|       |
  112|       |      /* grab the next msb from the ltiplicand */
  113|   340k|      i = (buf >> (MP_DIGIT_BIT - 1)) & 1;
  ------------------
  |  |  513|   340k|#define MP_DIGIT_BIT                 ltc_mp.bits_per_digit
  ------------------
  114|   340k|      buf <<= 1;
  115|       |
  116|   340k|      if (mode == 0 && i == 0) {
  ------------------
  |  Branch (116:11): [True: 18.3k, False: 322k]
  |  Branch (116:24): [True: 17.6k, False: 698]
  ------------------
  117|       |         /* dummy operations */
  118|  17.6k|         if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK)    { goto done; }
  ------------------
  |  Branch (118:14): [True: 0, False: 17.6k]
  ------------------
  119|  17.6k|         if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], modulus, mp)) != CRYPT_OK)          { goto done; }
  ------------------
  |  Branch (119:14): [True: 0, False: 17.6k]
  ------------------
  120|  17.6k|         continue;
  121|  17.6k|      }
  122|       |
  123|   323k|      if (mode == 0 && i == 1) {
  ------------------
  |  Branch (123:11): [True: 698, False: 322k]
  |  Branch (123:24): [True: 698, False: 0]
  ------------------
  124|    698|         mode = 1;
  125|       |         /* dummy operations */
  126|    698|         if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK)    { goto done; }
  ------------------
  |  Branch (126:14): [True: 0, False: 698]
  ------------------
  127|    698|         if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], modulus, mp)) != CRYPT_OK)          { goto done; }
  ------------------
  |  Branch (127:14): [True: 0, False: 698]
  ------------------
  128|    698|         continue;
  129|    698|      }
  130|       |
  131|   322k|      if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[i^1], modulus, mp)) != CRYPT_OK)     { goto done; }
  ------------------
  |  Branch (131:11): [True: 0, False: 322k]
  ------------------
  132|   322k|      if ((err = ltc_mp.ecc_ptdbl(M[i], M[i], modulus, mp)) != CRYPT_OK)             { goto done; }
  ------------------
  |  Branch (132:11): [True: 0, False: 322k]
  ------------------
  133|   322k|   }
  134|       |
  135|       |   /* copy result out */
  136|    698|   if ((err = mp_copy(M[0]->x, R->x)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|    698|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (136:8): [True: 0, False: 698]
  ------------------
  137|    698|   if ((err = mp_copy(M[0]->y, R->y)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|    698|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (137:8): [True: 0, False: 698]
  ------------------
  138|    698|   if ((err = mp_copy(M[0]->z, R->z)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|    698|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (138:8): [True: 0, False: 698]
  ------------------
  139|       |
  140|       |   /* map R back from projective space */
  141|    698|   if (map) {
  ------------------
  |  Branch (141:8): [True: 698, False: 0]
  ------------------
  142|    698|      err = ltc_ecc_map(R, modulus, mp);
  143|    698|   } else {
  144|      0|      err = CRYPT_OK;
  145|      0|   }
  146|    698|done:
  147|    698|   if (mu != NULL) {
  ------------------
  |  Branch (147:8): [True: 0, False: 698]
  ------------------
  148|      0|      mp_clear(mu);
  ------------------
  |  |  518|      0|#define mp_clear(a)                  ltc_mp.deinit(a)
  ------------------
  149|      0|   }
  150|    698|   mp_montgomery_free(mp);
  ------------------
  |  |  566|    698|#define mp_montgomery_free(a)        ltc_mp.montgomery_deinit(a)
  ------------------
  151|    698|   ltc_ecc_del_point(tG);
  152|  2.79k|   for (i = 0; i < 3; i++) {
  ------------------
  |  Branch (152:16): [True: 2.09k, False: 698]
  ------------------
  153|  2.09k|       ltc_ecc_del_point(M[i]);
  154|  2.09k|   }
  155|    698|   return err;
  156|    698|}

ltc_ecc_new_point:
   29|  4.37k|{ /* Allocates one ecc_point and initialises its x, y and z bignums; returns the point, or NULL if either step fails. */
   30|  4.37k|   ecc_point *p;
   31|  4.37k|   p = XCALLOC(1, sizeof(*p)); /* calloc-style allocation; XCALLOC maps to m_calloc in this build */
  ------------------
  |  |   19|  4.37k|#define XCALLOC m_calloc
  ------------------
   32|  4.37k|   if (p == NULL) {
  ------------------
  |  Branch (32:8): [True: 0, False: 4.37k]
  ------------------
   33|      0|      return NULL;
   34|      0|   }
   35|  4.37k|   if (mp_init_multi(&p->x, &p->y, &p->z, NULL) != CRYPT_OK) { /* trailing NULL presumably terminates the argument list - confirm in ltc_init_multi */
  ------------------
  |  |  517|  4.37k|#define mp_init_multi                ltc_init_multi
  ------------------
  |  Branch (35:8): [True: 0, False: 4.37k]
  ------------------
   36|      0|      XFREE(p); /* free the struct so a failed bignum init does not leak it */
  ------------------
  |  |   17|      0|#define XFREE m_free_direct
  ------------------
   37|      0|      return NULL;
   38|      0|   }
   39|  4.37k|   return p; /* ownership passes to the caller; ltc_ecc_del_point is the matching release */
   40|  4.37k|}
ltc_ecc_del_point:
   46|  4.36k|{ /* Releases a point: clears its x, y and z bignums, then frees the struct itself. A NULL p is ignored. */
   47|       |   /* NULL guard: a NULL point is skipped rather than dereferenced */
   48|  4.36k|   if (p != NULL) {
  ------------------
  |  Branch (48:8): [True: 4.36k, False: 0]
  ------------------
   49|  4.36k|      mp_clear_multi(p->x, p->y, p->z, NULL); /* note: p->z may be NULL, which this function accepts. NOTE(review): the trailing NULL looks like the list terminator, so a NULL x or y would presumably end the clear early and leave later members uncleared - confirm in ltc_deinit_multi */
  ------------------
  |  |  519|  4.36k|#define mp_clear_multi               ltc_deinit_multi
  ------------------
   50|  4.36k|      XFREE(p); /* p is dangling after this call; the caller must not use it again */
  ------------------
  |  |   17|  4.36k|#define XFREE m_free_direct
  ------------------
   51|  4.36k|   }
   52|  4.36k|}

ltc_ecc_projective_add_point:
   34|   351k|{
   35|   351k|   void  *t1, *t2, *x, *y, *z;
   36|   351k|   int    err;
   37|       |
   38|   351k|   LTC_ARGCHK(P       != NULL);
  ------------------
  |  |   32|   351k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 351k]
  |  |  |  Branch (32:87): [Folded, False: 351k]
  |  |  ------------------
  ------------------
   39|   351k|   LTC_ARGCHK(Q       != NULL);
  ------------------
  |  |   32|   351k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 351k]
  |  |  |  Branch (32:87): [Folded, False: 351k]
  |  |  ------------------
  ------------------
   40|   351k|   LTC_ARGCHK(R       != NULL);
  ------------------
  |  |   32|   351k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 351k]
  |  |  |  Branch (32:87): [Folded, False: 351k]
  |  |  ------------------
  ------------------
   41|   351k|   LTC_ARGCHK(modulus != NULL);
  ------------------
  |  |   32|   351k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 351k]
  |  |  |  Branch (32:87): [Folded, False: 351k]
  |  |  ------------------
  ------------------
   42|   351k|   LTC_ARGCHK(mp      != NULL);
  ------------------
  |  |   32|   351k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 351k]
  |  |  |  Branch (32:87): [Folded, False: 351k]
  |  |  ------------------
  ------------------
   43|       |
   44|   351k|   if ((err = mp_init_multi(&t1, &t2, &x, &y, &z, NULL)) != CRYPT_OK) {
  ------------------
  |  |  517|   351k|#define mp_init_multi                ltc_init_multi
  ------------------
  |  Branch (44:8): [True: 0, False: 351k]
  ------------------
   45|      0|      return err;
   46|      0|   }
   47|       |
   48|       |   /* should we dbl instead? */
   49|   351k|   if ((err = mp_sub(modulus, Q->y, t1)) != CRYPT_OK)                          { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (49:8): [True: 0, False: 351k]
  ------------------
   50|       |
   51|   351k|   if ( (mp_cmp(P->x, Q->x) == LTC_MP_EQ) &&
  ------------------
  |  |  531|   351k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if ( (mp_cmp(P->x, Q->x) == LTC_MP_EQ) &&
  ------------------
  |  |   13|   351k|#define LTC_MP_EQ    0
  ------------------
  |  Branch (51:9): [True: 0, False: 351k]
  ------------------
   52|      0|        (Q->z != NULL && mp_cmp(P->z, Q->z) == LTC_MP_EQ) &&
  ------------------
  |  |  531|      0|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                      (Q->z != NULL && mp_cmp(P->z, Q->z) == LTC_MP_EQ) &&
  ------------------
  |  |   13|      0|#define LTC_MP_EQ    0
  ------------------
  |  Branch (52:10): [True: 0, False: 0]
  |  Branch (52:26): [True: 0, False: 0]
  ------------------
   53|      0|        (mp_cmp(P->y, Q->y) == LTC_MP_EQ || mp_cmp(P->y, t1) == LTC_MP_EQ)) {
  ------------------
  |  |  531|      0|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                      (mp_cmp(P->y, Q->y) == LTC_MP_EQ || mp_cmp(P->y, t1) == LTC_MP_EQ)) {
  ------------------
  |  |   13|      0|#define LTC_MP_EQ    0
  ------------------
                      (mp_cmp(P->y, Q->y) == LTC_MP_EQ || mp_cmp(P->y, t1) == LTC_MP_EQ)) {
  ------------------
  |  |  531|      0|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                      (mp_cmp(P->y, Q->y) == LTC_MP_EQ || mp_cmp(P->y, t1) == LTC_MP_EQ)) {
  ------------------
  |  |   13|      0|#define LTC_MP_EQ    0
  ------------------
  |  Branch (53:10): [True: 0, False: 0]
  |  Branch (53:45): [True: 0, False: 0]
  ------------------
   54|      0|        mp_clear_multi(t1, t2, x, y, z, NULL);
  ------------------
  |  |  519|      0|#define mp_clear_multi               ltc_deinit_multi
  ------------------
   55|      0|        return ltc_ecc_projective_dbl_point(P, R, modulus, mp);
   56|      0|   }
   57|       |
   58|   351k|   if ((err = mp_copy(P->x, x)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|   351k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (58:8): [True: 0, False: 351k]
  ------------------
   59|   351k|   if ((err = mp_copy(P->y, y)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|   351k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (59:8): [True: 0, False: 351k]
  ------------------
   60|   351k|   if ((err = mp_copy(P->z, z)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|   351k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (60:8): [True: 0, False: 351k]
  ------------------
   61|       |
   62|       |   /* if Z is one then these are no-operations */
   63|   351k|   if (Q->z != NULL) {
  ------------------
  |  Branch (63:8): [True: 351k, False: 0]
  ------------------
   64|       |      /* T1 = Z' * Z' */
   65|   351k|      if ((err = mp_sqr(Q->z, t1)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  549|   351k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (65:11): [True: 0, False: 351k]
  ------------------
   66|   351k|      if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)           { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (66:11): [True: 0, False: 351k]
  ------------------
   67|       |      /* X = X * T1 */
   68|   351k|      if ((err = mp_mul(t1, x, x)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (68:11): [True: 0, False: 351k]
  ------------------
   69|   351k|      if ((err = mp_montgomery_reduce(x, modulus, mp)) != CRYPT_OK)            { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (69:11): [True: 0, False: 351k]
  ------------------
   70|       |      /* T1 = Z' * T1 */
   71|   351k|      if ((err = mp_mul(Q->z, t1, t1)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (71:11): [True: 0, False: 351k]
  ------------------
   72|   351k|      if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)           { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (72:11): [True: 0, False: 351k]
  ------------------
   73|       |      /* Y = Y * T1 */
   74|   351k|      if ((err = mp_mul(t1, y, y)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (74:11): [True: 0, False: 351k]
  ------------------
   75|   351k|      if ((err = mp_montgomery_reduce(y, modulus, mp)) != CRYPT_OK)            { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (75:11): [True: 0, False: 351k]
  ------------------
   76|   351k|   }
   77|       |
   78|       |   /* T1 = Z*Z */
   79|   351k|   if ((err = mp_sqr(z, t1)) != CRYPT_OK)                                      { goto done; }
  ------------------
  |  |  549|   351k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (79:8): [True: 0, False: 351k]
  ------------------
   80|   351k|   if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (80:8): [True: 0, False: 351k]
  ------------------
   81|       |   /* T2 = X' * T1 */
   82|   351k|   if ((err = mp_mul(Q->x, t1, t2)) != CRYPT_OK)                               { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (82:8): [True: 0, False: 351k]
  ------------------
   83|   351k|   if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (83:8): [True: 0, False: 351k]
  ------------------
   84|       |   /* T1 = Z * T1 */
   85|   351k|   if ((err = mp_mul(z, t1, t1)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (85:8): [True: 0, False: 351k]
  ------------------
   86|   351k|   if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (86:8): [True: 0, False: 351k]
  ------------------
   87|       |   /* T1 = Y' * T1 */
   88|   351k|   if ((err = mp_mul(Q->y, t1, t1)) != CRYPT_OK)                               { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (88:8): [True: 0, False: 351k]
  ------------------
   89|   351k|   if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (89:8): [True: 0, False: 351k]
  ------------------
   90|       |
   91|       |   /* Y = Y - T1 */
   92|   351k|   if ((err = mp_sub(y, t1, y)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (92:8): [True: 0, False: 351k]
  ------------------
   93|   351k|   if (mp_cmp_d(y, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   351k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(y, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (93:8): [True: 164k, False: 187k]
  ------------------
   94|   164k|      if ((err = mp_add(y, modulus, y)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  543|   164k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (94:11): [True: 0, False: 164k]
  ------------------
   95|   164k|   }
   96|       |   /* T1 = 2T1 */
   97|   351k|   if ((err = mp_add(t1, t1, t1)) != CRYPT_OK)                                 { goto done; }
  ------------------
  |  |  543|   351k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (97:8): [True: 0, False: 351k]
  ------------------
   98|   351k|   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   351k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (98:8): [True: 173k, False: 177k]
  ------------------
   99|   173k|      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
  ------------------
  |  |  545|   173k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (99:11): [True: 0, False: 173k]
  ------------------
  100|   173k|   }
  101|       |   /* T1 = Y + T1 */
  102|   351k|   if ((err = mp_add(t1, y, t1)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  543|   351k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (102:8): [True: 0, False: 351k]
  ------------------
  103|   351k|   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   351k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (103:8): [True: 170k, False: 180k]
  ------------------
  104|   170k|      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
  ------------------
  |  |  545|   170k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (104:11): [True: 0, False: 170k]
  ------------------
  105|   170k|   }
  106|       |   /* X = X - T2 */
  107|   351k|   if ((err = mp_sub(x, t2, x)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (107:8): [True: 0, False: 351k]
  ------------------
  108|   351k|   if (mp_cmp_d(x, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   351k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(x, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (108:8): [True: 181k, False: 169k]
  ------------------
  109|   181k|      if ((err = mp_add(x, modulus, x)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  543|   181k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (109:11): [True: 0, False: 181k]
  ------------------
  110|   181k|   }
  111|       |   /* T2 = 2T2 */
  112|   351k|   if ((err = mp_add(t2, t2, t2)) != CRYPT_OK)                                 { goto done; }
  ------------------
  |  |  543|   351k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (112:8): [True: 0, False: 351k]
  ------------------
  113|   351k|   if (mp_cmp(t2, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   351k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t2, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (113:8): [True: 169k, False: 182k]
  ------------------
  114|   169k|      if ((err = mp_sub(t2, modulus, t2)) != CRYPT_OK)                         { goto done; }
  ------------------
  |  |  545|   169k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (114:11): [True: 0, False: 169k]
  ------------------
  115|   169k|   }
  116|       |   /* T2 = X + T2 */
  117|   351k|   if ((err = mp_add(t2, x, t2)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  543|   351k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (117:8): [True: 0, False: 351k]
  ------------------
  118|   351k|   if (mp_cmp(t2, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   351k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t2, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (118:8): [True: 180k, False: 171k]
  ------------------
  119|   180k|      if ((err = mp_sub(t2, modulus, t2)) != CRYPT_OK)                         { goto done; }
  ------------------
  |  |  545|   180k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (119:11): [True: 0, False: 180k]
  ------------------
  120|   180k|   }
  121|       |
  122|       |   /* if Z' != 1 */
  123|   351k|   if (Q->z != NULL) {
  ------------------
  |  Branch (123:8): [True: 351k, False: 0]
  ------------------
  124|       |      /* Z = Z * Z' */
  125|   351k|      if ((err = mp_mul(z, Q->z, z)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (125:11): [True: 0, False: 351k]
  ------------------
  126|   351k|      if ((err = mp_montgomery_reduce(z, modulus, mp)) != CRYPT_OK)            { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (126:11): [True: 0, False: 351k]
  ------------------
  127|   351k|   }
  128|       |
  129|       |   /* Z = Z * X */
  130|   351k|   if ((err = mp_mul(z, x, z)) != CRYPT_OK)                                    { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (130:8): [True: 0, False: 351k]
  ------------------
  131|   351k|   if ((err = mp_montgomery_reduce(z, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (131:8): [True: 0, False: 351k]
  ------------------
  132|       |
  133|       |   /* T1 = T1 * X  */
  134|   351k|   if ((err = mp_mul(t1, x, t1)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (134:8): [True: 0, False: 351k]
  ------------------
  135|   351k|   if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (135:8): [True: 0, False: 351k]
  ------------------
  136|       |   /* X = X * X */
  137|   351k|   if ((err = mp_sqr(x, x)) != CRYPT_OK)                                       { goto done; }
  ------------------
  |  |  549|   351k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (137:8): [True: 0, False: 351k]
  ------------------
  138|   351k|   if ((err = mp_montgomery_reduce(x, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (138:8): [True: 0, False: 351k]
  ------------------
  139|       |   /* T2 = T2 * x */
  140|   351k|   if ((err = mp_mul(t2, x, t2)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (140:8): [True: 0, False: 351k]
  ------------------
  141|   351k|   if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (141:8): [True: 0, False: 351k]
  ------------------
  142|       |   /* T1 = T1 * X  */
  143|   351k|   if ((err = mp_mul(t1, x, t1)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (143:8): [True: 0, False: 351k]
  ------------------
  144|   351k|   if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (144:8): [True: 0, False: 351k]
  ------------------
  145|       |
  146|       |   /* X = Y*Y */
  147|   351k|   if ((err = mp_sqr(y, x)) != CRYPT_OK)                                       { goto done; }
  ------------------
  |  |  549|   351k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (147:8): [True: 0, False: 351k]
  ------------------
  148|   351k|   if ((err = mp_montgomery_reduce(x, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (148:8): [True: 0, False: 351k]
  ------------------
  149|       |   /* X = X - T2 */
  150|   351k|   if ((err = mp_sub(x, t2, x)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (150:8): [True: 0, False: 351k]
  ------------------
  151|   351k|   if (mp_cmp_d(x, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   351k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(x, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (151:8): [True: 176k, False: 174k]
  ------------------
  152|   176k|      if ((err = mp_add(x, modulus, x)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  543|   176k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (152:11): [True: 0, False: 176k]
  ------------------
  153|   176k|   }
  154|       |
  155|       |   /* T2 = T2 - X */
  156|   351k|   if ((err = mp_sub(t2, x, t2)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (156:8): [True: 0, False: 351k]
  ------------------
  157|   351k|   if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   351k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (157:8): [True: 184k, False: 166k]
  ------------------
  158|   184k|      if ((err = mp_add(t2, modulus, t2)) != CRYPT_OK)                         { goto done; }
  ------------------
  |  |  543|   184k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (158:11): [True: 0, False: 184k]
  ------------------
  159|   184k|   }
  160|       |   /* T2 = T2 - X */
  161|   351k|   if ((err = mp_sub(t2, x, t2)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (161:8): [True: 0, False: 351k]
  ------------------
  162|   351k|   if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   351k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (162:8): [True: 178k, False: 172k]
  ------------------
  163|   178k|      if ((err = mp_add(t2, modulus, t2)) != CRYPT_OK)                         { goto done; }
  ------------------
  |  |  543|   178k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (163:11): [True: 0, False: 178k]
  ------------------
  164|   178k|   }
  165|       |   /* T2 = T2 * Y */
  166|   351k|   if ((err = mp_mul(t2, y, t2)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  547|   351k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (166:8): [True: 0, False: 351k]
  ------------------
  167|   351k|   if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)              { goto done; }
  ------------------
  |  |  565|   351k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (167:8): [True: 0, False: 351k]
  ------------------
  168|       |   /* Y = T2 - T1 */
  169|   351k|   if ((err = mp_sub(t2, t1, y)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  545|   351k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (169:8): [True: 0, False: 351k]
  ------------------
  170|   351k|   if (mp_cmp_d(y, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   351k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(y, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   351k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (170:8): [True: 184k, False: 167k]
  ------------------
  171|   184k|      if ((err = mp_add(y, modulus, y)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  543|   184k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (171:11): [True: 0, False: 184k]
  ------------------
  172|   184k|   }
  173|       |   /* Y = Y/2 */
  174|   351k|   if (mp_isodd(y)) {
  ------------------
  |  |  572|   351k|#define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |  530|   351k|#define mp_get_digit_count(a)        ltc_mp.get_digit_count(a)
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |  529|   351k|#define mp_get_digit(a, n)           ltc_mp.get_digit(a, n)
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |   17|   174k|#define LTC_MP_YES   1
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |   16|   177k|#define LTC_MP_NO    0
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |   16|      0|#define LTC_MP_NO    0
  |  |  ------------------
  |  |  |  Branch (572:38): [True: 174k, False: 177k]
  |  |  |  Branch (572:39): [True: 351k, False: 0]
  |  |  |  Branch (572:68): [True: 174k, False: 177k]
  |  |  ------------------
  ------------------
  175|   174k|      if ((err = mp_add(y, modulus, y)) != CRYPT_OK)                           { goto done; }
  ------------------
  |  |  543|   174k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (175:11): [True: 0, False: 174k]
  ------------------
  176|   174k|   }
  177|   351k|   if ((err = mp_div_2(y, y)) != CRYPT_OK)                                     { goto done; }
  ------------------
  |  |  551|   351k|#define mp_div_2(a, b)               ltc_mp.div_2(a, b)
  ------------------
  |  Branch (177:8): [True: 0, False: 351k]
  ------------------
  178|       |
  179|   351k|   if ((err = mp_copy(x, R->x)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|   351k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (179:8): [True: 0, False: 351k]
  ------------------
  180|   351k|   if ((err = mp_copy(y, R->y)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|   351k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (180:8): [True: 0, False: 351k]
  ------------------
  181|   351k|   if ((err = mp_copy(z, R->z)) != CRYPT_OK)                                   { goto done; }
  ------------------
  |  |  524|   351k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (181:8): [True: 0, False: 351k]
  ------------------
  182|       |
  183|   351k|   err = CRYPT_OK;
  184|   351k|done:
  185|   351k|   mp_clear_multi(t1, t2, x, y, z, NULL);
  ------------------
  |  |  519|   351k|#define mp_clear_multi               ltc_deinit_multi
  ------------------
  186|   351k|   return err;
  187|   351k|}

ltc_ecc_projective_dbl_point:
   33|   364k|{
   34|   364k|   void *t1, *t2;
   35|   364k|   int   err;
   36|       |
   37|   364k|   LTC_ARGCHK(P       != NULL);
  ------------------
  |  |   32|   364k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 364k]
  |  |  |  Branch (32:87): [Folded, False: 364k]
  |  |  ------------------
  ------------------
   38|   364k|   LTC_ARGCHK(R       != NULL);
  ------------------
  |  |   32|   364k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 364k]
  |  |  |  Branch (32:87): [Folded, False: 364k]
  |  |  ------------------
  ------------------
   39|   364k|   LTC_ARGCHK(modulus != NULL);
  ------------------
  |  |   32|   364k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 364k]
  |  |  |  Branch (32:87): [Folded, False: 364k]
  |  |  ------------------
  ------------------
   40|   364k|   LTC_ARGCHK(mp      != NULL);
  ------------------
  |  |   32|   364k|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 364k]
  |  |  |  Branch (32:87): [Folded, False: 364k]
  |  |  ------------------
  ------------------
   41|       |
   42|   364k|   if ((err = mp_init_multi(&t1, &t2, NULL)) != CRYPT_OK) {
  ------------------
  |  |  517|   364k|#define mp_init_multi                ltc_init_multi
  ------------------
  |  Branch (42:8): [True: 0, False: 364k]
  ------------------
   43|      0|      return err;
   44|      0|   }
   45|       |
   46|   364k|   if (P != R) {
  ------------------
  |  Branch (46:8): [True: 19.1k, False: 345k]
  ------------------
   47|  19.1k|      if ((err = mp_copy(P->x, R->x)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  524|  19.1k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (47:11): [True: 0, False: 19.1k]
  ------------------
   48|  19.1k|      if ((err = mp_copy(P->y, R->y)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  524|  19.1k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (48:11): [True: 0, False: 19.1k]
  ------------------
   49|  19.1k|      if ((err = mp_copy(P->z, R->z)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  524|  19.1k|#define mp_copy(a, b)                ltc_mp.copy(a, b)
  ------------------
  |  Branch (49:11): [True: 0, False: 19.1k]
  ------------------
   50|  19.1k|   }
   51|       |
   52|       |   /* t1 = Z * Z */
   53|   364k|   if ((err = mp_sqr(R->z, t1)) != CRYPT_OK)                                      { goto done; }
  ------------------
  |  |  549|   364k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (53:8): [True: 0, False: 364k]
  ------------------
   54|   364k|   if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)                 { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (54:8): [True: 0, False: 364k]
  ------------------
   55|       |   /* Z = Y * Z */
   56|   364k|   if ((err = mp_mul(R->z, R->y, R->z)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  547|   364k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (56:8): [True: 0, False: 364k]
  ------------------
   57|   364k|   if ((err = mp_montgomery_reduce(R->z, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (57:8): [True: 0, False: 364k]
  ------------------
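   58|       |   /* Z = 2Z; the modulus is subtracted again when Z >= modulus. NOTE(review): that correction branches on the value, so this step is not constant-time -- confirm whether it matters for callers that handle secret scalars */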
   59|   364k|   if ((err = mp_add(R->z, R->z, R->z)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  543|   364k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (59:8): [True: 0, False: 364k]
  ------------------
   60|   364k|   if (mp_cmp(R->z, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   364k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(R->z, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (60:8): [True: 181k, False: 183k]
  ------------------
   61|   181k|      if ((err = mp_sub(R->z, modulus, R->z)) != CRYPT_OK)                        { goto done; }
  ------------------
  |  |  545|   181k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (61:11): [True: 0, False: 181k]
  ------------------
   62|   181k|   }
   63|       |
   64|       |   /* T2 = X - T1 */
   65|   364k|   if ((err = mp_sub(R->x, t1, t2)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  545|   364k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (65:8): [True: 0, False: 364k]
  ------------------
   66|   364k|   if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   364k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (66:8): [True: 175k, False: 188k]
  ------------------
   67|   175k|      if ((err = mp_add(t2, modulus, t2)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  543|   175k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (67:11): [True: 0, False: 175k]
  ------------------
   68|   175k|   }
   69|       |   /* T1 = X + T1 */
   70|   364k|   if ((err = mp_add(t1, R->x, t1)) != CRYPT_OK)                                  { goto done; }
  ------------------
  |  |  543|   364k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (70:8): [True: 0, False: 364k]
  ------------------
   71|   364k|   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   364k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (71:8): [True: 174k, False: 189k]
  ------------------
   72|   174k|      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  545|   174k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (72:11): [True: 0, False: 174k]
  ------------------
   73|   174k|   }
   74|       |   /* T2 = T1 * T2 */
   75|   364k|   if ((err = mp_mul(t1, t2, t2)) != CRYPT_OK)                                    { goto done; }
  ------------------
  |  |  547|   364k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (75:8): [True: 0, False: 364k]
  ------------------
   76|   364k|   if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)                 { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (76:8): [True: 0, False: 364k]
  ------------------
   77|       |   /* T1 = 2T2 */
   78|   364k|   if ((err = mp_add(t2, t2, t1)) != CRYPT_OK)                                    { goto done; }
  ------------------
  |  |  543|   364k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (78:8): [True: 0, False: 364k]
  ------------------
   79|   364k|   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   364k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (79:8): [True: 182k, False: 182k]
  ------------------
   80|   182k|      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  545|   182k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (80:11): [True: 0, False: 182k]
  ------------------
   81|   182k|   }
   82|       |   /* T1 = T1 + T2 */
   83|   364k|   if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                    { goto done; }
  ------------------
  |  |  543|   364k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (83:8): [True: 0, False: 364k]
  ------------------
   84|   364k|   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   364k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(t1, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (84:8): [True: 172k, False: 192k]
  ------------------
   85|   172k|      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  545|   172k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (85:11): [True: 0, False: 172k]
  ------------------
   86|   172k|   }
   87|       |
   88|       |   /* Y = 2Y */
   89|   364k|   if ((err = mp_add(R->y, R->y, R->y)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  543|   364k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (89:8): [True: 0, False: 364k]
  ------------------
   90|   364k|   if (mp_cmp(R->y, modulus) != LTC_MP_LT) {
  ------------------
  |  |  531|   364k|#define mp_cmp(a, b)                 ltc_mp.compare(a, b)
  ------------------
                 if (mp_cmp(R->y, modulus) != LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (90:8): [True: 182k, False: 181k]
  ------------------
   91|   182k|      if ((err = mp_sub(R->y, modulus, R->y)) != CRYPT_OK)                        { goto done; }
  ------------------
  |  |  545|   182k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (91:11): [True: 0, False: 182k]
  ------------------
   92|   182k|   }
   93|       |   /* Y = Y * Y */
   94|   364k|   if ((err = mp_sqr(R->y, R->y)) != CRYPT_OK)                                    { goto done; }
  ------------------
  |  |  549|   364k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (94:8): [True: 0, False: 364k]
  ------------------
   95|   364k|   if ((err = mp_montgomery_reduce(R->y, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (95:8): [True: 0, False: 364k]
  ------------------
   96|       |   /* T2 = Y * Y */
   97|   364k|   if ((err = mp_sqr(R->y, t2)) != CRYPT_OK)                                      { goto done; }
  ------------------
  |  |  549|   364k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (97:8): [True: 0, False: 364k]
  ------------------
   98|   364k|   if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)                 { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (98:8): [True: 0, False: 364k]
  ------------------
   99|       |   /* T2 = T2/2: when T2 is odd the modulus is added first, then the value is halved */
  100|   364k|   if (mp_isodd(t2)) {
  ------------------
  |  |  572|   364k|#define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |  530|   364k|#define mp_get_digit_count(a)        ltc_mp.get_digit_count(a)
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |  529|   364k|#define mp_get_digit(a, n)           ltc_mp.get_digit(a, n)
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |   17|   170k|#define LTC_MP_YES   1
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |   16|   194k|#define LTC_MP_NO    0
  |  |  ------------------
  |  |               #define mp_isodd(a)                  (mp_get_digit_count(a) > 0 ? (mp_get_digit(a, 0) & 1 ? LTC_MP_YES : LTC_MP_NO) : LTC_MP_NO)
  |  |  ------------------
  |  |  |  |   16|      0|#define LTC_MP_NO    0
  |  |  ------------------
  |  |  |  Branch (572:38): [True: 170k, False: 194k]
  |  |  |  Branch (572:39): [True: 364k, False: 0]
  |  |  |  Branch (572:68): [True: 170k, False: 194k]
  |  |  ------------------
  ------------------
  101|   170k|      if ((err = mp_add(t2, modulus, t2)) != CRYPT_OK)                            { goto done; }
  ------------------
  |  |  543|   170k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (101:11): [True: 0, False: 170k]
  ------------------
  102|   170k|   }
  103|   364k|   if ((err = mp_div_2(t2, t2)) != CRYPT_OK)                                      { goto done; }
  ------------------
  |  |  551|   364k|#define mp_div_2(a, b)               ltc_mp.div_2(a, b)
  ------------------
  |  Branch (103:8): [True: 0, False: 364k]
  ------------------
  104|       |   /* Y = Y * X */
  105|   364k|   if ((err = mp_mul(R->y, R->x, R->y)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  547|   364k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (105:8): [True: 0, False: 364k]
  ------------------
  106|   364k|   if ((err = mp_montgomery_reduce(R->y, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (106:8): [True: 0, False: 364k]
  ------------------
  107|       |
  108|       |   /* X  = T1 * T1 */
  109|   364k|   if ((err = mp_sqr(t1, R->x)) != CRYPT_OK)                                      { goto done; }
  ------------------
  |  |  549|   364k|#define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
  ------------------
  |  Branch (109:8): [True: 0, False: 364k]
  ------------------
  110|   364k|   if ((err = mp_montgomery_reduce(R->x, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (110:8): [True: 0, False: 364k]
  ------------------
  111|       |   /* X = X - Y */
  112|   364k|   if ((err = mp_sub(R->x, R->y, R->x)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  545|   364k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (112:8): [True: 0, False: 364k]
  ------------------
  113|   364k|   if (mp_cmp_d(R->x, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   364k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(R->x, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (113:8): [True: 173k, False: 191k]
  ------------------
  114|   173k|      if ((err = mp_add(R->x, modulus, R->x)) != CRYPT_OK)                        { goto done; }
  ------------------
  |  |  543|   173k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (114:11): [True: 0, False: 173k]
  ------------------
  115|   173k|   }
  116|       |   /* X = X - Y (second time, so X = T1*T1 - 2Y mod modulus overall) */
  117|   364k|   if ((err = mp_sub(R->x, R->y, R->x)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  545|   364k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (117:8): [True: 0, False: 364k]
  ------------------
  118|   364k|   if (mp_cmp_d(R->x, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   364k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(R->x, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (118:8): [True: 175k, False: 189k]
  ------------------
  119|   175k|      if ((err = mp_add(R->x, modulus, R->x)) != CRYPT_OK)                        { goto done; }
  ------------------
  |  |  543|   175k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (119:11): [True: 0, False: 175k]
  ------------------
  120|   175k|   }
  121|       |
  122|       |   /* Y = Y - X */
  123|   364k|   if ((err = mp_sub(R->y, R->x, R->y)) != CRYPT_OK)                              { goto done; }
  ------------------
  |  |  545|   364k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (123:8): [True: 0, False: 364k]
  ------------------
  124|   364k|   if (mp_cmp_d(R->y, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   364k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(R->y, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (124:8): [True: 187k, False: 176k]
  ------------------
  125|   187k|      if ((err = mp_add(R->y, modulus, R->y)) != CRYPT_OK)                        { goto done; }
  ------------------
  |  |  543|   187k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (125:11): [True: 0, False: 187k]
  ------------------
  126|   187k|   }
  127|       |   /* Y = Y * T1 */
  128|   364k|   if ((err = mp_mul(R->y, t1, R->y)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  547|   364k|#define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
  ------------------
  |  Branch (128:8): [True: 0, False: 364k]
  ------------------
  129|   364k|   if ((err = mp_montgomery_reduce(R->y, modulus, mp)) != CRYPT_OK)               { goto done; }
  ------------------
  |  |  565|   364k|#define mp_montgomery_reduce(a, b, c)   ltc_mp.montgomery_reduce(a, b, c)
  ------------------
  |  Branch (129:8): [True: 0, False: 364k]
  ------------------
  130|       |   /* Y = Y - T2 */
  131|   364k|   if ((err = mp_sub(R->y, t2, R->y)) != CRYPT_OK)                                { goto done; }
  ------------------
  |  |  545|   364k|#define mp_sub(a, b, c)              ltc_mp.sub(a, b, c)
  ------------------
  |  Branch (131:8): [True: 0, False: 364k]
  ------------------
  132|   364k|   if (mp_cmp_d(R->y, 0) == LTC_MP_LT) {
  ------------------
  |  |  532|   364k|#define mp_cmp_d(a, b)               ltc_mp.compare_d(a, b)
  ------------------
                 if (mp_cmp_d(R->y, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|   364k|#define LTC_MP_LT   -1
  ------------------
  |  Branch (132:8): [True: 177k, False: 187k]
  ------------------
  133|   177k|      if ((err = mp_add(R->y, modulus, R->y)) != CRYPT_OK)                        { goto done; }
  ------------------
  |  |  543|   177k|#define mp_add(a, b, c)              ltc_mp.add(a, b, c)
  ------------------
  |  Branch (133:11): [True: 0, False: 177k]
  ------------------
  134|   177k|   }
  135|       |
  136|   364k|   err = CRYPT_OK;
  137|   364k|done:
  138|   364k|   mp_clear_multi(t1, t2, NULL);
  ------------------
  |  |  519|   364k|#define mp_clear_multi               ltc_deinit_multi
  ------------------
  139|   364k|   return err;
  140|   364k|}

mp_2expt:
   12|  3.57k|{
   13|  3.57k|   mp_err    err;
   14|       |
   15|  3.57k|   if (b < 0) {
  ------------------
  |  Branch (15:8): [True: 0, False: 3.57k]
  ------------------
   16|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   17|      0|   }
   18|       |
   19|       |   /* zero a as per default */
   20|  3.57k|   mp_zero(a);
   21|       |
   22|       |   /* grow a to accommodate the single bit */
   23|  3.57k|   if ((err = mp_grow(a, (b / MP_DIGIT_BIT) + 1)) != MP_OKAY) {
  ------------------
  |  |   82|  3.57k|#   define MP_DIGIT_BIT 60
  ------------------
                 if ((err = mp_grow(a, (b / MP_DIGIT_BIT) + 1)) != MP_OKAY) {
  ------------------
  |  |  161|  3.57k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (23:8): [True: 0, False: 3.57k]
  ------------------
   24|      0|      return err;
   25|      0|   }
   26|       |
   27|       |   /* set the used count of where the bit will go */
   28|  3.57k|   a->used = (b / MP_DIGIT_BIT) + 1;
  ------------------
  |  |   82|  3.57k|#   define MP_DIGIT_BIT 60
  ------------------
   29|       |
   30|       |   /* put the single bit in its place */
   31|  3.57k|   a->dp[b / MP_DIGIT_BIT] = (mp_digit)1 << (mp_digit)(b % MP_DIGIT_BIT);
  ------------------
  |  |   82|  3.57k|#   define MP_DIGIT_BIT 60
  ------------------
                 a->dp[b / MP_DIGIT_BIT] = (mp_digit)1 << (mp_digit)(b % MP_DIGIT_BIT);
  ------------------
  |  |   82|  3.57k|#   define MP_DIGIT_BIT 60
  ------------------
   32|       |
   33|  3.57k|   return MP_OKAY;
  ------------------
  |  |  161|  3.57k|#define MP_OKAY       0   /* no error */
  ------------------
   34|  3.57k|}

mp_add:
    8|  5.54M|{
    9|  5.54M|   mp_sign sa, sb;
   10|  5.54M|   mp_err err;
   11|       |
   12|       |   /* get sign of both inputs */
   13|  5.54M|   sa = a->sign;
   14|  5.54M|   sb = b->sign;
   15|       |
   16|       |   /* handle two cases, not four */
   17|  5.54M|   if (sa == sb) {
  ------------------
  |  Branch (17:8): [True: 3.57M, False: 1.96M]
  ------------------
   18|       |      /* both positive or both negative */
   19|       |      /* add their magnitudes, copy the sign */
   20|  3.57M|      c->sign = sa;
   21|  3.57M|      err = s_mp_add(a, b, c);
   22|  3.57M|   } else {
   23|       |      /* one positive, the other negative */
   24|       |      /* subtract the one with the lesser magnitude from */
   25|       |      /* the one of the greater magnitude.  The result gets */
   26|       |      /* the sign of the one with the greater magnitude. */
   27|  1.96M|      if (mp_cmp_mag(a, b) == MP_LT) {
  ------------------
  |  |  154|  1.96M|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (27:11): [True: 1.96M, False: 334]
  ------------------
   28|  1.96M|         c->sign = sb;
   29|  1.96M|         err = s_mp_sub(b, a, c);
   30|  1.96M|      } else {
   31|    334|         c->sign = sa;
   32|    334|         err = s_mp_sub(a, b, c);
   33|    334|      }
   34|  1.96M|   }
   35|  5.54M|   return err;
   36|  5.54M|}

mp_add_d:
     8|   367k|{
                 /* Adds the single digit b to a and stores the result in c.
                  * Returns MP_OKAY, or the error from mp_grow / mp_sub_d.
                  * NOTE(review): in this coverage run the mp_grow path and both
                  * negative-a paths have a count of 0, so only the "a is positive,
                  * c already large enough" path was exercised. */
     9|   367k|   mp_err     err;
    10|   367k|   int ix, oldused;
    11|   367k|   mp_digit *tmpa, *tmpc;
    12|       |
    13|       |   /* grow c as required */
                 /* one digit more than a->used: the final carry is stored at index a->used */
    14|   367k|   if (c->alloc < (a->used + 1)) {
  ------------------
  |  Branch (14:8): [True: 0, False: 367k]
  ------------------
    15|      0|      if ((err = mp_grow(c, a->used + 1)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (15:11): [True: 0, False: 0]
  ------------------
    16|      0|         return err;
    17|      0|      }
    18|      0|   }
    19|       |
    20|       |   /* if a is negative and |a| >= b, call c = |a| - b */
    21|   367k|   if ((a->sign == MP_NEG) && ((a->used > 1) || (a->dp[0] >= b))) {
  ------------------
  |  |  152|   367k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (21:8): [True: 0, False: 367k]
  |  Branch (21:32): [True: 0, False: 0]
  |  Branch (21:49): [True: 0, False: 0]
  ------------------
                    /* struct copy only: a_ shares a's dp array, no digits are duplicated */
    22|      0|      mp_int a_ = *a;
    23|       |      /* temporarily fix sign of a */
    24|      0|      a_.sign = MP_ZPOS;
  ------------------
  |  |  151|      0|#define MP_ZPOS       0   /* positive integer */
  ------------------
    25|       |
    26|       |      /* c = |a| - b */
    27|      0|      err = mp_sub_d(&a_, b, c);
    28|       |
    29|       |      /* fix sign  */
                    /* the sign is set and c is clamped even when mp_sub_d reported an error */
    30|      0|      c->sign = MP_NEG;
  ------------------
  |  |  152|      0|#define MP_NEG        1   /* negative */
  ------------------
    31|       |
    32|       |      /* clamp */
    33|      0|      mp_clamp(c);
    34|       |
    35|      0|      return err;
    36|      0|   }
    37|       |
    38|       |   /* old number of used digits in c */
    39|   367k|   oldused = c->used;
    40|       |
    41|       |   /* source alias */
    42|   367k|   tmpa    = a->dp;
    43|       |
    44|       |   /* destination alias */
    45|   367k|   tmpc    = c->dp;
    46|       |
    47|       |   /* if a is positive */
    48|   367k|   if (a->sign == MP_ZPOS) {
  ------------------
  |  |  151|   367k|#define MP_ZPOS       0   /* positive integer */
  ------------------
  |  Branch (48:8): [True: 367k, False: 0]
  ------------------
    49|       |      /* add digits, mu is carry */
                    /* each sum is split: bits above MP_DIGIT_BIT become the next carry,
                     * the low MP_DIGIT_BIT bits stay in the digit */
    50|   367k|      mp_digit mu = b;
    51|  2.05M|      for (ix = 0; ix < a->used; ix++) {
  ------------------
  |  Branch (51:20): [True: 1.68M, False: 367k]
  ------------------
    52|  1.68M|         *tmpc   = *tmpa++ + mu;
    53|  1.68M|         mu      = *tmpc >> MP_DIGIT_BIT;
  ------------------
  |  |   82|  1.68M|#   define MP_DIGIT_BIT 60
  ------------------
    54|  1.68M|         *tmpc++ &= MP_MASK;
  ------------------
  |  |  106|  1.68M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  1.68M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
    55|  1.68M|      }
    56|       |      /* set final carry */
                    /* ix is bumped so that it counts the carry digit written here */
    57|   367k|      ix++;
    58|   367k|      *tmpc++  = mu;
    59|       |
    60|       |      /* setup size */
    61|   367k|      c->used = a->used + 1;
    62|   367k|   } else {
    63|       |      /* a was negative and |a| < b */
    64|      0|      c->used  = 1;
    65|       |
    66|       |      /* the result is a single digit */
    67|      0|      if (a->used == 1) {
  ------------------
  |  Branch (67:11): [True: 0, False: 0]
  ------------------
    68|      0|         *tmpc++  =  b - a->dp[0];
    69|      0|      } else {
    70|      0|         *tmpc++  =  b;
    71|      0|      }
    72|       |
    73|       |      /* setup count so the clearing of oldused
    74|       |       * can fall through correctly
    75|       |       */
    76|      0|      ix       = 1;
    77|      0|   }
    78|       |
    79|       |   /* sign always positive */
    80|   367k|   c->sign = MP_ZPOS;
  ------------------
  |  |  151|   367k|#define MP_ZPOS       0   /* positive integer */
  ------------------
    81|       |
    82|       |   /* now zero to oldused */
                 /* clears the digits c used before that the new value did not overwrite;
                  * a count of zero or less makes the macro loop a no-op */
    83|   367k|   MP_ZERO_DIGITS(tmpc, oldused - ix);
  ------------------
  |  |   89|   367k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|   367k|do {                                                    \
  |  |   91|   367k|   int zd_ = (digits);                                  \
  |  |   92|   367k|   mp_digit* zm_ = (mem);                               \
  |  |   93|   367k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 367k]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|   367k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 367k]
  |  |  ------------------
  ------------------
    84|   367k|   mp_clamp(c);
    85|       |
    86|   367k|   return MP_OKAY;
  ------------------
  |  |  161|   367k|#define MP_OKAY       0   /* no error */
  ------------------
    87|   367k|}

mp_clamp:
    14|  72.8M|{
                 /* Normalises a: lowers a->used past any zero most-significant digits and
                  * forces the sign to MP_ZPOS when the value is zero. No digits are
                  * written and nothing is freed. */
    15|       |   /* decrease used while the most significant digit is
    16|       |    * zero.
    17|       |    */
                 /* the used > 0 test comes first, so dp[used - 1] is never read at index -1 */
    18|   157M|   while ((a->used > 0) && (a->dp[a->used - 1] == 0u)) {
  ------------------
  |  Branch (18:11): [True: 157M, False: 136k]
  |  Branch (18:28): [True: 84.7M, False: 72.7M]
  ------------------
    19|  84.7M|      --(a->used);
    20|  84.7M|   }
    21|       |
    22|       |   /* reset the sign flag if used == 0 */
    23|  72.8M|   if (a->used == 0) {
  ------------------
  |  Branch (23:8): [True: 136k, False: 72.7M]
  ------------------
    24|   136k|      a->sign = MP_ZPOS;
  ------------------
  |  |  151|   136k|#define MP_ZPOS       0   /* positive integer */
  ------------------
    25|   136k|   }
    26|  72.8M|}

mp_clear:
     8|  2.75M|{
                 /* Releases a's digit buffer and resets the struct to an empty state.
                  * All a->alloc digits are overwritten with zero bytes before the buffer
                  * is passed to MP_FREE (m_free_ltm in this build), so the number's value
                  * is not left behind in freed memory.
                  * NOTE(review): the wipe is the plain store loop in the MP_ZERO_BUFFER
                  * expansion below. The counts show it ran in this instrumented build;
                  * whether an optimising build keeps stores that precede a free is not
                  * shown here - confirm for release builds. */
     9|       |   /* only do anything if a hasn't been freed previously */
                 /* dp is set to NULL at the end, so a second mp_clear on the same
                  * struct is a no-op rather than a double free */
    10|  2.75M|   if (a->dp != NULL) {
  ------------------
  |  Branch (10:8): [True: 2.75M, False: 0]
  ------------------
    11|       |      /* free ram */
    12|  2.75M|      MP_FREE_DIGITS(a->dp, a->alloc);
  ------------------
  |  |   58|  2.75M|#  define MP_FREE_DIGITS(mem, digits)                   \
  |  |   59|  2.75M|do {                                                    \
  |  |   60|  2.75M|   int fd_ = (digits);                                  \
  |  |   61|  2.75M|   void* fm_ = (mem);                                   \
  |  |   62|  2.75M|   if (fm_ != NULL) {                                   \
  |  |  ------------------
  |  |  |  Branch (62:8): [True: 2.75M, False: 0]
  |  |  ------------------
  |  |   63|  2.75M|      size_t fs_ = sizeof (mp_digit) * (size_t)fd_;     \
  |  |   64|  2.75M|      MP_ZERO_BUFFER(fm_, fs_);                         \
  |  |  ------------------
  |  |  |  |   81|  2.75M|#  define MP_ZERO_BUFFER(mem, size)                     \
  |  |  |  |   82|  2.75M|do {                                                    \
  |  |  |  |   83|  2.75M|   size_t zs_ = (size);                                 \
  |  |  |  |   84|  2.75M|   char* zm_ = (char*)(mem);                            \
  |  |  |  |   85|   745M|   while (zs_-- > 0u) {                                 \
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (85:11): [True: 742M, False: 2.75M]
  |  |  |  |  ------------------
  |  |  |  |   86|   742M|      *zm_++ = '\0';                                    \
  |  |  |  |   87|   742M|   }                                                    \
  |  |  |  |   88|  2.75M|} while (0)
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (88:10): [Folded, False: 2.75M]
  |  |  |  |  ------------------
  |  |  ------------------
  |  |   65|  2.75M|      MP_FREE(fm_, fs_);                                \
  |  |  ------------------
  |  |  |  | 1324|  2.75M|#define MP_FREE      m_free_ltm
  |  |  ------------------
  |  |   66|  2.75M|   }                                                    \
  |  |   67|  2.75M|} while (0)
  |  |  ------------------
  |  |  |  Branch (67:10): [Folded, False: 2.75M]
  |  |  ------------------
  ------------------
    13|       |
    14|       |      /* reset members to make debugging easier */
    15|  2.75M|      a->dp    = NULL;
    16|  2.75M|      a->alloc = a->used = 0;
    17|  2.75M|      a->sign  = MP_ZPOS;
  ------------------
  |  |  151|  2.75M|#define MP_ZPOS       0   /* positive integer */
  ------------------
    18|  2.75M|   }
    19|  2.75M|}

mp_clear_multi:
     9|  4.90k|{
                 /* Calls mp_clear on mp and then on every following variadic argument,
                  * stopping at the first NULL pointer. The argument list therefore has
                  * to end with a NULL of pointer type; without it va_arg keeps reading
                  * beyond the arguments the caller supplied. */
    10|  4.90k|   mp_int *next_mp = mp;
    11|  4.90k|   va_list args;
    12|  4.90k|   va_start(args, mp);
    13|  20.7k|   while (next_mp != NULL) {
  ------------------
  |  Branch (13:11): [True: 15.8k, False: 4.90k]
  ------------------
    14|  15.8k|      mp_clear(next_mp);
    15|  15.8k|      next_mp = va_arg(args, mp_int *);
    16|  15.8k|   }
    17|       |   va_end(args);
    18|  4.90k|}

mp_cmp:
     8|  3.94M|{
                 /* Signed comparison of a and b; returns MP_LT, MP_EQ or MP_GT.
                  * Different signs decide the result directly; equal signs defer to
                  * mp_cmp_mag, with the operands swapped when both are negative.
                  * NOTE(review): in this coverage run every call had two non-negative
                  * operands - the sign-mismatch and both-negative paths have count 0. */
     9|       |   /* compare based on sign */
    10|  3.94M|   if (a->sign != b->sign) {
  ------------------
  |  Branch (10:8): [True: 0, False: 3.94M]
  ------------------
    11|      0|      if (a->sign == MP_NEG) {
  ------------------
  |  |  152|      0|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (11:11): [True: 0, False: 0]
  ------------------
    12|      0|         return MP_LT;
  ------------------
  |  |  154|      0|#define MP_LT        -1   /* less than */
  ------------------
    13|      0|      } else {
    14|      0|         return MP_GT;
  ------------------
  |  |  156|      0|#define MP_GT         1   /* greater than */
  ------------------
    15|      0|      }
    16|      0|   }
    17|       |
    18|       |   /* compare digits */
    19|  3.94M|   if (a->sign == MP_NEG) {
  ------------------
  |  |  152|  3.94M|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (19:8): [True: 0, False: 3.94M]
  ------------------
    20|       |      /* if negative compare opposite direction */
    21|      0|      return mp_cmp_mag(b, a);
    22|  3.94M|   } else {
    23|  3.94M|      return mp_cmp_mag(a, b);
    24|  3.94M|   }
    25|  3.94M|}

mp_cmp_d:
     8|  3.96M|{
                 /* Compares a with the single digit b; returns MP_LT, MP_EQ or MP_GT.
                  * A negative a is always reported as less than b, and an a with more
                  * than one used digit as greater than b. */
     9|       |   /* compare based on sign */
    10|  3.96M|   if (a->sign == MP_NEG) {
  ------------------
  |  |  152|  3.96M|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (10:8): [True: 1.96M, False: 2.00M]
  ------------------
    11|  1.96M|      return MP_LT;
  ------------------
  |  |  154|  1.96M|#define MP_LT        -1   /* less than */
  ------------------
    12|  1.96M|   }
    13|       |
    14|       |   /* compare based on magnitude */
    15|  2.00M|   if (a->used > 1) {
  ------------------
  |  Branch (15:8): [True: 1.98M, False: 13.6k]
  ------------------
    16|  1.98M|      return MP_GT;
  ------------------
  |  |  156|  1.98M|#define MP_GT         1   /* greater than */
  ------------------
    17|  1.98M|   }
    18|       |
    19|       |   /* compare the only digit of a to b */
                 /* NOTE(review): dp[0] is also read when a->used == 0; this presumably
                  * relies on a zero value having an allocated dp with digit 0 cleared -
                  * confirm against the init/zero routines. */
    20|  13.6k|   if (a->dp[0] > b) {
  ------------------
  |  Branch (20:8): [True: 2.57k, False: 11.0k]
  ------------------
    21|  2.57k|      return MP_GT;
  ------------------
  |  |  156|  2.57k|#define MP_GT         1   /* greater than */
  ------------------
    22|  11.0k|   } else if (a->dp[0] < b) {
  ------------------
  |  Branch (22:15): [True: 5, False: 11.0k]
  ------------------
    23|      5|      return MP_LT;
  ------------------
  |  |  154|      5|#define MP_LT        -1   /* less than */
  ------------------
    24|  11.0k|   } else {
    25|  11.0k|      return MP_EQ;
  ------------------
  |  |  155|  11.0k|#define MP_EQ         0   /* equal to */
  ------------------
    26|  11.0k|   }
    27|  13.6k|}

mp_cmp_mag:
     8|  31.7M|{
                 /* Compares the magnitudes of a and b, ignoring sign; returns MP_GT,
                  * MP_LT or MP_EQ. The used counts are compared first, then the digits
                  * from most significant to least significant.
                  * The loop returns at the first differing digit, so the number of
                  * iterations depends on the operand values. NOTE(review): that only
                  * matters if callers pass secret values; not determinable from here. */
     9|  31.7M|   int     n;
    10|  31.7M|   const mp_digit *tmpa, *tmpb;
    11|       |
    12|       |   /* compare based on # of non-zero digits */
    13|  31.7M|   if (a->used > b->used) {
  ------------------
  |  Branch (13:8): [True: 5.43M, False: 26.3M]
  ------------------
    14|  5.43M|      return MP_GT;
  ------------------
  |  |  156|  5.43M|#define MP_GT         1   /* greater than */
  ------------------
    15|  5.43M|   }
    16|       |
    17|  26.3M|   if (a->used < b->used) {
  ------------------
  |  Branch (17:8): [True: 291k, False: 26.0M]
  ------------------
    18|   291k|      return MP_LT;
  ------------------
  |  |  154|   291k|#define MP_LT        -1   /* less than */
  ------------------
    19|   291k|   }
    20|       |
    21|       |   /* alias for a */
                 /* NOTE(review): when both used counts are 0 this computes dp - 1. The
                  * pointer is never dereferenced (the loop body does not run), but it
                  * lies outside the array as far as C pointer arithmetic is concerned. */
    22|  26.0M|   tmpa = a->dp + (a->used - 1);
    23|       |
    24|       |   /* alias for b */
                 /* a->used equals b->used here: both unequal cases returned above */
    25|  26.0M|   tmpb = b->dp + (a->used - 1);
    26|       |
    27|       |   /* compare based on digits  */
    28|  26.2M|   for (n = 0; n < a->used; ++n, --tmpa, --tmpb) {
  ------------------
  |  Branch (28:16): [True: 26.2M, False: 12.6k]
  ------------------
    29|  26.2M|      if (*tmpa > *tmpb) {
  ------------------
  |  Branch (29:11): [True: 6.52M, False: 19.7M]
  ------------------
    30|  6.52M|         return MP_GT;
  ------------------
  |  |  156|  6.52M|#define MP_GT         1   /* greater than */
  ------------------
    31|  6.52M|      }
    32|       |
    33|  19.7M|      if (*tmpa < *tmpb) {
  ------------------
  |  Branch (33:11): [True: 19.5M, False: 186k]
  ------------------
    34|  19.5M|         return MP_LT;
  ------------------
  |  |  154|  19.5M|#define MP_LT        -1   /* less than */
  ------------------
    35|  19.5M|      }
    36|  19.7M|   }
    37|  12.6k|   return MP_EQ;
  ------------------
  |  |  155|  12.6k|#define MP_EQ         0   /* equal to */
  ------------------
    38|  26.0M|}

mp_copy:
     8|  14.5M|{
                 /* Copies the value of a into b: digits, used count and sign.
                  * Returns MP_OKAY, or the error from mp_grow when b has to be enlarged
                  * and that fails (b is left untouched in that case). */
     9|  14.5M|   int n;
    10|  14.5M|   mp_digit *tmpa, *tmpb;
    11|  14.5M|   mp_err err;
    12|       |
    13|       |   /* if dst == src do nothing */
    14|  14.5M|   if (a == b) {
  ------------------
  |  Branch (14:8): [True: 6.70M, False: 7.85M]
  ------------------
    15|  6.70M|      return MP_OKAY;
  ------------------
  |  |  161|  6.70M|#define MP_OKAY       0   /* no error */
  ------------------
    16|  6.70M|   }
    17|       |
    18|       |   /* grow dest */
    19|  7.85M|   if (b->alloc < a->used) {
  ------------------
  |  Branch (19:8): [True: 6.39k, False: 7.84M]
  ------------------
    20|  6.39k|      if ((err = mp_grow(b, a->used)) != MP_OKAY) {
  ------------------
  |  |  161|  6.39k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (20:11): [True: 0, False: 6.39k]
  ------------------
    21|      0|         return err;
    22|      0|      }
    23|  6.39k|   }
    24|       |
    25|       |   /* zero b and copy the parameters over */
    26|       |   /* pointer aliases */
    27|       |
    28|       |   /* source */
    29|  7.85M|   tmpa = a->dp;
    30|       |
    31|       |   /* destination */
    32|  7.85M|   tmpb = b->dp;
    33|       |
    34|       |   /* copy all the digits */
    35|   174M|   for (n = 0; n < a->used; n++) {
  ------------------
  |  Branch (35:16): [True: 166M, False: 7.85M]
  ------------------
    36|   166M|      *tmpb++ = *tmpa++;
    37|   166M|   }
    38|       |
    39|       |   /* clear high digits */
                 /* only the digits b used before, above a->used, are zeroed; when b was
                  * the shorter number the count is not positive and the loop does not run */
    40|  7.85M|   MP_ZERO_DIGITS(tmpb, b->used - n);
  ------------------
  |  |   89|  7.85M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  7.85M|do {                                                    \
  |  |   91|  7.85M|   int zd_ = (digits);                                  \
  |  |   92|  7.85M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  7.85M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 1.18k, False: 7.85M]
  |  |  ------------------
  |  |   94|  1.18k|      *zm_++ = 0;                                       \
  |  |   95|  1.18k|   }                                                    \
  |  |   96|  7.85M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 7.85M]
  |  |  ------------------
  ------------------
    41|       |
    42|       |   /* copy used count and sign */
    43|  7.85M|   b->used = a->used;
    44|  7.85M|   b->sign = a->sign;
    45|  7.85M|   return MP_OKAY;
  ------------------
  |  |  161|  7.85M|#define MP_OKAY       0   /* no error */
  ------------------
    46|  7.85M|}

mp_count_bits:
     8|  44.7k|{
                 /* Returns the number of bits in the magnitude of a: MP_DIGIT_BIT for
                  * every digit below the top one plus the bit length of the top digit.
                  * Returns 0 when a is zero (used == 0). */
     9|  44.7k|   int     r;
    10|  44.7k|   mp_digit q;
    11|       |
    12|       |   /* shortcut */
    13|  44.7k|   if (MP_IS_ZERO(a)) {
  ------------------
  |  |  163|  44.7k|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 746, False: 43.9k]
  |  |  ------------------
  ------------------
    14|    746|      return 0;
    15|    746|   }
    16|       |
    17|       |   /* get number of digits and add that */
    18|  43.9k|   r = (a->used - 1) * MP_DIGIT_BIT;
  ------------------
  |  |   82|  43.9k|#   define MP_DIGIT_BIT 60
  ------------------
    19|       |
    20|       |   /* take the last digit and count the bits in it */
                 /* one shift per bit; if the top digit is 0 (an unclamped a) nothing is added */
    21|  43.9k|   q = a->dp[a->used - 1];
    22|   840k|   while (q > 0u) {
  ------------------
  |  Branch (22:11): [True: 796k, False: 43.9k]
  ------------------
    23|   796k|      ++r;
    24|   796k|      q >>= 1u;
    25|   796k|   }
    26|  43.9k|   return r;
    27|  44.7k|}

mp_div:
    87|  9.21k|{
                 /* Long division of a by b: the quotient goes to c and the remainder to d.
                  * Either output pointer may be NULL, in which case that result is not
                  * stored. Returns MP_VAL when b is zero, the error of the failing helper
                  * otherwise, and MP_OKAY on success.
                  * The five temporaries are released through the LBL_* chain at the end,
                  * in reverse order of initialisation, on success and on every error.
                  * NOTE(review): in this coverage run the zero-divisor return, the
                  * quotient clamp at line 170 and all error gotos have a count of 0. */
    88|  9.21k|   mp_int  q, x, y, t1, t2;
    89|  9.21k|   int     n, t, i, norm;
    90|  9.21k|   mp_sign neg;
    91|  9.21k|   mp_err  err;
    92|       |
    93|       |   /* is divisor zero ? */
    94|  9.21k|   if (MP_IS_ZERO(b)) {
  ------------------
  |  |  163|  9.21k|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 0, False: 9.21k]
  |  |  ------------------
  ------------------
    95|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
    96|      0|   }
    97|       |
    98|       |   /* if a < b then q=0, r = a */
                 /* magnitudes are compared here, so this is |a| < |b|; nothing has been
                  * allocated yet, which is why this path returns without the label chain */
    99|  9.21k|   if (mp_cmp_mag(a, b) == MP_LT) {
  ------------------
  |  |  154|  9.21k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (99:8): [True: 3.84k, False: 5.37k]
  ------------------
   100|  3.84k|      if (d != NULL) {
  ------------------
  |  Branch (100:11): [True: 3.84k, False: 0]
  ------------------
   101|  3.84k|         err = mp_copy(a, d);
   102|  3.84k|      } else {
   103|      0|         err = MP_OKAY;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
   104|      0|      }
   105|  3.84k|      if (c != NULL) {
  ------------------
  |  Branch (105:11): [True: 0, False: 3.84k]
  ------------------
   106|      0|         mp_zero(c);
   107|      0|      }
   108|  3.84k|      return err;
   109|  3.84k|   }
   110|       |
   111|  5.37k|   if ((err = mp_init_size(&q, a->used + 2)) != MP_OKAY) {
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (111:8): [True: 0, False: 5.37k]
  ------------------
   112|      0|      return err;
   113|      0|   }
                 /* used is set by hand and the quotient digits are later incremented and
                  * assigned in place; NOTE(review): this presumably relies on
                  * mp_init_size returning zeroed digits - confirm. */
   114|  5.37k|   q.used = a->used + 2;
   115|       |
   116|  5.37k|   if ((err = mp_init(&t1)) != MP_OKAY)                           goto LBL_Q;
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (116:8): [True: 0, False: 5.37k]
  ------------------
   117|       |
   118|  5.37k|   if ((err = mp_init(&t2)) != MP_OKAY)                           goto LBL_T1;
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (118:8): [True: 0, False: 5.37k]
  ------------------
   119|       |
   120|  5.37k|   if ((err = mp_init_copy(&x, a)) != MP_OKAY)                    goto LBL_T2;
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (120:8): [True: 0, False: 5.37k]
  ------------------
   121|       |
   122|  5.37k|   if ((err = mp_init_copy(&y, b)) != MP_OKAY)                    goto LBL_X;
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (122:8): [True: 0, False: 5.37k]
  ------------------
   123|       |
   124|       |   /* fix the sign */
                 /* the quotient sign is remembered in neg; the division itself runs on
                  * the magnitudes of the working copies x and y */
   125|  5.37k|   neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
  ------------------
  |  |  151|  5.36k|#define MP_ZPOS       0   /* positive integer */
  ------------------
                 neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
  ------------------
  |  |  152|  5.37k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (125:10): [True: 5.36k, False: 6]
  ------------------
   126|  5.37k|   x.sign = y.sign = MP_ZPOS;
  ------------------
  |  |  151|  5.37k|#define MP_ZPOS       0   /* positive integer */
  ------------------
   127|       |
   128|       |   /* normalize both x and y, ensure that y >= b/2, [b == 2**MP_DIGIT_BIT] */
                 /* norm is the left shift applied to both; it is undone on the remainder
                  * by mp_div_2d near the end */
   129|  5.37k|   norm = mp_count_bits(&y) % MP_DIGIT_BIT;
  ------------------
  |  |   82|  5.37k|#   define MP_DIGIT_BIT 60
  ------------------
   130|  5.37k|   if (norm < (MP_DIGIT_BIT - 1)) {
  ------------------
  |  |   82|  5.37k|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (130:8): [True: 5.36k, False: 4]
  ------------------
   131|  5.36k|      norm = (MP_DIGIT_BIT - 1) - norm;
  ------------------
  |  |   82|  5.36k|#   define MP_DIGIT_BIT 60
  ------------------
   132|  5.36k|      if ((err = mp_mul_2d(&x, norm, &x)) != MP_OKAY)             goto LBL_Y;
  ------------------
  |  |  161|  5.36k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (132:11): [True: 0, False: 5.36k]
  ------------------
   133|  5.36k|      if ((err = mp_mul_2d(&y, norm, &y)) != MP_OKAY)             goto LBL_Y;
  ------------------
  |  |  161|  5.36k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (133:11): [True: 0, False: 5.36k]
  ------------------
   134|  5.36k|   } else {
   135|      4|      norm = 0;
   136|      4|   }
   137|       |
   138|       |   /* note hac does 0 based, so if used==5 then its 0,1,2,3,4, e.g. use 4 */
   139|  5.37k|   n = x.used - 1;
   140|  5.37k|   t = y.used - 1;
   141|       |
   142|       |   /* while (x >= y*b**n-t) do { q[n-t] += 1; x -= y*b**{n-t} } */
   143|       |   /* y = y*b**{n-t} */
   144|  5.37k|   if ((err = mp_lshd(&y, n - t)) != MP_OKAY)                     goto LBL_Y;
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (144:8): [True: 0, False: 5.37k]
  ------------------
   145|       |
   146|  5.48k|   while (mp_cmp(&x, &y) != MP_LT) {
  ------------------
  |  |  154|  5.48k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (146:11): [True: 110, False: 5.37k]
  ------------------
   147|    110|      ++(q.dp[n - t]);
   148|    110|      if ((err = mp_sub(&x, &y, &x)) != MP_OKAY)                  goto LBL_Y;
  ------------------
  |  |  161|    110|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (148:11): [True: 0, False: 110]
  ------------------
   149|    110|   }
   150|       |
   151|       |   /* reset y by shifting it back down */
   152|  5.37k|   mp_rshd(&y, n - t);
   153|       |
   154|       |   /* step 3. for i from n down to (t + 1) */
   155|  32.7k|   for (i = n; i >= (t + 1); i--) {
  ------------------
  |  Branch (155:16): [True: 27.3k, False: 5.37k]
  ------------------
                    /* NOTE(review): the test is i > x.used, so i == x.used continues and
                     * x.dp[i] below reads the digit just above the used ones. That is
                     * presumably inside x's allocation and kept at zero - confirm. */
   156|  27.3k|      if (i > x.used) {
  ------------------
  |  Branch (156:11): [True: 186, False: 27.2k]
  ------------------
   157|    186|         continue;
   158|    186|      }
   159|       |
   160|       |      /* step 3.1 if xi == yt then set q{i-t-1} to b-1,
   161|       |       * otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */
   162|  27.2k|      if (x.dp[i] == y.dp[t]) {
  ------------------
  |  Branch (162:11): [True: 43, False: 27.1k]
  ------------------
   163|     43|         q.dp[(i - t) - 1] = ((mp_digit)1 << (mp_digit)MP_DIGIT_BIT) - (mp_digit)1;
  ------------------
  |  |   82|     43|#   define MP_DIGIT_BIT 60
  ------------------
   164|  27.1k|      } else {
                       /* two-digit estimate in the wider mp_word type, clamped to MP_MASK
                        * so that it fits into a single digit */
   165|  27.1k|         mp_word tmp;
   166|  27.1k|         tmp = (mp_word)x.dp[i] << (mp_word)MP_DIGIT_BIT;
  ------------------
  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  ------------------
   167|  27.1k|         tmp |= (mp_word)x.dp[i - 1];
   168|  27.1k|         tmp /= (mp_word)y.dp[t];
   169|  27.1k|         if (tmp > (mp_word)MP_MASK) {
  ------------------
  |  |  106|  27.1k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (169:14): [True: 0, False: 27.1k]
  ------------------
   170|      0|            tmp = MP_MASK;
  ------------------
  |  |  106|      0|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|      0|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   171|      0|         }
   172|  27.1k|         q.dp[(i - t) - 1] = (mp_digit)(tmp & (mp_word)MP_MASK);
  ------------------
  |  |  106|  27.1k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   173|  27.1k|      }
   174|       |
   175|       |      /* while (q{i-t-1} * (yt * b + y{t-1})) >
   176|       |               xi * b**2 + xi-1 * b + xi-2
   177|       |
   178|       |         do q{i-t-1} -= 1;
   179|       |      */
                    /* the estimate is bumped by one first because the do-while below
                     * decrements before its first comparison */
   180|  27.2k|      q.dp[(i - t) - 1] = (q.dp[(i - t) - 1] + 1uL) & (mp_digit)MP_MASK;
  ------------------
  |  |  106|  27.2k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  27.2k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   181|  43.9k|      do {
   182|  43.9k|         q.dp[(i - t) - 1] = (q.dp[(i - t) - 1] - 1uL) & (mp_digit)MP_MASK;
  ------------------
  |  |  106|  43.9k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  43.9k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   183|       |
   184|       |         /* find left hand */
                       /* NOTE(review): t1.dp[0..1] and, further down, t2.dp[0..2] are
                        * written directly with used set by hand; this presumably relies
                        * on mp_init allocating at least three digits - confirm. */
   185|  43.9k|         mp_zero(&t1);
   186|  43.9k|         t1.dp[0] = ((t - 1) < 0) ? 0u : y.dp[t - 1];
  ------------------
  |  Branch (186:21): [True: 0, False: 43.9k]
  ------------------
   187|  43.9k|         t1.dp[1] = y.dp[t];
   188|  43.9k|         t1.used = 2;
   189|  43.9k|         if ((err = mp_mul_d(&t1, q.dp[(i - t) - 1], &t1)) != MP_OKAY) goto LBL_Y;
  ------------------
  |  |  161|  43.9k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (189:14): [True: 0, False: 43.9k]
  ------------------
   190|       |
   191|       |         /* find right hand */
   192|  43.9k|         t2.dp[0] = ((i - 2) < 0) ? 0u : x.dp[i - 2];
  ------------------
  |  Branch (192:21): [True: 0, False: 43.9k]
  ------------------
   193|  43.9k|         t2.dp[1] = x.dp[i - 1]; /* i >= 1 always holds */
   194|  43.9k|         t2.dp[2] = x.dp[i];
   195|  43.9k|         t2.used = 3;
   196|  43.9k|      } while (mp_cmp_mag(&t1, &t2) == MP_GT);
  ------------------
  |  |  156|  43.9k|#define MP_GT         1   /* greater than */
  ------------------
  |  Branch (196:16): [True: 16.7k, False: 27.2k]
  ------------------
   197|       |
   198|       |      /* step 3.3 x = x - q{i-t-1} * y * b**{i-t-1} */
   199|  27.2k|      if ((err = mp_mul_d(&y, q.dp[(i - t) - 1], &t1)) != MP_OKAY) goto LBL_Y;
  ------------------
  |  |  161|  27.2k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (199:11): [True: 0, False: 27.2k]
  ------------------
   200|       |
   201|  27.2k|      if ((err = mp_lshd(&t1, (i - t) - 1)) != MP_OKAY)           goto LBL_Y;
  ------------------
  |  |  161|  27.2k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (201:11): [True: 0, False: 27.2k]
  ------------------
   202|       |
   203|  27.2k|      if ((err = mp_sub(&x, &t1, &x)) != MP_OKAY)                 goto LBL_Y;
  ------------------
  |  |  161|  27.2k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (203:11): [True: 0, False: 27.2k]
  ------------------
   204|       |
   205|       |      /* if x < 0 then { x = x + y*b**{i-t-1}; q{i-t-1} -= 1; } */
   206|  27.2k|      if (x.sign == MP_NEG) {
  ------------------
  |  |  152|  27.2k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (206:11): [True: 76, False: 27.1k]
  ------------------
   207|     76|         if ((err = mp_copy(&y, &t1)) != MP_OKAY)                 goto LBL_Y;
  ------------------
  |  |  161|     76|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (207:14): [True: 0, False: 76]
  ------------------
   208|     76|         if ((err = mp_lshd(&t1, (i - t) - 1)) != MP_OKAY)        goto LBL_Y;
  ------------------
  |  |  161|     76|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (208:14): [True: 0, False: 76]
  ------------------
   209|     76|         if ((err = mp_add(&x, &t1, &x)) != MP_OKAY)              goto LBL_Y;
  ------------------
  |  |  161|     76|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (209:14): [True: 0, False: 76]
  ------------------
   210|       |
   211|     76|         q.dp[(i - t) - 1] = (q.dp[(i - t) - 1] - 1uL) & MP_MASK;
  ------------------
  |  |  106|     76|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|     76|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   212|     76|      }
   213|  27.2k|   }
   214|       |
   215|       |   /* now q is the quotient and x is the remainder
   216|       |    * [which we have to normalize]
   217|       |    */
   218|       |
   219|       |   /* get sign before writing to c */
                 /* a->sign has to be read first: c may be the same object as a (not
                  * visible here), and the exchange below would overwrite it */
   220|  5.37k|   x.sign = (x.used == 0) ? MP_ZPOS : a->sign;
  ------------------
  |  |  151|      3|#define MP_ZPOS       0   /* positive integer */
  ------------------
  |  Branch (220:13): [True: 3, False: 5.36k]
  ------------------
   221|       |
                 /* c is written before d: if mp_div_2d fails below, the function returns
                  * that error with c already holding the quotient */
   222|  5.37k|   if (c != NULL) {
  ------------------
  |  Branch (222:8): [True: 313, False: 5.05k]
  ------------------
   223|    313|      mp_clamp(&q);
   224|    313|      mp_exch(&q, c);
   225|    313|      c->sign = neg;
   226|    313|   }
   227|       |
   228|  5.37k|   if (d != NULL) {
  ------------------
  |  Branch (228:8): [True: 5.05k, False: 313]
  ------------------
   229|  5.05k|      if ((err = mp_div_2d(&x, norm, &x, NULL)) != MP_OKAY)       goto LBL_Y;
  ------------------
  |  |  161|  5.05k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (229:11): [True: 0, False: 5.05k]
  ------------------
   230|  5.05k|      mp_exch(&x, d);
   231|  5.05k|   }
   232|       |
   233|  5.37k|   err = MP_OKAY;
  ------------------
  |  |  161|  5.37k|#define MP_OKAY       0   /* no error */
  ------------------
   234|       |
                 /* cleanup chain: each label releases one temporary and falls through to
                  * the labels for the temporaries initialised before it */
   235|  5.37k|LBL_Y:
   236|  5.37k|   mp_clear(&y);
   237|  5.37k|LBL_X:
   238|  5.37k|   mp_clear(&x);
   239|  5.37k|LBL_T2:
   240|  5.37k|   mp_clear(&t2);
   241|  5.37k|LBL_T1:
   242|  5.37k|   mp_clear(&t1);
   243|  5.37k|LBL_Q:
   244|  5.37k|   mp_clear(&q);
   245|  5.37k|   return err;
   246|  5.37k|}

mp_div_2:
    8|  1.80M|{
    9|  1.80M|   int     x, oldused;
   10|  1.80M|   mp_digit r, rr, *tmpa, *tmpb;
   11|  1.80M|   mp_err err;
   12|       |   /* computes b = a / 2 by shifting every digit of a right by one bit */
   13|       |   /* make sure b has room for all a->used digits before anything is written */
   14|  1.80M|   if (b->alloc < a->used) {
  ------------------
  |  Branch (14:8): [True: 1.09k, False: 1.80M]
  ------------------
   15|  1.09k|      if ((err = mp_grow(b, a->used)) != MP_OKAY) {
  ------------------
  |  |  161|  1.09k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (15:11): [True: 0, False: 1.09k]
  ------------------
   16|      0|         return err;
   17|      0|      }
   18|  1.09k|   }
   19|       |   /* remember the old digit count so stale high digits can be zeroed at the end */
   20|  1.80M|   oldused = b->used;
   21|  1.80M|   b->used = a->used;
   22|       |
   23|       |   /* source alias: most significant digit of a */
   24|  1.80M|   tmpa = a->dp + b->used - 1;
   25|       |
   26|       |   /* dest alias: the matching digit of b */
   27|  1.80M|   tmpb = b->dp + b->used - 1;
   28|       |
   29|       |   /* carry: low bit of the digit above; 0 for the top digit */
   30|  1.80M|   r = 0;
   31|  14.6M|   for (x = b->used - 1; x >= 0; x--) {
  ------------------
  |  Branch (31:26): [True: 12.8M, False: 1.80M]
  ------------------
   32|       |      /* get the carry for the next iteration */
   33|  12.8M|      rr = *tmpa & 1u;
   34|       |
   35|       |      /* shift the current digit, add in carry and store */
   36|  12.8M|      *tmpb-- = (*tmpa-- >> 1) | (r << (MP_DIGIT_BIT - 1));
  ------------------
  |  |   82|  12.8M|#   define MP_DIGIT_BIT 60
  ------------------
   37|       |
   38|       |      /* forward carry to next iteration */
   39|  12.8M|      r = rr;
   40|  12.8M|   }
   41|       |
   42|       |   /* zero the digits b held above the new used count (nothing to do when oldused <= b->used) */
   43|  1.80M|   MP_ZERO_DIGITS(b->dp + b->used, oldused - b->used);
  ------------------
  |  |   89|  1.80M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  1.80M|do {                                                    \
  |  |   91|  1.80M|   int zd_ = (digits);                                  \
  |  |   92|  1.80M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  1.80M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 1.80M]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|  1.80M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 1.80M]
  |  |  ------------------
  ------------------
   44|       |
   45|  1.80M|   b->sign = a->sign;
   46|  1.80M|   mp_clamp(b);
   47|  1.80M|   return MP_OKAY;
  ------------------
  |  |  161|  1.80M|#define MP_OKAY       0   /* no error */
  ------------------
   48|  1.80M|}

mp_div_2d:
    8|  6.68M|{
    9|  6.68M|   mp_digit D, r, rr;
   10|  6.68M|   int     x;
   11|  6.68M|   mp_err err;
   12|       |   /* c = a shifted right by b bits; when d is not NULL it receives the remainder from mp_mod_2d */
   13|       |   /* if the shift count is <= 0 then we do no work: c is a copy of a and d (if given) is zeroed */
   14|  6.68M|   if (b <= 0) {
  ------------------
  |  Branch (14:8): [True: 3, False: 6.68M]
  ------------------
   15|      3|      err = mp_copy(a, c);
   16|      3|      if (d != NULL) {
  ------------------
  |  Branch (16:11): [True: 0, False: 3]
  ------------------
   17|      0|         mp_zero(d);
   18|      0|      }
   19|      3|      return err;
   20|      3|   }
   21|       |
   22|       |   /* copy */
   23|  6.68M|   if ((err = mp_copy(a, c)) != MP_OKAY) {
  ------------------
  |  |  161|  6.68M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (23:8): [True: 0, False: 6.68M]
  ------------------
   24|      0|      return err;
   25|      0|   }
   26|       |   /* 'a' may be the same object as d: once mp_mod_2d below has written d, 'a' must not be read again (the shift works on the copy in c) */
   27|       |
   28|       |   /* get the remainder */
   29|  6.68M|   if (d != NULL) {
  ------------------
  |  Branch (29:8): [True: 5.63M, False: 1.05M]
  ------------------
   30|  5.63M|      if ((err = mp_mod_2d(a, b, d)) != MP_OKAY) {
  ------------------
  |  |  161|  5.63M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (30:11): [True: 0, False: 5.63M]
  ------------------
   31|      0|         return err;
   32|      0|      }
   33|  5.63M|   }
   34|       |
   35|       |   /* shift by as many digits in the bit count */
   36|  6.68M|   if (b >= MP_DIGIT_BIT) {
  ------------------
  |  |   82|  6.68M|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (36:8): [True: 5.63M, False: 1.05M]
  ------------------
   37|  5.63M|      mp_rshd(c, b / MP_DIGIT_BIT);
  ------------------
  |  |   82|  5.63M|#   define MP_DIGIT_BIT 60
  ------------------
   38|  5.63M|   }
   39|       |
   40|       |   /* shift any bit count < MP_DIGIT_BIT */
   41|  6.68M|   D = (mp_digit)(b % MP_DIGIT_BIT);
  ------------------
  |  |   82|  6.68M|#   define MP_DIGIT_BIT 60
  ------------------
   42|  6.68M|   if (D != 0u) {
  ------------------
  |  Branch (42:8): [True: 6.51M, False: 172k]
  ------------------
   43|  6.51M|      mp_digit *tmpc, mask, shift;
   44|       |
   45|       |      /* mask selecting the low D bits of a digit */
   46|  6.51M|      mask = ((mp_digit)1 << D) - 1uL;
   47|       |
   48|       |      /* left shift that places the carried low bits at the top of the next lower digit */
   49|  6.51M|      shift = (mp_digit)MP_DIGIT_BIT - D;
  ------------------
  |  |   82|  6.51M|#   define MP_DIGIT_BIT 60
  ------------------
   50|       |
   51|       |      /* alias: most significant digit of c */
   52|  6.51M|      tmpc = c->dp + (c->used - 1);
   53|       |
   54|       |      /* carry */
   55|  6.51M|      r = 0;
   56|  72.0M|      for (x = c->used - 1; x >= 0; x--) {
  ------------------
  |  Branch (56:29): [True: 65.5M, False: 6.51M]
  ------------------
   57|       |         /* get the lower  bits of this word in a temp */
   58|  65.5M|         rr = *tmpc & mask;
   59|       |
   60|       |         /* shift the current word and mix in the carry bits from the previous word */
   61|  65.5M|         *tmpc = (*tmpc >> D) | (r << shift);
   62|  65.5M|         --tmpc;
   63|       |
   64|       |         /* set the carry to the carry bits of the current word found above */
   65|  65.5M|         r = rr;
   66|  65.5M|      }
   67|  6.51M|   }
   68|  6.68M|   mp_clamp(c);
   69|  6.68M|   return MP_OKAY;
  ------------------
  |  |  161|  6.68M|#define MP_OKAY       0   /* no error */
  ------------------
   70|  6.68M|}

mp_dr_is_modulus:
    8|  2.69k|{
    9|  2.69k|   int ix;
   10|       |   /* returns MP_YES when a has at least two digits and every digit above dp[0] equals MP_MASK, otherwise MP_NO */
   11|       |   /* must be at least two digits */
   12|  2.69k|   if (a->used < 2) {
  ------------------
  |  Branch (12:8): [True: 0, False: 2.69k]
  ------------------
   13|      0|      return MP_NO;
  ------------------
  |  |  159|      0|#define MP_NO         0
  ------------------
   14|      0|   }
   15|       |
   16|       |   /* must be of the form b**k - a [a <= b] so all
   17|       |    * but the first digit must be equal to -1 (mod b),
   18|       |    * i.e. every digit from index 1 upwards is MP_MASK.
   19|  2.79k|   for (ix = 1; ix < a->used; ix++) {
  ------------------
  |  Branch (19:17): [True: 2.79k, False: 0]
  ------------------
   20|  2.79k|      if (a->dp[ix] != MP_MASK) {
  ------------------
  |  |  106|  2.79k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  2.79k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (20:11): [True: 2.69k, False: 102]
  ------------------
   21|  2.69k|         return MP_NO;
  ------------------
  |  |  159|  2.69k|#define MP_NO         0
  ------------------
   22|  2.69k|      }
   23|  2.79k|   }
   24|      0|   return MP_YES;
  ------------------
  |  |  158|      0|#define MP_YES        1
  ------------------
   25|  2.69k|}

mp_exch:
   10|  16.0k|{
   11|  16.0k|   mp_int  t;
   12|       |   /* swap the two mp_int structs by value: the dp pointers trade places with the other fields, no digits are copied or freed */
   13|  16.0k|   t  = *a;
   14|  16.0k|   *a = *b;
   15|  16.0k|   *b = t;
   16|  16.0k|}

mp_exptmod:
   12|  2.83k|{
   13|  2.83k|   int dr;
   14|       |   /* computes Y = G**X mod P, picking the exponentiation routine from the sign of X and the form of P */
   15|       |   /* modulus P must be positive */
   16|  2.83k|   if (P->sign == MP_NEG) {
  ------------------
  |  |  152|  2.83k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (16:8): [True: 0, False: 2.83k]
  ------------------
   17|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   18|      0|   }
   19|       |
   20|       |   /* if exponent X is negative we have to recurse */
   21|  2.83k|   if (X->sign == MP_NEG) {
  ------------------
  |  |  152|  2.83k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (21:8): [True: 0, False: 2.83k]
  ------------------
   22|      0|      mp_int tmpG, tmpX;
   23|      0|      mp_err err;
   24|       |      /* a negative exponent needs a modular inverse; without mp_invmod compiled in it is rejected */
   25|      0|      if (!MP_HAS(MP_INVMOD)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (25:11): [Folded, False: 0]
  ------------------
   26|      0|         return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   27|      0|      }
   28|       |
   29|      0|      if ((err = mp_init_multi(&tmpG, &tmpX, NULL)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (29:11): [True: 0, False: 0]
  ------------------
   30|      0|         return err;
   31|      0|      }
   32|       |
   33|       |      /* first compute 1/G mod P */
   34|      0|      if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (34:11): [True: 0, False: 0]
  ------------------
   35|      0|         goto LBL_ERR;
   36|      0|      }
   37|       |
   38|       |      /* now get |X| */
   39|      0|      if ((err = mp_abs(X, &tmpX)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (39:11): [True: 0, False: 0]
  ------------------
   40|      0|         goto LBL_ERR;
   41|      0|      }
   42|       |
   43|       |      /* and now compute (1/G)**|X| instead of G**X [X < 0] */
   44|      0|      err = mp_exptmod(&tmpG, &tmpX, P, Y);
   45|      0|LBL_ERR:
   46|      0|      mp_clear_multi(&tmpG, &tmpX, NULL);
   47|      0|      return err;
   48|      0|   }
   49|       |
   50|       |   /* modified diminished radix reduction */
   51|  2.83k|   if (MP_HAS(MP_REDUCE_IS_2K_L) && MP_HAS(MP_REDUCE_2K_L) && MP_HAS(S_MP_EXPTMOD) &&
  ------------------
  |  |  150|  5.66k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.83k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.83k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
                 if (MP_HAS(MP_REDUCE_IS_2K_L) && MP_HAS(MP_REDUCE_2K_L) && MP_HAS(S_MP_EXPTMOD) &&
  ------------------
  |  |  150|  2.83k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
                 if (MP_HAS(MP_REDUCE_IS_2K_L) && MP_HAS(MP_REDUCE_2K_L) && MP_HAS(S_MP_EXPTMOD) &&
  ------------------
  |  |  150|  2.83k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
   52|  2.83k|       (mp_reduce_is_2k_l(P) == MP_YES)) {
  ------------------
  |  |  158|  2.83k|#define MP_YES        1
  ------------------
  |  Branch (52:8): [True: 141, False: 2.69k]
  ------------------
   53|    141|      return s_mp_exptmod(G, X, P, Y, 1);
   54|    141|   }
   55|       |   /* dr below: 0 = neither test matched, 1 = mp_dr_is_modulus(P) matched, 2 = mp_reduce_is_2k(P) matched */
   56|       |   /* is it a DR modulus? default to no */
   57|  2.69k|   dr = (MP_HAS(MP_DR_IS_MODULUS) && (mp_dr_is_modulus(P) == MP_YES)) ? 1 : 0;
  ------------------
  |  |  150|  5.38k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.69k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.69k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 2.69k, Folded]
  |  |  ------------------
  ------------------
                 dr = (MP_HAS(MP_DR_IS_MODULUS) && (mp_dr_is_modulus(P) == MP_YES)) ? 1 : 0;
  ------------------
  |  |  158|  2.69k|#define MP_YES        1
  ------------------
  |  Branch (57:38): [True: 0, False: 2.69k]
  ------------------
   58|       |
   59|       |   /* if not, is it an unrestricted DR modulus? */
   60|  2.69k|   if (MP_HAS(MP_REDUCE_IS_2K) && (dr == 0)) {
  ------------------
  |  |  150|  5.38k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.69k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.69k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 2.69k, Folded]
  |  |  ------------------
  ------------------
  |  Branch (60:35): [True: 2.69k, False: 0]
  ------------------
   61|  2.69k|      dr = (mp_reduce_is_2k(P) == MP_YES) ? 2 : 0;
  ------------------
  |  |  158|  2.69k|#define MP_YES        1
  ------------------
  |  Branch (61:12): [True: 0, False: 2.69k]
  ------------------
   62|  2.69k|   }
   63|       |
   64|       |   /* if the modulus is odd or dr != 0 use the montgomery method */
   65|  2.69k|   if (MP_HAS(S_MP_EXPTMOD_FAST) && (MP_IS_ODD(P) || (dr != 0))) {
  ------------------
  |  |  150|  5.38k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.69k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.69k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 2.69k, Folded]
  |  |  ------------------
  ------------------
                 if (MP_HAS(S_MP_EXPTMOD_FAST) && (MP_IS_ODD(P) || (dr != 0))) {
  ------------------
  |  |  165|  5.38k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 2.69k, False: 0]
  |  |  |  Branch (165:43): [True: 2.37k, False: 313]
  |  |  ------------------
  ------------------
  |  Branch (65:54): [True: 0, False: 313]
  ------------------
   66|  2.37k|      return s_mp_exptmod_fast(G, X, P, Y, dr);
   67|  2.37k|   } else if (MP_HAS(S_MP_EXPTMOD)) {
  ------------------
  |  |  150|    313|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|    313|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|    313|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 313, Folded]
  |  |  ------------------
  ------------------
   68|       |      /* otherwise use the generic Barrett reduction technique */
   69|    313|      return s_mp_exptmod(G, X, P, Y, 0);
   70|    313|   } else {
   71|       |      /* reached only when the fast path did not apply and S_MP_EXPTMOD is not compiled in: no routine is left for this modulus */
   72|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   73|      0|   }
   74|  2.69k|}

mp_from_ubin:
    8|  8.92k|{
    9|  8.92k|   mp_err err;
   10|       |   /* loads size bytes from buf into a; each pass shifts a left by 8 bits and ORs in the next byte, so buf is read most significant byte first */
   11|       |   /* make sure there are at least two digits */
   12|  8.92k|   if (a->alloc < 2) {
  ------------------
  |  Branch (12:8): [True: 0, False: 8.92k]
  ------------------
   13|      0|      if ((err = mp_grow(a, 2)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (13:11): [True: 0, False: 0]
  ------------------
   14|      0|         return err;
   15|      0|      }
   16|      0|   }
   17|       |
   18|       |   /* zero the int */
   19|  8.92k|   mp_zero(a);
   20|       |   /* NOTE(review): size is not capped in this function, so the caller decides how large a may grow - confirm callers bound lengths taken from untrusted input */
   21|       |   /* read the bytes in */
   22|  1.53M|   while (size-- > 0u) {
  ------------------
  |  Branch (22:11): [True: 1.52M, False: 8.92k]
  ------------------
   23|  1.52M|      if ((err = mp_mul_2d(a, 8, a)) != MP_OKAY) {
  ------------------
  |  |  161|  1.52M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (23:11): [True: 0, False: 1.52M]
  ------------------
   24|      0|         return err;
   25|      0|      }
   26|       |
   27|  1.52M|#ifndef MP_8BIT
   28|  1.52M|      a->dp[0] |= *buf++;
   29|  1.52M|      a->used += 1;
   30|       |#else
   31|       |      a->dp[0] = (*buf & MP_MASK);
   32|       |      a->dp[1] |= ((*buf++ >> 7) & 1u);
   33|       |      a->used += 2;
   34|       |#endif
   35|  1.52M|   }
   36|  8.92k|   mp_clamp(a);
   37|  8.92k|   return MP_OKAY;
  ------------------
  |  |  161|  8.92k|#define MP_OKAY       0   /* no error */
  ------------------
   38|  8.92k|}

mp_grow:
    8|   265k|{
    9|   265k|   int     i;
   10|   265k|   mp_digit *tmp;
   11|       |   /* ensures a has at least size digits allocated; never shrinks, newly added digits are zeroed, negative size gives MP_VAL */
   12|   265k|   if (size < 0) {
  ------------------
  |  Branch (12:8): [True: 0, False: 265k]
  ------------------
   13|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   14|      0|   }
   15|       |   /* NOTE(review): the byte counts passed below are (size_t)int * sizeof(mp_digit) with no overflow check - confirm size_t cannot wrap for the sizes callers pass */
   16|       |   /* if the alloc size is smaller alloc more ram */
   17|   265k|   if (a->alloc < size) {
  ------------------
  |  Branch (17:8): [True: 261k, False: 3.26k]
  ------------------
   18|       |      /* reallocate the array a->dp
   19|       |       *
   20|       |       * We store the return in a temporary variable
   21|       |       * in case the operation failed we don't want
   22|       |       * to overwrite the dp member of a.
   23|       |       */
   24|   261k|      tmp = (mp_digit *) MP_REALLOC(a->dp,
  ------------------
  |  | 1325|   261k|#define MP_REALLOC   m_realloc_ltm
  ------------------
   25|   261k|                                    (size_t)a->alloc * sizeof(mp_digit),
   26|   261k|                                    (size_t)size * sizeof(mp_digit));
   27|   261k|      if (tmp == NULL) {
  ------------------
  |  Branch (27:11): [True: 0, False: 261k]
  ------------------
   28|       |         /* reallocation failed but "a" is still valid [can be freed] */
   29|      0|         return MP_MEM;
  ------------------
  |  |  163|      0|#define MP_MEM        -2  /* out of mem */
  ------------------
   30|      0|      }
   31|       |
   32|       |      /* reallocation succeeded so set a->dp */
   33|   261k|      a->dp = tmp;
   34|       |
   35|       |      /* zero excess digits: everything between the old and the new alloc count */
   36|   261k|      i        = a->alloc;
   37|   261k|      a->alloc = size;
   38|   261k|      MP_ZERO_DIGITS(a->dp + i, a->alloc - i);
  ------------------
  |  |   89|   261k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|   261k|do {                                                    \
  |  |   91|   261k|   int zd_ = (digits);                                  \
  |  |   92|   261k|   mp_digit* zm_ = (mem);                               \
  |  |   93|  5.34M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 5.07M, False: 261k]
  |  |  ------------------
  |  |   94|  5.07M|      *zm_++ = 0;                                       \
  |  |   95|  5.07M|   }                                                    \
  |  |   96|   261k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 261k]
  |  |  ------------------
  ------------------
   39|   261k|   }
   40|   265k|   return MP_OKAY;
  ------------------
  |  |  161|   265k|#define MP_OKAY       0   /* no error */
  ------------------
   41|   265k|}

mp_init:
    8|  2.55M|{
    9|       |   /* allocate MP_PREC zeroed digits through MP_CALLOC; on failure a->dp is left NULL and MP_MEM is returned */
   10|  2.55M|   a->dp = (mp_digit *) MP_CALLOC((size_t)MP_PREC, sizeof(mp_digit));
  ------------------
  |  | 1326|  2.55M|#define MP_CALLOC    m_calloc
  ------------------
                 a->dp = (mp_digit *) MP_CALLOC((size_t)MP_PREC, sizeof(mp_digit));
  ------------------
  |  |  177|  2.55M|#   define MP_PREC PRIVATE_MP_PREC
  |  |  ------------------
  |  |  |  |  193|  2.55M|#      define PRIVATE_MP_PREC 32        /* default digits of precision */
  |  |  ------------------
  ------------------
   11|  2.55M|   if (a->dp == NULL) {
  ------------------
  |  Branch (11:8): [True: 0, False: 2.55M]
  ------------------
   12|      0|      return MP_MEM;
  ------------------
  |  |  163|      0|#define MP_MEM        -2  /* out of mem */
  ------------------
   13|      0|   }
   14|       |
   15|       |   /* set the used to zero, allocated digits to the default precision
   16|       |    * and sign to positive */
   17|  2.55M|   a->used  = 0;
   18|  2.55M|   a->alloc = MP_PREC;
  ------------------
  |  |  177|  2.55M|#   define MP_PREC PRIVATE_MP_PREC
  |  |  ------------------
  |  |  |  |  193|  2.55M|#      define PRIVATE_MP_PREC 32        /* default digits of precision */
  |  |  ------------------
  ------------------
   19|  2.55M|   a->sign  = MP_ZPOS;
  ------------------
  |  |  151|  2.55M|#define MP_ZPOS       0   /* positive integer */
  ------------------
   20|       |
   21|  2.55M|   return MP_OKAY;
  ------------------
  |  |  161|  2.55M|#define MP_OKAY       0   /* no error */
  ------------------
   22|  2.55M|}

mp_init_copy:
    8|  45.6k|{
    9|  45.6k|   mp_err     err;
   10|       |   /* initialise a with room for b->used digits, then copy b into it; returns the first error met, else the result of mp_copy */
   11|  45.6k|   if ((err = mp_init_size(a, b->used)) != MP_OKAY) {
  ------------------
  |  |  161|  45.6k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (11:8): [True: 0, False: 45.6k]
  ------------------
   12|      0|      return err;
   13|      0|   }
   14|       |   /* a failed copy clears a again here, so on error the caller is not left holding an initialised a */
   15|  45.6k|   if ((err = mp_copy(b, a)) != MP_OKAY) {
  ------------------
  |  |  161|  45.6k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (15:8): [True: 0, False: 45.6k]
  ------------------
   16|      0|      mp_clear(a);
   17|      0|   }
   18|       |
   19|  45.6k|   return err;
   20|  45.6k|}

mp_init_multi:
    9|    908|{
   10|    908|   mp_err err = MP_OKAY;      /* Assume ok until proven otherwise */
  ------------------
  |  |  161|    908|#define MP_OKAY       0   /* no error */
  ------------------
   11|    908|   int n = 0;                 /* Number of ok inits */
   12|    908|   mp_int *cur_arg = mp;
   13|    908|   va_list args;
   14|       |   /* initialises every mp_int in the NULL-terminated argument list; if one mp_init fails, the n already initialised are cleared and MP_MEM is returned */
   15|    908|   va_start(args, mp);        /* init args to next argument from caller */
   16|  6.46k|   while (cur_arg != NULL) {
  ------------------
  |  Branch (16:11): [True: 5.56k, False: 908]
  ------------------
   17|  5.56k|      if (mp_init(cur_arg) != MP_OKAY) {
  ------------------
  |  |  161|  5.56k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (17:11): [True: 0, False: 5.56k]
  ------------------
   18|       |         /* Oops - error! Back-track and mp_clear what we already
   19|       |            succeeded in init-ing, then return error.
   20|       |         */
   21|      0|         va_list clean_args;
   22|       |
   23|       |         /* now start cleaning up: walk the argument list again from the first entry */
   24|      0|         cur_arg = mp;
   25|      0|         va_start(clean_args, mp);
   26|      0|         while (n-- != 0) {
  ------------------
  |  Branch (26:17): [True: 0, False: 0]
  ------------------
   27|      0|            mp_clear(cur_arg);
   28|      0|            cur_arg = va_arg(clean_args, mp_int *);
   29|      0|         }
   30|      0|         va_end(clean_args);
   31|      0|         err = MP_MEM;
  ------------------
  |  |  163|      0|#define MP_MEM        -2  /* out of mem */
  ------------------
   32|      0|         break;
   33|      0|      }
   34|  5.56k|      n++;
   35|  5.56k|      cur_arg = va_arg(args, mp_int *);
   36|  5.56k|   }
   37|       |   va_end(args);
   38|    908|   return err;                /* MP_OKAY unless an init failed above */
   39|    908|}

mp_init_size:
    8|   202k|{
    9|       |   /* initialises a with at least size zeroed digits (never fewer than MP_MIN_PREC); a negative size is rejected with MP_VAL */
   10|   202k|   if (size < 0) {
  ------------------
  |  Branch (10:8): [True: 0, False: 202k]
  ------------------
   11|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   12|      0|   }
   13|       |
   14|   202k|   size = MP_MAX(MP_MIN_PREC, size);
  ------------------
  |  |  157|   202k|#define MP_MAX(x, y) (((x) > (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (157:23): [True: 12.9k, False: 189k]
  |  |  ------------------
  ------------------
   15|       |
   16|       |   /* allocate size zeroed digits; a->dp stays NULL if the allocation fails */
   17|   202k|   a->dp = (mp_digit *) MP_CALLOC((size_t)size, sizeof(mp_digit));
  ------------------
  |  | 1326|   202k|#define MP_CALLOC    m_calloc
  ------------------
   18|   202k|   if (a->dp == NULL) {
  ------------------
  |  Branch (18:8): [True: 0, False: 202k]
  ------------------
   19|      0|      return MP_MEM;
  ------------------
  |  |  163|      0|#define MP_MEM        -2  /* out of mem */
  ------------------
   20|      0|   }
   21|       |
   22|       |   /* set the members */
   23|   202k|   a->used  = 0;
   24|   202k|   a->alloc = size;
   25|   202k|   a->sign  = MP_ZPOS;
  ------------------
  |  |  151|   202k|#define MP_ZPOS       0   /* positive integer */
  ------------------
   26|       |
   27|   202k|   return MP_OKAY;
  ------------------
  |  |  161|   202k|#define MP_OKAY       0   /* no error */
  ------------------
   28|   202k|}

mp_invmod:
    8|    908|{
    9|       |   /* b cannot be negative and has to be >1; anything else is rejected with MP_VAL before any work is done */
   10|    908|   if ((b->sign == MP_NEG) || (mp_cmp_d(b, 1uL) != MP_GT)) {
  ------------------
  |  |  152|    908|#define MP_NEG        1   /* negative */
  ------------------
                 if ((b->sign == MP_NEG) || (mp_cmp_d(b, 1uL) != MP_GT)) {
  ------------------
  |  |  156|    908|#define MP_GT         1   /* greater than */
  ------------------
  |  Branch (10:8): [True: 0, False: 908]
  |  Branch (10:31): [True: 0, False: 908]
  ------------------
   11|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   12|      0|   }
   13|       |
   14|       |   /* if the modulus is odd we can use a faster routine instead */
   15|    908|   if (MP_HAS(S_MP_INVMOD_FAST) && MP_IS_ODD(b)) {
  ------------------
  |  |  150|  1.81k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|    908|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|    908|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 908, Folded]
  |  |  ------------------
  ------------------
                 if (MP_HAS(S_MP_INVMOD_FAST) && MP_IS_ODD(b)) {
  ------------------
  |  |  165|    908|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 908, False: 0]
  |  |  |  Branch (165:43): [True: 852, False: 56]
  |  |  ------------------
  ------------------
   16|    852|      return s_mp_invmod_fast(a, b, c);
   17|    852|   }
   18|       |   /* otherwise (even b, or the fast routine is not built) use the slow routine, or MP_VAL when that is not built either */
   19|     56|   return MP_HAS(S_MP_INVMOD_SLOW)
  ------------------
  |  |  150|     56|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|     56|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|     56|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 56, Folded]
  |  |  ------------------
  ------------------
   20|     56|          ? s_mp_invmod_slow(a, b, c)
   21|     56|          : MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   22|    908|}

mp_lshd:
    8|  33.3k|{
    9|  33.3k|   int x;
   10|  33.3k|   mp_err err;
   11|  33.3k|   mp_digit *top, *bottom;
   12|       |   /* shifts a left by b whole digits in place: existing digits move up by b positions and the low b digits become zero */
   13|       |   /* nothing to do for a shift count of zero or less */
   14|  33.3k|   if (b <= 0) {
  ------------------
  |  Branch (14:8): [True: 5.36k, False: 28.0k]
  ------------------
   15|  5.36k|      return MP_OKAY;
  ------------------
  |  |  161|  5.36k|#define MP_OKAY       0   /* no error */
  ------------------
   16|  5.36k|   }
   17|       |   /* no need to shift 0 around */
   18|  28.0k|   if (MP_IS_ZERO(a)) {
  ------------------
  |  |  163|  28.0k|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 119, False: 27.8k]
  |  |  ------------------
  ------------------
   19|    119|      return MP_OKAY;
  ------------------
  |  |  161|    119|#define MP_OKAY       0   /* no error */
  ------------------
   20|    119|   }
   21|       |   /* NOTE(review): a->used + b below is plain int arithmetic with no overflow check; presumably callers keep b small - confirm */
   22|       |   /* grow to fit the new digits */
   23|  27.8k|   if (a->alloc < (a->used + b)) {
  ------------------
  |  Branch (23:8): [True: 3.37k, False: 24.5k]
  ------------------
   24|  3.37k|      if ((err = mp_grow(a, a->used + b)) != MP_OKAY) {
  ------------------
  |  |  161|  3.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (24:11): [True: 0, False: 3.37k]
  ------------------
   25|      0|         return err;
   26|      0|      }
   27|  3.37k|   }
   28|       |
   29|       |   /* increment the used by the shift amount then copy upwards */
   30|  27.8k|   a->used += b;
   31|       |
   32|       |   /* top: the new most significant digit */
   33|  27.8k|   top = a->dp + a->used - 1;
   34|       |
   35|       |   /* base: the old most significant digit, b positions below top */
   36|  27.8k|   bottom = (a->dp + a->used - 1) - b;
   37|       |
   38|       |   /* much like mp_rshd this is implemented using a sliding window
   39|       |    * except the window goes the other way around.  Copying from
   40|       |    * the bottom to the top.  see bn_mp_rshd.c for more info.
   41|       |    */
   42|   377k|   for (x = a->used - 1; x >= b; x--) {
  ------------------
  |  Branch (42:26): [True: 349k, False: 27.8k]
  ------------------
   43|   349k|      *top-- = *bottom--;
   44|   349k|   }
   45|       |
   46|       |   /* zero the lower digits */
   47|  27.8k|   MP_ZERO_DIGITS(a->dp, b);
  ------------------
  |  |   89|  27.8k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  27.8k|do {                                                    \
  |  |   91|  27.8k|   int zd_ = (digits);                                  \
  |  |   92|  27.8k|   mp_digit* zm_ = (mem);                               \
  |  |   93|   191k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 164k, False: 27.8k]
  |  |  ------------------
  |  |   94|   164k|      *zm_++ = 0;                                       \
  |  |   95|   164k|   }                                                    \
  |  |   96|  27.8k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 27.8k]
  |  |  ------------------
  ------------------
   48|       |
   49|  27.8k|   return MP_OKAY;
  ------------------
  |  |  161|  27.8k|#define MP_OKAY       0   /* no error */
  ------------------
   50|  27.8k|}

mp_mod:
    8|  6.92k|{
    9|  6.92k|   mp_int  t;
   10|  6.92k|   mp_err  err;
   11|       |
   12|  6.92k|   if ((err = mp_init_size(&t, b->used)) != MP_OKAY) {
  ------------------
  |  |  161|  6.92k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (12:8): [True: 0, False: 6.92k]
  ------------------
   13|      0|      return err;
   14|      0|   }
   15|       |
   16|  6.92k|   if ((err = mp_div(a, b, NULL, &t)) != MP_OKAY) {
  ------------------
  |  |  161|  6.92k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (16:8): [True: 0, False: 6.92k]
  ------------------
   17|      0|      goto LBL_ERR;
   18|      0|   }
   19|       |
   20|  6.92k|   if (MP_IS_ZERO(&t) || (t.sign == b->sign)) {
  ------------------
  |  |  163|  13.8k|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 555, False: 6.37k]
  |  |  ------------------
  ------------------
  |  Branch (20:26): [True: 6.36k, False: 7]
  ------------------
   21|  6.92k|      err = MP_OKAY;
  ------------------
  |  |  161|  6.92k|#define MP_OKAY       0   /* no error */
  ------------------
   22|  6.92k|      mp_exch(&t, c);
   23|  6.92k|   } else {
   24|      7|      err = mp_add(b, &t, c);
   25|      7|   }
   26|       |
   27|  6.92k|LBL_ERR:
   28|  6.92k|   mp_clear(&t);
   29|  6.92k|   return err;
   30|  6.92k|}

mp_mod_2d:
    8|  5.65M|{
    9|  5.65M|   int x;
   10|  5.65M|   mp_err err;
   11|       |
   12|       |   /* if b is <= 0 then zero the int */
   13|  5.65M|   if (b <= 0) {
  ------------------
  |  Branch (13:8): [True: 0, False: 5.65M]
  ------------------
   14|      0|      mp_zero(c);
   15|      0|      return MP_OKAY;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
   16|      0|   }
   17|       |
   18|       |   /* if the modulus is larger than the value then return */
   19|  5.65M|   if (b >= (a->used * MP_DIGIT_BIT)) {
  ------------------
  |  |   82|  5.65M|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (19:8): [True: 18.3k, False: 5.63M]
  ------------------
   20|  18.3k|      return mp_copy(a, c);
   21|  18.3k|   }
   22|       |
   23|       |   /* copy */
   24|  5.63M|   if ((err = mp_copy(a, c)) != MP_OKAY) {
  ------------------
  |  |  161|  5.63M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (24:8): [True: 0, False: 5.63M]
  ------------------
   25|      0|      return err;
   26|      0|   }
   27|       |
   28|       |   /* zero digits above the last digit of the modulus */
   29|  5.63M|   x = (b / MP_DIGIT_BIT) + (((b % MP_DIGIT_BIT) == 0) ? 0 : 1);
  ------------------
  |  |   82|  5.63M|#   define MP_DIGIT_BIT 60
  ------------------
                 x = (b / MP_DIGIT_BIT) + (((b % MP_DIGIT_BIT) == 0) ? 0 : 1);
  ------------------
  |  |   82|  5.63M|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (29:30): [True: 184k, False: 5.45M]
  ------------------
   30|  5.63M|   MP_ZERO_DIGITS(c->dp + x, c->used - x);
  ------------------
  |  |   89|  5.63M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  5.63M|do {                                                    \
  |  |   91|  5.63M|   int zd_ = (digits);                                  \
  |  |   92|  5.63M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  51.7M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 46.1M, False: 5.63M]
  |  |  ------------------
  |  |   94|  46.1M|      *zm_++ = 0;                                       \
  |  |   95|  46.1M|   }                                                    \
  |  |   96|  5.63M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 5.63M]
  |  |  ------------------
  ------------------
   31|       |
   32|       |   /* clear the digit that is not completely outside/inside the modulus */
   33|  5.63M|   c->dp[b / MP_DIGIT_BIT] &=
  ------------------
  |  |   82|  5.63M|#   define MP_DIGIT_BIT 60
  ------------------
   34|  5.63M|      ((mp_digit)1 << (mp_digit)(b % MP_DIGIT_BIT)) - (mp_digit)1;
  ------------------
  |  |   82|  5.63M|#   define MP_DIGIT_BIT 60
  ------------------
   35|  5.63M|   mp_clamp(c);
   36|  5.63M|   return MP_OKAY;
  ------------------
  |  |  161|  5.63M|#define MP_OKAY       0   /* no error */
  ------------------
   37|  5.63M|}

mp_montgomery_calc_normalization:
   13|  3.11k|{
   14|  3.11k|   int    x, bits;
   15|  3.11k|   mp_err err;
   16|       |
   17|       |   /* how many bits of last digit does b use */
   18|  3.11k|   bits = mp_count_bits(b) % MP_DIGIT_BIT;
  ------------------
  |  |   82|  3.11k|#   define MP_DIGIT_BIT 60
  ------------------
   19|       |
   20|  3.11k|   if (b->used > 1) {
  ------------------
  |  Branch (20:8): [True: 3.11k, False: 0]
  ------------------
   21|  3.11k|      if ((err = mp_2expt(a, ((b->used - 1) * MP_DIGIT_BIT) + bits - 1)) != MP_OKAY) {
  ------------------
  |  |   82|  3.11k|#   define MP_DIGIT_BIT 60
  ------------------
                    if ((err = mp_2expt(a, ((b->used - 1) * MP_DIGIT_BIT) + bits - 1)) != MP_OKAY) {
  ------------------
  |  |  161|  3.11k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (21:11): [True: 0, False: 3.11k]
  ------------------
   22|      0|         return err;
   23|      0|      }
   24|  3.11k|   } else {
   25|      0|      mp_set(a, 1uL);
   26|      0|      bits = 1;
   27|      0|   }
   28|       |
   29|       |
   30|       |   /* now compute C = A * B mod b */
   31|   147k|   for (x = bits - 1; x < (int)MP_DIGIT_BIT; x++) {
  ------------------
  |  |   82|   147k|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (31:23): [True: 143k, False: 3.11k]
  ------------------
   32|   143k|      if ((err = mp_mul_2(a, a)) != MP_OKAY) {
  ------------------
  |  |  161|   143k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (32:11): [True: 0, False: 143k]
  ------------------
   33|      0|         return err;
   34|      0|      }
   35|   143k|      if (mp_cmp_mag(a, b) != MP_LT) {
  ------------------
  |  |  154|   143k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (35:11): [True: 10.0k, False: 133k]
  ------------------
   36|  10.0k|         if ((err = s_mp_sub(a, b, a)) != MP_OKAY) {
  ------------------
  |  |  161|  10.0k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (36:14): [True: 0, False: 10.0k]
  ------------------
   37|      0|            return err;
   38|      0|         }
   39|  10.0k|      }
   40|   143k|   }
   41|       |
   42|  3.11k|   return MP_OKAY;
  ------------------
  |  |  161|  3.11k|#define MP_OKAY       0   /* no error */
  ------------------
   43|  3.11k|}

mp_montgomery_reduce:
    8|  8.54M|{
    9|  8.54M|   int      ix, digs;
   10|  8.54M|   mp_err   err;
   11|  8.54M|   mp_digit mu;
   12|       |
   13|       |   /* can the fast reduction [comba] method be used?
   14|       |    *
   15|       |    * Note that unlike in mul you're safely allowed *less*
   16|       |    * than the available columns [255 per default] since carries
   17|       |    * are fixed up in the inner loop.
   18|       |    */
   19|  8.54M|   digs = (n->used * 2) + 1;
   20|  8.54M|   if ((digs < MP_WARRAY) &&
  ------------------
  |  |  172|  8.54M|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  8.54M|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  8.54M|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (20:8): [True: 8.54M, False: 0]
  ------------------
   21|  8.54M|       (x->used <= MP_WARRAY) &&
  ------------------
  |  |  172|  8.54M|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  8.54M|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  8.54M|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (21:8): [True: 8.54M, False: 0]
  ------------------
   22|  8.54M|       (n->used < MP_MAXFAST)) {
  ------------------
  |  |  168|  8.54M|#define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |  167|  8.54M|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  |  |  ------------------
  |  |               #define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |   82|  8.54M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (22:8): [True: 8.54M, False: 0]
  ------------------
   23|  8.54M|      return s_mp_montgomery_reduce_fast(x, n, rho);
   24|  8.54M|   }
   25|       |
   26|       |   /* grow the input as required */
   27|      0|   if (x->alloc < digs) {
  ------------------
  |  Branch (27:8): [True: 0, False: 0]
  ------------------
   28|      0|      if ((err = mp_grow(x, digs)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (28:11): [True: 0, False: 0]
  ------------------
   29|      0|         return err;
   30|      0|      }
   31|      0|   }
   32|      0|   x->used = digs;
   33|       |
   34|      0|   for (ix = 0; ix < n->used; ix++) {
  ------------------
  |  Branch (34:17): [True: 0, False: 0]
  ------------------
   35|       |      /* mu = ai * rho mod b
   36|       |       *
   37|       |       * The value of rho must be precalculated via
   38|       |       * montgomery_setup() such that
   39|       |       * it equals -1/n0 mod b this allows the
   40|       |       * following inner loop to reduce the
   41|       |       * input one digit at a time
   42|       |       */
   43|      0|      mu = (mp_digit)(((mp_word)x->dp[ix] * (mp_word)rho) & MP_MASK);
  ------------------
  |  |  106|      0|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|      0|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   44|       |
   45|       |      /* a = a + mu * m * b**i */
   46|      0|      {
   47|      0|         int iy;
   48|      0|         mp_digit *tmpn, *tmpx, u;
   49|      0|         mp_word r;
   50|       |
   51|       |         /* alias for digits of the modulus */
   52|      0|         tmpn = n->dp;
   53|       |
   54|       |         /* alias for the digits of x [the input] */
   55|      0|         tmpx = x->dp + ix;
   56|       |
   57|       |         /* set the carry to zero */
   58|      0|         u = 0;
   59|       |
   60|       |         /* Multiply and add in place */
   61|      0|         for (iy = 0; iy < n->used; iy++) {
  ------------------
  |  Branch (61:23): [True: 0, False: 0]
  ------------------
   62|       |            /* compute product and sum */
   63|      0|            r       = ((mp_word)mu * (mp_word)*tmpn++) +
   64|      0|                      (mp_word)u + (mp_word)*tmpx;
   65|       |
   66|       |            /* get carry */
   67|      0|            u       = (mp_digit)(r >> (mp_word)MP_DIGIT_BIT);
  ------------------
  |  |   82|      0|#   define MP_DIGIT_BIT 60
  ------------------
   68|       |
   69|       |            /* fix digit */
   70|      0|            *tmpx++ = (mp_digit)(r & (mp_word)MP_MASK);
  ------------------
  |  |  106|      0|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|      0|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   71|      0|         }
   72|       |         /* At this point the ix'th digit of x should be zero */
   73|       |
   74|       |
   75|       |         /* propagate carries upwards as required */
   76|      0|         while (u != 0u) {
  ------------------
  |  Branch (76:17): [True: 0, False: 0]
  ------------------
   77|      0|            *tmpx   += u;
   78|      0|            u        = *tmpx >> MP_DIGIT_BIT;
  ------------------
  |  |   82|      0|#   define MP_DIGIT_BIT 60
  ------------------
   79|      0|            *tmpx++ &= MP_MASK;
  ------------------
  |  |  106|      0|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|      0|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   80|      0|         }
   81|      0|      }
   82|      0|   }
   83|       |
   84|       |   /* at this point the n.used least
   85|       |    * significant digits of x are all zero
   86|       |    * which means we can shift x to the
   87|       |    * right by n.used digits and the
   88|       |    * residue is unchanged.
   89|       |    */
   90|       |
   91|       |   /* x = x/b**n.used */
   92|      0|   mp_clamp(x);
   93|      0|   mp_rshd(x, n->used);
   94|       |
   95|       |   /* if x >= n then x = x - n */
   96|      0|   if (mp_cmp_mag(x, n) != MP_LT) {
  ------------------
  |  |  154|      0|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (96:8): [True: 0, False: 0]
  ------------------
   97|      0|      return s_mp_sub(x, n, x);
   98|      0|   }
   99|       |
  100|      0|   return MP_OKAY;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  101|      0|}

mp_montgomery_setup:
    8|  3.11k|{
    9|  3.11k|   mp_digit x, b;
   10|       |
   11|       |   /* fast inversion mod 2**k
   12|       |    *
   13|       |    * Based on the fact that
   14|       |    *
   15|       |    * XA = 1 (mod 2**n)  =>  (X(2-XA)) A = 1 (mod 2**2n)
   16|       |    *                    =>  2*X*A - X*X*A*A = 1
   17|       |    *                    =>  2*(1) - (1)     = 1
   18|       |    */
   19|  3.11k|   b = n->dp[0];
   20|       |
   21|  3.11k|   if ((b & 1u) == 0u) {
  ------------------
  |  Branch (21:8): [True: 0, False: 3.11k]
  ------------------
   22|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   23|      0|   }
   24|       |
   25|  3.11k|   x = (((b + 2u) & 4u) << 1) + b; /* here x*a==1 mod 2**4 */
   26|  3.11k|   x *= 2u - (b * x);              /* here x*a==1 mod 2**8 */
   27|  3.11k|#if !defined(MP_8BIT)
   28|  3.11k|   x *= 2u - (b * x);              /* here x*a==1 mod 2**16 */
   29|  3.11k|#endif
   30|  3.11k|#if defined(MP_64BIT) || !(defined(MP_8BIT) || defined(MP_16BIT))
   31|  3.11k|   x *= 2u - (b * x);              /* here x*a==1 mod 2**32 */
   32|  3.11k|#endif
   33|  3.11k|#ifdef MP_64BIT
   34|  3.11k|   x *= 2u - (b * x);              /* here x*a==1 mod 2**64 */
   35|  3.11k|#endif
   36|       |
   37|       |   /* rho = -1/m mod b */
   38|  3.11k|   *rho = (mp_digit)(((mp_word)1 << (mp_word)MP_DIGIT_BIT) - x) & MP_MASK;
  ------------------
  |  |   82|  3.11k|#   define MP_DIGIT_BIT 60
  ------------------
                 *rho = (mp_digit)(((mp_word)1 << (mp_word)MP_DIGIT_BIT) - x) & MP_MASK;
  ------------------
  |  |  106|  3.11k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  3.11k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   39|       |
   40|  3.11k|   return MP_OKAY;
  ------------------
  |  |  161|  3.11k|#define MP_OKAY       0   /* no error */
  ------------------
   41|  3.11k|}

mp_mul:
    8|  11.9M|{
    9|  11.9M|   mp_err err;
   10|  11.9M|   int min_len = MP_MIN(a->used, b->used),
  ------------------
  |  |  156|  11.9M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 5.61M, False: 6.37M]
  |  |  ------------------
  ------------------
   11|  11.9M|       max_len = MP_MAX(a->used, b->used),
  ------------------
  |  |  157|  11.9M|#define MP_MAX(x, y) (((x) > (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (157:23): [True: 111k, False: 11.8M]
  |  |  ------------------
  ------------------
   12|  11.9M|       digs = a->used + b->used + 1;
   13|  11.9M|   mp_sign neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
  ------------------
  |  |  151|  11.9M|#define MP_ZPOS       0   /* positive integer */
  ------------------
                 mp_sign neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
  ------------------
  |  |  152|      0|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (13:18): [True: 11.9M, False: 0]
  ------------------
   14|       |
   15|  11.9M|   if (MP_HAS(S_MP_BALANCE_MUL) &&
  ------------------
  |  |  150|  23.9M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  11.9M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  11.9M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 11.9M, Folded]
  |  |  ------------------
  ------------------
   16|       |       /* Check sizes. The smaller one needs to be larger than the Karatsuba cut-off.
   17|       |        * The bigger one needs to be at least about one MP_KARATSUBA_MUL_CUTOFF bigger
   18|       |        * to make some sense, but it depends on architecture, OS, position of the
   19|       |        * stars... so YMMV.
   20|       |        * Using it to cut the input into slices small enough for fast_s_mp_mul_digs
   21|       |        * was actually slower on the author's machine, but YMMV.
   22|       |        */
   23|  11.9M|       (min_len >= MP_KARATSUBA_MUL_CUTOFF) &&
  ------------------
  |  |  121|  11.9M|#  define MP_KARATSUBA_MUL_CUTOFF KARATSUBA_MUL_CUTOFF
  ------------------
  |  Branch (23:8): [True: 0, False: 11.9M]
  ------------------
   24|      0|       ((max_len / 2) >= MP_KARATSUBA_MUL_CUTOFF) &&
  ------------------
  |  |  121|      0|#  define MP_KARATSUBA_MUL_CUTOFF KARATSUBA_MUL_CUTOFF
  ------------------
  |  Branch (24:8): [True: 0, False: 0]
  ------------------
   25|       |       /* Not much effect was observed below a ratio of 1:2, but again: YMMV. */
   26|      0|       (max_len >= (2 * min_len))) {
  ------------------
  |  Branch (26:8): [True: 0, False: 0]
  ------------------
   27|      0|      err = s_mp_balance_mul(a,b,c);
   28|  11.9M|   } else if (MP_HAS(S_MP_TOOM_MUL) &&
  ------------------
  |  |  150|  23.9M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  11.9M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  11.9M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [Folded, False: 11.9M]
  |  |  ------------------
  ------------------
   29|      0|              (min_len >= MP_TOOM_MUL_CUTOFF)) {
  ------------------
  |  |  123|      0|#  define MP_TOOM_MUL_CUTOFF      TOOM_MUL_CUTOFF
  ------------------
  |  Branch (29:15): [True: 0, False: 0]
  ------------------
   30|      0|      err = s_mp_toom_mul(a, b, c);
   31|  11.9M|   } else if (MP_HAS(S_MP_KARATSUBA_MUL) &&
  ------------------
  |  |  150|  23.9M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  11.9M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  11.9M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [Folded, False: 11.9M]
  |  |  ------------------
  ------------------
   32|      0|              (min_len >= MP_KARATSUBA_MUL_CUTOFF)) {
  ------------------
  |  |  121|      0|#  define MP_KARATSUBA_MUL_CUTOFF KARATSUBA_MUL_CUTOFF
  ------------------
  |  Branch (32:15): [True: 0, False: 0]
  ------------------
   33|      0|      err = s_mp_karatsuba_mul(a, b, c);
   34|  11.9M|   } else if (MP_HAS(S_MP_MUL_DIGS_FAST) &&
  ------------------
  |  |  150|  23.9M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  11.9M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  11.9M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 11.9M, Folded]
  |  |  ------------------
  ------------------
   35|       |              /* can we use the fast multiplier?
   36|       |               *
   37|       |               * The fast multiplier can be used if the output will
   38|       |               * have less than MP_WARRAY digits and the number of
   39|       |               * digits won't affect carry propagation
   40|       |               */
   41|  11.9M|              (digs < MP_WARRAY) &&
  ------------------
  |  |  172|  11.9M|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  11.9M|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  11.9M|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (41:15): [True: 11.9M, False: 0]
  ------------------
   42|  11.9M|              (min_len <= MP_MAXFAST)) {
  ------------------
  |  |  168|  11.9M|#define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |  167|  11.9M|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  |  |  ------------------
  |  |               #define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |   82|  11.9M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (42:15): [True: 11.9M, False: 0]
  ------------------
   43|  11.9M|      err = s_mp_mul_digs_fast(a, b, c, digs);
   44|  11.9M|   } else if (MP_HAS(S_MP_MUL_DIGS)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
   45|      0|      err = s_mp_mul_digs(a, b, c, digs);
   46|      0|   } else {
   47|      0|      err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   48|      0|   }
   49|  11.9M|   c->sign = (c->used > 0) ? neg : MP_ZPOS;
  ------------------
  |  |  151|  12.0M|#define MP_ZPOS       0   /* positive integer */
  ------------------
  |  Branch (49:14): [True: 11.9M, False: 16.8k]
  ------------------
   50|  11.9M|   return err;
   51|  11.9M|}

mp_mul_2:
    8|   143k|{
    9|   143k|   int     x, oldused;
   10|   143k|   mp_err err;
   11|       |
   12|       |   /* grow to accommodate result */
   13|   143k|   if (b->alloc < (a->used + 1)) {
  ------------------
  |  Branch (13:8): [True: 0, False: 143k]
  ------------------
   14|      0|      if ((err = mp_grow(b, a->used + 1)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (14:11): [True: 0, False: 0]
  ------------------
   15|      0|         return err;
   16|      0|      }
   17|      0|   }
   18|       |
   19|   143k|   oldused = b->used;
   20|   143k|   b->used = a->used;
   21|       |
   22|   143k|   {
   23|   143k|      mp_digit r, rr, *tmpa, *tmpb;
   24|       |
   25|       |      /* alias for source */
   26|   143k|      tmpa = a->dp;
   27|       |
   28|       |      /* alias for dest */
   29|   143k|      tmpb = b->dp;
   30|       |
   31|       |      /* carry */
   32|   143k|      r = 0;
   33|  4.20M|      for (x = 0; x < a->used; x++) {
  ------------------
  |  Branch (33:19): [True: 4.05M, False: 143k]
  ------------------
   34|       |
   35|       |         /* get what will be the *next* carry bit from the
   36|       |          * MSB of the current digit
   37|       |          */
   38|  4.05M|         rr = *tmpa >> (mp_digit)(MP_DIGIT_BIT - 1);
  ------------------
  |  |   82|  4.05M|#   define MP_DIGIT_BIT 60
  ------------------
   39|       |
   40|       |         /* now shift up this digit, add in the carry [from the previous] */
   41|  4.05M|         *tmpb++ = ((*tmpa++ << 1uL) | r) & MP_MASK;
  ------------------
  |  |  106|  4.05M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  4.05M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   42|       |
   43|       |         /* copy the carry that would be from the source
   44|       |          * digit into the next iteration
   45|       |          */
   46|  4.05M|         r = rr;
   47|  4.05M|      }
   48|       |
   49|       |      /* new leading digit? */
   50|   143k|      if (r != 0u) {
  ------------------
  |  Branch (50:11): [True: 1.09k, False: 142k]
  ------------------
   51|       |         /* add a MSB which is always 1 at this point */
   52|  1.09k|         *tmpb = 1;
   53|  1.09k|         ++(b->used);
   54|  1.09k|      }
   55|       |
   56|       |      /* now zero any excess digits on the destination
   57|       |       * that we didn't write to
   58|       |       */
   59|   143k|      MP_ZERO_DIGITS(b->dp + b->used, oldused - b->used);
  ------------------
  |  |   89|   143k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|   143k|do {                                                    \
  |  |   91|   143k|   int zd_ = (digits);                                  \
  |  |   92|   143k|   mp_digit* zm_ = (mem);                               \
  |  |   93|   143k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 143k]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|   143k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 143k]
  |  |  ------------------
  ------------------
   60|   143k|   }
   61|   143k|   b->sign = a->sign;
   62|   143k|   return MP_OKAY;
  ------------------
  |  |  161|   143k|#define MP_OKAY       0   /* no error */
  ------------------
   63|   143k|}

mp_mul_2d:
    8|  1.54M|{
    9|  1.54M|   mp_digit d;
   10|  1.54M|   mp_err   err;
   11|       |
   12|  1.54M|   if (b < 0) {
  ------------------
  |  Branch (12:8): [True: 0, False: 1.54M]
  ------------------
   13|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   14|      0|   }
   15|       |
   16|       |   /* copy */
   17|  1.54M|   if (a != c) {
  ------------------
  |  Branch (17:8): [True: 0, False: 1.54M]
  ------------------
   18|      0|      if ((err = mp_copy(a, c)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (18:11): [True: 0, False: 0]
  ------------------
   19|      0|         return err;
   20|      0|      }
   21|      0|   }
   22|       |
   23|  1.54M|   if (c->alloc < (c->used + (b / MP_DIGIT_BIT) + 1)) {
  ------------------
  |  |   82|  1.54M|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (23:8): [True: 67.7k, False: 1.47M]
  ------------------
   24|  67.7k|      if ((err = mp_grow(c, c->used + (b / MP_DIGIT_BIT) + 1)) != MP_OKAY) {
  ------------------
  |  |   82|  67.7k|#   define MP_DIGIT_BIT 60
  ------------------
                    if ((err = mp_grow(c, c->used + (b / MP_DIGIT_BIT) + 1)) != MP_OKAY) {
  ------------------
  |  |  161|  67.7k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (24:11): [True: 0, False: 67.7k]
  ------------------
   25|      0|         return err;
   26|      0|      }
   27|  67.7k|   }
   28|       |
   29|       |   /* shift by as many digits in the bit count */
   30|  1.54M|   if (b >= MP_DIGIT_BIT) {
  ------------------
  |  |   82|  1.54M|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (30:8): [True: 0, False: 1.54M]
  ------------------
   31|      0|      if ((err = mp_lshd(c, b / MP_DIGIT_BIT)) != MP_OKAY) {
  ------------------
  |  |   82|      0|#   define MP_DIGIT_BIT 60
  ------------------
                    if ((err = mp_lshd(c, b / MP_DIGIT_BIT)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (31:11): [True: 0, False: 0]
  ------------------
   32|      0|         return err;
   33|      0|      }
   34|      0|   }
   35|       |
   36|       |   /* shift any bit count < MP_DIGIT_BIT */
   37|  1.54M|   d = (mp_digit)(b % MP_DIGIT_BIT);
  ------------------
  |  |   82|  1.54M|#   define MP_DIGIT_BIT 60
  ------------------
   38|  1.54M|   if (d != 0u) {
  ------------------
  |  Branch (38:8): [True: 1.54M, False: 0]
  ------------------
   39|  1.54M|      mp_digit *tmpc, shift, mask, r, rr;
   40|  1.54M|      int x;
   41|       |
   42|       |      /* bitmask for carries */
   43|  1.54M|      mask = ((mp_digit)1 << d) - (mp_digit)1;
   44|       |
   45|       |      /* shift for msbs */
   46|  1.54M|      shift = (mp_digit)MP_DIGIT_BIT - d;
  ------------------
  |  |   82|  1.54M|#   define MP_DIGIT_BIT 60
  ------------------
   47|       |
   48|       |      /* alias */
   49|  1.54M|      tmpc = c->dp;
   50|       |
   51|       |      /* carry */
   52|  1.54M|      r    = 0;
   53|   525M|      for (x = 0; x < c->used; x++) {
  ------------------
  |  Branch (53:19): [True: 524M, False: 1.54M]
  ------------------
   54|       |         /* get the higher bits of the current word */
   55|   524M|         rr = (*tmpc >> shift) & mask;
   56|       |
   57|       |         /* shift the current word and OR in the carry */
   58|   524M|         *tmpc = ((*tmpc << d) | r) & MP_MASK;
  ------------------
  |  |  106|   524M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   524M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   59|   524M|         ++tmpc;
   60|       |
   61|       |         /* set the carry to the carry bits of the current word */
   62|   524M|         r = rr;
   63|   524M|      }
   64|       |
   65|       |      /* set final carry */
   66|  1.54M|      if (r != 0u) {
  ------------------
  |  Branch (66:11): [True: 3.15k, False: 1.53M]
  ------------------
   67|  3.15k|         c->dp[(c->used)++] = r;
   68|  3.15k|      }
   69|  1.54M|   }
   70|  1.54M|   mp_clamp(c);
   71|  1.54M|   return MP_OKAY;
  ------------------
  |  |  161|  1.54M|#define MP_OKAY       0   /* no error */
  ------------------
   72|  1.54M|}

mp_mul_d:
              /* mp_mul_d: c = a * b, where b is used as a single digit (the signature
               * is not part of this listing; names are taken from the body).
               * c is grown to a->used + 1 digits first so the final carry has a slot.
               * Coverage: the mp_grow failure return (line 17) was never taken in this
               * run, so the allocation-failure path is not exercised by this corpus.
               */
    8|   438k|{
    9|   438k|   mp_digit u, *tmpa, *tmpc;
   10|   438k|   mp_word  r;
   11|   438k|   mp_err   err;
   12|   438k|   int      ix, olduse;
   13|       |
   14|       |   /* make sure c is big enough to hold a*b */
   15|   438k|   if (c->alloc < (a->used + 1)) {
  ------------------
  |  Branch (15:8): [True: 824, False: 437k]
  ------------------
   16|    824|      if ((err = mp_grow(c, a->used + 1)) != MP_OKAY) {
  ------------------
  |  |  161|    824|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (16:11): [True: 0, False: 824]
  ------------------
   17|      0|         return err;
   18|      0|      }
   19|    824|   }
   20|       |
   21|       |   /* get the original destinations used count */
   22|   438k|   olduse = c->used;
   23|       |
   24|       |   /* set the sign */
   25|   438k|   c->sign = a->sign;
   26|       |
   27|       |   /* alias for a->dp [source] */
   28|   438k|   tmpa = a->dp;
   29|       |
   30|       |   /* alias for c->dp [dest] */
   31|   438k|   tmpc = c->dp;
   32|       |
   33|       |   /* zero carry */
   34|   438k|   u = 0;
   35|       |
   36|       |   /* compute columns */
   37|  2.52M|   for (ix = 0; ix < a->used; ix++) {
  ------------------
  |  Branch (37:17): [True: 2.08M, False: 438k]
  ------------------
   38|       |      /* compute product and carry sum for this term */
   39|  2.08M|      r       = (mp_word)u + ((mp_word)*tmpa++ * (mp_word)b);
   40|       |
   41|       |      /* mask off higher bits to get a single digit */
   42|  2.08M|      *tmpc++ = (mp_digit)(r & (mp_word)MP_MASK);
  ------------------
  |  |  106|  2.08M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  2.08M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   43|       |
   44|       |      /* send carry into next iteration */
   45|  2.08M|      u       = (mp_digit)(r >> (mp_word)MP_DIGIT_BIT);
  ------------------
  |  |   82|  2.08M|#   define MP_DIGIT_BIT 60
  ------------------
   46|  2.08M|   }
   47|       |
   48|       |   /* store final carry [if any] and increment ix offset  */
   49|   438k|   *tmpc++ = u;
   50|   438k|   ++ix;
   51|       |
   52|       |   /* now zero digits above the top */
                 /* Clears digits left over from c's previous value. In this run the
                  * macro's loop body never executed (count 0 on macro line 94), i.e.
                  * olduse never exceeded a->used + 1, so the stale-digit clearing is
                  * untested by this corpus.
                  */
   53|   438k|   MP_ZERO_DIGITS(tmpc, olduse - ix);
  ------------------
  |  |   89|   438k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|   438k|do {                                                    \
  |  |   91|   438k|   int zd_ = (digits);                                  \
  |  |   92|   438k|   mp_digit* zm_ = (mem);                               \
  |  |   93|   438k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 438k]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|   438k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 438k]
  |  |  ------------------
  ------------------
   54|       |
   55|       |   /* set used count */
   56|   438k|   c->used = a->used + 1;
   57|   438k|   mp_clamp(c);
   58|       |
   59|   438k|   return MP_OKAY;
  ------------------
  |  |  161|   438k|#define MP_OKAY       0   /* no error */
  ------------------
   60|   438k|}

mp_mulmod:
              /* mp_mulmod: d = (a * b) mod c, computed through the temporary t, which
               * is initialised with c->used digits (signature not shown in this listing).
               * Once mp_init_size has succeeded, t is released at LBL_ERR on both the
               * success and the failure path.
               * Coverage: neither failure branch (lines 13 and 17) ran in this run.
               */
    8|  5.12k|{
    9|  5.12k|   mp_err err;
   10|  5.12k|   mp_int t;
   11|       |
   12|  5.12k|   if ((err = mp_init_size(&t, c->used)) != MP_OKAY) {
  ------------------
  |  |  161|  5.12k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (12:8): [True: 0, False: 5.12k]
  ------------------
   13|      0|      return err;
   14|      0|   }
   15|       |
   16|  5.12k|   if ((err = mp_mul(a, b, &t)) != MP_OKAY) {
  ------------------
  |  |  161|  5.12k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (16:8): [True: 0, False: 5.12k]
  ------------------
   17|      0|      goto LBL_ERR;
   18|      0|   }
   19|  5.12k|   err = mp_mod(&t, c, d);
   20|       |
   21|  5.12k|LBL_ERR:
   22|  5.12k|   mp_clear(&t);
   23|  5.12k|   return err;
   24|  5.12k|}

mp_rand_source:
              /* mp_rand_source: stores the caller-supplied source in s_mp_rand_source
               * without any validation (signature not shown in this listing).
               * NOTE(review): per the comment below, a NULL source is stored as-is
               * instead of falling back to a platform source. Whether the code that
               * later uses s_mp_rand_source checks for NULL is not visible here;
               * confirm before relying on it. Called once in this run.
               */
   10|      1|{
   11|       |   /* Dropbear, don't reset to platform if source==NULL */
   12|      1|   s_mp_rand_source = source;
   13|      1|}

mp_read_radix:
              /* mp_read_radix: parses the string str in the given radix (2..64) into
               * a; a leading '-' selects a negative sign (signature not shown in this
               * listing). Parsing stops at the first character that is not a valid
               * digit for the radix; unless that character is '\0', '\r' or '\n',
               * a is zeroed and MP_VAL is returned.
               * Coverage: none of the rejection paths executed in this run: the
               * radix check (line 22), both breaks (lines 47 and 56) and the MP_VAL
               * return (lines 69-70). The '-' branch and the lower-case arm of
               * MP_TOUPPER were not reached either. The input-validation logic of this
               * parser is therefore unverified by this corpus.
               */
   10|  3.12k|{
   11|  3.12k|   mp_err   err;
   12|  3.12k|   int      y;
   13|  3.12k|   mp_sign  neg;
   14|  3.12k|   unsigned pos;
   15|  3.12k|   char     ch;
   16|       |
   17|       |   /* zero the digit bignum */
   18|  3.12k|   mp_zero(a);
   19|       |
   20|       |   /* make sure the radix is ok */
   21|  3.12k|   if ((radix < 2) || (radix > 64)) {
  ------------------
  |  Branch (21:8): [True: 0, False: 3.12k]
  |  Branch (21:23): [True: 0, False: 3.12k]
  ------------------
   22|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   23|      0|   }
   24|       |
   25|       |   /* if the leading digit is a
   26|       |    * minus set the sign to negative.
   27|       |    */
   28|  3.12k|   if (*str == '-') {
  ------------------
  |  Branch (28:8): [True: 0, False: 3.12k]
  ------------------
   29|      0|      ++str;
   30|      0|      neg = MP_NEG;
  ------------------
  |  |  152|      0|#define MP_NEG        1   /* negative */
  ------------------
   31|  3.12k|   } else {
   32|  3.12k|      neg = MP_ZPOS;
  ------------------
  |  |  151|  3.12k|#define MP_ZPOS       0   /* positive integer */
  ------------------
   33|  3.12k|   }
   34|       |
   35|       |   /* set the integer to the default of zero */
   36|  3.12k|   mp_zero(a);
   37|       |
   38|       |   /* process each digit of the string */
   39|   370k|   while (*str != '\0') {
  ------------------
  |  Branch (39:11): [True: 367k, False: 3.12k]
  ------------------
   40|       |      /* if the radix <= 36 the conversion is case insensitive
   41|       |       * this allows numbers like 1AB and 1ab to represent the same  value
   42|       |       * [e.g. in hex]
   43|       |       */
   44|   367k|      ch = (radix <= 36) ? (char)MP_TOUPPER((int)*str) : *str;
  ------------------
  |  |    6|   367k|#define MP_TOUPPER(c) ((((c) >= 'a') && ((c) <= 'z')) ? (((c) + 'A') - 'a') : (c))
  |  |  ------------------
  |  |  |  Branch (6:25): [True: 0, False: 367k]
  |  |  |  Branch (6:41): [True: 0, False: 0]
  |  |  ------------------
  ------------------
  |  Branch (44:12): [True: 367k, False: 0]
  ------------------
                    /* ch is a plain char: a character below '(' gives a negative
                     * difference, which the cast turns into a large unsigned value, so
                     * the size comparison below rejects those characters as well.
                     */
   45|   367k|      pos = (unsigned)(ch - '(');
                    /* NOTE(review): this comparison lets pos == mp_s_rmap_reverse_sz
                     * through. If mp_s_rmap_reverse_sz is the element count of
                     * mp_s_rmap_reverse (its definition is not in this listing;
                     * confirm), the lookup on line 49 then reads one element past the
                     * end of the table; `mp_s_rmap_reverse_sz <= pos` would close the
                     * gap. The break was never taken in this run, so the boundary is
                     * untested.
                     */
   46|   367k|      if (mp_s_rmap_reverse_sz < pos) {
  ------------------
  |  Branch (46:11): [True: 0, False: 367k]
  ------------------
   47|      0|         break;
   48|      0|      }
   49|   367k|      y = (int)mp_s_rmap_reverse[pos];
   50|       |
   51|       |      /* if the char was found in the map
   52|       |       * and is less than the given radix add it
   53|       |       * to the number, otherwise exit the loop.
   54|       |       */
   55|   367k|      if ((y == 0xff) || (y >= radix)) {
  ------------------
  |  Branch (55:11): [True: 0, False: 367k]
  |  Branch (55:26): [True: 0, False: 367k]
  ------------------
   56|      0|         break;
   57|      0|      }
   58|   367k|      if ((err = mp_mul_d(a, (mp_digit)radix, a)) != MP_OKAY) {
  ------------------
  |  |  161|   367k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (58:11): [True: 0, False: 367k]
  ------------------
   59|      0|         return err;
   60|      0|      }
   61|   367k|      if ((err = mp_add_d(a, (mp_digit)y, a)) != MP_OKAY) {
  ------------------
  |  |  161|   367k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (61:11): [True: 0, False: 367k]
  ------------------
   62|      0|         return err;
   63|      0|      }
   64|   367k|      ++str;
   65|   367k|   }
   66|       |
   67|       |   /* if an illegal character was found, fail. */
   68|  3.12k|   if (!((*str == '\0') || (*str == '\r') || (*str == '\n'))) {
  ------------------
  |  Branch (68:10): [True: 3.12k, False: 0]
  |  Branch (68:28): [True: 0, False: 0]
  |  Branch (68:46): [True: 0, False: 0]
  ------------------
   69|      0|      mp_zero(a);
   70|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   71|      0|   }
   72|       |
   73|       |   /* set the sign only if a != 0 */
   74|  3.12k|   if (!MP_IS_ZERO(a)) {
  ------------------
  |  |  163|  3.12k|#define MP_IS_ZERO(a) ((a)->used == 0)
  ------------------
  |  Branch (74:8): [True: 3.12k, False: 0]
  ------------------
   75|  3.12k|      a->sign = neg;
   76|  3.12k|   }
   77|  3.12k|   return MP_OKAY;
  ------------------
  |  |  161|  3.12k|#define MP_OKAY       0   /* no error */
  ------------------
   78|  3.12k|}

mp_reduce:
              /* mp_reduce: reduces x modulo m in place using the precomputed value mu
               * (presumably the output of mp_reduce_setup; confirm at the call site).
               * The inline comments follow the q1/q2/q3 steps they attribute to HAC.
               * The signature is not shown in this listing. q is a scratch copy of x
               * and is released at CLEANUP on every path after mp_init_copy succeeds.
               * Coverage: only the s_mp_mul_high_digs branch ran; the mp_mul branch,
               * the s_mp_mul_high_digs_fast branch, the MP_VAL fallback and every
               * error goto have count 0 in this run.
               */
   11|  27.1k|{
   12|  27.1k|   mp_int  q;
   13|  27.1k|   mp_err  err;
   14|  27.1k|   int     um = m->used;
   15|       |
   16|       |   /* q = x */
   17|  27.1k|   if ((err = mp_init_copy(&q, x)) != MP_OKAY) {
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (17:8): [True: 0, False: 27.1k]
  ------------------
   18|      0|      return err;
   19|      0|   }
   20|       |
   21|       |   /* q1 = x / b**(k-1)  */
   22|  27.1k|   mp_rshd(&q, um - 1);
   23|       |
   24|       |   /* according to HAC this optimization is ok */
   25|  27.1k|   if ((mp_digit)um > ((mp_digit)1 << (MP_DIGIT_BIT - 1))) {
  ------------------
  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (25:8): [True: 0, False: 27.1k]
  ------------------
   26|      0|      if ((err = mp_mul(&q, mu, &q)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (26:11): [True: 0, False: 0]
  ------------------
   27|      0|         goto CLEANUP;
   28|      0|      }
   29|  27.1k|   } else if (MP_HAS(S_MP_MUL_HIGH_DIGS)) {
  ------------------
  |  |  150|  27.1k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  27.1k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  27.1k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 27.1k, Folded]
  |  |  ------------------
  ------------------
   30|  27.1k|      if ((err = s_mp_mul_high_digs(&q, mu, &q, um)) != MP_OKAY) {
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (30:11): [True: 0, False: 27.1k]
  ------------------
   31|      0|         goto CLEANUP;
   32|      0|      }
   33|  27.1k|   } else if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
   34|      0|      if ((err = s_mp_mul_high_digs_fast(&q, mu, &q, um)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (34:11): [True: 0, False: 0]
  ------------------
   35|      0|         goto CLEANUP;
   36|      0|      }
   37|      0|   } else {
   38|      0|      err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   39|      0|      goto CLEANUP;
   40|      0|   }
   41|       |
   42|       |   /* q3 = q2 / b**(k+1) */
   43|  27.1k|   mp_rshd(&q, um + 1);
   44|       |
   45|       |   /* x = x mod b**(k+1), quick (no division) */
   46|  27.1k|   if ((err = mp_mod_2d(x, MP_DIGIT_BIT * (um + 1), x)) != MP_OKAY) {
  ------------------
  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  ------------------
                 if ((err = mp_mod_2d(x, MP_DIGIT_BIT * (um + 1), x)) != MP_OKAY) {
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (46:8): [True: 0, False: 27.1k]
  ------------------
   47|      0|      goto CLEANUP;
   48|      0|   }
   49|       |
   50|       |   /* q = q * m mod b**(k+1), quick (no division) */
   51|  27.1k|   if ((err = s_mp_mul_digs(&q, m, &q, um + 1)) != MP_OKAY) {
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (51:8): [True: 0, False: 27.1k]
  ------------------
   52|      0|      goto CLEANUP;
   53|      0|   }
   54|       |
   55|       |   /* x = x - q */
   56|  27.1k|   if ((err = mp_sub(x, &q, x)) != MP_OKAY) {
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (56:8): [True: 0, False: 27.1k]
  ------------------
   57|      0|      goto CLEANUP;
   58|      0|   }
   59|       |
   60|       |   /* If x < 0, add b**(k+1) to it */
   61|  27.1k|   if (mp_cmp_d(x, 0uL) == MP_LT) {
  ------------------
  |  |  154|  27.1k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (61:8): [True: 713, False: 26.4k]
  ------------------
   62|    713|      mp_set(&q, 1uL);
   63|    713|      if ((err = mp_lshd(&q, um + 1)) != MP_OKAY) {
  ------------------
  |  |  161|    713|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (63:11): [True: 0, False: 713]
  ------------------
   64|      0|         goto CLEANUP;
   65|      0|      }
   66|    713|      if ((err = mp_add(x, &q, x)) != MP_OKAY) {
  ------------------
  |  |  161|    713|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (66:11): [True: 0, False: 713]
  ------------------
   67|      0|         goto CLEANUP;
   68|      0|      }
   69|    713|   }
   70|       |
   71|       |   /* Back off if it's too big */
                 /* NOTE(review): the number of subtractions in this loop depends on the
                  * values of x and m (51.8k iterations over 27.1k calls in this run).
                  * If either operand is secret, that is a data-dependent timing
                  * difference; confirm how callers use this routine.
                  */
   72|  78.9k|   while (mp_cmp(x, m) != MP_LT) {
  ------------------
  |  |  154|  78.9k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (72:11): [True: 51.8k, False: 27.1k]
  ------------------
   73|  51.8k|      if ((err = s_mp_sub(x, m, x)) != MP_OKAY) {
  ------------------
  |  |  161|  51.8k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (73:11): [True: 0, False: 51.8k]
  ------------------
   74|      0|         goto CLEANUP;
   75|      0|      }
   76|  51.8k|   }
   77|       |
   78|  27.1k|CLEANUP:
   79|  27.1k|   mp_clear(&q);
   80|       |
   81|  27.1k|   return err;
   82|  27.1k|}

mp_reduce_2k_l:
              /* mp_reduce_2k_l: reduces a modulo n in place using d (presumably the
               * value produced by mp_reduce_2k_setup_l; confirm at the call site).
               * The signature is not shown in this listing. Each pass splits a at bit
               * p = mp_count_bits(n), adds the high part back in as q * d, and repeats
               * via `goto top` while |a| >= n. q is released at LBL_ERR on every path
               * after mp_init succeeds.
               * Coverage: 5.63M passes for 10.6k calls (roughly 530 per call).
               * NOTE(review): check whether that ratio is expected for the operand
               * sizes in the corpus or points at slow inputs; the counts alone cannot
               * tell. No error branch was exercised in this run.
               */
   11|  10.6k|{
   12|  10.6k|   mp_int q;
   13|  10.6k|   mp_err err;
   14|  10.6k|   int    p;
   15|       |
   16|  10.6k|   if ((err = mp_init(&q)) != MP_OKAY) {
  ------------------
  |  |  161|  10.6k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (16:8): [True: 0, False: 10.6k]
  ------------------
   17|      0|      return err;
   18|      0|   }
   19|       |
   20|  10.6k|   p = mp_count_bits(n);
   21|  5.63M|top:
   22|       |   /* q = a/2**p, a = a mod 2**p */
   23|  5.63M|   if ((err = mp_div_2d(a, p, &q, a)) != MP_OKAY) {
  ------------------
  |  |  161|  5.63M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (23:8): [True: 0, False: 5.63M]
  ------------------
   24|      0|      goto LBL_ERR;
   25|      0|   }
   26|       |
   27|       |   /* q = q * d */
   28|  5.63M|   if ((err = mp_mul(&q, d, &q)) != MP_OKAY) {
  ------------------
  |  |  161|  5.63M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (28:8): [True: 0, False: 5.63M]
  ------------------
   29|      0|      goto LBL_ERR;
   30|      0|   }
   31|       |
   32|       |   /* a = a + q */
   33|  5.63M|   if ((err = s_mp_add(a, &q, a)) != MP_OKAY) {
  ------------------
  |  |  161|  5.63M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (33:8): [True: 0, False: 5.63M]
  ------------------
   34|      0|      goto LBL_ERR;
   35|      0|   }
   36|       |
   37|  5.63M|   if (mp_cmp_mag(a, n) != MP_LT) {
  ------------------
  |  |  154|  5.63M|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (37:8): [True: 5.62M, False: 10.6k]
  ------------------
   38|  5.62M|      if ((err = s_mp_sub(a, n, a)) != MP_OKAY) {
  ------------------
  |  |  161|  5.62M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (38:11): [True: 0, False: 5.62M]
  ------------------
   39|      0|         goto LBL_ERR;
   40|      0|      }
   41|  5.62M|      goto top;
   42|  5.62M|   }
   43|       |
   44|  10.6k|LBL_ERR:
   45|  10.6k|   mp_clear(&q);
   46|  10.6k|   return err;
   47|  5.63M|}

mp_reduce_2k_setup_l:
              /* mp_reduce_2k_setup_l: computes d = 2**mp_count_bits(a) - a through the
               * temporary tmp (signature not shown in this listing). tmp is released
               * at LBL_ERR on every path after mp_init succeeds; err carries the
               * result of the last call that ran.
               * Coverage: no failure branch was exercised in this run.
               */
    8|    141|{
    9|    141|   mp_err err;
   10|    141|   mp_int tmp;
   11|       |
   12|    141|   if ((err = mp_init(&tmp)) != MP_OKAY) {
  ------------------
  |  |  161|    141|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (12:8): [True: 0, False: 141]
  ------------------
   13|      0|      return err;
   14|      0|   }
   15|       |
   16|    141|   if ((err = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) {
  ------------------
  |  |  161|    141|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (16:8): [True: 0, False: 141]
  ------------------
   17|      0|      goto LBL_ERR;
   18|      0|   }
   19|       |
   20|    141|   if ((err = s_mp_sub(&tmp, a, d)) != MP_OKAY) {
  ------------------
  |  |  161|    141|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (20:8): [True: 0, False: 141]
  ------------------
   21|      0|      goto LBL_ERR;
   22|      0|   }
   23|       |
   24|    141|LBL_ERR:
   25|    141|   mp_clear(&tmp);
   26|    141|   return err;
   27|    141|}

mp_reduce_is_2k:
              /* mp_reduce_is_2k: returns MP_YES when every bit of a from the second
               * digit upward is 1, MP_NO otherwise; a zero-digit value gives MP_NO and
               * a single-digit value gives MP_YES (signature not shown in this listing).
               * Coverage: all 2.69k calls in this run returned MP_NO from line 24.
               * None of the MP_YES returns (lines 15, 32, 34) executed, so the
               * accepting path is not covered by this corpus.
               * NOTE(review): the final else (a->used < 0) returns MP_YES here, while
               * mp_reduce_is_2k_l returns MP_NO in the same position. The branch
               * should be unreachable if used is never negative, but the two disagree.
               */
    8|  2.69k|{
    9|  2.69k|   int ix, iy, iw;
   10|  2.69k|   mp_digit iz;
   11|       |
   12|  2.69k|   if (a->used == 0) {
  ------------------
  |  Branch (12:8): [True: 0, False: 2.69k]
  ------------------
   13|      0|      return MP_NO;
  ------------------
  |  |  159|      0|#define MP_NO         0
  ------------------
   14|  2.69k|   } else if (a->used == 1) {
  ------------------
  |  Branch (14:15): [True: 0, False: 2.69k]
  ------------------
   15|      0|      return MP_YES;
  ------------------
  |  |  158|      0|#define MP_YES        1
  ------------------
   16|  2.69k|   } else if (a->used > 1) {
  ------------------
  |  Branch (16:15): [True: 2.69k, False: 0]
  ------------------
   17|  2.69k|      iy = mp_count_bits(a);
   18|  2.69k|      iz = 1;
   19|  2.69k|      iw = 1;
   20|       |
   21|       |      /* Test every bit from the second digit up, must be 1 */
   22|  21.8k|      for (ix = MP_DIGIT_BIT; ix < iy; ix++) {
  ------------------
  |  |   82|  2.69k|#   define MP_DIGIT_BIT 60
  ------------------
  |  Branch (22:31): [True: 21.8k, False: 0]
  ------------------
   23|  21.8k|         if ((a->dp[iw] & iz) == 0u) {
  ------------------
  |  Branch (23:14): [True: 2.69k, False: 19.1k]
  ------------------
   24|  2.69k|            return MP_NO;
  ------------------
  |  |  159|  2.69k|#define MP_NO         0
  ------------------
   25|  2.69k|         }
   26|  19.1k|         iz <<= 1;
                       /* iz walks one bit at a time; once it leaves the digit range
                        * the scan moves to the next digit and restarts at bit 0. */
   27|  19.1k|         if (iz > MP_DIGIT_MAX) {
  ------------------
  |  |  107|  19.1k|#define MP_DIGIT_MAX     MP_MASK
  |  |  ------------------
  |  |  |  |  106|  19.1k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  19.1k|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (27:14): [True: 102, False: 19.0k]
  ------------------
   28|    102|            ++iw;
   29|    102|            iz = 1;
   30|    102|         }
   31|  19.1k|      }
   32|      0|      return MP_YES;
  ------------------
  |  |  158|      0|#define MP_YES        1
  ------------------
   33|  2.69k|   } else {
   34|      0|      return MP_YES;
  ------------------
  |  |  158|      0|#define MP_YES        1
  ------------------
   35|      0|   }
   36|  2.69k|}

mp_reduce_is_2k_l:
              /* mp_reduce_is_2k_l: counts the digits of a that equal MP_DIGIT_MAX and
               * returns MP_YES when that count is at least a->used / 2 (integer
               * division), MP_NO otherwise; a zero-digit value gives MP_NO and a
               * single-digit value gives MP_YES (signature not shown in this listing).
               * NOTE(review): the inline comment says "more than half", but the
               * comparison on line 22 is >=, so exactly half also qualifies.
               * Coverage: 141 calls returned MP_YES and 2.69k returned MP_NO; the
               * used == 0, used == 1 and final else branches did not run.
               */
    8|  2.83k|{
    9|  2.83k|   int ix, iy;
   10|       |
   11|  2.83k|   if (a->used == 0) {
  ------------------
  |  Branch (11:8): [True: 0, False: 2.83k]
  ------------------
   12|      0|      return MP_NO;
  ------------------
  |  |  159|      0|#define MP_NO         0
  ------------------
   13|  2.83k|   } else if (a->used == 1) {
  ------------------
  |  Branch (13:15): [True: 0, False: 2.83k]
  ------------------
   14|      0|      return MP_YES;
  ------------------
  |  |  158|      0|#define MP_YES        1
  ------------------
   15|  2.83k|   } else if (a->used > 1) {
  ------------------
  |  Branch (15:15): [True: 2.83k, False: 0]
  ------------------
   16|       |      /* if more than half of the digits are -1 we're sold */
   17|  89.4k|      for (iy = ix = 0; ix < a->used; ix++) {
  ------------------
  |  Branch (17:25): [True: 86.6k, False: 2.83k]
  ------------------
   18|  86.6k|         if (a->dp[ix] == MP_DIGIT_MAX) {
  ------------------
  |  |  107|  86.6k|#define MP_DIGIT_MAX     MP_MASK
  |  |  ------------------
  |  |  |  |  106|  86.6k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  86.6k|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (18:14): [True: 4.32k, False: 82.3k]
  ------------------
   19|  4.32k|            ++iy;
   20|  4.32k|         }
   21|  86.6k|      }
   22|  2.83k|      return (iy >= (a->used/2)) ? MP_YES : MP_NO;
  ------------------
  |  |  158|    141|#define MP_YES        1
  ------------------
                    return (iy >= (a->used/2)) ? MP_YES : MP_NO;
  ------------------
  |  |  159|  2.69k|#define MP_NO         0
  ------------------
  |  Branch (22:14): [True: 141, False: 2.69k]
  ------------------
   23|  2.83k|   } else {
   24|      0|      return MP_NO;
  ------------------
  |  |  159|      0|#define MP_NO         0
  ------------------
   25|      0|   }
   26|  2.83k|}

mp_reduce_setup:
              /* mp_reduce_setup: sets a = 2**(b->used * 2 * MP_DIGIT_BIT) and then
               * divides it by b, keeping the quotient in a and discarding the
               * remainder (NULL). The signature is not shown in this listing.
               * NOTE(review): the exponent is computed in the type of b->used
               * (presumably int; confirm), so an extremely large digit count would
               * overflow it; no bound is checked here.
               * Coverage: the mp_2expt failure return (line 13) did not run.
               */
   10|    313|{
   11|    313|   mp_err err;
   12|    313|   if ((err = mp_2expt(a, b->used * 2 * MP_DIGIT_BIT)) != MP_OKAY) {
  ------------------
  |  |   82|    313|#   define MP_DIGIT_BIT 60
  ------------------
                 if ((err = mp_2expt(a, b->used * 2 * MP_DIGIT_BIT)) != MP_OKAY) {
  ------------------
  |  |  161|    313|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (12:8): [True: 0, False: 313]
  ------------------
   13|      0|      return err;
   14|      0|   }
   15|    313|   return mp_div(a, b, a, NULL);
   16|    313|}

mp_rshd:
              /* mp_rshd: shifts a right by b whole digits in place and returns nothing
               * (signature not shown in this listing). b <= 0 is a no-op; when b is at
               * least a->used the value is simply zeroed. Otherwise the upper digits
               * are copied down, the vacated top digits are cleared, and used is
               * reduced by b.
               */
    8|  5.69M|{
    9|  5.69M|   int     x;
   10|  5.69M|   mp_digit *bottom, *top;
   11|       |
   12|       |   /* if b <= 0 then ignore it */
   13|  5.69M|   if (b <= 0) {
  ------------------
  |  Branch (13:8): [True: 23, False: 5.69M]
  ------------------
   14|     23|      return;
   15|     23|   }
   16|       |
   17|       |   /* if b > used then simply zero it and return */
   18|  5.69M|   if (a->used <= b) {
  ------------------
  |  Branch (18:8): [True: 30.7k, False: 5.65M]
  ------------------
   19|  30.7k|      mp_zero(a);
   20|  30.7k|      return;
   21|  30.7k|   }
   22|       |
   23|       |   /* shift the digits down */
   24|       |
   25|       |   /* bottom */
   26|  5.65M|   bottom = a->dp;
   27|       |
   28|       |   /* top [offset into digits] */
   29|  5.65M|   top = a->dp + b;
   30|       |
   31|       |   /* this is implemented as a sliding window where
   32|       |    * the window is b-digits long and digits from
   33|       |    * the top of the window are copied to the bottom
   34|       |    *
   35|       |    * e.g.
   36|       |
   37|       |    b-2 | b-1 | b0 | b1 | b2 | ... | bb |   ---->
   38|       |                /\                   |      ---->
   39|       |                 \-------------------/      ---->
   40|       |    */
   41|  57.5M|   for (x = 0; x < (a->used - b); x++) {
  ------------------
  |  Branch (41:16): [True: 51.9M, False: 5.65M]
  ------------------
   42|  51.9M|      *bottom++ = *top++;
   43|  51.9M|   }
   44|       |
   45|       |   /* zero the top digits */
                 /* After the loop x == a->used - b, so exactly b digits are cleared,
                  * starting where the copy stopped; the shifted-out data does not
                  * linger above the new top. */
   46|  5.65M|   MP_ZERO_DIGITS(bottom, a->used - x);
  ------------------
  |  |   89|  5.65M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  5.65M|do {                                                    \
  |  |   91|  5.65M|   int zd_ = (digits);                                  \
  |  |   92|  5.65M|   mp_digit* zm_ = (mem);                               \
  |  |   93|   102M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 96.8M, False: 5.65M]
  |  |  ------------------
  |  |   94|  96.8M|      *zm_++ = 0;                                       \
  |  |   95|  96.8M|   }                                                    \
  |  |   96|  5.65M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 5.65M]
  |  |  ------------------
  ------------------
   47|       |
   48|       |   /* remove excess digits */
   49|  5.65M|   a->used -= b;
   50|  5.65M|}

mp_set:
              /* mp_set: sets a to the single-digit value b & MP_MASK with a
               * non-negative sign, then zeroes every remaining allocated digit
               * (signature not shown in this listing).
               * NOTE(review): a->dp[0] is written unconditionally, so a must already
               * be initialised with at least one digit allocated; nothing here
               * checks that.
               * Coverage: the masked value was never zero in this run (branch on
               * line 11 always True), so the used == 0 result is untested.
               */
    8|  2.29k|{
    9|  2.29k|   a->dp[0] = b & MP_MASK;
  ------------------
  |  |  106|  2.29k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  2.29k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   10|  2.29k|   a->sign  = MP_ZPOS;
  ------------------
  |  |  151|  2.29k|#define MP_ZPOS       0   /* positive integer */
  ------------------
   11|  2.29k|   a->used  = (a->dp[0] != 0u) ? 1 : 0;
  ------------------
  |  Branch (11:15): [True: 2.29k, False: 0]
  ------------------
   12|  2.29k|   MP_ZERO_DIGITS(a->dp + a->used, a->alloc - a->used);
  ------------------
  |  |   89|  2.29k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  2.29k|do {                                                    \
  |  |   91|  2.29k|   int zd_ = (digits);                                  \
  |  |   92|  2.29k|   mp_digit* zm_ = (mem);                               \
  |  |   93|  76.8k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 74.5k, False: 2.29k]
  |  |  ------------------
  |  |   94|  74.5k|      *zm_++ = 0;                                       \
  |  |   95|  74.5k|   }                                                    \
  |  |   96|  2.29k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 2.29k]
  |  |  ------------------
  ------------------
   13|  2.29k|}

mp_sqr:
              /* mp_sqr: stores the square of a in b by dispatching to one of several
               * squaring routines, then forces b's sign to MP_ZPOS (signature not
               * shown in this listing). The MP_HAS(...) tests are compile-time
               * constants, which the coverage output marks as Folded.
               * Coverage: in this build the Toom-Cook and Karatsuba tests fold to
               * false, and all 7.18M calls took s_mp_sqr_fast. The s_mp_sqr fallback
               * and the MP_VAL branch have count 0, so they are not exercised here.
               */
    8|  7.18M|{
    9|  7.18M|   mp_err err;
   10|  7.18M|   if (MP_HAS(S_MP_TOOM_SQR) && /* use Toom-Cook? */
  ------------------
  |  |  150|  14.3M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  7.18M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  7.18M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [Folded, False: 7.18M]
  |  |  ------------------
  ------------------
   11|      0|       (a->used >= MP_TOOM_SQR_CUTOFF)) {
  ------------------
  |  |  124|      0|#  define MP_TOOM_SQR_CUTOFF      TOOM_SQR_CUTOFF
  ------------------
  |  Branch (11:8): [True: 0, False: 0]
  ------------------
   12|      0|      err = s_mp_toom_sqr(a, b);
   13|  7.18M|   } else if (MP_HAS(S_MP_KARATSUBA_SQR) &&  /* Karatsuba? */
  ------------------
  |  |  150|  14.3M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  7.18M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  7.18M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [Folded, False: 7.18M]
  |  |  ------------------
  ------------------
   14|      0|              (a->used >= MP_KARATSUBA_SQR_CUTOFF)) {
  ------------------
  |  |  122|      0|#  define MP_KARATSUBA_SQR_CUTOFF KARATSUBA_SQR_CUTOFF
  ------------------
  |  Branch (14:15): [True: 0, False: 0]
  ------------------
   15|      0|      err = s_mp_karatsuba_sqr(a, b);
   16|  7.18M|   } else if (MP_HAS(S_MP_SQR_FAST) && /* can we use the fast comba multiplier? */
  ------------------
  |  |  150|  14.3M|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  7.18M|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  7.18M|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 7.18M, Folded]
  |  |  ------------------
  ------------------
   17|  7.18M|              (((a->used * 2) + 1) < MP_WARRAY) &&
  ------------------
  |  |  172|  7.18M|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  7.18M|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  7.18M|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (17:15): [True: 7.18M, False: 0]
  ------------------
   18|  7.18M|              (a->used < (MP_MAXFAST / 2))) {
  ------------------
  |  |  168|  7.18M|#define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |  167|  7.18M|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  |  |  ------------------
  |  |               #define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |   82|  7.18M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (18:15): [True: 7.18M, False: 0]
  ------------------
   19|  7.18M|      err = s_mp_sqr_fast(a, b);
   20|  7.18M|   } else if (MP_HAS(S_MP_SQR)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
   21|      0|      err = s_mp_sqr(a, b);
   22|      0|   } else {
   23|      0|      err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   24|      0|   }
                 /* The sign is set whether or not the squaring call succeeded; callers
                  * must still check err before using b. */
   25|  7.18M|   b->sign = MP_ZPOS;
  ------------------
  |  |  151|  7.18M|#define MP_ZPOS       0   /* positive integer */
  ------------------
   26|  7.18M|   return err;
   27|  7.18M|}

mp_sub:
    8|  6.82M|{  /* mp_sub: signed subtraction of b from a into c; chooses s_mp_add or s_mp_sub from the operand signs and sets c->sign before the call. */
    9|  6.82M|   mp_sign sa = a->sign, sb = b->sign;
   10|  6.82M|   mp_err err;
   11|       |   /* err is assigned on every branch below, so the final return never reads it unset */
   12|  6.82M|   if (sa != sb) {
  ------------------
  |  Branch (12:8): [True: 273k, False: 6.54M]
  ------------------
   13|       |      /* subtract a negative from a positive, OR */
   14|       |      /* subtract a positive from a negative. */
   15|       |      /* In either case, ADD their magnitudes, */
   16|       |      /* and use the sign of the first number. */
   17|   273k|      c->sign = sa;
   18|   273k|      err = s_mp_add(a, b, c);
   19|  6.54M|   } else {
   20|       |      /* subtract a positive from a positive, OR */
   21|       |      /* subtract a negative from a negative. */
   22|       |      /* First, take the difference between their */
   23|       |      /* magnitudes, then... */
   24|  6.54M|      if (mp_cmp_mag(a, b) != MP_LT) {
  ------------------
  |  |  154|  6.54M|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (24:11): [True: 4.36M, False: 2.18M]
  ------------------
   25|       |         /* Copy the sign from the first */
   26|  4.36M|         c->sign = sa;
   27|       |         /* The first has a larger or equal magnitude */
   28|  4.36M|         err = s_mp_sub(a, b, c);
   29|  4.36M|      } else {
   30|       |         /* The result has the *opposite* sign from */
   31|       |         /* the first number. */
   32|  2.18M|         c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS;
  ------------------
  |  |  151|  2.18M|#define MP_ZPOS       0   /* positive integer */
  ------------------
                       c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS;
  ------------------
  |  |  152|  2.07M|#define MP_NEG        1   /* negative */
  ------------------
                       c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS;
  ------------------
  |  |  151|  2.29M|#define MP_ZPOS       0   /* positive integer */
  ------------------
  |  Branch (32:20): [True: 2.07M, False: 111k]
  ------------------
   33|       |         /* The second has a larger magnitude, so the operands are swapped for s_mp_sub */
   34|  2.18M|         err = s_mp_sub(b, a, c);
   35|  2.18M|      }
   36|  6.54M|   }
   37|  6.82M|   return err;
   38|  6.82M|}

mp_sub_d:
    8|  2.09k|{  /* mp_sub_d: subtract the single digit b from a into c; returns MP_OKAY, or the error reported by mp_grow / mp_add_d. */
    9|  2.09k|   mp_digit *tmpa, *tmpc;
   10|  2.09k|   mp_err    err;
   11|  2.09k|   int       ix, oldused;
   12|       |
   13|       |   /* grow c as required: the digit loop below writes a->used digits through tmpc, and c is sized to a->used + 1 */
   14|  2.09k|   if (c->alloc < (a->used + 1)) {
  ------------------
  |  Branch (14:8): [True: 2.09k, False: 0]
  ------------------
   15|  2.09k|      if ((err = mp_grow(c, a->used + 1)) != MP_OKAY) {
  ------------------
  |  |  161|  2.09k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (15:11): [True: 0, False: 2.09k]
  ------------------
   16|      0|         return err;
   17|      0|      }
   18|  2.09k|   }
   19|       |   /* NOTE(review): in this coverage run only the multi-digit, non-negative path executed; the MP_NEG and single-digit branches below show 0 hits */
   20|       |   /* if a is negative just do an unsigned
   21|       |    * addition [with fudged signs]
   22|       |    */
   23|  2.09k|   if (a->sign == MP_NEG) {
  ------------------
  |  |  152|  2.09k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (23:8): [True: 0, False: 2.09k]
  ------------------
   24|      0|      mp_int a_ = *a; /* struct copy: a_ shares a->dp, and only its sign field is changed */
   25|      0|      a_.sign = MP_ZPOS;
  ------------------
  |  |  151|      0|#define MP_ZPOS       0   /* positive integer */
  ------------------
   26|      0|      err     = mp_add_d(&a_, b, c);
   27|      0|      c->sign = MP_NEG;
  ------------------
  |  |  152|      0|#define MP_NEG        1   /* negative */
  ------------------
   28|       |
   29|       |      /* clamp */
   30|      0|      mp_clamp(c);
   31|       |
   32|      0|      return err;
   33|      0|   }
   34|       |
   35|       |   /* setup regs; c->dp is read only after the mp_grow call above (presumably mp_grow may move the digit array — confirm) */
   36|  2.09k|   oldused = c->used;
   37|  2.09k|   tmpa    = a->dp;
   38|  2.09k|   tmpc    = c->dp;
   39|       |
   40|       |   /* if a <= b simply fix the single digit; the result is then a one-digit negative value */
   41|  2.09k|   if (((a->used == 1) && (a->dp[0] <= b)) || (a->used == 0)) {
  ------------------
  |  Branch (41:9): [True: 0, False: 2.09k]
  |  Branch (41:27): [True: 0, False: 0]
  |  Branch (41:47): [True: 0, False: 2.09k]
  ------------------
   42|      0|      if (a->used == 1) {
  ------------------
  |  Branch (42:11): [True: 0, False: 0]
  ------------------
   43|      0|         *tmpc++ = b - *tmpa;
   44|      0|      } else {
   45|      0|         *tmpc++ = b;
   46|      0|      }
   47|      0|      ix      = 1;
   48|       |
   49|       |      /* negative/1digit */
   50|      0|      c->sign = MP_NEG;
  ------------------
  |  |  152|      0|#define MP_NEG        1   /* negative */
  ------------------
   51|      0|      c->used = 1;
   52|  2.09k|   } else {
   53|  2.09k|      mp_digit mu = b;
   54|       |
   55|       |      /* positive/size */
   56|  2.09k|      c->sign = MP_ZPOS;
  ------------------
  |  |  151|  2.09k|#define MP_ZPOS       0   /* positive integer */
  ------------------
   57|  2.09k|      c->used = a->used;
   58|       |
   59|       |      /* subtract digits, mu is carry: it starts as b, then becomes the top bit of each raw difference (the borrow) */
   60|  75.2k|      for (ix = 0; ix < a->used; ix++) {
  ------------------
  |  Branch (60:20): [True: 73.1k, False: 2.09k]
  ------------------
   61|  73.1k|         *tmpc    = *tmpa++ - mu;
   62|  73.1k|         mu       = *tmpc >> (MP_SIZEOF_BITS(mp_digit) - 1u);
  ------------------
  |  |  167|  73.1k|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  ------------------
   63|  73.1k|         *tmpc++ &= MP_MASK;
  ------------------
  |  |  106|  73.1k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  73.1k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   64|  73.1k|      }
   65|  2.09k|   }
   66|       |
   67|       |   /* zero excess digits left over from the previous value of c; MP_ZERO_DIGITS loops only while its count is > 0, so a negative oldused - ix writes nothing */
   68|  2.09k|   MP_ZERO_DIGITS(tmpc, oldused - ix);
  ------------------
  |  |   89|  2.09k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  2.09k|do {                                                    \
  |  |   91|  2.09k|   int zd_ = (digits);                                  \
  |  |   92|  2.09k|   mp_digit* zm_ = (mem);                               \
  |  |   93|  2.09k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 2.09k]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|  2.09k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 2.09k]
  |  |  ------------------
  ------------------
   69|       |
   70|  2.09k|   mp_clamp(c);
   71|  2.09k|   return MP_OKAY;
  ------------------
  |  |  161|  2.09k|#define MP_OKAY       0   /* no error */
  ------------------
   72|  2.09k|}

mp_to_ubin:
    8|  7.76k|{  /* mp_to_ubin: write the value of a into buf as bytes, least significant byte at buf[count - 1]; a's sign is not consulted here. Returns MP_BUF if the value needs more than maxlen bytes. */
    9|  7.76k|   size_t  x, count;
   10|  7.76k|   mp_err  err;
   11|  7.76k|   mp_int  t;
   12|       |   /* the length check comes first: nothing is written to buf unless the whole value fits in maxlen bytes */
   13|  7.76k|   count = mp_ubin_size(a);
   14|  7.76k|   if (count > maxlen) {
  ------------------
  |  Branch (14:8): [True: 0, False: 7.76k]
  ------------------
   15|      0|      return MP_BUF;
  ------------------
  |  |  167|      0|#define MP_BUF        -5  /* buffer overflow, supplied buffer too small */
  ------------------
   16|      0|   }
   17|       |   /* NOTE(review): the MP_BUF rejection above shows 0 executions in this coverage run, so the too-small-buffer case is not exercised here */
   18|  7.76k|   if ((err = mp_init_copy(&t, a)) != MP_OKAY) {
  ------------------
  |  |  161|  7.76k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (18:8): [True: 0, False: 7.76k]
  ------------------
   19|      0|      return err;
   20|      0|   }
   21|       |   /* x runs from count - 1 down to 0 (the test post-decrements), so every write lands in buf[0 .. count - 1] */
   22|  1.05M|   for (x = count; x --> 0u;) {
  ------------------
  |  Branch (22:20): [True: 1.04M, False: 7.76k]
  ------------------
   23|  1.04M|#ifndef MP_8BIT
   24|  1.04M|      buf[x] = (unsigned char)(t.dp[0] & 255u);
   25|       |#else
   26|       |      buf[x] = (unsigned char)(t.dp[0] | ((t.dp[1] & 1u) << 7));
   27|       |#endif
   28|  1.04M|      if ((err = mp_div_2d(&t, 8, &t, NULL)) != MP_OKAY) { /* presumably shifts t right by 8 bits for the next byte — confirm */
  ------------------
  |  |  161|  1.04M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (28:11): [True: 0, False: 1.04M]
  ------------------
   29|      0|         goto LBL_ERR;
   30|      0|      }
   31|  1.04M|   }
   32|       |   /* written is optional; it receives the byte count only when the loop completed without error */
   33|  7.76k|   if (written != NULL) {
  ------------------
  |  Branch (33:8): [True: 5.96k, False: 1.79k]
  ------------------
   34|  5.96k|      *written = count;
   35|  5.96k|   }
   36|       |   /* NOTE(review): t is a working copy of the caller's value and is released on both the success and error paths; if that value can be secret, confirm mp_clear wipes the digits */
   37|  7.76k|LBL_ERR:
   38|  7.76k|   mp_clear(&t);
   39|  7.76k|   return err;
   40|  7.76k|}

mp_ubin_size:
    8|  10.7k|{  /* mp_ubin_size: number of bytes needed to hold the value of a, i.e. its bit count rounded up to whole bytes. */
    9|  10.7k|   size_t size = (size_t)mp_count_bits(a); /* assumes mp_count_bits never returns a negative value — TODO confirm */
   10|  10.7k|   return (size / 8u) + (((size & 7u) != 0u) ? 1u : 0u); /* ceil(size / 8): one extra byte when bits are left over */
  ------------------
  |  Branch (10:26): [True: 6.53k, False: 4.19k]
  ------------------
   11|  10.7k|}

mp_zero:
    8|  94.1k|{  /* mp_zero: set a to zero — positive sign, no used digits, and every allocated digit (a->alloc, not only a->used) overwritten with 0. */
    9|  94.1k|   a->sign = MP_ZPOS;
  ------------------
  |  |  151|  94.1k|#define MP_ZPOS       0   /* positive integer */
  ------------------
   10|  94.1k|   a->used = 0;
   11|  94.1k|   MP_ZERO_DIGITS(a->dp, a->alloc); /* the macro loops only while its count is > 0, so an alloc of 0 writes nothing */
  ------------------
  |  |   89|  94.1k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  94.1k|do {                                                    \
  |  |   91|  94.1k|   int zd_ = (digits);                                  \
  |  |   92|  94.1k|   mp_digit* zm_ = (mem);                               \
  |  |   93|  2.63M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 2.53M, False: 94.1k]
  |  |  ------------------
  |  |   94|  2.53M|      *zm_++ = 0;                                       \
  |  |   95|  2.53M|   }                                                    \
  |  |   96|  94.1k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 94.1k]
  |  |  ------------------
  ------------------
   12|  94.1k|}

s_mp_add:
    8|  9.48M|{  /* s_mp_add: low-level addition of the digit arrays of a and b into c; this function itself neither reads nor writes any ->sign field. Returns MP_OKAY or the error from mp_grow. */
    9|  9.48M|   const mp_int *x;
   10|  9.48M|   mp_err err;
   11|  9.48M|   int     olduse, min, max;
   12|       |
   13|       |   /* find sizes, we let |a| <= |b| which means we have to sort
   14|       |    * them.  "x" will point to the input with the most digits
   15|       |    */
   16|  9.48M|   if (a->used > b->used) {
  ------------------
  |  Branch (16:8): [True: 16.5k, False: 9.46M]
  ------------------
   17|  16.5k|      min = b->used;
   18|  16.5k|      max = a->used;
   19|  16.5k|      x = a;
   20|  9.46M|   } else {
   21|  9.46M|      min = a->used;
   22|  9.46M|      max = b->used;
   23|  9.46M|      x = b;
   24|  9.46M|   }
   25|       |
   26|       |   /* init result: max + 1 digits leaves room for the final carry digit written after the loops */
   27|  9.48M|   if (c->alloc < (max + 1)) {
  ------------------
  |  Branch (27:8): [True: 26, False: 9.48M]
  ------------------
   28|     26|      if ((err = mp_grow(c, max + 1)) != MP_OKAY) {
  ------------------
  |  |  161|     26|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (28:11): [True: 0, False: 26]
  ------------------
   29|      0|         return err;
   30|      0|      }
   31|     26|   }
   32|       |
   33|       |   /* get old used digit count and set new one */
   34|  9.48M|   olduse = c->used;
   35|  9.48M|   c->used = max + 1;
   36|       |
   37|  9.48M|   {
   38|  9.48M|      mp_digit u, *tmpa, *tmpb, *tmpc;
   39|  9.48M|      int i;
   40|       |
   41|       |      /* alias for digit pointers (all three are read after the mp_grow call above) */
   42|       |
   43|       |      /* first input */
   44|  9.48M|      tmpa = a->dp;
   45|       |
   46|       |      /* second input */
   47|  9.48M|      tmpb = b->dp;
   48|       |
   49|       |      /* destination */
   50|  9.48M|      tmpc = c->dp;
   51|       |
   52|       |      /* zero the carry */
   53|  9.48M|      u = 0;
   54|   143M|      for (i = 0; i < min; i++) {
  ------------------
  |  Branch (54:19): [True: 133M, False: 9.48M]
  ------------------
   55|       |         /* Compute the sum at one digit, T[i] = A[i] + B[i] + U */
   56|   133M|         *tmpc = *tmpa++ + *tmpb++ + u;
   57|       |
   58|       |         /* U = carry bit of T[i] */
   59|   133M|         u = *tmpc >> (mp_digit)MP_DIGIT_BIT;
  ------------------
  |  |   82|   133M|#   define MP_DIGIT_BIT 60
  ------------------
   60|       |
   61|       |         /* take away carry bit from T[i] */
   62|   133M|         *tmpc++ &= MP_MASK;
  ------------------
  |  |  106|   133M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   133M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   63|   133M|      }
   64|       |
   65|       |      /* now copy higher words if any, that is in A+B
   66|       |       * if A or B has more digits add those in
   67|       |       */
   68|  9.48M|      if (min != max) {
  ------------------
  |  Branch (68:11): [True: 5.34M, False: 4.13M]
  ------------------
   69|  51.5M|         for (; i < max; i++) {
  ------------------
  |  Branch (69:17): [True: 46.1M, False: 5.34M]
  ------------------
   70|       |            /* T[i] = X[i] + U */
   71|  46.1M|            *tmpc = x->dp[i] + u;
   72|       |
   73|       |            /* U = carry bit of T[i] */
   74|  46.1M|            u = *tmpc >> (mp_digit)MP_DIGIT_BIT;
  ------------------
  |  |   82|  46.1M|#   define MP_DIGIT_BIT 60
  ------------------
   75|       |
   76|       |            /* take away carry bit from T[i] */
   77|  46.1M|            *tmpc++ &= MP_MASK;
  ------------------
  |  |  106|  46.1M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  46.1M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   78|  46.1M|         }
   79|  5.34M|      }
   80|       |
   81|       |      /* add carry: this is digit number max + 1, the slot reserved by the size check above */
   82|  9.48M|      *tmpc++ = u;
   83|       |
   84|       |      /* clear digits above the new used count that the previous value of c left behind; a non-positive olduse - c->used writes nothing */
   85|  9.48M|      MP_ZERO_DIGITS(tmpc, olduse - c->used);
  ------------------
  |  |   89|  9.48M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  9.48M|do {                                                    \
  |  |   91|  9.48M|   int zd_ = (digits);                                  \
  |  |   92|  9.48M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  9.48M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 9.48M]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|  9.48M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 9.48M]
  |  |  ------------------
  ------------------
   86|  9.48M|   }
   87|       |
   88|  9.48M|   mp_clamp(c);
   89|  9.48M|   return MP_OKAY;
  ------------------
  |  |  161|  9.48M|#define MP_OKAY       0   /* no error */
  ------------------
   90|  9.48M|}

s_mp_exptmod:
   15|    454|{  /* s_mp_exptmod: windowed modular exponentiation, Y = G**X mod P, using a table M of powers of G; redmode selects the reduction routine (0: mp_reduce, otherwise mp_reduce_2k_l). */
   16|    454|   mp_int  M[TAB_SIZE], res, mu;
   17|    454|   mp_digit buf;
   18|    454|   mp_err   err;
   19|    454|   int      bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
   20|    454|   mp_err(*redux)(mp_int *x, const mp_int *m, const mp_int *mu);
   21|       |
   22|       |   /* find window size from the bit length of the exponent X */
   23|    454|   x = mp_count_bits(X);
   24|    454|   if (x <= 7) {
  ------------------
  |  Branch (24:8): [True: 129, False: 325]
  ------------------
   25|    129|      winsize = 2;
   26|    325|   } else if (x <= 36) {
  ------------------
  |  Branch (26:15): [True: 40, False: 285]
  ------------------
   27|     40|      winsize = 3;
   28|    285|   } else if (x <= 140) {
  ------------------
  |  Branch (28:15): [True: 173, False: 112]
  ------------------
   29|    173|      winsize = 4;
   30|    173|   } else if (x <= 450) {
  ------------------
  |  Branch (30:15): [True: 112, False: 0]
  ------------------
   31|    112|      winsize = 5;
   32|    112|   } else if (x <= 1303) {
  ------------------
  |  Branch (32:15): [True: 0, False: 0]
  ------------------
   33|      0|      winsize = 6;
   34|      0|   } else if (x <= 3529) {
  ------------------
  |  Branch (34:15): [True: 0, False: 0]
  ------------------
   35|      0|      winsize = 7;
   36|      0|   } else {
   37|      0|      winsize = 8;
   38|      0|   }
   39|       |
   40|    454|   winsize = MAX_WINSIZE ? MP_MIN(MAX_WINSIZE, winsize) : winsize;
  ------------------
  |  |   11|    454|#   define MAX_WINSIZE 0
  |  |  ------------------
  |  |  |  Branch (11:24): [Folded, False: 454]
  |  |  ------------------
  ------------------
                 winsize = MAX_WINSIZE ? MP_MIN(MAX_WINSIZE, winsize) : winsize;
  ------------------
  |  |  156|      0|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 0, False: 0]
  |  |  ------------------
  ------------------
   41|       |   /* NOTE(review): MAX_WINSIZE is 0 in this build, so winsize is not capped and can reach 8; M[] is indexed up to (1 << winsize) - 1 below. TAB_SIZE is defined outside this listing — confirm it is at least 1 << 8. The winsize 6..8 branches show 0 executions in this run. */
   42|       |   /* init M array */
   43|       |   /* init first cell */
   44|    454|   if ((err = mp_init(&M[1])) != MP_OKAY) {
  ------------------
  |  |  161|    454|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (44:8): [True: 0, False: 454]
  ------------------
   45|      0|      return err;
   46|      0|   }
   47|       |
   48|       |   /* now init the second half of the array; on failure, clear only the entries initialised so far plus M[1] */
   49|  4.04k|   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
  ------------------
  |  Branch (49:29): [True: 3.59k, False: 454]
  ------------------
   50|  3.59k|      if ((err = mp_init(&M[x])) != MP_OKAY) {
  ------------------
  |  |  161|  3.59k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (50:11): [True: 0, False: 3.59k]
  ------------------
   51|      0|         for (y = 1<<(winsize-1); y < x; y++) {
  ------------------
  |  Branch (51:35): [True: 0, False: 0]
  ------------------
   52|      0|            mp_clear(&M[y]);
   53|      0|         }
   54|      0|         mp_clear(&M[1]);
   55|      0|         return err;
   56|      0|      }
   57|  3.59k|   }
   58|       |
   59|       |   /* create mu, used for Barrett reduction */
   60|    454|   if ((err = mp_init(&mu)) != MP_OKAY)                           goto LBL_M;
  ------------------
  |  |  161|    454|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (60:8): [True: 0, False: 454]
  ------------------
   61|       |
   62|    454|   if (redmode == 0) {
  ------------------
  |  Branch (62:8): [True: 313, False: 141]
  ------------------
   63|    313|      if ((err = mp_reduce_setup(&mu, P)) != MP_OKAY)             goto LBL_MU;
  ------------------
  |  |  161|    313|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (63:11): [True: 0, False: 313]
  ------------------
   64|    313|      redux = mp_reduce;
   65|    313|   } else {
   66|    141|      if ((err = mp_reduce_2k_setup_l(P, &mu)) != MP_OKAY)        goto LBL_MU;
  ------------------
  |  |  161|    141|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (66:11): [True: 0, False: 141]
  ------------------
   67|    141|      redux = mp_reduce_2k_l;
   68|    141|   }
   69|       |
   70|       |   /* create M table
   71|       |    *
   72|       |    * The M table contains powers of the base,
   73|       |    * e.g. M[x] = G**x mod P
   74|       |    *
   75|       |    * The first half of the table is not
   76|       |    * computed, except for M[0] and M[1]
   77|       |    * (NOTE(review): in the code shown, only M[1] and the upper half are initialised and read)
   78|    454|   if ((err = mp_mod(G, P, &M[1])) != MP_OKAY)                    goto LBL_MU;
  ------------------
  |  |  161|    454|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (78:8): [True: 0, False: 454]
  ------------------
   79|       |
   80|       |   /* compute the value at M[1<<(winsize-1)] by squaring
   81|       |    * M[1] (winsize-1) times
   82|       |    */
   83|    454|   if ((err = mp_copy(&M[1], &M[(size_t)1 << (winsize - 1)])) != MP_OKAY) goto LBL_MU;
  ------------------
  |  |  161|    454|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (83:8): [True: 0, False: 454]
  ------------------
   84|       |
   85|  1.63k|   for (x = 0; x < (winsize - 1); x++) {
  ------------------
  |  Branch (85:16): [True: 1.17k, False: 454]
  ------------------
   86|       |      /* square it */
   87|  1.17k|      if ((err = mp_sqr(&M[(size_t)1 << (winsize - 1)],
  ------------------
  |  Branch (87:11): [True: 0, False: 1.17k]
  ------------------
   88|  1.17k|                        &M[(size_t)1 << (winsize - 1)])) != MP_OKAY) goto LBL_MU;
  ------------------
  |  |  161|  1.17k|#define MP_OKAY       0   /* no error */
  ------------------
   89|       |
   90|       |      /* reduce modulo P */
   91|  1.17k|      if ((err = redux(&M[(size_t)1 << (winsize - 1)], P, &mu)) != MP_OKAY) goto LBL_MU;
  ------------------
  |  |  161|  1.17k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (91:11): [True: 0, False: 1.17k]
  ------------------
   92|  1.17k|   }
   93|       |
   94|       |   /* create upper table, that is M[x] = M[x-1] * M[1] (mod P)
   95|       |    * for x = (2**(winsize - 1) + 1) to (2**winsize - 1)
   96|       |    */
   97|  3.59k|   for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
  ------------------
  |  Branch (97:39): [True: 3.14k, False: 454]
  ------------------
   98|  3.14k|      if ((err = mp_mul(&M[x - 1], &M[1], &M[x])) != MP_OKAY)     goto LBL_MU;
  ------------------
  |  |  161|  3.14k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (98:11): [True: 0, False: 3.14k]
  ------------------
   99|  3.14k|      if ((err = redux(&M[x], P, &mu)) != MP_OKAY)                goto LBL_MU;
  ------------------
  |  |  161|  3.14k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (99:11): [True: 0, False: 3.14k]
  ------------------
  100|  3.14k|   }
  101|       |
  102|       |   /* setup result; from here on error exits go to LBL_RES so res is released as well */
  103|    454|   if ((err = mp_init(&res)) != MP_OKAY)                          goto LBL_MU;
  ------------------
  |  |  161|    454|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (103:8): [True: 0, False: 454]
  ------------------
  104|    454|   mp_set(&res, 1uL);
  105|       |
  106|       |   /* set initial mode and bit cnt */
  107|    454|   mode   = 0;
  108|    454|   bitcnt = 1;
  109|    454|   buf    = 0;
  110|    454|   digidx = X->used - 1;
  111|    454|   bitcpy = 0;
  112|    454|   bitbuf = 0;
  113|       |   /* mode: 0 = skipping leading zero bits, 1 = between windows (a zero bit just squares), 2 = collecting bits into bitbuf */
  114|  35.9k|   for (;;) {
  115|       |      /* grab next digit as required */
  116|  35.9k|      if (--bitcnt == 0) {
  ------------------
  |  Branch (116:11): [True: 1.04k, False: 34.8k]
  ------------------
  117|       |         /* if digidx == -1 we are out of digits */
  118|  1.04k|         if (digidx == -1) {
  ------------------
  |  Branch (118:14): [True: 454, False: 591]
  ------------------
  119|    454|            break;
  120|    454|         }
  121|       |         /* read next digit and reset the bitcnt */
  122|    591|         buf    = X->dp[digidx--];
  123|    591|         bitcnt = (int)MP_DIGIT_BIT;
  ------------------
  |  |   82|    591|#   define MP_DIGIT_BIT 60
  ------------------
  124|    591|      }
  125|       |      /* NOTE(review): the branches below and the M[bitbuf] lookup depend on the bits of X, so the sequence of operations and table accesses varies with the exponent; where X can be secret, confirm that callers accept this */
  126|       |      /* grab the next msb from the exponent */
  127|  35.4k|      y     = (buf >> (mp_digit)(MP_DIGIT_BIT - 1)) & 1uL;
  ------------------
  |  |   82|  35.4k|#   define MP_DIGIT_BIT 60
  ------------------
  128|  35.4k|      buf <<= (mp_digit)1;
  129|       |
  130|       |      /* if the bit is zero and mode == 0 then we ignore it
  131|       |       * These represent the leading zero bits before the first 1 bit
  132|       |       * in the exponent.  Technically this opt is not required but it
  133|       |       * does lower the # of trivial squaring/reductions used
  134|       |       */
  135|  35.4k|      if ((mode == 0) && (y == 0)) {
  ------------------
  |  Branch (135:11): [True: 6.97k, False: 28.4k]
  |  Branch (135:26): [True: 6.63k, False: 338]
  ------------------
  136|  6.63k|         continue;
  137|  6.63k|      }
  138|       |
  139|       |      /* if the bit is zero and mode == 1 then we square */
  140|  28.8k|      if ((mode == 1) && (y == 0)) {
  ------------------
  |  Branch (140:11): [True: 12.5k, False: 16.3k]
  |  Branch (140:26): [True: 8.32k, False: 4.17k]
  ------------------
  141|  8.32k|         if ((err = mp_sqr(&res, &res)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|  8.32k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (141:14): [True: 0, False: 8.32k]
  ------------------
  142|  8.32k|         if ((err = redux(&res, P, &mu)) != MP_OKAY)              goto LBL_RES;
  ------------------
  |  |  161|  8.32k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (142:14): [True: 0, False: 8.32k]
  ------------------
  143|  8.32k|         continue;
  144|  8.32k|      }
  145|       |
  146|       |      /* else we add it to the window; a window always opens on a 1 bit, so a full bitbuf is at least 1 << (winsize - 1) */
  147|  20.4k|      bitbuf |= (y << (winsize - ++bitcpy));
  148|  20.4k|      mode    = 2;
  149|       |
  150|  20.4k|      if (bitcpy == winsize) {
  ------------------
  |  Branch (150:11): [True: 4.37k, False: 16.1k]
  ------------------
  151|       |         /* ok window is filled so square as required and multiply  */
  152|       |         /* square first */
  153|  24.5k|         for (x = 0; x < winsize; x++) {
  ------------------
  |  Branch (153:22): [True: 20.1k, False: 4.37k]
  ------------------
  154|  20.1k|            if ((err = mp_sqr(&res, &res)) != MP_OKAY)            goto LBL_RES;
  ------------------
  |  |  161|  20.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (154:17): [True: 0, False: 20.1k]
  ------------------
  155|  20.1k|            if ((err = redux(&res, P, &mu)) != MP_OKAY)           goto LBL_RES;
  ------------------
  |  |  161|  20.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (155:17): [True: 0, False: 20.1k]
  ------------------
  156|  20.1k|         }
  157|       |
  158|       |         /* then multiply */
  159|  4.37k|         if ((err = mp_mul(&res, &M[bitbuf], &res)) != MP_OKAY)  goto LBL_RES;
  ------------------
  |  |  161|  4.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (159:14): [True: 0, False: 4.37k]
  ------------------
  160|  4.37k|         if ((err = redux(&res, P, &mu)) != MP_OKAY)             goto LBL_RES;
  ------------------
  |  |  161|  4.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (160:14): [True: 0, False: 4.37k]
  ------------------
  161|       |
  162|       |         /* empty window and reset */
  163|  4.37k|         bitcpy = 0;
  164|  4.37k|         bitbuf = 0;
  165|  4.37k|         mode   = 1;
  166|  4.37k|      }
  167|  20.4k|   }
  168|       |
  169|       |   /* if bits remain then square/multiply: the partial window is processed one bit at a time using M[1] only */
  170|    454|   if ((mode == 2) && (bitcpy > 0)) {
  ------------------
  |  Branch (170:8): [True: 144, False: 310]
  |  Branch (170:23): [True: 144, False: 0]
  ------------------
  171|       |      /* square then multiply if the bit is set */
  172|    483|      for (x = 0; x < bitcpy; x++) {
  ------------------
  |  Branch (172:19): [True: 339, False: 144]
  ------------------
  173|    339|         if ((err = mp_sqr(&res, &res)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|    339|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (173:14): [True: 0, False: 339]
  ------------------
  174|    339|         if ((err = redux(&res, P, &mu)) != MP_OKAY)              goto LBL_RES;
  ------------------
  |  |  161|    339|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (174:14): [True: 0, False: 339]
  ------------------
  175|       |
  176|    339|         bitbuf <<= 1;
  177|    339|         if ((bitbuf & (1 << winsize)) != 0) {
  ------------------
  |  Branch (177:14): [True: 245, False: 94]
  ------------------
  178|       |            /* then multiply */
  179|    245|            if ((err = mp_mul(&res, &M[1], &res)) != MP_OKAY)     goto LBL_RES;
  ------------------
  |  |  161|    245|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (179:17): [True: 0, False: 245]
  ------------------
  180|    245|            if ((err = redux(&res, P, &mu)) != MP_OKAY)           goto LBL_RES;
  ------------------
  |  |  161|    245|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (180:17): [True: 0, False: 245]
  ------------------
  181|    245|         }
  182|    339|      }
  183|    144|   }
  184|       |   /* hand the result to Y (assuming mp_exch swaps, res then holds Y's previous contents); the labels below release res, mu and the M entries in reverse order of setup, so each goto target frees only what was already initialised */
  185|    454|   mp_exch(&res, Y);
  186|    454|   err = MP_OKAY;
  ------------------
  |  |  161|    454|#define MP_OKAY       0   /* no error */
  ------------------
  187|    454|LBL_RES:
  188|    454|   mp_clear(&res);
  189|    454|LBL_MU:
  190|    454|   mp_clear(&mu);
  191|    454|LBL_M:
  192|    454|   mp_clear(&M[1]);
  193|  4.04k|   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
  ------------------
  |  Branch (193:29): [True: 3.59k, False: 454]
  ------------------
  194|  3.59k|      mp_clear(&M[x]);
  195|  3.59k|   }
  196|    454|   return err;
  197|    454|}

s_mp_exptmod_fast:
/*
 * Sliding-window modular exponentiation: res is built up from the bits of X
 * using the table M and the selected reduction, then exchanged into Y.
 * The signature is not part of this listing; the body reads G, X, P and
 * redmode and writes Y.
 *
 * redmode == 0 selects Montgomery reduction, redmode == 1 mp_dr_reduce, and
 * any other value mp_reduce_2k.  Returns MP_OKAY on success, MP_VAL when the
 * required reduction routines are not compiled in (MP_HAS is false), or the
 * error of the first failing mp_* call.  Once the table has been initialised,
 * every exit goes through LBL_RES/LBL_M, which clear res and the M entries.
 *
 * NOTE(review): the branches at source lines 181/186 and the index in
 * M[bitbuf] (source line 205) depend on the bits of X, so run time and memory
 * access pattern vary with the exponent.  If callers pass a secret exponent
 * here, confirm that blinding or a constant-time path is used instead.
 *
 * NOTE(review): winsize can reach 8 and MAX_WINSIZE is 0 in this build, so M
 * may be indexed up to (1 << 8) - 1; TAB_SIZE is defined outside this
 * listing -- confirm it is at least 1 << 8.
 *
 * Coverage in this run: only redmode == 0 with s_mp_montgomery_reduce_fast is
 * exercised; the redmode == 1 and reduce_2k paths, window sizes 6 and 8, and
 * every error exit show 0 hits.
 */
   23|  2.37k|{
   24|  2.37k|   mp_int  M[TAB_SIZE], res;
   25|  2.37k|   mp_digit buf, mp;
   26|  2.37k|   int     bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
   27|  2.37k|   mp_err   err;
   28|       |
   29|       |   /* use a pointer to the reduction algorithm.  This allows us to use
   30|       |    * one of many reduction algorithms without modding the guts of
   31|       |    * the code with if statements everywhere.
   32|       |    */
   33|  2.37k|   mp_err(*redux)(mp_int *x, const mp_int *n, mp_digit rho);
   34|       |
   35|       |   /* find window size from the bit length of the exponent X */
   36|  2.37k|   x = mp_count_bits(X);
   37|  2.37k|   if (x <= 7) {
  ------------------
  |  Branch (37:8): [True: 169, False: 2.20k]
  ------------------
   38|    169|      winsize = 2;
   39|  2.20k|   } else if (x <= 36) {
  ------------------
  |  Branch (39:15): [True: 15, False: 2.19k]
  ------------------
   40|     15|      winsize = 3;
   41|  2.19k|   } else if (x <= 140) {
  ------------------
  |  Branch (41:15): [True: 50, False: 2.14k]
  ------------------
   42|     50|      winsize = 4;
   43|  2.14k|   } else if (x <= 450) {
  ------------------
  |  Branch (43:15): [True: 59, False: 2.08k]
  ------------------
   44|     59|      winsize = 5;
   45|  2.08k|   } else if (x <= 1303) {
  ------------------
  |  Branch (45:15): [True: 0, False: 2.08k]
  ------------------
   46|      0|      winsize = 6;
   47|  2.08k|   } else if (x <= 3529) {
  ------------------
  |  Branch (47:15): [True: 2.08k, False: 0]
  ------------------
   48|  2.08k|      winsize = 7;
   49|  2.08k|   } else {
   50|      0|      winsize = 8;
   51|      0|   }
   52|       |
   53|  2.37k|   winsize = MAX_WINSIZE ? MP_MIN(MAX_WINSIZE, winsize) : winsize;
  ------------------
  |  |   19|  2.37k|#   define MAX_WINSIZE 0
  |  |  ------------------
  |  |  |  Branch (19:24): [Folded, False: 2.37k]
  |  |  ------------------
  ------------------
                 winsize = MAX_WINSIZE ? MP_MIN(MAX_WINSIZE, winsize) : winsize;
  ------------------
  |  |  156|      0|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 0, False: 0]
  |  |  ------------------
  ------------------
   54|       |
   55|       |   /* init M array */
   56|       |   /* init first cell */
   57|  2.37k|   if ((err = mp_init_size(&M[1], P->alloc)) != MP_OKAY) {
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (57:8): [True: 0, False: 2.37k]
  ------------------
   58|      0|      return err;
   59|      0|   }
   60|       |
   61|       |   /* now init the second half of the array; on failure clear what was already initialised */
   62|   137k|   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
  ------------------
  |  Branch (62:29): [True: 135k, False: 2.37k]
  ------------------
   63|   135k|      if ((err = mp_init_size(&M[x], P->alloc)) != MP_OKAY) {
  ------------------
  |  |  161|   135k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (63:11): [True: 0, False: 135k]
  ------------------
   64|      0|         for (y = 1<<(winsize-1); y < x; y++) {
  ------------------
  |  Branch (64:35): [True: 0, False: 0]
  ------------------
   65|      0|            mp_clear(&M[y]);
   66|      0|         }
   67|      0|         mp_clear(&M[1]);
   68|      0|         return err;
   69|      0|      }
   70|   135k|   }
   71|       |
   72|       |   /* determine and setup reduction code */
   73|  2.37k|   if (redmode == 0) {
  ------------------
  |  Branch (73:8): [True: 2.37k, False: 0]
  ------------------
   74|  2.37k|      if (MP_HAS(MP_MONTGOMERY_SETUP)) {
  ------------------
  |  |  150|  2.37k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.37k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.37k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 2.37k, Folded]
  |  |  ------------------
  ------------------
   75|       |         /* now setup montgomery  */
   76|  2.37k|         if ((err = mp_montgomery_setup(P, &mp)) != MP_OKAY)      goto LBL_M;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (76:14): [True: 0, False: 2.37k]
  ------------------
   77|  2.37k|      } else {
   78|      0|         err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   79|      0|         goto LBL_M;
   80|      0|      }
   81|       |
   82|       |      /* automatically pick the comba one if available (saves quite a few calls/ifs) */
   83|  2.37k|      if (MP_HAS(S_MP_MONTGOMERY_REDUCE_FAST) &&
  ------------------
  |  |  150|  4.75k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.37k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.37k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 2.37k, Folded]
  |  |  ------------------
  ------------------
   84|  2.37k|          (((P->used * 2) + 1) < MP_WARRAY) &&
  ------------------
  |  |  172|  2.37k|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  2.37k|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  2.37k|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (84:11): [True: 2.37k, False: 0]
  ------------------
   85|  2.37k|          (P->used < MP_MAXFAST)) {
  ------------------
  |  |  168|  2.37k|#define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |  167|  2.37k|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  |  |  ------------------
  |  |               #define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |   82|  2.37k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (85:11): [True: 2.37k, False: 0]
  ------------------
   86|  2.37k|         redux = s_mp_montgomery_reduce_fast;
   87|  2.37k|      } else if (MP_HAS(MP_MONTGOMERY_REDUCE)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
   88|       |         /* use slower baseline Montgomery method */
   89|      0|         redux = mp_montgomery_reduce;
   90|      0|      } else {
   91|      0|         err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   92|      0|         goto LBL_M;
   93|      0|      }
   94|  2.37k|   } else if (redmode == 1) {
  ------------------
  |  Branch (94:15): [True: 0, False: 0]
  ------------------
   95|      0|      if (MP_HAS(MP_DR_SETUP) && MP_HAS(MP_DR_REDUCE)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
                    if (MP_HAS(MP_DR_SETUP) && MP_HAS(MP_DR_REDUCE)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
   96|       |         /* setup DR reduction for moduli of the form B**k - b */
   97|      0|         mp_dr_setup(P, &mp);
   98|      0|         redux = mp_dr_reduce;
   99|      0|      } else {
  100|      0|         err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
  101|      0|         goto LBL_M;
  102|      0|      }
  103|      0|   } else if (MP_HAS(MP_REDUCE_2K_SETUP) && MP_HAS(MP_REDUCE_2K)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
                 } else if (MP_HAS(MP_REDUCE_2K_SETUP) && MP_HAS(MP_REDUCE_2K)) {
  ------------------
  |  |  150|      0|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|      0|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|      0|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 0, Folded]
  |  |  ------------------
  ------------------
  104|       |      /* setup DR reduction for moduli of the form 2**k - b */
  105|      0|      if ((err = mp_reduce_2k_setup(P, &mp)) != MP_OKAY)          goto LBL_M;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (105:11): [True: 0, False: 0]
  ------------------
  106|      0|      redux = mp_reduce_2k;
  107|      0|   } else {
  108|      0|      err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
  109|      0|      goto LBL_M;
  110|      0|   }
  111|       |
  112|       |   /* setup result */
  113|  2.37k|   if ((err = mp_init_size(&res, P->alloc)) != MP_OKAY)           goto LBL_M;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (113:8): [True: 0, False: 2.37k]
  ------------------
  114|       |
  115|       |   /* create M table
  116|       |    *
  117|       |
  118|       |    * Entries M[1<<(winsize-1)] .. M[(1<<winsize)-1] are filled in below.
  119|       |    * The first half of the table is not computed, except for M[1] (M[0] is not initialised or used in this function)
  120|       |    */
  121|       |
  122|  2.37k|   if (redmode == 0) {
  ------------------
  |  Branch (122:8): [True: 2.37k, False: 0]
  ------------------
  123|  2.37k|      if (MP_HAS(MP_MONTGOMERY_CALC_NORMALIZATION)) {
  ------------------
  |  |  150|  2.37k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  2.37k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  2.37k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 2.37k, Folded]
  |  |  ------------------
  ------------------
  124|       |         /* now we need R mod m */
  125|  2.37k|         if ((err = mp_montgomery_calc_normalization(&res, P)) != MP_OKAY) goto LBL_RES;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (125:14): [True: 0, False: 2.37k]
  ------------------
  126|       |
  127|       |         /* now set M[1] to G * R mod m */
  128|  2.37k|         if ((err = mp_mulmod(G, &res, P, &M[1])) != MP_OKAY)     goto LBL_RES;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (128:14): [True: 0, False: 2.37k]
  ------------------
  129|  2.37k|      } else {
  130|      0|         err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
  131|      0|         goto LBL_RES;
  132|      0|      }
  133|  2.37k|   } else {
  134|      0|      mp_set(&res, 1uL);
  135|      0|      if ((err = mp_mod(G, P, &M[1])) != MP_OKAY)                 goto LBL_RES;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (135:11): [True: 0, False: 0]
  ------------------
  136|      0|   }
  137|       |
  138|       |   /* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times */
  139|  2.37k|   if ((err = mp_copy(&M[1], &M[(size_t)1 << (winsize - 1)])) != MP_OKAY) goto LBL_RES;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (139:8): [True: 0, False: 2.37k]
  ------------------
  140|       |
  141|  15.4k|   for (x = 0; x < (winsize - 1); x++) {
  ------------------
  |  Branch (141:16): [True: 13.0k, False: 2.37k]
  ------------------
  142|  13.0k|      if ((err = mp_sqr(&M[(size_t)1 << (winsize - 1)], &M[(size_t)1 << (winsize - 1)])) != MP_OKAY) goto LBL_RES;
  ------------------
  |  |  161|  13.0k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (142:11): [True: 0, False: 13.0k]
  ------------------
  143|  13.0k|      if ((err = redux(&M[(size_t)1 << (winsize - 1)], P, mp)) != MP_OKAY) goto LBL_RES;
  ------------------
  |  |  161|  13.0k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (143:11): [True: 0, False: 13.0k]
  ------------------
  144|  13.0k|   }
  145|       |
  146|       |   /* create upper table */
  147|   135k|   for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
  ------------------
  |  Branch (147:39): [True: 132k, False: 2.37k]
  ------------------
  148|   132k|      if ((err = mp_mul(&M[x - 1], &M[1], &M[x])) != MP_OKAY)     goto LBL_RES;
  ------------------
  |  |  161|   132k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (148:11): [True: 0, False: 132k]
  ------------------
  149|   132k|      if ((err = redux(&M[x], P, mp)) != MP_OKAY)                 goto LBL_RES;
  ------------------
  |  |  161|   132k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (149:11): [True: 0, False: 132k]
  ------------------
  150|   132k|   }
  151|       |
  152|       |   /* set initial mode and bit cnt */
  153|  2.37k|   mode   = 0;
  154|  2.37k|   bitcnt = 1;
  155|  2.37k|   buf    = 0;
  156|  2.37k|   digidx = X->used - 1;
  157|  2.37k|   bitcpy = 0;
  158|  2.37k|   bitbuf = 0;
  159|       |
  160|  4.39M|   for (;;) {
  161|       |      /* grab next digit as required */
  162|  4.39M|      if (--bitcnt == 0) {
  ------------------
  |  Branch (162:11): [True: 75.5k, False: 4.31M]
  ------------------
  163|       |         /* if digidx == -1 we are out of digits so break */
  164|  75.5k|         if (digidx == -1) {
  ------------------
  |  Branch (164:14): [True: 2.37k, False: 73.1k]
  ------------------
  165|  2.37k|            break;
  166|  2.37k|         }
  167|       |         /* read next digit and reset bitcnt */
  168|  73.1k|         buf    = X->dp[digidx--];
  169|  73.1k|         bitcnt = (int)MP_DIGIT_BIT;
  ------------------
  |  |   82|  73.1k|#   define MP_DIGIT_BIT 60
  ------------------
  170|  73.1k|      }
  171|       |
  172|       |      /* grab the next msb from the exponent */
  173|  4.39M|      y     = (mp_digit)(buf >> (MP_DIGIT_BIT - 1)) & 1uL;
  ------------------
  |  |   82|  4.39M|#   define MP_DIGIT_BIT 60
  ------------------
  174|  4.39M|      buf <<= (mp_digit)1;
  175|       |
  176|       |      /* if the bit is zero and mode == 0 then we ignore it
  177|       |       * These represent the leading zero bits before the first 1 bit
  178|       |       * in the exponent.  Technically this opt is not required but it
  179|       |       * does lower the # of trivial squaring/reductions used
  180|       |       */
  181|  4.39M|      if ((mode == 0) && (y == 0)) {
  ------------------
  |  Branch (181:11): [True: 116k, False: 4.27M]
  |  Branch (181:26): [True: 114k, False: 2.22k]
  ------------------
  182|   114k|         continue;
  183|   114k|      }
  184|       |
  185|       |      /* if the bit is zero and mode == 1 then we square */
  186|  4.27M|      if ((mode == 1) && (y == 0)) {
  ------------------
  |  Branch (186:11): [True: 1.07M, False: 3.20M]
  |  Branch (186:26): [True: 538k, False: 533k]
  ------------------
  187|   538k|         if ((err = mp_sqr(&res, &res)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|   538k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (187:14): [True: 0, False: 538k]
  ------------------
  188|   538k|         if ((err = redux(&res, P, mp)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|   538k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (188:14): [True: 0, False: 538k]
  ------------------
  189|   538k|         continue;
  190|   538k|      }
  191|       |
  192|       |      /* else we add it to the window */
  193|  3.73M|      bitbuf |= (y << (winsize - ++bitcpy));
  194|  3.73M|      mode    = 2;
  195|       |
  196|  3.73M|      if (bitcpy == winsize) {
  ------------------
  |  Branch (196:11): [True: 533k, False: 3.20M]
  ------------------
  197|       |         /* ok window is filled so square as required and multiply  */
  198|       |         /* square first */
  199|  4.26M|         for (x = 0; x < winsize; x++) {
  ------------------
  |  Branch (199:22): [True: 3.73M, False: 533k]
  ------------------
  200|  3.73M|            if ((err = mp_sqr(&res, &res)) != MP_OKAY)            goto LBL_RES;
  ------------------
  |  |  161|  3.73M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (200:17): [True: 0, False: 3.73M]
  ------------------
  201|  3.73M|            if ((err = redux(&res, P, mp)) != MP_OKAY)            goto LBL_RES;
  ------------------
  |  |  161|  3.73M|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (201:17): [True: 0, False: 3.73M]
  ------------------
  202|  3.73M|         }
  203|       |
  204|       |         /* then multiply by the table entry selected by the window bits */
  205|   533k|         if ((err = mp_mul(&res, &M[bitbuf], &res)) != MP_OKAY)   goto LBL_RES;
  ------------------
  |  |  161|   533k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (205:14): [True: 0, False: 533k]
  ------------------
  206|   533k|         if ((err = redux(&res, P, mp)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|   533k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (206:14): [True: 0, False: 533k]
  ------------------
  207|       |
  208|       |         /* empty window and reset */
  209|   533k|         bitcpy = 0;
  210|   533k|         bitbuf = 0;
  211|   533k|         mode   = 1;
  212|   533k|      }
  213|  3.73M|   }
  214|       |
  215|       |   /* if bits remain then square/multiply */
  216|  2.37k|   if ((mode == 2) && (bitcpy > 0)) {
  ------------------
  |  Branch (216:8): [True: 1.75k, False: 624]
  |  Branch (216:23): [True: 1.75k, False: 0]
  ------------------
  217|       |      /* square then multiply if the bit is set */
  218|  8.31k|      for (x = 0; x < bitcpy; x++) {
  ------------------
  |  Branch (218:19): [True: 6.56k, False: 1.75k]
  ------------------
  219|  6.56k|         if ((err = mp_sqr(&res, &res)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|  6.56k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (219:14): [True: 0, False: 6.56k]
  ------------------
  220|  6.56k|         if ((err = redux(&res, P, mp)) != MP_OKAY)               goto LBL_RES;
  ------------------
  |  |  161|  6.56k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (220:14): [True: 0, False: 6.56k]
  ------------------
  221|       |
  222|       |         /* get next bit of the window */
  223|  6.56k|         bitbuf <<= 1;
  224|  6.56k|         if ((bitbuf & (1 << winsize)) != 0) {
  ------------------
  |  Branch (224:14): [True: 3.84k, False: 2.71k]
  ------------------
  225|       |            /* then multiply */
  226|  3.84k|            if ((err = mp_mul(&res, &M[1], &res)) != MP_OKAY)     goto LBL_RES;
  ------------------
  |  |  161|  3.84k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (226:17): [True: 0, False: 3.84k]
  ------------------
  227|  3.84k|            if ((err = redux(&res, P, mp)) != MP_OKAY)            goto LBL_RES;
  ------------------
  |  |  161|  3.84k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (227:17): [True: 0, False: 3.84k]
  ------------------
  228|  3.84k|         }
  229|  6.56k|      }
  230|  1.75k|   }
  231|       |
  232|  2.37k|   if (redmode == 0) {
  ------------------
  |  Branch (232:8): [True: 2.37k, False: 0]
  ------------------
  233|       |      /* fixup result if Montgomery reduction is used
  234|       |       * recall that any value in a Montgomery system is
  235|       |       * actually multiplied by R mod n.  So we have
  236|       |       * to reduce one more time to cancel out the factor
  237|       |       * of R.
  238|       |       */
  239|  2.37k|      if ((err = redux(&res, P, mp)) != MP_OKAY)                  goto LBL_RES;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (239:11): [True: 0, False: 2.37k]
  ------------------
  240|  2.37k|   }
  241|       |
  242|       |   /* swap res with Y */
  243|  2.37k|   mp_exch(&res, Y);
  244|  2.37k|   err = MP_OKAY;
  ------------------
  |  |  161|  2.37k|#define MP_OKAY       0   /* no error */
  ------------------
  245|  2.37k|LBL_RES:
  246|  2.37k|   mp_clear(&res);
  247|  2.37k|LBL_M:
  248|  2.37k|   mp_clear(&M[1]);
  249|   137k|   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
  ------------------
  |  Branch (249:29): [True: 135k, False: 2.37k]
  ------------------
  250|   135k|      mp_clear(&M[x]);
  251|   135k|   }
  252|  2.37k|   return err;
  253|  2.37k|}

s_mp_invmod_fast:
/*
 * Modular inverse for an odd modulus: on success D (the inverse of a mod b)
 * is exchanged into c.  The signature is not part of this listing; the body
 * reads a and b and writes c.
 *
 * Returns MP_VAL when b is even, when b or (a mod b) is zero, or when the
 * loop ends with v != 1 (no inverse exists); otherwise MP_OKAY or the error
 * of the first failing mp_* call.  Once mp_init_multi has succeeded, every
 * path releases the temporaries at LBL_ERR.
 *
 * NOTE(review): the number of loop iterations and the branches taken depend
 * on the values of a and b, so run time varies with the operands; confirm
 * how callers handle secret operands.
 *
 * Coverage in this run: the "no inverse" exit (source line 95) is hit 5
 * times; every other error exit shows 0 hits.
 */
   13|    852|{
   14|    852|   mp_int  x, y, u, v, B, D;
   15|    852|   mp_sign neg;
   16|    852|   mp_err  err;
   17|       |
   18|       |   /* 2. [modified] b must be odd   */
   19|    852|   if (MP_IS_EVEN(b)) {
  ------------------
  |  |  164|    852|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 852]
  |  |  |  Branch (164:44): [True: 0, False: 852]
  |  |  ------------------
  ------------------
   20|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   21|      0|   }
   22|       |
   23|       |   /* init all our temps */
   24|    852|   if ((err = mp_init_multi(&x, &y, &u, &v, &B, &D, NULL)) != MP_OKAY) {
  ------------------
  |  |  161|    852|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (24:8): [True: 0, False: 852]
  ------------------
   25|      0|      return err;
   26|      0|   }
   27|       |
   28|       |   /* x == modulus, y == value to invert */
   29|    852|   if ((err = mp_copy(b, &x)) != MP_OKAY)                         goto LBL_ERR;
  ------------------
  |  |  161|    852|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (29:8): [True: 0, False: 852]
  ------------------
   30|       |
   31|       |   /* we need y = a mod b */
   32|    852|   if ((err = mp_mod(a, b, &y)) != MP_OKAY)                       goto LBL_ERR;
  ------------------
  |  |  161|    852|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (32:8): [True: 0, False: 852]
  ------------------
   33|       |
   34|       |   /* if one of x,y is zero return an error! */
   35|    852|   if (MP_IS_ZERO(&x) || MP_IS_ZERO(&y)) {
  ------------------
  |  |  163|  1.70k|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 0, False: 852]
  |  |  ------------------
  ------------------
                 if (MP_IS_ZERO(&x) || MP_IS_ZERO(&y)) {
  ------------------
  |  |  163|    852|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 0, False: 852]
  |  |  ------------------
  ------------------
   36|      0|      err = MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   37|      0|      goto LBL_ERR;
   38|      0|   }
   39|       |
   40|       |   /* 3. u=x, v=y, B=0, D=1 (A and C of the general algorithm are not tracked here) */
   41|    852|   if ((err = mp_copy(&x, &u)) != MP_OKAY)                        goto LBL_ERR;
  ------------------
  |  |  161|    852|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (41:8): [True: 0, False: 852]
  ------------------
   42|    852|   if ((err = mp_copy(&y, &v)) != MP_OKAY)                        goto LBL_ERR;
  ------------------
  |  |  161|    852|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (42:8): [True: 0, False: 852]
  ------------------
   43|    852|   mp_set(&D, 1uL);
   44|       |
   45|   267k|top:
   46|       |   /* 4.  while u is even do */
   47|   543k|   while (MP_IS_EVEN(&u)) {
  ------------------
  |  |  164|   543k|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 543k]
  |  |  |  Branch (164:44): [True: 276k, False: 267k]
  |  |  ------------------
  ------------------
   48|       |      /* 4.1 u = u/2 */
   49|   276k|      if ((err = mp_div_2(&u, &u)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|   276k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (49:11): [True: 0, False: 276k]
  ------------------
   50|       |
   51|       |      /* 4.2 if B is odd then */
   52|   276k|      if (MP_IS_ODD(&B)) {
  ------------------
  |  |  165|   276k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 276k, False: 0]
  |  |  |  Branch (165:43): [True: 141k, False: 134k]
  |  |  ------------------
  ------------------
   53|   141k|         if ((err = mp_sub(&B, &x, &B)) != MP_OKAY)               goto LBL_ERR;
  ------------------
  |  |  161|   141k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (53:14): [True: 0, False: 141k]
  ------------------
   54|   141k|      }
   55|       |      /* B = B/2 */
   56|   276k|      if ((err = mp_div_2(&B, &B)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|   276k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (56:11): [True: 0, False: 276k]
  ------------------
   57|   276k|   }
   58|       |
   59|       |   /* 5.  while v is even do */
   60|   517k|   while (MP_IS_EVEN(&v)) {
  ------------------
  |  |  164|   517k|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 517k]
  |  |  |  Branch (164:44): [True: 250k, False: 267k]
  |  |  ------------------
  ------------------
   61|       |      /* 5.1 v = v/2 */
   62|   250k|      if ((err = mp_div_2(&v, &v)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|   250k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (62:11): [True: 0, False: 250k]
  ------------------
   63|       |
   64|       |      /* 5.2 if D is odd then */
   65|   250k|      if (MP_IS_ODD(&D)) {
  ------------------
  |  |  165|   250k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 250k, False: 0]
  |  |  |  Branch (165:43): [True: 200k, False: 49.7k]
  |  |  ------------------
  ------------------
   66|       |         /* D = (D-x)/2 */
   67|   200k|         if ((err = mp_sub(&D, &x, &D)) != MP_OKAY)               goto LBL_ERR;
  ------------------
  |  |  161|   200k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (67:14): [True: 0, False: 200k]
  ------------------
   68|   200k|      }
   69|       |      /* D = D/2 */
   70|   250k|      if ((err = mp_div_2(&D, &D)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|   250k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (70:11): [True: 0, False: 250k]
  ------------------
   71|   250k|   }
   72|       |
   73|       |   /* 6.  if u >= v then */
   74|   267k|   if (mp_cmp(&u, &v) != MP_LT) {
  ------------------
  |  |  154|   267k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (74:8): [True: 141k, False: 125k]
  ------------------
   75|       |      /* u = u - v, B = B - D */
   76|   141k|      if ((err = mp_sub(&u, &v, &u)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|   141k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (76:11): [True: 0, False: 141k]
  ------------------
   77|       |
   78|   141k|      if ((err = mp_sub(&B, &D, &B)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|   141k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (78:11): [True: 0, False: 141k]
  ------------------
   79|   141k|   } else {
   80|       |      /* v = v - u, D = D - B */
   81|   125k|      if ((err = mp_sub(&v, &u, &v)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|   125k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (81:11): [True: 0, False: 125k]
  ------------------
   82|       |
   83|   125k|      if ((err = mp_sub(&D, &B, &D)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|   125k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (83:11): [True: 0, False: 125k]
  ------------------
   84|   125k|   }
   85|       |
   86|       |   /* if not zero goto step 4 */
   87|   267k|   if (!MP_IS_ZERO(&u)) {
  ------------------
  |  |  163|   267k|#define MP_IS_ZERO(a) ((a)->used == 0)
  ------------------
  |  Branch (87:8): [True: 266k, False: 852]
  ------------------
   88|   266k|      goto top;
   89|   266k|   }
   90|       |
   91|       |   /* now a = C, b = D, gcd == g*v */
   92|       |
   93|       |   /* if v != 1 then there is no inverse */
   94|    852|   if (mp_cmp_d(&v, 1uL) != MP_EQ) {
  ------------------
  |  |  155|    852|#define MP_EQ         0   /* equal to */
  ------------------
  |  Branch (94:8): [True: 5, False: 847]
  ------------------
   95|      5|      err = MP_VAL;
  ------------------
  |  |  164|      5|#define MP_VAL        -3  /* invalid input */
  ------------------
   96|      5|      goto LBL_ERR;
   97|      5|   }
   98|       |
   99|       |   /* D now holds the inverse; normalise it: add b while it is negative */
  100|    847|   neg = a->sign;
  101|  1.62k|   while (D.sign == MP_NEG) {
  ------------------
  |  |  152|  1.62k|#define MP_NEG        1   /* negative */
  ------------------
  |  Branch (101:11): [True: 777, False: 847]
  ------------------
  102|    777|      if ((err = mp_add(&D, b, &D)) != MP_OKAY)                   goto LBL_ERR;
  ------------------
  |  |  161|    777|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (102:11): [True: 0, False: 777]
  ------------------
  103|    777|   }
  104|       |
  105|       |   /* too big: subtract b while |D| >= |b| */
  106|    848|   while (mp_cmp_mag(&D, b) != MP_LT) {
  ------------------
  |  |  154|    848|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (106:11): [True: 1, False: 847]
  ------------------
  107|      1|      if ((err = mp_sub(&D, b, &D)) != MP_OKAY)                   goto LBL_ERR;
  ------------------
  |  |  161|      1|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (107:11): [True: 0, False: 1]
  ------------------
  108|      1|   }
  109|       |
  110|    847|   mp_exch(&D, c);
  111|    847|   c->sign = neg; /* result takes the sign of a, saved in neg above */
  112|    847|   err = MP_OKAY;
  ------------------
  |  |  161|    847|#define MP_OKAY       0   /* no error */
  ------------------
  113|       |
  114|    852|LBL_ERR:
  115|       |   mp_clear_multi(&x, &y, &u, &v, &B, &D, NULL);
  116|    852|   return err;
  117|    847|}

s_mp_invmod_slow:
/*
 * Computes the modular inverse of a modulo b into c; the signature line is
 * not part of this listing, so parameter types are not visible here.
 *
 * Returns MP_VAL when b is negative or zero, when (a mod b) and b are both
 * even, or when the loop ends with v != 1 (no inverse exists).  A failure
 * from any mp_* helper is returned as-is.  Every exit after mp_init_multi
 * goes through LBL_ERR, which clears all eight temporaries.
 *
 * The number of loop iterations and the branches taken depend on the
 * operand values (parity tests on u, v, A, B, C, D), so running time is
 * data-dependent.  NOTE(review): if a caller ever passes secret values,
 * confirm that variable-time inversion is acceptable there.
 *
 * Coverage in this run: 56 calls, 44 returned an inverse, 11 stopped at
 * v != 1 and 1 at the both-even check.  The b <= 0 rejection and every
 * helper-error branch show 0 hits, so those paths are untested here.
 */
    8|     56|{
    9|     56|   mp_int  x, y, u, v, A, B, C, D;
   10|     56|   mp_err  err;
   11|       |
   12|       |   /* b cannot be negative or zero */
   13|     56|   if ((b->sign == MP_NEG) || MP_IS_ZERO(b)) {
  ------------------
  |  |  152|     56|#define MP_NEG        1   /* negative */
  ------------------
                 if ((b->sign == MP_NEG) || MP_IS_ZERO(b)) {
  ------------------
  |  |  163|     56|#define MP_IS_ZERO(a) ((a)->used == 0)
  |  |  ------------------
  |  |  |  Branch (163:23): [True: 0, False: 56]
  |  |  ------------------
  ------------------
  |  Branch (13:8): [True: 0, False: 56]
  ------------------
   14|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   15|      0|   }
   16|       |
   17|       |   /* init temps */
   18|     56|   if ((err = mp_init_multi(&x, &y, &u, &v,
  ------------------
  |  Branch (18:8): [True: 0, False: 56]
  ------------------
   19|     56|                            &A, &B, &C, &D, NULL)) != MP_OKAY) {
  ------------------
  |  |  161|     56|#define MP_OKAY       0   /* no error */
  ------------------
   20|      0|      return err;
   21|      0|   }
   22|       |
   23|       |   /* x = a mod b, y = b */
   24|     56|   if ((err = mp_mod(a, b, &x)) != MP_OKAY)                       goto LBL_ERR;
  ------------------
  |  |  161|     56|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (24:8): [True: 0, False: 56]
  ------------------
   25|     56|   if ((err = mp_copy(b, &y)) != MP_OKAY)                         goto LBL_ERR;
  ------------------
  |  |  161|     56|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (25:8): [True: 0, False: 56]
  ------------------
   26|       |
   27|       |   /* 2. [modified] if x,y are both even then return an error! (2 would divide both, so no inverse exists) */
   28|     56|   if (MP_IS_EVEN(&x) && MP_IS_EVEN(&y)) {
  ------------------
  |  |  164|    112|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 56]
  |  |  |  Branch (164:44): [True: 1, False: 55]
  |  |  ------------------
  ------------------
                 if (MP_IS_EVEN(&x) && MP_IS_EVEN(&y)) {
  ------------------
  |  |  164|      1|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 1]
  |  |  |  Branch (164:44): [True: 1, False: 0]
  |  |  ------------------
  ------------------
   29|      1|      err = MP_VAL;
  ------------------
  |  |  164|      1|#define MP_VAL        -3  /* invalid input */
  ------------------
   30|      1|      goto LBL_ERR;
   31|      1|   }
   32|       |
   33|       |   /* 3. u=x, v=y, A=1, B=0, C=0, D=1 (B and C are not set here; presumably left at 0 by mp_init_multi) */
   34|     55|   if ((err = mp_copy(&x, &u)) != MP_OKAY)                        goto LBL_ERR;
  ------------------
  |  |  161|     55|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (34:8): [True: 0, False: 55]
  ------------------
   35|     55|   if ((err = mp_copy(&y, &v)) != MP_OKAY)                        goto LBL_ERR;
  ------------------
  |  |  161|     55|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (35:8): [True: 0, False: 55]
  ------------------
   36|     55|   mp_set(&A, 1uL);
   37|     55|   mp_set(&D, 1uL);
   38|       |
   39|  4.36k|top:
   40|       |   /* 4.  while u is even do */
   41|  7.70k|   while (MP_IS_EVEN(&u)) {
  ------------------
  |  |  164|  7.70k|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 7.70k]
  |  |  |  Branch (164:44): [True: 3.33k, False: 4.36k]
  |  |  ------------------
  ------------------
   42|       |      /* 4.1 u = u/2 */
   43|  3.33k|      if ((err = mp_div_2(&u, &u)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|  3.33k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (43:11): [True: 0, False: 3.33k]
  ------------------
   44|       |
   45|       |      /* 4.2 if A or B is odd then */
   46|  3.33k|      if (MP_IS_ODD(&A) || MP_IS_ODD(&B)) {
  ------------------
  |  |  165|  6.67k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 3.33k, False: 0]
  |  |  |  Branch (165:43): [True: 0, False: 3.33k]
  |  |  ------------------
  ------------------
                    if (MP_IS_ODD(&A) || MP_IS_ODD(&B)) {
  ------------------
  |  |  165|  3.33k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 3.33k, False: 0]
  |  |  |  Branch (165:43): [True: 1.55k, False: 1.78k]
  |  |  ------------------
  ------------------
   47|       |         /* A = (A+y)/2, B = (B-x)/2 */
   48|  1.55k|         if ((err = mp_add(&A, &y, &A)) != MP_OKAY)               goto LBL_ERR;
  ------------------
  |  |  161|  1.55k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (48:14): [True: 0, False: 1.55k]
  ------------------
   49|  1.55k|         if ((err = mp_sub(&B, &x, &B)) != MP_OKAY)               goto LBL_ERR;
  ------------------
  |  |  161|  1.55k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (49:14): [True: 0, False: 1.55k]
  ------------------
   50|  1.55k|      }
   51|       |      /* A = A/2, B = B/2 */
   52|  3.33k|      if ((err = mp_div_2(&A, &A)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|  3.33k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (52:11): [True: 0, False: 3.33k]
  ------------------
   53|  3.33k|      if ((err = mp_div_2(&B, &B)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|  3.33k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (53:11): [True: 0, False: 3.33k]
  ------------------
   54|  3.33k|   }
   55|       |
   56|       |   /* 5.  while v is even do */
   57|  11.4k|   while (MP_IS_EVEN(&v)) {
  ------------------
  |  |  164|  11.4k|#define MP_IS_EVEN(a) (((a)->used == 0) || (((a)->dp[0] & 1u) == 0u))
  |  |  ------------------
  |  |  |  Branch (164:24): [True: 0, False: 11.4k]
  |  |  |  Branch (164:44): [True: 7.03k, False: 4.36k]
  |  |  ------------------
  ------------------
   58|       |      /* 5.1 v = v/2 */
   59|  7.03k|      if ((err = mp_div_2(&v, &v)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|  7.03k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (59:11): [True: 0, False: 7.03k]
  ------------------
   60|       |
   61|       |      /* 5.2 if C or D is odd then */
   62|  7.03k|      if (MP_IS_ODD(&C) || MP_IS_ODD(&D)) {
  ------------------
  |  |  165|  14.0k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 6.98k, False: 55]
  |  |  |  Branch (165:43): [True: 0, False: 6.98k]
  |  |  ------------------
  ------------------
                    if (MP_IS_ODD(&C) || MP_IS_ODD(&D)) {
  ------------------
  |  |  165|  7.03k|#define MP_IS_ODD(a)  (((a)->used > 0) && (((a)->dp[0] & 1u) == 1u))
  |  |  ------------------
  |  |  |  Branch (165:24): [True: 6.87k, False: 158]
  |  |  |  Branch (165:43): [True: 4.45k, False: 2.42k]
  |  |  ------------------
  ------------------
   63|       |         /* C = (C+y)/2, D = (D-x)/2 */
   64|  4.45k|         if ((err = mp_add(&C, &y, &C)) != MP_OKAY)               goto LBL_ERR;
  ------------------
  |  |  161|  4.45k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (64:14): [True: 0, False: 4.45k]
  ------------------
   65|  4.45k|         if ((err = mp_sub(&D, &x, &D)) != MP_OKAY)               goto LBL_ERR;
  ------------------
  |  |  161|  4.45k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (65:14): [True: 0, False: 4.45k]
  ------------------
   66|  4.45k|      }
   67|       |      /* C = C/2, D = D/2 */
   68|  7.03k|      if ((err = mp_div_2(&C, &C)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|  7.03k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (68:11): [True: 0, False: 7.03k]
  ------------------
   69|  7.03k|      if ((err = mp_div_2(&D, &D)) != MP_OKAY)                    goto LBL_ERR;
  ------------------
  |  |  161|  7.03k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (69:11): [True: 0, False: 7.03k]
  ------------------
   70|  7.03k|   }
   71|       |
   72|       |   /* 6.  if u >= v then */
   73|  4.36k|   if (mp_cmp(&u, &v) != MP_LT) {
  ------------------
  |  |  154|  4.36k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (73:8): [True: 1.51k, False: 2.85k]
  ------------------
   74|       |      /* u = u - v, A = A - C, B = B - D */
   75|  1.51k|      if ((err = mp_sub(&u, &v, &u)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|  1.51k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (75:11): [True: 0, False: 1.51k]
  ------------------
   76|       |
   77|  1.51k|      if ((err = mp_sub(&A, &C, &A)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|  1.51k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (77:11): [True: 0, False: 1.51k]
  ------------------
   78|       |
   79|  1.51k|      if ((err = mp_sub(&B, &D, &B)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|  1.51k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (79:11): [True: 0, False: 1.51k]
  ------------------
   80|  2.85k|   } else {
   81|       |      /* v = v - u, C = C - A, D = D - B */
   82|  2.85k|      if ((err = mp_sub(&v, &u, &v)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|  2.85k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (82:11): [True: 0, False: 2.85k]
  ------------------
   83|       |
   84|  2.85k|      if ((err = mp_sub(&C, &A, &C)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|  2.85k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (84:11): [True: 0, False: 2.85k]
  ------------------
   85|       |
   86|  2.85k|      if ((err = mp_sub(&D, &B, &D)) != MP_OKAY)                  goto LBL_ERR;
  ------------------
  |  |  161|  2.85k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (86:11): [True: 0, False: 2.85k]
  ------------------
   87|  2.85k|   }
   88|       |
   89|       |   /* if u is not zero goto step 4 */
   90|  4.36k|   if (!MP_IS_ZERO(&u)) {
  ------------------
  |  |  163|  4.36k|#define MP_IS_ZERO(a) ((a)->used == 0)
  ------------------
  |  Branch (90:8): [True: 4.30k, False: 55]
  ------------------
   91|  4.30k|      goto top;
   92|  4.30k|   }
   93|       |
   94|       |   /* now a = C, b = D, gcd == g*v */
   95|       |
   96|       |   /* if v != 1 then there is no inverse */
   97|     55|   if (mp_cmp_d(&v, 1uL) != MP_EQ) {
  ------------------
  |  |  155|     55|#define MP_EQ         0   /* equal to */
  ------------------
  |  Branch (97:8): [True: 11, False: 44]
  ------------------
   98|     11|      err = MP_VAL;
  ------------------
  |  |  164|     11|#define MP_VAL        -3  /* invalid input */
  ------------------
   99|     11|      goto LBL_ERR;
  100|     11|   }
  101|       |
  102|       |   /* if it's too low (negative), add b until it is not */
  103|     54|   while (mp_cmp_d(&C, 0uL) == MP_LT) {
  ------------------
  |  |  154|     54|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (103:11): [True: 10, False: 44]
  ------------------
  104|     10|      if ((err = mp_add(&C, b, &C)) != MP_OKAY)                   goto LBL_ERR;
  ------------------
  |  |  161|     10|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (104:11): [True: 0, False: 10]
  ------------------
  105|     10|   }
  106|       |
  107|       |   /* too big: subtract b while |C| >= |b| */
  108|     47|   while (mp_cmp_mag(&C, b) != MP_LT) {
  ------------------
  |  |  154|     47|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (108:11): [True: 3, False: 44]
  ------------------
  109|      3|      if ((err = mp_sub(&C, b, &C)) != MP_OKAY)                   goto LBL_ERR;
  ------------------
  |  |  161|      3|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (109:11): [True: 0, False: 3]
  ------------------
  110|      3|   }
  111|       |
  112|       |   /* C is now the inverse */
  113|     44|   mp_exch(&C, c);
  114|     44|   err = MP_OKAY;
  ------------------
  |  |  161|     44|#define MP_OKAY       0   /* no error */
  ------------------
  115|     56|LBL_ERR:
  116|       |   mp_clear_multi(&x, &y, &u, &v, &A, &B, &C, &D, NULL);
  117|     56|   return err;
  118|     44|}

s_mp_montgomery_reduce_fast:
/*
 * Montgomery reduction of x modulo n using rho, working in a fixed-size
 * stack array W[MP_WARRAY] of mp_word; the signature line is not part of
 * this listing, so parameter types are not visible here.  The result is
 * written back into x.
 *
 * Returns MP_VAL when x->used > MP_WARRAY, the mp_grow error if x cannot be
 * grown to n->used + 1 digits, otherwise MP_OKAY or the result of the final
 * s_mp_sub.
 *
 * NOTE(review): W is written up to index n->used * 2 (zero fill, carry
 * fix-up), but the only size check in this body is on x->used.  Presumably
 * the caller guarantees (n->used * 2) + 1 <= MP_WARRAY before dispatching
 * here -- confirm against the caller.
 *
 * The final subtraction runs only when x >= n, so that step is a
 * value-dependent branch.
 *
 * Coverage in this run: about 13.5M calls; the MP_VAL rejection and the
 * mp_grow path show 0 hits, and the final subtraction ran 126 times.
 */
   15|  13.5M|{
   16|  13.5M|   int     ix, olduse;
   17|  13.5M|   mp_err  err;
   18|  13.5M|   mp_word W[MP_WARRAY];
   19|       |
   20|  13.5M|   if (x->used > MP_WARRAY) {
  ------------------
  |  |  172|  13.5M|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  13.5M|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  13.5M|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (20:8): [True: 0, False: 13.5M]
  ------------------
   21|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   22|      0|   }
   23|       |
   24|       |   /* get old used count */
   25|  13.5M|   olduse = x->used;
   26|       |
   27|       |   /* grow x as required (it must hold n->used + 1 digits) */
   28|  13.5M|   if (x->alloc < (n->used + 1)) {
  ------------------
  |  Branch (28:8): [True: 0, False: 13.5M]
  ------------------
   29|      0|      if ((err = mp_grow(x, n->used + 1)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (29:11): [True: 0, False: 0]
  ------------------
   30|      0|         return err;
   31|      0|      }
   32|      0|   }
   33|       |
   34|       |   /* first we have to get the digits of the input into
   35|       |    * an array of double precision words W[...]
   36|       |    */
   37|  13.5M|   {
   38|  13.5M|      mp_word *_W;
   39|  13.5M|      mp_digit *tmpx;
   40|       |
   41|       |      /* alias for the W[] array */
   42|  13.5M|      _W   = W;
   43|       |
   44|       |      /* alias for the digits of x */
   45|  13.5M|      tmpx = x->dp;
   46|       |
   47|       |      /* copy the digits of x into W[0..x->used-1] */
   48|   496M|      for (ix = 0; ix < x->used; ix++) {
  ------------------
  |  Branch (48:20): [True: 483M, False: 13.5M]
  ------------------
   49|   483M|         *_W++ = *tmpx++;
   50|   483M|      }
   51|       |
   52|       |      /* zero the high words of W[x->used..n->used*2] */
   53|  13.5M|      if (ix < ((n->used * 2) + 1)) {
  ------------------
  |  Branch (53:11): [True: 13.5M, False: 0]
  ------------------
   54|  13.5M|         MP_ZERO_BUFFER(_W, sizeof(mp_word) * (size_t)(((n->used * 2) + 1) - ix));
  ------------------
  |  |   81|  13.5M|#  define MP_ZERO_BUFFER(mem, size)                     \
  |  |   82|  13.5M|do {                                                    \
  |  |   83|  13.5M|   size_t zs_ = (size);                                 \
  |  |   84|  13.5M|   char* zm_ = (char*)(mem);                            \
  |  |   85|   353M|   while (zs_-- > 0u) {                                 \
  |  |  ------------------
  |  |  |  Branch (85:11): [True: 339M, False: 13.5M]
  |  |  ------------------
  |  |   86|   339M|      *zm_++ = '\0';                                    \
  |  |   87|   339M|   }                                                    \
  |  |   88|  13.5M|} while (0)
  |  |  ------------------
  |  |  |  Branch (88:10): [Folded, False: 13.5M]
  |  |  ------------------
  ------------------
   55|  13.5M|      }
   56|  13.5M|   }
   57|       |
   58|       |   /* now we proceed to zero successive digits
   59|       |    * from the least significant upwards
   60|       |    */
   61|   259M|   for (ix = 0; ix < n->used; ix++) {
  ------------------
  |  Branch (61:17): [True: 245M, False: 13.5M]
  ------------------
   62|       |      /* mu = ai * m' mod b
   63|       |       *
   64|       |       * In the statement below ai corresponds to W[ix] & MP_MASK, m' to rho,
   65|       |       * and the final & MP_MASK to the "mod b".
   66|       |       *
   67|       |       * We avoid a double precision multiplication (which isn't required)
   68|       |       * by casting the value down to a mp_digit.  Note this requires
   69|       |       * that W[ix-1] have the carry cleared (see after the inner loop)
   67|       |       */
   68|   245M|      mp_digit mu;
   69|   245M|      mu = ((W[ix] & MP_MASK) * rho) & MP_MASK;
  ------------------
  |  |  106|   245M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   245M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
                    mu = ((W[ix] & MP_MASK) * rho) & MP_MASK;
  ------------------
  |  |  106|   245M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   245M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   70|       |
   71|       |      /* x = x + mu * n * b**i
   72|       |       *
   73|       |       * This is computed in place and on the fly.  The multiplication
   74|       |       * by b**i is handled by offsetting which columns the results
   75|       |       * are added to.
   76|       |       *
   77|       |       * Note the comba method normally doesn't handle carries in the
   78|       |       * inner loop.  In this case we fix the carry from the previous
   79|       |       * column since the Montgomery reduction requires digits of the
   80|       |       * result (so far) [see above] to work.  This is
   81|       |       * handled by fixing up one carry after the inner loop.  The
   82|       |       * carry fixups are done in order so after these loops the
   83|       |       * first n->used words of W[] have the carries fixed
   84|       |       */
   85|   245M|      {
   86|   245M|         int iy;
   87|   245M|         mp_digit *tmpn;
   88|   245M|         mp_word *_W;
   89|       |
   90|       |         /* alias for the digits of the modulus */
   91|   245M|         tmpn = n->dp;
   92|       |
   93|       |         /* Alias for the columns set by an offset of ix */
   94|   245M|         _W = W + ix;
   95|       |
   96|       |         /* inner loop */
   97|  6.93G|         for (iy = 0; iy < n->used; iy++) {
  ------------------
  |  Branch (97:23): [True: 6.68G, False: 245M]
  ------------------
   98|  6.68G|            *_W++ += (mp_word)mu * (mp_word)*tmpn++;
   99|  6.68G|         }
  100|   245M|      }
  101|       |
  102|       |      /* now fix carry for next digit, W[ix+1] */
  103|   245M|      W[ix + 1] += W[ix] >> (mp_word)MP_DIGIT_BIT;
  ------------------
  |  |   82|   245M|#   define MP_DIGIT_BIT 60
  ------------------
  104|   245M|   }
  105|       |
  106|       |   /* now we have to propagate the carries and
  107|       |    * shift the words downward [all those least
  108|       |    * significant digits we zeroed].
  109|       |    */
  110|  13.5M|   {
  111|  13.5M|      mp_digit *tmpx;
  112|  13.5M|      mp_word *_W, *_W1;
  113|       |
  114|       |      /* now fix rest of carries */
  115|       |
  116|       |      /* alias for current word */
  117|  13.5M|      _W1 = W + ix;
  118|       |
  119|       |      /* alias for next word, where the carry goes */
  120|  13.5M|      _W = W + ++ix;
  121|       |
  122|   259M|      for (; ix < ((n->used * 2) + 1); ix++) {
  ------------------
  |  Branch (122:14): [True: 245M, False: 13.5M]
  ------------------
  123|   245M|         *_W++ += *_W1++ >> (mp_word)MP_DIGIT_BIT;
  ------------------
  |  |   82|   245M|#   define MP_DIGIT_BIT 60
  ------------------
  124|   245M|      }
  125|       |
  126|       |      /* copy out, x = x/b**n
  127|       |       *
  128|       |       * The result is x/b**n but instead of converting from an
  129|       |       * array of mp_word to mp_digit then calling mp_rshd
  130|       |       * we just copy them in the right order
  131|       |       */
  132|       |
  133|       |      /* alias for destination word */
  134|  13.5M|      tmpx = x->dp;
  135|       |
  136|       |      /* alias for shifted double precision result */
  137|  13.5M|      _W = W + n->used;
  138|       |
  139|   272M|      for (ix = 0; ix < (n->used + 1); ix++) {
  ------------------
  |  Branch (139:20): [True: 259M, False: 13.5M]
  ------------------
  140|   259M|         *tmpx++ = *_W++ & (mp_word)MP_MASK;
  ------------------
  |  |  106|   259M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   259M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  141|   259M|      }
  142|       |
  143|       |      /* zero the old used digits: if the input x was larger than
  144|       |       * n->used+1 we'll have to clear the digits
  145|       |       */
  146|  13.5M|      MP_ZERO_DIGITS(tmpx, olduse - ix);
  ------------------
  |  |   89|  13.5M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  13.5M|do {                                                    \
  |  |   91|  13.5M|   int zd_ = (digits);                                  \
  |  |   92|  13.5M|   mp_digit* zm_ = (mem);                               \
  |  |   93|   238M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 224M, False: 13.5M]
  |  |  ------------------
  |  |   94|   224M|      *zm_++ = 0;                                       \
  |  |   95|   224M|   }                                                    \
  |  |   96|  13.5M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 13.5M]
  |  |  ------------------
  ------------------
  147|  13.5M|   }
  148|       |
  149|       |   /* set the max used and clamp */
  150|  13.5M|   x->used = n->used + 1;
  151|  13.5M|   mp_clamp(x);
  152|       |
  153|       |   /* if x >= n then x = x - n */
  154|  13.5M|   if (mp_cmp_mag(x, n) != MP_LT) {
  ------------------
  |  |  154|  13.5M|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (154:8): [True: 126, False: 13.5M]
  ------------------
  155|    126|      return s_mp_sub(x, n, x);
  156|    126|   }
  157|  13.5M|   return MP_OKAY;
  ------------------
  |  |  161|  13.5M|#define MP_OKAY       0   /* no error */
  ------------------
  158|  13.5M|}

s_mp_mul_digs:
/*
 * Multiplies a by b and keeps only the low `digs` digits of the product in
 * c; the signature line is not part of this listing, so parameter types
 * are not visible here.
 *
 * Returns MP_VAL for digs < 0.  When digs < MP_WARRAY and
 * min(a->used, b->used) < MP_MAXFAST the work is handed to
 * s_mp_mul_digs_fast; otherwise the baseline loop below builds the result
 * in a temporary t, swaps it into c and clears t.
 *
 * Coverage in this run: all 27.1k calls took the fast dispatch.  Lines
 * 29-76 (the baseline loop, including the mp_init_size failure return)
 * show 0 hits, so this run says nothing about that path.
 */
   11|  27.1k|{
   12|  27.1k|   mp_int  t;
   13|  27.1k|   mp_err  err;
   14|  27.1k|   int     pa, pb, ix, iy;
   15|  27.1k|   mp_digit u;
   16|  27.1k|   mp_word r;
   17|  27.1k|   mp_digit tmpx, *tmpt, *tmpy;
   18|       |
   19|  27.1k|   if (digs < 0) {
  ------------------
  |  Branch (19:8): [True: 0, False: 27.1k]
  ------------------
   20|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   21|      0|   }
   22|       |
   23|       |   /* can we use the fast multiplier? */
   24|  27.1k|   if ((digs < MP_WARRAY) &&
  ------------------
  |  |  172|  27.1k|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  27.1k|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (24:8): [True: 27.1k, False: 0]
  ------------------
   25|  27.1k|       (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
  ------------------
  |  |  156|  27.1k|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 18.9k, False: 8.21k]
  |  |  ------------------
  ------------------
                     (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
  ------------------
  |  |  168|  27.1k|#define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |  167|  27.1k|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  |  |  ------------------
  |  |               #define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (25:8): [True: 27.1k, False: 0]
  ------------------
   26|  27.1k|      return s_mp_mul_digs_fast(a, b, c, digs);
   27|  27.1k|   }
   28|       |
   29|      0|   if ((err = mp_init_size(&t, digs)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (29:8): [True: 0, False: 0]
  ------------------
   30|      0|      return err;
   31|      0|   }
   32|      0|   t.used = digs;
   33|       |
   34|       |   /* compute the digits of the product directly */
   35|      0|   pa = a->used;
   36|      0|   for (ix = 0; ix < pa; ix++) {
  ------------------
  |  Branch (36:17): [True: 0, False: 0]
  ------------------
   37|       |      /* set the carry to zero */
   38|      0|      u = 0;
   39|       |
   40|       |      /* limit ourselves to making digs digits of output */
   41|      0|      pb = MP_MIN(b->used, digs - ix);
  ------------------
  |  |  156|      0|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 0, False: 0]
  |  |  ------------------
  ------------------
   42|       |
   43|       |      /* setup some aliases */
   44|       |      /* copy of the digit from a used within the nested loop */
   45|      0|      tmpx = a->dp[ix];
   46|       |
   47|       |      /* an alias for the destination shifted ix places */
   48|      0|      tmpt = t.dp + ix;
   49|       |
   50|       |      /* an alias for the digits of b */
   51|      0|      tmpy = b->dp;
   52|       |
   53|       |      /* compute the columns of the output and propagate the carry */
   54|      0|      for (iy = 0; iy < pb; iy++) {
  ------------------
  |  Branch (54:20): [True: 0, False: 0]
  ------------------
   55|       |         /* compute the column as a mp_word */
   56|      0|         r       = (mp_word)*tmpt +
   57|      0|                   ((mp_word)tmpx * (mp_word)*tmpy++) +
   58|      0|                   (mp_word)u;
   59|       |
   60|       |         /* the new column is the lower part of the result */
   61|      0|         *tmpt++ = (mp_digit)(r & (mp_word)MP_MASK);
  ------------------
  |  |  106|      0|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|      0|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   62|       |
   63|       |         /* get the carry word from the result */
   64|      0|         u       = (mp_digit)(r >> (mp_word)MP_DIGIT_BIT);
  ------------------
  |  |   82|      0|#   define MP_DIGIT_BIT 60
  ------------------
   65|      0|      }
   66|       |      /* store the final carry only if its column is below digs */
   67|      0|      if ((ix + iy) < digs) {
  ------------------
  |  Branch (67:11): [True: 0, False: 0]
  ------------------
   68|      0|         *tmpt = u;
   69|      0|      }
   70|      0|   }
   71|       |
   72|      0|   mp_clamp(&t);
   73|      0|   mp_exch(&t, c);
   74|       |
   75|      0|   mp_clear(&t);
   76|      0|   return MP_OKAY;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
   77|      0|}

s_mp_mul_digs_fast:
   23|  12.0M|{
   24|  12.0M|   int      olduse, pa, ix, iz;
   25|  12.0M|   mp_err   err;
   26|  12.0M|   mp_digit W[MP_WARRAY];
   27|  12.0M|   mp_word  _W;
   28|       |
   29|  12.0M|   if (digs < 0) {
  ------------------
  |  Branch (29:8): [True: 0, False: 12.0M]
  ------------------
   30|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   31|      0|   }
   32|       |
   33|       |   /* grow the destination as required */
   34|  12.0M|   if (c->alloc < digs) {
  ------------------
  |  Branch (34:8): [True: 147k, False: 11.8M]
  ------------------
   35|   147k|      if ((err = mp_grow(c, digs)) != MP_OKAY) {
  ------------------
  |  |  161|   147k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (35:11): [True: 0, False: 147k]
  ------------------
   36|      0|         return err;
   37|      0|      }
   38|   147k|   }
   39|       |
   40|       |   /* number of output digits to produce */
   41|  12.0M|   pa = MP_MIN(digs, a->used + b->used);
  ------------------
  |  |  156|  12.0M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 13.3k, False: 12.0M]
  |  |  ------------------
  ------------------
   42|       |
   43|       |   /* clear the carry */
   44|  12.0M|   _W = 0;
   45|   306M|   for (ix = 0; ix < pa; ix++) {
  ------------------
  |  Branch (45:17): [True: 294M, False: 12.0M]
  ------------------
   46|   294M|      int      tx, ty;
   47|   294M|      int      iy;
   48|   294M|      mp_digit *tmpx, *tmpy;
   49|       |
   50|       |      /* get offsets into the two bignums */
   51|   294M|      ty = MP_MIN(b->used-1, ix);
  ------------------
  |  |  156|   294M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 121M, False: 173M]
  |  |  ------------------
  ------------------
   52|   294M|      tx = ix - ty;
   53|       |
   54|       |      /* setup temp aliases */
   55|   294M|      tmpx = a->dp + tx;
   56|   294M|      tmpy = b->dp + ty;
   57|       |
   58|       |      /* this is the number of times the loop will iterrate, essentially
   59|       |         while (tx++ < a->used && ty-- >= 0) { ... }
   60|       |       */
   61|   294M|      iy = MP_MIN(a->used-tx, ty+1);
  ------------------
  |  |  156|   294M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 173M, False: 121M]
  |  |  ------------------
  ------------------
   62|       |
   63|       |      /* execute loop */
   64|  2.43G|      for (iz = 0; iz < iy; ++iz) {
  ------------------
  |  Branch (64:20): [True: 2.13G, False: 294M]
  ------------------
   65|  2.13G|         _W += (mp_word)*tmpx++ * (mp_word)*tmpy--;
   66|       |
   67|  2.13G|      }
   68|       |
   69|       |      /* store term */
   70|   294M|      W[ix] = (mp_digit)_W & MP_MASK;
  ------------------
  |  |  106|   294M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   294M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   71|       |
   72|       |      /* make next carry */
   73|   294M|      _W = _W >> (mp_word)MP_DIGIT_BIT;
  ------------------
  |  |   82|   294M|#   define MP_DIGIT_BIT 60
  ------------------
   74|   294M|   }
   75|       |
   76|       |   /* setup dest */
   77|  12.0M|   olduse  = c->used;
   78|  12.0M|   c->used = pa;
   79|       |
   80|  12.0M|   {
   81|  12.0M|      mp_digit *tmpc;
   82|  12.0M|      tmpc = c->dp;
   83|   306M|      for (ix = 0; ix < pa; ix++) {
  ------------------
  |  Branch (83:20): [True: 294M, False: 12.0M]
  ------------------
   84|       |         /* now extract the previous digit [below the carry] */
   85|   294M|         *tmpc++ = W[ix];
   86|   294M|      }
   87|       |
   88|       |      /* clear unused digits [that existed in the old copy of c] */
   89|  12.0M|      MP_ZERO_DIGITS(tmpc, olduse - ix);
  ------------------
  |  |   89|  12.0M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  12.0M|do {                                                    \
  |  |   91|  12.0M|   int zd_ = (digits);                                  \
  |  |   92|  12.0M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  12.0M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 12.0M]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|  12.0M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 12.0M]
  |  |  ------------------
  ------------------
   90|  12.0M|   }
   91|  12.0M|   mp_clamp(c);
   92|  12.0M|   return MP_OKAY;
  ------------------
  |  |  161|  12.0M|#define MP_OKAY       0   /* no error */
  ------------------
   93|  12.0M|}

s_mp_mul_high_digs:
   /* Body of s_mp_mul_high_digs as shown by the coverage listing; the
    * signature line is not part of the listing.  Multiplies a by b and
    * accumulates the partial products into digit positions digs and above,
    * leaving the result in c.
    *
    * Returns MP_VAL when digs is negative, the mp_init_size() error when the
    * temporary cannot be set up, the result of s_mp_mul_high_digs_fast() when
    * the fast path is taken, and MP_OKAY otherwise.
    */
   10|  27.1k|{
   11|  27.1k|   mp_int   t;
   12|  27.1k|   int      pa, pb, ix, iy;
   13|  27.1k|   mp_err   err;
   14|  27.1k|   mp_digit u;
   15|  27.1k|   mp_word  r;
   16|  27.1k|   mp_digit tmpx, *tmpt, *tmpy;
   17|       |
   18|  27.1k|   if (digs < 0) {
  ------------------
  |  Branch (18:8): [True: 0, False: 27.1k]
  ------------------
   19|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   20|      0|   }
   21|       |
   22|       |   /* can we use the fast multiplier? */
                 /* The (a->used + b->used + 1) < MP_WARRAY test below is what keeps
                  * the column indices of s_mp_mul_high_digs_fast inside its
                  * W[MP_WARRAY] stack array; that routine does not repeat the check. */
   23|  27.1k|   if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
  ------------------
  |  |  150|  54.2k|#define MP_HAS(x)        (sizeof(MP_STRINGIZE(BN_##x##_C)) == 1u)
  |  |  ------------------
  |  |  |  |  148|  27.1k|#define MP_STRINGIZE(x)  MP__STRINGIZE(x)
  |  |  |  |  ------------------
  |  |  |  |  |  |  149|  27.1k|#define MP__STRINGIZE(x) ""#x""
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  |  Branch (150:26): [True: 27.1k, Folded]
  |  |  ------------------
  ------------------
   24|  27.1k|       && ((a->used + b->used + 1) < MP_WARRAY)
  ------------------
  |  |  172|  27.1k|#define MP_WARRAY PRIVATE_MP_WARRAY
  |  |  ------------------
  |  |  |  |  203|  27.1k|#define PRIVATE_MP_WARRAY (int)(1uLL << (((CHAR_BIT * sizeof(private_mp_word)) - (2 * MP_DIGIT_BIT)) + 1))
  |  |  |  |  ------------------
  |  |  |  |  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (24:11): [True: 27.1k, False: 0]
  ------------------
   25|  27.1k|       && (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
  ------------------
  |  |  156|  27.1k|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 26.8k, False: 314]
  |  |  ------------------
  ------------------
                     && (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
  ------------------
  |  |  168|  27.1k|#define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |  167|  27.1k|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  |  |  ------------------
  |  |               #define MP_MAXFAST              (int)(1uL << (MP_SIZEOF_BITS(mp_word) - (2u * (size_t)MP_DIGIT_BIT)))
  |  |  ------------------
  |  |  |  |   82|  27.1k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
  |  Branch (25:11): [True: 27.1k, False: 0]
  ------------------
   26|  27.1k|      return s_mp_mul_high_digs_fast(a, b, c, digs);
   27|  27.1k|   }
   28|       |
                 /* Slow path: the temporary t is sized for a->used + b->used + 1 digits. */
   29|      0|   if ((err = mp_init_size(&t, a->used + b->used + 1)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (29:8): [True: 0, False: 0]
  ------------------
   30|      0|      return err;
   31|      0|   }
   32|      0|   t.used = a->used + b->used + 1;
   33|       |
   34|      0|   pa = a->used;
   35|      0|   pb = b->used;
   36|      0|   for (ix = 0; ix < pa; ix++) {
  ------------------
  |  Branch (36:17): [True: 0, False: 0]
  ------------------
   37|       |      /* clear the carry */
   38|      0|      u = 0;
   39|       |
   40|       |      /* left hand side of A[ix] * B[iy] */
   41|      0|      tmpx = a->dp[ix];
   42|       |
   43|       |      /* alias to the address of where the digits will be stored */
   44|      0|      tmpt = &(t.dp[digs]);
   45|       |
   46|       |      /* alias for where to read the right hand side from */
                    /* NOTE(review): digs - ix is negative once ix exceeds digs, which
                     * would place tmpy (and the starting iy) before b->dp[0].  Nothing
                     * in this body bounds a->used against digs - confirm that callers
                     * keep a->used <= digs + 1. */
   47|      0|      tmpy = b->dp + (digs - ix);
   48|       |
   49|      0|      for (iy = digs - ix; iy < pb; iy++) {
  ------------------
  |  Branch (49:28): [True: 0, False: 0]
  ------------------
   50|       |         /* calculate the double precision result */
   51|      0|         r       = (mp_word)*tmpt +
   52|      0|                   ((mp_word)tmpx * (mp_word)*tmpy++) +
   53|      0|                   (mp_word)u;
   54|       |
   55|       |         /* get the lower part */
   56|      0|         *tmpt++ = (mp_digit)(r & (mp_word)MP_MASK);
  ------------------
  |  |  106|      0|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|      0|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   57|       |
   58|       |         /* carry the carry */
   59|      0|         u       = (mp_digit)(r >> (mp_word)MP_DIGIT_BIT);
  ------------------
  |  |   82|      0|#   define MP_DIGIT_BIT 60
  ------------------
   60|      0|      }
                    /* the final carry of this row lands in the digit after the last product */
   61|      0|      *tmpt = u;
   62|      0|   }
                 /* NOTE(review): mp_exch presumably swaps t and c, so the mp_clear
                  * call releases the storage c held on entry - confirm. */
   63|      0|   mp_clamp(&t);
   64|      0|   mp_exch(&t, c);
   65|      0|   mp_clear(&t);
   66|      0|   return MP_OKAY;
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
   67|      0|}

s_mp_mul_high_digs_fast:
   /* Body of s_mp_mul_high_digs_fast as shown by the coverage listing; the
    * signature line is not part of the listing.  Column-wise multiply of a
    * by b that computes only the columns from digs up to
    * a->used + b->used - 1 and writes them to c.
    *
    * Returns MP_VAL when digs is negative, the mp_grow() error when c cannot
    * be enlarged, and MP_OKAY otherwise.
    */
   16|  27.1k|{
   17|  27.1k|   int     olduse, pa, ix, iz;
   18|  27.1k|   mp_err   err;
                 /* Column results are staged in this fixed-size stack array.  Nothing
                  * in this routine compares pa with MP_WARRAY; the bound comes from the
                  * (a->used + b->used + 1) < MP_WARRAY test in s_mp_mul_high_digs.
                  * NOTE(review): W is not cleared before returning, so the staged
                  * digits stay on the stack - relevant if operands are secret. */
   19|  27.1k|   mp_digit W[MP_WARRAY];
   20|  27.1k|   mp_word  _W;
   21|       |
   22|  27.1k|   if (digs < 0) {
  ------------------
  |  Branch (22:8): [True: 0, False: 27.1k]
  ------------------
   23|      0|      return MP_VAL;
  ------------------
  |  |  164|      0|#define MP_VAL        -3  /* invalid input */
  ------------------
   24|      0|   }
   25|       |
   26|       |   /* grow the destination as required */
   27|  27.1k|   pa = a->used + b->used;
   28|  27.1k|   if (c->alloc < pa) {
  ------------------
  |  Branch (28:8): [True: 27.1k, False: 0]
  ------------------
   29|  27.1k|      if ((err = mp_grow(c, pa)) != MP_OKAY) {
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (29:11): [True: 0, False: 27.1k]
  ------------------
   30|      0|         return err;
   31|      0|      }
   32|  27.1k|   }
   33|       |
   34|       |   /* number of output digits to produce */
                 /* same value pa already holds from the assignment above */
   35|  27.1k|   pa = a->used + b->used;
                 /* _W is the running column sum; it is not reset per column, the
                  * shift at the end of each iteration turns it into the carry */
   36|  27.1k|   _W = 0;
   37|   270k|   for (ix = digs; ix < pa; ix++) {
  ------------------
  |  Branch (37:20): [True: 243k, False: 27.1k]
  ------------------
   38|   243k|      int      tx, ty, iy;
   39|   243k|      mp_digit *tmpx, *tmpy;
   40|       |
   41|       |      /* get offsets into the two bignums */
   42|   243k|      ty = MP_MIN(b->used-1, ix);
  ------------------
  |  |  156|   243k|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 216k, False: 27.1k]
  |  |  ------------------
  ------------------
   43|   243k|      tx = ix - ty;
   44|       |
   45|       |      /* setup temp aliases */
   46|   243k|      tmpx = a->dp + tx;
   47|   243k|      tmpy = b->dp + ty;
   48|       |
   49|       |      /* this is the number of times the loop will iterate, essentially
   50|       |         while (tx++ < a->used && ty-- >= 0) { ... }
   51|       |       */
   52|   243k|      iy = MP_MIN(a->used-tx, ty+1);
  ------------------
  |  |  156|   243k|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 243k, False: 314]
  |  |  ------------------
  ------------------
   53|       |
   54|       |      /* execute loop */
   55|  2.27M|      for (iz = 0; iz < iy; iz++) {
  ------------------
  |  Branch (55:20): [True: 2.02M, False: 243k]
  ------------------
   56|  2.02M|         _W += (mp_word)*tmpx++ * (mp_word)*tmpy--;
   57|  2.02M|      }
   58|       |
   59|       |      /* store term */
   60|   243k|      W[ix] = (mp_digit)_W & MP_MASK;
  ------------------
  |  |  106|   243k|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   243k|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   61|       |
   62|       |      /* make next carry */
   63|   243k|      _W = _W >> (mp_word)MP_DIGIT_BIT;
  ------------------
  |  |   82|   243k|#   define MP_DIGIT_BIT 60
  ------------------
   64|   243k|   }
   65|       |
   66|       |   /* setup dest */
   67|  27.1k|   olduse  = c->used;
   68|  27.1k|   c->used = pa;
   69|       |
   70|  27.1k|   {
   71|  27.1k|      mp_digit *tmpc;
   72|       |
                    /* only digits digs..pa-1 are written; c->dp[0..digs-1] keep
                     * whatever they held before the call */
   73|  27.1k|      tmpc = c->dp + digs;
   74|   270k|      for (ix = digs; ix < pa; ix++) {
  ------------------
  |  Branch (74:23): [True: 243k, False: 27.1k]
  ------------------
   75|       |         /* now extract the previous digit [below the carry] */
   76|   243k|         *tmpc++ = W[ix];
   77|   243k|      }
   78|       |
   79|       |      /* clear unused digits [that existed in the old copy of c] */
                    /* ix equals pa here, so this zeroes digits pa..olduse-1 and does
                     * nothing when the old value was not longer than the new one */
   80|  27.1k|      MP_ZERO_DIGITS(tmpc, olduse - ix);
  ------------------
  |  |   89|  27.1k|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  27.1k|do {                                                    \
  |  |   91|  27.1k|   int zd_ = (digits);                                  \
  |  |   92|  27.1k|   mp_digit* zm_ = (mem);                               \
  |  |   93|  27.1k|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 0, False: 27.1k]
  |  |  ------------------
  |  |   94|      0|      *zm_++ = 0;                                       \
  |  |   95|      0|   }                                                    \
  |  |   96|  27.1k|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 27.1k]
  |  |  ------------------
  ------------------
   81|  27.1k|   }
   82|  27.1k|   mp_clamp(c);
   83|  27.1k|   return MP_OKAY;
  ------------------
  |  |  161|  27.1k|#define MP_OKAY       0   /* no error */
  ------------------
   84|  27.1k|}

s_mp_sqr_fast:
   /* Body of s_mp_sqr_fast as shown by the coverage listing; the signature
    * line is not part of the listing.  Computes b = a * a column by column:
    * each column sums the cross products once, doubles that sum, adds the
    * incoming carry and, on even columns, the square of the middle digit.
    *
    * Returns the mp_grow() error when b cannot be enlarged, MP_OKAY otherwise.
    */
   17|  7.18M|{
   18|  7.18M|   int       olduse, pa, ix, iz;
                 /* W is indexed up to pa - 1 = 2 * a->used - 1 below.  This body does
                  * not compare pa with MP_WARRAY.  NOTE(review): the bound has to come
                  * from the caller, which is not visible in this listing - confirm.
                  * W is also left uncleared on return. */
   19|  7.18M|   mp_digit  W[MP_WARRAY], *tmpx;
   20|  7.18M|   mp_word   W1;
   21|  7.18M|   mp_err    err;
   22|       |
   23|       |   /* grow the destination as required */
   24|  7.18M|   pa = a->used + a->used;
   25|  7.18M|   if (b->alloc < pa) {
  ------------------
  |  Branch (25:8): [True: 5.85k, False: 7.17M]
  ------------------
   26|  5.85k|      if ((err = mp_grow(b, pa)) != MP_OKAY) {
  ------------------
  |  |  161|  5.85k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (26:11): [True: 0, False: 5.85k]
  ------------------
   27|      0|         return err;
   28|      0|      }
   29|  5.85k|   }
   30|       |
   31|       |   /* number of output digits to produce */
                 /* W1 carries the overflow of one column into the next */
   32|  7.18M|   W1 = 0;
   33|   355M|   for (ix = 0; ix < pa; ix++) {
  ------------------
  |  Branch (33:17): [True: 348M, False: 7.18M]
  ------------------
   34|   348M|      int      tx, ty, iy;
   35|   348M|      mp_word  _W;
   36|   348M|      mp_digit *tmpy;
   37|       |
   38|       |      /* clear counter */
   39|   348M|      _W = 0;
   40|       |
   41|       |      /* get offsets into the two bignums */
   42|   348M|      ty = MP_MIN(a->used-1, ix);
  ------------------
  |  |  156|   348M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 174M, False: 174M]
  |  |  ------------------
  ------------------
   43|   348M|      tx = ix - ty;
   44|       |
   45|       |      /* setup temp aliases */
   46|   348M|      tmpx = a->dp + tx;
   47|   348M|      tmpy = a->dp + ty;
   48|       |
   49|       |      /* this is the number of times the loop will iterate, essentially
   50|       |         while (tx++ < a->used && ty-- >= 0) { ... }
   51|       |       */
   52|   348M|      iy = MP_MIN(a->used-tx, ty+1);
  ------------------
  |  |  156|   348M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 174M, False: 174M]
  |  |  ------------------
  ------------------
   53|       |
   54|       |      /* now for squaring tx can never equal ty
   55|       |       * we halve the distance since they approach at a rate of 2x
   56|       |       * and we have to round because odd cases need to be executed
   57|       |       */
   58|   348M|      iy = MP_MIN(iy, ((ty-tx)+1)>>1);
  ------------------
  |  |  156|   348M|#define MP_MIN(x, y) (((x) < (y)) ? (x) : (y))
  |  |  ------------------
  |  |  |  Branch (156:23): [True: 0, False: 348M]
  |  |  ------------------
  ------------------
   59|       |
   60|       |      /* execute loop */
   61|  2.98G|      for (iz = 0; iz < iy; iz++) {
  ------------------
  |  Branch (61:20): [True: 2.63G, False: 348M]
  ------------------
   62|  2.63G|         _W += (mp_word)*tmpx++ * (mp_word)*tmpy--;
   63|  2.63G|      }
   64|       |
   65|       |      /* double the inner product and add carry */
   66|   348M|      _W = _W + _W + W1;
   67|       |
   68|       |      /* even columns have the square term in them */
   69|   348M|      if (((unsigned)ix & 1u) == 0u) {
  ------------------
  |  Branch (69:11): [True: 174M, False: 174M]
  ------------------
   70|   174M|         _W += (mp_word)a->dp[ix>>1] * (mp_word)a->dp[ix>>1];
   71|   174M|      }
   72|       |
   73|       |      /* store it */
   74|   348M|      W[ix] = (mp_digit)_W & MP_MASK;
  ------------------
  |  |  106|   348M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   348M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   75|       |
   76|       |      /* make next carry */
   77|   348M|      W1 = _W >> (mp_word)MP_DIGIT_BIT;
  ------------------
  |  |   82|   348M|#   define MP_DIGIT_BIT 60
  ------------------
   78|   348M|   }
   79|       |
   80|       |   /* setup dest */
   81|  7.18M|   olduse  = b->used;
   82|  7.18M|   b->used = a->used+a->used;
   83|       |
   84|  7.18M|   {
   85|  7.18M|      mp_digit *tmpb;
   86|  7.18M|      tmpb = b->dp;
   87|   355M|      for (ix = 0; ix < pa; ix++) {
  ------------------
  |  Branch (87:20): [True: 348M, False: 7.18M]
  ------------------
                       /* W[ix] was already masked when it was stored above */
   88|   348M|         *tmpb++ = W[ix] & MP_MASK;
  ------------------
  |  |  106|   348M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   348M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   89|   348M|      }
   90|       |
   91|       |      /* clear unused digits [that existed in the old copy of b] */
   92|  7.18M|      MP_ZERO_DIGITS(tmpb, olduse - ix);
  ------------------
  |  |   89|  7.18M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  7.18M|do {                                                    \
  |  |   91|  7.18M|   int zd_ = (digits);                                  \
  |  |   92|  7.18M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  7.28M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 95.5k, False: 7.18M]
  |  |  ------------------
  |  |   94|  95.5k|      *zm_++ = 0;                                       \
  |  |   95|  95.5k|   }                                                    \
  |  |   96|  7.18M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 7.18M]
  |  |  ------------------
  ------------------
   93|  7.18M|   }
   94|  7.18M|   mp_clamp(b);
   95|  7.18M|   return MP_OKAY;
  ------------------
  |  |  161|  7.18M|#define MP_OKAY       0   /* no error */
  ------------------
   96|  7.18M|}

s_mp_sub:
    /* Body of s_mp_sub as shown by the coverage listing; the signature line
     * is not part of the listing.  Computes c = a - b digit by digit with
     * borrow propagation.  The first loop reads b->used digits from both
     * operands and the second reads a up to a->used, so b must not have more
     * used digits than a.  NOTE(review): presumably callers also guarantee
     * that the magnitude of a is at least that of b, because a borrow left
     * over after the top digit is discarded - confirm.
     *
     * Returns the mp_grow() error when c cannot be enlarged, MP_OKAY otherwise.
     */
    8|  14.1M|{
    9|  14.1M|   int    olduse, min, max;
   10|  14.1M|   mp_err err;
   11|       |
   12|       |   /* find sizes */
   13|  14.1M|   min = b->used;
   14|  14.1M|   max = a->used;
   15|       |
   16|       |   /* init result */
                 /* c is grown only when too small; a larger existing allocation is
                  * reused, which is why stale digits are zeroed at the end */
   17|  14.1M|   if (c->alloc < max) {
  ------------------
  |  Branch (17:8): [True: 0, False: 14.1M]
  ------------------
   18|      0|      if ((err = mp_grow(c, max)) != MP_OKAY) {
  ------------------
  |  |  161|      0|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (18:11): [True: 0, False: 0]
  ------------------
   19|      0|         return err;
   20|      0|      }
   21|      0|   }
   22|  14.1M|   olduse = c->used;
   23|  14.1M|   c->used = max;
   24|       |
   25|  14.1M|   {
   26|  14.1M|      mp_digit u, *tmpa, *tmpb, *tmpc;
   27|  14.1M|      int i;
   28|       |
   29|       |      /* alias for digit pointers */
   30|  14.1M|      tmpa = a->dp;
   31|  14.1M|      tmpb = b->dp;
   32|  14.1M|      tmpc = c->dp;
   33|       |
   34|       |      /* set carry to zero */
   35|  14.1M|      u = 0;
   36|   187M|      for (i = 0; i < min; i++) {
  ------------------
  |  Branch (36:19): [True: 173M, False: 14.1M]
  ------------------
   37|       |         /* T[i] = A[i] - B[i] - U */
   38|   173M|         *tmpc = (*tmpa++ - *tmpb++) - u;
   39|       |
   40|       |         /* U = carry bit of T[i]
   41|       |          * Note this saves performing an AND operation since
   42|       |          * if a carry does occur it will propagate all the way to the
   43|       |          * MSB.  As a result a single shift is enough to get the carry
   44|       |          */
   45|   173M|         u = *tmpc >> (MP_SIZEOF_BITS(mp_digit) - 1u);
  ------------------
  |  |  167|   173M|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  ------------------
   46|       |
   47|       |         /* Clear carry from T[i] */
   48|   173M|         *tmpc++ &= MP_MASK;
  ------------------
  |  |  106|   173M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|   173M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   49|   173M|      }
   50|       |
   51|       |      /* now copy higher words if any, e.g. if A has more digits than B  */
   52|  60.3M|      for (; i < max; i++) {
  ------------------
  |  Branch (52:14): [True: 46.1M, False: 14.1M]
  ------------------
   53|       |         /* T[i] = A[i] - U */
   54|  46.1M|         *tmpc = *tmpa++ - u;
   55|       |
   56|       |         /* U = carry bit of T[i] */
   57|  46.1M|         u = *tmpc >> (MP_SIZEOF_BITS(mp_digit) - 1u);
  ------------------
  |  |  167|  46.1M|#define MP_SIZEOF_BITS(type)    ((size_t)CHAR_BIT * sizeof(type))
  ------------------
   58|       |
   59|       |         /* Clear carry from T[i] */
   60|  46.1M|         *tmpc++ &= MP_MASK;
  ------------------
  |  |  106|  46.1M|#define MP_MASK          ((((mp_digit)1)<<((mp_digit)MP_DIGIT_BIT))-((mp_digit)1))
  |  |  ------------------
  |  |  |  |   82|  46.1M|#   define MP_DIGIT_BIT 60
  |  |  ------------------
  ------------------
   61|  46.1M|      }
   62|       |
   63|       |      /* clear digits above used (since we may not have grown result above) */
   64|  14.1M|      MP_ZERO_DIGITS(tmpc, olduse - c->used);
  ------------------
  |  |   89|  14.1M|#  define MP_ZERO_DIGITS(mem, digits)                   \
  |  |   90|  14.1M|do {                                                    \
  |  |   91|  14.1M|   int zd_ = (digits);                                  \
  |  |   92|  14.1M|   mp_digit* zm_ = (mem);                               \
  |  |   93|  14.1M|   while (zd_-- > 0) {                                  \
  |  |  ------------------
  |  |  |  Branch (93:11): [True: 35, False: 14.1M]
  |  |  ------------------
  |  |   94|     35|      *zm_++ = 0;                                       \
  |  |   95|     35|   }                                                    \
  |  |   96|  14.1M|} while (0)
  |  |  ------------------
  |  |  |  Branch (96:10): [Folded, False: 14.1M]
  |  |  ------------------
  ------------------
   65|  14.1M|   }
   66|       |
   67|  14.1M|   mp_clamp(c);
   68|  14.1M|   return MP_OKAY;
  ------------------
  |  |  161|  14.1M|#define MP_OKAY       0   /* no error */
  ------------------
   69|  14.1M|}

m_mp_init:
   /* Initialise *mp with mp_init().  The function returns void, so any result
    * other than MP_OKAY is reported only through dropbear_exit().
    * NOTE(review): assumes dropbear_exit() does not return - confirm. */
   31|  1.13k|void m_mp_init(mp_int *mp) {
   32|       |
   33|  1.13k|	if (mp_init(mp) != MP_OKAY) {
  ------------------
  |  |  161|  1.13k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (33:6): [True: 0, False: 1.13k]
  ------------------
   34|      0|		dropbear_exit("Mem alloc error");
   35|      0|	}
   36|  1.13k|}
m_mp_init_multi:
   /* Body of m_mp_init_multi; the signature line is not part of the listing.
    * Runs mp_init() on mp and then on every further mp_int* taken from the
    * variadic arguments.  The loop stops only at a NULL pointer, so every
    * call site has to end its argument list with NULL; without it va_arg
    * reads past the arguments that were actually supplied. */
   41|  2.85k|{
   42|  2.85k|	mp_int* cur_arg = mp;
   43|  2.85k|	va_list args;
   44|       |
   45|  2.85k|	va_start(args, mp);        /* init args to next argument from caller */
   46|  12.7k|	while (cur_arg != NULL) {
  ------------------
  |  Branch (46:9): [True: 9.91k, False: 2.85k]
  ------------------
   47|  9.91k|		if (mp_init(cur_arg) != MP_OKAY) {
  ------------------
  |  |  161|  9.91k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (47:7): [True: 0, False: 9.91k]
  ------------------
   48|      0|			dropbear_exit("Mem alloc error");
   49|      0|		}
   50|  9.91k|		cur_arg = va_arg(args, mp_int*);
   51|  9.91k|	}
   52|  2.85k|	va_end(args);
   53|  2.85k|}
m_mp_alloc_init_multi:
   /* Body of m_mp_alloc_init_multi; the signature line is not part of the
    * listing.  For mp and every further mp_int** in the NULL-terminated
    * variadic list: allocate an mp_int with m_malloc(), store it through the
    * pointer and run mp_init() on it.  Any previous value of the slot is
    * overwritten without being freed. */
   56|  2.78k|{
   57|  2.78k|	mp_int** cur_arg = mp;
   58|  2.78k|	va_list args;
   59|       |
   60|  2.78k|	va_start(args, mp);        /* init args to next argument from caller */
   61|  8.33k|	while (cur_arg != NULL) {
  ------------------
  |  Branch (61:9): [True: 5.55k, False: 2.78k]
  ------------------
              	/* the m_malloc() result is used without a NULL check here.
              	 * NOTE(review): presumably m_malloc() exits on failure itself - confirm */
   62|  5.55k|		*cur_arg = m_malloc(sizeof(mp_int));
   63|  5.55k|		if (mp_init(*cur_arg) != MP_OKAY) {
  ------------------
  |  |  161|  5.55k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (63:7): [True: 0, False: 5.55k]
  ------------------
   64|      0|			dropbear_exit("Mem alloc error");
   65|      0|		}
   66|  5.55k|		cur_arg = va_arg(args, mp_int**);
   67|  5.55k|	}
   68|  2.78k|	va_end(args);
   69|  2.78k|}
m_mp_free_multi:
   /* Body of m_mp_free_multi; the signature line is not part of the listing.
    * For mp and every further mp_int** in the NULL-terminated variadic list:
    * mp_clear() the target when the slot is non-NULL, then m_free() the slot.
    * m_free expands to m_free_direct(X); (X) = NULL with X being *cur_arg, so
    * the slot in the caller is reset to NULL and a repeated call on the same
    * slots skips mp_clear(). */
   72|    298|{
   73|    298|	mp_int** cur_arg = mp;
   74|    298|	va_list args;
   75|       |
   76|    298|	va_start(args, mp);        /* init args to next argument from caller */
   77|  1.52k|	while (cur_arg != NULL) {
  ------------------
  |  Branch (77:9): [True: 1.22k, False: 298]
  ------------------
   78|  1.22k|		if (*cur_arg) {
  ------------------
  |  Branch (78:7): [True: 484, False: 745]
  ------------------
   79|    484|			mp_clear(*cur_arg);
   80|    484|		}
              	/* reached for NULL slots as well.
              	 * NOTE(review): assumes m_free_direct() accepts NULL - confirm */
   81|  1.22k|		m_free(*cur_arg);
  ------------------
  |  |   24|  1.22k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1.22k]
  |  |  ------------------
  ------------------
   82|  1.22k|		cur_arg = va_arg(args, mp_int**);
   83|  1.22k|	}
   84|       |	va_end(args);
   85|    298|}
bytes_to_mp:
   /* Load len bytes starting at bytes into mp through mp_from_ubin().  The
    * cast drops the const qualifier only for the call.  Any result other than
    * MP_OKAY ends in dropbear_exit(); the message says "Mem alloc error"
    * whatever the actual mp_err value was. */
   87|  4.31k|void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len) {
   88|       |
   89|  4.31k|	if (mp_from_ubin(mp, (unsigned char*)bytes, len) != MP_OKAY) {
  ------------------
  |  |  161|  4.31k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (89:6): [True: 0, False: 4.31k]
  ------------------
   90|      0|		dropbear_exit("Mem alloc error");
   91|      0|	}
   92|  4.31k|}

buf_new:
   /* Allocate a buffer with room for size data bytes.  Header and data share
    * one m_malloc() block and data points just past the header, which is why
    * buf_free() releases both with a single m_free().  Requests above
    * BUF_MAX_SIZE go to dropbear_exit() before sizeof(buffer)+size is
    * computed.  Only data and size are assigned here.
    * NOTE(review): len and pos are presumably zero because m_malloc() returns
    * zeroed memory - confirm. */
   41|  70.6k|buffer* buf_new(unsigned int size) {
   42|  70.6k|	buffer* buf;
   43|  70.6k|	if (size > BUF_MAX_SIZE) {
  ------------------
  |  |   35|  70.6k|#define BUF_MAX_SIZE 1000000000
  ------------------
  |  Branch (43:6): [True: 0, False: 70.6k]
  ------------------
   44|      0|		dropbear_exit("buf->size too big");
   45|      0|	}
   46|       |
   47|  70.6k|	buf = (buffer*)m_malloc(sizeof(buffer)+size);
   48|  70.6k|	buf->data = (unsigned char*)buf + sizeof(buffer);
   49|  70.6k|	buf->size = size;
   50|  70.6k|	return buf;
   51|  70.6k|}
buf_free:
   /* Release a buffer.  m_free expands to m_free_direct(X); (X) = NULL and X
    * is the by-value parameter here, so only this local copy is set to NULL;
    * the pointer held by the caller still has the old address and must not be
    * used again.  No wipe is requested on this path; buf_burn_free() is the
    * variant that calls m_burn() first. */
   54|  50.6k|void buf_free(buffer* buf) {
   55|       |	m_free(buf);
  ------------------
  |  |   24|  50.6k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 50.6k]
  |  |  ------------------
  ------------------
   56|  50.6k|}
buf_burn_free:
   /* Pass the data area to m_burn() and then release the buffer.  The whole
    * capacity (size) is handed over, not just the len bytes in use, so bytes
    * beyond len are covered too; the header fields are not.
    * NOTE(review): m_burn() presumably overwrites the bytes - confirm.
    * As in buf_free(), m_free() only resets the local parameter. */
   59|  15.2k|void buf_burn_free(buffer* buf) {
   60|  15.2k|	m_burn(buf->data, buf->size);
   61|       |	m_free(buf);
  ------------------
  |  |   24|  15.2k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 15.2k]
  |  |  ------------------
  ------------------
   62|  15.2k|}
buf_resize:
   /* Change the capacity of buf to newsize and return the buffer to use from
    * now on.  Sizes above BUF_MAX_SIZE go to dropbear_exit().  Header and data
    * live in one block, so data is recomputed from the address m_realloc()
    * returns; the caller has to continue with the returned pointer, and
    * pointers obtained earlier from buf_getptr()/buf_getwriteptr() refer to
    * the old block.  NOTE(review): m_realloc() presumably may move the block
    * like realloc() - confirm. */
   67|  4.06k|buffer* buf_resize(buffer *buf, unsigned int newsize) {
   68|  4.06k|	if (newsize > BUF_MAX_SIZE) {
  ------------------
  |  |   35|  4.06k|#define BUF_MAX_SIZE 1000000000
  ------------------
  |  Branch (68:6): [True: 0, False: 4.06k]
  ------------------
   69|      0|		dropbear_exit("buf->size too big");
   70|      0|	}
   71|       |
   72|  4.06k|	buf = m_realloc(buf, sizeof(buffer)+newsize);
   73|  4.06k|	buf->data = (unsigned char*)buf + sizeof(buffer);
   74|  4.06k|	buf->size = newsize;
              	/* clamp len and pos so neither can index past a shrunk buffer */
   75|  4.06k|	buf->len = MIN(newsize, buf->len);
  ------------------
  |  Branch (75:13): [True: 0, False: 4.06k]
  ------------------
   76|       |	buf->pos = MIN(newsize, buf->pos);
  ------------------
  |  Branch (76:13): [True: 0, False: 4.06k]
  ------------------
   77|  4.06k|	return buf;
   78|  4.06k|}
buf_newcopy:
   /* Return a new buffer whose capacity and len both equal buf->len and whose
    * data holds a copy of the first len bytes of buf.  pos is not copied; the
    * copy keeps whatever pos buf_new() leaves.  The memcpy is skipped for an
    * empty source. */
   82|  5.17k|buffer* buf_newcopy(const buffer* buf) {
   83|       |	
   84|  5.17k|	buffer* ret;
   85|       |
   86|  5.17k|	ret = buf_new(buf->len);
   87|  5.17k|	ret->len = buf->len;
   88|  5.17k|	if (buf->len > 0) {
  ------------------
  |  Branch (88:6): [True: 5.17k, False: 0]
  ------------------
   89|  5.17k|		memcpy(ret->data, buf->data, buf->len);
   90|  5.17k|	}
   91|  5.17k|	return ret;
   92|  5.17k|}
buf_setlen:
   /* Set the valid length of buf to len.  A len above the capacity (size)
    * goes to dropbear_exit().  pos is clamped to the new len so it never ends
    * up beyond the valid data. */
   95|  87.2k|void buf_setlen(buffer* buf, unsigned int len) {
   96|  87.2k|	if (len > buf->size) {
  ------------------
  |  Branch (96:6): [True: 0, False: 87.2k]
  ------------------
   97|      0|		dropbear_exit("Bad buf_setlen");
   98|      0|	}
   99|  87.2k|	buf->len = len;
  100|       |	buf->pos = MIN(buf->pos, buf->len);
  ------------------
  |  Branch (100:13): [True: 63.4k, False: 23.7k]
  ------------------
  101|  87.2k|}
buf_incrlen:
  /* Extend the valid length of buf by incr, bounded by the capacity (size).
   * incr is checked against BUF_MAX_INCR first; with len itself no larger
   * than BUF_MAX_SIZE this keeps buf->len + incr from wrapping a 32-bit
   * unsigned int before it is compared with size.  A failed check goes to
   * dropbear_exit().  pos is left unchanged. */
  104|   183k|void buf_incrlen(buffer* buf, unsigned int incr) {
  105|   183k|	if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) {
  ------------------
  |  |   34|   366k|#define BUF_MAX_INCR 1000000000
  ------------------
  |  Branch (105:6): [True: 0, False: 183k]
  |  Branch (105:29): [True: 0, False: 183k]
  ------------------
  106|      0|		dropbear_exit("Bad buf_incrlen");
  107|      0|	}
  108|   183k|	buf->len += incr;
  109|   183k|}
buf_setpos:
  /* Move the cursor to an absolute position.  pos may equal len (one past
   * the last valid byte); anything larger goes to dropbear_exit(). */
  111|   345k|void buf_setpos(buffer* buf, unsigned int pos) {
  112|       |
  113|   345k|	if (pos > buf->len) {
  ------------------
  |  Branch (113:6): [True: 0, False: 345k]
  ------------------
  114|      0|		dropbear_exit("Bad buf_setpos");
  115|      0|	}
  116|   345k|	buf->pos = pos;
  117|   345k|}
buf_incrwritepos:
  /* Advance the cursor by incr on the write side.  The bound is the capacity
   * (size), not len, and len is raised to the new pos when the cursor moves
   * past it.  incr is capped at BUF_MAX_INCR before the addition, as in
   * buf_incrlen(); a failed check goes to dropbear_exit(). */
  120|   405k|void buf_incrwritepos(buffer* buf, unsigned int incr) {
  121|   405k|	if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
  ------------------
  |  |   34|   810k|#define BUF_MAX_INCR 1000000000
  ------------------
  |  Branch (121:6): [True: 0, False: 405k]
  |  Branch (121:29): [True: 0, False: 405k]
  ------------------
  122|      0|		dropbear_exit("Bad buf_incrwritepos");
  123|      0|	}
  124|   405k|	buf->pos += incr;
  125|   405k|	if (buf->pos > buf->len) {
  ------------------
  |  Branch (125:6): [True: 298k, False: 106k]
  ------------------
  126|   298k|		buf->len = buf->pos;
  127|   298k|	}
  128|   405k|}
buf_incrpos:
  /* Advance the cursor by incr on the read side.  The bound is len, so the
   * cursor can reach but not pass the end of the valid data.  incr is capped
   * at BUF_MAX_INCR before the addition so that pos + incr cannot wrap; a
   * failed check goes to dropbear_exit(). */
  131|   357k|void buf_incrpos(buffer* buf, unsigned int incr) {
  132|   357k|	if (incr > BUF_MAX_INCR 
  ------------------
  |  |   34|   715k|#define BUF_MAX_INCR 1000000000
  ------------------
  |  Branch (132:6): [True: 11, False: 357k]
  ------------------
  133|   357k|		|| (buf->pos + incr) > buf->len) {
  ------------------
  |  Branch (133:6): [True: 71, False: 357k]
  ------------------
  134|     82|		dropbear_exit("Bad buf_incrpos");
  135|     82|	}
  136|   357k|	buf->pos += incr;
  137|   357k|}
buf_decrpos:
  /* Move the cursor back by decr.  The check rejects a decr larger than pos,
   * which would otherwise wrap the unsigned subtraction; it goes to
   * dropbear_exit(). */
  140|  1.77k|void buf_decrpos(buffer* buf, unsigned int decr) {
  141|  1.77k|	if (decr > buf->pos) {
  ------------------
  |  Branch (141:6): [True: 0, False: 1.77k]
  ------------------
  142|      0|		dropbear_exit("Bad buf_decrpos");
  143|      0|	}
  144|  1.77k|	buf->pos -= decr;
  145|  1.77k|}
buf_getbyte:
  /* Return the byte at the cursor and advance the cursor by one.  Reading at
   * or beyond len goes to dropbear_exit(). */
  148|  65.0k|unsigned char buf_getbyte(buffer* buf) {
  149|       |
  150|       |	/* This check is really just ==, but the >= allows us to check for the
  151|       |	 * bad case of pos > len, which should _never_ happen. */
  152|  65.0k|	if (buf->pos >= buf->len) {
  ------------------
  |  Branch (152:6): [True: 4, False: 65.0k]
  ------------------
  153|      4|		dropbear_exit("Bad buf_getbyte");
  154|      4|	}
  155|  65.0k|	return buf->data[buf->pos++];
  156|  65.0k|}
buf_getbool:
  /* Read one byte through buf_getbyte() and normalise it: any non-zero value
   * is returned as 1, zero stays 0.  The bounds check is the one in
   * buf_getbyte(). */
  159|  2.33k|unsigned char buf_getbool(buffer* buf) {
  160|       |
  161|  2.33k|	unsigned char b;
  162|  2.33k|	b = buf_getbyte(buf);
  163|  2.33k|	if (b != 0)
  ------------------
  |  Branch (163:6): [True: 158, False: 2.17k]
  ------------------
  164|    158|		b = 1;
  165|  2.33k|	return b;
  166|  2.33k|}
buf_putbyte:
  /* Store val at the cursor and advance the cursor by one.  When the cursor
   * has reached len, the valid length is first extended by one through
   * buf_incrlen(), which is where the capacity limit is enforced; otherwise
   * an existing byte is overwritten in place. */
  169|   182k|void buf_putbyte(buffer* buf, unsigned char val) {
  170|       |
  171|   182k|	if (buf->pos >= buf->len) {
  ------------------
  |  Branch (171:6): [True: 159k, False: 23.2k]
  ------------------
  172|   159k|		buf_incrlen(buf, 1);
  173|   159k|	}
  174|   182k|	buf->data[buf->pos] = val;
  175|   182k|	buf->pos++;
  176|   182k|}
buf_getptr:
     |       |/* Return a pointer to the byte at the current position after checking
     |       | * that len bytes can be read from there (pos + len <= buf->len).
     |       | * Calls dropbear_exit("Bad buf_getptr") when len exceeds BUF_MAX_INCR or
     |       | * the range runs past the data length.
     |       | * The position is not advanced, and the returned pointer refers to the
     |       | * buffer's own storage, so callers must read at most len bytes and
     |       | * advance pos themselves. */
  180|   462k|unsigned char* buf_getptr(const buffer* buf, unsigned int len) {
  181|       |
  182|   462k|	if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
  ------------------
  |  |   34|   924k|#define BUF_MAX_INCR 1000000000
  ------------------
  |  Branch (182:6): [True: 6, False: 462k]
  |  Branch (182:28): [True: 507, False: 461k]
  ------------------
  183|    513|		dropbear_exit("Bad buf_getptr");
  184|    513|	}
  185|   461k|	return &buf->data[buf->pos];
  186|   462k|}
buf_getwriteptr:
     |       |/* Return a pointer to the byte at the current position after checking
     |       | * that len bytes can be written there. Unlike buf_getptr(), the range
     |       | * is checked against buf->size rather than buf->len.
     |       | * Calls dropbear_exit("Bad buf_getwriteptr") when len exceeds
     |       | * BUF_MAX_INCR or the range runs past buf->size.
     |       | * Neither pos nor len is changed here; callers in this listing follow
     |       | * the write with buf_incrwritepos() or buf_incrlen(). */
  190|   443k|unsigned char* buf_getwriteptr(const buffer* buf, unsigned int len) {
  191|       |
  192|   443k|	if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
  ------------------
  |  |   34|   887k|#define BUF_MAX_INCR 1000000000
  ------------------
  |  Branch (192:6): [True: 0, False: 443k]
  |  Branch (192:28): [True: 11, False: 443k]
  ------------------
  193|     11|		dropbear_exit("Bad buf_getwriteptr");
  194|     11|	}
  195|   443k|	return &buf->data[buf->pos];
  196|   443k|}
buf_getstring:
     |       |/* Read a length-prefixed string from buf and return it as a newly
     |       | * allocated, NUL-terminated copy.
     |       | *
     |       | * buf     buffer to read from; pos is advanced past the length field
     |       | *         and the string bytes.
     |       | * retlen  if not NULL, receives the string length without the
     |       | *         terminator.
     |       | *
     |       | * Returns memory obtained from m_malloc(); the caller owns it.
     |       | * Calls dropbear_exit("String too long") when the length field exceeds
     |       | * MAX_STRING_LEN; buf_getptr() exits when the payload is shorter than
     |       | * the length field claims.
     |       | *
     |       | * NOTE(review): the bytes are copied verbatim, so the result may contain
     |       | * embedded NUL bytes. A caller that measures the result with strlen()
     |       | * instead of using *retlen sees a shorter string than the peer sent. */
  201|  26.1k|char* buf_getstring(buffer* buf, unsigned int *retlen) {
  202|       |
  203|  26.1k|	unsigned int len;
  204|  26.1k|	char* ret;
  205|  26.1k|	void* src = NULL;
  206|  26.1k|	len = buf_getint(buf);
  207|  26.1k|	if (len > MAX_STRING_LEN) {
  ------------------
  |  |  253|  26.1k|#define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
  ------------------
  |  Branch (207:6): [True: 63, False: 26.1k]
  |  Branch (207:12): [True: 26.0k, Folded]
  ------------------
  208|     63|		dropbear_exit("String too long");
  209|     63|	}
  210|       |
  211|  26.1k|	if (retlen != NULL) {
  ------------------
  |  Branch (211:6): [True: 26.0k, False: 102]
  ------------------
  212|  26.0k|		*retlen = len;
  213|  26.0k|	}
  214|  26.1k|	src = buf_getptr(buf, len);
     |       |	/* len was capped at MAX_STRING_LEN above, so len+1 does not wrap */
  215|  26.1k|	ret = m_malloc(len+1);
  216|  26.1k|	memcpy(ret, src, len);
  217|  26.1k|	buf_incrpos(buf, len);
  218|  26.1k|	ret[len] = '\0';
  219|       |
  220|  26.1k|	return ret;
  221|  26.1k|}
buf_getstringbuf:
     |       |/* Read a length-prefixed string from buf into a new buffer that holds
     |       | * only the string bytes (incllen = 0, so no length prefix is copied).
     |       | * Length and bounds checks are done in buf_getstringbuf_int(). */
  246|    585|buffer * buf_getstringbuf(buffer *buf) {
  247|    585|	return buf_getstringbuf_int(buf, 0);
  248|    585|}
buf_getptrcopy:
     |       |/* Return a new buffer containing a copy of the len bytes at the current
     |       | * position of buf. buf_getptr() performs the bounds check and exits on
     |       | * a short source. The source position is left unchanged; the copy has
     |       | * its position reset to 0 before it is returned. */
  256|     47|buffer * buf_getptrcopy(const buffer* buf, unsigned int len) {
  257|     47|	unsigned char *src = buf_getptr(buf, len);
  258|     47|	buffer *ret = buf_new(len);
  259|     47|	buf_putbytes(ret, src, len);
  260|     47|	buf_setpos(ret, 0);
  261|     47|	return ret;
  262|     47|}
buf_eatstring:
     |       |/* Skip over a length-prefixed string without copying it: read the
     |       | * length with buf_getint() and advance pos by that amount.
     |       | * There is no MAX_STRING_LEN check on this path; the only limits are
     |       | * the ones buf_incrpos() applies (BUF_MAX_INCR and buf->len). */
  266|  4.76k|void buf_eatstring(buffer *buf) {
  267|       |
  268|  4.76k|	buf_incrpos( buf, buf_getint(buf) );
  269|  4.76k|}
buf_getint:
     |       |/* Read a 32-bit unsigned integer from the current position and advance
     |       | * pos by 4. buf_getptr(buf, 4) exits if fewer than 4 bytes remain.
     |       | * In this build LOAD32H expands to a 4-byte memcpy followed by
     |       | * __builtin_bswap32, as the expansion below shows.
     |       | * The value comes straight from the input and is not range-checked
     |       | * here; callers apply their own limits. */
  272|  61.8k|unsigned int buf_getint(buffer* buf) {
  273|  61.8k|	unsigned int ret;
  274|       |
  275|  61.8k|	LOAD32H(ret, buf_getptr(buf, 4));
  ------------------
  |  |   66|  61.8k|#define LOAD32H(x, y)                           \
  |  |   67|  61.8k|do { XMEMCPY (&(x), (y), 4);                    \
  |  |  ------------------
  |  |  |  |   39|  61.8k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |   68|  61.8k|      (x) = __builtin_bswap32 ((x)); } while(0)
  |  |  ------------------
  |  |  |  Branch (68:46): [Folded, False: 61.8k]
  |  |  ------------------
  ------------------
  276|  61.8k|	buf_incrpos(buf, 4);
  277|  61.8k|	return ret;
  278|  61.8k|}
buf_putint:
     |       |/* Write val as a 32-bit integer at the current position.
     |       | * buf_getwriteptr(buf, 4) exits if 4 bytes do not fit within buf->size.
     |       | * In this build STORE32H expands to __builtin_bswap32 followed by a
     |       | * 4-byte memcpy, as the expansion below shows. The position is then
     |       | * moved on with buf_incrwritepos(), which is not visible in this
     |       | * listing. */
  281|   126k|void buf_putint(buffer* buf, int unsigned val) {
  282|       |
  283|   126k|	STORE32H(val, buf_getwriteptr(buf, 4));
  ------------------
  |  |   62|   126k|#define STORE32H(x, y)                          \
  |  |   63|   126k|do { ulong32 __t = __builtin_bswap32 ((x));     \
  |  |   64|   126k|      XMEMCPY ((y), &__t, 4); } while(0)
  |  |  ------------------
  |  |  |  |   39|   126k|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (64:39): [Folded, False: 126k]
  |  |  ------------------
  ------------------
  284|   126k|	buf_incrwritepos(buf, 4);
  285|       |
  286|   126k|}
buf_putstring:
     |       |/* Append a length-prefixed string: the 32-bit length len, then len
     |       | * bytes taken from str.
     |       | * The length comes from the caller, not from strlen(), so str must
     |       | * point to at least len readable bytes. Space in buf is checked by
     |       | * buf_putint() and buf_putbytes() through buf_getwriteptr(). */
  289|  24.5k|void buf_putstring(buffer* buf, const char* str, unsigned int len) {
  290|       |	
  291|  24.5k|	buf_putint(buf, len);
  292|  24.5k|	buf_putbytes(buf, (const unsigned char*)str, len);
  293|       |
  294|  24.5k|}
buf_putbufstring:
     |       |/* Append the contents of buf_str to buf as a length-prefixed string.
     |       | * The whole of buf_str is written (data[0] up to buf_str->len),
     |       | * regardless of buf_str's current position. */
  297|  4.83k|void buf_putbufstring(buffer *buf, const buffer* buf_str) {
  298|  4.83k|	buf_putstring(buf, (const char*)buf_str->data, buf_str->len);
  299|  4.83k|}
buf_putbytes:
     |       |/* Copy len raw bytes from bytes into buf at the current position, with
     |       | * no length prefix. buf_getwriteptr() exits before the copy if len
     |       | * bytes do not fit within buf->size; the position is then moved on
     |       | * with buf_incrwritepos(). bytes must point to at least len readable
     |       | * bytes. */
  303|   158k|void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
  304|   158k|	memcpy(buf_getwriteptr(buf, len), bytes, len);
  305|   158k|	buf_incrwritepos(buf, len);
  306|   158k|}
buf_putmpint:
     |       |/* Append the multi-precision integer mp to buf in SSH mpint form: a
     |       | * 32-bit byte count followed by the magnitude bytes written by
     |       | * mp_to_ubin().
     |       | *
     |       | * - mp must not be NULL (dropbear_assert).
     |       | * - A negative mp ends the process via dropbear_exit("negative bignum").
     |       | * - Zero is written as a length of 0 with no value bytes.
     |       | * - When the bit count is a multiple of 8, a leading 0x00 byte is
     |       | *   written before the magnitude (see the padding comment below).
     |       | *
     |       | * NOTE(review): the "negative bignum" and "mpint error" branches both
     |       | * have a hit count of 0 in this report, so neither failure path is
     |       | * exercised by this corpus. */
  311|  6.56k|void buf_putmpint(buffer* buf, const mp_int * mp) {
  312|  6.56k|	size_t written;
  313|  6.56k|	unsigned int len, pad = 0;
  314|  6.56k|	TRACE2(("enter buf_putmpint"))
  315|       |
  316|  6.56k|	dropbear_assert(mp != NULL);
  ------------------
  |  |   84|  6.56k|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 6.56k]
  |  |  |  Branch (84:93): [Folded, False: 6.56k]
  |  |  ------------------
  ------------------
  317|       |
  318|  6.56k|	if (mp_isneg(mp)) {
  ------------------
  |  |  295|  6.56k|#define mp_isneg(a)  (((a)->sign != MP_ZPOS) ? MP_YES : MP_NO)
  |  |  ------------------
  |  |  |  |  151|  6.56k|#define MP_ZPOS       0   /* positive integer */
  |  |  ------------------
  |  |               #define mp_isneg(a)  (((a)->sign != MP_ZPOS) ? MP_YES : MP_NO)
  |  |  ------------------
  |  |  |  |  158|      0|#define MP_YES        1
  |  |  ------------------
  |  |               #define mp_isneg(a)  (((a)->sign != MP_ZPOS) ? MP_YES : MP_NO)
  |  |  ------------------
  |  |  |  |  159|  6.56k|#define MP_NO         0
  |  |  ------------------
  |  |  |  Branch (295:22): [True: 0, False: 6.56k]
  |  |  |  Branch (295:23): [True: 0, False: 6.56k]
  |  |  ------------------
  ------------------
  319|      0|		dropbear_exit("negative bignum");
  320|      0|	}
  321|       |
  322|       |	/* zero check */
  323|  6.56k|	if (mp_iszero(mp)) {
  ------------------
  |  |  292|  6.56k|#define mp_iszero(a) (((a)->used == 0) ? MP_YES : MP_NO)
  |  |  ------------------
  |  |  |  |  158|    586|#define MP_YES        1
  |  |  ------------------
  |  |               #define mp_iszero(a) (((a)->used == 0) ? MP_YES : MP_NO)
  |  |  ------------------
  |  |  |  |  159|  5.97k|#define MP_NO         0
  |  |  ------------------
  |  |  |  Branch (292:22): [True: 586, False: 5.97k]
  |  |  |  Branch (292:23): [True: 586, False: 5.97k]
  |  |  ------------------
  ------------------
  324|    586|		len = 0;
  325|  5.97k|	} else {
  326|       |		/* SSH spec requires padding for mpints with the MSB set, this code
  327|       |		 * implements it */
  328|  5.97k|		len = mp_count_bits(mp);
  329|       |		/* if the top bit of MSB is set, we need to pad */
  330|  5.97k|		pad = (len%8 == 0) ? 1 : 0;
  ------------------
  |  Branch (330:9): [True: 2.20k, False: 3.77k]
  ------------------
  331|  5.97k|		len = len / 8 + 1; /* don't worry about rounding, we need it for
  332|       |							  padding anyway when len%8 == 0 */
  333|       |
  334|  5.97k|	}
  335|       |
  336|       |	/* store the length */
  337|  6.56k|	buf_putint(buf, len);
  338|       |	
  339|       |	/* store the actual value */
  340|  6.56k|	if (len > 0) {
  ------------------
  |  Branch (340:6): [True: 5.97k, False: 586]
  ------------------
  341|  5.97k|		if (pad) {
  ------------------
  |  Branch (341:7): [True: 2.20k, False: 3.77k]
  ------------------
  342|  2.20k|			buf_putbyte(buf, 0x00);
  343|  2.20k|		}
     |       |		/* buf_getwriteptr() checks that len-pad bytes fit before
     |       |		 * mp_to_ubin() writes; pos then moves by the count it reports */
  344|  5.97k|		if (mp_to_ubin(mp, buf_getwriteptr(buf, len-pad), len-pad, &written) != MP_OKAY) {
  ------------------
  |  |  161|  5.97k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (344:7): [True: 0, False: 5.97k]
  ------------------
  345|      0|			dropbear_exit("mpint error");
  346|      0|		}
  347|  5.97k|		buf_incrwritepos(buf, written);
  348|  5.97k|	}
  349|       |
  350|  6.56k|	TRACE2(("leave buf_putmpint"))
  351|  6.56k|}
buf_getmpint:
     |       |/* Read an SSH mpint from buf into mp.
     |       | *
     |       | * Returns DROPBEAR_SUCCESS when mp has been set (a zero length sets it
     |       | * to 0). Returns DROPBEAR_FAILURE when the length exceeds
     |       | * BUF_MAX_MPINT, when the top bit of the first value byte is set
     |       | * (a negative number), or when mp_from_ubin() fails.
     |       | * A truncated payload does not return: buf_getint()/buf_getptr() end
     |       | * the process through dropbear_exit().
     |       | *
     |       | * NOTE(review): on every DROPBEAR_FAILURE return the 4 length bytes have
     |       | * already been consumed by buf_getint() and pos is not rewound, so a
     |       | * caller cannot retry the parse from the same buffer position.
     |       | * NOTE(review): the mp_from_ubin() failure branch has a hit count of 0
     |       | * in this report. */
  356|  3.90k|int buf_getmpint(buffer* buf, mp_int* mp) {
  357|       |
  358|  3.90k|	unsigned int len;
  359|  3.90k|	len = buf_getint(buf);
  360|       |	
  361|  3.90k|	if (len == 0) {
  ------------------
  |  Branch (361:6): [True: 767, False: 3.13k]
  ------------------
  362|    767|		mp_zero(mp);
  363|    767|		return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|    767|#define DROPBEAR_SUCCESS 0
  ------------------
  364|    767|	}
  365|       |
     |       |	/* cap the attacker-supplied length before any bignum work is done */
  366|  3.13k|	if (len > BUF_MAX_MPINT) {
  ------------------
  |  |   38|  3.13k|#define BUF_MAX_MPINT (8240 / 8)
  ------------------
  |  Branch (366:6): [True: 69, False: 3.06k]
  ------------------
  367|     69|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|     69|#define DROPBEAR_FAILURE -1
  ------------------
  368|     69|	}
  369|       |
  370|       |	/* check for negative */
  371|  3.06k|	if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
  ------------------
  |  Branch (371:6): [True: 13, False: 3.05k]
  ------------------
  372|     13|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|     13|#define DROPBEAR_FAILURE -1
  ------------------
  373|     13|	}
  374|       |
  375|  3.05k|	if (mp_from_ubin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
  ------------------
  |  |  161|  3.05k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (375:6): [True: 0, False: 3.05k]
  ------------------
  376|      0|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  377|      0|	}
  378|       |
  379|  3.05k|	buf_incrpos(buf, len);
  380|  3.05k|	return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|  3.05k|#define DROPBEAR_SUCCESS 0
  ------------------
  381|  3.05k|}
buffer.c:buf_getstringbuf_int:
     |       |/* Read a length-prefixed string from buf into a newly allocated buffer.
     |       | *
     |       | * incllen  when non-zero, the new buffer is 4 bytes larger and starts
     |       | *          with the 32-bit length, followed by the string bytes.
     |       | *
     |       | * Calls dropbear_exit("String too long") when the length field exceeds
     |       | * MAX_STRING_LEN; buf_getptr() exits when the payload is shorter than
     |       | * the length field claims. The source position is advanced past the
     |       | * string, and the returned buffer has its position reset to 0.
     |       | *
     |       | * NOTE(review): both incllen branches have a hit count of 0 in this
     |       | * report; the only caller visible in this listing passes 0. */
  224|    585|static buffer * buf_getstringbuf_int(buffer *buf, int incllen) {
  225|    585|	buffer *ret = NULL;
  226|    585|	unsigned int len = buf_getint(buf);
  227|    585|	int extra = 0;
  228|    585|	if (len > MAX_STRING_LEN) {
  ------------------
  |  |  253|    585|#define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
  ------------------
  |  Branch (228:6): [True: 35, False: 550]
  |  Branch (228:12): [True: 574, Folded]
  ------------------
  229|     35|		dropbear_exit("String too long");
  230|     35|	}
  231|    550|	if (incllen) {
  ------------------
  |  Branch (231:6): [True: 0, False: 550]
  ------------------
  232|      0|		extra = 4;
  233|      0|	}
     |       |	/* len was capped at MAX_STRING_LEN above, so len+extra does not wrap */
  234|    550|	ret = buf_new(len+extra);
  235|    550|	if (incllen) {
  ------------------
  |  Branch (235:6): [True: 0, False: 550]
  ------------------
  236|      0|		buf_putint(ret, len);
  237|      0|	}
  238|    550|	memcpy(buf_getwriteptr(ret, len), buf_getptr(buf, len), len);
  239|    550|	buf_incrpos(buf, len);
  240|    550|	buf_incrlen(ret, len);
  241|    550|	buf_setpos(ret, 0);
  242|    550|	return ret;
  243|    585|}

cli_auth_getmethods:
     |       |/* Send an SSH_MSG_USERAUTH_REQUEST for the "none" method: message type,
     |       | * cli_opts.username, the "ssh-connection" service name and the method
     |       | * name "none", then hand the packet to encrypt_packet().
     |       | *
     |       | * cli_opts.username is passed to strlen(), so it must be a valid
     |       | * NUL-terminated string by the time this runs.
     |       | *
     |       | * The DROPBEAR_CLI_IMMEDIATE_AUTH section carries no execution counts
     |       | * in this report, so it appears to be compiled out of this build and
     |       | * is not covered here. */
   36|    258|void cli_auth_getmethods() {
   37|    258|	TRACE(("enter cli_auth_getmethods"))
   38|    258|	CHECKCLEARTOWRITE();
   39|    258|	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
  ------------------
  |  |   42|    258|#define SSH_MSG_USERAUTH_REQUEST            50
  ------------------
   40|    258|	buf_putstring(ses.writepayload, cli_opts.username,
   41|    258|			strlen(cli_opts.username));
   42|    258|	buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION,
  ------------------
  |  |  110|    258|#define SSH_SERVICE_CONNECTION "ssh-connection"
  ------------------
   43|    258|			SSH_SERVICE_CONNECTION_LEN);
  ------------------
  |  |  111|    258|#define SSH_SERVICE_CONNECTION_LEN 14
  ------------------
   44|    258|	buf_putstring(ses.writepayload, "none", 4); /* 'none' method */
   45|       |
   46|    258|	encrypt_packet();
   47|       |
   48|       |#if DROPBEAR_CLI_IMMEDIATE_AUTH
   49|       |	/* We can't have two auth requests in-flight with delayed zlib mode
   50|       |	since if the first one succeeds then the remote side will 
   51|       |	expect the second one to be compressed. 
   52|       |	Race described at
   53|       |	http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/zlib-openssh.html
   54|       |	*/
   55|       |	if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) {
   56|       |		ses.authstate.authtypes = AUTH_TYPE_PUBKEY;
   57|       |#if DROPBEAR_USE_PASSWORD_ENV
   58|       |		if (getenv(DROPBEAR_PASSWORD_ENV)) {
   59|       |			ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT;
   60|       |		}
   61|       |#endif
   62|       |		if (cli_auth_try() == DROPBEAR_SUCCESS) {
   63|       |			TRACE(("skipped initial none auth query"))
   64|       |			/* Note that there will be two auth responses in-flight */
   65|       |			cli_ses.ignore_next_auth_response = 1;
   66|       |		}
   67|       |	}
   68|       |#endif
   69|    258|	TRACE(("leave cli_auth_getmethods"))
   70|    258|}

cli_tty_cleanup:
     |       |/* Restore the terminal settings saved in cli_ses.saved_tio if the
     |       | * client put the TTY into raw mode; otherwise return immediately.
     |       | * When tcsetattr() fails, a warning is logged and tty_raw_mode stays
     |       | * set; it is cleared only after a successful restore.
     |       | *
     |       | * NOTE(review): every run in this report took the early return, so the
     |       | * restore path (tcsetattr and both of its outcomes) has a hit count
     |       | * of 0 and is not exercised by this corpus. */
  135|  3.33k|void cli_tty_cleanup() {
  136|       |
  137|  3.33k|	TRACE(("enter cli_tty_cleanup"))
  138|       |
  139|  3.33k|	if (cli_ses.tty_raw_mode == 0) {
  ------------------
  |  Branch (139:6): [True: 3.33k, False: 0]
  ------------------
  140|  3.33k|		TRACE(("leave cli_tty_cleanup: not in raw mode"))
  141|  3.33k|		return;
  142|  3.33k|	}
  143|       |
  144|      0|	if (tcsetattr(STDIN_FILENO, TCSADRAIN, &cli_ses.saved_tio) == -1) {
  ------------------
  |  Branch (144:6): [True: 0, False: 0]
  ------------------
  145|      0|		dropbear_log(LOG_WARNING, "Failed restoring TTY");
  146|      0|	} else {
  147|      0|		cli_ses.tty_raw_mode = 0; 
  148|      0|	}
  149|       |
  150|      0|	TRACE(("leave cli_tty_cleanup"))
  151|      0|}

send_msg_kexdh_init:
     |       |/* Build and send the client's SSH_MSG_KEXDH_INIT packet.
     |       | *
     |       | * Any key-exchange parameter left from an earlier exchange is released
     |       | * with cli_kex_free_param(), a fresh one is generated for the
     |       | * negotiated mode in ses.newkeys->algo_kex->mode, and its public value
     |       | * is written to ses.writepayload before encrypt_packet() is called.
     |       | * The generated parameter stays in cli_ses for the reply handler.
     |       | *
     |       | * With DROPBEAR_FUZZ, the function returns before doing any of this
     |       | * when fuzz.fuzzing and fuzz.skip_kexmaths are both set; that early
     |       | * return has a hit count of 0 in this report.
     |       | *
     |       | * NOTE(review): the switch has no default case. For a mode that matches
     |       | * none of the compiled-in cases the packet would contain only the
     |       | * message type byte; in this report every execution matched a case. */
   72|  5.66k|void send_msg_kexdh_init() {
   73|  5.66k|	TRACE(("send_msg_kexdh_init()"))	
   74|       |
   75|  5.66k|	CHECKCLEARTOWRITE();
   76|       |
   77|  5.66k|#if DROPBEAR_FUZZ
   78|  5.66k|	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
  ------------------
  |  Branch (78:6): [True: 5.66k, False: 0]
  |  Branch (78:22): [True: 0, False: 5.66k]
  ------------------
   79|      0|		return;
   80|      0|	}
   81|  5.66k|#endif
   82|       |
   83|  5.66k|	cli_kex_free_param();
   84|       |
   85|  5.66k|	buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
  ------------------
  |  |   38|  5.66k|#define SSH_MSG_KEXDH_INIT             30
  ------------------
   86|  5.66k|	switch (ses.newkeys->algo_kex->mode) {
  ------------------
  |  Branch (86:10): [True: 5.66k, False: 0]
  ------------------
   87|      0|#if DROPBEAR_NORMAL_DH
   88|  1.09k|		case DROPBEAR_KEX_NORMAL_DH:
  ------------------
  |  Branch (88:3): [True: 1.09k, False: 4.56k]
  ------------------
   89|  1.09k|			cli_ses.dh_param = gen_kexdh_param();
   90|  1.09k|			buf_putmpint(ses.writepayload, &cli_ses.dh_param->pub);
   91|  1.09k|			break;
   92|      0|#endif
   93|      0|#if DROPBEAR_ECDH
   94|    633|		case DROPBEAR_KEX_ECDH:
  ------------------
  |  Branch (94:3): [True: 633, False: 5.02k]
  ------------------
   95|    633|			cli_ses.ecdh_param = gen_kexecdh_param();
   96|    633|			buf_put_ecc_raw_pubkey_string(ses.writepayload, &cli_ses.ecdh_param->key);
   97|    633|			break;
   98|      0|#endif
   99|      0|#if DROPBEAR_CURVE25519
  100|    500|		case DROPBEAR_KEX_CURVE25519:
  ------------------
  |  Branch (100:3): [True: 500, False: 5.16k]
  ------------------
  101|    500|			cli_ses.curve25519_param = gen_kexcurve25519_param();
  102|    500|			buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN);
  ------------------
  |  |  122|    500|#define CURVE25519_LEN 32
  ------------------
  103|    500|			break;
  104|      0|#endif
  105|      0|#if DROPBEAR_PQHYBRID
  106|  3.43k|		case DROPBEAR_KEX_PQHYBRID:
  ------------------
  |  Branch (106:3): [True: 3.43k, False: 2.23k]
  ------------------
  107|  3.43k|			cli_ses.pqhybrid_param = gen_kexpqhybrid_param();
  108|  3.43k|			buf_putbufstring(ses.writepayload, cli_ses.pqhybrid_param->concat_public);
  109|  3.43k|			break;
  110|  5.66k|#endif
  111|  5.66k|	}
  112|       |
  113|  5.66k|	encrypt_packet();
  114|  5.66k|}
recv_msg_kexdh_reply:
     |       |/* Handle the server's key-exchange reply.
     |       | *
     |       | * Steps, in the order the code performs them:
     |       | *  1. Reject the message with dropbear_exit() unless the client state
     |       | *     is KEXDH_INIT_SENT.
     |       | *  2. Read the host key blob length and take a bounds-checked pointer
     |       | *     to the blob in ses.payload.
     |       | *  3. On the first key exchange only, pass the raw blob to
     |       | *     checkhostkey().
     |       | *  4. Parse the host key with buf_get_pub_key().
     |       | *  5. Read the server's public value for the negotiated mode and
     |       | *     combine it with the stored client parameter.
     |       | *  6. Release the client parameter, verify the signature over ses.hash
     |       | *     with buf_verify(), then send NEWKEYS and require NEWKEYS next.
     |       | * Every parse or verification failure ends in dropbear_exit().
     |       | *
     |       | * NOTE(review): checkhostkey() runs on the raw blob before the key is
     |       | * parsed and before the signature is verified; possession of the key
     |       | * is only proven by buf_verify() in step 6.
     |       | * NOTE(review): the checkhostkey() call and the out-of-order state
     |       | * check both have a hit count of 0 in this report (donefirstkex was
     |       | * set on every run), so host key checking is not exercised by this
     |       | * corpus.
     |       | * NOTE(review): hostkey is released only on the success path; the
     |       | * failure paths leave through dropbear_exit() without freeing it. */
  117|  1.94k|void recv_msg_kexdh_reply() {
  118|       |
  119|  1.94k|	sign_key *hostkey = NULL;
  120|  1.94k|	unsigned int keytype, keybloblen;
  121|  1.94k|	unsigned char* keyblob = NULL;
  122|       |
  123|  1.94k|	TRACE(("enter recv_msg_kexdh_reply"))
  124|       |	
  125|  1.94k|#if DROPBEAR_FUZZ
  126|  1.94k|	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
  ------------------
  |  Branch (126:6): [True: 1.94k, False: 0]
  |  Branch (126:22): [True: 0, False: 1.94k]
  ------------------
  127|      0|		return;
  128|      0|	}
  129|  1.94k|#endif
  130|       |
  131|  1.94k|	if (cli_ses.kex_state != KEXDH_INIT_SENT) {
  ------------------
  |  Branch (131:6): [True: 0, False: 1.94k]
  ------------------
  132|      0|		dropbear_exit("Received out-of-order kexdhreply");
  133|      0|	}
  134|  1.94k|	keytype = ses.newkeys->algo_hostkey;
  135|  1.94k|	TRACE(("keytype is %d", keytype))
  136|       |
  137|  1.94k|	hostkey = new_sign_key();
  138|  1.94k|	keybloblen = buf_getint(ses.payload);
  139|       |
     |       |	/* buf_getptr() checks keybloblen against the payload but leaves pos
     |       |	 * where it is; buf_get_pub_key() below is called with pos still at
     |       |	 * the start of the blob */
  140|  1.94k|	keyblob = buf_getptr(ses.payload, keybloblen);
  141|  1.94k|	if (!ses.kexstate.donefirstkex) {
  ------------------
  |  Branch (141:6): [True: 0, False: 1.94k]
  ------------------
  142|       |		/* Only makes sense the first time */
  143|      0|		checkhostkey(keyblob, keybloblen);
  144|      0|	}
  145|       |
  146|  1.94k|	if (buf_get_pub_key(ses.payload, hostkey, &keytype) != DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|  1.94k|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (146:6): [True: 343, False: 1.60k]
  ------------------
  147|    343|		TRACE(("failed getting pubkey"))
  148|    343|		dropbear_exit("Bad KEX packet");
  149|    343|	}
  150|       |
  151|       |	/* Derive the shared secret */
     |       |	/* NOTE(review): there is no default case, so a mode matching none of
     |       |	 * the compiled-in cases reaches buf_verify() without any *_comb_key()
     |       |	 * call. The switch-level counter below reports [True: 1.48k,
     |       |	 * False: 119]; whether the 119 are such runs should be confirmed. */
  152|  1.60k|	switch (ses.newkeys->algo_kex->mode) {
  ------------------
  |  Branch (152:10): [True: 1.48k, False: 119]
  ------------------
  153|      0|#if DROPBEAR_NORMAL_DH
  154|  1.00k|		case DROPBEAR_KEX_NORMAL_DH:
  ------------------
  |  Branch (154:3): [True: 1.00k, False: 602]
  ------------------
  155|  1.00k|			{
  156|  1.00k|			DEF_MP_INT(dh_f);
  ------------------
  |  |   81|  1.00k|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
  157|  1.00k|			m_mp_init(&dh_f);
  158|  1.00k|			if (buf_getmpint(ses.payload, &dh_f) != DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|  1.00k|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (158:8): [True: 5, False: 996]
  ------------------
  159|      5|				TRACE(("failed getting mpint"))
  160|      5|				dropbear_exit("Bad KEX packet");
  161|      5|			}
  162|       |
  163|    996|			kexdh_comb_key(cli_ses.dh_param, &dh_f, hostkey);
  164|    996|			mp_clear(&dh_f);
  165|    996|			}
  166|      0|			break;
  167|      0|#endif
  168|      0|#if DROPBEAR_ECDH
  169|    106|		case DROPBEAR_KEX_ECDH:
  ------------------
  |  Branch (169:3): [True: 106, False: 1.49k]
  ------------------
  170|    106|			{
  171|    106|			buffer *ecdh_qs = buf_getstringbuf(ses.payload);
  172|    106|			kexecdh_comb_key(cli_ses.ecdh_param, ecdh_qs, hostkey);
  173|    106|			buf_free(ecdh_qs);
  174|    106|			}
  175|    106|			break;
  176|      0|#endif
  177|      0|#if DROPBEAR_CURVE25519
  178|    328|		case DROPBEAR_KEX_CURVE25519:
  ------------------
  |  Branch (178:3): [True: 328, False: 1.27k]
  ------------------
  179|    328|			{
  180|    328|			buffer *ecdh_qs = buf_getstringbuf(ses.payload);
  181|    328|			kexcurve25519_comb_key(cli_ses.curve25519_param, ecdh_qs, hostkey);
  182|    328|			buf_free(ecdh_qs);
  183|    328|			}
  184|    328|			break;
  185|      0|#endif
  186|      0|#if DROPBEAR_PQHYBRID
  187|     49|		case DROPBEAR_KEX_PQHYBRID:
  ------------------
  |  Branch (187:3): [True: 49, False: 1.55k]
  ------------------
  188|     49|			{
  189|     49|			buffer *q_s = buf_getstringbuf(ses.payload);
  190|     49|			kexpqhybrid_comb_key(cli_ses.pqhybrid_param, q_s, hostkey);
  191|     49|			buf_free(q_s);
  192|     49|			}
  193|     49|			break;
  194|  1.60k|#endif
  195|  1.60k|	}
  196|       |
  197|       |	/* Clear the local parameter */
  198|  1.32k|	cli_kex_free_param();
  199|       |
  200|  1.32k|	if (buf_verify(ses.payload, hostkey, ses.newkeys->algo_signature, 
  ------------------
  |  Branch (200:6): [True: 931, False: 396]
  ------------------
  201|  1.32k|			ses.hash) != DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|  1.32k|#define DROPBEAR_SUCCESS 0
  ------------------
  202|    931|		dropbear_exit("Bad hostkey signature");
  203|    931|	}
  204|       |
  205|    396|	sign_key_free(hostkey);
  206|    396|	hostkey = NULL;
  207|       |
  208|    396|	send_msg_newkeys();
  209|    396|	ses.requirenext = SSH_MSG_NEWKEYS;
  ------------------
  |  |   37|    396|#define SSH_MSG_NEWKEYS                21
  ------------------
     |       |	/* NOTE(review): the trace text below names recv_msg_kexdh_init,
     |       |	 * although this function is recv_msg_kexdh_reply */
  210|    396|	TRACE(("leave recv_msg_kexdh_init"))
  211|    396|}
cli-kex.c:cli_kex_free_param:
     |       |/* Release whichever client key-exchange parameters are currently held
     |       | * in cli_ses, one block per compiled-in key-exchange type.
     |       | * Each pointer is set to NULL after it is freed, so a second call (this
     |       | * listing shows calls from both send_msg_kexdh_init() and
     |       | * recv_msg_kexdh_reply()) does not free the same object twice.
     |       | * Whether the free_*_param() helpers wipe the secret material before
     |       | * releasing it cannot be seen from this listing. */
   45|  6.98k|static void cli_kex_free_param(void) {
   46|  6.98k|#if DROPBEAR_NORMAL_DH
   47|  6.98k|	if (cli_ses.dh_param) {
  ------------------
  |  Branch (47:6): [True: 977, False: 6.01k]
  ------------------
   48|    977|		free_kexdh_param(cli_ses.dh_param);
   49|    977|		cli_ses.dh_param = NULL;
   50|    977|	}
   51|  6.98k|#endif
   52|  6.98k|#if DROPBEAR_ECDH
   53|  6.98k|	if (cli_ses.ecdh_param) {
  ------------------
  |  Branch (53:6): [True: 65, False: 6.92k]
  ------------------
   54|     65|		free_kexecdh_param(cli_ses.ecdh_param);
   55|     65|		cli_ses.ecdh_param = NULL;
   56|     65|	}
   57|  6.98k|#endif
   58|  6.98k|#if DROPBEAR_CURVE25519
   59|  6.98k|	if (cli_ses.curve25519_param) {
  ------------------
  |  Branch (59:6): [True: 244, False: 6.74k]
  ------------------
   60|    244|		free_kexcurve25519_param(cli_ses.curve25519_param);
   61|    244|		cli_ses.curve25519_param = NULL;
   62|    244|	}
   63|  6.98k|#endif
   64|  6.98k|#if DROPBEAR_PQHYBRID
   65|  6.98k|	if (cli_ses.pqhybrid_param) {
  ------------------
  |  Branch (65:6): [True: 2.37k, False: 4.61k]
  ------------------
   66|  2.37k|		free_kexpqhybrid_param(cli_ses.pqhybrid_param);
   67|       |		cli_ses.pqhybrid_param = NULL;
   68|  2.37k|	}
   69|  6.98k|#endif
   70|  6.98k|}

cli_getopts:
  114|      1|void cli_getopts(int argc, char ** argv) {
  115|      1|	unsigned int i, j;
  116|      1|	const char ** next = NULL;
  117|      1|	enum {
  118|      1|		OPT_EXTENDED_OPTIONS,
  119|      1|#if DROPBEAR_CLI_PUBKEY_AUTH
  120|      1|		OPT_AUTHKEY,
  121|      1|#endif
  122|      1|#if DROPBEAR_CLI_LOCALTCPFWD
  123|      1|		OPT_LOCALTCPFWD,
  124|      1|#endif
  125|      1|#if DROPBEAR_CLI_REMOTETCPFWD
  126|      1|		OPT_REMOTETCPFWD,
  127|      1|#endif
  128|      1|#if DROPBEAR_CLI_NETCAT
  129|      1|		OPT_NETCAT,
  130|      1|#endif
  131|       |		/* a flag (no arg) if 'next' is NULL, a string-valued option otherwise */
  132|      1|		OPT_OTHER
  133|      1|	} opt;
  134|      1|	unsigned int cmdlen;
  135|       |
  136|      1|	const char* recv_window_arg = NULL;
  137|      1|	const char* idle_timeout_arg = NULL;
  138|      1|	const char* max_duration_arg = NULL;
  139|      1|	const char *host_arg = NULL;
  140|      1|	const char *proxycmd_arg = NULL;
  141|      1|	const char *remoteport_arg = NULL;
  142|      1|	const char *username_arg = NULL;
  143|      1|	const char *algo_print_arg = NULL;
  144|      1|	char c;
  145|       |
  146|       |	/* see printhelp() for options */
  147|      1|	cli_opts.progname = argv[0];
  148|      1|	cli_opts.remotehost = NULL;
  149|      1|	cli_opts.remotehostfixed = 0;
  150|      1|	cli_opts.remoteport = NULL;
  151|      1|	cli_opts.username = NULL;
  152|      1|	cli_opts.cmd = NULL;
  153|      1|	cli_opts.no_cmd = 0;
  154|      1|	cli_opts.quiet = 0;
  155|      1|	cli_opts.backgrounded = 0;
  156|      1|	cli_opts.wantpty = 9; /* 9 means "it hasn't been touched", gets set later */
  157|      1|	cli_opts.always_accept_key = 0;
  158|      1|	cli_opts.ask_hostkey = 1;
  159|      1|	cli_opts.no_hostkey_check = 0;
  160|      1|	cli_opts.is_subsystem = 0;
  161|      1|#if DROPBEAR_CLI_PUBKEY_AUTH
  162|      1|	cli_opts.privkeys = list_new();
  163|      1|#endif
  164|      1|#if DROPBEAR_CLI_ANYTCPFWD
  165|      1|	cli_opts.exit_on_fwd_failure = 0;
  166|      1|#endif
  167|      1|	cli_opts.disable_trivial_auth = 0;
  168|      1|	cli_opts.password_authentication = 1;
  169|      1|	cli_opts.batch_mode = 0;
  170|      1|#if DROPBEAR_CLI_LOCALTCPFWD
  171|      1|	cli_opts.localfwds = list_new();
  172|      1|	opts.listen_fwd_all = 0;
  173|      1|#endif
  174|      1|#if DROPBEAR_CLI_REMOTETCPFWD
  175|      1|	cli_opts.remotefwds = list_new();
  176|      1|#endif
  177|      1|#if DROPBEAR_CLI_AGENTFWD
  178|      1|	cli_opts.agent_fwd = 0;
  179|      1|	cli_opts.agent_fd = -1;
  180|      1|	cli_opts.agent_keys_loaded = 0;
  181|      1|#endif
  182|      1|#if DROPBEAR_CLI_PROXYCMD
  183|      1|	cli_opts.proxycmd = NULL;
  184|      1|#endif
  185|      1|	cli_opts.bind_arg = NULL;
  186|      1|	cli_opts.bind_address = NULL;
  187|      1|	cli_opts.bind_port = NULL;
  188|      1|	cli_opts.keepalive_arg = NULL;
  189|       |#ifndef DISABLE_ZLIB
  190|       |	opts.compression = DROPBEAR_CLI_COMPRESSION;
  191|       |#endif
  192|      1|#if DROPBEAR_USER_ALGO_LIST
  193|      1|	opts.cipher_list = NULL;
  194|      1|	opts.mac_list = NULL;
  195|      1|#endif
  196|      1|#ifndef DISABLE_SYSLOG
  197|      1|	opts.usingsyslog = 0;
  198|      1|#endif
  199|       |	/* not yet
  200|       |	opts.ipv4 = 1;
  201|       |	opts.ipv6 = 1;
  202|       |	*/
  203|      1|	opts.recv_window = DEFAULT_RECV_WINDOW;
  ------------------
  |  |  550|      1|#define DEFAULT_RECV_WINDOW 24576
  ------------------
  204|      1|	opts.keepalive_secs = DEFAULT_KEEPALIVE;
  ------------------
  |  |  566|      1|#define DEFAULT_KEEPALIVE 0
  ------------------
  205|      1|	opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
  ------------------
  |  |  579|      1|#define DEFAULT_IDLE_TIMEOUT 0
  ------------------
  206|      1|	opts.max_duration_secs = DEFAULT_MAX_DURATION;
  ------------------
  |  |  585|      1|#define DEFAULT_MAX_DURATION 0
  ------------------
  207|       |
  208|      1|	fill_own_user();
  209|       |
  210|      3|	for (i = 1; i < (unsigned int)argc; i++) {
  ------------------
  |  Branch (210:14): [True: 3, False: 0]
  ------------------
  211|       |		/* Handle non-flag arguments such as hostname or commands for the remote host */
  212|      3|		if (argv[i][0] != '-')
  ------------------
  |  Branch (212:7): [True: 2, False: 1]
  ------------------
  213|      2|		{
  214|      2|			if (host_arg == NULL) {
  ------------------
  |  Branch (214:8): [True: 1, False: 1]
  ------------------
  215|      1|				host_arg = argv[i];
  216|      1|				continue;
  217|      1|			}
  218|       |			/* Commands to pass to the remote host. No more flag handling,
  219|       |			commands are consumed below */
  220|      1|			break;
  221|      2|		}
  222|       |
  223|       |		/* Begins with '-' */
  224|      1|		opt = OPT_OTHER;
  225|      2|		for (j = 1; (c = argv[i][j]) != '\0' && !next && opt == OPT_OTHER; j++) {
  ------------------
  |  Branch (225:15): [True: 1, False: 1]
  |  Branch (225:43): [True: 1, False: 0]
  |  Branch (225:52): [True: 1, False: 0]
  ------------------
  226|      1|			switch (c) {
  227|      1|				case 'y':
  ------------------
  |  Branch (227:5): [True: 1, False: 0]
  ------------------
  228|       |					/* once is always accept the remote hostkey,
  229|       |					 * the same as stricthostkeychecking=accept-new */
  230|      1|					if (cli_opts.always_accept_key) {
  ------------------
  |  Branch (230:10): [True: 0, False: 1]
  ------------------
  231|       |						/* twice means no checking at all
  232|       |						 * (stricthostkeychecking=no) */
  233|      0|						cli_opts.no_hostkey_check = 1;
  234|      0|					}
  235|      1|					cli_opts.always_accept_key = 1;
  236|      1|					break;
  237|      0|				case 'q': /* quiet */
  ------------------
  |  Branch (237:5): [True: 0, False: 1]
  ------------------
  238|      0|					cli_opts.quiet = 1;
  239|      0|					break;
  240|      0|				case 'p': /* remoteport */
  ------------------
  |  Branch (240:5): [True: 0, False: 1]
  ------------------
  241|      0|					next = &remoteport_arg;
  242|      0|					break;
  243|      0|#if DROPBEAR_CLI_PUBKEY_AUTH
  244|      0|				case 'i': /* an identityfile */
  ------------------
  |  Branch (244:5): [True: 0, False: 1]
  ------------------
  245|      0|					opt = OPT_AUTHKEY;
  246|      0|					break;
  247|      0|#endif
  248|      0|				case 't': /* we want a pty */
  ------------------
  |  Branch (248:5): [True: 0, False: 1]
  ------------------
  249|      0|					cli_opts.wantpty = 1;
  250|      0|					break;
  251|      0|				case 'T': /* don't want a pty */
  ------------------
  |  Branch (251:5): [True: 0, False: 1]
  ------------------
  252|      0|					cli_opts.wantpty = 0;
  253|      0|					break;
  254|      0|				case 'N':
  ------------------
  |  Branch (254:5): [True: 0, False: 1]
  ------------------
  255|      0|					cli_opts.no_cmd = 1;
  256|      0|					break;
  257|      0|				case 'f':
  ------------------
  |  Branch (257:5): [True: 0, False: 1]
  ------------------
  258|      0|					cli_opts.backgrounded = 1;
  259|      0|					break;
  260|      0|				case 's':
  ------------------
  |  Branch (260:5): [True: 0, False: 1]
  ------------------
  261|      0|					cli_opts.is_subsystem = 1;
  262|      0|					break;
  263|      0|				case 'o':
  ------------------
  |  Branch (263:5): [True: 0, False: 1]
  ------------------
  264|      0|					opt = OPT_EXTENDED_OPTIONS;
  265|      0|					break;
  266|      0|#if DROPBEAR_CLI_LOCALTCPFWD
  267|      0|				case 'L':
  ------------------
  |  Branch (267:5): [True: 0, False: 1]
  ------------------
  268|      0|					opt = OPT_LOCALTCPFWD;
  269|      0|					break;
  270|      0|				case 'g':
  ------------------
  |  Branch (270:5): [True: 0, False: 1]
  ------------------
  271|      0|					opts.listen_fwd_all = 1;
  272|      0|					break;
  273|      0|#endif
  274|      0|#if DROPBEAR_CLI_REMOTETCPFWD
  275|      0|				case 'R':
  ------------------
  |  Branch (275:5): [True: 0, False: 1]
  ------------------
  276|      0|					opt = OPT_REMOTETCPFWD;
  277|      0|					break;
  278|      0|#endif
  279|      0|#if DROPBEAR_CLI_NETCAT
  280|      0|				case 'B':
  ------------------
  |  Branch (280:5): [True: 0, False: 1]
  ------------------
  281|      0|					opt = OPT_NETCAT;
  282|      0|					break;
  283|      0|#endif
  284|      0|#if DROPBEAR_CLI_PROXYCMD
  285|      0|				case 'J':
  ------------------
  |  Branch (285:5): [True: 0, False: 1]
  ------------------
  286|      0|					next = &proxycmd_arg;
  287|      0|					break;
  288|      0|#endif
  289|      0|				case 'l':
  ------------------
  |  Branch (289:5): [True: 0, False: 1]
  ------------------
  290|      0|					next = &username_arg;
  291|      0|					break;
  292|      0|				case 'Q':
  ------------------
  |  Branch (292:5): [True: 0, False: 1]
  ------------------
  293|      0|					next = &algo_print_arg;
  294|      0|					break;
  295|      0|				case 'h':
  ------------------
  |  Branch (295:5): [True: 0, False: 1]
  ------------------
  296|      0|					printhelp();
  297|      0|					exit(EXIT_SUCCESS);
  298|      0|					break;
  299|      0|				case 'u':
  ------------------
  |  Branch (299:5): [True: 0, False: 1]
  ------------------
  300|       |					/* backwards compatibility with old urandom option */
  301|      0|					break;
  302|      0|				case 'W':
  ------------------
  |  Branch (302:5): [True: 0, False: 1]
  ------------------
  303|      0|					next = &recv_window_arg;
  304|      0|					break;
  305|      0|				case 'K':
  ------------------
  |  Branch (305:5): [True: 0, False: 1]
  ------------------
  306|      0|					next = &cli_opts.keepalive_arg;
  307|      0|					break;
  308|      0|				case 'I':
  ------------------
  |  Branch (308:5): [True: 0, False: 1]
  ------------------
  309|      0|					next = &idle_timeout_arg;
  310|      0|					break;
  311|      0|				case 'M':
  ------------------
  |  Branch (311:5): [True: 0, False: 1]
  ------------------
  312|      0|					next = &max_duration_arg;
  313|      0|					break;
  314|      0|#if DROPBEAR_CLI_AGENTFWD
  315|      0|				case 'A':
  ------------------
  |  Branch (315:5): [True: 0, False: 1]
  ------------------
  316|      0|					cli_opts.agent_fwd = 1;
  317|      0|					break;
  318|      0|#endif
  319|      0|#if DROPBEAR_USER_ALGO_LIST
  320|      0|				case 'c':
  ------------------
  |  Branch (320:5): [True: 0, False: 1]
  ------------------
  321|      0|					next = &opts.cipher_list;
  322|      0|					break;
  323|      0|				case 'm':
  ------------------
  |  Branch (323:5): [True: 0, False: 1]
  ------------------
  324|      0|					next = &opts.mac_list;
  325|      0|					break;
  326|      0|#endif
  327|       |#if DEBUG_TRACE
  328|       |				case 'v':
  329|       |					debug_trace++;
  330|       |					break;
  331|       |#endif
  332|      0|				case 'F':
  ------------------
  |  Branch (332:5): [True: 0, False: 1]
  ------------------
  333|      0|				case 'e':
  ------------------
  |  Branch (333:5): [True: 0, False: 1]
  ------------------
  334|       |#if !DROPBEAR_USER_ALGO_LIST
  335|       |				case 'c':
  336|       |				case 'm':
  337|       |#endif
  338|      0|				case 'D':
  ------------------
  |  Branch (338:5): [True: 0, False: 1]
  ------------------
  339|       |#if !DROPBEAR_CLI_REMOTETCPFWD
  340|       |				case 'R':
  341|       |#endif
  342|       |#if !DROPBEAR_CLI_LOCALTCPFWD
  343|       |				case 'L':
  344|       |#endif
  345|      0|				case 'V':
  ------------------
  |  Branch (345:5): [True: 0, False: 1]
  ------------------
  346|      0|					print_version();
  347|      0|					exit(EXIT_SUCCESS);
  348|      0|					break;
  349|      0|				case 'b':
  ------------------
  |  Branch (349:5): [True: 0, False: 1]
  ------------------
  350|      0|					next = &cli_opts.bind_arg;
  351|      0|					break;
  352|      0|				case 'z':
  ------------------
  |  Branch (352:5): [True: 0, False: 1]
  ------------------
  353|      0|					opts.disable_ip_tos = 1;
  354|      0|					break;
  355|      0|				default:
  ------------------
  |  Branch (355:5): [True: 0, False: 1]
  ------------------
  356|      0|					fprintf(stderr,
  ------------------
  |  |  100|      0|#define stderr (fuzz.fake_stderr)
  ------------------
  357|      0|						"WARNING: Ignoring unknown option -%c\n", c);
  358|      0|					break;
  359|      1|			} /* Switch */
  360|      1|		}
  361|       |
  362|      1|		if (!next && opt == OPT_OTHER) /* got a flag */
  ------------------
  |  Branch (362:7): [True: 1, False: 0]
  |  Branch (362:16): [True: 1, False: 0]
  ------------------
  363|      1|			continue;
  364|       |
  365|      0|		if (c == '\0') {
  ------------------
  |  Branch (365:7): [True: 0, False: 0]
  ------------------
  366|      0|			i++;
  367|      0|			j = 0;
  368|      0|			if (!argv[i])
  ------------------
  |  Branch (368:8): [True: 0, False: 0]
  ------------------
  369|      0|				dropbear_exit("Missing argument");
  370|      0|		}
  371|       |
  372|      0|		if (opt == OPT_EXTENDED_OPTIONS) {
  ------------------
  |  Branch (372:7): [True: 0, False: 0]
  ------------------
  373|      0|			TRACE(("opt extended"))
  374|      0|			add_extendedopt(&argv[i][j]);
  375|      0|		}
  376|      0|		else
  377|      0|#if DROPBEAR_CLI_PUBKEY_AUTH
  378|      0|		if (opt == OPT_AUTHKEY) {
  ------------------
  |  Branch (378:7): [True: 0, False: 0]
  ------------------
  379|      0|			TRACE(("opt authkey"))
  380|      0|			loadidentityfile(&argv[i][j], 1);
  381|      0|		}
  382|      0|		else
  383|      0|#endif
  384|      0|#if DROPBEAR_CLI_REMOTETCPFWD
  385|      0|		if (opt == OPT_REMOTETCPFWD) {
  ------------------
  |  Branch (385:7): [True: 0, False: 0]
  ------------------
  386|      0|			TRACE(("opt remotetcpfwd"))
  387|      0|			addforward(&argv[i][j], cli_opts.remotefwds);
  388|      0|		}
  389|      0|		else
  390|      0|#endif
  391|      0|#if DROPBEAR_CLI_LOCALTCPFWD
  392|      0|		if (opt == OPT_LOCALTCPFWD) {
  ------------------
  |  Branch (392:7): [True: 0, False: 0]
  ------------------
  393|      0|			TRACE(("opt localtcpfwd"))
  394|      0|			addforward(&argv[i][j], cli_opts.localfwds);
  395|      0|		}
  396|      0|		else
  397|      0|#endif
  398|      0|#if DROPBEAR_CLI_NETCAT
  399|      0|		if (opt == OPT_NETCAT) {
  ------------------
  |  Branch (399:7): [True: 0, False: 0]
  ------------------
  400|      0|			TRACE(("opt netcat"))
  401|      0|			add_netcat(&argv[i][j]);
  402|      0|		}
  403|      0|		else
  404|      0|#endif
  405|      0|		if (next) {
  ------------------
  |  Branch (405:7): [True: 0, False: 0]
  ------------------
  406|       |			/* The previous flag set a value to assign */
  407|      0|			*next = &argv[i][j];
  408|      0|			if (*next == NULL)
  ------------------
  |  Branch (408:8): [True: 0, False: 0]
  ------------------
  409|      0|				dropbear_exit("Invalid null argument");
  410|      0|			next = NULL;
  411|      0|		}
  412|      0|	}
  413|       |
  414|      1|#if DROPBEAR_USER_ALGO_LIST
  415|       |	/* -c help doesn't need a hostname */
  416|      1|	parse_ciphers_macs();
  417|      1|#endif
  418|       |
  419|      1|	if (algo_print_arg) {
  ------------------
  |  Branch (419:6): [True: 0, False: 1]
  ------------------
  420|      0|		print_algos(algo_print_arg);
  421|       |		/* No return */
  422|      0|	}
  423|       |
  424|      1|	if (host_arg == NULL) { /* missing hostname */
  ------------------
  |  Branch (424:6): [True: 0, False: 1]
  ------------------
  425|      0|		printhelp();
  426|      0|		dropbear_exit("Remote host needs to provided.");
  427|      0|	}
  428|      1|	TRACE(("host is: %s", host_arg))
  429|       |
  430|      1|#if DROPBEAR_USE_SSH_CONFIG
  431|      1|	apply_config_settings(host_arg);
  432|      1|#endif
  433|       |
  434|       |	/* Apply needed defaults if missing from command line or config file. */
  435|      1|	if (remoteport_arg) {
  ------------------
  |  Branch (435:6): [True: 0, False: 1]
  ------------------
  436|      0|		m_free(cli_opts.remoteport);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  437|      0|		cli_opts.remoteport = m_strdup(remoteport_arg);
  438|      1|	} else if (!cli_opts.remoteport) {
  ------------------
  |  Branch (438:13): [True: 1, False: 0]
  ------------------
  439|      1|		cli_opts.remoteport = m_strdup("22");
  440|      1|	}
  441|       |
  442|      1|	if (username_arg) {
  ------------------
  |  Branch (442:6): [True: 0, False: 1]
  ------------------
  443|      0|		m_free(cli_opts.username);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  444|      0|		cli_opts.username = m_strdup(username_arg);
  445|      1|	} else if(!cli_opts.username) {
  ------------------
  |  Branch (445:12): [True: 1, False: 0]
  ------------------
  446|      1|		cli_opts.username = m_strdup(cli_opts.own_user);
  447|      1|	}
  448|       |
  449|       |	/* Done with options/flags; now handle the hostname (which may not
  450|       |	 * start with a hyphen) and optional command */
  451|       |
  452|      1|	if (i < (unsigned int)argc) {
  ------------------
  |  Branch (452:6): [True: 1, False: 0]
  ------------------
  453|       |		/* Build the command to send */
  454|      1|		cmdlen = 0;
  455|      2|		for (j = i; j < (unsigned int)argc; j++)
  ------------------
  |  Branch (455:15): [True: 1, False: 1]
  ------------------
  456|      1|			cmdlen += strlen(argv[j]) + 1; /* +1 for spaces */
  457|       |
  458|       |		/* Allocate the space */
  459|      1|		cli_opts.cmd = (char*)m_malloc(cmdlen);
  460|      1|		cli_opts.cmd[0] = '\0';
  461|       |
  462|       |		/* Append all the bits */
  463|      2|		for (j = i; j < (unsigned int)argc; j++) {
  ------------------
  |  Branch (463:15): [True: 1, False: 1]
  ------------------
  464|      1|			strlcat(cli_opts.cmd, argv[j], cmdlen);
  465|      1|			strlcat(cli_opts.cmd, " ", cmdlen);
  466|      1|		}
  467|       |		/* It'll be null-terminated here */
  468|      1|		TRACE(("cmd is: %s", cli_opts.cmd))
  469|      1|	}
  470|       |
  471|       |	/* And now a few sanity checks and setup */
  472|       |
  473|      1|#if DROPBEAR_CLI_PROXYCMD
  474|      1|	if (proxycmd_arg) {
  ------------------
  |  Branch (474:6): [True: 0, False: 1]
  ------------------
  475|       |		/* To match the common path of m_freeing it */
  476|      0|		cli_opts.proxycmd = m_strdup(proxycmd_arg);
  477|      0|	}
  478|      1|#endif
  479|       |
  480|      1|	if (cli_opts.bind_arg) {
  ------------------
  |  Branch (480:6): [True: 0, False: 1]
  ------------------
  481|      0|		if (split_address_port(cli_opts.bind_arg,
  ------------------
  |  Branch (481:7): [True: 0, False: 0]
  ------------------
  482|      0|			&cli_opts.bind_address, &cli_opts.bind_port)
  483|      0|				== DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  484|      0|			dropbear_exit("Bad -b argument");
  485|      0|		}
  486|      0|	}
  487|       |
  488|       |	/* If not explicitly specified with -t or -T, we don't want a pty if
  489|       |	 * there's a command, but we do otherwise */
  490|      1|	if (cli_opts.wantpty == 9) {
  ------------------
  |  Branch (490:6): [True: 1, False: 0]
  ------------------
  491|      1|		if (cli_opts.cmd == NULL) {
  ------------------
  |  Branch (491:7): [True: 0, False: 1]
  ------------------
  492|      0|			if (isatty(STDIN_FILENO)) {
  ------------------
  |  Branch (492:8): [True: 0, False: 0]
  ------------------
  493|      0|				cli_opts.wantpty = 1;
  494|      0|			} else {
  495|      0|				TRACE(("Not a TTY"));
  496|      0|				cli_opts.wantpty = 0;
  497|      0|			}
  498|      1|		} else {
  499|      1|			cli_opts.wantpty = 0;
  500|      1|		}
  501|      1|	}
  502|       |
  503|      1|	if (cli_opts.backgrounded && cli_opts.cmd == NULL
  ------------------
  |  Branch (503:6): [True: 0, False: 1]
  |  Branch (503:31): [True: 0, False: 0]
  ------------------
  504|      0|			&& cli_opts.no_cmd == 0) {
  ------------------
  |  Branch (504:7): [True: 0, False: 0]
  ------------------
  505|      0|		dropbear_exit("Command required for -f");
  506|      0|	}
  507|       |
  508|      1|	if (recv_window_arg) {
  ------------------
  |  Branch (508:6): [True: 0, False: 1]
  ------------------
  509|      0|		parse_recv_window(recv_window_arg);
  510|      0|	}
  511|      1|	if (cli_opts.keepalive_arg) {
  ------------------
  |  Branch (511:6): [True: 0, False: 1]
  ------------------
  512|      0|		unsigned int val;
  513|      0|		if (m_str_to_uint(cli_opts.keepalive_arg, &val) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (513:7): [True: 0, False: 0]
  ------------------
  514|      0|			dropbear_exit("Bad keepalive '%s'", cli_opts.keepalive_arg);
  515|      0|		}
  516|      0|		opts.keepalive_secs = val;
  517|      0|	}
  518|       |
  519|      1|	if (idle_timeout_arg) {
  ------------------
  |  Branch (519:6): [True: 0, False: 1]
  ------------------
  520|      0|		unsigned int val;
  521|      0|		if (m_str_to_uint(idle_timeout_arg, &val) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (521:7): [True: 0, False: 0]
  ------------------
  522|      0|			dropbear_exit("Bad idle_timeout '%s'", idle_timeout_arg);
  523|      0|		}
  524|      0|		opts.idle_timeout_secs = val;
  525|      0|	}
  526|       |
  527|      1|	if (max_duration_arg) {
  ------------------
  |  Branch (527:6): [True: 0, False: 1]
  ------------------
  528|      0|		unsigned int val;
  529|      0|		if (m_str_to_uint(max_duration_arg, &val) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (529:7): [True: 0, False: 0]
  ------------------
  530|      0|			dropbear_exit("Bad max_duration '%s'", max_duration_arg);
  531|      0|		}
  532|      0|		opts.max_duration_secs = val;
  533|      0|	}
  534|       |
  535|      1|#if DROPBEAR_CLI_NETCAT
  536|      1|	if (cli_opts.cmd && cli_opts.netcat_host) {
  ------------------
  |  Branch (536:6): [True: 1, False: 0]
  |  Branch (536:22): [True: 0, False: 1]
  ------------------
  537|      0|		dropbear_log(LOG_INFO, "Ignoring command '%s' in netcat mode", cli_opts.cmd);
  538|      0|	}
  539|      1|#endif
  540|       |
  541|       |	/* The hostname gets set up last, since
  542|       |	 * in multi-hop mode it will require knowledge
  543|       |	 * of other flags such as -i */
  544|      1|#if DROPBEAR_CLI_MULTIHOP
  545|      1|	parse_multihop_hostname(host_arg, argv[0]);
  546|       |#else
  547|       |	parse_hostname(host_arg);
  548|       |#endif
  549|       |
  550|       |	/* We don't want to include default id_dropbear as a
  551|       |	   -i argument for multihop, so handle it later. */
  552|      1|#if (DROPBEAR_CLI_PUBKEY_AUTH)
  553|      1|	{
  554|      1|		loadidentityfile(DROPBEAR_DEFAULT_CLI_AUTHKEY, 0);
  ------------------
  |  |  408|      1|#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear"
  ------------------
  555|      1|	}
  556|      1|#endif
  557|      1|}
loadidentityfile:
  /* Load the private key at `filename` (after expand_homedir_path()) and append
   * it to cli_opts.privkeys.
   * If readhostkey() fails, the key object and the expanded path are freed and a
   * warning is logged only when `warnfail` is non-zero.
   * NOTE(review): no permission or ownership check on the key file is visible in
   * this function; confirm whether readhostkey() performs one. */
  560|      1|void loadidentityfile(const char* filename, int warnfail) {
  561|      1|	sign_key *key;
  562|      1|	enum signkey_type keytype;
  563|       |
  564|      1|	char *id_key_path = expand_homedir_path(filename);
  565|      1|	TRACE(("loadidentityfile %s", id_key_path))
  566|       |
  567|      1|	key = new_sign_key();
  568|      1|	keytype = DROPBEAR_SIGNKEY_ANY; /* passed by pointer below; presumably updated to the type found - confirm */
  569|      1|	if ( readhostkey(id_key_path, key, &keytype) != DROPBEAR_SUCCESS ) {
  ------------------
  |  |  111|      1|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (569:7): [True: 1, False: 0]
  ------------------
  570|      1|		if (warnfail) {
  ------------------
  |  Branch (570:7): [True: 0, False: 1]
  ------------------
  571|      0|			dropbear_log(LOG_WARNING, "Failed loading keyfile '%s'\n", id_key_path);
  572|      0|		}
  573|      1|		sign_key_free(key);
  574|      1|		m_free(id_key_path);
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
  575|      1|	} else { /* success path: count 0, i.e. not executed in this coverage run */
  576|      0|		key->type = keytype;
  577|      0|		key->source = SIGNKEY_SOURCE_RAW_FILE;
  578|      0|		key->filename = id_key_path; /* the key now holds the path, so it is not freed here */
  579|      0|		list_append(cli_opts.privkeys, key);
  580|      0|	}
  581|      1|}
cli-runopts.c:parse_multihop_hostname:
  /* Handle a host argument that may list several hops separated by ','.
   * The text after the last ',' is passed to parse_hostname() as the real
   * target; the text before it is given to multihop_args() together with
   * `argv0` to build cli_opts.proxyexec.
   * A leading ',' exits with "Bad multi-hop hostnames". A trailing ',' leaves an
   * empty last hop, which parse_hostname() rejects with "Bad hostname.". */
  697|      1|static void parse_multihop_hostname(const char* orighostarg, const char* argv0) {
  698|      1|	char *userhostarg = NULL;
  699|      1|	char *hostbuf = NULL;
  700|      1|	char *last_hop = NULL;
  701|      1|	char *prior_hops = NULL;
  702|       |
  703|       |	/* both scp and rsync parse a user@host argument
  704|       |	 * and turn it into "-l user host". This breaks
  705|       |	 * for our multihop syntax, so we suture it back together.
  706|       |	 * This will break usernames that have both '@' and ',' in them,
  707|       |	 * though that should be fairly uncommon. */
  708|      1|	if (cli_opts.username
  ------------------
  |  Branch (708:6): [True: 1, False: 0]
  ------------------
  709|      1|			&& strchr(cli_opts.username, ',')
  ------------------
  |  Branch (709:7): [True: 0, False: 1]
  ------------------
  710|      0|			&& strchr(cli_opts.username, '@')) {
  ------------------
  |  Branch (710:7): [True: 0, False: 0]
  ------------------
  711|      0|		unsigned int len = strlen(orighostarg) + strlen(cli_opts.username) + 2; /* +2: the '@' and the terminating NUL; the size_t sum is narrowed to unsigned int */
  712|      0|		hostbuf = m_malloc(len);
  713|      0|		m_snprintf(hostbuf, len, "%s@%s", cli_opts.username, orighostarg);
  714|      1|	} else {
  715|      1|		hostbuf = m_strdup(orighostarg); /* private copy: it is cut in place below */
  716|      1|	}
  717|      1|	userhostarg = hostbuf;
  718|       |
  719|       |	/* Split off any last hostname and use that as remotehost/remoteport.
  720|       |	 * That is used for authorized_keys checking etc */
  721|      1|	last_hop = strrchr(userhostarg, ',');
  722|      1|	if (last_hop) {
  ------------------
  |  Branch (722:6): [True: 0, False: 1]
  ------------------
  723|      0|		if (last_hop == userhostarg) { /* the argument starts with ',': there is no prior hop */
  ------------------
  |  Branch (723:7): [True: 0, False: 0]
  ------------------
  724|      0|			dropbear_exit("Bad multi-hop hostnames");
  725|      0|		}
  726|      0|		*last_hop = '\0'; /* cut hostbuf in two at the last ',' */
  727|      0|		last_hop++;
  728|      0|		prior_hops = userhostarg;
  729|      0|		userhostarg = last_hop;
  730|      0|	}
  731|       |
  732|       |	/* Update cli_opts.remotehost and cli_opts.remoteport */
  733|      1|	parse_hostname(userhostarg);
  734|       |
  735|       |	/* Construct any multihop proxy command. Use proxyexec to
  736|       |	 * avoid worrying about shell escaping. */
  737|      1|	if (prior_hops) {
  ------------------
  |  Branch (737:6): [True: 0, False: 1]
  ------------------
  738|      0|		cli_opts.proxyexec = multihop_args(argv0, prior_hops);
  739|       |		/* Any -J argument has been copied to proxyexec */
  740|      0|		if (cli_opts.proxycmd) {
  ------------------
  |  Branch (740:7): [True: 0, False: 0]
  ------------------
  741|      0|			m_free(cli_opts.proxycmd);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  742|      0|		}
  743|       |
  744|       |#ifndef DISABLE_ZLIB
  745|       |		/* This outer stream will be incompressible since it's encrypted. */
  746|       |		opts.compression = 0;
  747|       |#endif
  748|      0|	}
  749|       |
  750|       |	m_free(hostbuf); /* prior_hops and last_hop point into hostbuf; NOTE(review): assumes multihop_args() copied what it keeps - confirm */
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
  751|      1|}
cli-runopts.c:parse_hostname:
  /* Split `orighostarg`, of the form [user@]host[^port] with '/' accepted as a
   * legacy port separator, and store the parts in cli_opts.
   * The split is done on a private copy that is freed before returning.
   * cli_opts.username is set only when an '@' is present, cli_opts.remoteport
   * only when a separator is present, and cli_opts.remotehost unless
   * cli_opts.remotehostfixed is set. An empty host exits with "Bad hostname.".
   * NOTE(review): earlier values of cli_opts.username, remoteport and remotehost
   * are overwritten without being freed here, and this file calls the function
   * from both apply_config_settings() and parse_multihop_hostname(); confirm
   * whether the old strings leak.
   * NOTE(review): the port text is stored as given; no numeric or range check is
   * visible here - presumably done where the port is used, confirm. */
  755|      1|static void parse_hostname(const char* orighostarg) {
  756|      1|	char *userhostarg = NULL;
  757|      1|	char *port = NULL;
  758|      1|	char* remotehost = NULL;
  759|       |
  760|      1|	userhostarg = m_strdup(orighostarg);
  761|       |
  762|      1|	remotehost = strchr(userhostarg, '@'); /* first '@': everything before it is the user name */
  763|      1|	if (remotehost == NULL) {
  ------------------
  |  Branch (763:6): [True: 1, False: 0]
  ------------------
  764|       |		/* no username portion, the cli-auth.c code can figure the
  765|       |		 * local user's name */
  766|      1|		remotehost = userhostarg;
  767|      1|	} else {
  768|      0|		remotehost[0] = '\0'; /* Split the user/host */
  769|      0|		remotehost++;
  770|      0|		cli_opts.username = m_strdup(userhostarg);
  771|      0|	}
  772|       |
  773|      1|	port = strchr(remotehost, '^');
  774|      1|	if (!port)  {
  ------------------
  |  Branch (774:6): [True: 1, False: 0]
  ------------------
  775|       |		/* legacy separator */
  776|      1|		port = strchr(remotehost, '/');
  777|      1|	}
  778|      1|	if (port) {
  ------------------
  |  Branch (778:6): [True: 0, False: 1]
  ------------------
  779|      0|		*port = '\0'; /* end the host part at the separator */
  780|      0|		cli_opts.remoteport = m_strdup(port+1);
  781|      0|	}
  782|       |
  783|      1|	if (remotehost[0] == '\0') { /* nothing left between the user part and the port part */
  ------------------
  |  Branch (783:6): [True: 0, False: 1]
  ------------------
  784|      0|		dropbear_exit("Bad hostname.");
  785|      0|	}
  786|       |
  787|      1|	if (!cli_opts.remotehostfixed) {
  ------------------
  |  Branch (787:6): [True: 1, False: 0]
  ------------------
  788|      1|		cli_opts.remotehost = m_strdup(remotehost);
  789|      1|	}
  790|       |	m_free(userhostarg);
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
  791|      1|}
cli-runopts.c:fill_own_user:
  /* Set cli_opts.own_user to a copy of the login name for the real uid, or to
   * "unknown" (with an info-level log line) when no passwd entry or name is
   * found. In this build getpwuid() is redirected to fuzz_getpwuid(), as the
   * macro expansion under line 836 shows. */
  830|      1|static void fill_own_user() {
  831|      1|	uid_t uid;
  832|      1|	struct passwd *pw = NULL;
  833|       |
  834|      1|	uid = getuid();
  835|       |
  836|      1|	pw = getpwuid(uid);
  ------------------
  |  |  109|      1|#define getpwuid(x) fuzz_getpwuid(x)
  ------------------
  837|      1|	if (pw && pw->pw_name != NULL) {
  ------------------
  |  Branch (837:6): [True: 1, False: 0]
  |  Branch (837:12): [True: 1, False: 0]
  ------------------
  838|      1|		cli_opts.own_user = m_strdup(pw->pw_name); /* copy the name rather than keeping the pointer from getpwuid() */
  839|      1|	} else {
  840|      0|		dropbear_log(LOG_INFO, "Warning: failed to identify current user. Trying anyway.");
  841|      0|		cli_opts.own_user = m_strdup("unknown");
  842|      0|	}
  843|       |
  844|      1|}
cli-runopts.c:apply_config_settings:
 /* Read per-host settings from DROPBEAR_DEFAULT_SSH_CONFIG into cli_opts.
  * Nothing is read when `cli_host_arg` contains a ',' (a multi-hop target).
  * Any fopen() failure, not only a missing file, takes the "not found" debug
  * path and the function returns without applying settings.
  * NOTE(review): no ownership or permission check on the config file is visible
  * here; confirm whether read_config_file() performs one. */
 1140|      1|static void apply_config_settings(const char* cli_host_arg) {
 1141|      1|	char* is_multi_hop_host_target = strchr(cli_host_arg, ',');
 1142|      1|	if (!is_multi_hop_host_target) {
  ------------------
  |  Branch (1142:6): [True: 1, False: 0]
  ------------------
 1143|      1|		char* config_path = expand_homedir_path(DROPBEAR_DEFAULT_SSH_CONFIG);
  ------------------
  |  |  118|      1|#define DROPBEAR_DEFAULT_SSH_CONFIG "~/.ssh/dropbear_config"
  ------------------
 1144|      1|		FILE* f;
 1145|      1|		if ((f = fopen(config_path, "r")) == NULL) {
  ------------------
  |  Branch (1145:7): [True: 1, False: 0]
  ------------------
 1146|      1|			DEBUG1(("Configuration file '%.200s' not found.", config_path));
 1147|      1|		}
 1148|      0|		else { /* count 0: the config-parsing path is not executed in this coverage run */
 1149|      0|			parse_hostname(cli_host_arg); /* Needed as key into the config. */
 1150|      0|			read_config_file(config_path, f, &cli_opts);
 1151|      0|			fclose(f);
 1152|      0|		}
 1153|       |		m_free(config_path);
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
 1154|      1|	}
 1155|      1|}

cli_session:
  /* Run a client session on the descriptors `sock_in` and `sock_out`.
   * Initialises the common and client-specific session state, sends the
   * identification string and the first KEXINIT, then hands control to
   * session_loop() with cli_sessionloop. `progress` may be NULL; when set, its
   * write queue is attached first. `proxy_cmd_pid` is stored by
   * cli_session_init() for later use by kill_proxy_command(). */
  112|  3.33k|void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) {
  113|       |
  114|  3.33k|	common_session_init(sock_in, sock_out);
  115|       |
  116|  3.33k|	if (progress) {
  ------------------
  |  Branch (116:6): [True: 0, False: 3.33k]
  ------------------
  117|      0|		connect_set_writequeue(progress, &ses.writequeue);
  118|      0|	}
  119|       |
  120|  3.33k|	chaninitialise(cli_chantypes);
  121|  3.33k|	cli_algos_initialise();
  122|       |
  123|       |	/* Set up cli_ses vars */
  124|  3.33k|	cli_session_init(proxy_cmd_pid);
  125|       |
  126|       |	/* Ready to go */
  127|  3.33k|	ses.init_done = 1; /* from here on cli_dropbear_exit() and cli_session_cleanup() treat the session as initialised */
  128|       |
  129|       |	/* Exchange identification */
  130|  3.33k|	send_session_identification();
  131|       |
  132|  3.33k|	kexfirstinitialise(); /* initialise the kex state */
  133|       |
  134|  3.33k|	send_msg_kexinit();
  135|       |
  136|  3.33k|	session_loop(cli_sessionloop);
  137|       |
  138|       |	/* Not reached */
  139|       |
  140|  3.33k|}
kill_proxy_command:
  /* Send SIGHUP to the proxy command recorded in cli_ses.proxy_cmd_pid, if any.
   * In this build kill() is redirected to fuzz_kill(), as the macro expansion
   * under line 345 shows. */
  338|  3.33k|void kill_proxy_command(void) {
  339|       |	/*
  340|       |	 * Send SIGHUP to proxy command if used. We don't wait() in
  341|       |	 * case it hangs and instead rely on init to reap the child
  342|       |	 */
  343|  3.33k|	if (cli_ses.proxy_cmd_pid > 1) { /* never signal pid 1, and never pass kill() a 0 or negative pid, which address process groups or all processes */
  ------------------
  |  Branch (343:6): [True: 0, False: 3.33k]
  ------------------
  344|      0|		TRACE(("killing proxy command with PID='%d'", cli_ses.proxy_cmd_pid));
  345|      0|		kill(cli_ses.proxy_cmd_pid, SIGHUP);
  ------------------
  |  |   57|      0|#define kill(pid, sig) fuzz_kill(pid, sig)
  ------------------
  346|      0|	}
  347|  3.33k|}
cli_dropbear_exit:
  /* Client exit handler: render the exit message, run session_cleanup(), then
   * log the message and exit(exitcode).
   * `format` and `param` are expanded with vsnprintf() into a 400-byte buffer,
   * so a longer message is truncated. In a DROPBEAR_FUZZ build with fuzz.do_jmp
   * set, the function longjmp()s to fuzz.jmp after cleanup instead of logging
   * and exiting.
   * NOTE(review): `format` is interpreted as a printf format string; callers
   * presumably pass only literals - confirm. */
  433|  3.33k|void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
  434|  3.33k|	char exitmsg[400];
  435|  3.33k|	char fullmsg[550];
  436|       |
  437|       |	/* Note that exit message must be rendered before session cleanup */
  438|       |
  439|       |	/* Render the formatted exit message */
  440|  3.33k|	vsnprintf(exitmsg, sizeof(exitmsg), format, param);
  441|  3.33k|	TRACE(("Exited, cleaning up: %s", exitmsg))
  442|       |
  443|       |	/* Add the prefix depending on session/auth state */
  444|  3.33k|	if (!ses.init_done) {
  ------------------
  |  Branch (444:6): [True: 0, False: 3.33k]
  ------------------
  445|      0|		snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
  446|  3.33k|	} else {
  447|  3.33k|		snprintf(fullmsg, sizeof(fullmsg), 
  448|  3.33k|				"Connection to %s@%s:%s exited: %s", 
  449|  3.33k|				cli_opts.username, cli_opts.remotehost, 
  450|  3.33k|				cli_opts.remoteport, exitmsg); /* NOTE(review): assumes all three cli_opts strings are non-NULL once ses.init_done is set - confirm */
  451|  3.33k|	}
  452|       |
  453|       |	/* Do the cleanup first, since then the terminal will be reset */
  454|  3.33k|	session_cleanup();
  455|       |	
  456|  3.33k|#if DROPBEAR_FUZZ
  457|  3.33k|    if (fuzz.do_jmp) {
  ------------------
  |  Branch (457:9): [True: 3.33k, False: 0]
  ------------------
  458|  3.33k|        longjmp(fuzz.jmp, 1); /* return to the fuzz harness instead of ending the process */
  459|  3.33k|    }
  460|      0|#endif
  461|       |
  462|       |	/* Avoid printing onwards from terminal cruft */
  463|      0|	fprintf(stderr, "\n");
  ------------------
  |  |  100|      0|#define stderr (fuzz.fake_stderr)
  ------------------
  464|       |
  465|      0|	dropbear_log(LOG_INFO, "%s", fullmsg);
  466|       |
  467|      0|	exit(exitcode);
  468|  3.33k|}
cli_dropbear_log:
  /* Client log handler: expand `format` and `param` into a 1024-byte buffer (a
   * longer message is truncated), send it to syslog when opts.usingsyslog is
   * set and syslog support is compiled in, and always print
   * "<name>: <message>" to stderr. <name> is cli_opts.progname, or "dbclient"
   * when that is NULL. In this build stderr is redirected to fuzz.fake_stderr,
   * as the macro expansions below show. */
  470|     76|void cli_dropbear_log(int priority, const char* format, va_list param) {
  471|       |
  472|     76|	char printbuf[1024];
  473|     76|	const char *name;
  474|       |
  475|     76|	name = cli_opts.progname;
  476|     76|	if (!name) {
  ------------------
  |  Branch (476:6): [True: 0, False: 76]
  ------------------
  477|      0|		name = "dbclient";
  478|      0|	}
  479|       |
  480|     76|	vsnprintf(printbuf, sizeof(printbuf), format, param);
  481|       |
  482|     76|#ifndef DISABLE_SYSLOG
  483|     76|	if (opts.usingsyslog) {
  ------------------
  |  Branch (483:6): [True: 0, False: 76]
  ------------------
  484|      0|		syslog(priority, "%s", printbuf); /* fixed "%s" format: the rendered text is not interpreted as a format string again */
  485|      0|	}
  486|     76|#endif
  487|       |
  488|     76|	fprintf(stderr, "%s: %s\n", name, printbuf);
  ------------------
  |  |  100|     76|#define stderr (fuzz.fake_stderr)
  ------------------
  489|     76|	fflush(stderr);
  ------------------
  |  |  100|     76|#define stderr (fuzz.fake_stderr)
  ------------------
  490|     76|}
cli-session.c:cli_session_init:
  /* Reset the client session state in cli_ses and install the client callbacks
   * in ses (remoteclosed, extra_session_cleanup, packettypes and, when
   * DROPBEAR_KEX_FIRST_FOLLOWS is set, send_kex_first_guess).
   * Also saves duplicates of stdin/stdout/stderr and their F_GETFL flags so that
   * cli_session_cleanup() can restore them. `proxy_cmd_pid` is stored for
   * kill_proxy_command().
   * NOTE(review): the dup() and fcntl() results are stored unchecked; a -1 would
   * later be passed to fcntl() and m_close() in cli_session_cleanup() - confirm
   * that this is harmless. */
  148|  3.33k|static void cli_session_init(pid_t proxy_cmd_pid) {
  149|       |
  150|  3.33k|	cli_ses.state = STATE_NOTHING;
  151|  3.33k|	cli_ses.kex_state = KEX_NOTHING;
  152|       |
  153|  3.33k|	cli_ses.tty_raw_mode = 0;
  154|  3.33k|	cli_ses.winchange = 0;
  155|       |
  156|       |	/* We store std{in,out,err}'s flags, so we can set them back on exit
  157|       |	 * (otherwise busybox's ash isn't happy) */
  158|  3.33k|	cli_ses.stdincopy = dup(STDIN_FILENO);
  159|  3.33k|	cli_ses.stdinflags = fcntl(STDIN_FILENO, F_GETFL, 0);
  160|  3.33k|	cli_ses.stdoutcopy = dup(STDOUT_FILENO);
  161|  3.33k|	cli_ses.stdoutflags = fcntl(STDOUT_FILENO, F_GETFL, 0);
  162|  3.33k|	cli_ses.stderrcopy = dup(STDERR_FILENO);
  163|  3.33k|	cli_ses.stderrflags = fcntl(STDERR_FILENO, F_GETFL, 0);
  164|       |
  165|  3.33k|	cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a
  166|       |									  specific exit status */
  167|  3.33k|	cli_ses.proxy_cmd_pid = proxy_cmd_pid;
  168|  3.33k|	TRACE(("proxy command PID='%d'", proxy_cmd_pid));
  169|       |
  170|       |	/* Auth */
  171|  3.33k|	cli_ses.lastprivkey = NULL;
  172|  3.33k|	cli_ses.lastauthtype = 0;
  173|  3.33k|	cli_ses.is_trivial_auth = 1; /* starts set; presumably cleared once a non-trivial auth step happens - confirm in the auth code */
  174|       |
  175|       |	/* For printing "remote host closed" for the user */
  176|  3.33k|	ses.remoteclosed = cli_remoteclosed;
  177|       |
  178|  3.33k|	ses.extra_session_cleanup = cli_session_cleanup;
  179|       |
  180|       |	/* packet handlers */
  181|  3.33k|	ses.packettypes = cli_packettypes;
  182|       |
  183|  3.33k|	ses.isserver = 0;
  184|       |
  185|  3.33k|#if DROPBEAR_KEX_FIRST_FOLLOWS
  186|  3.33k|	ses.send_kex_first_guess = cli_send_kex_first_guess;
  187|  3.33k|#endif
  188|       |
  189|  3.33k|}
cli-session.c:cli_remoteclosed:
  /* Installed as ses.remoteclosed by cli_session_init(): close both session
   * descriptors, mark them as -1 and leave through dropbear_exit(). */
  386|    824|static void cli_remoteclosed() {
  387|       |
  388|       |	/* XXX TODO perhaps print a friendlier message if we get this but have
  389|       |	 * already sent/received disconnect message(s) ??? */
  390|    824|	m_close(ses.sock_in);
  391|    824|	m_close(ses.sock_out);
  392|    824|	ses.sock_in = -1; /* marked as closed before dropbear_exit() is called */
  393|    824|	ses.sock_out = -1;
  394|    824|	dropbear_exit("Remote closed the connection");
  395|    824|}
cli-session.c:cli_session_cleanup:
  /* Installed as ses.extra_session_cleanup by cli_session_init(). Does nothing
   * unless ses.init_done is set; otherwise signals the proxy command, restores
   * the saved std{in,out,err} flags, closes the saved descriptor copies, runs
   * cli_tty_cleanup() and frees cli_ses.server_sig_algs when it is set. */
  349|  3.33k|static void cli_session_cleanup(void) {
  350|       |
  351|  3.33k|	if (!ses.init_done) {
  ------------------
  |  Branch (351:6): [True: 0, False: 3.33k]
  ------------------
  352|      0|		return;
  353|      0|	}
  354|       |
  355|  3.33k|	kill_proxy_command();
  356|       |
  357|       |	/* Put back the std{in,out,err} flags saved in cli_session_init() - busybox ash dies nastily if
  358|       |	 * we don't revert the flags */
  359|       |	/* Ignore return value since there's nothing we can do */
  360|  3.33k|	(void)fcntl(cli_ses.stdincopy, F_SETFL, cli_ses.stdinflags);
  361|  3.33k|	(void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
  362|  3.33k|	(void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);
  363|       |
  364|       |	/* Don't leak */
  365|  3.33k|	m_close(cli_ses.stdincopy);
  366|  3.33k|	m_close(cli_ses.stdoutcopy);
  367|  3.33k|	m_close(cli_ses.stderrcopy);
  368|       |
  369|  3.33k|	cli_tty_cleanup();
  370|  3.33k|	if (cli_ses.server_sig_algs) {
  ------------------
  |  Branch (370:6): [True: 0, False: 3.33k]
  ------------------
  371|      0|		buf_free(cli_ses.server_sig_algs); /* NOTE(review): the pointer is not cleared afterwards; assumes this cleanup runs once per session - confirm */
  372|      0|	}
  373|  3.33k|}
cli-session.c:cli_send_kex_first_guess:
/* Hook stored in ses.send_kex_first_guess when DROPBEAR_KEX_FIRST_FOLLOWS is
 * enabled. The client's guess is simply its KEXDH_INIT message. */
static void cli_send_kex_first_guess() {
	send_msg_kexdh_init();
}
cli-session.c:cli_sessionloop:
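/* Advance the client state machine by one step.
 *
 * Returns early when no packet has been handled yet, when a KEXINIT has
 * just arrived (KEXDH_INIT is sent unless
 * ses.kexstate.our_first_follows_matches is set) and while a key exchange
 * is still in progress. Once the first key exchange is done, the switch on
 * cli_ses.state walks through: service request, waiting for the auth
 * reply, retrying auth, session start-up, and the running session.
 *
 * Exits through dropbear_exit() when no auth method can be used or when
 * backgrounding fails. */
static void cli_sessionloop() {

	TRACE2(("enter cli_sessionloop"))

	if (ses.lastpacket == 0) {
		TRACE2(("exit cli_sessionloop: no real packets yet"))
		return;
	}

	if (ses.lastpacket == SSH_MSG_KEXINIT && cli_ses.kex_state == KEX_NOTHING) {
		/* We initiate the KEXDH. If DH wasn't the correct type, the KEXINIT
		 * negotiation would have failed. */
		if (!ses.kexstate.our_first_follows_matches) {
			send_msg_kexdh_init();
		}
		cli_ses.kex_state = KEXDH_INIT_SENT;
		TRACE(("leave cli_sessionloop: done with KEXINIT_RCVD"))
		return;
	}

	/* A KEX has finished, so we should go back to our KEX_NOTHING state */
	if (cli_ses.kex_state != KEX_NOTHING && ses.kexstate.sentnewkeys) {
		cli_ses.kex_state = KEX_NOTHING;
	}

	/* We shouldn't do anything else if a KEX is in progress */
	if (cli_ses.kex_state != KEX_NOTHING) {
		TRACE(("leave cli_sessionloop: kex_state != KEX_NOTHING"))
		return;
	}

	if (ses.kexstate.donefirstkex == 0) {
		/* We might reach here if we have partial packet reads or have
		 * received SSH_MSG_IGNORE etc. Just skip it */
		TRACE2(("donefirstkex false\n"))
		return;
	}

	switch (cli_ses.state) {

		case STATE_NOTHING:
			/* We've got the transport layer sorted, we now need to request
			 * userauth */
			send_msg_service_request(SSH_SERVICE_USERAUTH);
			/* We aren't using any "implicit server authentication" methods,
			so don't need to wait for a response for SSH_SERVICE_USERAUTH
			before sending the auth messages (rfc4253 10) */
			cli_auth_getmethods();
			cli_ses.state = USERAUTH_REQ_SENT;
			TRACE(("leave cli_sessionloop: sent userauth methods req"))
			return;

		case USERAUTH_REQ_SENT:
			TRACE(("leave cli_sessionloop: waiting, req_sent"))
			return;

		case USERAUTH_FAIL_RCVD:
			if (cli_auth_try() == DROPBEAR_FAILURE) {
				dropbear_exit("No auth methods could be used.");
			}
			cli_ses.state = USERAUTH_REQ_SENT;
			TRACE(("leave cli_sessionloop: cli_auth_try"))
			return;

		case USERAUTH_SUCCESS_RCVD:
#ifndef DISABLE_SYSLOG
			if (opts.usingsyslog) {
				dropbear_log(LOG_INFO, "Authentication succeeded.");
			}
#endif

			if (cli_opts.backgrounded) {
				int devnull;
				/* keeping stdin open steals input from the terminal and
				   is confusing, though stdout/stderr could be useful. */
				devnull = open(DROPBEAR_PATH_DEVNULL, O_RDONLY);
				if (devnull < 0) {
					dropbear_exit("Opening /dev/null: %d %s",
							errno, strerror(errno));
				}
				/* A failed dup2() would leave the terminal attached as
				 * stdin, which is exactly what backgrounding must avoid,
				 * so treat it like the open() failure above. */
				if (dup2(devnull, STDIN_FILENO) < 0) {
					dropbear_exit("Redirecting stdin: %d %s",
							errno, strerror(errno));
				}
				/* Only the copy on STDIN_FILENO is needed. Drop the extra
				 * descriptor, unless open() returned stdin's own slot, so it
				 * does not stay open in the backgrounded process. */
				if (devnull != STDIN_FILENO) {
					m_close(devnull);
				}
				if (daemon(0, 1) < 0) {
					dropbear_exit("Backgrounding failed: %d %s",
							errno, strerror(errno));
				}
			}

#if DROPBEAR_CLI_NETCAT
			if (cli_opts.netcat_host) {
				cli_send_netcat_request();
			} else
#endif
			if (!cli_opts.no_cmd) {
				cli_send_chansess_request();
			}

#if DROPBEAR_CLI_LOCALTCPFWD
			setup_localtcp();
#endif
#if DROPBEAR_CLI_REMOTETCPFWD
			setup_remotetcp();
#endif

			TRACE(("leave cli_sessionloop: running"))
			cli_ses.state = SESSION_RUNNING;
			return;

		case SESSION_RUNNING:
			/* With no channels left and a command expected, the client
			 * is done */
			if (ses.chancount < 1 && !cli_opts.no_cmd) {
				cli_finished();
			}

			if (cli_ses.winchange) {
				cli_chansess_winchange();
			}
			return;

		/* XXX more here needed */

		default:
			break;
	}

	TRACE2(("leave cli_sessionloop: fell out"))

}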
cli-session.c:send_msg_service_request:
/* Build an SSH_MSG_SERVICE_REQUEST for servicename in ses.writepayload and
 * pass it to encrypt_packet().
 *
 * servicename must be a NUL-terminated string; its length is taken with
 * strlen(). */
static void send_msg_service_request(const char* servicename) {

	size_t namelen;

	TRACE(("enter send_msg_service_request: servicename='%s'", servicename))

	/* presumably checks that the write payload is free for a new packet;
	 * confirm against the macro definition */
	CHECKCLEARTOWRITE();

	namelen = strlen(servicename);
	buf_putbyte(ses.writepayload, SSH_MSG_SERVICE_REQUEST);
	buf_putstring(ses.writepayload, servicename, namelen);

	encrypt_packet();
	TRACE(("leave send_msg_service_request"))
}
cli-session.c:cli_algos_initialise:
/* Walk the sshkex table, which ends at the entry with a NULL name, and
 * clear the usable flag on every entry named SSH_STRICT_KEX_S. Unusable
 * entries are left out of the list that buf_put_algolist() writes, so the
 * client never advertises the server-side strict-kex marker. */
static void cli_algos_initialise(void) {
	algo_type *entry = sshkex;

	while (entry->name) {
		if (strcmp(entry->name, SSH_STRICT_KEX_S) == 0) {
			entry->usable = 0;
		}
		entry++;
	}
}

buf_put_algolist_all:
/* Write localalgos to buf as a length-prefixed, comma-separated name-list.
 *
 * buf        - destination buffer, written at its current position
 * localalgos - table ending at the entry whose name is NULL
 * useall     - non-zero to include entries whose usable flag is clear
 *
 * The 4-byte length is written as 0 first and patched once the names are
 * in place. The write position ends up just past the list. */
void buf_put_algolist_all(buffer * buf, const algo_type localalgos[], int useall) {
	const algo_type *entry;
	unsigned int listlen;
	unsigned int wrote_any = 0;
	const unsigned int lenpos = buf->pos;

	/* Reserve the length field */
	buf_putint(buf, 0);

	for (entry = localalgos; entry->name != NULL; entry++) {
		if (!entry->usable && !useall) {
			continue;
		}
		/* A separator goes before every name except the first */
		if (wrote_any) {
			buf_putbyte(buf, ',');
		}
		wrote_any = 1;
		buf_putbytes(buf, (const unsigned char *) entry->name,
				strlen(entry->name));
	}

	/* Go back and fill in the real length, leaving out the length field
	 * itself */
	listlen = buf->pos - lenpos - 4;
	buf_setpos(buf, lenpos);
	buf_putint(buf, listlen);
	TRACE(("algolist add %d '%.*s'", listlen, listlen, buf_getptr(buf, listlen)))
	buf_incrwritepos(buf, listlen);
}
buf_put_algolist:
/* Write only the usable entries of localalgos to buf as a name-list. This
 * is buf_put_algolist_all() with useall set to 0. */
void buf_put_algolist(buffer * buf, const algo_type localalgos[]) {
	const int useall = 0;

	buf_put_algolist_all(buf, localalgos, useall);
}
buf_has_algo:
/* Check whether the name-list at buf's current position contains algo.
 *
 * buf's position is restored before returning, so the same list can be
 * parsed again by the caller.
 *
 * Returns DROPBEAR_SUCCESS (0) when algo is present and DROPBEAR_FAILURE
 * (-1) otherwise. Callers must compare against those constants, because
 * both "found" and "not found" are wrong if the result is used as a
 * plain truth value. */
int buf_has_algo(buffer *buf, const char *algo) {
	const char *names[MAX_PROPOSED_ALGO];
	unsigned int namecount = MAX_PROPOSED_ALGO;
	unsigned int listlen, n;
	const unsigned int saved_pos = buf->pos;
	unsigned char* list = NULL;
	int found = DROPBEAR_FAILURE;

	list = buf_getstring(buf, &listlen);
	/* Splits the list in place. namecount comes back as 0 when the list
	 * was rejected. */
	get_algolist(list, listlen, names, &namecount);

	n = 0;
	while (n < namecount && found != DROPBEAR_SUCCESS) {
		if (strcmp(names[n], algo) == 0) {
			found = DROPBEAR_SUCCESS;
		}
		n++;
	}

	if (list != NULL) {
		m_free(list);
	}
	buf_setpos(buf, saved_pos);
	return found;
}
first_usable_algo:
/* Return the first entry of algos whose usable flag is set. The table ends
 * at the entry with a NULL name. Returns NULL when no entry is usable, so
 * callers must check the result before dereferencing it. */
algo_type * first_usable_algo(algo_type algos[]) {
	algo_type *entry;

	for (entry = algos; entry->name != NULL; entry++) {
		if (entry->usable) {
			return entry;
		}
	}
	return NULL;
}
buf_match_algo:
		int kexguess2, int *goodguess) {
	/* Read the peer's name-list from buf and pick the algorithm to use.
	 *
	 * The client's list sets the preference order: the first client name
	 * that also appears in the server's list wins. Which list is "client"
	 * and which is "server" depends on IS_DROPBEAR_SERVER. The result
	 * always points into localalgos, or is NULL when nothing matches.
	 *
	 * If goodguess is non-NULL it is set to 0, then to 1 when the match is
	 * the client's first entry and either kexguess2 is set or it is also
	 * the server's first entry.
	 *
	 * NOTE(review): localnames has MAX_PROPOSED_ALGO slots and the fill
	 * loop is bounded only by the NULL name that ends the table. This
	 * assumes every local table has at most MAX_PROPOSED_ALGO entries;
	 * confirm. */
	const char *remotenames[MAX_PROPOSED_ALGO], *localnames[MAX_PROPOSED_ALGO];
	const char **clinames, **servnames;
	unsigned int remotecount, localcount, clicount, servcount;
	unsigned int len, c, s;
	char * algolist = NULL;
	algo_type * match = NULL;

	if (goodguess != NULL) {
		*goodguess = 0;
	}

	/* get the comma-separated list from the buffer ie "algo1,algo2,algo3" */
	algolist = buf_getstring(buf, &len);
	DEBUG3(("buf_match_algo: %s", algolist))
	remotecount = MAX_PROPOSED_ALGO;
	get_algolist(algolist, len, remotenames, &remotecount);

	/* Mirror the local table as names. Unusable entries become NULL, which
	 * keeps the indexes lined up with localalgos. */
	for (localcount = 0; localalgos[localcount].name != NULL; localcount++) {
		localnames[localcount] = localalgos[localcount].usable
			? localalgos[localcount].name : NULL;
	}

	if (IS_DROPBEAR_SERVER) {
		clinames = remotenames;
		clicount = remotecount;
		servnames = localnames;
		servcount = localcount;
	} else {
		clinames = localnames;
		clicount = localcount;
		servnames = remotenames;
		servcount = remotecount;
	}

	/* iterate and stop at the first match */
	for (c = 0; c < clicount && match == NULL; c++) {
		for (s = 0; s < servcount; s++) {
			if (servnames[s] == NULL || clinames[c] == NULL) {
				/* unusable algos are NULL */
				continue;
			}
			if (strcmp(servnames[s], clinames[c]) != 0) {
				continue;
			}
			/* record whether the guess was good */
			if (goodguess != NULL && c == 0 && (kexguess2 || s == 0)) {
				*goodguess = 1;
			}
			/* the local table is indexed by whichever side we are */
			if (IS_DROPBEAR_SERVER) {
				match = &localalgos[s];
			} else {
				match = &localalgos[c];
			}
			break;
		}
	}

	m_free(algolist);
	return match;
}
common-algo.c:void_cipher:
		unsigned long len, void* UNUSED(cipher_state)) {
	/* Pass-through transform: when in and out are different buffers, copy
	 * len bytes from in to out. It is a no-op when they are the same.
	 * cipher_state is unused and the result is always CRYPT_OK. */
	if (in == out) {
		return CRYPT_OK;
	}
	/* memmove rather than memcpy, so overlapping buffers are handled */
	memmove(out, in, len);
	return CRYPT_OK;
}
common-algo.c:get_algolist:
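				const char* *ret_list, unsigned int *ret_count) {
	/* Split the comma-separated name-list in algolist (algolist_len bytes)
	 * in place. Every ',' is overwritten with '\0' and ret_list receives a
	 * pointer to the start of each name.
	 *
	 * On entry *ret_count is the capacity of ret_list. On return it is the
	 * number of entries filled in, or 0 when the list was rejected because
	 * it was too long or had an embedded NUL. More names than the capacity
	 * allows ends in dropbear_exit().
	 *
	 * NOTE(review): the last name is terminated only if the caller's buffer
	 * has a '\0' at algolist[algolist_len]. Presumably buf_getstring()
	 * guarantees that; confirm. */
	unsigned int max_count = *ret_count;
	unsigned int i;

	if (*ret_count == 0) {
		return;
	}
	if (algolist_len > MAX_PROPOSED_ALGO*(MAX_NAME_LEN+1)) {
		/* Reject over-long lists outright. Without this return the count
		 * was set back to 1 just below, so the limit was never enforced
		 * on peer-supplied input. */
		*ret_count = 0;
		return;
	}

	/* ret_list will contain a list of the strings parsed out.
	   We will have at least one string (even if it's just "") */
	ret_list[0] = algolist;
	*ret_count = 1;
	for (i = 0; i < algolist_len; i++) {
		if (algolist[i] == '\0') {
			/* someone is trying something strange */
			*ret_count = 0;
			return;
		}

		if (algolist[i] == ',') {
			if (*ret_count >= max_count) {
				dropbear_exit("Too many remote algorithms");
				/* kept in case dropbear_exit() ever returns */
				*ret_count = 0;
				return;
			}
			algolist[i] = '\0';
			ret_list[*ret_count] = &algolist[i+1];
			(*ret_count)++;
		}
	}
}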

chaninitialise:
/* Set up the session's channel table with a single empty slot, record the
 * supported channel types and, when DROPBEAR_LISTENERS is enabled,
 * initialise the listeners. */
void chaninitialise(const struct ChanType *chantypes[]) {

	/* start with room for one channel */
	ses.channels = m_malloc(sizeof(*ses.channels));
	ses.chansize = 1;
	ses.channels[0] = NULL;
	ses.chancount = 0;

	ses.chantypes = chantypes;

#if DROPBEAR_LISTENERS
	listeners_initialise();
#endif

}
chancleanup:
/* Remove every channel still present in the table, then free the table.
 * m_free() also resets ses.channels to NULL. */
void chancleanup() {

	unsigned int slot;

	TRACE(("enter chancleanup"))
	for (slot = 0; slot < ses.chansize; slot++) {
		if (ses.channels[slot] == NULL) {
			continue;
		}
		TRACE(("channel %d closing", slot))
		remove_channel(ses.channels[slot]);
	}
	m_free(ses.channels);
	TRACE(("leave chancleanup"))
}
channelio:
/* Service every in-use channel whose descriptors are set in readfds or
 * writefds, then let the listeners handle readfds when DROPBEAR_LISTENERS
 * is enabled. A channel is passed to check_close() only if it had I/O in
 * this call or a channel signal is pending. */
void channelio(const fd_set *readfds, const fd_set *writefds) {

	unsigned int idx;

	for (idx = 0; idx < ses.chansize; idx++) {
		struct Channel *chan = ses.channels[idx];
		/* close checking is only needed for channels that had IO events */
		int need_close_check = 0;

		if (!chan) {
			/* empty slot */
			continue;
		}

		/* local readfd -> wire */
		if (chan->readfd >= 0 && FD_ISSET(chan->readfd, readfds)) {
			TRACE(("send normal readfd"))
			send_msg_channel_data(chan, 0);
			need_close_check = 1;
		}

		/* local stderr -> wire, when errfd is used for reading */
		if (ERRFD_IS_READ(chan) && chan->errfd >= 0
			&& FD_ISSET(chan->errfd, readfds)) {
			TRACE(("send normal errfd"))
			send_msg_channel_data(chan, 1);
			need_close_check = 1;
		}

		/* buffered data -> program/pipe stdin */
		if (chan->writefd >= 0 && FD_ISSET(chan->writefd, writefds)) {
			writechannel(chan, chan->writefd, chan->writebuf, NULL, NULL);
			need_close_check = 1;
		}

		/* client mode: buffered extended data -> stderr */
		if (ERRFD_IS_WRITE(chan)
				&& chan->errfd >= 0 && FD_ISSET(chan->errfd, writefds)) {
			writechannel(chan, chan->errfd, chan->extrabuf, NULL, NULL);
			need_close_check = 1;
		}

		if (ses.channel_signal_pending) {
			/* SIGCHLD can change channel state for server sessions */
			need_close_check = 1;
		}

		/* handle any channel closing etc */
		if (need_close_check) {
			check_close(chan);
		}
	}

	/* Listeners such as TCP, X11, agent-auth */
#if DROPBEAR_LISTENERS
	handle_listeners(readfds);
#endif
}
setchannelfds:
/* Add the descriptors of every in-use channel to readfds and writefds,
 * then add the listener descriptors when DROPBEAR_LISTENERS is enabled.
 *
 * allow_reads - when zero, channel read descriptors are registered only
 *               for channels that have a read_mangler
 *
 * NOTE(review): descriptors are checked only for >= 0 before FD_SET.
 * FD_SET on a value at or above FD_SETSIZE writes outside the fd_set, so
 * this relies on descriptors being bounded elsewhere; confirm. */
void setchannelfds(fd_set *readfds, fd_set *writefds, int allow_reads) {

	unsigned int idx;

	for (idx = 0; idx < ses.chansize; idx++) {
		struct Channel * chan = ses.channels[idx];

		if (chan == NULL) {
			continue;
		}

		/* Data to put over the wire. Nothing is queued during a key
		 * re-exchange (!dataallowed), but the FD is still read when a
		 * read_mangler is set, since "~." may need to kill an interactive
		 * session. */
		if (chan->transwindow > 0
		   && ((ses.dataallowed && allow_reads) || chan->read_mangler)) {

			if (chan->readfd >= 0) {
				FD_SET(chan->readfd, readfds);
			}

			if (ERRFD_IS_READ(chan) && chan->errfd >= 0) {
				FD_SET(chan->errfd, readfds);
			}
		}

		/* Data from the wire, waiting to be written out locally */
		if (chan->writefd >= 0 && cbuf_getused(chan->writebuf) > 0) {
			FD_SET(chan->writefd, writefds);
		}

		if (ERRFD_IS_WRITE(chan) && chan->errfd >= 0
				&& cbuf_getused(chan->extrabuf) > 0) {
			FD_SET(chan->errfd, writefds);
		}

	}

#if DROPBEAR_LISTENERS
	set_listener_fds(readfds);
#endif

}

send_msg_kexinit:
/* Build and send our SSH_MSG_KEXINIT.
 *
 * The payload is a 16-byte random cookie, the algorithm name-lists (kex,
 * host key, ciphers and MACs for each direction, compression for each
 * direction), two empty language lists, the first_kex_packet_follows flag
 * and a reserved zero integer. A copy of the payload is kept in
 * ses.transkexinit for the exchange hash. ses.dataallowed is cleared so
 * that no other packets are sent during the exchange.
 *
 * If ses.send_kex_first_guess is set, the guessed algorithms are stored in
 * ses.newkeys and the hook is called to send the guess. */
void send_msg_kexinit() {

	unsigned int dir;

	CHECKCLEARTOWRITE();
	buf_putbyte(ses.writepayload, SSH_MSG_KEXINIT);

	/* cookie */
	genrandom(buf_getwriteptr(ses.writepayload, 16), 16);
	buf_incrwritepos(ses.writepayload, 16);

	/* kex algos */
	buf_put_algolist(ses.writepayload, sshkex);

	/* server_host_key_algorithms */
	buf_put_algolist(ses.writepayload, sigalgs);

	/* encryption_algorithms: client_to_server, then server_to_client */
	for (dir = 0; dir < 2; dir++) {
		buf_put_algolist(ses.writepayload, sshciphers);
	}

	/* mac_algorithms: client_to_server, then server_to_client */
	for (dir = 0; dir < 2; dir++) {
		buf_put_algolist(ses.writepayload, sshhashes);
	}

	/* compression_algorithms_client_to_server */
	buf_put_algolist(ses.writepayload, ses.compress_algos_c2s);

	/* compression_algorithms_server_to_client */
	buf_put_algolist(ses.writepayload, ses.compress_algos_s2c);

	/* languages: client_to_server, then server_to_client (both empty) */
	for (dir = 0; dir < 2; dir++) {
		buf_putstring(ses.writepayload, "", 0);
	}

	/* first_kex_packet_follows */
	buf_putbyte(ses.writepayload, (ses.send_kex_first_guess != NULL));

	/* reserved uint32 */
	buf_putint(ses.writepayload, 0);

	/* Keep a copy of the transmitted kex packet for hashing.
	 * This is freed after the end of the kex */
	ses.transkexinit = buf_newcopy(ses.writepayload);

	encrypt_packet();
	ses.dataallowed = 0; /* don't send other packets during kex */

	ses.kexstate.sentkexinit = 1;

	ses.newkeys = m_malloc(sizeof(*ses.newkeys));

	if (ses.send_kex_first_guess != NULL) {
		/* NOTE(review): first_usable_algo() returns NULL when a table has
		 * no usable entry, and the results are dereferenced unchecked
		 * here. This presumably relies on sshkex and sigalgs always
		 * keeping at least one usable entry; confirm. */
		ses.newkeys->algo_kex = first_usable_algo(sshkex)->data;
		ses.newkeys->algo_signature = first_usable_algo(sigalgs)->val;
		ses.newkeys->algo_hostkey = signkey_type_from_signature(ses.newkeys->algo_signature);
		ses.send_kex_first_guess();
	}

	TRACE(("DATAALLOWED=0"))
	TRACE(("-> KEXINIT"))

}
kexfirstinitialise:
/* Key exchange setup: runs kex_setup_compress() and then kexinitialise(),
 * in that order. */
void kexfirstinitialise() {
	kex_setup_compress();
	kexinitialise();
}
recv_msg_kexinit:
  492|  2.69k|void recv_msg_kexinit() {
              	/* Handle the peer's SSH_MSG_KEXINIT.
              	 *
              	 * Sends our own KEXINIT first if it has not gone out yet, rejects a
              	 * second KEXINIT from the peer, negotiates algorithms through
              	 * read_kex_algos(), and starts ses.kexhashbuf with V_C, V_S, I_C, I_S
              	 * (same order for client and server; only the source of each value
              	 * differs). Protocol violations end the session via dropbear_exit(). */
  493|       |	
  494|  2.69k|	unsigned int kexhashbuf_len = 0;
  495|  2.69k|	unsigned int remote_ident_len = 0;
  496|  2.69k|	unsigned int local_ident_len = 0;
  497|       |
  498|  2.69k|	TRACE(("<- KEXINIT"))
  499|  2.69k|	TRACE(("enter recv_msg_kexinit"))
  500|       |	
  501|  2.69k|	if (!ses.kexstate.sentkexinit) {
  ------------------
  |  Branch (501:6): [True: 0, False: 2.69k]
  ------------------
  502|       |		/* we need to send a kex packet */
  503|      0|		send_msg_kexinit();
  504|      0|		TRACE(("continue recv_msg_kexinit: sent kexinit"))
  505|      0|	}
  506|       |
  507|       |	/* "Once a party has sent a SSH_MSG_KEXINIT message ...
  508|       |	further SSH_MSG_KEXINIT messages MUST NOT be sent" */
  509|  2.69k|	if (ses.kexstate.recvkexinit) {
  ------------------
  |  Branch (509:6): [True: 0, False: 2.69k]
  ------------------
  510|      0|		dropbear_exit("Unexpected KEXINIT");
  511|      0|	}
  512|       |
  513|       |	/* start the kex hash */
  514|  2.69k|	local_ident_len = strlen(LOCAL_IDENT);
  ------------------
  |  |   14|  2.69k|#define LOCAL_IDENT "SSH-2.0-dropbear" IDENT_VERSION_PART
  |  |  ------------------
  |  |  |  |   12|  2.69k|#define IDENT_VERSION_PART "_" DROPBEAR_VERSION
  |  |  |  |  ------------------
  |  |  |  |  |  |    7|  2.69k|#define DROPBEAR_VERSION "2026.91"
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
              	/* assumes the remote ident has already been read and is non-NULL
              	 * by the time a KEXINIT is dispatched - TODO confirm against caller */
  515|  2.69k|	remote_ident_len = strlen(ses.remoteident);
  516|       |
              	/* Size the hash input buffer: both ident strings, both KEXINIT
              	 * payloads, plus fixed headroom (KEXHASHBUF_MAX_INTS) for the values
              	 * appended after the DH exchange. The remote ident and ses.payload
              	 * lengths are peer-controlled and the sum is computed in unsigned
              	 * int. NOTE(review): presumably both are bounded earlier, during
              	 * ident and packet parsing - confirm. */
  517|  2.69k|	kexhashbuf_len = local_ident_len + remote_ident_len
  518|  2.69k|		+ ses.transkexinit->len + ses.payload->len
  519|  2.69k|		+ KEXHASHBUF_MAX_INTS;
  ------------------
  |  |  290|  2.69k|#define KEXHASHBUF_MAX_INTS (MAX_PUBKEY_SIZE + MAX_KEX_PARTS)
  |  |  ------------------
  |  |  |  |  261|  2.69k|#define MAX_PUBKEY_SIZE 600
  |  |  ------------------
  |  |               #define KEXHASHBUF_MAX_INTS (MAX_PUBKEY_SIZE + MAX_KEX_PARTS)
  |  |  ------------------
  |  |  |  |  274|  2.69k|#define MAX_KEX_PARTS (2*4 + 1184 + 1088 + 32*2 + 68)
  |  |  ------------------
  ------------------
  520|       |
  521|  2.69k|	ses.kexhashbuf = buf_new(kexhashbuf_len);
  522|       |
  523|  2.69k|	if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|  2.69k|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 2.69k, False: 0]
  |  |  ------------------
  ------------------
  524|       |
  525|       |		/* read the peer's choice of algos */
  526|  2.69k|		read_kex_algos();
  527|       |
  528|       |		/* V_C, the client's version string (CR and NL excluded) */
  529|  2.69k|		buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
  ------------------
  |  |   14|  2.69k|#define LOCAL_IDENT "SSH-2.0-dropbear" IDENT_VERSION_PART
  |  |  ------------------
  |  |  |  |   12|  2.69k|#define IDENT_VERSION_PART "_" DROPBEAR_VERSION
  |  |  |  |  ------------------
  |  |  |  |  |  |    7|  2.69k|#define DROPBEAR_VERSION "2026.91"
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  530|       |		/* V_S, the server's version string (CR and NL excluded) */
  531|  2.69k|		buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
  532|       |
  533|       |		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
  534|  2.69k|		buf_putstring(ses.kexhashbuf,
  535|  2.69k|			(const char*)ses.transkexinit->data, ses.transkexinit->len);
  536|       |		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
              		/* rewind to payload_beginning so the bytes from there to the end
              		 * of the received payload are hashed, not just what is left
              		 * after read_kex_algos() advanced the read position */
  537|  2.69k|		buf_setpos(ses.payload, ses.payload_beginning);
  538|  2.69k|		buf_putstring(ses.kexhashbuf,
  539|  2.69k|			(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
  540|  2.69k|			ses.payload->len-ses.payload->pos);
              		/* the only message accepted next is the server's KEXDH_REPLY */
  541|  2.69k|		ses.requirenext = SSH_MSG_KEXDH_REPLY;
  ------------------
  |  |   39|  2.69k|#define SSH_MSG_KEXDH_REPLY            31
  ------------------
  542|  2.69k|	} else {
  543|       |		/* SERVER */
              		/* NOTE(review): this whole arm has 0 hits in this coverage run;
              		 * only the client role is exercised here. */
  544|       |
  545|       |		/* read the peer's choice of algos */
  546|      0|		read_kex_algos();
  547|       |		/* V_C, the client's version string (CR and NL excluded) */
  548|      0|		buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len);
  549|       |		/* V_S, the server's version string (CR and NL excluded) */
  550|      0|		buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len);
  ------------------
  |  |   14|      0|#define LOCAL_IDENT "SSH-2.0-dropbear" IDENT_VERSION_PART
  |  |  ------------------
  |  |  |  |   12|      0|#define IDENT_VERSION_PART "_" DROPBEAR_VERSION
  |  |  |  |  ------------------
  |  |  |  |  |  |    7|      0|#define DROPBEAR_VERSION "2026.91"
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  551|       |
  552|       |		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
  553|      0|		buf_setpos(ses.payload, ses.payload_beginning);
  554|      0|		buf_putstring(ses.kexhashbuf, 
  555|      0|			(const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
  556|      0|			ses.payload->len-ses.payload->pos);
  557|       |
  558|       |		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
  559|      0|		buf_putstring(ses.kexhashbuf,
  560|      0|			(const char*)ses.transkexinit->data, ses.transkexinit->len);
  561|       |
  562|      0|		ses.requirenext = SSH_MSG_KEXDH_INIT;
  ------------------
  |  |   38|      0|#define SSH_MSG_KEXDH_INIT             30
  ------------------
  563|      0|	}
  564|       |
              	/* our own KEXINIT copy has been folded into the hash input and is
              	 * no longer needed; NULL the pointer so it cannot be reused */
  565|  2.69k|	buf_free(ses.transkexinit);
  566|  2.69k|	ses.transkexinit = NULL;
  567|       |	/* the rest of ses.kexhashbuf will be done after DH exchange */
  568|       |
  569|  2.69k|	ses.kexstate.recvkexinit = 1;
  570|       |
              	/* Strict KEX: when it was negotiated and this is the initial
              	 * exchange, the peer's KEXINIT must have been the first packet
              	 * received (recvseq == 1); anything received before it aborts the
              	 * session. NOTE(review): strict_kex was never set in this coverage
              	 * run, so the other two conditions and the exit were not exercised. */
  571|  2.69k|	if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
  ------------------
  |  Branch (571:6): [True: 0, False: 2.69k]
  |  Branch (571:33): [True: 0, False: 0]
  |  Branch (571:63): [True: 0, False: 0]
  ------------------
  572|      0|		dropbear_exit("First packet wasn't kexinit");
  573|      0|	}
  574|       |
  575|  2.69k|	TRACE(("leave recv_msg_kexinit"))
  576|  2.69k|}
finish_kexhashbuf:
  579|  1.32k|void finish_kexhashbuf(void) {
              	/* Turn the accumulated hash input (ses.kexhashbuf) into the exchange
              	 * hash ses.hash using the hash of the negotiated kex method, then
              	 * dispose of the input buffer and the hash state. On the first
              	 * exchange the hash is also copied into ses.session_id. */
  580|  1.32k|	hash_state hs;
  581|  1.32k|	const struct ltc_hash_descriptor *hash_desc = ses.newkeys->algo_kex->hash_desc;
  582|       |
  583|  1.32k|	hash_desc->init(&hs);
              	/* hash the whole buffer from offset 0 to its current length */
  584|  1.32k|	buf_setpos(ses.kexhashbuf, 0);
  585|  1.32k|	hash_desc->process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len),
  586|  1.32k|			ses.kexhashbuf->len);
              	/* ses.hash is allocated to exactly the digest size of that hash */
  587|  1.32k|	ses.hash = buf_new(hash_desc->hashsize);
  588|  1.32k|	hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize));
  589|  1.32k|	buf_setlen(ses.hash, hash_desc->hashsize);
  590|       |
              	/* Diagnostic dump of the hash input and result, compiled in only
              	 * when both DEBUG_KEXHASH and DEBUG_TRACE are set.
              	 * NOTE(review): the buffer is burned right below, so it presumably
              	 * holds key-exchange secrets - this dump should stay out of
              	 * production builds. */
  591|       |#if defined(DEBUG_KEXHASH) && DEBUG_TRACE
  592|       |	if (!debug_trace) {
  593|       |		printhex("kexhashbuf", ses.kexhashbuf->data, ses.kexhashbuf->len);
  594|       |		printhex("kexhash", ses.hash->data, ses.hash->len);
  595|       |	}
  596|       |#endif
  597|       |
              	/* presumably buf_burn_free()/m_burn() zeroise before release, so the
              	 * hash input and intermediate state do not linger in memory -
              	 * confirm in the buffer/util helpers */
  598|  1.32k|	buf_burn_free(ses.kexhashbuf);
  599|  1.32k|	m_burn(&hs, sizeof(hash_state));
  600|  1.32k|	ses.kexhashbuf = NULL;
  601|       |	
  602|       |	/* first time around, we set the session_id to H */
  603|  1.32k|	if (ses.session_id == NULL) {
  ------------------
  |  Branch (603:6): [True: 1.32k, False: 0]
  ------------------
  604|       |		/* create the session_id, this never needs freeing */
  605|  1.32k|		ses.session_id = buf_newcopy(ses.hash);
  606|  1.32k|	}
  607|  1.32k|}
common-kex.c:kex_setup_compress:
  204|  3.33k|static void kex_setup_compress(void) {
              	/* Choose the compression algorithm lists offered in each direction
              	 * (ses.compress_algos_c2s / ses.compress_algos_s2c).
              	 *
              	 * Without zlib, or with opts.compression off, both directions offer
              	 * only ssh_nocompress. Otherwise a client offers ssh_compress both
              	 * ways, while a server offers it only server-to-client.
              	 *
              	 * In the build behind this report DISABLE_ZLIB is defined: only
              	 * lines 206-207 carry execution counts. */
  205|  3.33k|#ifdef DISABLE_ZLIB
  206|  3.33k|	ses.compress_algos_c2s = ssh_nocompress;
  207|  3.33k|	ses.compress_algos_s2c = ssh_nocompress;
  208|       |#else
  209|       |
  210|       |	if (!opts.compression) {
  211|       |		ses.compress_algos_c2s = ssh_nocompress;
  212|       |		ses.compress_algos_s2c = ssh_nocompress;
  213|       |		return;
  214|       |	}
  215|       |
  216|       |	if (IS_DROPBEAR_CLIENT) {
  217|       |		/* TODO: should c2s in dbclient be disabled?
  218|       |		 * Current Dropbear server disables it. Disabling it also
  219|       |		 * lets DROPBEAR_CLI_IMMEDIATE_AUTH work (see comment there) */
  220|       |		ses.compress_algos_c2s = ssh_compress;
  221|       |		ses.compress_algos_s2c = ssh_compress;
  222|       |	} else {
              		/* server: no compression accepted on client-to-server data */
  223|       |		ses.compress_algos_c2s = ssh_nocompress;
  224|       |		ses.compress_algos_s2c = ssh_compress;
  225|       |	}
  226|       |#endif
  227|  3.33k|}
common-kex.c:kexinitialise:
  236|  3.33k|static void kexinitialise() {
              	/* Reset the per-exchange fields of ses.kexstate so a new key
              	 * exchange can begin, and record when it started. Note that
              	 * donefirstkex and strict_kex are not modified here. */
  237|       |
  238|  3.33k|	TRACE(("kexinitialise()"))
  239|       |
  240|       |	/* sent/recv'd MSG_KEXINIT */
  241|  3.33k|	ses.kexstate.sentkexinit = 0;
  242|  3.33k|	ses.kexstate.recvkexinit = 0;
  243|       |
  244|       |	/* sent/recv'd MSG_NEWKEYS */
  245|  3.33k|	ses.kexstate.recvnewkeys = 0;
  246|  3.33k|	ses.kexstate.sentnewkeys = 0;
  247|       |
  248|       |	/* first_packet_follows */
  249|  3.33k|	ses.kexstate.them_firstfollows = 0;
  250|       |
              	/* presumably data counters consulted when deciding to rekey -
              	 * TODO confirm against their users */
  251|  3.33k|	ses.kexstate.datatrans = 0;
  252|  3.33k|	ses.kexstate.datarecv = 0;
  253|       |
  254|  3.33k|	ses.kexstate.our_first_follows_matches = 0;
  255|       |
              	/* timestamp of this (re)initialisation, from the monotonic clock */
  256|  3.33k|	ses.kexstate.lastkextime = monotonic_now();
  257|       |
  258|  3.33k|}
common-kex.c:read_kex_algos:
  611|  2.69k|static void read_kex_algos() {
              	/* Parse the peer's KEXINIT in ses.payload and record the negotiated
              	 * algorithms in ses.newkeys.
              	 *
              	 * The name-lists are consumed strictly in wire order: kex, host key,
              	 * cipher c2s/s2c, MAC c2s/s2c, compression c2s/s2c, the two language
              	 * lists, first_kex_packet_follows, and the reserved word. Every
              	 * buf_match_algo()/buf_eatstring() call advances the payload
              	 * position, so the order of the calls below must not change.
              	 *
              	 * A list with no acceptable match ends the session through
              	 * dropbear_exit("No matching algo ..."). All input here is
              	 * peer-controlled. */
  612|       |
  613|       |	/* for asymmetry */
  614|  2.69k|	algo_type * c2s_hash_algo = NULL;
  615|  2.69k|	algo_type * s2c_hash_algo = NULL;
  616|  2.69k|	algo_type * c2s_cipher_algo = NULL;
  617|  2.69k|	algo_type * s2c_cipher_algo = NULL;
  618|  2.69k|	algo_type * c2s_comp_algo = NULL;
  619|  2.69k|	algo_type * s2c_comp_algo = NULL;
  620|       |	/* the generic one */
  621|  2.69k|	algo_type * algo = NULL;
  622|       |
  623|       |	/* which algo couldn't match */
  624|  2.69k|	char * erralgo = NULL;
  625|       |
  626|  2.69k|	int goodguess = 0;
  627|  2.69k|	int allgood = 1; /* we AND this with each goodguess and see if its still
  628|       |						true after */
  629|  2.69k|	int kexguess2 = 0;
  630|       |
  631|  2.69k|	buf_incrpos(ses.payload, 16); /* start after the cookie */
  632|       |
              	/* start from an all-zero key_context; this also discards any
              	 * first-guess algorithms stored when our own KEXINIT was sent */
  633|  2.69k|	memset(ses.newkeys, 0x0, sizeof(*ses.newkeys));
  634|       |
  635|       |	/* kex_algorithms */
              	/* The buf_has_algo() probes below look for marker names in the kex
              	 * list; presumably they leave the read position unchanged, since
              	 * buf_match_algo() parses the same list afterwards - TODO confirm. */
  636|  2.69k|#if DROPBEAR_KEXGUESS2
  637|  2.69k|	if (buf_has_algo(ses.payload, KEXGUESS2_ALGO_NAME) == DROPBEAR_SUCCESS) {
  ------------------
  |  |  137|  2.69k|#define KEXGUESS2_ALGO_NAME "kexguess2@matt.ucc.asn.au"
  ------------------
              	if (buf_has_algo(ses.payload, KEXGUESS2_ALGO_NAME) == DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|  2.69k|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (637:6): [True: 36, False: 2.65k]
  ------------------
  638|     36|		kexguess2 = 1;
  639|     36|	}
  640|  2.69k|#endif
  641|       |
  642|  2.69k|#if DROPBEAR_EXT_INFO
  643|       |	/* Determine if SSH_MSG_EXT_INFO messages should be sent.
  644|       |	Should be done for the first key exchange. Only required on server side
  645|       |    for server-sig-algs */
  646|  2.69k|	if (IS_DROPBEAR_SERVER) {
  ------------------
  |  |  381|  2.69k|#define IS_DROPBEAR_SERVER (ses.isserver == 1)
  |  |  ------------------
  |  |  |  Branch (381:28): [True: 0, False: 2.69k]
  |  |  ------------------
  ------------------
  647|      0|		if (!ses.kexstate.donefirstkex) {
  ------------------
  |  Branch (647:7): [True: 0, False: 0]
  ------------------
  648|      0|			if (buf_has_algo(ses.payload, SSH_EXT_INFO_C) == DROPBEAR_SUCCESS) {
  ------------------
  |  |  100|      0|#define SSH_EXT_INFO_C "ext-info-c"
  ------------------
              			if (buf_has_algo(ses.payload, SSH_EXT_INFO_C) == DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (648:8): [True: 0, False: 0]
  ------------------
  649|      0|				ses.allow_ext_info = 1;
  650|      0|			}
  651|      0|		}
  652|      0|	}
  653|  2.69k|#endif
  654|       |
              	/* Strict KEX is only negotiated on the initial exchange: look for
              	 * the peer's marker name in the kex list (the "-s-" name when we are
              	 * the client, the "-c-" name when we are the server) and latch
              	 * ses.kexstate.strict_kex if present.
              	 * NOTE(review): this block has 0 hits in this coverage run
              	 * (donefirstkex was already set on every call), so strict-KEX
              	 * negotiation is not exercised by this harness/corpus. */
  655|  2.69k|	if (!ses.kexstate.donefirstkex) {
  ------------------
  |  Branch (655:6): [True: 0, False: 2.69k]
  ------------------
  656|      0|		const char* strict_name;
  657|      0|		if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|      0|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 0, False: 0]
  |  |  ------------------
  ------------------
  658|      0|			strict_name = SSH_STRICT_KEX_S;
  ------------------
  |  |  104|      0|#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com"
  ------------------
  659|      0|		} else {
  660|      0|			strict_name = SSH_STRICT_KEX_C;
  ------------------
  |  |  105|      0|#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com"
  ------------------
  661|      0|		}
  662|      0|		if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (662:7): [True: 0, False: 0]
  ------------------
  663|      0|			ses.kexstate.strict_kex = 1;
  664|      0|		}
  665|      0|	}
  666|       |
  667|  2.69k|	algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
  668|  2.69k|	allgood &= goodguess;
              	/* a match whose ->data is NULL is rejected as well: such an entry
              	 * carries no kex method and must never become algo_kex */
  669|  2.69k|	if (algo == NULL || algo->data == NULL) {
  ------------------
  |  Branch (669:6): [True: 231, False: 2.46k]
  |  Branch (669:22): [True: 4, False: 2.45k]
  ------------------
  670|       |		/* kexguess2, ext-info-c, ext-info-s should not match negotiation */
  671|    174|		erralgo = "kex";
  672|    174|		goto error;
  673|    174|	}
  674|  2.51k|	TRACE(("kexguess2 %d", kexguess2))
  675|  2.51k|	DEBUG3(("kex algo %s", algo->name))
  676|  2.51k|	ses.newkeys->algo_kex = algo->data;
  677|       |
  678|       |	/* server_host_key_algorithms */
  679|  2.51k|	algo = buf_match_algo(ses.payload, sigalgs, kexguess2, &goodguess);
  680|  2.51k|	allgood &= goodguess;
  681|  2.51k|	if (algo == NULL) {
  ------------------
  |  Branch (681:6): [True: 1, False: 2.51k]
  ------------------
  682|      1|		erralgo = "hostkey";
  683|      1|		goto error;
  684|      1|	}
  685|  2.51k|	DEBUG2(("hostkey algo %s", algo->name))
              	/* the host key type is derived from the negotiated signature algo */
  686|  2.51k|	ses.newkeys->algo_signature = algo->val;
  687|  2.51k|	ses.newkeys->algo_hostkey = signkey_type_from_signature(ses.newkeys->algo_signature);
  688|       |
  689|       |	/* encryption_algorithms_client_to_server */
  690|  2.51k|	c2s_cipher_algo = buf_match_algo(ses.payload, sshciphers, 0, NULL);
  691|  2.51k|	if (c2s_cipher_algo == NULL) {
  ------------------
  |  Branch (691:6): [True: 3, False: 2.51k]
  ------------------
  692|      3|		erralgo = "enc c->s";
  693|      3|		goto error;
  694|      3|	}
  695|  2.51k|	DEBUG2(("enc  c2s is %s", c2s_cipher_algo->name))
  696|       |
  697|       |	/* encryption_algorithms_server_to_client */
  698|  2.51k|	s2c_cipher_algo = buf_match_algo(ses.payload, sshciphers, 0, NULL);
  699|  2.51k|	if (s2c_cipher_algo == NULL) {
  ------------------
  |  Branch (699:6): [True: 1, False: 2.51k]
  ------------------
  700|      1|		erralgo = "enc s->c";
  701|      1|		goto error;
  702|      1|	}
  703|  2.51k|	DEBUG2(("enc  s2c is %s", s2c_cipher_algo->name))
  704|       |
  705|       |	/* mac_algorithms_client_to_server */
              	/* The MAC list is always parsed so the payload position advances.
              	 * If the cipher chosen for this direction has an AEAD mode
              	 * (aead_crypt set), the negotiated MAC is dropped and the mode's
              	 * aead_mac is used further down; in that case a failed MAC match is
              	 * not an error. Otherwise a missing MAC is fatal. */
  706|  2.51k|	c2s_hash_algo = buf_match_algo(ses.payload, sshhashes, 0, NULL);
  707|  2.51k|#if DROPBEAR_AEAD_MODE
  708|  2.51k|	if (((struct dropbear_cipher_mode*)c2s_cipher_algo->mode)->aead_crypt != NULL) {
  ------------------
  |  Branch (708:6): [True: 245, False: 2.26k]
  ------------------
  709|    245|		c2s_hash_algo = NULL;
  710|    245|	} else
  711|  2.26k|#endif
  712|  2.26k|	if (c2s_hash_algo == NULL) {
  ------------------
  |  Branch (712:6): [True: 3, False: 2.26k]
  ------------------
  713|      3|		erralgo = "mac c->s";
  714|      3|		goto error;
  715|      3|	}
  716|  2.51k|	DEBUG2(("hmac c2s is %s", c2s_hash_algo ? c2s_hash_algo->name : "<implicit>"))
  717|       |
  718|       |	/* mac_algorithms_server_to_client */
              	/* same AEAD handling as for the client-to-server MAC above */
  719|  2.51k|	s2c_hash_algo = buf_match_algo(ses.payload, sshhashes, 0, NULL);
  720|  2.51k|#if DROPBEAR_AEAD_MODE
  721|  2.51k|	if (((struct dropbear_cipher_mode*)s2c_cipher_algo->mode)->aead_crypt != NULL) {
  ------------------
  |  Branch (721:6): [True: 220, False: 2.29k]
  ------------------
  722|    220|		s2c_hash_algo = NULL;
  723|    220|	} else
  724|  2.29k|#endif
  725|  2.29k|	if (s2c_hash_algo == NULL) {
  ------------------
  |  Branch (725:6): [True: 3, False: 2.28k]
  ------------------
  726|      3|		erralgo = "mac s->c";
  727|      3|		goto error;
  728|      3|	}
  729|  2.50k|	DEBUG2(("hmac s2c is %s", s2c_hash_algo ? s2c_hash_algo->name : "<implicit>"))
  730|       |
  731|       |	/* compression_algorithms_client_to_server */
              	/* matched against the per-direction lists chosen in
              	 * kex_setup_compress(), not a single global list */
  732|  2.50k|	c2s_comp_algo = buf_match_algo(ses.payload, ses.compress_algos_c2s, 0, NULL);
  733|  2.50k|	if (c2s_comp_algo == NULL) {
  ------------------
  |  Branch (733:6): [True: 3, False: 2.50k]
  ------------------
  734|      3|		erralgo = "comp c->s";
  735|      3|		goto error;
  736|      3|	}
  737|  2.50k|	DEBUG2(("comp c2s is %s", c2s_comp_algo->name))
  738|       |
  739|       |	/* compression_algorithms_server_to_client */
  740|  2.50k|	s2c_comp_algo = buf_match_algo(ses.payload, ses.compress_algos_s2c, 0, NULL);
  741|  2.50k|	if (s2c_comp_algo == NULL) {
  ------------------
  |  Branch (741:6): [True: 2, False: 2.50k]
  ------------------
  742|      2|		erralgo = "comp s->c";
  743|      2|		goto error;
  744|      2|	}
  745|  2.50k|	DEBUG2(("comp s2c is %s", s2c_comp_algo->name))
  746|       |
  747|       |	/* languages_client_to_server */
  748|  2.50k|	buf_eatstring(ses.payload);
  749|       |
  750|       |	/* languages_server_to_client */
  751|  2.50k|	buf_eatstring(ses.payload);
  752|       |
  753|       |	/* their first_kex_packet_follows */
  754|  2.50k|	if (buf_getbool(ses.payload)) {
  ------------------
  |  Branch (754:6): [True: 158, False: 2.34k]
  ------------------
  755|    158|		TRACE(("them kex firstfollows. allgood %d", allgood))
  756|    158|		ses.kexstate.them_firstfollows = 1;
  757|       |		/* if the guess wasn't good, we ignore the packet sent */
  758|    158|		if (!allgood) {
  ------------------
  |  Branch (758:7): [True: 158, False: 0]
  ------------------
  759|    158|			ses.ignorenext = 1;
  760|    158|		}
  761|    158|	}
  762|       |
  763|       |	/* Handle the asymmetry */
              	/* "recv" keys are the peer-to-us direction and "trans" keys are
              	 * us-to-peer, so which of c2s/s2c lands in each depends on our role.
              	 * A NULL hash algo here can only mean an AEAD cipher was chosen for
              	 * that direction (a plain missing MAC went to error above), in
              	 * which case the cipher mode's aead_mac is installed instead. */
  764|  2.50k|	if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|  2.50k|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 2.33k, False: 169]
  |  |  ------------------
  ------------------
  765|  2.33k|		ses.newkeys->recv.algo_crypt = 
  766|  2.33k|			(struct dropbear_cipher*)s2c_cipher_algo->data;
  767|  2.33k|		ses.newkeys->trans.algo_crypt = 
  768|  2.33k|			(struct dropbear_cipher*)c2s_cipher_algo->data;
  769|  2.33k|		ses.newkeys->recv.crypt_mode = 
  770|  2.33k|			(struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
  771|  2.33k|		ses.newkeys->trans.crypt_mode =
  772|  2.33k|			(struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
  773|  2.33k|		ses.newkeys->recv.algo_mac = 
  774|  2.33k|#if DROPBEAR_AEAD_MODE
  775|  2.33k|			s2c_hash_algo == NULL ? ses.newkeys->recv.crypt_mode->aead_mac :
  ------------------
  |  Branch (775:4): [True: 216, False: 2.11k]
  ------------------
  776|  2.33k|#endif
  777|  2.33k|			(struct dropbear_hash*)s2c_hash_algo->data;
  778|  2.33k|		ses.newkeys->trans.algo_mac = 
  779|  2.33k|#if DROPBEAR_AEAD_MODE
  780|  2.33k|			c2s_hash_algo == NULL ? ses.newkeys->trans.crypt_mode->aead_mac :
  ------------------
  |  Branch (780:4): [True: 239, False: 2.09k]
  ------------------
  781|  2.33k|#endif
  782|  2.33k|			(struct dropbear_hash*)c2s_hash_algo->data;
  783|  2.33k|		ses.newkeys->recv.algo_comp = s2c_comp_algo->val;
  784|  2.33k|		ses.newkeys->trans.algo_comp = c2s_comp_algo->val;
  785|  2.33k|	} else {
  786|       |		/* SERVER */
              		/* NOTE(review): recv_msg_kexinit (the caller shown on this page)
              		 * recorded 0 server-side hits, so the 169 counted on this arm may
              		 * be a counter artifact rather than real server coverage -
              		 * confirm before relying on it. */
  787|    169|		ses.newkeys->recv.algo_crypt = 
  788|    169|			(struct dropbear_cipher*)c2s_cipher_algo->data;
  789|    169|		ses.newkeys->trans.algo_crypt = 
  790|    169|			(struct dropbear_cipher*)s2c_cipher_algo->data;
  791|    169|		ses.newkeys->recv.crypt_mode =
  792|    169|			(struct dropbear_cipher_mode*)c2s_cipher_algo->mode;
  793|    169|		ses.newkeys->trans.crypt_mode =
  794|    169|			(struct dropbear_cipher_mode*)s2c_cipher_algo->mode;
  795|    169|		ses.newkeys->recv.algo_mac = 
  796|    169|#if DROPBEAR_AEAD_MODE
  797|    169|			c2s_hash_algo == NULL ? ses.newkeys->recv.crypt_mode->aead_mac :
  ------------------
  |  Branch (797:4): [True: 0, False: 169]
  ------------------
  798|    169|#endif
  799|    169|			(struct dropbear_hash*)c2s_hash_algo->data;
  800|    169|		ses.newkeys->trans.algo_mac = 
  801|    169|#if DROPBEAR_AEAD_MODE
  802|    169|			s2c_hash_algo == NULL ? ses.newkeys->trans.crypt_mode->aead_mac :
  ------------------
  |  Branch (802:4): [True: 0, False: 169]
  ------------------
  803|    169|#endif
  804|    169|			(struct dropbear_hash*)s2c_hash_algo->data;
  805|    169|		ses.newkeys->recv.algo_comp = c2s_comp_algo->val;
  806|    169|		ses.newkeys->trans.algo_comp = s2c_comp_algo->val;
  807|    169|	}
  808|       |
              	/* Fuzzing builds only. NOTE(review): presumably this swaps the
              	 * negotiated algorithms for harness stand-ins, so later coverage in a
              	 * fuzz build need not reflect the real cipher/MAC code paths -
              	 * confirm in the fuzz support code. */
  809|  2.50k|#if DROPBEAR_FUZZ
  810|  2.50k|	if (fuzz.fuzzing) {
  ------------------
  |  Branch (810:6): [True: 2.33k, False: 169]
  ------------------
  811|  2.33k|		fuzz_kex_fakealgos();
  812|  2.33k|	}
  813|  2.50k|#endif
  814|       |
  815|       |	/* reserved for future extensions */
              	/* value is read only to consume it; the result is discarded */
  816|  2.50k|	buf_getint(ses.payload);
  817|       |
              	/* our own first-guess kex packet is only valid if every guess
              	 * matched what was actually negotiated */
  818|  2.50k|	if (ses.send_kex_first_guess && allgood) {
  ------------------
  |  Branch (818:6): [True: 2.32k, False: 173]
  |  Branch (818:34): [True: 0, False: 2.32k]
  ------------------
  819|      0|		TRACE(("our_first_follows_matches 1"))
  820|      0|		ses.kexstate.our_first_follows_matches = 1;
  821|      0|	}
  822|  2.50k|	return;
  823|       |
              /* erralgo is always one of the fixed literals assigned above, never
               * peer-supplied text, and it is passed as a %s argument rather than
               * as the format string. */
  824|    190|error:
  825|    190|	dropbear_exit("No matching algo %s", erralgo);
  826|  2.50k|}

readhostkey:
   39|      1|	enum signkey_type *type) {
   40|       |
   41|      1|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|      1|#define DROPBEAR_FAILURE -1
  ------------------
   42|      1|	buffer *buf;
   43|       |
   44|      1|	buf = buf_new(MAX_PRIVKEY_SIZE);
  ------------------
  |  |  262|      1|#define MAX_PRIVKEY_SIZE 1700
  ------------------
   45|       |
   46|      1|	if (buf_readfile(buf, filename) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      1|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (46:6): [True: 1, False: 0]
  ------------------
   47|      1|		goto out;
   48|      1|	}
   49|      0|	buf_setpos(buf, 0);
   50|       |
   51|      0|	addrandom(buf_getptr(buf, buf->len), buf->len);
   52|       |
   53|      0|	if (buf_get_priv_key(buf, hostkey, type) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (53:6): [True: 0, False: 0]
  ------------------
   54|      0|		goto out;
   55|      0|	}
   56|       |
   57|      0|	ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
   58|      1|out:
   59|       |
   60|      1|	buf_burn_free(buf);
   61|      1|	return ret;
   62|      0|}
parse_ciphers_macs:
   66|      1|parse_ciphers_macs() {
              	/* Apply the user-supplied cipher (-c) and MAC (-m) lists from opts.
              	 *
              	 * The special value "help" logs the available names for that list;
              	 * if either list asked for help the program exits afterwards.
              	 * Otherwise the list is passed to check_user_algos(), and a return
              	 * of 0 is treated as "nothing valid was specified" and is fatal.
              	 * NOTE(review): presumably check_user_algos() also restricts the
              	 * global algorithm table to the user's choices - confirm there. */
   67|      1|	int printed_help = 0;
   68|      1|	if (opts.cipher_list) {
  ------------------
  |  Branch (68:6): [True: 0, False: 1]
  ------------------
   69|      0|		if (strcmp(opts.cipher_list, "help") == 0) {
  ------------------
  |  Branch (69:7): [True: 0, False: 0]
  ------------------
              			/* algolist_string() hands back a string this function
              			 * releases with m_free() once it has been logged */
   70|      0|			char *ciphers = algolist_string(sshciphers);
   71|      0|			dropbear_log(LOG_INFO, "Available ciphers: %s", ciphers);
   72|      0|			m_free(ciphers);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
   73|      0|			printed_help = 1;
   74|      0|		} else {
   75|      0|			if (check_user_algos(opts.cipher_list, sshciphers, "cipher") == 0) {
  ------------------
  |  Branch (75:8): [True: 0, False: 0]
  ------------------
   76|      0|				dropbear_exit("No valid ciphers specified for '-c'");
   77|      0|			}
   78|      0|		}
   79|      0|	}
   80|       |
   81|      1|	if (opts.mac_list) {
  ------------------
  |  Branch (81:6): [True: 0, False: 1]
  ------------------
   82|      0|		if (strcmp(opts.mac_list, "help") == 0) {
  ------------------
  |  Branch (82:7): [True: 0, False: 0]
  ------------------
   83|      0|			char *macs = algolist_string(sshhashes);
   84|      0|			dropbear_log(LOG_INFO, "Available MACs: %s", macs);
   85|      0|			m_free(macs);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
   86|      0|			printed_help = 1;
   87|      0|		} else {
   88|      0|			if (check_user_algos(opts.mac_list, sshhashes, "MAC") == 0) {
  ------------------
  |  Branch (88:8): [True: 0, False: 0]
  ------------------
   89|      0|				dropbear_exit("No valid MACs specified for '-m'");
   90|      0|			}
   91|      0|		}
   92|      0|	}
              	/* exit only after both lists were handled, so "-c help -m help"
              	 * prints both sets of names */
   93|      1|	if (printed_help) {
  ------------------
  |  Branch (93:6): [True: 0, False: 1]
  ------------------
   94|      0|		dropbear_exit(".");
   95|      0|	}
   96|      1|}

common_session_init:
   47|  3.33k|void common_session_init(int sock_in, int sock_out) {
              	/* Initialise the global session state `ses` for a new connection.
              	 *
              	 * sock_in / sock_out: descriptors used for reading from and writing
              	 * to the peer; negative values are stored but not made non-blocking.
              	 *
              	 * Records the sockets, resets the timers and packet state, allocates
              	 * the outgoing payload buffer, installs "no cipher / no MAC / no
              	 * compression" as the initial keys and clears the key-exchange
              	 * buffers. May exit via dropbear_exit() on setup failure. */
   48|  3.33k|	time_t now;
   49|       |
   50|       |#if DEBUG_TRACE
   51|       |	debug_start_net();
   52|       |#endif
   53|       |
   54|  3.33k|	TRACE(("enter session_init"))
   55|       |
   56|  3.33k|	ses.sock_in = sock_in;
   57|  3.33k|	ses.sock_out = sock_out;
   58|  3.33k|	ses.maxfd = MAX(sock_in, sock_out);
  ------------------
  |  Branch (58:14): [True: 0, False: 3.33k]
  ------------------
   59|       |
   60|  3.33k|	if (sock_in >= 0) {
  ------------------
  |  Branch (60:6): [True: 3.33k, False: 0]
  ------------------
   61|  3.33k|		setnonblocking(sock_in);
   62|  3.33k|	}
   63|  3.33k|	if (sock_out >= 0) {
  ------------------
  |  Branch (63:6): [True: 3.33k, False: 0]
  ------------------
   64|  3.33k|		setnonblocking(sock_out);
   65|  3.33k|	}
   66|       |
   67|  3.33k|	ses.socket_prio = DROPBEAR_PRIO_NORMAL;
   68|       |	/* Sets it to lowdelay */
   69|  3.33k|	update_channel_prio();
   70|       |
   71|       |#if !DROPBEAR_SVR_MULTIUSER
   72|       |	/* A sanity check to prevent an accidental configuration option
   73|       |	   leaving multiuser systems exposed */
              	/* The build proceeds only if getgroups() fails with ENOSYS; any
              	 * other outcome (success or a different errno) aborts. Not compiled
              	 * into the build behind this report (no execution counts). */
   74|       |	{
   75|       |		int ret;
   76|       |		errno = 0;
   77|       |		ret = getgroups(0, NULL);
   78|       |		if (!(ret == -1 && errno == ENOSYS)) {
   79|       |			dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel");
   80|       |		}
   81|       |	}
   82|       |#endif
   83|       |
              	/* all timers start from the same monotonic timestamp; the "sent"
              	 * timestamps start at 0 because nothing has been sent yet */
   84|  3.33k|	now = monotonic_now();
   85|  3.33k|	ses.connect_time = now;
   86|  3.33k|	ses.last_packet_time_keepalive_recv = now;
   87|  3.33k|	ses.last_packet_time_idle = now;
   88|  3.33k|	ses.last_packet_time_any_sent = 0;
   89|  3.33k|	ses.last_packet_time_keepalive_sent = 0;
   90|       |	
              	/* The signal pipe is created only outside fuzzing: when
              	 * DROPBEAR_FUZZ is compiled in and fuzz.fuzzing is set, the braced
              	 * block below is skipped (0 hits in this run). */
   91|  3.33k|#if DROPBEAR_FUZZ
   92|  3.33k|	if (!fuzz.fuzzing)
  ------------------
  |  Branch (92:6): [True: 0, False: 3.33k]
  ------------------
   93|      0|#endif
   94|      0|	{
   95|      0|	if (pipe(ses.signal_pipe) < 0) {
  ------------------
  |  Branch (95:6): [True: 0, False: 0]
  ------------------
   96|      0|		dropbear_exit("Signal pipe failed");
   97|      0|	}
   98|      0|	setnonblocking(ses.signal_pipe[0]);
   99|      0|	setnonblocking(ses.signal_pipe[1]);
  100|      0|	ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[0]);
  ------------------
  |  Branch (100:14): [True: 0, False: 0]
  ------------------
  101|      0|	ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[1]);
  ------------------
  |  Branch (101:14): [True: 0, False: 0]
  ------------------
  102|      0|	}
  103|       |	
  104|  3.33k|	ses.writepayload = buf_new(TRANS_MAX_PAYLOAD_LEN);
  ------------------
  |  |  560|  3.33k|#define TRANS_MAX_PAYLOAD_LEN 16384
  ------------------
  105|  3.33k|	ses.transseq = 0;
  106|       |
  107|  3.33k|	ses.readbuf = NULL;
  108|  3.33k|	ses.payload = NULL;
  109|  3.33k|	ses.recvseq = 0;
  110|       |
  111|  3.33k|	initqueue(&ses.writequeue);
  112|       |
              	/* the first message required from the peer is its KEXINIT */
  113|  3.33k|	ses.requirenext = SSH_MSG_KEXINIT;
  ------------------
  |  |   36|  3.33k|#define SSH_MSG_KEXINIT                20
  ------------------
  114|  3.33k|	ses.dataallowed = 1; /* we can send data until we actually 
  115|       |							send the SSH_MSG_KEXINIT */
  116|  3.33k|	ses.ignorenext = 0;
  117|  3.33k|	ses.lastpacket = 0;
  118|  3.33k|	ses.reply_queue_head = NULL;
  119|  3.33k|	ses.reply_queue_tail = NULL;
  120|       |
  121|       |	/* set all the algos to none */
              	/* ses.keys is the key context in use from the start of the
              	 * connection: no cipher, no MAC, no compression. ses.newkeys stays
              	 * NULL until a key exchange allocates it. */
  122|  3.33k|	ses.keys = (struct key_context*)m_malloc(sizeof(struct key_context));
  123|  3.33k|	ses.newkeys = NULL;
  124|  3.33k|	ses.keys->recv.algo_crypt = &dropbear_nocipher;
  125|  3.33k|	ses.keys->trans.algo_crypt = &dropbear_nocipher;
  126|  3.33k|	ses.keys->recv.crypt_mode = &dropbear_mode_none;
  127|  3.33k|	ses.keys->trans.crypt_mode = &dropbear_mode_none;
  128|       |	
  129|  3.33k|	ses.keys->recv.algo_mac = &dropbear_nohash;
  130|  3.33k|	ses.keys->trans.algo_mac = &dropbear_nohash;
  131|       |
  132|  3.33k|	ses.keys->algo_kex = NULL;
  133|  3.33k|	ses.keys->algo_hostkey = -1;
  134|  3.33k|	ses.keys->recv.algo_comp = DROPBEAR_COMP_NONE;
  135|  3.33k|	ses.keys->trans.algo_comp = DROPBEAR_COMP_NONE;
  136|       |
  137|       |#ifndef DISABLE_ZLIB
  138|       |	ses.keys->recv.zstream = NULL;
  139|       |	ses.keys->trans.zstream = NULL;
  140|       |#endif
  141|       |
  142|       |	/* key exchange buffers */
              	/* session_id == NULL is what later marks "first exchange" in
              	 * finish_kexhashbuf() */
  143|  3.33k|	ses.session_id = NULL;
  144|  3.33k|	ses.kexhashbuf = NULL;
  145|  3.33k|	ses.transkexinit = NULL;
  146|  3.33k|	ses.dh_K = NULL;
  147|  3.33k|	ses.remoteident = NULL;
  148|       |
  149|  3.33k|	ses.chantypes = NULL;
  150|       |
  151|  3.33k|	ses.allowprivport = 0;
  152|       |
  153|       |#if DROPBEAR_PLUGIN
  154|       |        ses.plugin_session = NULL;
  155|       |#endif
  156|       |
  157|  3.33k|	TRACE(("leave session_init"))
  158|  3.33k|}
session_loop:
  /*
   * Main event loop of a session. Each iteration builds the read/write fd
   * sets, waits in select(), then services (in this order) the signal pipe,
   * the timeout checks, the transport socket's input, the held-back reply
   * queue, pending connects, the caller's loophandler, channel I/O and
   * finally the transport socket's output.
   *
   * loophandler: called once per iteration, before channelio().
   *
   * The loop has no exit condition of its own; it is left only through the
   * exit/close helpers it calls.
   */
  void session_loop(void(*loophandler)(void)) {

  	fd_set readfd, writefd;
  	struct timeval timeout;
  	int nready;

  	/* main loop, select()s for all sockets in use */
  	while (1) {
  		/* Back-pressure: once more than 2*TRANS_MAX_PAYLOAD_LEN bytes are
  		 * queued for the peer, stop accepting new input (see below), so
  		 * replies cannot pile up without bound. */
  		const int queue_has_room = (ses.writequeue_len <= 2*TRANS_MAX_PAYLOAD_LEN);

  		timeout.tv_sec = select_timeout();
  		timeout.tv_usec = 0;
  		DROPBEAR_FD_ZERO(&readfd);
  		DROPBEAR_FD_ZERO(&writefd);

  		/* the previous iteration must have consumed its packet */
  		dropbear_assert(ses.payload == NULL);

  		/* We get woken up when signal handlers write to this pipe.
  		   SIGCHLD in svr-chansession is the only one currently.
  		   Under fuzzing the pipe is not watched; the coverage run this
  		   listing comes from never executed the FD_SET below. */
  #if DROPBEAR_FUZZ
  		if (!fuzz.fuzzing)
  #endif
  		{
  			FD_SET(ses.signal_pipe[0], &readfd);
  		}

  		/* set up for channels which can be read/written */
  		setchannelfds(&readfd, &writefd, queue_has_room);

  		/* Pending connections to test */
  		set_connect_fds(&writefd);

  		/* Reading from the input socket is delayed during initial setup
  		until our initial KEXINIT packet has been written out (empty
  		writequeue), so that packet can be in flight while we do the
  		blocking read for the remote ident. Reading is also skipped while
  		the writequeue is full, which stops replies backing up.
  		NOTE(review): FD_SET is applied to ses.sock_in / ses.sock_out
  		without a range check in this function; presumably the descriptors
  		are kept below FD_SETSIZE where they are created - confirm. */
  		if (ses.sock_in != -1
  			&& (ses.remoteident || isempty(&ses.writequeue))
  			&& queue_has_room) {
  			FD_SET(ses.sock_in, &readfd);
  		}

  		/* Ordering is important, this test must occur after any other
  		function might have queued packets (such as connection handlers) */
  		if (ses.sock_out != -1 && !isempty(&ses.writequeue)) {
  			FD_SET(ses.sock_out, &writefd);
  		}

  		nready = select(ses.maxfd+1, &readfd, &writefd, NULL, &timeout);

  		if (ses.exitflag) {
  			dropbear_exit("Terminated by signal");
  		}

  		if (nready < 0 && errno != EINTR) {
  			dropbear_exit("Error in select");
  		}

  		if (nready <= 0) {
  			/* Interrupted or timed out: still iterate over channels etc
  			 * below (to handle server processes exiting and so on), but
  			 * with empty sets so that no fd is read or written. */
  			DROPBEAR_FD_ZERO(&readfd);
  			DROPBEAR_FD_ZERO(&writefd);
  		}

  		/* Empty out the signal pipe if required. The data is discarded,
  		since the pipe's only purpose is to wake up the select() above. */
  		ses.channel_signal_pending = 0;
  		if (FD_ISSET(ses.signal_pipe[0], &readfd)) {
  			char drained;
  			TRACE(("signal pipe set"))
  			while (read(ses.signal_pipe[0], &drained, 1) > 0) {}
  			ses.channel_signal_pending = 1;
  		}

  		/* check for auth timeout, rekeying required etc */
  		checktimeouts();

  		/* process session socket's incoming data */
  		if (ses.sock_in != -1) {
  			if (FD_ISSET(ses.sock_in, &readfd)) {
  				if (ses.remoteident) {
  					read_packet();
  				} else {
  					/* blocking read of the version string */
  					read_session_identification();
  				}
  			}

  			/* Process the decrypted packet. After this, the read buffer
  			 * will be ready for a new packet */
  			if (ses.payload != NULL) {
  				process_packet();
  			}
  		}

  		/* if required, flush out any queued reply packets that
  		were being held up during a KEX */
  		maybe_flush_reply_queue();

  		handle_connect_fds(&writefd);

  		/* loop handler prior to channelio, in case the server loophandler
  		closes channels on process exit */
  		loophandler();

  		/* process pipes etc for the channels, ses.dataallowed == 0
  		 * during rekeying ) */
  		channelio(&readfd, &writefd);

  		/* process session socket's outgoing data */
  		if (ses.sock_out != -1 && !isempty(&ses.writequeue)) {
  			write_packet();
  		}

  	} /* while (1) */

  	/* Not reached */
  }
session_cleanup:
  /*
   * Release the state held in the global session `ses`.
   *
   * Does nothing unless ses.init_done is set. The order of the calls below
   * matters (see the inline comments) and is kept exactly as it was.
   *
   * Secret handling visible here: the packet/KEX buffers go through
   * cleanup_buf() (burn, free, clear the pointer), ses.dh_K is mp_clear()ed
   * before being freed, ses.dh_K_bytes is burned and freed, and ses.keys is
   * wiped with m_burn() before m_free().
   */
  void session_cleanup() {

  	TRACE(("enter session_cleanup"))

  	/* we can't cleanup if we don't know the session state */
  	if (!ses.init_done) {
  		TRACE(("leave session_cleanup: !ses.init_done"))
  		return;
  	}

  	/* BEWARE of changing order of functions here. */

  	/* Must be before extra_session_cleanup() */
  	chancleanup();

  	if (ses.extra_session_cleanup) {
  		ses.extra_session_cleanup();
  	}

  	/* After these are freed most functions will fail */
  #if DROPBEAR_CLEANUP
  	/* listeners call cleanup functions, this should occur before
  	other session state is freed. */
  	remove_all_listeners();

  	remove_connect_pending();

  	/* drop whatever is still waiting to be sent */
  	while (!isempty(&ses.writequeue)) {
  		buffer *unsent = dequeue(&ses.writequeue);
  		buf_free(unsent);
  	}

  	/* NOTE(review): ses.newkeys is released without m_burn(), unlike
  	 * ses.keys below. If it can still hold negotiated key material from an
  	 * unfinished key exchange, wiping it first would be consistent -
  	 * confirm against the KEX code. */
  	m_free(ses.newkeys);
  #ifndef DISABLE_ZLIB
  	/* These lines carry no execution counts in the coverage run this
  	 * listing comes from, so that build presumably had zlib disabled. */
  	if (ses.keys->recv.zstream != NULL) {
  		if (inflateEnd(ses.keys->recv.zstream) == Z_STREAM_ERROR) {
  			dropbear_exit("Crypto error");
  		}
  		m_free(ses.keys->recv.zstream);
  	}
  	if (ses.keys->trans.zstream != NULL) {
  		if (deflateEnd(ses.keys->trans.zstream) == Z_STREAM_ERROR) {
  			dropbear_exit("Crypto error");
  		}
  		m_free(ses.keys->trans.zstream);
  	}
  #endif

  	m_free(ses.remoteident);
  	/* NOTE(review): the pw_* copies, including pw_passwd, are freed
  	 * without being wiped first - confirm whether pw_passwd can hold a
  	 * password hash at this point. */
  	m_free(ses.authstate.pw_dir);
  	m_free(ses.authstate.pw_name);
  	m_free(ses.authstate.pw_shell);
  	m_free(ses.authstate.pw_passwd);
  	m_free(ses.authstate.username);
  #endif

  	/* burn and free each buffer, leaving its pointer NULL */
  	cleanup_buf(&ses.session_id);
  	cleanup_buf(&ses.hash);
  	cleanup_buf(&ses.payload);
  	cleanup_buf(&ses.readbuf);
  	cleanup_buf(&ses.writepayload);
  	cleanup_buf(&ses.kexhashbuf);
  	cleanup_buf(&ses.transkexinit);

  	/* shared secret: clear the bignum before releasing its storage */
  	if (ses.dh_K) {
  		mp_clear(ses.dh_K);
  	}
  	m_free(ses.dh_K);

  	/* the pointer itself is not reset here */
  	if (ses.dh_K_bytes) {
  		buf_burn_free(ses.dh_K_bytes);
  	}

  	/* wipe the active key context before it goes back to the allocator */
  	m_burn(ses.keys, sizeof(struct key_context));
  	m_free(ses.keys);

  	TRACE(("leave session_cleanup"))
  }
send_session_identification:
  /*
   * Queue our own identification line (LOCAL_IDENT followed by "\r\n") for
   * sending. The buffer is allocated one byte larger than the line; the
   * terminating NUL is not written into it.
   */
  void send_session_identification() {
  	const char *ident_line = LOCAL_IDENT "\r\n";
  	const size_t ident_len = strlen(ident_line);
  	buffer *out = buf_new(ident_len + 1);

  	buf_putbytes(out, (const unsigned char *) ident_line, ident_len);
  	writebuf_enqueue(out);
  }
update_channel_prio:
  /*
   * Recompute the priority of the outgoing session socket from the open
   * channels and apply it if it changed.
   *
   * The result is DROPBEAR_PRIO_LOWDELAY when any channel asks for it, or
   * when there is no channel at all (session setup); otherwise it is
   * DROPBEAR_PRIO_NORMAL. Nothing is done when ses.sock_out is negative.
   */
  void update_channel_prio() {
  	enum dropbear_prio wanted = DROPBEAR_PRIO_NORMAL;
  	int have_channel = 0;
  	unsigned int idx;

  	TRACE(("update_channel_prio"))

  	if (ses.sock_out < 0) {
  		TRACE(("leave update_channel_prio: no socket"))
  		return;
  	}

  	for (idx = 0; idx < ses.chansize; idx++) {
  		struct Channel *chan = ses.channels[idx];
  		if (chan != NULL) {
  			have_channel = 1;
  			if (chan->prio == DROPBEAR_PRIO_LOWDELAY) {
  				/* one low-delay channel decides it, stop scanning */
  				wanted = DROPBEAR_PRIO_LOWDELAY;
  				break;
  			}
  		}
  	}

  	if (!have_channel) {
  		/* lowdelay during setup */
  		TRACE(("update_channel_prio: not any"))
  		wanted = DROPBEAR_PRIO_LOWDELAY;
  	}

  	/* only touch the socket when the priority actually changes */
  	if (wanted != ses.socket_prio) {
  		TRACE(("Dropbear priority transitioning %d -> %d", ses.socket_prio, wanted))
  		set_sock_priority(ses.sock_out, wanted);
  		ses.socket_prio = wanted;
  	}
  }
common-session.c:cleanup_buf:
  /*
   * Burn and free *buf, then set *buf to NULL so the stale pointer cannot
   * be used or freed again. A NULL *buf is left untouched.
   */
  static void cleanup_buf(buffer **buf) {
  	if (*buf != NULL) {
  		buf_burn_free(*buf);
  		*buf = NULL;
  	}
  }
common-session.c:read_session_identification:
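  /*
   * Read the peer's SSH identification line from ses.sock_in and store a
   * NUL-terminated copy in ses.remoteident.
   *
   * Input from the peer is bounded twice: each line is read into a 256-byte
   * buffer (at most 255 characters), and at most 50 lines are examined when
   * acting as a client, or a single line when acting as a server.
   *
   * If no line starting with "SSH-" is found, ses.remoteclosed() is called.
   * If the line is found but is neither "SSH-2.*" nor "SSH-1.99-*",
   * dropbear_exit() is called.
   */
  static void read_session_identification() {
  	/* max length of 255 chars */
  	char linebuf[256];
  	int len = 0;
  	char done = 0;
  	int i;

  	/* Servers may send other lines of data before sending the
  	 * version string, client must be able to process such lines.
  	 * If they send more than 50 lines, something is wrong */
  	for (i = IS_DROPBEAR_CLIENT ? 50 : 1; i > 0; i--) {
  		len = ident_readln(ses.sock_in, linebuf, sizeof(linebuf));

  		if (len < 0 && errno != EINTR) {
  			/* It failed */
  			break;
  		}

  		/* len counts the terminating NUL, so >= 4 guarantees the four
  		 * bytes compared here were all written by ident_readln() */
  		if (len >= 4 && memcmp(linebuf, "SSH-", 4) == 0) {
  			/* start of line matches */
  			done = 1;
  			break;
  		}
  	}

  	if (!done) {
  		TRACE(("error reading remote ident: %s\n", strerror(errno)))
  		ses.remoteclosed();
  		/* The remoteclosed handler is expected not to return, but nothing
  		 * here enforces that. Stop in any case: ses.remoteident is still
  		 * NULL and must not reach the strncmp() calls below. */
  		return;
  	}

  	/* linebuf is already null terminated, and len includes the NUL.
  	 * A NUL byte sent inside the line is copied too, so the stored string
  	 * can be shorter than len when measured with strlen(). */
  	ses.remoteident = m_malloc(len);
  	memcpy(ses.remoteident, linebuf, len);

  	/* Shall assume that 2.x will be backwards compatible. */
  	if (strncmp(ses.remoteident, "SSH-2.", 6) != 0
  			&& strncmp(ses.remoteident, "SSH-1.99-", 9) != 0) {
  		dropbear_exit("Incompatible remote version '%s'", ses.remoteident);
  	}

  	DEBUG1(("remoteident: %s", ses.remoteident))

  }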
common-session.c:ident_readln:
  /*
   * Read one line from fd into buf, one byte at a time.
   *
   * fd:    descriptor to read from (treated as non-blocking, hence select()).
   * buf:   destination; always NUL-terminated on a non-negative return.
   * count: size of buf in bytes.
   *
   * Returns the number of bytes stored including the terminating NUL, or -1
   * when count < 1, on a select()/read() error other than EINTR, or on EOF.
   *
   * '\r' bytes are dropped and '\n' ends the line. At most count-1 bytes are
   * stored; a longer line is returned truncated and its remainder is left
   * unread, so the caller's next read starts in the middle of that line.
   * checktimeouts() runs after every successful select(), including the
   * one-second timeouts.
   */
  static int ident_readln(int fd, char* buf, int count) {

  	char ch;
  	int used = 0;
  	int got = 0;
  	fd_set rset;
  	struct timeval tv;

  	TRACE(("enter ident_readln"))

  	if (count < 1) {
  		return -1;
  	}

  	DROPBEAR_FD_ZERO(&rset);

  	/* select since it's a non-blocking fd */

  	/* leave space to null-terminate */
  	while (used < count-1) {

  		FD_SET(fd, &rset);

  		tv.tv_sec = 1;
  		tv.tv_usec = 0;
  		if (select(fd+1, &rset, NULL, NULL, &tv) < 0) {
  			if (errno != EINTR) {
  				TRACE(("leave ident_readln: select error"))
  				return -1;
  			}
  			continue;
  		}

  		checktimeouts();

  		if (!FD_ISSET(fd, &rset)) {
  			/* nothing readable yet, wait again */
  			continue;
  		}

  		/* Have to go one byte at a time, since we don't want to read past
  		 * the end, and have to somehow shove bytes back into the normal
  		 * packet reader */
  		got = read(fd, &ch, 1);
  		if (got < 0) {
  			/* error */
  			if (errno == EINTR) {
  				continue; /* not a real error */
  			}
  			TRACE(("leave ident_readln: read error"))
  			return -1;
  		}
  		if (got == 0) {
  			/* EOF */
  			TRACE(("leave ident_readln: EOF"))
  			return -1;
  		}

  #if DROPBEAR_FUZZ
  		fuzz_dump(&ch, 1);
  #endif

  		/* a "\n" is a newline, "\r" we want to read in and keep going
  		 * so that it won't be read as part of the next line */
  		if (ch == '\n') {
  			/* end of ident string */
  			break;
  		}
  		/* we don't want to include '\r's */
  		if (ch != '\r') {
  			buf[used++] = ch;
  		}
  	}

  	buf[used] = '\0';
  	TRACE(("leave ident_readln: return %d", used+1))
  	return used+1;
  }
common-session.c:checktimeouts:
  /*
   * Enforce the session's time- and volume-based limits: the pre-auth
   * timeout (server only), re-keying, keepalives, the idle timeout and the
   * maximum session duration.
   *
   * Everything after the pre-auth check is skipped until the remote
   * identification string has been read. For a client this means none of
   * the limits below applies while it is still waiting for the server's
   * ident line. NOTE(review): confirm that something outside this function
   * bounds that wait.
   *
   * In the fuzzing run this listing comes from, none of the limit branches
   * was taken.
   */
  static void checktimeouts() {

  	const time_t now = monotonic_now();

  	if (IS_DROPBEAR_SERVER && ses.authstate.authdone != 1
  		&& elapsed(now, ses.connect_time) >= AUTH_TIMEOUT) {
  		dropbear_close("Timeout before auth");
  	}

  	/* we can't rekey if we haven't done remote ident exchange yet */
  	if (ses.remoteident == NULL) {
  		return;
  	}

  	/* Start a new key exchange after KEX_REKEY_TIMEOUT seconds, after
  	 * KEX_REKEY_DATA bytes in both directions combined, or on request -
  	 * unless our KEXINIT has already been sent. */
  	if (!ses.kexstate.sentkexinit) {
  		if (elapsed(now, ses.kexstate.lastkextime) >= KEX_REKEY_TIMEOUT
  			|| ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA
  			|| ses.kexstate.needrekey) {
  			TRACE(("rekeying after timeout or max data reached"))
  			ses.kexstate.needrekey = 0;
  			send_msg_kexinit();
  		}
  	}

  	if (opts.keepalive_secs > 0 && ses.authstate.authdone) {
  		/* Avoid sending keepalives prior to auth - those are
  		not valid pre-auth packet types */

  		/* Send keepalives if we've been idle */
  		if (elapsed(now, ses.last_packet_time_any_sent) >= opts.keepalive_secs) {
  			send_msg_keepalive();
  		}

  		/* Also send an explicit keepalive message to trigger a response
  		if the remote end hasn't sent us anything */
  		if (elapsed(now, ses.last_packet_time_keepalive_recv) >= opts.keepalive_secs
  			&& elapsed(now, ses.last_packet_time_keepalive_sent) >= opts.keepalive_secs) {
  			send_msg_keepalive();
  		}

  		/* give up once DEFAULT_KEEPALIVE_LIMIT intervals passed unanswered */
  		if (elapsed(now, ses.last_packet_time_keepalive_recv)
  			>= opts.keepalive_secs * DEFAULT_KEEPALIVE_LIMIT) {
  			dropbear_exit("Keepalive timeout");
  		}
  	}

  	if (opts.idle_timeout_secs > 0
  			&& elapsed(now, ses.last_packet_time_idle) >= opts.idle_timeout_secs) {
  		dropbear_close("Idle timeout");
  	}

  	if (opts.max_duration_secs > 0
  			&& elapsed(now, ses.connect_time) >= opts.max_duration_secs) {
  		dropbear_close("Max duration reached");
  	}
  }
common-session.c:select_timeout:
  /*
   * Compute how many seconds select() may sleep before one of the session's
   * timers needs attention, so the loop does not wake up unnecessarily.
   *
   * Starts from KEX_REKEY_TIMEOUT and lets update_timeout() lower it for
   * each timer that applies. Returns a value >= 0.
   */
  static long select_timeout() {
  	long wait_secs = KEX_REKEY_TIMEOUT;
  	const time_t now = monotonic_now();

  	if (!ses.kexstate.sentkexinit) {
  		update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &wait_secs);
  	}
  	if (ses.kexstate.needrekey) {
  		/* a re-key has been requested, do not sleep at all */
  		wait_secs = 0;
  	}

  	if (ses.authstate.authdone != 1 && IS_DROPBEAR_SERVER) {
  		/* AUTH_TIMEOUT is only relevant before authdone */
  		update_timeout(AUTH_TIMEOUT, now, ses.connect_time, &wait_secs);
  	}

  	if (ses.authstate.authdone) {
  		/* keepalives are timed from the later of the last one received
  		 * and the last one sent */
  		time_t last_keepalive = MAX(ses.last_packet_time_keepalive_recv,
  			ses.last_packet_time_keepalive_sent);
  		update_timeout(opts.keepalive_secs, now, last_keepalive, &wait_secs);
  	}

  	update_timeout(opts.idle_timeout_secs, now, ses.last_packet_time_idle,
  		&wait_secs);

  	update_timeout(opts.max_duration_secs, now, ses.connect_time,
  		&wait_secs);

  	/* clamp negative timeouts to zero - event has already triggered */
  	return MAX(wait_secs, 0);
  }
common-session.c:update_timeout:
  /*
   * Lower *timeout to the time left before `limit` seconds have passed
   * since last_event, never going below zero.
   *
   * limit:      length of the interval in seconds; <= 0 disables it.
   * now:        current time.
   * last_event: start of the interval; <= 0 means it has not started.
   * timeout:    in/out, only ever reduced.
   */
  static void update_timeout(long limit, time_t now, time_t last_event, long * timeout) {
  	TRACE2(("update_timeout limit %ld, now %llu, last %llu, timeout %ld",
  		limit,
  		(unsigned long long)now,
  		(unsigned long long)last_event, *timeout))

  	if (last_event <= 0 || limit <= 0) {
  		/* timer unset or disabled, leave *timeout alone */
  		return;
  	}

  	*timeout = MIN(*timeout, MAX(0, limit - elapsed(now, last_event)));
  	TRACE2(("new timeout %ld", *timeout))
  }

strlcat:
  128|      2|{
  129|      2|	char *d = dst;
  130|      2|	const char *s = src;
  131|      2|	size_t n = siz;
  132|      2|	size_t dlen;
  133|       |
  134|       |	/* Find the end of dst and adjust bytes left but don't go past end */
  135|      8|	while (n-- != 0 && *d != '\0')
  ------------------
  |  Branch (135:9): [True: 8, False: 0]
  |  Branch (135:21): [True: 6, False: 2]
  ------------------
  136|      6|		d++;
  137|      2|	dlen = d - dst;
  138|      2|	n = siz - dlen;
  139|       |
  140|      2|	if (n == 0)
  ------------------
  |  Branch (140:6): [True: 0, False: 2]
  ------------------
  141|      0|		return(dlen + strlen(s));
  142|      9|	while (*s != '\0') {
  ------------------
  |  Branch (142:9): [True: 7, False: 2]
  ------------------
  143|      7|		if (n != 1) {
  ------------------
  |  Branch (143:7): [True: 6, False: 1]
  ------------------
  144|      6|			*d++ = *s;
  145|      6|			n--;
  146|      6|		}
  147|      7|		s++;
  148|      7|	}
  149|      2|	*d = '\0';
  150|       |
  151|      2|	return(dlen + (s - src));	/* count does not include NUL */
  152|      2|}

crypto_init:
   /*
    * Register the compiled-in ciphers, hashes and (optionally) the PRNG with
    * the crypto library, set the bignum random source, and set up ECC when
    * enabled. Any registration failure ends the program via dropbear_exit().
    *
    * Which algorithms are registered is decided at build time by the
    * DROPBEAR_* switches below. In the coverage run this listing comes from,
    * the 3DES and SHA1-HMAC entries carry no execution counts, so that build
    * presumably left them out.
    */
   void crypto_init() {

   	/* NULL-terminated tables of what this build provides */
   	const struct ltc_cipher_descriptor *regciphers[] = {
   #if DROPBEAR_AES
   		&aes_desc,
   #endif
   #if DROPBEAR_3DES
   		&des3_desc,
   #endif
   		NULL
   	};

   	const struct ltc_hash_descriptor *reghashes[] = {
   #if DROPBEAR_SHA1_HMAC
   		&sha1_desc,
   #endif
   #if DROPBEAR_SHA256
   		&sha256_desc,
   #endif
   #if DROPBEAR_SHA384
   		&sha384_desc,
   #endif
   #if DROPBEAR_SHA512
   		&sha512_desc,
   #endif
   		NULL
   	};
   	const struct ltc_cipher_descriptor **cipher;
   	const struct ltc_hash_descriptor **hash;

   	for (cipher = regciphers; *cipher != NULL; cipher++) {
   		if (register_cipher(*cipher) == -1) {
   			dropbear_exit("Error registering crypto");
   		}
   	}

   	for (hash = reghashes; *hash != NULL; hash++) {
   		if (register_hash(*hash) == -1) {
   			dropbear_exit("Error registering crypto");
   		}
   	}

   #if DROPBEAR_LTC_PRNG
   	dropbear_ltc_prng = register_prng(&dropbear_prng_desc);
   	if (dropbear_ltc_prng == -1) {
   		dropbear_exit("Error registering crypto");
   	}
   #endif

   	/* bignum code draws its randomness from dropbear_rand_source */
   	mp_rand_source(dropbear_rand_source);

   #if DROPBEAR_ECC
   	ltc_mp = ltm_desc;
   	dropbear_ecc_fill_dp();
   #endif
   }

dropbear_curve25519_scalarmult:
  /*
   * Body of the Curve25519 scalar multiplication (signature not shown in this
   * listing): reads 32 scalar bytes from n and the point bytes from p, writes
   * the packed result to q.
   * - The scalar is copied to z and clamped: low three bits cleared, top bit
   *   cleared, bit 254 set.
   * - The ladder always runs 255 iterations (i = 254..0). The scalar bit r is
   *   only passed to sel25519; the index z[i>>3] depends on i alone, so no
   *   branch or memory index here depends on scalar bits.
   * NOTE(review): z (the clamped scalar copy) and the gf temporaries are not
   * wiped before return; if n is a private key, consider m_burn on them.
   * NOTE(review): nothing in this body rejects an all-zero result; presumably
   * the caller validates the shared secret -- confirm.
   */
  214|  4.21k|{
  215|  4.21k|  u8 z[32];
  216|  4.21k|  i64 x[80],r,i;
  217|  4.21k|  gf a,b,c,d,e,f;
  218|   130k|  FOR(i,31) z[i]=n[i];
  ------------------
  |  |   34|   134k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 130k, False: 4.21k]
  |  |  ------------------
  ------------------
  219|  4.21k|  z[31]=(n[31]&127)|64;
  220|  4.21k|  z[0]&=248;
  221|  4.21k|  unpack25519(x,p);
  222|  67.4k|  FOR(i,16) {
  ------------------
  |  |   34|  71.7k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 67.4k, False: 4.21k]
  |  |  ------------------
  ------------------
  223|  67.4k|    b[i]=x[i];
  224|  67.4k|    d[i]=a[i]=c[i]=0;
  225|  67.4k|  }
  226|  4.21k|  a[0]=d[0]=1;
  227|  1.07M|  for(i=254;i>=0;--i) {
  ------------------
  |  Branch (227:13): [True: 1.07M, False: 4.21k]
  ------------------
  228|  1.07M|    r=(z[i>>3]>>(i&7))&1;
  229|  1.07M|    sel25519(a,b,r);
  230|  1.07M|    sel25519(c,d,r);
  231|  1.07M|    A(e,a,c);
  232|  1.07M|    Z(a,a,c);
  233|  1.07M|    A(c,b,d);
  234|  1.07M|    Z(b,b,d);
  235|  1.07M|    S(d,e);
  236|  1.07M|    S(f,a);
  237|  1.07M|    M(a,c,a);
  238|  1.07M|    M(c,b,e);
  239|  1.07M|    A(e,a,c);
  240|  1.07M|    Z(a,a,c);
  241|  1.07M|    S(b,a);
  242|  1.07M|    Z(c,d,f);
  243|  1.07M|    M(a,c,_121665);
  244|  1.07M|    A(a,a,d);
  245|  1.07M|    M(c,c,a);
  246|  1.07M|    M(a,d,f);
  247|  1.07M|    M(d,b,x);
  248|  1.07M|    S(b,e);
  249|  1.07M|    sel25519(a,b,r);
  250|  1.07M|    sel25519(c,d,r);
  251|  1.07M|  }
  /* Stash the ladder outputs in x[16..79]; x[32..47] (c) is inverted below. */
  252|  67.4k|  FOR(i,16) {
  ------------------
  |  |   34|  71.7k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 67.4k, False: 4.21k]
  |  |  ------------------
  ------------------
  253|  67.4k|    x[i+16]=a[i];
  254|  67.4k|    x[i+32]=c[i];
  255|  67.4k|    x[i+48]=b[i];
  256|  67.4k|    x[i+64]=d[i];
  257|  67.4k|  }
  258|  4.21k|  inv25519(x+32,x+32);
  259|  4.21k|  M(x+16,x+16,x+32);
  260|  4.21k|  pack25519(q,x+16);
  261|  4.21k|}
dropbear_ed25519_verify:
  /*
   * Body of the Ed25519 signature check (signature not shown in this listing).
   * Returns 0 when the signature s over message m (mlen bytes) verifies under
   * public key pk, -1 otherwise. Rejection points, in order:
   *   1. slen < 64;
   *   2. s_lt_l(s + 32) == -1, i.e. the second signature half is not below L;
   *   3. unpackneg() cannot decode pk;
   *   4. the recomputed 32 bytes t differ from s[0..31] (crypto_verify_32,
   *      which compares without an early exit).
   * The hash input is s[0..31] || pk[0..31] || m.
   * NOTE(review): only slen < 64 is rejected, and only s[0..63] is read here;
   * confirm the caller enforces an exact 64-byte signature.
   * NOTE(review): the sha512_* return values are not checked.
   * Coverage note: the accepting `return 0` has an execution count of 0 in
   * this report, so the success path was not exercised by this corpus.
   */
  506|     32|{
  507|     32|  hash_state hs;
  508|     32|  u8 t[32],h[64];
  509|     32|  gf p[4],q[4];
  510|       |
  511|     32|  if (slen < 64) return -1;
  ------------------
  |  Branch (511:7): [True: 0, False: 32]
  ------------------
  512|       |
  513|     32|  if (s_lt_l(s + 32) == -1) {
  ------------------
  |  Branch (513:7): [True: 12, False: 20]
  ------------------
  514|     12|    return -1;
  515|     12|  }
  516|       |
  517|     20|  if (unpackneg(q,pk)) return -1;
  ------------------
  |  Branch (517:7): [True: 7, False: 13]
  ------------------
  518|       |
  519|     13|  sha512_init(&hs);
  520|     13|  sha512_process(&hs,s,32);
  521|     13|  sha512_process(&hs,pk,32);
  522|     13|  sha512_process(&hs,m,mlen);
  523|     13|  sha512_done(&hs,h);
  524|       |
  525|     13|  reduce(h);
  526|     13|  scalarmult(p,q,h);
  527|       |
  528|     13|  scalarbase(q,s + 32);
  529|     13|  add(p,q);
  530|     13|  pack(t,p);
  531|       |
  532|     13|  if (crypto_verify_32(s, t))
  ------------------
  |  Branch (532:7): [True: 13, False: 0]
  ------------------
  533|     13|    return -1;
  534|       |
  535|      0|  return 0;
  536|     13|}
curve25519.c:unpack25519:
  /*
   * Loads 32 bytes from n into 16 limbs of o, two bytes per limb with the
   * low byte first, then clears the top bit of the last limb (mask 0x7fff).
   */
  152|  4.23k|{
  153|  4.23k|  int i;
  154|  67.8k|  FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8);
  ------------------
  |  |   34|  72.0k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 67.8k, False: 4.23k]
  |  |  ------------------
  ------------------
  155|  4.23k|  o[15]&=0x7fff;
  156|  4.23k|}
curve25519.c:sel25519:
   /*
    * Branch-free conditional swap of the 16-limb values p and q.
    * c = ~(b-1) is all ones for b == 1 and zero for b == 0, so the XOR mask t
    * either swaps every limb or leaves both untouched; the same instructions
    * run in both cases.
    * Assumes b is exactly 0 or 1 -- any other value yields a partial mask.
    */
   98|  4.36M|{
   99|  4.36M|  i64 t,i,c=~(b-1);
  100|  69.8M|  FOR(i,16) {
  ------------------
  |  |   34|  74.1M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 69.8M, False: 4.36M]
  |  |  ------------------
  ------------------
  101|  69.8M|    t= c&(p[i]^q[i]);
  102|  69.8M|    p[i]^=t;
  103|  69.8M|    q[i]^=t;
  104|  69.8M|  }
  105|  4.36M|}
curve25519.c:A:
  /* Limb-wise addition o = a + b over 16 limbs; no carry is propagated here. */
  159|  4.36M|{
  160|  4.36M|  int i;
  161|  69.9M|  FOR(i,16) o[i]=a[i]+b[i];
  ------------------
  |  |   34|  74.2M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 69.9M, False: 4.36M]
  |  |  ------------------
  ------------------
  162|  4.36M|}
curve25519.c:Z:
  /* Limb-wise subtraction o = a - b over 16 limbs; no borrow is propagated here. */
  165|  4.35M|{
  166|  4.35M|  int i;
  167|  69.6M|  FOR(i,16) o[i]=a[i]-b[i];
  ------------------
  |  |   34|  74.0M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 69.6M, False: 4.35M]
  |  |  ------------------
  ------------------
  168|  4.35M|}
curve25519.c:S:
  /* Squaring: o = a * a, delegated to M. */
  182|  5.38M|{
  183|  5.38M|  M(o,a,a);
  184|  5.38M|}
curve25519.c:M:
  /*
   * Multiplication o = a * b on 16-limb values.
   * Builds the full 31-limb schoolbook product in t, folds limbs 16..30 back
   * onto limbs 0..14 with the factor 38, copies the low 16 limbs to o and
   * runs two carry passes. All loop bounds are constants, so the work done
   * does not depend on the operand values.
   * The product is accumulated in t before o is written, so o may alias a or b
   * (S calls M(o,a,a)).
   */
  171|  13.0M|{
  172|  13.0M|  i64 i,j,t[31];
  173|   403M|  FOR(i,31) t[i]=0;
  ------------------
  |  |   34|   416M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 403M, False: 13.0M]
  |  |  ------------------
  ------------------
  174|  3.33G|  FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j];
  ------------------
  |  |   34|   221M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 208M, False: 13.0M]
  |  |  ------------------
  ------------------
                FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j];
  ------------------
  |  |   34|  3.54G|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 3.33G, False: 208M]
  |  |  ------------------
  ------------------
  175|   195M|  FOR(i,15) t[i]+=38*t[i+16];
  ------------------
  |  |   34|   208M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 195M, False: 13.0M]
  |  |  ------------------
  ------------------
  176|   208M|  FOR(i,16) o[i]=t[i];
  ------------------
  |  |   34|   221M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 208M, False: 13.0M]
  |  |  ------------------
  ------------------
  177|  13.0M|  car25519(o);
  178|  13.0M|  car25519(o);
  179|  13.0M|}
curve25519.c:car25519:
   /*
    * One carry pass over the 16 limbs of o.
    * Each limb is biased by 1<<16 before the shift, and the matching -1 is
    * applied to the carry. The target index (i+1)*(i<15) sends the carry out of
    * limb 15 back to limb 0, scaled by 38 (c-1 plus 37*(c-1)); the wrap is done
    * with index arithmetic rather than a branch.
    */
   86|  26.0M|{
   87|  26.0M|  int i;
   88|  26.0M|  i64 c;
   89|   417M|  FOR(i,16) {
  ------------------
  |  |   34|   443M|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 417M, False: 26.0M]
  |  |  ------------------
  ------------------
   90|   417M|    o[i]+=(1LL<<16);
   91|   417M|    c=o[i]>>16;
   92|   417M|    o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15);
   /* The shift is done on an unsigned copy of c. */
   93|   417M|    o[i]-=((u64)c)<<16;
   94|   417M|  }
   95|  26.0M|}
curve25519.c:inv25519:
  /*
   * Raises i to a fixed exponent by square-and-multiply and stores the result
   * in o (presumably the field inverse, going by the name -- confirm).
   * The loop runs a = 253..0, squaring every round and multiplying by i except
   * at a == 2 and a == 4. The branch depends only on the loop counter, never
   * on the value being inverted. Work is done in the local c, so o may alias i
   * (the callers pass the same pointer for both).
   */
  187|  4.23k|{
  188|  4.23k|  gf c;
  189|  4.23k|  int a;
  190|  67.6k|  FOR(a,16) c[a]=i[a];
  ------------------
  |  |   34|  71.9k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 67.6k, False: 4.23k]
  |  |  ------------------
  ------------------
  191|  1.07M|  for(a=253;a>=0;a--) {
  ------------------
  |  Branch (191:13): [True: 1.07M, False: 4.23k]
  ------------------
  192|  1.07M|    S(c,c);
  193|  1.07M|    if(a!=2&&a!=4) M(c,c,i);
  ------------------
  |  Branch (193:8): [True: 1.07M, False: 4.23k]
  |  Branch (193:14): [True: 1.06M, False: 4.23k]
  ------------------
  194|  1.07M|  }
  195|  67.6k|  FOR(a,16) o[a]=c[a];
  ------------------
  |  |   34|  71.9k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 67.6k, False: 4.23k]
  |  |  ------------------
  ------------------
  196|  4.23k|}
curve25519.c:pack25519:
  /*
   * Serialises the 16-limb value n into 32 bytes at o, low byte of each limb
   * first.
   * Works on a local copy t: three carry passes, then two rounds that compute
   * m = t minus the constant with limbs 0xffed, 0xffff (x14), 0x7fff and keep
   * m only when the subtraction did not borrow. The choice is made with
   * sel25519(t,m,1-b), not with a branch on b.
   */
  108|  4.33k|{
  109|  4.33k|  int i,j,b;
  110|  4.33k|  gf m,t;
  111|  69.3k|  FOR(i,16) t[i]=n[i];
  ------------------
  |  |   34|  73.6k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 69.3k, False: 4.33k]
  |  |  ------------------
  ------------------
  112|  4.33k|  car25519(t);
  113|  4.33k|  car25519(t);
  114|  4.33k|  car25519(t);
  115|  8.66k|  FOR(j,2) {
  ------------------
  |  |   34|  12.9k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 8.66k, False: 4.33k]
  |  |  ------------------
  ------------------
  116|  8.66k|    m[0]=t[0]-0xffed;
  117|   129k|    for(i=1;i<15;i++) {
  ------------------
  |  Branch (117:13): [True: 121k, False: 8.66k]
  ------------------
  118|   121k|      m[i]=t[i]-0xffff-((m[i-1]>>16)&1);
  119|   121k|      m[i-1]&=0xffff;
  120|   121k|    }
  121|  8.66k|    m[15]=t[15]-0x7fff-((m[14]>>16)&1);
  /* b is the borrow out of the top limb: 1 means t was smaller than the constant. */
  122|  8.66k|    b=(m[15]>>16)&1;
  123|  8.66k|    m[14]&=0xffff;
  124|  8.66k|    sel25519(t,m,1-b);
  125|  8.66k|  }
  126|  69.3k|  FOR(i,16) {
  ------------------
  |  |   34|  73.6k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 69.3k, False: 4.33k]
  |  |  ------------------
  ------------------
  127|  69.3k|    o[2*i]=t[i]&0xff;
  128|  69.3k|    o[2*i+1]=t[i]>>8;
  129|  69.3k|  }
  130|  4.33k|}
curve25519.c:scalarbase:
  /*
   * Multiplies the fixed point built from the constants X and Y by the scalar
   * s and stores the result in p. The point is assembled as (X, Y, gf1, X*Y)
   * in a local q and handed to scalarmult.
   */
  333|     13|{
  334|     13|  gf q[4];
  335|     13|  set25519(q[0],X);
  336|     13|  set25519(q[1],Y);
  337|     13|  set25519(q[2],gf1);
  338|     13|  M(q[3],X,Y);
  339|     13|  scalarmult(p,q,s);
  340|     13|}
curve25519.c:set25519:
   /* Copies the 16 limbs of a into r. */
   79|    163|{
   80|    163|  int i;
   81|  2.60k|  FOR(i,16) r[i]=a[i];
  ------------------
  |  |   34|  2.77k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 2.60k, False: 163]
  |  |  ------------------
  ------------------
   82|    163|}
curve25519.c:pack:
  /*
   * Encodes the point p into 32 bytes at r: divides p[0] and p[1] by p[2]
   * (via inv25519), packs the second quotient and XORs the parity of the first
   * into the top bit of r[31].
   */
  307|     13|{
  308|     13|  gf tx, ty, zi;
  309|     13|  inv25519(zi, p[2]); 
  310|     13|  M(tx, p[0], zi);
  311|     13|  M(ty, p[1], zi);
  312|     13|  pack25519(r, ty);
  313|     13|  r[31] ^= par25519(tx) << 7;
  314|     13|}
curve25519.c:par25519:
  /* Returns the lowest bit of the packed (fully reduced) encoding of a. */
  144|     26|{
  145|     26|  u8 d[32];
  146|     26|  pack25519(d,a);
  147|     26|  return d[0]&1;
  148|     26|}
curve25519.c:reduce:
  /*
   * Reduces the 64-byte value at r in place: the bytes are widened into x,
   * r is zeroed, and modL writes the reduced value back into r. Only r[0..31]
   * is written by modL, so r[32..63] stays zero.
   */
  387|     13|{
  388|     13|  i64 x[64],i;
  389|    832|  FOR(i,64) x[i] = (u64) r[i];
  ------------------
  |  |   34|    845|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 832, False: 13]
  |  |  ------------------
  ------------------
  390|    832|  FOR(i,64) r[i] = 0;
  ------------------
  |  |   34|    845|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 832, False: 13]
  |  |  ------------------
  ------------------
  391|     13|  modL(r,x);
  392|     13|}
curve25519.c:modL:
  /*
   * Reduces the 64-entry value x modulo the constant table L (defined outside
   * this listing) and writes the low 32 bytes to r. x is modified in place.
   * All loop bounds are fixed and no branch depends on the data.
   */
  361|     13|{
  362|     13|  i64 carry,i,j;
  /* Eliminate entries 63..32 one at a time by subtracting multiples of L. */
  363|    429|  for (i = 63;i >= 32;--i) {
  ------------------
  |  Branch (363:15): [True: 416, False: 13]
  ------------------
  364|    416|    carry = 0;
  365|  8.73k|    for (j = i - 32;j < i - 12;++j) {
  ------------------
  |  Branch (365:21): [True: 8.32k, False: 416]
  ------------------
  366|  8.32k|      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
  367|  8.32k|      carry = (x[j] + 128) >> 8;
  368|  8.32k|      x[j] -= ((u64)carry) << 8;
  369|  8.32k|    }
  370|    416|    x[j] += carry;
  371|    416|    x[i] = 0;
  372|    416|  }
  373|     13|  carry = 0;
  374|    416|  FOR(j,32) {
  ------------------
  |  |   34|    429|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 416, False: 13]
  |  |  ------------------
  ------------------
  375|    416|    x[j] += carry - (x[31] >> 4) * L[j];
  376|    416|    carry = x[j] >> 8;
  377|    416|    x[j] &= 255;
  378|    416|  }
  379|    416|  FOR(j,32) x[j] -= carry * L[j];
  ------------------
  |  |   34|    429|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 416, False: 13]
  |  |  ------------------
  ------------------
  /* Final byte-wise carry; x[32] receives the last carry, r gets bytes 0..31. */
  380|    416|  FOR(i,32) {
  ------------------
  |  |   34|    429|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 416, False: 13]
  |  |  ------------------
  ------------------
  381|    416|    x[i+1] += x[i] >> 8;
  382|    416|    r[i] = x[i] & 255;
  383|    416|  }
  384|     13|}
curve25519.c:s_lt_l:
  /*
   * Range check on a 32-byte value against the table L, compared from index
   * 31 down to 0. Returns 0 when s < L, and -1 when s > L or s == L.
   * dropbear_ed25519_verify applies it to the second half of the signature, so
   * a signature whose scalar has had L added to it is rejected rather than
   * accepted as an alternative encoding.
   * The comparison exits at the first differing byte, so it is not constant
   * time; the operand at the visible call site is signature data, not a secret.
   * Coverage note: the s == L exit (line 444) was not reached in this run.
   */
  434|     32|static int s_lt_l(const u8 *s) {
  435|     32|  int i;
  436|     68|  for (i = 31; i >= 0; i--) {
  ------------------
  |  Branch (436:16): [True: 68, False: 0]
  ------------------
  437|     68|    if (s[i] < L[i]) {
  ------------------
  |  Branch (437:9): [True: 20, False: 48]
  ------------------
  438|     20|      return 0;
  439|     20|    }
  440|     48|    if (s[i] > L[i]) {
  ------------------
  |  Branch (440:9): [True: 12, False: 36]
  ------------------
  441|     12|      return -1;
  442|     12|    }
  443|     48|  }
  444|      0|  return -1;
  445|     32|}
curve25519.c:unpackneg:
  /*
   * Decodes the 32-byte point encoding p into the four coordinates of r.
   * Returns 0 on success and -1 when
   *   - the decoded y fails y_lt_p (the in-source comment states the intent:
   *     y must be below 2^255 - 19), or
   *   - neither candidate x satisfies x^2 * den == num (the second neq25519
   *     check), i.e. the bytes do not describe a usable point.
   * When the parity of the recovered x equals the top bit of p[31], x is
   * replaced by 0 - x, so the stored point is the negation of the encoded
   * one -- hence the name.
   * The branches here depend on the encoded point; at the visible call site
   * that is the public key.
   */
  464|     20|{
  465|     20|  gf t, chk, num, den, den2, den4, den6;
  466|     20|  set25519(r[2],gf1);
  467|     20|  unpack25519(r[1],p);
  468|       |
  469|       |  /* Check that pubkey y < 2^255 - 19 */
  470|     20|  if (y_lt_p(r[1])) {
  ------------------
  |  Branch (470:7): [True: 1, False: 19]
  ------------------
  471|      1|    return -1;
  472|      1|  }
  473|       |
  474|     19|  S(num,r[1]);
  475|     19|  M(den,num,D);
  476|     19|  Z(num,num,r[2]);
  477|     19|  A(den,r[2],den);
  478|       |
  479|     19|  S(den2,den);
  480|     19|  S(den4,den2);
  481|     19|  M(den6,den4,den2);
  482|     19|  M(t,den6,num);
  483|     19|  M(t,t,den);
  484|       |
  485|     19|  pow2523(t,t);
  486|     19|  M(t,t,num);
  487|     19|  M(t,t,den);
  488|     19|  M(t,t,den);
  489|     19|  M(r[0],t,den);
  490|       |
  491|     19|  S(chk,r[0]);
  492|     19|  M(chk,chk,den);
  /* First candidate failed: try the other root by multiplying with the constant I. */
  493|     19|  if (neq25519(chk, num)) M(r[0],r[0],I);
  ------------------
  |  Branch (493:7): [True: 11, False: 8]
  ------------------
  494|       |
  495|     19|  S(chk,r[0]);
  496|     19|  M(chk,chk,den);
  497|     19|  if (neq25519(chk, num)) return -1;
  ------------------
  |  Branch (497:7): [True: 6, False: 13]
  ------------------
  498|       |
  499|     13|  if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]);
  ------------------
  |  Branch (499:7): [True: 4, False: 9]
  ------------------
  500|       |
  501|     13|  M(r[3],r[0],r[1]);
  502|     13|  return 0;
  503|     19|}
curve25519.c:y_lt_p:
  /*
   * Range check on a 16-limb value against the table field_prime, compared
   * from limb 15 down to limb 0. Returns 0 when y < field_prime, and -1 when
   * y > field_prime or y == field_prime. unpackneg uses it to refuse
   * non-canonical y coordinates.
   * Exits at the first differing limb, so it is not constant time; the operand
   * at the visible call site is decoded from the public key.
   * Coverage note: the equality exit (line 460) was not reached in this run.
   */
  450|     20|static int y_lt_p(const gf y) {
  451|     20|  int i;
  452|     58|  for (i = 15; i >= 0; i--) {
  ------------------
  |  Branch (452:16): [True: 58, False: 0]
  ------------------
  453|     58|    if (y[i] < field_prime[i]) {
  ------------------
  |  Branch (453:9): [True: 19, False: 39]
  ------------------
  454|     19|      return 0;
  455|     19|    }
  456|     39|    if (y[i] > field_prime[i]) {
  ------------------
  |  Branch (456:9): [True: 1, False: 38]
  ------------------
  457|      1|      return -1;
  458|      1|    }
  459|     39|  }
  460|      0|  return -1;
  461|     20|}
curve25519.c:pow2523:
  /*
   * Raises i to a fixed exponent by square-and-multiply and stores the result
   * in o. The loop runs a = 250..0, squaring every round and multiplying by i
   * except at a == 1; the branch depends only on the loop counter. Work is done
   * in the local c, so o may alias i (unpackneg calls pow2523(t,t)).
   */
  200|     19|{
  201|     19|  gf c;
  202|     19|  int a;
  203|    304|  FOR(a,16) c[a]=i[a];
  ------------------
  |  |   34|    323|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 304, False: 19]
  |  |  ------------------
  ------------------
  204|  4.78k|  for(a=250;a>=0;a--) {
  ------------------
  |  Branch (204:13): [True: 4.76k, False: 19]
  ------------------
  205|  4.76k|    S(c,c);
  206|  4.76k|    if(a!=1) M(c,c,i);
  ------------------
  |  Branch (206:8): [True: 4.75k, False: 19]
  ------------------
  207|  4.76k|  }
  208|    304|  FOR(a,16) o[a]=c[a];
  ------------------
  |  |   34|    323|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 304, False: 19]
  |  |  ------------------
  ------------------
  209|     19|}
curve25519.c:neq25519:
  /*
   * Compares two field elements by packing both to their 32-byte encodings
   * and running crypto_verify_32 on them: 0 when equal, non-zero otherwise.
   * Packing first means two different limb representations of the same value
   * compare equal.
   */
  135|     38|{
  136|     38|  u8 c[32],d[32];
  137|     38|  pack25519(c,a);
  138|     38|  pack25519(d,b);
  139|     38|  return crypto_verify_32(c,d);
  140|     38|}
curve25519.c:scalarmult:
  /*
   * Point-by-scalar multiplication: p = s * q, with s read as 256 bits from
   * the byte array. p starts as (gf0, gf1, gf1, gf0) and q is used as working
   * storage, so q is modified by the call.
   * Every one of the 256 iterations performs the same cswap/add/add/cswap
   * sequence; the scalar bit b only feeds cswap, so there is no branch on it.
   */
  317|     26|{
  318|     26|  int i;
  319|     26|  set25519(p[0],gf0);
  320|     26|  set25519(p[1],gf1);
  321|     26|  set25519(p[2],gf1);
  322|     26|  set25519(p[3],gf0);
  323|  6.68k|  for (i = 255;i >= 0;--i) {
  ------------------
  |  Branch (323:16): [True: 6.65k, False: 26]
  ------------------
  324|  6.65k|    u8 b = (s[i/8]>>(i&7))&1;
  325|  6.65k|    cswap(p,q,b);
  326|  6.65k|    add(q,p);
  327|  6.65k|    add(p,p);
  328|  6.65k|    cswap(p,q,b);
  329|  6.65k|  }
  330|     26|}
curve25519.c:cswap:
  /* Conditionally swaps the four coordinates of p and q by applying sel25519 to each pair; b selects the swap. */
  300|  13.3k|{
  301|  13.3k|  int i;
  302|  13.3k|  FOR(i,4)
  ------------------
  |  |   34|  66.5k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 53.2k, False: 13.3k]
  |  |  ------------------
  ------------------
  303|  53.2k|    sel25519(p[i],q[i],b);
  304|  13.3k|}
curve25519.c:add:
  /*
   * Point addition p = p + q on four-coordinate points, using the constant D2.
   * Only p is written, and p's coordinates are read into temporaries before
   * the final four M calls overwrite them, which is why scalarmult can call
   * add(p,p) for doubling. The sequence is straight-line code with no branch.
   */
  275|  13.3k|{
  276|  13.3k|  gf a,b,c,d,t,e,f,g,h;
  277|       |  
  278|  13.3k|  Z(a, p[1], p[0]);
  279|  13.3k|  Z(t, q[1], q[0]);
  280|  13.3k|  M(a, a, t);
  281|  13.3k|  A(b, p[0], p[1]);
  282|  13.3k|  A(t, q[0], q[1]);
  283|  13.3k|  M(b, b, t);
  284|  13.3k|  M(c, p[3], q[3]);
  285|  13.3k|  M(c, c, D2);
  286|  13.3k|  M(d, p[2], q[2]);
  287|  13.3k|  A(d, d, d);
  288|  13.3k|  Z(e, b, a);
  289|  13.3k|  Z(f, d, c);
  290|  13.3k|  A(g, d, c);
  291|  13.3k|  A(h, b, a);
  292|       |
  293|  13.3k|  M(p[0], e, f);
  294|  13.3k|  M(p[1], h, g);
  295|  13.3k|  M(p[2], g, f);
  296|  13.3k|  M(p[3], e, h);
  297|  13.3k|}
curve25519.c:crypto_verify_32:
   /* Compares the 32-byte buffers x and y via vn: 0 when equal, -1 otherwise. */
   73|     51|{
   74|     51|  return vn(x,y,32);
   75|     51|}
curve25519.c:vn:
   /*
    * Compares n bytes of x and y without an early exit: the XOR of every byte
    * pair is OR-ed into d, so the loop always runs n times regardless of where
    * the buffers differ.
    * Return value: d == 0 makes d - 1 wrap to all ones, bit 8 is set and the
    * result is 0; any d in 1..255 leaves bit 8 of d - 1 clear and the result
    * is -1.
    */
   66|     51|{
   67|     51|  u32 i,d = 0;
   68|  1.63k|  FOR(i,n) d |= x[i]^y[i];
  ------------------
  |  |   34|  1.68k|#define FOR(i,n) for (i = 0;i < n;++i)
  |  |  ------------------
  |  |  |  Branch (34:29): [True: 1.63k, False: 51]
  |  |  ------------------
  ------------------
   69|     51|  return (1 & ((d - 1) >> 8)) - 1;
   70|     51|}

m_burn:
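    /**
     * Overwrites len bytes at data with zeros so that key material does not
     * linger in memory.
     *
     * memset_s or explicit_bzero is used when the build provides one. The
     * portable fallback stores each byte through a volatile-qualified pointer:
     * a plain memset() on a buffer that is about to go out of scope or be freed
     * is a dead store the optimiser may remove, and casting the volatile
     * qualifier away before the call does not prevent that.
     *
     * @param data  buffer to clear; may be NULL only when len is 0
     * @param len   number of bytes to clear
     */
    void m_burn(void *data, unsigned int len) {

    #if defined(HAVE_MEMSET_S)
    	memset_s(data, len, 0x0, len);
    #elif defined(HAVE_EXPLICIT_BZERO)
    	explicit_bzero(data, len);
    #else
    	/* Every store goes through a volatile lvalue, so none can be elided */
    	volatile unsigned char *p = data;
    	while (len > 0) {
    		*p++ = 0x0;
    		len--;
    	}
    #endif
    }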

m_calloc:
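    /**
     * Allocates a zero-filled array of nmemb elements of size bytes each
     * through m_malloc (which zero-fills via calloc).
     *
     * The product nmemb*size is checked for overflow before it is formed.
     * nmemb is tested for zero first so the check itself never divides by zero;
     * a zero-byte request then reaches m_malloc, which exits on size 0.
     *
     * @return pointer to the new array; does not return on failure
     *         (dropbear_exit is called instead)
     */
    void * m_calloc(size_t nmemb, size_t size) {
        if (nmemb != 0 && size > SIZE_T_MAX / nmemb) {
            dropbear_exit("m_calloc failed");
        }
        return m_malloc(nmemb*size);
    }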
m_strdup:
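   /**
    * Returns a copy of the NUL-terminated string str in memory obtained from
    * m_malloc.
    *
    * The length is kept in a size_t: storing strlen()'s result in an unsigned
    * int would truncate it for very long inputs, and the copy would then lose
    * its terminating NUL.
    *
    * @param str  string to copy; must not be NULL
    * @return the copy, to be released with m_free
    */
   void * m_strdup(const char * str) {
       char* ret;
       size_t len = strlen(str);

       /* m_malloc applies its own upper bound to the request */
       ret = m_malloc(len+1);
       if (ret == NULL) {
           dropbear_exit("m_strdup failed");
       }
       /* len+1 so the terminator is copied as well */
       memcpy(ret, str, len+1);
       return ret;
   }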
m_malloc_set_epoch:
   /* Sets the epoch tag that m_malloc stamps on every allocation made from now on. */
   76|  3.33k|void m_malloc_set_epoch(unsigned int epoch) {
   77|  3.33k|    current_epoch = epoch;
   78|  3.33k|}
m_malloc_free_epoch:
   /*
    * Walks the allocation list and drops every block tagged with epoch; all
    * other blocks are relinked into a fresh list anchored at staple.
    * With dofree set the dropped blocks are passed to free(); with dofree == 0
    * they are only forgotten by the tracker and their memory is left alone.
    * Any pointer into a block of that epoch is dangling after a call with
    * dofree set.
    */
   80|  3.33k|void m_malloc_free_epoch(unsigned int epoch, int dofree) {
   81|  3.33k|    struct dbmalloc_header* header;
   82|  3.33k|    struct dbmalloc_header* nextheader = NULL;
   83|  3.33k|    struct dbmalloc_header* oldstaple = staple;
   84|  3.33k|    staple = NULL;
   85|       |    /* free allocations from this epoch, create a new staple-anchored list from
   86|       |    the remainder */
   87|  3.40M|    for (header = oldstaple; header; header = nextheader)
  ------------------
  |  Branch (87:30): [True: 3.40M, False: 3.33k]
  ------------------
   88|  3.40M|    {
   /* Read the successor first: header may be freed or relinked below. */
   89|  3.40M|        nextheader = header->next;
   90|  3.40M|        if (header->epoch == epoch) {
  ------------------
  |  Branch (90:13): [True: 20.3k, False: 3.38M]
  ------------------
   91|  20.3k|            if (dofree) {
  ------------------
  |  Branch (91:17): [True: 20.3k, False: 0]
  ------------------
   92|  20.3k|                free(header);
   93|  20.3k|            }
   94|  3.38M|        } else {
   /* put_alloc asserts that both links are NULL on entry. */
   95|  3.38M|            header->prev = NULL;
   96|       |            header->next = NULL;
   97|  3.38M|            put_alloc(header);
   98|  3.38M|        }
   99|  3.40M|    }
  100|  3.33k|}
m_malloc:
  /*
   * Tracking allocator: returns size zero-filled bytes preceded by a hidden
   * struct dbmalloc_header that is linked into the staple list and stamped
   * with current_epoch.
   * Requests of 0 bytes or more than 1e9 bytes, and calloc() failures, end the
   * process through dropbear_exit(), so callers never see NULL. The 1e9 cap
   * also keeps size + sizeof(header) from wrapping.
   */
  131|  5.42M|void * m_malloc(size_t size) {
  132|  5.42M|    char* mem = NULL;
  133|  5.42M|    struct dbmalloc_header* header = NULL;
  134|       |
  135|  5.42M|    if (size == 0 || size > 1e9) {
  ------------------
  |  Branch (135:9): [True: 0, False: 5.42M]
  |  Branch (135:22): [True: 0, False: 5.42M]
  ------------------
  136|      0|        dropbear_exit("m_malloc failed");
  137|      0|    }
  138|       |
  139|  5.42M|    size = size + sizeof(struct dbmalloc_header);
  140|       |
  /* calloc leaves header->prev/next NULL, which put_alloc asserts. */
  141|  5.42M|    mem = calloc(1, size);
  142|  5.42M|    if (mem == NULL) {
  ------------------
  |  Branch (142:9): [True: 0, False: 5.42M]
  ------------------
  143|      0|        dropbear_exit("m_malloc failed");
  144|      0|    }
  145|  5.42M|    header = (struct dbmalloc_header*)mem;
  146|  5.42M|    put_alloc(header);
  147|  5.42M|    header->epoch = current_epoch;
  /* The caller receives the address just past the header. */
  148|  5.42M|    return &mem[sizeof(struct dbmalloc_header)];
  149|  5.42M|}
m_realloc:
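  /**
   * Resizes a block obtained from m_malloc/m_realloc to size bytes and keeps
   * it on the tracking list.
   *
   * A NULL ptr is treated like realloc(NULL, size), i.e. as a fresh m_malloc;
   * without that, get_header(NULL) would compute an address in front of the
   * null pointer and remove_alloc would dereference it.
   *
   * @param ptr   block to resize, or NULL
   * @param size  new size; 0 or more than 1e9 ends the process
   * @return pointer to the resized block; does not return on failure
   */
  void * m_realloc(void* ptr, size_t size) {
      char* mem = NULL;
      struct dbmalloc_header* header = NULL;
      if (size == 0 || size > 1e9) {
          dropbear_exit("m_realloc failed");
      }

      if (ptr == NULL) {
          return m_malloc(size);
      }

      /* Unlink before realloc: the block may move, and remove_alloc leaves
       * prev/next NULL, which put_alloc asserts on the way back in */
      header = get_header(ptr);
      remove_alloc(header);

      size = size + sizeof(struct dbmalloc_header);
      mem = realloc(header, size);
      if (mem == NULL) {
          dropbear_exit("m_realloc failed");
      }

      header = (struct dbmalloc_header*)mem;
      put_alloc(header);
      return &mem[sizeof(struct dbmalloc_header)];
  }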
m_free_direct:
  /*
   * Releases a block returned by m_malloc/m_realloc: steps back to the hidden
   * header, unlinks it from the tracking list and frees it. NULL is a no-op.
   * The header address is derived from ptr with no validation, so ptr must be
   * exactly a pointer handed out by this allocator and not yet freed.
   * This function does not clear the caller's pointer; the m_free macro shown
   * elsewhere in this report wraps it and assigns NULL afterwards.
   */
  172|  5.42M|void m_free_direct(void* ptr) {
  173|  5.42M|    struct dbmalloc_header* header = NULL;
  174|  5.42M|    if (!ptr) {
  ------------------
  |  Branch (174:9): [True: 19.5k, False: 5.40M]
  ------------------
  175|  19.5k|        return;
  176|  19.5k|    }
  177|  5.40M|    header = get_header(ptr);
  178|  5.40M|    remove_alloc(header);
  179|  5.40M|    free(header);
  180|  5.40M|}
m_realloc_ltm:
  /* Three-argument realloc adapter (the _ltm suffix suggests libtommath -- confirm): oldsize is ignored and the call is forwarded to m_realloc. */
  184|   261k|void * m_realloc_ltm(void* ptr, size_t oldsize, size_t newsize) {
  185|   261k|   (void)oldsize;
  186|   261k|   return m_realloc(ptr, newsize);
  187|   261k|}
m_free_ltm:
  /*
   * Two-argument free adapter: size is ignored and mem is released with
   * m_free_direct. The block is not zeroed here.
   * NOTE(review): if callers rely on this hook to wipe bignum contents, that
   * has to happen before the call -- confirm.
   */
  189|  2.75M|void m_free_ltm(void *mem, size_t size) {
  190|  2.75M|   (void)size;
  191|  2.75M|   m_free_direct(mem);
  192|  2.75M|}
dbmalloc.c:put_alloc:
  /*
   * Pushes header onto the front of the doubly linked list anchored at staple.
   * The header must be unlinked on entry (both links NULL); this is enforced
   * only by assert(), so it is unchecked in a build with NDEBUG.
   */
  102|  9.07M|static void put_alloc(struct dbmalloc_header *header) {
  103|  9.07M|    assert(header->next == NULL);
  ------------------
  |  Branch (103:5): [True: 0, False: 9.07M]
  |  Branch (103:5): [True: 9.07M, False: 0]
  ------------------
  104|  9.07M|    assert(header->prev == NULL);
  ------------------
  |  Branch (104:5): [True: 0, False: 9.07M]
  |  Branch (104:5): [True: 9.07M, False: 0]
  ------------------
  105|  9.07M|    if (staple) {
  ------------------
  |  Branch (105:9): [True: 9.07M, False: 3.33k]
  ------------------
  106|  9.07M|        staple->prev = header;
  107|  9.07M|    }
  108|  9.07M|    header->next = staple;
  109|  9.07M|    staple = header;
  110|  9.07M|}
dbmalloc.c:get_header:
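  /**
   * Maps a pointer handed out by m_malloc/m_realloc back to the tracking
   * header stored immediately in front of it.
   *
   * The step back is written as a pointer subtraction. Indexing with
   * -sizeof(...) negates an unsigned size_t, which yields a huge positive
   * offset and only lands on the header through address wrap-around.
   *
   * @param ptr  user pointer from this allocator; not validated
   * @return address of the header preceding ptr
   */
  static struct dbmalloc_header* get_header(void* ptr) {
      char* bptr = ptr;
      return (struct dbmalloc_header*)(bptr - sizeof(struct dbmalloc_header));
  }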
dbmalloc.c:remove_alloc:
  /*
   * Unlinks header from the staple list and clears its links.
   * The neighbours' pointers are rewritten from header->prev/next as stored in
   * the block itself, with no consistency check, so a header whose link fields
   * were overwritten makes these stores land wherever the links point.
   */
  112|  5.67M|static void remove_alloc(struct dbmalloc_header *header) {
  113|  5.67M|    if (header->prev) {
  ------------------
  |  Branch (113:9): [True: 3.99M, False: 1.68M]
  ------------------
  114|  3.99M|        header->prev->next = header->next;
  115|  3.99M|    }
  116|  5.67M|    if (header->next) {
  ------------------
  |  Branch (116:9): [True: 5.67M, False: 0]
  ------------------
  117|  5.67M|        header->next->prev = header->prev;
  118|  5.67M|    }
  119|  5.67M|    if (staple == header) {
  ------------------
  |  Branch (119:9): [True: 1.68M, False: 3.99M]
  ------------------
  120|  1.68M|        staple = header->next;
  121|  1.68M|    }
  /* Leave the header in the unlinked state that put_alloc asserts. */
  122|  5.67M|    header->prev = NULL;
  123|       |    header->next = NULL;
  124|  5.67M|}

fuzz_seed:
  /*
   * Seeds the random pool deterministically: hashpool becomes
   * SHA-256("fuzzfuzzfuzz" || dat[0..len)), the block counter is reset and the
   * generator is marked as initialised.
   * After this call every byte produced by genrandom is a function of dat
   * alone, which is what makes fuzz runs reproducible and is also why the
   * output has no secrecy whatsoever.
   * NOTE(review): confirm this function is only compiled into, or reachable
   * from, the fuzzing build.
   */
  153|  3.33k|void fuzz_seed(const unsigned char* dat, unsigned int len) {
  154|  3.33k|	hash_state hs;
  155|  3.33k|	sha256_init(&hs);
  156|  3.33k|	sha256_process(&hs, "fuzzfuzzfuzz", strlen("fuzzfuzzfuzz"));
  157|  3.33k|	sha256_process(&hs, dat, len);
  158|  3.33k|	sha256_done(&hs, hashpool);
  159|  3.33k|	counter = 0;
  160|  3.33k|	donerandinit = 1;
  161|  3.33k|}
genrandom:
  /*
   * Fills buf with len pseudo-random bytes. Each output block is
   * SHA-256(hashpool || counter); counter is incremented per block and
   * seedrandom() is called once it exceeds MAX_COUNTER.
   * Exits through dropbear_exit() if the pool was never seeded.
   * The last hash block is wiped with m_burn before returning.
   * NOTE(review): the hash_state hs, which has absorbed hashpool, is not
   * wiped; consider m_burn(&hs, sizeof(hs)) as well.
   */
  313|  5.18M|void genrandom(unsigned char* buf, unsigned int len) {
  314|       |
  315|  5.18M|	hash_state hs;
  316|  5.18M|	unsigned char hash[SHA256_HASH_SIZE];
  317|  5.18M|	unsigned int copylen;
  318|       |
  319|  5.18M|	if (!donerandinit) {
  ------------------
  |  Branch (319:6): [True: 0, False: 5.18M]
  ------------------
  320|      0|		dropbear_exit("seedrandom not done");
  321|      0|	}
  322|       |
  323|  10.3M|	while (len > 0) {
  ------------------
  |  Branch (323:9): [True: 5.20M, False: 5.18M]
  ------------------
  324|  5.20M|		sha256_init(&hs);
  325|  5.20M|		sha256_process(&hs, (void*)hashpool, sizeof(hashpool));
  326|  5.20M|		sha256_process(&hs, (void*)&counter, sizeof(counter));
  327|  5.20M|		sha256_done(&hs, hash);
  328|       |
  329|  5.20M|		counter++;
  330|  5.20M|		if (counter > MAX_COUNTER) {
  ------------------
  |  |   35|  5.20M|#define MAX_COUNTER (1<<30)
  ------------------
  |  Branch (330:7): [True: 0, False: 5.20M]
  ------------------
  331|      0|			seedrandom();
  332|      0|		}
  333|       |
  /* Never copy more than one hash block, nor more than the caller asked for. */
  334|       |		copylen = MIN(len, SHA256_HASH_SIZE);
  ------------------
  |  Branch (334:13): [True: 5.17M, False: 30.7k]
  ------------------
  335|  5.20M|		memcpy(buf, hash, copylen);
  336|  5.20M|		len -= copylen;
  337|  5.20M|		buf += copylen;
  338|  5.20M|	}
  339|  5.18M|	m_burn(hash, sizeof(hash));
  340|  5.18M|}
gen_random_mpint:
  /*
   * Stores in rand a random integer with 0 < rand < max.
   * Draws as many bytes as max has (rounded up), masks the surplus high bits
   * of the first byte so the candidate has at most as many bits as max, and
   * repeats until the candidate is in range. Rejecting out-of-range candidates
   * instead of reducing them modulo max keeps the result unbiased.
   * The byte buffer is wiped with m_burn before it is freed.
   * NOTE(review): the loop has no iteration bound; it relies on genrandom
   * producing varying output.
   */
  347|  1.09k|void gen_random_mpint(const mp_int *max, mp_int *rand) {
  348|       |
  349|  1.09k|	unsigned char *randbuf = NULL;
  350|  1.09k|	unsigned int len = 0;
  /* Indexed by size_bits % 8; index 0 means the top byte is fully used. */
  351|  1.09k|	const unsigned char masks[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
  352|       |
  353|  1.09k|	const int size_bits = mp_count_bits(max);
  354|       |
  355|  1.09k|	len = size_bits / 8;
  356|  1.09k|	if ((size_bits % 8) != 0) {
  ------------------
  |  Branch (356:6): [True: 1.09k, False: 0]
  ------------------
  357|  1.09k|		len += 1;
  358|  1.09k|	}
  359|       |
  360|  1.09k|	randbuf = (unsigned char*)m_malloc(len);
  361|  1.09k|	do {
  362|  1.09k|		genrandom(randbuf, len);
  363|       |		/* Mask out the unrequired bits - mp_read_unsigned_bin expects
  364|       |		 * MSB first.*/
  365|  1.09k|		randbuf[0] &= masks[size_bits % 8];
  366|       |
  367|  1.09k|		bytes_to_mp(rand, randbuf, len);
  368|       |
  369|       |		/* keep regenerating until we get one satisfying
  370|       |		 * 0 < rand < max    */
  371|  1.09k|	} while (!(mp_cmp(rand, max) == MP_LT && mp_cmp_d(rand, 0) == MP_GT));
  ------------------
  |  |  154|  2.19k|#define MP_LT        -1   /* less than */
  ------------------
              	} while (!(mp_cmp(rand, max) == MP_LT && mp_cmp_d(rand, 0) == MP_GT));
  ------------------
  |  |  156|  1.09k|#define MP_GT         1   /* greater than */
  ------------------
  |  Branch (371:13): [True: 1.09k, False: 0]
  |  Branch (371:43): [True: 1.09k, False: 0]
  ------------------
  372|  1.09k|	m_burn(randbuf, len);
  373|       |	m_free(randbuf);
  ------------------
  |  |   24|  1.09k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1.09k]
  |  |  ------------------
  ------------------
  374|  1.09k|}

dropbear_close:
   /*
    * Ends the session with EXIT_SUCCESS: forwards format and its arguments to
    * the _dropbear_exit handler.
    * format is used as a printf-style format string, so it must be a literal
    * or otherwise trusted; peer-supplied text belongs in the arguments.
    * Coverage note: the closing brace has an execution count of 0, i.e. the
    * handler did not return to this function in this run.
    */
   95|      4|void dropbear_close(const char* format, ...) {
   96|       |
   97|      4|	va_list param;
   98|       |
   99|      4|	va_start(param, format);
  100|      4|	_dropbear_exit(EXIT_SUCCESS, format, param);
  101|      4|	va_end(param);
  102|       |
  103|      0|}
dropbear_exit:
  /*
   * Fatal-error exit: forwards format and its arguments to the _dropbear_exit
   * handler with EXIT_FAILURE.
   * format is used as a printf-style format string, so it must be a literal
   * or otherwise trusted; peer-supplied text belongs in the arguments.
   * Coverage note: the closing brace has an execution count of 0, i.e. the
   * handler did not return to this function in this run. Callers in this
   * listing (m_malloc, m_calloc, genrandom) rely on that and carry on as if
   * the call never returns.
   */
  105|  3.32k|void dropbear_exit(const char* format, ...) {
  106|       |
  107|  3.32k|	va_list param;
  108|       |
  109|  3.32k|	va_start(param, format);
  110|  3.32k|	_dropbear_exit(EXIT_FAILURE, format, param);
  111|  3.32k|	va_end(param);
  112|      0|}
dropbear_log:
  /*
   * Logs a message at the given priority through the _dropbear_log handler
   * (a function pointer; the fuzz setup shown at the top of this report
   * assigns fuzz_dropbear_log to it).
   * format is used as a printf-style format string, so it must be a literal
   * or otherwise trusted; peer-supplied text belongs in the arguments.
   */
  148|     76|void dropbear_log(int priority, const char* format, ...) {
  149|       |
  150|     76|	va_list param;
  151|       |
  152|     76|	va_start(param, format);
  153|     76|	_dropbear_log(priority, format, param);
  154|       |	va_end(param);
  155|     76|}
buf_readfile:
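  /**
   * Reads the contents of filename into buf, starting at the buffer's current
   * position, until end of file or until the buffer is full.
   *
   * A read interrupted by EINTR/EAGAIN is retried. A `continue` inside a
   * do/while jumps to the loop condition, and with len < 0 a condition of
   * `len < maxlen && len > 0` is false, so the loop would end and a partly read
   * file would be reported as success; the explicit exit test below avoids
   * that.
   *
   * @param buf       destination; buf->size - buf->pos bytes are available
   * @param filename  path to open read-only
   * @return DROPBEAR_SUCCESS when the file was read to EOF or the buffer
   *         filled up, DROPBEAR_FAILURE if it could not be opened or read
   */
  int buf_readfile(buffer* buf, const char* filename) {

  	int fd = -1;
  	int len;
  	int maxlen;
  	int ret = DROPBEAR_FAILURE;

  	fd = open(filename, O_RDONLY);

  	if (fd < 0) {
  		goto out;
  	}

  	for (;;) {
  		maxlen = buf->size - buf->pos;
  		len = read(fd, buf_getwriteptr(buf, maxlen), maxlen);
  		if (len < 0) {
  			if (errno == EINTR || errno == EAGAIN) {
  				/* transient: issue the same read again */
  				continue;
  			}
  			goto out;
  		}
  		buf_incrwritepos(buf, len);
  		/* stop at EOF (len == 0) or once the buffer is full */
  		if (len == 0 || len >= maxlen) {
  			break;
  		}
  	}

  	ret = DROPBEAR_SUCCESS;

  out:
  	if (fd >= 0) {
  		m_close(fd);
  	}
  	return ret;
  }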
m_close:
  /* Close fd, repeating the call while it fails with EINTR. A negative fd
   * is ignored, as is EBADF; any other close() failure ends the program
   * through dropbear_exit(). */
  void m_close(int fd) {
  	int rc;

  	if (fd >= 0) {
  		for (;;) {
  			rc = close(fd);
  			if (rc >= 0 || errno != EINTR) {
  				break;
  			}
  		}

  		if (rc < 0 && errno != EBADF) {
  			/* Linux says EIO can happen */
  			dropbear_exit("Error closing fd %d, %s", fd, strerror(errno));
  		}
  	}
  }
setnonblocking:
  /* Add O_NONBLOCK to fd's file status flags. Does nothing when fuzzing.
   * Failure is fatal, except ENODEV from F_SETFL, which is only traced. */
  void setnonblocking(int fd) {

  	int flags = 0;
  	TRACE(("setnonblocking: %d", fd))

  #if DROPBEAR_FUZZ
  	if (fuzz.fuzzing) {
  		return;
  	}
  #endif
  	flags = fcntl(fd, F_GETFL, 0);
  	if (flags == -1) {
  		/* F_GETFL shouldn't fail */
  		dropbear_exit("Couldn't set nonblocking");
  	}

  	if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
  		if (errno != ENODEV) {
  			dropbear_exit("Couldn't set nonblocking");
  		} else {
  			/* Some devices (like /dev/null redirected in)
  			 * can't be set to non-blocking */
  			TRACE(("ignoring ENODEV for setnonblocking"))
  		}
  	}
  	TRACE(("leave setnonblocking"))
  }
disallow_core:
  /* Set the soft RLIMIT_CORE limit to 0 so that the process does not write
   * core files. Failures of getrlimit()/setrlimit() are traced and
   * otherwise ignored; if getrlimit() fails, the zero-initialised limit
   * (hard limit 0 as well) is what gets passed to setrlimit(). */
  void disallow_core() {
  	struct rlimit core_lim = {0};
  	int rc;

  	rc = getrlimit(RLIMIT_CORE, &core_lim);
  	if (rc < 0) {
  		TRACE(("getrlimit(RLIMIT_CORE) failed"));
  	}

  	core_lim.rlim_cur = 0;
  	rc = setrlimit(RLIMIT_CORE, &core_lim);
  	if (rc < 0) {
  		TRACE(("setrlimit(RLIMIT_CORE) failed"));
  	}
  }
expand_homedir_path_home:
  /* Return a newly allocated copy of inpath in which a leading "~/" is
   * replaced by homedir followed by "/". When inpath does not start with
   * "~/" or homedir is NULL, the result is a plain copy of inpath.
   * The caller owns the returned string. */
  char * expand_homedir_path_home(const char *inpath, const char *homedir) {
  	size_t outlen;
  	char *expanded;

  	if (strncmp(inpath, "~/", 2) != 0 || !homedir) {
  		/* Fallback */
  		return m_strdup(inpath);
  	}

  	/* homedir + '/' + (inpath without "~/") + terminating NUL */
  	outlen = strlen(inpath)-2 + strlen(homedir) + 2;
  	expanded = m_malloc(outlen);
  	snprintf(expanded, outlen, "%s/%s", homedir, inpath+2);
  	return expanded;
  }
expand_homedir_path:
  /* Expand a leading "~/" in inpath with the current user's home directory.
   * The HOME environment variable is used when set; only when it is unset
   * is the passwd entry for getuid() consulted. If neither yields a
   * directory, expand_homedir_path_home() receives NULL. */
  char * expand_homedir_path(const char *inpath) {
  	char *home = getenv("HOME");

  	if (!home) {
  		struct passwd *entry = getpwuid(getuid());
  		if (entry) {
  			home = entry->pw_dir;
  		}
  	}
  	return expand_homedir_path_home(inpath, home);
  }
constant_time_memcmp:
  674|    288|{
  675|    288|	const char *xa = a, *xb = b;
  676|    288|	uint8_t c = 0;
  677|    288|	size_t i;
  678|  9.50k|	for (i = 0; i < n; i++)
  ------------------
  |  Branch (678:14): [True: 9.21k, False: 288]
  ------------------
  679|  9.21k|	{
  680|  9.21k|		c |= (xa[i] ^ xb[i]);
  681|  9.21k|	}
  682|    288|	return c;
  683|    288|}
gettime_wrapper:
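  /* Fill *now with the current time, preferring a monotonic source:
   * clock_gettime(CLOCK_MONOTONIC), then the raw Linux syscall, then
   * mach_absolute_time(), and finally gettimeofday(), which is wall-clock
   * time and may go backwards.
   *
   * When fuzzing, *now is always 5 seconds and 0 nanoseconds. */
  void gettime_wrapper(struct timespec *now) {
  	struct timeval tv;
  #if DROPBEAR_FUZZ
  	if (fuzz.fuzzing) {
  		/* time stands still when fuzzing */
  		now->tv_sec = 5;
  		now->tv_nsec = 0;
  		/* Return here: without it the real clock below overwrites the
  		 * fixed value and time-dependent paths differ between runs of
  		 * the same fuzz input. */
  		return;
  	}
  #endif

  #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
  	/* POSIX monotonic clock. Newer Linux, BSD, MacOSX >10.12 */
  	if (clock_gettime(CLOCK_MONOTONIC, now) == 0) {
  		return;
  	}
  #endif

  #if defined(__linux__) && defined(SYS_clock_gettime)
  	{
  	/* Old linux toolchain - kernel might support it but not the build headers */
  	/* Also glibc <2.17 requires -lrt which we neglect to add */
  	static int linux_monotonic_failed = 0;
  	if (!linux_monotonic_failed) {
  		/* CLOCK_MONOTONIC isn't in some headers */
  		int clock_source_monotonic = 1;
  		if (syscall(SYS_clock_gettime, clock_source_monotonic, now) == 0) {
  			return;
  		} else {
  			/* Don't try again */
  			linux_monotonic_failed = 1;
  		}
  	}
  	}
  #endif /* linux fallback clock_gettime */

  #if defined(HAVE_MACH_ABSOLUTE_TIME)
  	{
  	/* OS X pre 10.12, see https://developer.apple.com/library/mac/qa/qa1398/_index.html */
  	static mach_timebase_info_data_t timebase_info;
  	uint64_t scaled_time;
  	if (timebase_info.denom == 0) {
  		mach_timebase_info(&timebase_info);
  	}
  	scaled_time = mach_absolute_time() * timebase_info.numer / timebase_info.denom;
  	now->tv_sec = scaled_time / 1000000000;
  	now->tv_nsec = scaled_time % 1000000000;
  	/* Keep the monotonic value; falling through would replace it with
  	 * the gettimeofday() fallback. */
  	return;
  	}
  #endif /* osx mach_absolute_time */

  	/* Fallback for everything else - this will sometimes go backwards */
  	gettimeofday(&tv, NULL);
  	now->tv_sec = tv.tv_sec;
  	now->tv_nsec = 1000*(long)tv.tv_usec;
  }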
monotonic_now:
  /* Return the seconds part of the time reported by gettime_wrapper(). */
  time_t monotonic_now() {
  	struct timespec now;

  	gettime_wrapper(&now);
  	return now.tv_sec;
  }

buf_get_dss_pub_key:
   /* Load a DSS public key from buf into key.
    *
    * Skips the 4-byte length and the "ssh-dss" name, then reads the mpints
    * p, q, g and y. The key is accepted only if p has DSS_P_BITS bits, q has
    * DSS_Q_BITS bits and 1 < g < p. key->x is set to NULL.
    *
    * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE; on failure p, q, g and y
    * are released again with m_mp_free_multi().
    *
    * NOTE(review): y is read but not range-checked in this function. */
   int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key) {
   	int ret = DROPBEAR_FAILURE;

   	TRACE(("enter buf_get_dss_pub_key"))
   	dropbear_assert(key != NULL);
   	m_mp_alloc_init_multi(&key->p, &key->q, &key->g, &key->y, NULL);
   	key->x = NULL;

   	buf_incrpos(buf, 4+SSH_SIGNKEY_DSS_LEN); /* int + "ssh-dss" */

   	if (buf_getmpint(buf, key->p) == DROPBEAR_FAILURE
   	 || buf_getmpint(buf, key->q) == DROPBEAR_FAILURE
   	 || buf_getmpint(buf, key->g) == DROPBEAR_FAILURE
   	 || buf_getmpint(buf, key->y) == DROPBEAR_FAILURE) {
   		TRACE(("leave buf_get_dss_pub_key: failed reading mpints"))
   	} else if (mp_count_bits(key->p) != DSS_P_BITS) {
   		dropbear_log(LOG_WARNING, "Bad DSS p");
   	} else if (mp_count_bits(key->q) != DSS_Q_BITS) {
   		dropbear_log(LOG_WARNING, "Bad DSS q");
   	} else if (mp_cmp_d(key->g, 1) != MP_GT) {
   		/* g must be greater than 1 */
   		dropbear_log(LOG_WARNING, "Bad DSS g");
   	} else if (mp_cmp(key->g, key->p) != MP_LT) {
   		/* g must be less than p */
   		dropbear_log(LOG_WARNING, "Bad DSS g");
   	} else {
   		ret = DROPBEAR_SUCCESS;
   		TRACE(("leave buf_get_dss_pub_key: success"))
   	}

   	if (ret == DROPBEAR_FAILURE) {
   		m_mp_free_multi(&key->p, &key->q, &key->g, &key->y, NULL);
   	}
   	return ret;
   }
dss_key_free:
  /* Release a DSS key: frees p, q, g, y and x with m_mp_free_multi() and
   * then the key structure itself. A NULL key is accepted and ignored. */
  void dss_key_free(dropbear_dss_key *key) {

  	TRACE2(("enter dsa_key_free"))
  	if (key != NULL) {
  		m_mp_free_multi(&key->p, &key->q, &key->g, &key->y, &key->x, NULL);
  		/* m_free() also sets the local pointer to NULL */
  		m_free(key);
  		TRACE2(("leave dsa_key_free"))
  		return;
  	}
  	TRACE2(("enter dsa_key_free: key == NULL"))
  }
buf_put_dss_pub_key:
  /* Append the public part of a DSS key to buf: the string "ssh-dss"
   * followed by the mpints p, q, g and y, in that order. key must not be
   * NULL. */
  void buf_put_dss_pub_key(buffer* buf, const dropbear_dss_key *key) {
  	mp_int *parts[4];
  	unsigned int i;

  	dropbear_assert(key != NULL);

  	parts[0] = key->p;
  	parts[1] = key->q;
  	parts[2] = key->g;
  	parts[3] = key->y;

  	buf_putstring(buf, SSH_SIGNKEY_DSS, SSH_SIGNKEY_DSS_LEN);
  	for (i = 0; i < sizeof(parts)/sizeof(parts[0]); i++) {
  		buf_putmpint(buf, parts[i]);
  	}
  }
buf_dss_verify:
  /* Verify a DSS signature over data_buf with the public key in key.
   *
   * The signature is read from buf as one string that must be exactly
   * 2*SHA1_HASH_SIZE bytes long: r' in the first SHA1_HASH_SIZE bytes and
   * s' in the second. Both must satisfy 0 < value < q, otherwise
   * verification fails before any modular arithmetic is done on them.
   *
   * Returns DROPBEAR_SUCCESS only when the computed v equals r'; every
   * other outcome, including a failing bignum operation, returns
   * DROPBEAR_FAILURE. The temporaries and the signature string are released
   * on all paths through the out label. */
  int buf_dss_verify(buffer* buf, const dropbear_dss_key *key, const buffer *data_buf) {
  	unsigned char msghash[SHA1_HASH_SIZE];
  	hash_state hs;
  	/* fail closed: ret only becomes success after the final comparison */
  	int ret = DROPBEAR_FAILURE;
  	DEF_MP_INT(val1);
  	DEF_MP_INT(val2);
  	DEF_MP_INT(val3);
  	DEF_MP_INT(val4);
  	char * string = NULL;
  	unsigned int stringlen;

  	TRACE(("enter buf_dss_verify"))
  	dropbear_assert(key != NULL);

  	m_mp_init_multi(&val1, &val2, &val3, &val4, NULL);

  	/* get blob, check length */
  	string = buf_getstring(buf, &stringlen);
  	if (stringlen != 2*SHA1_HASH_SIZE) {
  		goto out;
  	}

  #if DEBUG_DSS_VERIFY
  	printmpint("dss verify p", key->p);
  	printmpint("dss verify q", key->q);
  	printmpint("dss verify g", key->g);
  	printmpint("dss verify y", key->y);
  #endif

  	/* hash the data */
  	sha1_init(&hs);
  	sha1_process(&hs, data_buf->data, data_buf->len);
  	sha1_done(&hs, msghash);

  	/* create the signature - s' and r' are the received signatures in buf */
  	/* w = (s')^-1 mod q */
  	/* let val1 = s' (second half of the blob) */
  	bytes_to_mp(&val1, (const unsigned char*) &string[SHA1_HASH_SIZE], SHA1_HASH_SIZE);
  #if DEBUG_DSS_VERIFY
  	printmpint("dss verify s'", &val1);
  #endif

  	/* range check: require 0 < s' < q before inverting */
  	if (mp_cmp(&val1, key->q) != MP_LT) {
  		TRACE(("verify failed, s' >= q"))
  		goto out;
  	}
  	if (mp_cmp_d(&val1, 0) != MP_GT) {
  		TRACE(("verify failed, s' <= 0"))
  		goto out;
  	}
  	/* let val2 = w = (s')^-1 mod q*/
  	if (mp_invmod(&val1, key->q, &val2) != MP_OKAY) {
  		goto out;
  	}

  	/* u1 = ((SHA(M')w) mod q */
  	/* let val1 = SHA(M') = msghash */
  	bytes_to_mp(&val1, msghash, SHA1_HASH_SIZE);
  #if DEBUG_DSS_VERIFY
  	/* note: val1 holds the message hash at this point, not r' */
  	printmpint("dss verify r'", &val1);
  #endif

  	/* let val3 = u1 = ((SHA(M')w) mod q */
  	if (mp_mulmod(&val1, &val2, key->q, &val3) != MP_OKAY) {
  		goto out;
  	}

  	/* u2 = ((r')w) mod q */
  	/* let val1 = r' (first half of the blob) */
  	bytes_to_mp(&val1, (const unsigned char*) &string[0], SHA1_HASH_SIZE);
  	/* range check: require 0 < r' < q */
  	if (mp_cmp(&val1, key->q) != MP_LT) {
  		TRACE(("verify failed, r' >= q"))
  		goto out;
  	}
  	if (mp_cmp_d(&val1, 0) != MP_GT) {
  		TRACE(("verify failed, r' <= 0"))
  		goto out;
  	}
  	/* let val4 = u2 = ((r')w) mod q */
  	if (mp_mulmod(&val1, &val2, key->q, &val4) != MP_OKAY) {
  		goto out;
  	}

  	/* v = (((g)^u1 (y)^u2) mod p) mod q */
  	/* val2 = g^u1 mod p */
  	if (mp_exptmod(key->g, &val3, key->p, &val2) != MP_OKAY) {
  		goto out;
  	}
  	/* val3 = y^u2 mod p */
  	if (mp_exptmod(key->y, &val4, key->p, &val3) != MP_OKAY) {
  		goto out;
  	}
  	/* val4 = ((g)^u1 (y)^u2) mod p */
  	if (mp_mulmod(&val2, &val3, key->p, &val4) != MP_OKAY) {
  		goto out;
  	}
  	/* val2 = v = (((g)^u1 (y)^u2) mod p) mod q */
  	if (mp_mod(&val4, key->q, &val2) != MP_OKAY) {
  		goto out;
  	}

  	/* check whether signatures verify: val2 is v, val1 still holds r' */
  	if (mp_cmp(&val2, &val1) == MP_EQ) {
  		/* good sig */
  		ret = DROPBEAR_SUCCESS;
  	}

  out:
  	mp_clear_multi(&val1, &val2, &val3, &val4, NULL);
  	m_free(string);

  	return ret;

  }

dropbear_ecc_fill_dp:
   /* Point each entry of dropbear_ecc_curves at the libtomcrypt parameter set
    * whose size equals the curve's ltc_size. The scan through ltc_ecc_sets is
    * not restarted between curves, so it depends on both tables being ordered
    * by size. A curve left without parameters ends the program. */
   void dropbear_ecc_fill_dp() {
   	/* libtomcrypt guarantees they're ordered by size */
   	const ltc_ecc_set_type *set = ltc_ecc_sets;
   	struct dropbear_ecc_curve **slot = dropbear_ecc_curves;

   	while (*slot) {
   		struct dropbear_ecc_curve *cur = *slot;

   		/* advance to the first remaining set of the wanted size */
   		while (set->size > 0 && set->size != cur->ltc_size) {
   			set++;
   		}
   		if (set->size > 0) {
   			cur->dp = set;
   		}
   		if (!cur->dp) {
   			dropbear_exit("Missing ECC params %s", cur->name);
   		}
   		slot++;
   	}
   }
curve_for_dp:
   /* Return the entry of dropbear_ecc_curves whose dp pointer is dp.
    * An unknown dp trips the assert; with assertions compiled out the
    * function would return the NULL terminator of the table instead. */
   struct dropbear_ecc_curve* curve_for_dp(const ltc_ecc_set_type *dp) {
   	struct dropbear_ecc_curve **it = dropbear_ecc_curves;

   	while (*it && (*it)->dp != dp) {
   		it++;
   	}
   	assert(*it);
   	return *it;
   }
new_ecc_key:
   /* Allocate an ecc_key and allocate/initialise its public point
    * coordinates (x, y, z) and its scalar k. The caller owns the result. */
   ecc_key * new_ecc_key(void) {
   	ecc_key *fresh = m_malloc(sizeof(ecc_key));

   	m_mp_alloc_init_multi(
   		(mp_int**)&fresh->pubkey.x,
   		(mp_int**)&fresh->pubkey.y,
   		(mp_int**)&fresh->pubkey.z,
   		(mp_int**)&fresh->k,
   		NULL);
   	return fresh;
   }
buf_put_ecc_raw_pubkey_string:
  /* Append key's public point to buf as a length-prefixed string in ANSI
   * X9.63 form. The length written is 2*size + 1 for the curve's size; the
   * write position then advances by the length the export reports. An
   * export error ends the program. */
  void buf_put_ecc_raw_pubkey_string(buffer *buf, ecc_key *key) {
  	unsigned long outlen = key->dp->size*2 + 1;

  	buf_putint(buf, outlen);
  	if (ecc_ansi_x963_export(key, buf_getwriteptr(buf, outlen), &outlen) != CRYPT_OK) {
  		dropbear_exit("ECC error");
  	}
  	buf_incrwritepos(buf, outlen);
  }
buf_get_ecc_raw_pubkey:
  /* Parse an uncompressed ECC public point from the start of buf.
   *
   * buf must hold exactly one byte with value 4 followed by x and y, each
   * of the curve's size in bytes. Leading bytes 2 and 3 (point compression)
   * are rejected with a warning. The decoded point must pass ecc_is_point()
   * and have non-zero x and y.
   *
   * Returns a newly allocated key the caller owns, or NULL on any failure. */
  ecc_key * buf_get_ecc_raw_pubkey(buffer *buf, const struct dropbear_ecc_curve *curve) {
  	ecc_key *key = NULL;
  	int valid = 0;
  	const unsigned int size = curve->dp->size;
  	unsigned char form;

  	TRACE(("enter buf_get_ecc_raw_pubkey"))

  	buf_setpos(buf, 0);
  	form = buf_getbyte(buf);
  	switch (form) {
  	case 2:
  	case 3:
  		dropbear_log(LOG_WARNING, "Dropbear doesn't support ECC point compression");
  		return NULL;
  	case 4:
  		if (buf->len == 1+2*size) {
  			break;
  		}
  		/* fallthrough */
  	default:
  		TRACE(("leave, wrong size"))
  		return NULL;
  	}

  	key = new_ecc_key();
  	key->dp = curve->dp;

  	if (mp_from_ubin(key->pubkey.x, buf_getptr(buf, size), size) != MP_OKAY) {
  		TRACE(("failed to read x"))
  		goto done;
  	}
  	buf_incrpos(buf, size);

  	if (mp_from_ubin(key->pubkey.y, buf_getptr(buf, size), size) != MP_OKAY) {
  		TRACE(("failed to read y"))
  		goto done;
  	}
  	buf_incrpos(buf, size);

  	mp_set(key->pubkey.z, 1);

  	/* reject coordinates that are not on the curve */
  	if (ecc_is_point(key) != CRYPT_OK) {
  		TRACE(("failed, not a point"))
  		goto done;
  	}

  	/* SEC1 3.2.3.1 Check that Q != 0 */
  	if (mp_cmp_d(key->pubkey.x, 0) == LTC_MP_EQ) {
  		TRACE(("failed, x == 0"))
  		goto done;
  	}
  	if (mp_cmp_d(key->pubkey.y, 0) == LTC_MP_EQ) {
  		TRACE(("failed, y == 0"))
  		goto done;
  	}

  	valid = 1;

  done:
  	if (!valid && key) {
  		ecc_free(key);
  		m_free(key);
  		key = NULL;
  	}

  	return key;

  }
dropbear_ecc_shared_secret:
  216|     65|{
  217|     65|	ecc_point *result = NULL;
  218|     65|	mp_int *prime = NULL, *shared_secret = NULL;
  219|     65|	int err = DROPBEAR_FAILURE;
  ------------------
  |  |  112|     65|#define DROPBEAR_FAILURE -1
  ------------------
  220|       |
  221|       |   /* type valid? */
  222|     65|	if (private_key->type != PK_PRIVATE) {
  ------------------
  |  Branch (222:6): [True: 0, False: 65]
  ------------------
  223|      0|		goto out;
  224|      0|	}
  225|       |
  226|     65|	if (private_key->dp != public_key->dp) {
  ------------------
  |  Branch (226:6): [True: 0, False: 65]
  ------------------
  227|      0|		goto out;
  228|      0|	}
  229|       |
  230|       |   /* make new point */
  231|     65|	result = ltc_ecc_new_point();
  232|     65|	if (result == NULL) {
  ------------------
  |  Branch (232:6): [True: 0, False: 65]
  ------------------
  233|      0|		goto out;
  234|      0|	}
  235|       |
  236|     65|	prime = m_malloc(sizeof(*prime));
  237|     65|	m_mp_init(prime);
  238|       |
  239|     65|	if (mp_read_radix(prime, (char *)private_key->dp->prime, 16) != CRYPT_OK) { 
  ------------------
  |  Branch (239:6): [True: 0, False: 65]
  ------------------
  240|      0|		goto out;
  241|      0|	}
  242|     65|	if (ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1) != CRYPT_OK) { 
  ------------------
  |  Branch (242:6): [True: 0, False: 65]
  ------------------
  243|      0|		goto out;
  244|      0|	}
  245|       |
  246|     65|	shared_secret = m_malloc(sizeof(*shared_secret));
  247|     65|	m_mp_init(shared_secret);
  248|     65|	if (mp_copy(result->x, shared_secret) != CRYPT_OK) {
  ------------------
  |  Branch (248:6): [True: 0, False: 65]
  ------------------
  249|      0|		goto out;
  250|      0|	}
  251|       |
  252|     65|	mp_clear(prime);
  253|     65|	m_free(prime);
  ------------------
  |  |   24|     65|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 65]
  |  |  ------------------
  ------------------
  254|     65|	ltc_ecc_del_point(result);
  255|       |
  256|     65|	err = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|     65|#define DROPBEAR_SUCCESS 0
  ------------------
  257|     65|	out:
  258|     65|	if (err == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|     65|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (258:6): [True: 0, False: 65]
  ------------------
  259|      0|		dropbear_exit("ECC error");
  260|      0|	}
  261|     65|	return shared_secret;
  262|     65|}
ecc.c:ecc_is_point:
              /* Checks whether key->pubkey lies on the curve described by key->dp, i.e.
               * whether y^2 - x^3 + 3x == b (mod prime). Only pubkey.x and pubkey.y are
               * read. Returns CRYPT_OK when the equation holds, CRYPT_INVALID_PACKET
               * when it does not, or the code of the first mp_* call that fails.
               * The listing starts at the opening brace; the signature is not shown.
               * In this run 14 of 169 calls ended in the not-on-curve branch. */
   85|    169|{
   86|    169|	mp_int *prime, *b, *t1, *t2;
   87|    169|	int err;
   88|       |	
   89|    169|	m_mp_alloc_init_multi(&prime, &b, &t1, &t2, NULL);
   90|       |	
   91|       |   /* load prime and b */
              	/* prime and B are stored as base-16 strings in the curve parameters */
   92|    169|	if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK)                          { goto error; }
  ------------------
  |  Branch (92:6): [True: 0, False: 169]
  ------------------
   93|    169|	if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK)                                  { goto error; }
  ------------------
  |  Branch (93:6): [True: 0, False: 169]
  ------------------
   94|       |	
   95|       |   /* compute y^2 */
   96|    169|	if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK)                                         { goto error; }
  ------------------
  |  Branch (96:6): [True: 0, False: 169]
  ------------------
   97|       |	
   98|       |   /* compute x^3 */
              	/* x^2 is reduced mod prime first, then multiplied by x; the product is
              	 * only reduced by the mp_mod at line 110 */
   99|    169|	if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK)                                         { goto error; }
  ------------------
  |  Branch (99:6): [True: 0, False: 169]
  ------------------
  100|    169|	if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK)                                             { goto error; }
  ------------------
  |  Branch (100:6): [True: 0, False: 169]
  ------------------
  101|    169|	if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK)                                     { goto error; }
  ------------------
  |  Branch (101:6): [True: 0, False: 169]
  ------------------
  102|       |	
  103|       |   /* compute y^2 - x^3 */
  104|    169|	if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK)                                                { goto error; }
  ------------------
  |  Branch (104:6): [True: 0, False: 169]
  ------------------
  105|       |	
  106|       |   /* compute y^2 - x^3 + 3x */
              	/* 3x is formed by adding x three times */
  107|    169|	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  ------------------
  |  Branch (107:6): [True: 0, False: 169]
  ------------------
  108|    169|	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  ------------------
  |  Branch (108:6): [True: 0, False: 169]
  ------------------
  109|    169|	if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
  ------------------
  |  Branch (109:6): [True: 0, False: 169]
  ------------------
  110|    169|	if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK)                                             { goto error; }
  ------------------
  |  Branch (110:6): [True: 0, False: 169]
  ------------------
              	/* bring t1 into [0, prime) before it is compared with b; neither loop
              	 * body ran in this run */
  111|    169|	while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
  ------------------
  |  |   12|    169|#define LTC_MP_LT   -1
  ------------------
  |  Branch (111:9): [True: 0, False: 169]
  ------------------
  112|      0|		if ((err = mp_add(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
  ------------------
  |  Branch (112:7): [True: 0, False: 0]
  ------------------
  113|      0|	}
  114|    169|	while (mp_cmp(t1, prime) != LTC_MP_LT) {
  ------------------
  |  |   12|    169|#define LTC_MP_LT   -1
  ------------------
  |  Branch (114:9): [True: 0, False: 169]
  ------------------
  115|      0|		if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
  ------------------
  |  Branch (115:7): [True: 0, False: 0]
  ------------------
  116|      0|	}
  117|       |	
  118|       |   /* compare to b */
              	/* a mismatch means the supplied point does not satisfy the curve equation */
  119|    169|	if (mp_cmp(t1, b) != LTC_MP_EQ) {
  ------------------
  |  |   13|    169|#define LTC_MP_EQ    0
  ------------------
  |  Branch (119:6): [True: 14, False: 155]
  ------------------
  120|     14|		err = CRYPT_INVALID_PACKET;
  121|    155|	} else {
  122|    155|		err = CRYPT_OK;
  123|    155|	}
  124|       |	
              	/* reached on success and on failure: the four temporaries are always
              	 * cleared and freed before err is returned */
  125|    169|	error:
  126|    169|	mp_clear_multi(prime, b, t1, t2, NULL);
  127|    169|	m_free(prime);
  ------------------
  |  |   24|    169|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 169]
  |  |  ------------------
  ------------------
  128|    169|	m_free(b);
  ------------------
  |  |   24|    169|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 169]
  |  |  ------------------
  ------------------
  129|    169|	m_free(t1);
  ------------------
  |  |   24|    169|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 169]
  |  |  ------------------
  ------------------
  130|       |	m_free(t2);
  ------------------
  |  |   24|    169|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 169]
  |  |  ------------------
  ------------------
  131|    169|	return err;
  132|    169|}

signkey_is_ecdsa:
              /* Returns non-zero when type is one of the three ECDSA sign-key types
               * (NISTP256, NISTP384, NISTP521), zero otherwise. The signature line is
               * not part of this listing. In this run only the NISTP521 comparison was
               * ever true, so the other two key types did not reach this predicate. */
   11|  3.21k|{
   12|  3.21k|	return type == DROPBEAR_SIGNKEY_ECDSA_NISTP256
  ------------------
  |  Branch (12:9): [True: 0, False: 3.21k]
  ------------------
   13|  3.21k|		|| type == DROPBEAR_SIGNKEY_ECDSA_NISTP384
  ------------------
  |  Branch (13:6): [True: 0, False: 3.21k]
  ------------------
   14|  3.21k|		|| type == DROPBEAR_SIGNKEY_ECDSA_NISTP521;
  ------------------
  |  Branch (14:6): [True: 308, False: 2.90k]
  ------------------
   15|  3.21k|}
buf_get_ecdsa_pub_key:
              /* Parses an ECDSA public key from buf: the key-type string, the curve
               * identifier string, then the point Q. Returns the key built by
               * buf_get_ecc_raw_pubkey(), or NULL when the two identifiers disagree or
               * no entry of dropbear_ecc_curves matches. Both strings and q_buf are
               * released at `out` on every path. */
   77|    131|ecc_key *buf_get_ecdsa_pub_key(buffer* buf) {
   78|    131|	unsigned char *key_ident = NULL, *identifier = NULL;
   79|    131|	unsigned int key_ident_len, identifier_len;
   80|    131|	buffer *q_buf = NULL;
   81|    131|	struct dropbear_ecc_curve **curve;
   82|    131|	ecc_key *new_key = NULL;
   83|       |
   84|       |	/* string   "ecdsa-sha2-[identifier]" or "sk-ecdsa-sha2-nistp256@openssh.com" */
   85|    131|	key_ident = (unsigned char*)buf_getstring(buf, &key_ident_len);
   86|       |	/* string   "[identifier]" */
   87|    131|	identifier = (unsigned char*)buf_getstring(buf, &identifier_len);
   88|       |
              	/* strcmp() treats both strings as NUL-terminated; presumably
              	 * buf_getstring() appends a terminator - confirm */
   89|    131|	if (strcmp (key_ident, "sk-ecdsa-sha2-nistp256@openssh.com") == 0) {
  ------------------
  |  Branch (89:6): [True: 0, False: 131]
  ------------------
   90|      0|		if (strcmp (identifier, "nistp256") != 0) {
  ------------------
  |  Branch (90:7): [True: 0, False: 0]
  ------------------
   91|      0|			TRACE(("mismatching identifiers"))
   92|      0|			goto out;
   93|      0|		}
   94|    131|	} else {
              		/* Only the lengths and the part after the 11-byte prefix are compared
              		 * here; the prefix bytes themselves are not checked in this function.
              		 * NOTE(review): presumably the caller picked this parser from
              		 * key_ident already - confirm. */
   95|    131|		if (key_ident_len != identifier_len + strlen ("ecdsa-sha2-")) {
  ------------------
  |  Branch (95:7): [True: 13, False: 118]
  ------------------
   96|     13|			TRACE(("Bad identifier lengths"))
   97|     13|			goto out;
   98|     13|		}
              		/* the length equality above keeps this compare inside key_ident */
   99|    118|		if (memcmp(&key_ident[strlen ("ecdsa-sha2-")], identifier, identifier_len) != 0) {
  ------------------
  |  Branch (99:7): [True: 15, False: 103]
  ------------------
  100|     15|			TRACE(("mismatching identifiers"))
  101|     15|			goto out;
  102|     15|		}
  103|    118|	}
  104|       |
              	/* NOTE(review): the compare length is strlen(curve name) and
              	 * identifier_len is not consulted, so this is a prefix match (an
              	 * identifier that merely starts with a curve name is accepted), and
              	 * for an identifier shorter than the name the requested length exceeds
              	 * identifier_len. Requiring identifier_len == strlen(name) before the
              	 * memcmp would make the match exact and keep the read inside the
              	 * string - confirm against buf_getstring()'s allocation size. */
  105|    307|	for (curve = dropbear_ecc_curves; *curve; curve++) {
  ------------------
  |  Branch (105:36): [True: 306, False: 1]
  ------------------
  106|    306|		if (memcmp(identifier, (char*)(*curve)->name, strlen((char*)(*curve)->name)) == 0) {
  ------------------
  |  Branch (106:7): [True: 102, False: 204]
  ------------------
  107|    102|			break;
  108|    102|		}
  109|    306|	}
              	/* the curve table is NULL-terminated; *curve == NULL means no match */
  110|    103|	if (!*curve) {
  ------------------
  |  Branch (110:6): [True: 0, False: 103]
  ------------------
  111|      0|		TRACE(("couldn't match ecc curve"))
  112|      0|		goto out;
  113|      0|	}
  114|       |
  115|       |	/* string Q */
              	/* NOTE(review): whether Q is checked to lie on the curve is decided
              	 * inside buf_get_ecc_raw_pubkey(), not here - confirm */
  116|    103|	q_buf = buf_getstringbuf(buf);
  117|    103|	new_key = buf_get_ecc_raw_pubkey(q_buf, *curve);
  118|       |
              	/* common exit: new_key is still NULL on every failure path above */
  119|    130|out:
  120|    130|	m_free(key_ident);
  ------------------
  |  |   24|    130|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 130]
  |  |  ------------------
  ------------------
  121|    130|	m_free(identifier);
  ------------------
  |  |   24|    130|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 130]
  |  |  ------------------
  ------------------
  122|    130|	if (q_buf) {
  ------------------
  |  Branch (122:6): [True: 102, False: 28]
  ------------------
  123|    102|		buf_free(q_buf);
  124|       |		q_buf = NULL;
  125|    102|	}
  126|    130|	TRACE(("leave buf_get_ecdsa_pub_key"))	
  127|    130|	return new_key;
  128|    103|}
buf_put_ecdsa_pub_key:
              /* Serialises an ECDSA public key into buf as three strings:
               * "ecdsa-sha2-<curve name>", the curve name, and the raw public point.
               * The key-type string is formatted with snprintf() into a 30-byte
               * buffer, so an over-long curve name is truncated rather than
               * overflowing.
               * NOTE(review): curve is dereferenced without a NULL check; assumes
               * curve_for_dp() always finds key->dp - confirm. */
  147|     89|void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key) {
  148|     89|	struct dropbear_ecc_curve *curve = NULL;
  149|     89|	char key_ident[30];
  150|       |
  151|     89|	curve = curve_for_dp(key->dp);
  152|     89|	snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name);
  153|     89|	buf_putstring(buf, key_ident, strlen(key_ident));
  154|     89|	buf_putstring(buf, curve->name, strlen(curve->name));
  155|     89|	buf_put_ecc_raw_pubkey_string(buf, key);
  156|     89|}
buf_ecdsa_verify:
              /* Verifies an ECDSA signature. r and s are read from buf, data_buf is
               * hashed with the curve's hash, and the signature is accepted only when
               * the recomputed v equals r. Returns DROPBEAR_SUCCESS for a valid
               * signature and DROPBEAR_FAILURE on every other path; a failed
               * allocation calls dropbear_exit(). All temporaries are released at
               * `out`. In this run the accept branch at line 411 was never taken, so
               * the success path is not exercised by this coverage data. */
  281|     88|int buf_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf) {
  282|       |	/* Based on libtomcrypt's ecc_verify_hash but without the asn1 */
  283|     88|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|     88|#define DROPBEAR_FAILURE -1
  ------------------
  284|     88|	hash_state hs;
  285|     88|	struct dropbear_ecc_curve *curve = NULL;
  286|     88|	unsigned char hash[64];
  287|     88|	ecc_point *mG = NULL, *mQ = NULL;
  288|     88|	void *r = NULL, *s = NULL, *v = NULL, *w = NULL, *u1 = NULL, *u2 = NULL, 
  289|     88|		*e = NULL, *p = NULL, *m = NULL;
  290|     88|	void *mp = NULL;
  291|       |
  292|       |	/* verify 
  293|       |	 *
  294|       |	 * w  = s^-1 mod n
  295|       |	 * u1 = xw 
  296|       |	 * u2 = rw
  297|       |	 * X = u1*G + u2*Q
  298|       |	 * v = X_x1 mod n
  299|       |	 * accept if v == r
  300|       |	 */
  301|       |
  302|     88|	TRACE(("buf_ecdsa_verify"))
  303|     88|	curve = curve_for_dp(key->dp);
  304|       |
  305|     88|	mG = ltc_ecc_new_point();
  306|     88|	mQ = ltc_ecc_new_point();
  307|     88|	if (ltc_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL) != CRYPT_OK
  ------------------
  |  Branch (307:6): [True: 0, False: 88]
  ------------------
  308|     88|		|| !mG
  ------------------
  |  Branch (308:6): [True: 0, False: 88]
  ------------------
  309|     88|		|| !mQ) {
  ------------------
  |  Branch (309:6): [True: 0, False: 88]
  ------------------
  310|      0|		dropbear_exit("ECC error");
  311|      0|	}
  312|       |
              	/* a malformed signature blob fails here, before any hashing or curve
              	 * arithmetic; 38 of 88 calls in this run stopped at this check */
  313|     88|	if (buf_get_ecdsa_verify_params(buf, r, s) != DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|     88|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (313:6): [True: 38, False: 50]
  ------------------
  314|     38|		goto out;
  315|     38|	}
  316|       |
              	/* NOTE(review): done() writes the digest into hash[64]; assumes no
              	 * curve is paired with a digest longer than 64 bytes - confirm */
  317|     50|	curve->hash_desc->init(&hs);
  318|     50|	curve->hash_desc->process(&hs, data_buf->data, data_buf->len);
  319|     50|	curve->hash_desc->done(&hs, hash);
  320|       |
              	/* e is the digest as an integer (the header comment calls it x) */
  321|     50|	if (ltc_mp.unsigned_read(e, hash, curve->hash_desc->hashsize) != CRYPT_OK) {
  ------------------
  |  Branch (321:6): [True: 0, False: 50]
  ------------------
  322|      0|		goto out;
  323|      0|	}
  324|       |
  325|       |   /* get the order */
              	/* p holds the group order n from here on, not the field prime */
  326|     50|	if (ltc_mp.read_radix(p, (char *)key->dp->order, 16) != CRYPT_OK) { 
  ------------------
  |  Branch (326:6): [True: 0, False: 50]
  ------------------
  327|      0|		goto out; 
  328|      0|	}
  329|       |
  330|       |   /* get the modulus */
              	/* m holds the field prime used for the point arithmetic */
  331|     50|	if (ltc_mp.read_radix(m, (char *)key->dp->prime, 16) != CRYPT_OK) { 
  ------------------
  |  Branch (331:6): [True: 0, False: 50]
  ------------------
  332|      0|		goto out; 
  333|      0|	}
  334|       |
  335|       |   /* check for zero */
              	/* r and s must both lie in [1, n-1]; anything else is rejected before
              	 * s is inverted. All four conditions fired at least once in this run. */
  336|     50|	if (ltc_mp.compare_d(r, 0) == LTC_MP_EQ 
  ------------------
  |  |   13|    100|#define LTC_MP_EQ    0
  ------------------
  |  Branch (336:6): [True: 3, False: 47]
  ------------------
  337|     47|		|| ltc_mp.compare_d(s, 0) == LTC_MP_EQ 
  ------------------
  |  |   13|     97|#define LTC_MP_EQ    0
  ------------------
  |  Branch (337:6): [True: 1, False: 46]
  ------------------
  338|     46|		|| ltc_mp.compare(r, p) != LTC_MP_LT 
  ------------------
  |  |   12|     96|#define LTC_MP_LT   -1
  ------------------
  |  Branch (338:6): [True: 1, False: 45]
  ------------------
  339|     45|		|| ltc_mp.compare(s, p) != LTC_MP_LT) {
  ------------------
  |  |   12|     45|#define LTC_MP_LT   -1
  ------------------
  |  Branch (339:6): [True: 1, False: 44]
  ------------------
  340|      5|		goto out;
  341|      5|	}
  342|       |
  343|       |   /*  w  = s^-1 mod n */
  344|     45|	if (ltc_mp.invmod(s, p, w) != CRYPT_OK) { 
  ------------------
  |  Branch (344:6): [True: 0, False: 45]
  ------------------
  345|      0|		goto out; 
  346|      0|	}
  347|       |
  348|       |   /* u1 = ew */
  349|     45|	if (ltc_mp.mulmod(e, w, p, u1) != CRYPT_OK) { 
  ------------------
  |  Branch (349:6): [True: 0, False: 45]
  ------------------
  350|      0|		goto out; 
  351|      0|	}
  352|       |
  353|       |   /* u2 = rw */
  354|     45|	if (ltc_mp.mulmod(r, w, p, u2) != CRYPT_OK) { 
  ------------------
  |  Branch (354:6): [True: 0, False: 45]
  ------------------
  355|      0|		goto out; 
  356|      0|	}
  357|       |
  358|       |   /* find mG and mQ */
              	/* mG is the curve base point (Gx, Gy, z = 1) from the curve parameters */
  359|     45|	if (ltc_mp.read_radix(mG->x, (char *)key->dp->Gx, 16) != CRYPT_OK) { 
  ------------------
  |  Branch (359:6): [True: 0, False: 45]
  ------------------
  360|      0|		goto out; 
  361|      0|	}
  362|     45|	if (ltc_mp.read_radix(mG->y, (char *)key->dp->Gy, 16) != CRYPT_OK) { 
  ------------------
  |  Branch (362:6): [True: 0, False: 45]
  ------------------
  363|      0|		goto out; 
  364|      0|	}
  365|     45|	if (ltc_mp.set_int(mG->z, 1) != CRYPT_OK) { 
  ------------------
  |  Branch (365:6): [True: 0, False: 45]
  ------------------
  366|      0|		goto out; 
  367|      0|	}
  368|       |
              	/* mQ is a working copy of the public point; the arithmetic below writes
              	 * its results into mG and mQ, never into key.
              	 * NOTE(review): the point is not re-validated here; presumably it was
              	 * checked when the key was parsed - confirm. */
  369|     45|	if (ltc_mp.copy(key->pubkey.x, mQ->x) != CRYPT_OK
  ------------------
  |  Branch (369:6): [True: 1, False: 44]
  ------------------
  370|     44|		|| ltc_mp.copy(key->pubkey.y, mQ->y) != CRYPT_OK
  ------------------
  |  Branch (370:6): [True: 0, False: 44]
  ------------------
  371|     44|		|| ltc_mp.copy(key->pubkey.z, mQ->z) != CRYPT_OK) { 
  ------------------
  |  Branch (371:6): [True: 0, False: 44]
  ------------------
  372|      0|		goto out; 
  373|      0|	}
  374|       |
  375|       |   /* compute u1*mG + u2*mQ = mG */
              	/* fallback for math descriptors without ecc_mul2add; this branch was
              	 * not executed in this run, so lines 377-397 carry no coverage */
  376|     45|	if (ltc_mp.ecc_mul2add == NULL) {
  ------------------
  |  Branch (376:6): [True: 0, False: 45]
  ------------------
  377|      0|		if (ltc_mp.ecc_ptmul(u1, mG, mG, m, 0) != CRYPT_OK) { 
  ------------------
  |  Branch (377:7): [True: 0, False: 0]
  ------------------
  378|      0|			goto out; 
  379|      0|		}
  380|      0|		if (ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0) != CRYPT_OK) {
  ------------------
  |  Branch (380:7): [True: 0, False: 0]
  ------------------
  381|      0|			goto out; 
  382|      0|		}
  383|       |
  384|       |		/* find the montgomery mp */
  385|      0|		if (ltc_mp.montgomery_setup(m, &mp) != CRYPT_OK) { 
  ------------------
  |  Branch (385:7): [True: 0, False: 0]
  ------------------
  386|      0|			goto out; 
  387|      0|		}
  388|       |
  389|       |		/* add them */
  390|      0|		if (ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp) != CRYPT_OK) { 
  ------------------
  |  Branch (390:7): [True: 0, False: 0]
  ------------------
  391|      0|			goto out; 
  392|      0|		}
  393|       |
  394|       |		/* reduce */
  395|      0|		if (ltc_mp.ecc_map(mG, m, mp) != CRYPT_OK) { 
  ------------------
  |  Branch (395:7): [True: 0, False: 0]
  ------------------
  396|      0|			goto out; 
  397|      0|		}
  398|     45|	} else {
  399|       |		/* use Shamir's trick to compute u1*mG + u2*mQ using half of the doubles */
  400|     45|		if (ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, m) != CRYPT_OK) { 
  ------------------
  |  Branch (400:7): [True: 0, False: 45]
  ------------------
  401|      0|			goto out; 
  402|      0|		}
  403|     45|	}
  404|       |
  405|       |   /* v = X_x1 mod n */
              	/* mpdiv() with a NULL quotient keeps only the remainder of x mod n */
  406|     45|	if (ltc_mp.mpdiv(mG->x, p, NULL, v) != CRYPT_OK) { 
  ------------------
  |  Branch (406:6): [True: 0, False: 45]
  ------------------
  407|      0|		goto out; 
  408|      0|	}
  409|       |
  410|       |   /* does v == r */
              	/* the only place ret becomes DROPBEAR_SUCCESS; never reached with a
              	 * matching v in this run (True: 0) */
  411|     45|	if (ltc_mp.compare(v, r) == LTC_MP_EQ) {
  ------------------
  |  |   13|     45|#define LTC_MP_EQ    0
  ------------------
  |  Branch (411:6): [True: 0, False: 45]
  ------------------
  412|      0|		ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  413|      0|	}
  414|       |
              	/* common exit: ret is still DROPBEAR_FAILURE unless line 412 ran */
  415|     87|out:
  416|     87|	ltc_ecc_del_point(mG);
  417|     87|	ltc_ecc_del_point(mQ);
  418|     87|	ltc_deinit_multi(r, s, v, w, u1, u2, p, e, m, NULL);
  419|     87|	if (mp != NULL) { 
  ------------------
  |  Branch (419:6): [True: 0, False: 87]
  ------------------
  420|      0|		ltc_mp.montgomery_deinit(mp);
  421|      0|	}
  422|     87|	return ret;
  423|     45|}
ecdsa.c:buf_get_ecdsa_verify_params:
              /* Reads the signature blob from buf: a length field followed by the two
               * mpints r and s. Returns DROPBEAR_SUCCESS only when both mpints parse
               * and together they consume exactly sig_len bytes; DROPBEAR_FAILURE
               * otherwise. Only the tail of the signature line is part of this
               * listing. In this run 36 of 88 calls failed the length check. */
  258|     88|			void *r, void* s) {
  259|     88|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|     88|#define DROPBEAR_FAILURE -1
  ------------------
  260|     88|	unsigned int sig_len;
  261|     88|	unsigned int sig_pos;
  262|       |
  263|     88|	sig_len = buf_getint(buf);
              	/* remember where the blob body starts so the consumed size can be
              	 * compared with the declared sig_len below */
  264|     88|	sig_pos = buf->pos;
  265|     88|	if (buf_getmpint(buf, r) != DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|     88|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (265:6): [True: 1, False: 87]
  ------------------
  266|      1|		goto out;
  267|      1|	}
  268|     87|	if (buf_getmpint(buf, s) != DROPBEAR_SUCCESS) {
  ------------------
  |  |  111|     87|#define DROPBEAR_SUCCESS 0
  ------------------
  |  Branch (268:6): [True: 1, False: 86]
  ------------------
  269|      1|		goto out;
  270|      1|	}
              	/* rejects blobs whose declared length disagrees with the bytes the two
              	 * mpints occupied, in either direction */
  271|     86|	if (buf->pos - sig_pos != sig_len) {
  ------------------
  |  Branch (271:6): [True: 36, False: 50]
  ------------------
  272|     36|		goto out;
  273|     36|	}
  274|     50|	ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|     50|#define DROPBEAR_SUCCESS 0
  ------------------
  275|       |
  276|     87|out:
  277|     87|	return ret;
  278|     50|}

buf_get_ed25519_pub_key:
              /* Reads an Ed25519 public key from buf into key->pub. The key-type
               * string must map to expect_keytype and the key field must be exactly
               * CURVE25519_LEN (32) bytes and fully present in buf. Returns
               * DROPBEAR_SUCCESS or DROPBEAR_FAILURE; key is untouched on failure.
               * Only the tail of the signature line is part of this listing. */
   42|    427|	enum signkey_type expect_keytype) {
   43|       |
   44|       |
   45|    427|	unsigned int len, typelen;
   46|    427|	char *keytype = NULL;
   47|    427|	enum signkey_type buf_keytype;
   48|       |
   49|    427|	TRACE(("enter buf_get_ed25519_pub_key"))
   50|    427|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|    427|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 427]
  |  |  |  Branch (84:93): [Folded, False: 427]
  |  |  ------------------
  ------------------
   51|       |
   52|       |	/* consume and check the key string */
              	/* the name is freed as soon as it has been mapped to a type */
   53|    427|	keytype = buf_getstring(buf, &typelen);
   54|    427|	buf_keytype = signkey_type_from_name(keytype, typelen);
   55|    427|	m_free(keytype);
  ------------------
  |  |   24|    427|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 427]
  |  |  ------------------
  ------------------
   56|    427|	if (buf_keytype != expect_keytype) {
  ------------------
  |  Branch (56:6): [True: 0, False: 427]
  ------------------
   57|      0|		TRACE(("leave buf_get_ed25519_pub_key: mismatch key type"))
   58|      0|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
   59|      0|	}
   60|       |
   61|    427|	len = buf_getint(buf);
              	/* the declared length must be exactly 32 and the buffer must still
              	 * hold that many bytes; both failure causes occurred in this run */
   62|    427|	if (len != CURVE25519_LEN || buf->len - buf->pos < len) {
  ------------------
  |  |   34|    854|#define CURVE25519_LEN 32
  ------------------
  |  Branch (62:6): [True: 41, False: 386]
  |  Branch (62:31): [True: 8, False: 378]
  ------------------
   63|     49|		TRACE(("leave buf_get_ed25519_pub_key: failure"))
   64|     49|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|     49|#define DROPBEAR_FAILURE -1
  ------------------
   65|     49|	}
   66|       |
              	/* m_burn() is applied to key->priv before the public half is stored;
              	 * presumably it wipes any private key left in the struct - confirm
              	 * against m_burn's definition */
   67|    378|	m_burn(key->priv, CURVE25519_LEN);
  ------------------
  |  |   34|    378|#define CURVE25519_LEN 32
  ------------------
   68|    378|	memcpy(key->pub, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN);
  ------------------
  |  |   34|    378|#define CURVE25519_LEN 32
  ------------------
              	memcpy(key->pub, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN);
  ------------------
  |  |   34|    378|#define CURVE25519_LEN 32
  ------------------
   69|    378|	buf_incrpos(buf, CURVE25519_LEN);
  ------------------
  |  |   34|    378|#define CURVE25519_LEN 32
  ------------------
   70|       |
   71|    378|	TRACE(("leave buf_get_ed25519_pub_key: success"))
   72|    378|	return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|    378|#define DROPBEAR_SUCCESS 0
  ------------------
   73|    427|}
buf_get_ed25519_priv_key:
              /* Reads an Ed25519 private key from buf: skips the key-type header, then
               * expects one field of exactly 2*CURVE25519_LEN (64) bytes holding the
               * private half followed by the public half. Returns DROPBEAR_SUCCESS or
               * DROPBEAR_FAILURE. This function ran once in this run and its failure
               * branch was never taken. */
   78|      1|int buf_get_ed25519_priv_key(buffer *buf, dropbear_ed25519_key *key) {
   79|       |
   80|      1|	unsigned int len;
   81|       |
   82|      1|	TRACE(("enter buf_get_ed25519_priv_key"))
   83|      1|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|      1|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 1]
  |  |  |  Branch (84:93): [Folded, False: 1]
  |  |  ------------------
  ------------------
   84|       |
              	/* NOTE(review): the key-type header is skipped by a fixed 4+11 bytes
              	 * and its content is not read or compared here; presumably the caller
              	 * has already identified the key type - confirm */
   85|      1|	buf_incrpos(buf, 4+SSH_SIGNKEY_ED25519_LEN); /* int + "ssh-ed25519" */
  ------------------
  |  |  119|      1|#define SSH_SIGNKEY_ED25519_LEN 11
  ------------------
   86|       |
   87|      1|	len = buf_getint(buf);
              	/* the field must be exactly 64 bytes and fully present in buf */
   88|      1|	if (len != CURVE25519_LEN*2 || buf->len - buf->pos < len) {
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
  |  Branch (88:6): [True: 0, False: 1]
  |  Branch (88:33): [True: 0, False: 1]
  ------------------
   89|      0|		TRACE(("leave buf_get_ed25519_priv_key: failure"))
   90|      0|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
   91|      0|	}
   92|       |
              	/* first 32 bytes are the private half, the next 32 the public half */
   93|      1|	memcpy(key->priv, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN);
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
              	memcpy(key->priv, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN);
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
   94|      1|	buf_incrpos(buf, CURVE25519_LEN);
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
   95|      1|	memcpy(key->pub, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN);
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
              	memcpy(key->pub, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN);
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
   96|      1|	buf_incrpos(buf, CURVE25519_LEN);
  ------------------
  |  |   34|      1|#define CURVE25519_LEN 32
  ------------------
   97|       |
   98|      1|	TRACE(("leave buf_get_ed25519_priv_key: success"))
   99|      1|	return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      1|#define DROPBEAR_SUCCESS 0
  ------------------
  100|      1|}
ed25519_key_free:
              /* Releases an Ed25519 key: applies m_burn() to the private half, then
               * frees the struct. A NULL key is accepted and ignored. m_free() sets
               * only this function's local copy of the pointer to NULL; the caller's
               * pointer is not changed.
               * All 429 calls in this run passed NULL, so the burn-and-free path
               * (lines 111-114) carries no coverage. */
  103|    429|void ed25519_key_free(dropbear_ed25519_key *key) {
  104|       |
  105|    429|	TRACE2(("enter ed25519_key_free"))
  106|       |
  107|    429|	if (key == NULL) {
  ------------------
  |  Branch (107:6): [True: 429, False: 0]
  ------------------
  108|    429|		TRACE2(("leave ed25519_key_free: key == NULL"))
  109|    429|		return;
  110|    429|	}
              	/* key->priv is passed to m_burn() before the memory is handed back to
              	 * the allocator */
  111|      0|	m_burn(key->priv, CURVE25519_LEN);
  ------------------
  |  |   34|      0|#define CURVE25519_LEN 32
  ------------------
  112|      0|	m_free(key);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  113|       |
  114|      0|	TRACE2(("leave ed25519_key_free"))
  115|      0|}
buf_put_ed25519_pub_key:
              /* Serialises an Ed25519 public key into buf as two strings: the key
               * type "ssh-ed25519" and the CURVE25519_LEN (32) bytes of key->pub.
               * key must not be NULL (asserted). key->priv is not read. */
  118|    276|void buf_put_ed25519_pub_key(buffer *buf, const dropbear_ed25519_key *key) {
  119|       |
  120|    276|	TRACE(("enter buf_put_ed25519_pub_key"))
  121|    276|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|    276|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 276]
  |  |  |  Branch (84:93): [Folded, False: 276]
  |  |  ------------------
  ------------------
  122|       |
  123|    276|	buf_putstring(buf, SSH_SIGNKEY_ED25519, SSH_SIGNKEY_ED25519_LEN);
  ------------------
  |  |  118|    276|#define SSH_SIGNKEY_ED25519 "ssh-ed25519"
  ------------------
              	buf_putstring(buf, SSH_SIGNKEY_ED25519, SSH_SIGNKEY_ED25519_LEN);
  ------------------
  |  |  119|    276|#define SSH_SIGNKEY_ED25519_LEN 11
  ------------------
  124|    276|	buf_putstring(buf, key->pub, CURVE25519_LEN);
  ------------------
  |  |   34|    276|#define CURVE25519_LEN 32
  ------------------
  125|       |
  126|    276|	TRACE(("leave buf_put_ed25519_pub_key"))
  127|    276|}
buf_ed25519_verify:
              /* Verifies an Ed25519 signature over data_buf with key->pub. The
               * signature field in buf must be exactly 64 bytes and fully present.
               * Returns DROPBEAR_SUCCESS only when dropbear_ed25519_verify() returns
               * 0, DROPBEAR_FAILURE otherwise. In this run the success branch was
               * never taken (32 signatures reached verification, none was valid). */
  163|     78|int buf_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf) {
  164|       |
  165|     78|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|     78|#define DROPBEAR_FAILURE -1
  ------------------
  166|     78|	unsigned char *s;
  167|     78|	unsigned long slen;
  168|       |
  169|     78|	TRACE(("enter buf_ed25519_verify"))
  170|     78|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|     78|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 78]
  |  |  |  Branch (84:93): [Folded, False: 78]
  |  |  ------------------
  ------------------
  171|       |
  172|     78|	slen = buf_getint(buf);
              	/* wrong declared length or a truncated buffer: fail without touching
              	 * the signature bytes (s stays unassigned on this path and is not used) */
  173|     78|	if (slen != 64 || buf->len - buf->pos < slen) {
  ------------------
  |  Branch (173:6): [True: 38, False: 40]
  |  Branch (173:20): [True: 8, False: 32]
  ------------------
  174|     46|		TRACE(("leave buf_ed25519_verify: bad size"))
  175|     46|		goto out;
  176|     46|	}
              	/* the read position is not advanced past the signature afterwards;
              	 * presumably nothing is parsed from buf after this call - confirm */
  177|     32|	s = buf_getptr(buf, slen);
  178|       |
  179|     32|	if (dropbear_ed25519_verify(data_buf->data, data_buf->len,
  ------------------
  |  Branch (179:6): [True: 0, False: 32]
  ------------------
  180|     32|				    s, slen, key->pub) == 0) {
  181|       |		/* signature is valid */
  182|      0|		TRACE(("leave buf_ed25519_verify: success!"))
  183|      0|		ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  184|      0|	}
  185|       |
  186|     78|out:
  187|     78|	TRACE(("leave buf_ed25519_verify: ret %d", ret))
  188|     78|	return ret;
  189|     32|}

gen_kexdh_param:
              /* Generates a Diffie-Hellman key pair for the negotiated group: loads
               * the prime p, sets g to DH_G_VAL, derives q = (p-1)/2, draws a private
               * value below q and computes pub = g^priv mod p. Returns a newly
               * allocated struct kex_dh_param holding pub and priv; any bignum error
               * calls dropbear_exit(). The local temporaries are cleared before
               * returning. */
   21|  1.09k|struct kex_dh_param *gen_kexdh_param() {
   22|  1.09k|    struct kex_dh_param *param = NULL;
   23|       |
   24|  1.09k|    DEF_MP_INT(dh_p);
  ------------------
  |  |   81|  1.09k|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
   25|  1.09k|    DEF_MP_INT(dh_q);
  ------------------
  |  |   81|  1.09k|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
   26|  1.09k|    DEF_MP_INT(dh_g);
  ------------------
  |  |   81|  1.09k|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
   27|       |
                  /* the trace text still says gen_kexdh_vals, not this function's name */
   28|  1.09k|    TRACE(("enter gen_kexdh_vals"))
   29|       |
   30|  1.09k|    param = m_malloc(sizeof(*param));
   31|  1.09k|    m_mp_init_multi(&param->pub, &param->priv, &dh_g, &dh_p, &dh_q, NULL);
   32|       |
   33|       |    /* read the prime and generator*/
   34|  1.09k|    load_dh_p(&dh_p);
   35|       |    
   36|  1.09k|    mp_set_ul(&dh_g, DH_G_VAL);
   37|       |
   38|       |    /* calculate q = (p-1)/2 */
   39|       |    /* dh_priv is just a temp var here */
                  /* param->priv briefly holds p-1; it is overwritten with the real
                   * private value by gen_random_mpint() below */
   40|  1.09k|    if (mp_sub_d(&dh_p, 1, &param->priv) != MP_OKAY) { 
  ------------------
  |  |  161|  1.09k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (40:9): [True: 0, False: 1.09k]
  ------------------
   41|      0|        dropbear_exit("Diffie-Hellman error");
   42|      0|    }
   43|  1.09k|    if (mp_div_2(&param->priv, &dh_q) != MP_OKAY) {
  ------------------
  |  |  161|  1.09k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (43:9): [True: 0, False: 1.09k]
  ------------------
   44|      0|        dropbear_exit("Diffie-Hellman error");
   45|      0|    }
   46|       |
   47|       |    /* Generate a private portion 0 < dh_priv < dh_q */
   48|  1.09k|    gen_random_mpint(&dh_q, &param->priv);
   49|       |
   50|       |    /* f = g^y mod p */
   51|  1.09k|    if (mp_exptmod(&dh_g, &param->priv, &dh_p, &param->pub) != MP_OKAY) {
  ------------------
  |  |  161|  1.09k|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (51:9): [True: 0, False: 1.09k]
  ------------------
   52|      0|        dropbear_exit("Diffie-Hellman error");
   53|      0|    }
                  /* only the group constants are cleared here; the secret stays in
                   * param->priv until the caller releases param */
   54|  1.09k|    mp_clear_multi(&dh_g, &dh_p, &dh_q, NULL);
   55|  1.09k|    return param;
   56|  1.09k|}
free_kexdh_param:
              /* Releases a DH parameter set: clears the pub and priv bignums, then
               * frees the struct. param is dereferenced without a NULL check. The
               * signature line is not part of this listing.
               * NOTE(review): whether mp_clear_multi() zeroes the private value
               * before freeing it is not visible here - confirm. */
   59|    977|{
   60|    977|    mp_clear_multi(&param->pub, &param->priv, NULL);
   61|       |    m_free(param);
  ------------------
  |  |   24|    977|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 977]
  |  |  ------------------
  ------------------
   62|    977|}
kexdh_comb_key:
              /* Completes the DH exchange: validates the peer's public value
               * dh_pub_them, computes the shared secret ses.dh_K = dh_pub_them^priv
               * mod p, appends K_S, e, f and K to ses.kexhashbuf and finalises the
               * exchange hash. An out-of-range peer value or a bignum error calls
               * dropbear_exit(). Only the tail of the signature line is part of this
               * listing. In this run 7 of 994 peer values were rejected by the range
               * check and only the client branch at line 99 was taken. */
   69|    994|        sign_key *hostkey) {
   70|       |
   71|    994|    DEF_MP_INT(dh_p);
  ------------------
  |  |   81|    994|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
   72|    994|    DEF_MP_INT(dh_p_min1);
  ------------------
  |  |   81|    994|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
   73|    994|    mp_int *dh_e = NULL, *dh_f = NULL;
   74|       |
   75|    994|    m_mp_init_multi(&dh_p, &dh_p_min1, NULL);
   76|    994|    load_dh_p(&dh_p);
   77|       |
   78|    994|    if (mp_sub_d(&dh_p, 1, &dh_p_min1) != MP_OKAY) { 
  ------------------
  |  |  161|    994|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (78:9): [True: 0, False: 994]
  ------------------
   79|      0|        dropbear_exit("Diffie-Hellman error");
   80|      0|    }
   81|       |
   82|       |    /* Check that dh_pub_them (dh_e or dh_f) is in the range [2, p-2] */
                  /* i.e. the peer value must be > 1 and < p-1; this keeps out 1 and p-1,
                   * for which the shared secret would not depend on our private value
                   * in any useful way. The check runs before the value is used in the
                   * exponentiation below. */
   83|    994|    if (mp_cmp(dh_pub_them, &dh_p_min1) != MP_LT 
  ------------------
  |  |  154|  1.98k|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (83:9): [True: 2, False: 992]
  ------------------
   84|    992|            || mp_cmp_d(dh_pub_them, 1) != MP_GT) {
  ------------------
  |  |  156|    992|#define MP_GT         1   /* greater than */
  ------------------
  |  Branch (84:16): [True: 5, False: 987]
  ------------------
   85|      7|        dropbear_exit("Diffie-Hellman error");
   86|      7|    }
   87|       |    
   88|       |    /* K = e^y mod p = f^x mod p */
                  /* the shared secret is stored in the session state (ses.dh_K) */
   89|    987|    m_mp_alloc_init_multi(&ses.dh_K, NULL);
   90|    987|    if (mp_exptmod(dh_pub_them, &param->priv, &dh_p, ses.dh_K) != MP_OKAY) {
  ------------------
  |  |  161|    987|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (90:9): [True: 0, False: 987]
  ------------------
   91|      0|        dropbear_exit("Diffie-Hellman error");
   92|      0|    }
   93|       |
   94|       |    /* clear no longer needed vars */
   95|    987|    mp_clear_multi(&dh_p, &dh_p_min1, NULL);
   96|       |
   97|       |    /* From here on, the code needs to work with the _same_ vars on each side,
   98|       |     * not vice-versaing for client/server */
                  /* e is always the client's value and f the server's, so both sides
                   * feed the hash in the same order */
   99|    987|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|    987|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 987, False: 0]
  |  |  ------------------
  ------------------
  100|    987|        dh_e = &param->pub;
  101|    987|        dh_f = dh_pub_them;
  102|    987|    } else {
  103|      0|        dh_e = dh_pub_them;
  104|      0|        dh_f = &param->pub;
  105|      0|    } 
  106|       |
  107|       |    /* Create the remainder of the hash buffer, to generate the exchange hash */
  108|       |    /* K_S, the host key */
  109|    987|    buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
  110|       |    /* e, exchange value sent by the client */
  111|    987|    buf_putmpint(ses.kexhashbuf, dh_e);
  112|       |    /* f, exchange value sent by the server */
  113|    987|    buf_putmpint(ses.kexhashbuf, dh_f);
  114|       |    /* K, the shared secret */
  115|    987|    buf_putmpint(ses.kexhashbuf, ses.dh_K);
  116|       |
  117|       |    /* calculate the hash H to sign */
  118|    987|    finish_kexhashbuf();
  119|    987|}
kex-dh.c:load_dh_p:
   13|  2.09k|{ /* Load the modulus bytes of the negotiated kex algorithm
      |       |   * (ses.newkeys->algo_kex->dh_p_bytes, dh_p_len bytes long) into dh_p.
      |       |   * The signature line is not shown in this listing. */
   14|  2.09k|    bytes_to_mp(dh_p, ses.newkeys->algo_kex->dh_p_bytes, 
   15|  2.09k|        ses.newkeys->algo_kex->dh_p_len);
   16|  2.09k|}

gen_kexecdh_param:
   11|    633|struct kex_ecdh_param *gen_kexecdh_param() { /*
      |       |     * Allocate a kex_ecdh_param and generate a fresh ECC key pair in
      |       |     * param->key on the negotiated curve (ses.newkeys->algo_kex->details),
      |       |     * drawing randomness through dropbear_ltc_prng.
      |       |     * Exits with dropbear_exit("ECC error") if ecc_make_key_ex() does not
      |       |     * return CRYPT_OK; otherwise returns the new struct.
      |       |     * NOTE(review): presumably released with free_kexecdh_param() - confirm
      |       |     * against the callers. */
   12|    633|    struct kex_ecdh_param *param = m_malloc(sizeof(*param));
   13|    633|    const struct dropbear_ecc_curve *curve = ses.newkeys->algo_kex->details;
   14|    633|    if (ecc_make_key_ex(NULL, dropbear_ltc_prng, 
  ------------------
  |  Branch (14:9): [True: 0, False: 633]
  ------------------
   15|    633|        &param->key, curve->dp) != CRYPT_OK) {
   16|      0|        dropbear_exit("ECC error");
   17|      0|    }
   18|    633|    return param;
   19|    633|}
free_kexecdh_param:
   21|     65|void free_kexecdh_param(struct kex_ecdh_param *param) { /*
      |       |     * Release the ECC key held in param->key, then free the struct itself.
      |       |     * m_free() also sets the local pointer to NULL (see the expansion below);
      |       |     * the caller's own copy of the pointer is left as it was.
      |       |     * NOTE(review): whether ecc_free() wipes the private scalar before
      |       |     * releasing it cannot be seen from here - confirm. */
   22|     65|    ecc_free(&param->key);
   23|     65|    m_free(param);
  ------------------
  |  |   24|     65|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 65]
  |  |  ------------------
  ------------------
   24|       |
   25|     65|}
kexecdh_comb_key:
   27|    101|        sign_key *hostkey) { /*
      |       |     * Complete an ECDH exchange: parse the peer's raw public key from
      |       |     * pub_them, compute the shared secret into ses.dh_K, then append K_S,
      |       |     * Q_C, Q_S and K to ses.kexhashbuf and call finish_kexhashbuf().
      |       |     * The start of the signature is not shown in this listing. */
   28|    101|    const struct dropbear_ecc_curve *curve
   29|    101|        = ses.newkeys->algo_kex->details;
   30|       |    /* public keys from client and server */
   31|    101|    ecc_key *Q_C, *Q_S, *Q_them;
   32|       |
   33|    101|    Q_them = buf_get_ecc_raw_pubkey(pub_them, curve); /* peer-controlled input;
      |       |     * NOTE(review): presumably the on-curve validation of the point happens
      |       |     * inside buf_get_ecc_raw_pubkey() - confirm */
   34|    101|    if (Q_them == NULL) {
  ------------------
  |  Branch (34:9): [True: 33, False: 68]
  ------------------
   35|     33|        dropbear_exit("ECC error");
   36|     33|    }
   37|       |
   38|     68|    ses.dh_K = dropbear_ecc_shared_secret(Q_them, &param->key); /* the result
      |       |     * is not checked for NULL here. NOTE(review): presumably the helper
      |       |     * exits on failure - confirm */
   39|       |
   40|       |    /* Create the remainder of the hash buffer, to generate the exchange hash
   41|       |       See RFC5656 section 4 page 7 */
   42|     68|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|     68|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 65, False: 3]
  |  |  ------------------
  ------------------
   43|     65|        Q_C = &param->key;
   44|     65|        Q_S = Q_them;
   45|     65|    } else {
   46|      3|        Q_C = Q_them;
   47|      3|        Q_S = &param->key;
   48|      3|    } 
   49|       |
   50|       |    /* K_S, the host key */
   51|     68|    buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
   52|       |    /* Q_C, client's ephemeral public key octet string */
   53|     68|    buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_C);
   54|       |    /* Q_S, server's ephemeral public key octet string */
   55|     68|    buf_put_ecc_raw_pubkey_string(ses.kexhashbuf, Q_S);
   56|       |    /* K, the shared secret */
   57|     68|    buf_putmpint(ses.kexhashbuf, ses.dh_K);
   58|       |
   59|     68|    ecc_free(Q_them); /* the parsed peer key is only needed up to this point */
   60|     68|    m_free(Q_them);
  ------------------
  |  |   24|     68|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 68]
  |  |  ------------------
  ------------------
   61|       |
   62|       |    /* calculate the hash H to sign */
   63|     68|    finish_kexhashbuf();
   64|     68|}

gen_kexpqhybrid_param:
   13|  3.43k|struct kex_pqhybrid_param *gen_kexpqhybrid_param() { /*
      |       |     * Allocate the state for a hybrid KEM + curve25519 exchange. A
      |       |     * curve25519 key pair is always generated. On the client a KEM key pair
      |       |     * is generated as well: the KEM public key is written to concat_public,
      |       |     * followed by the curve25519 public key, and the KEM secret is stored in
      |       |     * kem_cli_secret with its read position reset to 0.
      |       |     * NOTE(review): on the server kem_cli_secret and concat_public are never
      |       |     * assigned here, yet free_kexpqhybrid_param() tests kem_cli_secret and
      |       |     * kexpqhybrid_comb_key() asserts concat_public == NULL. That relies on
      |       |     * m_malloc() handing back zeroed memory - confirm. */
   14|  3.43k|    struct kex_pqhybrid_param *param = m_malloc(sizeof(*param));
   15|  3.43k|    const struct dropbear_kem_desc *kem = ses.newkeys->algo_kex->details;
   16|       |
   17|  3.43k|    param->curve25519 = gen_kexcurve25519_param();
   18|       |
   19|  3.43k|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|  3.43k|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 3.43k, False: 0]
  |  |  ------------------
  ------------------
   20|  3.43k|        param->kem_cli_secret = buf_new(kem->secret_len);
   21|  3.43k|        param->concat_public = buf_new(kem->public_len + CURVE25519_LEN);
  ------------------
  |  |  122|  3.43k|#define CURVE25519_LEN 32
  ------------------
   22|  3.43k|        kem->kem_gen( /* writes straight into both buffers; any status the
      |       |         * callback may return is not checked here */
   23|  3.43k|            buf_getwriteptr(param->concat_public, kem->public_len),
   24|  3.43k|            buf_getwriteptr(param->kem_cli_secret, kem->secret_len));
   25|  3.43k|        buf_incrwritepos(param->concat_public, kem->public_len);
   26|  3.43k|        buf_incrwritepos(param->kem_cli_secret, kem->secret_len);
   27|  3.43k|        buf_setpos(param->kem_cli_secret, 0);
   28|       |        /* Append the curve25519 parameter */
   29|  3.43k|        buf_putbytes(param->concat_public, param->curve25519->pub, CURVE25519_LEN);
  ------------------
  |  |  122|  3.43k|#define CURVE25519_LEN 32
  ------------------
   30|  3.43k|    }
   31|       |
   32|  3.43k|    return param;
   33|  3.43k|}
free_kexpqhybrid_param:
   35|  2.37k|void free_kexpqhybrid_param(struct kex_pqhybrid_param *param) { /*
      |       |     * Release everything owned by param: the curve25519 part, the KEM
      |       |     * secret if it is still present (wiped with buf_burn_free), the
      |       |     * concatenated public buffer, and finally the struct itself.
      |       |     * NOTE(review): buf_free() is called on concat_public without a NULL
      |       |     * test, while gen_kexpqhybrid_param() only allocates that buffer on the
      |       |     * client - confirm buf_free() accepts NULL. */
   36|  2.37k|    free_kexcurve25519_param(param->curve25519);
   37|  2.37k|    if (param->kem_cli_secret) {
  ------------------
  |  Branch (37:9): [True: 2.32k, False: 41]
  ------------------
   38|  2.32k|        buf_burn_free(param->kem_cli_secret);
   39|  2.32k|        param->kem_cli_secret = NULL;
   40|  2.32k|    }
   41|  2.37k|    buf_free(param->concat_public);
   42|       |    m_free(param);
  ------------------
  |  |   24|  2.37k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 2.37k]
  |  |  ------------------
  ------------------
   43|  2.37k|}
kexpqhybrid_comb_key:
   46|     48|    buffer *buf_pub, sign_key *hostkey) {
   47|       |    /* Complete a hybrid KEM + curve25519 exchange. The peer's blob buf_pub is
      |       |     * split into a KEM part and a curve25519 public key, both shared values
      |       |     * are derived into k_out, and HASH(k_out) is stored as an SSH string in
      |       |     * ses.dh_K_bytes. K_S, Q_C, Q_S and that string are then appended to
      |       |     * ses.kexhashbuf and finish_kexhashbuf() is called.
      |       |     * The start of the signature is not shown in this listing. */
   48|     48|    const struct dropbear_kem_desc *kem = ses.newkeys->algo_kex->details;
   49|     48|    const struct ltc_hash_descriptor *hash_desc
   50|     48|        = ses.newkeys->algo_kex->hash_desc;
   51|       |
   52|       |    /* Either public key (from client) or ciphertext (from server) */
   53|     48|    unsigned char *remote_pub_kem = NULL;
   54|     48|    buffer *pub_25519 = NULL;
   55|     48|    buffer *k_out = NULL;
   56|     48|    unsigned int remote_len;
   57|     48|    hash_state hs;
   58|     48|    const buffer * Q_C = NULL;
   59|     48|    const buffer * Q_S = NULL;
   60|       |
   61|       |    /* Extract input parts from the remote peer.
      |       |     * NOTE(review): nothing in this function checks that buf_pub holds at
      |       |     * least remote_len + CURVE25519_LEN bytes before reading; presumably
      |       |     * buf_getptr()/buf_incrpos()/buf_getptrcopy() exit on a short buffer -
      |       |     * confirm. */
   62|     48|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|     48|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 48, False: 0]
  |  |  ------------------
  ------------------
   63|       |        /* S_REPLY = S_CT2 || S_PK1 */
   64|     48|        remote_len = kem->ciphertext_len;
   65|     48|    } else {
   66|       |        /* C_INIT = C_PK2 || C_PK1 */
   67|      0|        remote_len = kem->public_len;
   68|      0|    }
   69|     48|    remote_pub_kem = buf_getptr(buf_pub, remote_len);
   70|     48|    buf_incrpos(buf_pub, remote_len);
   71|     48|    pub_25519 = buf_getptrcopy(buf_pub, CURVE25519_LEN);
  ------------------
  |  |  122|     48|#define CURVE25519_LEN 32
  ------------------
   72|     48|    buf_incrpos(buf_pub, CURVE25519_LEN);
  ------------------
  |  |  122|     48|#define CURVE25519_LEN 32
  ------------------
   73|       |    /* Check all is consumed: trailing bytes after the two parts are rejected.
      |       |     * The message says "sntrup" whichever kem descriptor is in use. */
   74|     48|    if (buf_pub->pos != buf_pub->len) {
  ------------------
  |  Branch (74:9): [True: 4, False: 44]
  ------------------
   75|      4|        dropbear_exit("Bad sntrup");
   76|      4|    }
   77|       |
   78|       |    /* k_out = K_PQ || K_CL */
   79|     44|    k_out = buf_new(kem->output_len + CURVE25519_LEN);
  ------------------
  |  |  122|     44|#define CURVE25519_LEN 32
  ------------------
   80|       |
   81|       |    /* Derive pq kem part (K_PQ).
      |       |     * NOTE(review): any status returned by kem_dec()/kem_enc() is ignored
      |       |     * here - confirm they cannot fail or report failure another way. */
   82|     44|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|     44|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 42, False: 2]
  |  |  ------------------
  ------------------
   83|     42|        kem->kem_dec(
   84|     42|            buf_getwriteptr(k_out, kem->output_len),
   85|     42|            remote_pub_kem,
   86|     42|            buf_getptr(param->kem_cli_secret, kem->secret_len));
   87|     42|        buf_burn_free(param->kem_cli_secret); /* the KEM secret is wiped as soon
      |       |         * as decapsulation is done */
   88|     42|        param->kem_cli_secret = NULL;
   89|     42|    } else {
   90|       |        /* Server returns ciphertext */
   91|      2|        assert(param->concat_public == NULL);
  ------------------
  |  Branch (91:9): [True: 0, False: 2]
  |  Branch (91:9): [True: 0, False: 2]
  ------------------
   92|      2|        param->concat_public = buf_new(kem->ciphertext_len + CURVE25519_LEN);
  ------------------
  |  |  122|      0|#define CURVE25519_LEN 32
  ------------------
   93|      0|        kem->kem_enc(
   94|      0|            buf_getwriteptr(param->concat_public, kem->ciphertext_len),
   95|      0|            buf_getwriteptr(k_out, kem->output_len),
   96|      0|            remote_pub_kem);
   97|      0|        buf_incrwritepos(param->concat_public, kem->ciphertext_len);
   98|       |        /* Append the curve25519 parameter */
   99|      0|        buf_putbytes(param->concat_public, param->curve25519->pub, CURVE25519_LEN);
  ------------------
  |  |  122|      0|#define CURVE25519_LEN 32
  ------------------
  100|      0|    }
  101|     44|    buf_incrwritepos(k_out, kem->output_len);
  102|       |
  103|       |    /* Derive ec part (K_CL); kexcurve25519_derive() exits on a wrong-length
      |       |     * key or an all-zero result */
  104|     42|    kexcurve25519_derive(param->curve25519, pub_25519,
  105|     42|        buf_getwriteptr(k_out, CURVE25519_LEN));
  ------------------
  |  |  122|     42|#define CURVE25519_LEN 32
  ------------------
  106|     42|    buf_incrwritepos(k_out, CURVE25519_LEN);
  ------------------
  |  |  122|     42|#define CURVE25519_LEN 32
  ------------------
  107|       |
  108|       |    /* dh_K_bytes = HASH(k_out)
  109|       |       dh_K_bytes is an SSH string with length prefix, since
  110|       |       that is what needs to be hashed in gen_new_keys().
      |       |       The results of init/process/done are not checked below; the hash
      |       |       state is wiped with m_burn() once the digest has been written. */
  111|     42|    ses.dh_K_bytes = buf_new(4 + hash_desc->hashsize);
  112|     42|    buf_putint(ses.dh_K_bytes, hash_desc->hashsize);
  113|     42|    hash_desc->init(&hs);
  114|     42|    hash_desc->process(&hs, k_out->data, k_out->len);
  115|     42|    hash_desc->done(&hs, buf_getwriteptr(ses.dh_K_bytes, hash_desc->hashsize));
  116|     42|    m_burn(&hs, sizeof(hash_state));
  117|     42|    buf_incrwritepos(ses.dh_K_bytes, hash_desc->hashsize);
  118|       |
  119|       |    /* Create the remainder of the hash buffer */
  120|     42|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|     42|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 41, False: 1]
  |  |  ------------------
  ------------------
  121|     41|        Q_C = param->concat_public;
  122|     41|        Q_S = buf_pub;
  123|     41|    } else {
  124|      1|        Q_S = param->concat_public;
  125|      1|        Q_C = buf_pub;
  126|      1|    }
  127|       |
  128|       |    /* K_S, the host key */
  129|     42|    buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
  130|     42|    buf_putbufstring(ses.kexhashbuf, Q_C);
  131|     42|    buf_putbufstring(ses.kexhashbuf, Q_S);
  132|       |    /* K, the shared secret */
  133|     42|    buf_putbytes(ses.kexhashbuf, ses.dh_K_bytes->data, ses.dh_K_bytes->len);
  134|       |
  135|       |    /* calculate the hash H to sign */
  136|     42|    finish_kexhashbuf();
  137|       |    /* k_out holds K_PQ || K_CL, so it is wiped rather than just freed */
  138|     42|    buf_burn_free(k_out);
  139|     42|    buf_free(pub_25519);
  140|     42|}

gen_kexcurve25519_param:
   14|  3.93k|struct kex_curve25519_param *gen_kexcurve25519_param() {
   15|       |    /* Per http://cr.yp.to/ecdh.html
      |       |     * Allocate a kex_curve25519_param, fill priv with CURVE25519_LEN bytes
      |       |     * from genrandom() and compute pub by multiplying the base point with it.
      |       |     * basepoint is {9, 0, ..., 0}: only the first of its 32 bytes is given,
      |       |     * the remaining ones are zero-initialised.
      |       |     * NOTE(review): scalar clamping is presumably done inside
      |       |     * dropbear_curve25519_scalarmult() - confirm. */
   16|  3.93k|    struct kex_curve25519_param *param = m_malloc(sizeof(*param));
   17|  3.93k|    const unsigned char basepoint[32] = {9};
   18|       |
   19|  3.93k|    genrandom(param->priv, CURVE25519_LEN);
  ------------------
  |  |  122|  3.93k|#define CURVE25519_LEN 32
  ------------------
   20|  3.93k|    dropbear_curve25519_scalarmult(param->pub, param->priv, basepoint);
   21|       |
   22|  3.93k|    return param;
   23|  3.93k|}
free_kexcurve25519_param:
   25|  2.61k|void free_kexcurve25519_param(struct kex_curve25519_param *param) { /*
      |       |     * Wipe the private scalar with m_burn() and then free the struct, so the
      |       |     * key bytes are overwritten before the memory is released. m_free() also
      |       |     * sets the local pointer to NULL (see the expansion below). */
   26|  2.61k|    m_burn(param->priv, CURVE25519_LEN);
  ------------------
  |  |  122|  2.61k|#define CURVE25519_LEN 32
  ------------------
   27|       |    m_free(param);
  ------------------
  |  |   24|  2.61k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 2.61k]
  |  |  ------------------
  ------------------
   28|  2.61k|}
kexcurve25519_derive:
   32|    303|    unsigned char *out) { /*
      |       |     * Compute the curve25519 shared value from param->priv and the peer's
      |       |     * public key into out (CURVE25519_LEN bytes are compared below, so out
      |       |     * must be at least that large).
      |       |     * Exits with "Bad curve25519" when the peer's key is not exactly
      |       |     * CURVE25519_LEN bytes long, or when the result is all zero, which is
      |       |     * what a low-order peer point produces. The zero test uses
      |       |     * constant_time_memcmp() because out is secret.
      |       |     * out is left filled on return; wiping it is up to the caller.
      |       |     * The start of the signature is not shown in this listing. */
   33|    303|    char zeroes[CURVE25519_LEN] = {0};
   34|    303|    if (buf_pub_them->len != CURVE25519_LEN)
  ------------------
  |  |  122|    303|#define CURVE25519_LEN 32
  ------------------
  |  Branch (34:9): [True: 15, False: 288]
  ------------------
   35|     15|    {
   36|     15|        dropbear_exit("Bad curve25519");
   37|     15|    }
   38|       |
   39|    288|    dropbear_curve25519_scalarmult(out, param->priv, buf_pub_them->data);
   40|       |
   41|    288|    if (constant_time_memcmp(zeroes, out, CURVE25519_LEN) == 0) {
  ------------------
  |  |  122|    288|#define CURVE25519_LEN 32
  ------------------
  |  Branch (41:9): [True: 2, False: 286]
  ------------------
   42|      2|        dropbear_exit("Bad curve25519");
   43|      2|    }
   44|    288|}
kexcurve25519_comb_key:
   52|    261|    sign_key *hostkey) { /*
      |       |     * Complete a curve25519 exchange: derive the shared value, store it as
      |       |     * an mp_int in ses.dh_K, then append K_S, Q_C, Q_S and K to
      |       |     * ses.kexhashbuf and call finish_kexhashbuf().
      |       |     * The start of the signature is not shown in this listing. */
   53|    261|    unsigned char out[CURVE25519_LEN];
   54|    261|    const unsigned char* Q_C = NULL;
   55|    261|    const unsigned char* Q_S = NULL;
   56|       |
   57|    261|    kexcurve25519_derive(param, buf_pub_them, out); /* exits unless the
      |       |     * peer's key is exactly CURVE25519_LEN bytes, which is what makes the
      |       |     * fixed-length reads of buf_pub_them->data below safe */
   58|       |
   59|    261|    m_mp_alloc_init_multi(&ses.dh_K, NULL);
   60|    261|    bytes_to_mp(ses.dh_K, out, CURVE25519_LEN);
  ------------------
  |  |  122|    261|#define CURVE25519_LEN 32
  ------------------
   61|    261|    m_burn(out, sizeof(out)); /* wipe the stack copy of the shared secret */
   62|       |
   63|       |    /* Create the remainder of the hash buffer, to generate the exchange hash.
   64|       |       See RFC5656 section 4 page 7 */
   65|    261|    if (IS_DROPBEAR_CLIENT) {
  ------------------
  |  |  382|    261|#define IS_DROPBEAR_CLIENT (ses.isserver == 0)
  |  |  ------------------
  |  |  |  Branch (382:28): [True: 245, False: 16]
  |  |  ------------------
  ------------------
   66|    245|        Q_C = param->pub;
   67|    245|        Q_S = buf_pub_them->data;
   68|    245|    } else {
   69|     16|        Q_S = param->pub;
   70|     16|        Q_C = buf_pub_them->data;
   71|     16|    }
   72|       |
   73|       |    /* K_S, the host key */
   74|    261|    buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey);
   75|       |    /* Q_C, client's ephemeral public key octet string */
   76|    261|    buf_putstring(ses.kexhashbuf, (const char*)Q_C, CURVE25519_LEN);
  ------------------
  |  |  122|    261|#define CURVE25519_LEN 32
  ------------------
   77|       |    /* Q_S, server's ephemeral public key octet string */
   78|    261|    buf_putstring(ses.kexhashbuf, (const char*)Q_S, CURVE25519_LEN);
  ------------------
  |  |  122|    261|#define CURVE25519_LEN 32
  ------------------
   79|       |    /* K, the shared secret */
   80|    261|    buf_putmpint(ses.kexhashbuf, ses.dh_K);
   81|       |
   82|       |    /* calculate the hash H to sign */
   83|    261|    finish_kexhashbuf();
   84|    261|}

mlkem768.c:libcrux_ml_kem_mlkem768_portable_generate_key_pair:
11618|     51|libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) {
11619|       |  /* Passing arrays by value in Rust generates a copy in C.
      |       |   * Copies the 64 bytes of randomness into a local array and forwards the
      |       |   * copy to libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_d5,
      |       |   * whose result is returned unchanged. The return type is on a line not
      |       |   * shown in this listing.
      |       |   * NOTE(review): copy_of_randomness is key-generation seed material and
      |       |   * is not wiped before returning. */
11620|     51|  uint8_t copy_of_randomness[64U];
11621|     51|  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
11622|     51|  return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_d5(
11623|     51|      copy_of_randomness);
11624|     51|}
mlkem768.c:libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_d5:
11607|     51|    uint8_t randomness[64U]) {
11608|       |  /* Passing arrays by value in Rust generates a copy in C.
      |       |   * Copies the 64 bytes of randomness once more and forwards the copy to
      |       |   * libcrux_ml_kem_ind_cca_generate_keypair_8c. The start of the signature
      |       |   * is not shown in this listing.
      |       |   * NOTE(review): this second stack copy of the seed is not wiped either. */
11609|     51|  uint8_t copy_of_randomness[64U];
11610|     51|  memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
11611|     51|  return libcrux_ml_kem_ind_cca_generate_keypair_8c(copy_of_randomness);
11612|     51|}
mlkem768.c:libcrux_ml_kem_ind_cca_generate_keypair_8c:
11557|     51|libcrux_ml_kem_ind_cca_generate_keypair_8c(uint8_t randomness[64U]) { /*
      |       |   * Build a key pair from 64 bytes of randomness. The first
      |       |   * LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE bytes seed
      |       |   * libcrux_ml_kem_ind_cpa_generate_keypair_fc; the bytes from that offset
      |       |   * up to 64 become implicit_rejection_value. The 1152-byte IND-CPA
      |       |   * private key, the 1184-byte public key and implicit_rejection_value are
      |       |   * then serialised into the 2400-byte secret key.
      |       |   * NOTE(review): ind_cpa_private_key, secret_key_serialized and
      |       |   * copy_of_secret_key_serialized hold private-key bytes on the stack and
      |       |   * are not wiped in the code shown here. */
11558|     51|  Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|     51|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11559|     51|      randomness, (size_t)0U,
11560|     51|      LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t);
11561|     51|  Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from(
  ------------------
  |  |  117|     51|  EURYDICE_SLICE((t *)x, r, size)
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11562|     51|      (size_t)64U, randomness,
11563|     51|      LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t,
11564|     51|      size_t);
11565|     51|  libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 =
11566|     51|      libcrux_ml_kem_ind_cpa_generate_keypair_fc(ind_cpa_keypair_randomness);
11567|     51|  uint8_t ind_cpa_private_key[1152U];
11568|     51|  memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t));
11569|     51|  uint8_t public_key[1184U];
11570|     51|  memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t));
11571|     51|  uint8_t secret_key_serialized[2400U];
11572|     51|  libcrux_ml_kem_ind_cca_serialize_kem_secret_key_48(
11573|     51|      Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t),
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
11574|     51|      Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t),
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
11575|     51|      implicit_rejection_value, secret_key_serialized);
11576|       |  /* Passing arrays by value in Rust generates a copy in C */
11577|     51|  uint8_t copy_of_secret_key_serialized[2400U];
11578|     51|  memcpy(copy_of_secret_key_serialized, secret_key_serialized,
11579|     51|         (size_t)2400U * sizeof(uint8_t));
11580|     51|  libcrux_ml_kem_types_MlKemPrivateKey_55 private_key =
11581|     51|      libcrux_ml_kem_types_from_05_f2(copy_of_secret_key_serialized);
11582|     51|  libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key;
11583|       |  /* Passing arrays by value in Rust generates a copy in C */
11584|     51|  uint8_t copy_of_public_key[1184U];
11585|     51|  memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
11586|     51|  return libcrux_ml_kem_types_from_17_35(
11587|     51|      uu____2, libcrux_ml_kem_types_from_b6_da(copy_of_public_key));
11588|     51|}
mlkem768.c:libcrux_ml_kem_ind_cpa_generate_keypair_fc:
11418|     51|libcrux_ml_kem_ind_cpa_generate_keypair_fc(Eurydice_slice key_generation_seed) { /*
      |       |   * Generate the IND-CPA key pair from key_generation_seed. The seed is
      |       |   * expanded to 64 bytes by libcrux_ml_kem_variant_cpa_keygen_seed_d8_0e
      |       |   * and split at byte 32 into seed_for_A0 and seed_for_secret_and_error.
      |       |   * seed_for_A0 is padded to 34 bytes and passed to
      |       |   * libcrux_ml_kem_matrix_sample_matrix_A_38; the other half is padded to
      |       |   * 33 bytes and used as PRF input for two calls of
      |       |   * libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc (secret_as_ntt
      |       |   * first, then error_as_ntt starting from the returned domain_separator).
      |       |   * Returns lit with fst = the 1152-byte serialised secret key and
      |       |   * snd = the 1184-byte serialised public key.
      |       |   * NOTE(review): hashed, prf_input and its copies, secret_as_ntt and the
      |       |   * serialised secret-key buffers stay on the stack and are not wiped in
      |       |   * the code shown here. */
11419|     51|  uint8_t hashed[64U];
11420|     51|  libcrux_ml_kem_variant_cpa_keygen_seed_d8_0e(key_generation_seed, hashed);
11421|     51|  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
  ------------------
  |  |  139|     51|  (CLITERAL(ret_t){                                              \
  |  |  ------------------
  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  ------------------
  |  |  140|     51|      .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid),  \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  141|     51|      .snd = EURYDICE_SLICE((element_type *)slice.ptr, mid, slice.len)})
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11422|     51|      Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U,
11423|     51|      uint8_t, Eurydice_slice_uint8_t_x2);
11424|     51|  Eurydice_slice seed_for_A0 = uu____0.fst;
11425|     51|  Eurydice_slice seed_for_secret_and_error = uu____0.snd;
11426|     51|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U];
11427|     51|  uint8_t ret[34U];
11428|     51|  libcrux_ml_kem_utils_into_padded_array_ea1(seed_for_A0, ret);
11429|     51|  libcrux_ml_kem_matrix_sample_matrix_A_38(ret, true, A_transpose);
11430|     51|  uint8_t prf_input[33U];
11431|     51|  libcrux_ml_kem_utils_into_padded_array_ea2(seed_for_secret_and_error,
11432|     51|                                             prf_input);
11433|       |  /* Passing arrays by value in Rust generates a copy in C */
11434|     51|  uint8_t copy_of_prf_input0[33U];
11435|     51|  memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t));
11436|     51|  tuple_b0 uu____2 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(
11437|     51|      copy_of_prf_input0, 0U);
11438|     51|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U];
11439|     51|  memcpy(
11440|     51|      secret_as_ntt, uu____2.fst,
11441|     51|      (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11442|     51|  uint8_t domain_separator = uu____2.snd;
11443|       |  /* Passing arrays by value in Rust generates a copy in C */
11444|     51|  uint8_t copy_of_prf_input[33U];
11445|     51|  memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
11446|     51|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[3U];
11447|     51|  memcpy(
11448|     51|      error_as_ntt,
11449|     51|      libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(copy_of_prf_input,
11450|     51|                                                           domain_separator)
11451|     51|          .fst,
11452|     51|      (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11453|     51|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U];
11454|     51|  libcrux_ml_kem_matrix_compute_As_plus_e_60(A_transpose, secret_as_ntt,
11455|     51|                                             error_as_ntt, t_as_ntt);
11456|     51|  uint8_t seed_for_A[32U];
11457|     51|  Result_00 dst;
11458|     51|  Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]);
  ------------------
  |  |  152|     51|  Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
  |  |  153|     51|                           sizeof(t_arr))
  ------------------
11459|     51|  unwrap_41_83(dst, seed_for_A);
11460|     51|  uint8_t public_key_serialized[1184U];
11461|     51|  libcrux_ml_kem_ind_cpa_serialize_public_key_79(
11462|     51|      t_as_ntt, Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t),
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
11463|     51|      public_key_serialized);
11464|     51|  uint8_t secret_key_serialized[1152U];
11465|     51|  libcrux_ml_kem_ind_cpa_serialize_secret_key_b5(secret_as_ntt,
11466|     51|                                                 secret_key_serialized);
11467|       |  /* Passing arrays by value in Rust generates a copy in C */
11468|     51|  uint8_t copy_of_secret_key_serialized[1152U];
11469|     51|  memcpy(copy_of_secret_key_serialized, secret_key_serialized,
11470|     51|         (size_t)1152U * sizeof(uint8_t));
11471|       |  /* Passing arrays by value in Rust generates a copy in C */
11472|     51|  uint8_t copy_of_public_key_serialized[1184U];
11473|     51|  memcpy(copy_of_public_key_serialized, public_key_serialized,
11474|     51|         (size_t)1184U * sizeof(uint8_t));
11475|     51|  libcrux_ml_kem_utils_extraction_helper_Keypair768 lit;
11476|     51|  memcpy(lit.fst, copy_of_secret_key_serialized,
11477|     51|         (size_t)1152U * sizeof(uint8_t));
11478|     51|  memcpy(lit.snd, copy_of_public_key_serialized,
11479|     51|         (size_t)1184U * sizeof(uint8_t));
11480|     51|  return lit;
11481|     51|}
mlkem768.c:libcrux_ml_kem_variant_cpa_keygen_seed_d8_0e:
11197|     51|    Eurydice_slice key_generation_seed, uint8_t ret[64U]) { /*
      |       |   * Write G(key_generation_seed || 3) into ret. The seed is copied into
      |       |   * the first LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE
      |       |   * (32) bytes of a zero-initialised 33-byte buffer, the last byte is set
      |       |   * to 3, and the buffer is hashed to 64 bytes with
      |       |   * libcrux_ml_kem_hash_functions_portable_G_f1_e4.
      |       |   * Eurydice_slice_copy expands to a memcpy of dst.len bytes, so
      |       |   * key_generation_seed has to provide at least 32 bytes; nothing here
      |       |   * checks its length.
      |       |   * NOTE(review): the appended 3 is presumably the ML-KEM-768 rank used
      |       |   * for domain separation - confirm. seed and ret0 are not wiped.
      |       |   * The start of the signature is not shown in this listing. */
11198|     51|  uint8_t seed[33U] = {0U};
11199|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11200|     51|      Eurydice_array_to_subslice2(
11201|     51|          seed, (size_t)0U,
11202|     51|          LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t),
11203|     51|      key_generation_seed, uint8_t);
11204|     51|  seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] =
  ------------------
  |  |  290|     51|#define LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE ((size_t)32U)
  ------------------
11205|     51|      (uint8_t)(size_t)3U;
11206|     51|  uint8_t ret0[64U];
11207|     51|  libcrux_ml_kem_hash_functions_portable_G_f1_e4(
11208|     51|      Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0);
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
11209|     51|  memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t));
11210|     51|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_G_f1_e4:
 9293|     51|    Eurydice_slice input, uint8_t ret[64U]) { /* Thin wrapper: forwards input
      |       |   * and the 64-byte output array to libcrux_ml_kem_hash_functions_portable_G.
      |       |   * The start of the signature is not shown in this listing. */
 9294|     51|  libcrux_ml_kem_hash_functions_portable_G(input, ret);
 9295|     51|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_G:
 5799|     51|    Eurydice_slice input, uint8_t ret[64U]) { /*
      |       |   * Hash input with libcrux_sha3_portable_sha512 into a zero-initialised
      |       |   * 64-byte local digest and copy the digest to ret.
      |       |   * NOTE(review): digest is a second stack copy of the output and is not
      |       |   * wiped; this matters when the output is secret key-generation material.
      |       |   * The start of the signature is not shown in this listing. */
 5800|     51|  uint8_t digest[64U] = {0U};
 5801|     51|  libcrux_sha3_portable_sha512(
 5802|     51|      Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input);
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
 5803|     51|  memcpy(ret, digest, (size_t)64U * sizeof(uint8_t));
 5804|     51|}
mlkem768.c:libcrux_sha3_portable_sha512:
 2529|     51|                                                         Eurydice_slice data) { /*
      |       |   * Wrap data and digest in one-element slice arrays and hand them to
      |       |   * libcrux_sha3_portable_keccakx1_ce, which writes the result through the
      |       |   * digest slice. The start of the signature is not shown in this listing. */
 2530|     51|  Eurydice_slice buf0[1U] = {data};
 2531|     51|  Eurydice_slice buf[1U] = {digest};
 2532|     51|  libcrux_sha3_portable_keccakx1_ce(buf0, buf);
 2533|     51|}
mlkem768.c:libcrux_sha3_portable_keccakx1_ce:
 2518|     51|    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
 2519|       |  /* Passing arrays by value in Rust generates a copy in C.
      |       |   * Only the one-element array of slice descriptors is copied here, not the
      |       |   * bytes they refer to; the copy and out are then passed to
      |       |   * libcrux_sha3_generic_keccak_keccak_e9. The start of the signature is
      |       |   * not shown in this listing. */
 2520|     51|  Eurydice_slice copy_of_data[1U];
 2521|     51|  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2522|     51|  libcrux_sha3_generic_keccak_keccak_e9(copy_of_data, out);
 2523|     51|}
mlkem768.c:libcrux_sha3_generic_keccak_keccak_e9:
 2447|     51|    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
 2448|     51|  libcrux_sha3_generic_keccak_KeccakState_48 s =
 2449|     51|      libcrux_sha3_generic_keccak_new_1e_f4();
 2450|     51|  for (size_t i = (size_t)0U;
 2451|     51|       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)72U; i++) {
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (2451:8): [True: 0, False: 51]
  ------------------
 2452|      0|    size_t i0 = i;
 2453|      0|    libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
 2454|       |    /* Passing arrays by value in Rust generates a copy in C */
 2455|      0|    Eurydice_slice copy_of_data[1U];
 2456|      0|    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2457|      0|    Eurydice_slice ret[1U];
 2458|      0|    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)72U,
 2459|      0|                                            (size_t)72U, ret);
 2460|      0|    libcrux_sha3_generic_keccak_absorb_block_df(uu____0, ret);
 2461|      0|  }
 2462|     51|  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)72U;
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2463|     51|  libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
 2464|       |  /* Passing arrays by value in Rust generates a copy in C */
 2465|     51|  Eurydice_slice copy_of_data[1U];
 2466|     51|  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2467|     51|  Eurydice_slice ret[1U];
 2468|     51|  libcrux_sha3_portable_keccak_slice_n_5a(
 2469|     51|      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2470|     51|  libcrux_sha3_generic_keccak_absorb_final_c7(uu____2, ret);
 2471|     51|  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2472|     51|  size_t blocks = outlen / (size_t)72U;
 2473|     51|  size_t last = outlen - outlen % (size_t)72U;
 2474|     51|  if (blocks == (size_t)0U) {
  ------------------
  |  Branch (2474:7): [True: 51, False: 0]
  ------------------
 2475|     51|    libcrux_sha3_generic_keccak_squeeze_first_and_last_c5(&s, out);
 2476|     51|  } else {
 2477|      0|    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
 2478|      0|        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)72U);
 2479|      0|    Eurydice_slice o0[1U];
 2480|      0|    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
 2481|      0|    Eurydice_slice o1[1U];
 2482|      0|    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
 2483|      0|    libcrux_sha3_generic_keccak_squeeze_first_block_84(&s, o0);
 2484|      0|    core_ops_range_Range_b3 iter =
 2485|      0|        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
  ------------------
  |  |  208|      0|  Eurydice_into_iter
  |  |  ------------------
  |  |  |  |  206|      0|#define Eurydice_into_iter(x, t, _ret_t) (x)
  |  |  ------------------
  ------------------
 2486|      0|            (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
 2487|      0|                                               .end = blocks}),
 2488|      0|            core_ops_range_Range_b3, core_ops_range_Range_b3);
 2489|      0|    while (true) {
  ------------------
  |  Branch (2489:12): [True: 0, Folded]
  ------------------
 2490|      0|      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
  ------------------
  |  |  203|      0|  Eurydice_range_iter_next
  |  |  ------------------
  |  |  |  |  198|      0|  (((iter_ptr)->start == (iter_ptr)->end)            \
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (198:4): [True: 0, False: 0]
  |  |  |  |  ------------------
  |  |  |  |  199|      0|       ? (CLITERAL(ret_t){.tag = None})              \
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|      0|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  |  |                      ? (CLITERAL(ret_t){.tag = None})              \
  |  |  |  |  ------------------
  |  |  |  |  |  |  251|      0|#define None 0
  |  |  |  |  ------------------
  |  |  |  |  200|      0|       : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|      0|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  |  |                      : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
  |  |  |  |  ------------------
  |  |  |  |  |  |  252|      0|#define Some 1
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (2490:11): [True: 0, False: 0]
  ------------------
 2491|      0|              &iter, size_t, Option_b3)
 2492|      0|              .tag == None) {
  ------------------
  |  |  251|      0|#define None 0
  ------------------
 2493|      0|        break;
 2494|      0|      } else {
 2495|      0|        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
 2496|      0|            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)72U);
 2497|      0|        Eurydice_slice o[1U];
 2498|      0|        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
 2499|      0|        Eurydice_slice orest[1U];
 2500|      0|        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
 2501|      0|        libcrux_sha3_generic_keccak_squeeze_next_block_fc(&s, o);
 2502|      0|        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
 2503|      0|      }
 2504|      0|    }
 2505|      0|    if (last < outlen) {
  ------------------
  |  Branch (2505:9): [True: 0, False: 0]
  ------------------
 2506|      0|      libcrux_sha3_generic_keccak_squeeze_last_cf(s, o1);
 2507|      0|    }
 2508|      0|  }
 2509|     51|}
mlkem768.c:libcrux_sha3_generic_keccak_new_1e_f4:
 1068|    867|libcrux_sha3_generic_keccak_new_1e_f4(void) {
 1069|    867|  libcrux_sha3_generic_keccak_KeccakState_48 lit;
 1070|    867|  lit.st[0U][0U] = libcrux_sha3_portable_keccak_zero_5a();
 1071|    867|  lit.st[0U][1U] = libcrux_sha3_portable_keccak_zero_5a();
 1072|    867|  lit.st[0U][2U] = libcrux_sha3_portable_keccak_zero_5a();
 1073|    867|  lit.st[0U][3U] = libcrux_sha3_portable_keccak_zero_5a();
 1074|    867|  lit.st[0U][4U] = libcrux_sha3_portable_keccak_zero_5a();
 1075|    867|  lit.st[1U][0U] = libcrux_sha3_portable_keccak_zero_5a();
 1076|    867|  lit.st[1U][1U] = libcrux_sha3_portable_keccak_zero_5a();
 1077|    867|  lit.st[1U][2U] = libcrux_sha3_portable_keccak_zero_5a();
 1078|    867|  lit.st[1U][3U] = libcrux_sha3_portable_keccak_zero_5a();
 1079|    867|  lit.st[1U][4U] = libcrux_sha3_portable_keccak_zero_5a();
 1080|    867|  lit.st[2U][0U] = libcrux_sha3_portable_keccak_zero_5a();
 1081|    867|  lit.st[2U][1U] = libcrux_sha3_portable_keccak_zero_5a();
 1082|    867|  lit.st[2U][2U] = libcrux_sha3_portable_keccak_zero_5a();
 1083|    867|  lit.st[2U][3U] = libcrux_sha3_portable_keccak_zero_5a();
 1084|    867|  lit.st[2U][4U] = libcrux_sha3_portable_keccak_zero_5a();
 1085|    867|  lit.st[3U][0U] = libcrux_sha3_portable_keccak_zero_5a();
 1086|    867|  lit.st[3U][1U] = libcrux_sha3_portable_keccak_zero_5a();
 1087|    867|  lit.st[3U][2U] = libcrux_sha3_portable_keccak_zero_5a();
 1088|    867|  lit.st[3U][3U] = libcrux_sha3_portable_keccak_zero_5a();
 1089|    867|  lit.st[3U][4U] = libcrux_sha3_portable_keccak_zero_5a();
 1090|    867|  lit.st[4U][0U] = libcrux_sha3_portable_keccak_zero_5a();
 1091|    867|  lit.st[4U][1U] = libcrux_sha3_portable_keccak_zero_5a();
 1092|    867|  lit.st[4U][2U] = libcrux_sha3_portable_keccak_zero_5a();
 1093|    867|  lit.st[4U][3U] = libcrux_sha3_portable_keccak_zero_5a();
 1094|    867|  lit.st[4U][4U] = libcrux_sha3_portable_keccak_zero_5a();
 1095|    867|  return lit;
 1096|    867|}
mlkem768.c:libcrux_sha3_portable_keccak_zero_5a:
  /* Returns the all-zero 64-bit lane value.
   * In this listing libcrux_sha3_generic_keccak_new_1e_f4 calls it once per
   * st[i][j] entry to build a zeroed Keccak state. */
  918|  21.6k|static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_zero_5a(void) {
  919|  21.6k|  return 0ULL;
  920|  21.6k|}
mlkem768.c:libcrux_sha3_portable_keccak_slice_n_5a:
 1012|    816|    Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) {
 1013|       |  /* Passing arrays by value in Rust generates a copy in C */
 1014|    816|  Eurydice_slice copy_of_a[1U];
 1015|    816|  memcpy(copy_of_a, a, (size_t)1U * sizeof(Eurydice_slice));
 1016|    816|  Eurydice_slice ret0[1U];
 1017|    816|  libcrux_sha3_portable_keccak_slice_1(copy_of_a, start, len, ret0);
 1018|    816|  memcpy(ret, ret0, (size_t)1U * sizeof(Eurydice_slice));
 1019|    816|}
mlkem768.c:libcrux_sha3_portable_keccak_slice_1:
 1003|    816|    Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) {
 1004|    816|  ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
  ------------------
  |  |  101|    816|  EURYDICE_SLICE((t *)s.ptr, start, end)
  |  |  ------------------
  |  |  |  |   88|    816|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    816|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 1005|    816|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_2c:
 1104|     51|    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
 1105|    510|  for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
  ------------------
  |  Branch (1105:31): [True: 459, False: 51]
  ------------------
 1106|    459|    size_t i0 = i;
 1107|    459|    uint8_t uu____0[8U];
 1108|    459|    Result_56 dst;
 1109|    459|    Eurydice_slice_to_array2(
  ------------------
  |  |  152|    459|  Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
  |  |  153|    459|                           sizeof(t_arr))
  ------------------
 1110|    459|        &dst,
 1111|    459|        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
 1112|    459|                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
 1113|    459|        Eurydice_slice, uint8_t[8U]);
 1114|    459|    unwrap_41_ac(dst, uu____0);
 1115|    459|    size_t uu____1 = i0 / (size_t)5U;
 1116|    459|    size_t uu____2 = i0 % (size_t)5U;
 1117|    459|    s[uu____1][uu____2] =
 1118|    459|        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
 1119|    459|  }
 1120|     51|}
mlkem768.c:unwrap_41_ac:
  /* Copies the 8-byte payload of an Ok result into ret.
   *
   * self: Result_56 passed by value; self.tag selects the case.
   * ret:  caller buffer of at least 8 bytes; written only when tag == Ok.
   *
   * For any other tag the function prints a "KaRaMeL abort" diagnostic and
   * invokes KRML_HOST_EXIT(255U). Per the macro expansion shown below, this
   * build defines KRML_HOST_EXIT(x) as dropbear_exit("mlkem"), so the 255U
   * argument is discarded. ret is not written on that path.
   * NOTE(review): the caller in libcrux_sha3_portable_keccak_load_block_2c
   * passes an uninitialised array and reads it right after this call, so
   * correctness relies on dropbear_exit() not returning -- confirm that also
   * holds in the fuzzing build.
   * NOTE(review): this report records a zero count for the else branch, i.e.
   * the abort path is not exercised by the recorded runs. */
  727|  23.1k|static inline void unwrap_41_ac(Result_56 self, uint8_t ret[8U]) {
  728|  23.1k|  if (self.tag == Ok) {
  ------------------
  |  |  246|  23.1k|#define Ok 0
  ------------------
  |  Branch (728:7): [True: 23.1k, False: 0]
  ------------------
  /* Two-step copy via f0: payload -> local array -> caller buffer. */
  729|  23.1k|    uint8_t f0[8U];
  730|  23.1k|    memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(uint8_t));
  731|  23.1k|    memcpy(ret, f0, (size_t)8U * sizeof(uint8_t));
  732|  23.1k|  } else {
  733|      0|    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
  734|      0|                      "unwrap not Ok");
  735|      0|    KRML_HOST_EXIT(255U);
  ------------------
  |  |   35|      0|#define KRML_HOST_EXIT(x) dropbear_exit("mlkem")
  ------------------
  736|      0|  }
  737|  23.1k|}
mlkem768.c:core_num__u64_9__from_le_bytes:
  /* Decodes the 8 bytes at buf as a little-endian uint64_t.
   *
   * buf: must point to at least 8 readable bytes; no length is checked here.
   * Returns the value converted to host byte order by le64toh().
   *
   * The bytes are moved with memcpy rather than read through a cast pointer,
   * so buf does not need to be 8-byte aligned. */
  167|  23.1k|static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
  168|  23.1k|  uint64_t v;
  169|  23.1k|  memcpy(&v, buf, sizeof(v));
  170|       |  return le64toh(v);
  171|  23.1k|}
mlkem768.c:libcrux_sha3_generic_keccak_keccakf1600_21:
 2209|  2.29k|    libcrux_sha3_generic_keccak_KeccakState_48 *s) {
 2210|  57.4k|  for (size_t i = (size_t)0U; i < (size_t)24U; i++) {
  ------------------
  |  Branch (2210:31): [True: 55.1k, False: 2.29k]
  ------------------
 2211|  55.1k|    size_t i0 = i;
 2212|  55.1k|    libcrux_sha3_generic_keccak_theta_rho_16(s);
 2213|  55.1k|    libcrux_sha3_generic_keccak_pi_1d(s);
 2214|  55.1k|    libcrux_sha3_generic_keccak_chi_12(s);
 2215|  55.1k|    libcrux_sha3_generic_keccak_iota_62(s, i0);
 2216|  55.1k|  }
 2217|  2.29k|}
mlkem768.c:libcrux_sha3_generic_keccak_theta_rho_16:
 2048|  55.1k|    libcrux_sha3_generic_keccak_KeccakState_48 *s) {
 2049|  55.1k|  uint64_t c[5U] = {
 2050|  55.1k|      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][0U], s->st[1U][0U],
 2051|  55.1k|                                           s->st[2U][0U], s->st[3U][0U],
 2052|  55.1k|                                           s->st[4U][0U]),
 2053|  55.1k|      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][1U], s->st[1U][1U],
 2054|  55.1k|                                           s->st[2U][1U], s->st[3U][1U],
 2055|  55.1k|                                           s->st[4U][1U]),
 2056|  55.1k|      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][2U], s->st[1U][2U],
 2057|  55.1k|                                           s->st[2U][2U], s->st[3U][2U],
 2058|  55.1k|                                           s->st[4U][2U]),
 2059|  55.1k|      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][3U], s->st[1U][3U],
 2060|  55.1k|                                           s->st[2U][3U], s->st[3U][3U],
 2061|  55.1k|                                           s->st[4U][3U]),
 2062|  55.1k|      libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][4U], s->st[1U][4U],
 2063|  55.1k|                                           s->st[2U][4U], s->st[3U][4U],
 2064|  55.1k|                                           s->st[4U][4U])};
 2065|  55.1k|  uint64_t uu____0 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
 2066|  55.1k|      c[((size_t)0U + (size_t)4U) % (size_t)5U],
 2067|  55.1k|      c[((size_t)0U + (size_t)1U) % (size_t)5U]);
 2068|  55.1k|  uint64_t uu____1 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
 2069|  55.1k|      c[((size_t)1U + (size_t)4U) % (size_t)5U],
 2070|  55.1k|      c[((size_t)1U + (size_t)1U) % (size_t)5U]);
 2071|  55.1k|  uint64_t uu____2 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
 2072|  55.1k|      c[((size_t)2U + (size_t)4U) % (size_t)5U],
 2073|  55.1k|      c[((size_t)2U + (size_t)1U) % (size_t)5U]);
 2074|  55.1k|  uint64_t uu____3 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
 2075|  55.1k|      c[((size_t)3U + (size_t)4U) % (size_t)5U],
 2076|  55.1k|      c[((size_t)3U + (size_t)1U) % (size_t)5U]);
 2077|  55.1k|  uint64_t t[5U] = {uu____0, uu____1, uu____2, uu____3,
 2078|  55.1k|                    libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
 2079|  55.1k|                        c[((size_t)4U + (size_t)4U) % (size_t)5U],
 2080|  55.1k|                        c[((size_t)4U + (size_t)1U) % (size_t)5U])};
 2081|  55.1k|  s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_5a(s->st[0U][0U], t[0U]);
 2082|  55.1k|  s->st[1U][0U] =
 2083|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(s->st[1U][0U], t[0U]);
 2084|  55.1k|  s->st[2U][0U] =
 2085|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb0(s->st[2U][0U], t[0U]);
 2086|  55.1k|  s->st[3U][0U] =
 2087|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb1(s->st[3U][0U], t[0U]);
 2088|  55.1k|  s->st[4U][0U] =
 2089|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb2(s->st[4U][0U], t[0U]);
 2090|  55.1k|  s->st[0U][1U] =
 2091|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb3(s->st[0U][1U], t[1U]);
 2092|  55.1k|  s->st[1U][1U] =
 2093|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb4(s->st[1U][1U], t[1U]);
 2094|  55.1k|  s->st[2U][1U] =
 2095|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb5(s->st[2U][1U], t[1U]);
 2096|  55.1k|  s->st[3U][1U] =
 2097|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb6(s->st[3U][1U], t[1U]);
 2098|  55.1k|  s->st[4U][1U] =
 2099|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb7(s->st[4U][1U], t[1U]);
 2100|  55.1k|  s->st[0U][2U] =
 2101|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb8(s->st[0U][2U], t[2U]);
 2102|  55.1k|  s->st[1U][2U] =
 2103|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb9(s->st[1U][2U], t[2U]);
 2104|  55.1k|  s->st[2U][2U] =
 2105|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb10(s->st[2U][2U], t[2U]);
 2106|  55.1k|  s->st[3U][2U] =
 2107|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb11(s->st[3U][2U], t[2U]);
 2108|  55.1k|  s->st[4U][2U] =
 2109|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb12(s->st[4U][2U], t[2U]);
 2110|  55.1k|  s->st[0U][3U] =
 2111|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb13(s->st[0U][3U], t[3U]);
 2112|  55.1k|  s->st[1U][3U] =
 2113|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb14(s->st[1U][3U], t[3U]);
 2114|  55.1k|  s->st[2U][3U] =
 2115|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb15(s->st[2U][3U], t[3U]);
 2116|  55.1k|  s->st[3U][3U] =
 2117|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb16(s->st[3U][3U], t[3U]);
 2118|  55.1k|  s->st[4U][3U] =
 2119|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb17(s->st[4U][3U], t[3U]);
 2120|  55.1k|  s->st[0U][4U] =
 2121|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb18(s->st[0U][4U], t[4U]);
 2122|  55.1k|  s->st[1U][4U] =
 2123|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb19(s->st[1U][4U], t[4U]);
 2124|  55.1k|  s->st[2U][4U] =
 2125|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb20(s->st[2U][4U], t[4U]);
 2126|  55.1k|  s->st[3U][4U] =
 2127|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb21(s->st[3U][4U], t[4U]);
 2128|  55.1k|  uint64_t uu____27 =
 2129|  55.1k|      libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb22(s->st[4U][4U], t[4U]);
 2130|  55.1k|  s->st[4U][4U] = uu____27;
 2131|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor5_5a:
  935|   275k|    uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) {
  936|   275k|  return libcrux_sha3_portable_keccak__veor5q_u64(a, b, c, d, e);
  937|   275k|}
mlkem768.c:libcrux_sha3_portable_keccak__veor5q_u64:
  923|   275k|    uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) {
  924|   275k|  uint64_t ab = a ^ b;
  925|   275k|  uint64_t cd = c ^ d;
  926|   275k|  uint64_t abcd = ab ^ cd;
  927|   275k|  return abcd ^ e;
  928|   275k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a:
  961|   275k|libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(uint64_t a, uint64_t b) {
  962|   275k|  return libcrux_sha3_portable_keccak__vrax1q_u64(a, b);
  963|   275k|}
mlkem768.c:libcrux_sha3_portable_keccak__vrax1q_u64:
  951|   275k|libcrux_sha3_portable_keccak__vrax1q_u64(uint64_t a, uint64_t b) {
  952|   275k|  uint64_t uu____0 = a;
  953|   275k|  return uu____0 ^ libcrux_sha3_portable_keccak_rotate_left_cb(b);
  954|   275k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb:
  946|   330k|libcrux_sha3_portable_keccak_rotate_left_cb(uint64_t x) {
  947|   330k|  return x << (uint32_t)(int32_t)1 | x >> (uint32_t)(int32_t)63;
  948|   330k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_5a:
  998|  55.1k|libcrux_sha3_portable_keccak_xor_5a(uint64_t a, uint64_t b) {
  999|  55.1k|  return a ^ b;
 1000|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb:
 1174|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(uint64_t a, uint64_t b) {
 1175|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_42(a, b);
 1176|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_42:
 1158|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_42(uint64_t a, uint64_t b) {
 1159|  55.1k|  uint64_t ab = a ^ b;
 1160|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb0(ab);
 1161|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb0:
 1147|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb0(uint64_t x) {
 1148|  55.1k|  return x << (uint32_t)(int32_t)36 | x >> (uint32_t)(int32_t)28;
 1149|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb0:
 1212|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb0(uint64_t a, uint64_t b) {
 1213|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_420(a, b);
 1214|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_420:
 1196|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_420(uint64_t a, uint64_t b) {
 1197|  55.1k|  uint64_t ab = a ^ b;
 1198|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb1(ab);
 1199|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb1:
 1185|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb1(uint64_t x) {
 1186|  55.1k|  return x << (uint32_t)(int32_t)3 | x >> (uint32_t)(int32_t)61;
 1187|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb1:
 1250|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb1(uint64_t a, uint64_t b) {
 1251|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_421(a, b);
 1252|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_421:
 1234|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_421(uint64_t a, uint64_t b) {
 1235|  55.1k|  uint64_t ab = a ^ b;
 1236|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb2(ab);
 1237|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb2:
 1223|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb2(uint64_t x) {
 1224|  55.1k|  return x << (uint32_t)(int32_t)41 | x >> (uint32_t)(int32_t)23;
 1225|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb2:
 1288|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb2(uint64_t a, uint64_t b) {
 1289|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_422(a, b);
 1290|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_422:
 1272|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_422(uint64_t a, uint64_t b) {
 1273|  55.1k|  uint64_t ab = a ^ b;
 1274|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb3(ab);
 1275|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb3:
 1261|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb3(uint64_t x) {
 1262|  55.1k|  return x << (uint32_t)(int32_t)18 | x >> (uint32_t)(int32_t)46;
 1263|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb3:
 1315|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb3(uint64_t a, uint64_t b) {
 1316|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_423(a, b);
 1317|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_423:
 1299|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_423(uint64_t a, uint64_t b) {
 1300|  55.1k|  uint64_t ab = a ^ b;
 1301|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb(ab);
 1302|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb4:
 1353|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb4(uint64_t a, uint64_t b) {
 1354|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_424(a, b);
 1355|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_424:
 1337|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_424(uint64_t a, uint64_t b) {
 1338|  55.1k|  uint64_t ab = a ^ b;
 1339|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb4(ab);
 1340|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb4:
 1326|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb4(uint64_t x) {
 1327|  55.1k|  return x << (uint32_t)(int32_t)44 | x >> (uint32_t)(int32_t)20;
 1328|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb5:
 1391|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb5(uint64_t a, uint64_t b) {
 1392|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_425(a, b);
 1393|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_425:
 1375|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_425(uint64_t a, uint64_t b) {
 1376|  55.1k|  uint64_t ab = a ^ b;
 1377|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb5(ab);
 1378|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb5:
 1364|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb5(uint64_t x) {
 1365|  55.1k|  return x << (uint32_t)(int32_t)10 | x >> (uint32_t)(int32_t)54;
 1366|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb6:
 1429|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb6(uint64_t a, uint64_t b) {
 1430|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_426(a, b);
 1431|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_426:
 1413|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_426(uint64_t a, uint64_t b) {
 1414|  55.1k|  uint64_t ab = a ^ b;
 1415|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb6(ab);
 1416|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb6:
 1402|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb6(uint64_t x) {
 1403|  55.1k|  return x << (uint32_t)(int32_t)45 | x >> (uint32_t)(int32_t)19;
 1404|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb7:
 1467|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb7(uint64_t a, uint64_t b) {
 1468|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_427(a, b);
 1469|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_427:
 1451|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_427(uint64_t a, uint64_t b) {
 1452|  55.1k|  uint64_t ab = a ^ b;
 1453|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb7(ab);
 1454|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb7:
 1440|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb7(uint64_t x) {
 1441|  55.1k|  return x << (uint32_t)(int32_t)2 | x >> (uint32_t)(int32_t)62;
 1442|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb8:
 1505|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb8(uint64_t a, uint64_t b) {
 1506|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_428(a, b);
 1507|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_428:
 1489|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_428(uint64_t a, uint64_t b) {
 1490|  55.1k|  uint64_t ab = a ^ b;
 1491|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb8(ab);
 1492|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb8:
 1478|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb8(uint64_t x) {
 1479|  55.1k|  return x << (uint32_t)(int32_t)62 | x >> (uint32_t)(int32_t)2;
 1480|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb9:
 1543|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb9(uint64_t a, uint64_t b) {
 1544|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_429(a, b);
 1545|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_429:
 1527|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_429(uint64_t a, uint64_t b) {
 1528|  55.1k|  uint64_t ab = a ^ b;
 1529|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb9(ab);
 1530|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb9:
 1516|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb9(uint64_t x) {
 1517|  55.1k|  return x << (uint32_t)(int32_t)6 | x >> (uint32_t)(int32_t)58;
 1518|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb10:
 1581|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb10(uint64_t a, uint64_t b) {
 1582|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4210(a, b);
 1583|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4210:
 1565|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4210(uint64_t a, uint64_t b) {
 1566|  55.1k|  uint64_t ab = a ^ b;
 1567|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb10(ab);
 1568|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb10:
 1554|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb10(uint64_t x) {
 1555|  55.1k|  return x << (uint32_t)(int32_t)43 | x >> (uint32_t)(int32_t)21;
 1556|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb11:
 1619|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb11(uint64_t a, uint64_t b) {
 1620|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4211(a, b);
 1621|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4211:
 1603|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4211(uint64_t a, uint64_t b) {
 1604|  55.1k|  uint64_t ab = a ^ b;
 1605|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb11(ab);
 1606|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb11:
 1592|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb11(uint64_t x) {
 1593|  55.1k|  return x << (uint32_t)(int32_t)15 | x >> (uint32_t)(int32_t)49;
 1594|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb12:
 1657|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb12(uint64_t a, uint64_t b) {
 1658|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4212(a, b);
 1659|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4212:
 1641|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4212(uint64_t a, uint64_t b) {
 1642|  55.1k|  uint64_t ab = a ^ b;
 1643|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb12(ab);
 1644|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb12:
 1630|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb12(uint64_t x) {
 1631|  55.1k|  return x << (uint32_t)(int32_t)61 | x >> (uint32_t)(int32_t)3;
 1632|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb13:
 1695|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb13(uint64_t a, uint64_t b) {
 1696|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4213(a, b);
 1697|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4213:
 1679|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4213(uint64_t a, uint64_t b) {
 1680|  55.1k|  uint64_t ab = a ^ b;
 1681|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb13(ab);
 1682|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb13:
 1668|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb13(uint64_t x) {
 1669|  55.1k|  return x << (uint32_t)(int32_t)28 | x >> (uint32_t)(int32_t)36;
 1670|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb14:
 1733|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb14(uint64_t a, uint64_t b) {
 1734|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4214(a, b);
 1735|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4214:
 1717|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4214(uint64_t a, uint64_t b) {
 1718|  55.1k|  uint64_t ab = a ^ b;
 1719|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb14(ab);
 1720|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb14:
 1706|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb14(uint64_t x) {
 1707|  55.1k|  return x << (uint32_t)(int32_t)55 | x >> (uint32_t)(int32_t)9;
 1708|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb15:
 1771|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb15(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4215. */
 1772|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4215(a, b);
 1773|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4215:
 1755|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4215(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb15. */
 1756|  55.1k|  uint64_t ab = a ^ b;
 1757|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb15(ab);
 1758|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb15:
 1744|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb15(uint64_t x) {
     |       |  /* Rotates x left by 25 bits (25 + 39 = 64; both shift counts are in range). */
 1745|  55.1k|  return x << (uint32_t)(int32_t)25 | x >> (uint32_t)(int32_t)39;
 1746|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb16:
 1809|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb16(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4216. */
 1810|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4216(a, b);
 1811|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4216:
 1793|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4216(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb16. */
 1794|  55.1k|  uint64_t ab = a ^ b;
 1795|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb16(ab);
 1796|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb16:
 1782|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb16(uint64_t x) {
     |       |  /* Rotates x left by 21 bits (21 + 43 = 64; both shift counts are in range). */
 1783|  55.1k|  return x << (uint32_t)(int32_t)21 | x >> (uint32_t)(int32_t)43;
 1784|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb17:
 1847|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb17(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4217. */
 1848|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4217(a, b);
 1849|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4217:
 1831|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4217(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb17. */
 1832|  55.1k|  uint64_t ab = a ^ b;
 1833|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb17(ab);
 1834|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb17:
 1820|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb17(uint64_t x) {
     |       |  /* Rotates x left by 56 bits (56 + 8 = 64; both shift counts are in range). */
 1821|  55.1k|  return x << (uint32_t)(int32_t)56 | x >> (uint32_t)(int32_t)8;
 1822|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb18:
 1885|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb18(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4218. */
 1886|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4218(a, b);
 1887|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4218:
 1869|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4218(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb18. */
 1870|  55.1k|  uint64_t ab = a ^ b;
 1871|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb18(ab);
 1872|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb18:
 1858|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb18(uint64_t x) {
     |       |  /* Rotates x left by 27 bits (27 + 37 = 64; both shift counts are in range). */
 1859|  55.1k|  return x << (uint32_t)(int32_t)27 | x >> (uint32_t)(int32_t)37;
 1860|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb19:
 1923|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb19(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4219. */
 1924|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4219(a, b);
 1925|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4219:
 1907|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4219(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb19. */
 1908|  55.1k|  uint64_t ab = a ^ b;
 1909|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb19(ab);
 1910|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb19:
 1896|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb19(uint64_t x) {
     |       |  /* Rotates x left by 20 bits (20 + 44 = 64; both shift counts are in range). */
 1897|  55.1k|  return x << (uint32_t)(int32_t)20 | x >> (uint32_t)(int32_t)44;
 1898|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb20:
 1961|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb20(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4220. */
 1962|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4220(a, b);
 1963|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4220:
 1945|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4220(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb20. */
 1946|  55.1k|  uint64_t ab = a ^ b;
 1947|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb20(ab);
 1948|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb20:
 1934|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb20(uint64_t x) {
     |       |  /* Rotates x left by 39 bits (39 + 25 = 64; both shift counts are in range). */
 1935|  55.1k|  return x << (uint32_t)(int32_t)39 | x >> (uint32_t)(int32_t)25;
 1936|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb21:
 1999|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb21(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4221. */
 2000|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4221(a, b);
 2001|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4221:
 1983|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4221(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb21. */
 1984|  55.1k|  uint64_t ab = a ^ b;
 1985|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb21(ab);
 1986|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb21:
 1972|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb21(uint64_t x) {
     |       |  /* Rotates x left by 8 bits (8 + 56 = 64; both shift counts are in range). */
 1973|  55.1k|  return x << (uint32_t)(int32_t)8 | x >> (uint32_t)(int32_t)56;
 1974|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb22:
 2037|  55.1k|libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb22(uint64_t a, uint64_t b) {
     |       |  /* Thin wrapper: forwards (a, b) unchanged to _vxarq_u64_4222. */
 2038|  55.1k|  return libcrux_sha3_portable_keccak__vxarq_u64_4222(a, b);
 2039|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__vxarq_u64_4222:
 2021|  55.1k|libcrux_sha3_portable_keccak__vxarq_u64_4222(uint64_t a, uint64_t b) {
     |       |  /* XORs the two lanes, then rotates the result with rotate_left_cb22. */
 2022|  55.1k|  uint64_t ab = a ^ b;
 2023|  55.1k|  return libcrux_sha3_portable_keccak_rotate_left_cb22(ab);
 2024|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_rotate_left_cb22:
 2010|  55.1k|libcrux_sha3_portable_keccak_rotate_left_cb22(uint64_t x) {
     |       |  /* Rotates x left by 14 bits (14 + 50 = 64; both shift counts are in range). */
 2011|  55.1k|  return x << (uint32_t)(int32_t)14 | x >> (uint32_t)(int32_t)50;
 2012|  55.1k|}
mlkem768.c:libcrux_sha3_generic_keccak_pi_1d:
 2140|  55.1k|    libcrux_sha3_generic_keccak_KeccakState_48 *s) {
     |       |  /* Permutes the 5x5 lane array in place. The state is first snapshotted into
     |       |     old so that every assignment below reads a pre-permutation value; lane
     |       |     [0][0] is the only one that is not reassigned. All indices are constants,
     |       |     so there is no input-dependent memory access in this step. */
 2141|  55.1k|  uint64_t old[5U][5U];
 2142|  55.1k|  memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U]));
 2143|  55.1k|  s->st[0U][1U] = old[1U][1U];
 2144|  55.1k|  s->st[0U][2U] = old[2U][2U];
 2145|  55.1k|  s->st[0U][3U] = old[3U][3U];
 2146|  55.1k|  s->st[0U][4U] = old[4U][4U];
 2147|  55.1k|  s->st[1U][0U] = old[0U][3U];
 2148|  55.1k|  s->st[1U][1U] = old[1U][4U];
 2149|  55.1k|  s->st[1U][2U] = old[2U][0U];
 2150|  55.1k|  s->st[1U][3U] = old[3U][1U];
 2151|  55.1k|  s->st[1U][4U] = old[4U][2U];
 2152|  55.1k|  s->st[2U][0U] = old[0U][1U];
 2153|  55.1k|  s->st[2U][1U] = old[1U][2U];
 2154|  55.1k|  s->st[2U][2U] = old[2U][3U];
 2155|  55.1k|  s->st[2U][3U] = old[3U][4U];
 2156|  55.1k|  s->st[2U][4U] = old[4U][0U];
 2157|  55.1k|  s->st[3U][0U] = old[0U][4U];
 2158|  55.1k|  s->st[3U][1U] = old[1U][0U];
 2159|  55.1k|  s->st[3U][2U] = old[2U][1U];
 2160|  55.1k|  s->st[3U][3U] = old[3U][2U];
 2161|  55.1k|  s->st[3U][4U] = old[4U][3U];
 2162|  55.1k|  s->st[4U][0U] = old[0U][2U];
 2163|  55.1k|  s->st[4U][1U] = old[1U][3U];
 2164|  55.1k|  s->st[4U][2U] = old[2U][4U];
 2165|  55.1k|  s->st[4U][3U] = old[3U][0U];
 2166|  55.1k|  s->st[4U][4U] = old[4U][1U];
 2167|  55.1k|}
mlkem768.c:libcrux_sha3_generic_keccak_chi_12:
 2176|  55.1k|    libcrux_sha3_generic_keccak_KeccakState_48 *s) {
     |       |  /* Non-linear step: each lane st[i1][j] becomes
     |       |     st[i1][j] ^ (old[i1][(j + 2) % 5] & ~old[i1][(j + 1) % 5]), with the
     |       |     neighbours read from the snapshot old so that writes made earlier in the
     |       |     same row do not feed later ones. Loop bounds are the constant 5 and the
     |       |     combining helper is purely bitwise, so control flow and memory indices
     |       |     here do not depend on the state contents. */
 2177|  55.1k|  uint64_t old[5U][5U];
 2178|  55.1k|  memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U]));
 2179|   330k|  for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) {
  ------------------
  |  Branch (2179:32): [True: 275k, False: 55.1k]
  ------------------
 2180|   275k|    size_t i1 = i0;
 2181|  1.65M|    for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
  ------------------
  |  Branch (2181:33): [True: 1.37M, False: 275k]
  ------------------
 2182|  1.37M|      size_t j = i;
 2183|  1.37M|      s->st[i1][j] = libcrux_sha3_portable_keccak_and_not_xor_5a(
 2184|  1.37M|          s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U],
 2185|  1.37M|          old[i1][(j + (size_t)1U) % (size_t)5U]);
 2186|  1.37M|    }
 2187|   275k|  }
 2188|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_and_not_xor_5a:
   975|  1.37M|    uint64_t a, uint64_t b, uint64_t c) {
      |       |  /* Thin wrapper: forwards (a, b, c) unchanged to _vbcaxq_u64. */
   976|  1.37M|  return libcrux_sha3_portable_keccak__vbcaxq_u64(a, b, c);
   977|  1.37M|}
mlkem768.c:libcrux_sha3_portable_keccak__vbcaxq_u64:
   966|  1.37M|libcrux_sha3_portable_keccak__vbcaxq_u64(uint64_t a, uint64_t b, uint64_t c) {
      |       |  /* Returns a XOR (b AND NOT c); bitwise only, no branches. */
   967|  1.37M|  return a ^ (b & ~c);
   968|  1.37M|}
mlkem768.c:libcrux_sha3_generic_keccak_iota_62:
 2197|  55.1k|    libcrux_sha3_generic_keccak_KeccakState_48 *s, size_t i) {
     |       |  /* XORs the round constant ROUNDCONSTANTS[i] into lane [0][0].
     |       |     NOTE(review): i is not range-checked here and the table size is not
     |       |     visible in this listing; the caller has to keep i inside the table. */
 2198|  55.1k|  s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_constant_5a(
 2199|  55.1k|      s->st[0U][0U], libcrux_sha3_generic_keccak_ROUNDCONSTANTS[i]);
 2200|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak_xor_constant_5a:
   989|  55.1k|libcrux_sha3_portable_keccak_xor_constant_5a(uint64_t a, uint64_t c) {
      |       |  /* Thin wrapper: forwards (a, c) unchanged to _veorq_n_u64. */
   990|  55.1k|  return libcrux_sha3_portable_keccak__veorq_n_u64(a, c);
   991|  55.1k|}
mlkem768.c:libcrux_sha3_portable_keccak__veorq_n_u64:
   980|  55.1k|libcrux_sha3_portable_keccak__veorq_n_u64(uint64_t a, uint64_t c) {
      |       |  /* Returns a XOR c. */
   981|  55.1k|  return a ^ c;
   982|  55.1k|}
mlkem768.c:libcrux_sha3_generic_keccak_absorb_final_c7:
 2274|     51|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
     |       |  /* Pads and absorbs the final partial block: copies last_len bytes of
     |       |     last[0] into a zeroed 200-byte buffer, stores the pad byte 6U at index
     |       |     last_len, ORs 128U into index 71 (72 - 1), loads the buffer into the
     |       |     state and runs keccakf1600.
     |       |     NOTE(review): last_len comes straight from the slice and is not checked
     |       |     in this function. It has to stay below 72 (and in any case below 200),
     |       |     otherwise the copy and the pad-byte store land outside blocks[0].
     |       |     Presumably every caller guarantees this; confirm at the call sites.
     |       |     Coverage: the last_len == 0 path was never taken (False: 0 below), so
     |       |     the empty-final-block case is not exercised by this corpus. */
 2275|     51|  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2276|     51|  uint8_t blocks[1U][200U] = {{0U}};
 2277|    102|  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
  ------------------
  |  Branch (2277:31): [True: 51, False: 51]
  ------------------
 2278|     51|    size_t i0 = i;
 2279|     51|    if (last_len > (size_t)0U) {
  ------------------
  |  Branch (2279:9): [True: 51, False: 0]
  ------------------
 2280|     51|      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|     51|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2281|     51|          blocks[i0], (size_t)0U, last_len, uint8_t);
     |       |      /* The copy macro expands to a memcpy of dst.len bytes; src.len is not
     |       |         consulted. Both are last_len here, so the lengths agree. */
 2282|     51|      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2283|     51|    }
 2284|     51|    blocks[i0][last_len] = 6U;
 2285|     51|    size_t uu____1 = i0;
 2286|     51|    size_t uu____2 = (size_t)72U - (size_t)1U;
 2287|     51|    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
 2288|     51|  }
 2289|     51|  uint64_t(*uu____3)[5U] = s->st;
 2290|     51|  uint8_t uu____4[1U][200U];
 2291|     51|  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
 2292|     51|  libcrux_sha3_portable_keccak_load_block_full_5a_d2(uu____3, uu____4);
 2293|     51|  libcrux_sha3_generic_keccak_keccakf1600_21(s);
 2294|     51|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_full_5a_d2:
 2257|     51|    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
     |       |  /* Copies the 200-byte block b onto the stack and hands the copy, together
     |       |     with the lane array a, to load_block_full_df. */
 2258|     51|  uint64_t(*uu____0)[5U] = a;
 2259|       |  /* Passing arrays by value in Rust generates a copy in C */
 2260|     51|  uint8_t copy_of_b[1U][200U];
 2261|     51|  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
 2262|     51|  libcrux_sha3_portable_keccak_load_block_full_df(uu____0, copy_of_b);
 2263|     51|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_full_df:
 2241|     51|    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
     |       |  /* Wraps blocks[0] in a slice of length 200 and passes it with the lane
     |       |     array s to load_block_2c, which is not shown in this listing. */
 2242|     51|  Eurydice_slice buf[1U] = {
 2243|     51|      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
 2244|     51|  libcrux_sha3_portable_keccak_load_block_2c(s, buf);
 2245|     51|}
mlkem768.c:libcrux_sha3_generic_keccak_squeeze_first_and_last_c5:
 2354|     51|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
     |       |  /* Serialises the state into the 200-byte buffer b, then copies the first
     |       |     out[0].len bytes of b into out[0].
     |       |     NOTE(review): the copy length is the destination length and is not
     |       |     compared with the 200-byte source. store_block_58 fills only the first
     |       |     72 bytes and the rest of b stays zero, so a request longer than 72
     |       |     bytes would return zero padding and one longer than 200 would read past
     |       |     b. Presumably callers never ask for more than 72 bytes; confirm. */
 2355|     51|  uint8_t b[1U][200U];
 2356|     51|  libcrux_sha3_portable_keccak_store_block_full_5a_29(s->st, b);
 2357|    102|  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
  ------------------
  |  Branch (2357:31): [True: 51, False: 51]
  ------------------
 2358|     51|    size_t i0 = i;
 2359|     51|    Eurydice_slice uu____0 = out[i0];
 2360|     51|    uint8_t *uu____1 = b[i0];
 2361|     51|    core_ops_range_Range_b3 lit;
 2362|     51|    lit.start = (size_t)0U;
 2363|     51|    lit.end = Eurydice_slice_len(out[i0], uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2364|     51|    Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2365|     51|        uu____0,
 2366|     51|        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
 2367|     51|                                   core_ops_range_Range_b3),
 2368|     51|        uint8_t);
 2369|     51|  }
 2370|     51|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_full_5a_29:
 2341|     51|    uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
     |       |  /* Thin wrapper: forwards (a, ret) unchanged to store_block_full_2d. */
 2342|     51|  libcrux_sha3_portable_keccak_store_block_full_2d(a, ret);
 2343|     51|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_full_2d:
 2320|     51|    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
     |       |  /* Serialises the lanes of s into a zero-initialised 200-byte buffer through
     |       |     store_block_58 and copies all 200 bytes into ret[0]. Because out starts
     |       |     zeroed, ret[0] is fully defined even where store_block_58 writes nothing.
     |       |     out and copy_of_out hold state-derived bytes and are left on the stack
     |       |     without being cleared. */
 2321|     51|  uint8_t out[200U] = {0U};
 2322|     51|  Eurydice_slice buf[1U] = {
 2323|     51|      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
 2324|     51|  libcrux_sha3_portable_keccak_store_block_58(s, buf);
 2325|       |  /* Passing arrays by value in Rust generates a copy in C */
 2326|     51|  uint8_t copy_of_out[200U];
 2327|     51|  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
 2328|     51|  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
 2329|     51|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_58:
 2302|     51|    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
     |       |  /* Writes the first 72 / 8 = 9 lanes of s, in row-major order
     |       |     (s[i / 5][i % 5]), as little-endian 8-byte words at offsets 8 * i of
     |       |     out[0].
     |       |     NOTE(review): out[0].len is not checked; the slice must provide at least
     |       |     72 bytes or the last iterations write past it. */
 2303|    510|  for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
  ------------------
  |  Branch (2303:31): [True: 459, False: 51]
  ------------------
 2304|    459|    size_t i0 = i;
 2305|    459|    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
  ------------------
  |  |  101|    459|  EURYDICE_SLICE((t *)s.ptr, start, end)
  |  |  ------------------
  |  |  |  |   88|    459|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    459|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2306|    459|        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
 2307|    459|    uint8_t ret[8U];
 2308|    459|    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
 2309|    459|    Eurydice_slice_copy(
  ------------------
  |  |  120|    459|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2310|    459|        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
 2311|    459|  }
 2312|     51|}
mlkem768.c:core_num__u64_9__to_le_bytes:
   163|  37.6k|static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
      |       |  /* Stores v into buf as 8 little-endian bytes: converts to little-endian
      |       |     byte order with htole64, then copies the bytes with memcpy, which avoids
      |       |     any pointer cast. buf must have room for 8 bytes. */
   164|       |  v = htole64(v);
   165|  37.6k|  memcpy(buf, &v, sizeof(v));
   166|  37.6k|}
mlkem768.c:libcrux_sha3_portable_keccak_split_at_mut_n_5a:
 1040|    918|                                               size_t mid) {
     |       |  /* Thin wrapper: forwards (a, mid) unchanged to split_at_mut_1. */
 1041|    918|  return libcrux_sha3_portable_keccak_split_at_mut_1(a, mid);
 1042|    918|}
mlkem768.c:libcrux_sha3_portable_keccak_split_at_mut_1:
 1023|    918|                                            size_t mid) {
     |       |  /* Splits out[0] at byte offset mid into a front slice of length mid and a
     |       |     back slice of length out[0].len - mid, returned as a pair of one-element
     |       |     arrays.
     |       |     NOTE(review): the macro does not check mid against the slice length. If
     |       |     mid exceeded it, the unsigned subtraction would wrap and the back slice
     |       |     would carry a huge length; callers must pass mid <= out[0].len. */
 1024|    918|  Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut(
  ------------------
  |  |  143|    918|  (CLITERAL(ret_t){                                                  \
  |  |  ------------------
  |  |  |  |   61|    918|#define CLITERAL(type) (type)
  |  |  ------------------
  |  |  144|    918|      .fst = {.ptr = slice.ptr, .len = mid},                         \
  |  |  145|    918|      .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
  |  |  146|    918|              .len = slice.len - mid}})
  ------------------
 1025|    918|      out[0U], mid, uint8_t, Eurydice_slice_uint8_t_x2);
 1026|    918|  Eurydice_slice out00 = uu____0.fst;
 1027|    918|  Eurydice_slice out01 = uu____0.snd;
 1028|    918|  Eurydice_slice_uint8_t_1size_t__x2 lit;
 1029|    918|  lit.fst[0U] = out00;
 1030|    918|  lit.snd[0U] = out01;
 1031|    918|  return lit;
 1032|    918|}
mlkem768.c:libcrux_ml_kem_utils_into_padded_array_ea1:
   611|     51|    Eurydice_slice slice, uint8_t ret[34U]) {
      |       |  /* Copies slice into the front of a zeroed 34-byte array and writes all 34
      |       |     bytes to ret, so bytes beyond slice.len are zero.
      |       |     NOTE(review): slice.len is used as the copy length without a check
      |       |     against 34; a longer slice would write past out. Presumably callers only
      |       |     pass slices of at most 34 bytes; confirm. */
   612|     51|  uint8_t out[34U] = {0U};
   613|     51|  uint8_t *uu____0 = out;
   614|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
   615|     51|      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
   616|     51|                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
   617|     51|      slice, uint8_t);
   618|     51|  memcpy(ret, out, (size_t)34U * sizeof(uint8_t));
   619|     51|}
mlkem768.c:libcrux_ml_kem_matrix_sample_matrix_A_38:
 9838|     51|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U][3U]) {
     |       |  /* Fills the 3x3 matrix ret. For each i1 it builds three 34-byte seeds that
     |       |     share the first 32 bytes of seed and differ in bytes 32 and 33 (set to i1
     |       |     and j), samples three ring elements from them with sample_from_xof_3f,
     |       |     and stores element j at [j][i1] when transpose is set, else at [i1][j].
     |       |     seed and transpose are parameters declared on signature lines that this
     |       |     listing omits.
     |       |     The (uint8_t) casts cannot truncate because i1 and j stay below 3.
     |       |     Coverage: only the transpose == true store was executed (False: 0), so
     |       |     the non-transposed path is untested by this corpus. */
 9839|     51|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U];
 9840|    204|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9840:31): [True: 153, False: 51]
  ------------------
 9841|    153|    libcrux_ml_kem_matrix_sample_matrix_A_closure_4b(i, A_transpose[i]);
 9842|    153|  }
 9843|    204|  for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
  ------------------
  |  Branch (9843:32): [True: 153, False: 51]
  ------------------
 9844|    153|    size_t i1 = i0;
 9845|       |    /* Passing arrays by value in Rust generates a copy in C */
 9846|    153|    uint8_t copy_of_seed[34U];
 9847|    153|    memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
 9848|    153|    uint8_t seeds[3U][34U];
 9849|    612|    for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9849:33): [True: 459, False: 153]
  ------------------
 9850|    459|      memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));
 9851|    459|    }
 9852|    612|    for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9852:33): [True: 459, False: 153]
  ------------------
 9853|    459|      size_t j = i;
 9854|    459|      seeds[j][32U] = (uint8_t)i1;
 9855|    459|      seeds[j][33U] = (uint8_t)j;
 9856|    459|    }
 9857|       |    /* Passing arrays by value in Rust generates a copy in C */
 9858|    153|    uint8_t copy_of_seeds[3U][34U];
 9859|    153|    memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
 9860|    153|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sampled[3U];
 9861|    153|    libcrux_ml_kem_sampling_sample_from_xof_3f(copy_of_seeds, sampled);
 9862|    153|    for (size_t i = (size_t)0U;
 9863|    612|         i < Eurydice_slice_len(
  ------------------
  |  |  118|    612|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    612|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (9863:10): [True: 459, False: 153]
  ------------------
 9864|    153|                 Eurydice_array_to_slice(
 9865|    153|                     (size_t)3U, sampled,
 9866|    153|                     libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
 9867|    153|                 libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
 9868|    459|         i++) {
 9869|    459|      size_t j = i;
 9870|    459|      libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample = sampled[j];
 9871|    459|      if (transpose) {
  ------------------
  |  Branch (9871:11): [True: 459, False: 0]
  ------------------
 9872|    459|        A_transpose[j][i1] = sample;
 9873|    459|      } else {
 9874|      0|        A_transpose[i1][j] = sample;
 9875|      0|      }
 9876|    459|    }
 9877|    153|  }
 9878|     51|  memcpy(ret, A_transpose,
 9879|     51|         (size_t)3U *
 9880|     51|             sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]));
 9881|     51|}
mlkem768.c:libcrux_ml_kem_matrix_sample_matrix_A_closure_4b:
 9430|    153|    size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
     |       |  /* Sets the three elements of ret to the zero polynomial; _i is not used. */
 9431|    612|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9431:31): [True: 459, False: 153]
  ------------------
 9432|    459|    ret[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
 9433|    459|  }
 9434|    153|}
mlkem768.c:libcrux_ml_kem_polynomial_ZERO_89_ea:
 8196|  2.14k|libcrux_ml_kem_polynomial_ZERO_89_ea(void) {
     |       |  /* Returns a ring element whose 16 coefficient vectors are each the zero
     |       |     vector; every slot 0..15 is assigned before the struct is returned. */
 8197|  2.14k|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 lit;
 8198|  2.14k|  lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8199|  2.14k|  lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8200|  2.14k|  lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8201|  2.14k|  lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8202|  2.14k|  lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8203|  2.14k|  lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8204|  2.14k|  lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8205|  2.14k|  lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8206|  2.14k|  lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8207|  2.14k|  lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8208|  2.14k|  lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8209|  2.14k|  lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8210|  2.14k|  lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8211|  2.14k|  lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8212|  2.14k|  lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8213|  2.14k|  lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_0d();
 8214|  2.14k|  return lit;
 8215|  2.14k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ZERO_0d:
 6701|  34.2k|libcrux_ml_kem_vector_portable_ZERO_0d(void) {
     |       |  /* Thin wrapper: returns the result of vector_type_zero(). */
 6702|  34.2k|  return libcrux_ml_kem_vector_portable_vector_type_zero();
 6703|  34.2k|}
mlkem768.c:libcrux_ml_kem_vector_portable_vector_type_zero:
 6106|  41.6k|libcrux_ml_kem_vector_portable_vector_type_zero(void) {
     |       |  /* Returns a vector with elements 0..15 set to zero; each of those slots is
     |       |     assigned before the struct is returned. */
 6107|  41.6k|  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
 6108|  41.6k|  lit.elements[0U] = (int16_t)0;
 6109|  41.6k|  lit.elements[1U] = (int16_t)0;
 6110|  41.6k|  lit.elements[2U] = (int16_t)0;
 6111|  41.6k|  lit.elements[3U] = (int16_t)0;
 6112|  41.6k|  lit.elements[4U] = (int16_t)0;
 6113|  41.6k|  lit.elements[5U] = (int16_t)0;
 6114|  41.6k|  lit.elements[6U] = (int16_t)0;
 6115|  41.6k|  lit.elements[7U] = (int16_t)0;
 6116|  41.6k|  lit.elements[8U] = (int16_t)0;
 6117|  41.6k|  lit.elements[9U] = (int16_t)0;
 6118|  41.6k|  lit.elements[10U] = (int16_t)0;
 6119|  41.6k|  lit.elements[11U] = (int16_t)0;
 6120|  41.6k|  lit.elements[12U] = (int16_t)0;
 6121|  41.6k|  lit.elements[13U] = (int16_t)0;
 6122|  41.6k|  lit.elements[14U] = (int16_t)0;
 6123|  41.6k|  lit.elements[15U] = (int16_t)0;
 6124|  41.6k|  return lit;
 6125|  41.6k|}
mlkem768.c:libcrux_ml_kem_sampling_sample_from_xof_3f:
 9784|    153|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
     |       |  /* Samples three ring elements from three 34-byte seeds. It absorbs the
     |       |     seeds into a SHAKE128 state, squeezes 504 bytes per seed and feeds them
     |       |     to the uniform-distribution sampler; while the sampler reports not done,
     |       |     it squeezes a further 168 bytes per seed and tries again. The collected
     |       |     int16 values are then converted by sample_from_xof_closure_04 and copied
     |       |     to ret. seeds is a parameter declared on a signature line that this
     |       |     listing omits.
     |       |     NOTE(review): the loop has no iteration cap; it ends only when the
     |       |     sampler returns true, so the running time depends on the squeezed bytes.
     |       |     That is acceptable only if the seeds are public values (presumably the
     |       |     public matrix seed here; confirm against the caller).
     |       |     Coverage: 35 of the 188 loop entries needed an extra block. */
 9785|    153|  size_t sampled_coefficients[3U] = {0U};
 9786|    153|  int16_t out[3U][272U] = {{0U}};
 9787|       |  /* Passing arrays by value in Rust generates a copy in C */
 9788|    153|  uint8_t copy_of_seeds[3U][34U];
 9789|    153|  memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
 9790|    153|  libcrux_ml_kem_hash_functions_portable_PortableHash_58 xof_state =
 9791|    153|      libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_8c(
 9792|    153|          copy_of_seeds);
 9793|    153|  uint8_t randomness0[3U][504U];
 9794|    153|  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_69(
 9795|    153|      &xof_state, randomness0);
 9796|       |  /* Passing arrays by value in Rust generates a copy in C */
 9797|    153|  uint8_t copy_of_randomness0[3U][504U];
 9798|    153|  memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U]));
 9799|    153|  bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db(
 9800|    153|      copy_of_randomness0, sampled_coefficients, out);
 9801|    188|  while (true) {
  ------------------
  |  Branch (9801:10): [True: 188, Folded]
  ------------------
 9802|    188|    if (done) {
  ------------------
  |  Branch (9802:9): [True: 153, False: 35]
  ------------------
 9803|    153|      break;
 9804|    153|    } else {
 9805|     35|      uint8_t randomness[3U][168U];
 9806|     35|      libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_60(
 9807|     35|          &xof_state, randomness);
 9808|       |      /* Passing arrays by value in Rust generates a copy in C */
 9809|     35|      uint8_t copy_of_randomness[3U][168U];
 9810|     35|      memcpy(copy_of_randomness, randomness,
 9811|     35|             (size_t)3U * sizeof(uint8_t[168U]));
 9812|     35|      done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db0(
 9813|     35|          copy_of_randomness, sampled_coefficients, out);
 9814|     35|    }
 9815|    188|  }
 9816|       |  /* Passing arrays by value in Rust generates a copy in C */
 9817|    153|  int16_t copy_of_out[3U][272U];
 9818|    153|  memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U]));
 9819|    153|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret0[3U];
 9820|    612|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9820:31): [True: 459, False: 153]
  ------------------
 9821|    459|    ret0[i] =
 9822|    459|        libcrux_ml_kem_sampling_sample_from_xof_closure_04(copy_of_out[i]);
 9823|    459|  }
 9824|    153|  memcpy(
 9825|    153|      ret, ret0,
 9826|    153|      (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
 9827|    153|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_8c:
 9485|    153|    uint8_t input[3U][34U]) {
     |       |  /* Copies the three 34-byte inputs onto the stack and returns the result of
     |       |     shake128_init_absorb_b7 on the copy. */
 9486|       |  /* Passing arrays by value in Rust generates a copy in C */
 9487|    153|  uint8_t copy_of_input[3U][34U];
 9488|    153|  memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U]));
 9489|    153|  return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_b7(
 9490|    153|      copy_of_input);
 9491|    153|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_b7:
 9452|    153|    uint8_t input[3U][34U]) {
     |       |  /* Creates three SHAKE128 states, absorbs one 34-byte input into each as its
     |       |     final block, and returns them packed in a PortableHash struct. The states
     |       |     are copied twice on the way out (into copy_of_shake128_state, then into
     |       |     lit); the intermediate copies stay on the stack without being cleared. */
 9453|    153|  libcrux_sha3_generic_keccak_KeccakState_48 shake128_state[3U];
 9454|    612|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9454:31): [True: 459, False: 153]
  ------------------
 9455|    459|    shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init();
 9456|    459|  }
 9457|    612|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9457:31): [True: 459, False: 153]
  ------------------
 9458|    459|    size_t i0 = i;
 9459|    459|    libcrux_sha3_portable_incremental_shake128_absorb_final(
 9460|    459|        &shake128_state[i0],
 9461|    459|        Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));
  ------------------
  |  |  107|    459|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    459|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    459|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    459|                 end) /* x is already at an array type, no need for cast */
  ------------------
 9462|    459|  }
 9463|       |  /* Passing arrays by value in Rust generates a copy in C */
 9464|    153|  libcrux_sha3_generic_keccak_KeccakState_48 copy_of_shake128_state[3U];
 9465|    153|  memcpy(copy_of_shake128_state, shake128_state,
 9466|    153|         (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48));
 9467|    153|  libcrux_ml_kem_hash_functions_portable_PortableHash_58 lit;
 9468|    153|  memcpy(lit.shake128_state, copy_of_shake128_state,
 9469|    153|         (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48));
 9470|    153|  return lit;
 9471|    153|}
mlkem768.c:libcrux_sha3_portable_incremental_shake128_init:
 3029|    459|libcrux_sha3_portable_incremental_shake128_init(void) {
     |       |  /* Thin wrapper: returns the state produced by new_1e_f4(), which is not
     |       |     shown in this listing. */
 3030|    459|  return libcrux_sha3_generic_keccak_new_1e_f4();
 3031|    459|}
mlkem768.c:libcrux_sha3_portable_incremental_shake128_absorb_final:
 3123|    459|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data0) {
     |       |  /* Wraps data0 in a one-element slice array and passes it to
     |       |     absorb_final_c72. The length of data0 is not checked here; see the
     |       |     callee for the bound it relies on. */
 3124|    459|  Eurydice_slice buf[1U] = {data0};
 3125|    459|  libcrux_sha3_generic_keccak_absorb_final_c72(s, buf);
 3126|    459|}
mlkem768.c:libcrux_sha3_generic_keccak_absorb_final_c72:
 3096|    459|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
     |       |  /* Pads and absorbs the final partial block for the 168-byte-rate variant:
     |       |     copies last_len bytes of last[0] into a zeroed 200-byte buffer, stores
     |       |     the pad byte 31U at index last_len, ORs 128U into index 167 (168 - 1),
     |       |     loads the buffer into the state and runs keccakf1600.
     |       |     NOTE(review): last_len comes straight from the slice and is not checked
     |       |     in this function. It has to stay below 168 (and in any case below 200),
     |       |     otherwise the copy and the pad-byte store land outside blocks[0]. The
     |       |     caller visible in this listing passes 34-byte inputs; confirm the
     |       |     others.
     |       |     Coverage: the last_len == 0 path was never taken (False: 0 below). */
 3097|    459|  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
  ------------------
  |  |  118|    459|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    459|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 3098|    459|  uint8_t blocks[1U][200U] = {{0U}};
 3099|    918|  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
  ------------------
  |  Branch (3099:31): [True: 459, False: 459]
  ------------------
 3100|    459|    size_t i0 = i;
 3101|    459|    if (last_len > (size_t)0U) {
  ------------------
  |  Branch (3101:9): [True: 459, False: 0]
  ------------------
 3102|    459|      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|    459|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|    459|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    459|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 3103|    459|          blocks[i0], (size_t)0U, last_len, uint8_t);
     |       |      /* The copy macro expands to a memcpy of dst.len bytes; src.len is not
     |       |         consulted. Both are last_len here, so the lengths agree. */
 3104|    459|      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
  ------------------
  |  |  120|    459|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 3105|    459|    }
 3106|    459|    blocks[i0][last_len] = 31U;
 3107|    459|    size_t uu____1 = i0;
 3108|    459|    size_t uu____2 = (size_t)168U - (size_t)1U;
 3109|    459|    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
 3110|    459|  }
 3111|    459|  uint64_t(*uu____3)[5U] = s->st;
 3112|    459|  uint8_t uu____4[1U][200U];
 3113|    459|  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
 3114|    459|  libcrux_sha3_portable_keccak_load_block_full_5a_d21(uu____3, uu____4);
 3115|    459|  libcrux_sha3_generic_keccak_keccakf1600_21(s);
 3116|    459|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_full_5a_d21:
 /* Copies the 200-byte block b into a local array and forwards it, with the state
  * rows a, to libcrux_sha3_portable_keccak_load_block_full_df1. */
 3079|    459|    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
 3080|    459|  uint64_t(*uu____0)[5U] = a;
 3081|       |  /* Passing arrays by value in Rust generates a copy in C */
 3082|    459|  uint8_t copy_of_b[1U][200U];
 3083|    459|  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
 3084|    459|  libcrux_sha3_portable_keccak_load_block_full_df1(uu____0, copy_of_b);
 3085|    459|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_full_df1:
 /* Views the 200-byte array blocks[0] as a slice (pointer plus length 200, per the
  * macro expansion below) and passes it to libcrux_sha3_portable_keccak_load_block_2c1. */
 3063|    459|    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
 3064|    459|  Eurydice_slice buf[1U] = {
 3065|    459|      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
  ------------------
  |  |  107|    459|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    459|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    459|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    459|                 end) /* x is already at an array type, no need for cast */
  ------------------
 3066|    459|  libcrux_sha3_portable_keccak_load_block_2c1(s, buf);
 3067|    459|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_2c1:
 /* XORs the first 168 bytes of blocks[0] into the state: for each of the 168/8 = 21
  * lanes it takes the 8 bytes at offset 8*i, converts them with
  * core_num__u64_9__from_le_bytes (little-endian per its name) and XORs the value
  * into s[i / 5][i % 5].
  * Eurydice_slice_to_array3 and unwrap_41_ac are defined outside this listing;
  * presumably they move the 8 bytes through the Result_56 into uu____0 - confirm.
  * NOTE(review): blocks[0] must hold at least 168 bytes; no length check is made here. */
 3039|    459|    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
 3040|  10.0k|  for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) {
  ------------------
  |  Branch (3040:31): [True: 9.63k, False: 459]
  ------------------
 3041|  9.63k|    size_t i0 = i;
 3042|  9.63k|    uint8_t uu____0[8U];
 3043|  9.63k|    Result_56 dst;
 3044|  9.63k|    Eurydice_slice_to_array2(
  ------------------
  |  |  152|  9.63k|  Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
  |  |  153|  9.63k|                           sizeof(t_arr))
  ------------------
 3045|  9.63k|        &dst,
 3046|  9.63k|        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
 3047|  9.63k|                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
 3048|  9.63k|        Eurydice_slice, uint8_t[8U]);
 3049|  9.63k|    unwrap_41_ac(dst, uu____0);
 3050|  9.63k|    size_t uu____1 = i0 / (size_t)5U;
 3051|  9.63k|    size_t uu____2 = i0 % (size_t)5U;
 3052|  9.63k|    s[uu____1][uu____2] =
 3053|  9.63k|        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
 3054|  9.63k|  }
 3055|    459|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_69:
 /* Forwards self and the 3 x 504-byte output array ret to
  * libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_ca.
  * The first signature line(s) are not part of this listing. */
 9526|    153|    uint8_t ret[3U][504U]) {
 9527|    153|  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_ca(self,
 9528|    153|                                                                          ret);
 9529|    153|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_ca:
 /* For each of the three states in st->shake128_state, squeezes 504 bytes
  * (3 x the 168-byte block size used by the callee) into a zero-initialised local row,
  * then copies all three rows into ret.
  * The first signature line(s), including the declaration of st, are not part of this
  * listing. */
 9502|    153|    uint8_t ret[3U][504U]) {
 9503|    153|  uint8_t out[3U][504U] = {{0U}};
 9504|    612|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9504:31): [True: 459, False: 153]
  ------------------
 9505|    459|    size_t i0 = i;
 9506|    459|    libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
 9507|    459|        &st->shake128_state[i0],
 9508|    459|        Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));
  ------------------
  |  |  107|    459|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    459|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    459|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    459|                 end) /* x is already at an array type, no need for cast */
  ------------------
 9509|    459|  }
 9510|    153|  memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U]));
 9511|    153|}
mlkem768.c:libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks:
 /* Wraps the output slice out0 in a one-element array and forwards it, with the state
  * s, to libcrux_sha3_generic_keccak_squeeze_first_three_blocks_cc. */
 3227|    459|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) {
 3228|    459|  Eurydice_slice buf[1U] = {out0};
 3229|    459|  libcrux_sha3_generic_keccak_squeeze_first_three_blocks_cc(s, buf);
 3230|    459|}
mlkem768.c:libcrux_sha3_generic_keccak_squeeze_first_three_blocks_cc:
 /* Splits out twice with libcrux_sha3_portable_keccak_split_at_mut_n_5a(..., 168)
  * into three pieces o0, o1 and o2, then fills them in order: o0 with
  * squeeze_first_block (no permutation first), o1 and o2 with squeeze_next_block
  * (permutation, then store).
  * split_at_mut_n_5a is defined outside this listing; presumably fst is the first 168
  * bytes and snd the remainder - confirm.
  * NOTE(review): out[0] is expected to hold 3 x 168 = 504 bytes; nothing here checks
  * its length. */
 3204|    459|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
 3205|    459|  Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
 3206|    459|      libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
 3207|    459|  Eurydice_slice o0[1U];
 3208|    459|  memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
 3209|    459|  Eurydice_slice o10[1U];
 3210|    459|  memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
 3211|    459|  libcrux_sha3_generic_keccak_squeeze_first_block_841(s, o0);
 3212|    459|  Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
 3213|    459|      libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U);
 3214|    459|  Eurydice_slice o1[1U];
 3215|    459|  memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
 3216|    459|  Eurydice_slice o2[1U];
 3217|    459|  memcpy(o2, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
 3218|    459|  libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o1);
 3219|    459|  libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o2);
 3220|    459|}
mlkem768.c:libcrux_sha3_generic_keccak_squeeze_first_block_841:
 /* Writes the current state out through
  * libcrux_sha3_portable_keccak_store_block_5a_591 without running the permutation
  * first (compare squeeze_next_block_fc1, which permutes before storing). */
 3191|    459|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
 3192|    459|  libcrux_sha3_portable_keccak_store_block_5a_591(s->st, out);
 3193|    459|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_5a_591:
 /* Thin wrapper: forwards the state rows a and the output slice array b to
  * libcrux_sha3_portable_keccak_store_block_581. */
 3156|  1.48k|    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
 3157|  1.48k|  libcrux_sha3_portable_keccak_store_block_581(a, b);
 3158|  1.48k|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_581:
 /* Writes 168 bytes of state to out[0]: for each of the 168/8 = 21 lanes, converts
  * s[i / 5][i % 5] with core_num__u64_9__to_le_bytes (little-endian per its name) and
  * copies the 8 bytes to out[0] at offset 8*i.
  * NOTE(review): out[0] must have room for 168 bytes. Eurydice_slice_subslice2 and
  * Eurydice_slice_copy expand to pointer arithmetic and memcpy (see below), so the
  * bound is the caller's responsibility - confirm at the call sites. */
 3134|  1.48k|    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
 3135|  32.6k|  for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) {
  ------------------
  |  Branch (3135:31): [True: 31.1k, False: 1.48k]
  ------------------
 3136|  31.1k|    size_t i0 = i;
 3137|  31.1k|    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
  ------------------
  |  |  101|  31.1k|  EURYDICE_SLICE((t *)s.ptr, start, end)
  |  |  ------------------
  |  |  |  |   88|  31.1k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  31.1k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 3138|  31.1k|        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
 3139|  31.1k|    uint8_t ret[8U];
 3140|  31.1k|    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
 3141|  31.1k|    Eurydice_slice_copy(
  ------------------
  |  |  120|  31.1k|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 3142|  31.1k|        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
 3143|  31.1k|  }
 3144|  1.48k|}
mlkem768.c:libcrux_sha3_generic_keccak_squeeze_next_block_fc1:
 /* Produces the next output block: runs libcrux_sha3_generic_keccak_keccakf1600_21 on
  * the state, then stores the state to out through store_block_5a_591. */
 3168|  1.02k|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
 3169|  1.02k|  libcrux_sha3_generic_keccak_keccakf1600_21(s);
 3170|  1.02k|  libcrux_sha3_portable_keccak_store_block_5a_591(s->st, out);
 3171|  1.02k|}
mlkem768.c:libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db:
 /* Rejection-samples one round of randomness into three coefficient rows. Each
  * randomness row is walked in 504/24 = 21 chunks of 24 bytes; while a row holds fewer
  * than 256 coefficients, the chunk goes to rej_sample, which writes into the
  * 16-entry window out[i1][n .. n + 16] (n = sampled_coefficients[i1]), and the
  * returned count is added to n.
  * The guard keeps n <= 255 at the call, so the window's end bound is at most 271,
  * inside the 272-entry row declared in the signature.
  * Afterwards every count >= 256 is clamped to 256; returns true only when all three
  * rows are full.
  * The first signature line(s), including randomness and sampled_coefficients, are not
  * part of this listing. */
 9582|    153|    int16_t (*out)[272U]) {
 9583|    612|  for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
  ------------------
  |  Branch (9583:32): [True: 459, False: 153]
  ------------------
 9584|    459|    size_t i1 = i0;
 9585|  10.0k|    for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) {
  ------------------
  |  Branch (9585:33): [True: 9.63k, False: 459]
  ------------------
 9586|  9.63k|      size_t r = i;
 9587|  9.63k|      if (sampled_coefficients[i1] <
  ------------------
  |  Branch (9587:11): [True: 9.30k, False: 333]
  ------------------
 9588|  9.63k|          LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
  ------------------
  |  |  282|  9.63k|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  ------------------
 9589|  9.30k|        Eurydice_slice uu____0 =
 9590|  9.30k|            Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
  ------------------
  |  |  113|  9.30k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  9.30k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  9.30k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 9591|  9.30k|                                        r * (size_t)24U + (size_t)24U, uint8_t);
 9592|  9.30k|        size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
 9593|  9.30k|            uu____0, Eurydice_array_to_subslice2(
  ------------------
  |  |  113|  9.30k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  9.30k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  9.30k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 9594|  9.30k|                         out[i1], sampled_coefficients[i1],
 9595|  9.30k|                         sampled_coefficients[i1] + (size_t)16U, int16_t));
 9596|  9.30k|        size_t uu____1 = i1;
 9597|  9.30k|        sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled;
 9598|  9.30k|      }
 9599|  9.63k|    }
 9600|    459|  }
 9601|    153|  bool done = true;
 9602|    612|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9602:31): [True: 459, False: 153]
  ------------------
 9603|    459|    size_t i0 = i;
 9604|    459|    if (sampled_coefficients[i0] >=
  ------------------
  |  Branch (9604:9): [True: 423, False: 36]
  ------------------
 9605|    459|        LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
  ------------------
  |  |  282|    459|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  ------------------
 9606|    423|      sampled_coefficients[i0] =
 9607|    423|          LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT;
  ------------------
  |  |  282|    423|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  ------------------
 9608|    423|    } else {
 9609|       |      done = false;
 9610|     36|    }
 9611|    459|  }
 9612|    153|  return done;
 9613|    153|}
mlkem768.c:libcrux_ml_kem_vector_portable_rej_sample_0d:
 /* Thin wrapper: forwards the input bytes a and the output slice out to
  * libcrux_ml_kem_vector_portable_sampling_rej_sample and returns its count. */
 8109|  9.34k|    Eurydice_slice a, Eurydice_slice out) {
 8110|  9.34k|  return libcrux_ml_kem_vector_portable_sampling_rej_sample(a, out);
 8111|  9.34k|}
mlkem768.c:libcrux_ml_kem_vector_portable_sampling_rej_sample:
 /* Rejection sampling: reads a three bytes at a time, builds two 12-bit candidates
  * d1 = ((b2 & 15) << 8) | b1 and d2 = (b3 << 4) | (b2 >> 4), and stores each
  * candidate that is below the field modulus 3329 into result[sampled] as long as
  * sampled < 16. Returns how many values were stored.
  * The d2 handling appears twice (after an accepted d1 and after a rejected one) and
  * applies the same test in both places; the uu____N temporaries carry no extra logic.
  * NOTE(review): result must have room for 16 int16_t; no length check is made here.
  * In this run every `sampled < 16` test was true, which is consistent with the
  * 24-byte inputs passed by the callers in this listing (8 triples, at most 16
  * candidates), so the cap itself is not exercised by this corpus.
  * NOTE(review): the branches depend on the sampled bytes; presumably these bytes are
  * XOF output over public data - confirm against the caller before reusing this on
  * secret input.
  * The first signature line(s), including the declaration of a, are not part of this
  * listing. */
 8045|  9.34k|                                                   Eurydice_slice result) {
 8046|  9.34k|  size_t sampled = (size_t)0U;
 8047|  84.1k|  for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U;
  ------------------
  |  |  118|  84.1k|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|  84.1k|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (8047:31): [True: 74.7k, False: 9.34k]
  ------------------
 8048|  74.7k|       i++) {
 8049|  74.7k|    size_t i0 = i;
 8050|  74.7k|    int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U,
  ------------------
  |  |   95|  74.7k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 8051|  74.7k|                                               uint8_t, uint8_t *);
 8052|  74.7k|    int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U,
  ------------------
  |  |   95|  74.7k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 8053|  74.7k|                                               uint8_t, uint8_t *);
 8054|  74.7k|    int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U,
  ------------------
  |  |   95|  74.7k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 8055|  74.7k|                                               uint8_t, uint8_t *);
 8056|  74.7k|    int16_t d1 = (b2 & (int16_t)15) << 8U | b1;
 8057|  74.7k|    int16_t d2 = b3 << 4U | b2 >> 4U;
 8058|  74.7k|    bool uu____0;
 8059|  74.7k|    int16_t uu____1;
 8060|  74.7k|    bool uu____2;
 8061|  74.7k|    size_t uu____3;
 8062|  74.7k|    int16_t uu____4;
 8063|  74.7k|    size_t uu____5;
 8064|  74.7k|    int16_t uu____6;
 8065|  74.7k|    if (d1 < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS) {
  ------------------
  |  | 5863|  74.7k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
  ------------------
  |  Branch (8065:9): [True: 60.1k, False: 14.5k]
  ------------------
 8066|  60.1k|      if (sampled < (size_t)16U) {
  ------------------
  |  Branch (8066:11): [True: 60.1k, False: 0]
  ------------------
 8067|  60.1k|        Eurydice_slice_index(result, sampled, int16_t, int16_t *) = d1;
  ------------------
  |  |   95|  60.1k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 8068|  60.1k|        sampled++;
 8069|  60.1k|        uu____1 = d2;
 8070|  60.1k|        uu____6 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
  ------------------
  |  | 5863|  60.1k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
  ------------------
 8071|  60.1k|        uu____0 = uu____1 < uu____6;
 8072|  60.1k|        if (uu____0) {
  ------------------
  |  Branch (8072:13): [True: 48.4k, False: 11.7k]
  ------------------
 8073|  48.4k|          uu____3 = sampled;
 8074|  48.4k|          uu____2 = uu____3 < (size_t)16U;
 8075|  48.4k|          if (uu____2) {
  ------------------
  |  Branch (8075:15): [True: 48.4k, False: 0]
  ------------------
 8076|  48.4k|            uu____4 = d2;
 8077|  48.4k|            uu____5 = sampled;
 8078|  48.4k|            Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4;
  ------------------
  |  |   95|  48.4k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 8079|  48.4k|            sampled++;
 8080|  48.4k|            continue;
 8081|  48.4k|          }
 8082|  48.4k|        }
 8083|  11.7k|        continue;
 8084|  60.1k|      }
 8085|  60.1k|    }
 8086|  14.5k|    uu____1 = d2;
 8087|  14.5k|    uu____6 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
  ------------------
  |  | 5863|  14.5k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
  ------------------
 8088|  14.5k|    uu____0 = uu____1 < uu____6;
 8089|  14.5k|    if (uu____0) {
  ------------------
  |  Branch (8089:9): [True: 11.8k, False: 2.75k]
  ------------------
 8090|  11.8k|      uu____3 = sampled;
 8091|  11.8k|      uu____2 = uu____3 < (size_t)16U;
 8092|  11.8k|      if (uu____2) {
  ------------------
  |  Branch (8092:11): [True: 11.8k, False: 0]
  ------------------
 8093|  11.8k|        uu____4 = d2;
 8094|  11.8k|        uu____5 = sampled;
 8095|  11.8k|        Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4;
  ------------------
  |  |   95|  11.8k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 8096|  11.8k|        sampled++;
 8097|  11.8k|        continue;
 8098|  11.8k|      }
 8099|  11.8k|    }
 8100|  14.5k|  }
 8101|  9.34k|  return sampled;
 8102|  9.34k|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_60:
 /* Forwards self and the 3 x 168-byte output array ret to
  * libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_dd.
  * The first signature line(s) are not part of this listing. */
 9648|     35|    uint8_t ret[3U][168U]) {
 9649|     35|  libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_dd(self, ret);
 9650|     35|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_dd:
 /* For each of the three states in st->shake128_state, squeezes one further 168-byte
  * block into a zero-initialised local row, then copies all three rows into ret.
  * The first signature line(s), including the declaration of st, are not part of this
  * listing. */
 9624|     35|    uint8_t ret[3U][168U]) {
 9625|     35|  uint8_t out[3U][168U] = {{0U}};
 9626|    140|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9626:31): [True: 105, False: 35]
  ------------------
 9627|    105|    size_t i0 = i;
 9628|    105|    libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
 9629|    105|        &st->shake128_state[i0],
 9630|    105|        Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));
  ------------------
  |  |  107|    105|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    105|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    105|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    105|                 end) /* x is already at an array type, no need for cast */
  ------------------
 9631|    105|  }
 9632|     35|  memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U]));
 9633|     35|}
mlkem768.c:libcrux_sha3_portable_incremental_shake128_squeeze_next_block:
 /* Wraps the output slice out0 in a one-element array and forwards it, with the state
  * s, to libcrux_sha3_generic_keccak_squeeze_next_block_fc1. */
 3178|    105|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) {
 3179|    105|  Eurydice_slice buf[1U] = {out0};
 3180|    105|  libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, buf);
 3181|    105|}
mlkem768.c:libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db0:
 /* Same procedure as the 504-byte variant in this listing, applied to one extra
  * 168-byte block per row: each randomness row is walked in 168/24 = 7 chunks of 24
  * bytes; while a row holds fewer than 256 coefficients the chunk goes to rej_sample,
  * which writes into out[i1][n .. n + 16] (n = sampled_coefficients[i1]) and whose
  * count is added to n. With n <= 255 at the call the window's end bound is at most
  * 271, inside the 272-entry row. Counts >= 256 are then clamped to 256; returns true
  * only when all three rows are full.
  * In this run the `done = false` path was never taken (count 0).
  * The first signature line(s), including randomness and sampled_coefficients, are not
  * part of this listing. */
 9703|     35|    int16_t (*out)[272U]) {
 9704|    140|  for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
  ------------------
  |  Branch (9704:32): [True: 105, False: 35]
  ------------------
 9705|    105|    size_t i1 = i0;
 9706|    840|    for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) {
  ------------------
  |  Branch (9706:33): [True: 735, False: 105]
  ------------------
 9707|    735|      size_t r = i;
 9708|    735|      if (sampled_coefficients[i1] <
  ------------------
  |  Branch (9708:11): [True: 39, False: 696]
  ------------------
 9709|    735|          LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
  ------------------
  |  |  282|    735|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  ------------------
 9710|     39|        Eurydice_slice uu____0 =
 9711|     39|            Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
  ------------------
  |  |  113|     39|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     39|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     39|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 9712|     39|                                        r * (size_t)24U + (size_t)24U, uint8_t);
 9713|     39|        size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
 9714|     39|            uu____0, Eurydice_array_to_subslice2(
  ------------------
  |  |  113|     39|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     39|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     39|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 9715|     39|                         out[i1], sampled_coefficients[i1],
 9716|     39|                         sampled_coefficients[i1] + (size_t)16U, int16_t));
 9717|     39|        size_t uu____1 = i1;
 9718|     39|        sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled;
 9719|     39|      }
 9720|    735|    }
 9721|    105|  }
 9722|     35|  bool done = true;
 9723|    140|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9723:31): [True: 105, False: 35]
  ------------------
 9724|    105|    size_t i0 = i;
 9725|    105|    if (sampled_coefficients[i0] >=
  ------------------
  |  Branch (9725:9): [True: 105, False: 0]
  ------------------
 9726|    105|        LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
  ------------------
  |  |  282|    105|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  ------------------
 9727|    105|      sampled_coefficients[i0] =
 9728|    105|          LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT;
  ------------------
  |  |  282|    105|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  ------------------
 9729|    105|    } else {
 9730|       |      done = false;
 9731|      0|    }
 9732|    105|  }
 9733|     35|  return done;
 9734|     35|}
mlkem768.c:libcrux_ml_kem_sampling_sample_from_xof_closure_04:
 /* Builds a polynomial from the first 256 entries of the 272-entry row s by passing
  * s[0 .. 256] to libcrux_ml_kem_polynomial_from_i16_array_89_c1; the remaining 16
  * entries are not read here.
  * The return-type line of the definition is not part of this listing. */
 9770|    459|libcrux_ml_kem_sampling_sample_from_xof_closure_04(int16_t s[272U]) {
 9771|    459|  return libcrux_ml_kem_polynomial_from_i16_array_89_c1(
 9772|    459|      Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
  ------------------
  |  |  113|    459|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|    459|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    459|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 9773|    459|}
mlkem768.c:libcrux_ml_kem_polynomial_from_i16_array_89_c1:
 /* Converts a slice of int16_t into a ring element: starts from
  * libcrux_ml_kem_polynomial_ZERO_89_ea() and, for each of the 256/16 = 16 vectors,
  * sets result.coefficients[i] from the 16 values a[16*i .. 16*(i+1)].
  * NOTE(review): a is read up to index 255 with no length check here; the subslice
  * macro expands to pointer arithmetic (see below), so callers must pass at least 256
  * elements - confirm at the call sites.
  * The return-type line of the definition is not part of this listing. */
 9747|    765|libcrux_ml_kem_polynomial_from_i16_array_89_c1(Eurydice_slice a) {
 9748|    765|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result =
 9749|    765|      libcrux_ml_kem_polynomial_ZERO_89_ea();
 9750|    765|  for (size_t i = (size_t)0U;
 9751|  13.0k|       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
  ------------------
  |  | 5860|  13.0k|  (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
  |  |  ------------------
  |  |  |  |  282|  13.0k|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  |  |  ------------------
  |  | 5861|  13.0k|   LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
  |  |  ------------------
  |  |  |  | 5857|  13.0k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  |  |  ------------------
  ------------------
  |  Branch (9751:8): [True: 12.2k, False: 765]
  ------------------
 9752|  12.2k|    size_t i0 = i;
 9753|  12.2k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
 9754|  12.2k|        libcrux_ml_kem_vector_portable_from_i16_array_0d(
 9755|  12.2k|            Eurydice_slice_subslice2(a, i0 * (size_t)16U,
  ------------------
  |  |  101|  12.2k|  EURYDICE_SLICE((t *)s.ptr, start, end)
  |  |  ------------------
  |  |  |  |   88|  12.2k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  12.2k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 9756|  12.2k|                                     (i0 + (size_t)1U) * (size_t)16U, int16_t));
 9757|  12.2k|    result.coefficients[i0] = uu____0;
 9758|  12.2k|  }
 9759|    765|  return result;
 9760|    765|}
mlkem768.c:libcrux_ml_kem_vector_portable_from_i16_array_0d:
 /* Thin wrapper: returns
  * libcrux_ml_kem_vector_portable_vector_type_from_i16_array(array).
  * The return-type line of the definition is not part of this listing. */
 5894|  12.2k|libcrux_ml_kem_vector_portable_from_i16_array_0d(Eurydice_slice array) {
 5895|  12.2k|  return libcrux_ml_kem_vector_portable_vector_type_from_i16_array(array);
 5896|  12.2k|}
mlkem768.c:libcrux_ml_kem_vector_portable_vector_type_from_i16_array:
 /* Builds a PortableVector from the first 16 int16_t of array: the subslice
  * array[0 .. 16] is converted through Eurydice_slice_to_array2 into a Result_c0,
  * unwrap_41_f9 extracts the values into ret, and ret is copied into lit.elements.
  * Eurydice_slice_to_array3 is defined outside this listing; presumably it sets the
  * tag that unwrap_41_f9 checks - confirm. */
 5877|  12.2k|    Eurydice_slice array) {
 5878|  12.2k|  libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
 5879|  12.2k|  int16_t ret[16U];
 5880|  12.2k|  Result_c0 dst;
 5881|  12.2k|  Eurydice_slice_to_array2(
  ------------------
  |  |  152|  12.2k|  Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
  |  |  153|  12.2k|                           sizeof(t_arr))
  ------------------
 5882|  12.2k|      &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)16U, int16_t),
 5883|  12.2k|      Eurydice_slice, int16_t[16U]);
 5884|  12.2k|  unwrap_41_f9(dst, ret);
 5885|  12.2k|  memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t));
 5886|  12.2k|  return lit;
 5887|  12.2k|}
mlkem768.c:unwrap_41_f9:
   /* Extracts the payload of a Result_c0: when the tag is Ok, copies the 16 int16_t
    * values from self.val.case_Ok into ret (through the temporary f0); otherwise passes
    * a "KaRaMeL abort" message to KRML_HOST_EPRINTF and calls KRML_HOST_EXIT.
    * Per the expansion shown below, KRML_HOST_EXIT(x) ignores its argument and calls
    * dropbear_exit("mlkem"). The failure branch has count 0 in this run.
    * NOTE(review): ret is left unwritten on the failure path, so callers depend on
    * dropbear_exit not returning here - confirm, including under the fuzz harness. */
   694|  12.2k|static inline void unwrap_41_f9(Result_c0 self, int16_t ret[16U]) {
   695|  12.2k|  if (self.tag == Ok) {
  ------------------
  |  |  246|  12.2k|#define Ok 0
  ------------------
  |  Branch (695:7): [True: 12.2k, False: 0]
  ------------------
   696|  12.2k|    int16_t f0[16U];
   697|  12.2k|    memcpy(f0, self.val.case_Ok, (size_t)16U * sizeof(int16_t));
   698|  12.2k|    memcpy(ret, f0, (size_t)16U * sizeof(int16_t));
   699|  12.2k|  } else {
   700|      0|    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
   701|      0|                      "unwrap not Ok");
   702|      0|    KRML_HOST_EXIT(255U);
  ------------------
  |  |   35|      0|#define KRML_HOST_EXIT(x) dropbear_exit("mlkem")
  ------------------
   703|      0|  }
   704|  12.2k|}
mlkem768.c:libcrux_ml_kem_utils_into_padded_array_ea2:
   /* Copies slice into the front of a zero-initialised 33-byte buffer and writes the
    * 33 bytes to ret, so any bytes past the slice length stay zero.
    * NOTE(review): the copy length is the slice's own length and Eurydice_slice_copy
    * expands to memcpy (see below); a slice longer than 33 bytes would write past out.
    * Nothing here checks that, so the bound is the caller's responsibility - confirm
    * at the call sites. */
   592|     51|    Eurydice_slice slice, uint8_t ret[33U]) {
   593|     51|  uint8_t out[33U] = {0U};
   594|     51|  uint8_t *uu____0 = out;
   595|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
   596|     51|      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
   597|     51|                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
   598|     51|      slice, uint8_t);
   599|     51|  memcpy(ret, out, (size_t)33U * sizeof(uint8_t));
   600|     51|}
mlkem768.c:libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc:
/* Samples three ring elements and transforms each with the NTT helper: makes three
 * copies of the 33-byte prf_input, sets byte 32 of copy i to domain_separator
 * (incrementing it each time), runs PRFxN to get three 128-byte outputs, feeds each
 * output to libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6 and then to
 * libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_0f. Returns the three
 * elements in lit.fst and the advanced domain_separator in lit.snd.
 * NOTE(review): prf_inputs, prf_outputs and the intermediate copies are left on the
 * stack without being cleared; presumably prf_input is seed material that should stay
 * secret - confirm whether the project wants these buffers zeroized.
 * The first signature line(s), including the declaration of prf_input, are not part of
 * this listing. */
10155|    102|                                                     uint8_t domain_separator) {
10156|    102|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re_as_ntt[3U];
10157|    408|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (10157:31): [True: 306, False: 102]
  ------------------
10158|    306|    re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
10159|    306|  }
10160|       |  /* Passing arrays by value in Rust generates a copy in C */
10161|    102|  uint8_t copy_of_prf_input[33U];
10162|    102|  memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
10163|    102|  uint8_t prf_inputs[3U][33U];
10164|    408|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (10164:31): [True: 306, False: 102]
  ------------------
10165|    306|    memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
10166|    306|  }
10167|    408|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (10167:31): [True: 306, False: 102]
  ------------------
10168|    306|    size_t i0 = i;
10169|    306|    prf_inputs[i0][32U] = domain_separator;
10170|    306|    domain_separator = (uint32_t)domain_separator + 1U; /* truncated back to uint8_t on assignment, so it wraps modulo 256 */
10171|    306|  }
10172|    102|  uint8_t prf_outputs[3U][128U];
10173|    102|  libcrux_ml_kem_hash_functions_portable_PRFxN_f1_93(prf_inputs, prf_outputs);
10174|    408|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (10174:31): [True: 306, False: 102]
  ------------------
10175|    306|    size_t i0 = i;
10176|    306|    re_as_ntt[i0] =
10177|    306|        libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6(
10178|    306|            Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t));
  ------------------
  |  |  107|    306|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    306|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    306|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    306|                 end) /* x is already at an array type, no need for cast */
  ------------------
10179|    306|    libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_0f(&re_as_ntt[i0]);
10180|    306|  }
10181|       |  /* Passing arrays by value in Rust generates a copy in C */
10182|    102|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_re_as_ntt[3U];
10183|    102|  memcpy(
10184|    102|      copy_of_re_as_ntt, re_as_ntt,
10185|    102|      (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10186|    102|  tuple_b0 lit;
10187|    102|  memcpy(
10188|    102|      lit.fst, copy_of_re_as_ntt,
10189|    102|      (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10190|    102|  lit.snd = domain_separator;
10191|    102|  return lit;
10192|    102|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_PRFxN_f1_93:
 /* Thin wrapper: forwards the 33-byte inputs and the 3 x 128-byte output array to
  * libcrux_ml_kem_hash_functions_portable_PRFxN_c5. */
 9938|    102|    uint8_t (*input)[33U], uint8_t ret[3U][128U]) {
 9939|    102|  libcrux_ml_kem_hash_functions_portable_PRFxN_c5(input, ret);
 9940|    102|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_PRFxN_c5:
 /* Runs libcrux_sha3_portable_shake256 three times: input row i (33 bytes) is hashed
  * into a zero-initialised 128-byte local row, and the three rows are then copied
  * into ret. Rows 0..2 of input are read, so input must hold at least three rows. */
 9916|    102|    uint8_t (*input)[33U], uint8_t ret[3U][128U]) {
 9917|    102|  uint8_t out[3U][128U] = {{0U}};
 9918|    408|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (9918:31): [True: 306, False: 102]
  ------------------
 9919|    306|    size_t i0 = i;
 9920|    306|    libcrux_sha3_portable_shake256(
 9921|    306|        Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t),
  ------------------
  |  |  107|    306|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    306|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    306|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    306|                 end) /* x is already at an array type, no need for cast */
  ------------------
 9922|    306|        Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));
  ------------------
  |  |  107|    306|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    306|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    306|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    306|                 end) /* x is already at an array type, no need for cast */
  ------------------
 9923|    306|  }
 9924|    102|  memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U]));
 9925|    102|}
mlkem768.c:libcrux_sha3_portable_shake256:
 /* Wraps data and digest in one-element arrays and calls
  * libcrux_sha3_portable_keccakx1_ce1 with the input first and the output second
  * (the reverse of this function's own parameter order). */
 3016|    306|    Eurydice_slice digest, Eurydice_slice data) {
 3017|    306|  Eurydice_slice buf0[1U] = {data};
 3018|    306|  Eurydice_slice buf[1U] = {digest};
 3019|    306|  libcrux_sha3_portable_keccakx1_ce1(buf0, buf);
 3020|    306|}
mlkem768.c:libcrux_sha3_portable_keccakx1_ce1:
              /* Copies the one-element array of slice descriptors (pointer and
               * length only, not the bytes they refer to) and forwards to
               * keccak_e91 together with `out`. */
 3005|    306|    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
 3006|       |  /* Passing arrays by value in Rust generates a copy in C */
 3007|    306|  Eurydice_slice copy_of_data[1U];
 3008|    306|  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 3009|    306|  libcrux_sha3_generic_keccak_keccak_e91(copy_of_data, out);
 3010|    306|}
mlkem768.c:libcrux_sha3_generic_keccak_keccak_e91:
              /* One-shot sponge with a 136-byte block size: absorbs every full
               * 136-byte block of data[0], absorbs the remainder through
               * absorb_final_c71, then squeezes len(out[0]) bytes.
               *
               * `rem` is len % 136, so the slice handed to absorb_final_c71 is
               * always shorter than 136 bytes; that function has no length check
               * of its own and depends on this.
               *
               * Coverage in this run: the full-block absorb loop (lines 2939-2948)
               * and the multi-block squeeze branch (lines 2964-2995) were never
               * executed. All 306 calls had less than 136 bytes of input and asked
               * for less than 136 bytes of output, which matches the 33-byte input
               * and 128-byte output that PRFxN_c5 passes. Those paths therefore get
               * no exercise from this fuzz target through this instantiation. */
 2934|    306|    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
 2935|    306|  libcrux_sha3_generic_keccak_KeccakState_48 s =
 2936|    306|      libcrux_sha3_generic_keccak_new_1e_f4();
 2937|    306|  for (size_t i = (size_t)0U;
 2938|    306|       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
  ------------------
  |  |  118|    306|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    306|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (2938:8): [True: 0, False: 306]
  ------------------
 2939|      0|    size_t i0 = i;
 2940|      0|    libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
 2941|       |    /* Passing arrays by value in Rust generates a copy in C */
 2942|      0|    Eurydice_slice copy_of_data[1U];
 2943|      0|    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2944|      0|    Eurydice_slice ret[1U];
 2945|      0|    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
 2946|      0|                                            (size_t)136U, ret);
 2947|      0|    libcrux_sha3_generic_keccak_absorb_block_df0(uu____0, ret);
 2948|      0|  }
 2949|    306|  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
  ------------------
  |  |  118|    306|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    306|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2950|    306|  libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
 2951|       |  /* Passing arrays by value in Rust generates a copy in C */
 2952|    306|  Eurydice_slice copy_of_data[1U];
 2953|    306|  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2954|    306|  Eurydice_slice ret[1U];
 2955|    306|  libcrux_sha3_portable_keccak_slice_n_5a(
 2956|    306|      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
  ------------------
  |  |  118|    306|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    306|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2957|    306|  libcrux_sha3_generic_keccak_absorb_final_c71(uu____2, ret);
 2958|    306|  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
  ------------------
  |  |  118|    306|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    306|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2959|    306|  size_t blocks = outlen / (size_t)136U;
 2960|    306|  size_t last = outlen - outlen % (size_t)136U;
 2961|    306|  if (blocks == (size_t)0U) {
  ------------------
  |  Branch (2961:7): [True: 306, False: 0]
  ------------------
 2962|    306|    libcrux_sha3_generic_keccak_squeeze_first_and_last_c50(&s, out);
 2963|    306|  } else {
 2964|      0|    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
 2965|      0|        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U);
 2966|      0|    Eurydice_slice o0[1U];
 2967|      0|    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
 2968|      0|    Eurydice_slice o1[1U];
 2969|      0|    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
 2970|      0|    libcrux_sha3_generic_keccak_squeeze_first_block_840(&s, o0);
 2971|      0|    core_ops_range_Range_b3 iter =
 2972|      0|        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
  ------------------
  |  |  208|      0|  Eurydice_into_iter
  |  |  ------------------
  |  |  |  |  206|      0|#define Eurydice_into_iter(x, t, _ret_t) (x)
  |  |  ------------------
  ------------------
 2973|      0|            (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
 2974|      0|                                               .end = blocks}),
 2975|      0|            core_ops_range_Range_b3, core_ops_range_Range_b3);
 2976|      0|    while (true) {
  ------------------
  |  Branch (2976:12): [True: 0, Folded]
  ------------------
 2977|      0|      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
  ------------------
  |  |  203|      0|  Eurydice_range_iter_next
  |  |  ------------------
  |  |  |  |  198|      0|  (((iter_ptr)->start == (iter_ptr)->end)            \
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (198:4): [True: 0, False: 0]
  |  |  |  |  ------------------
  |  |  |  |  199|      0|       ? (CLITERAL(ret_t){.tag = None})              \
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|      0|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  |  |                      ? (CLITERAL(ret_t){.tag = None})              \
  |  |  |  |  ------------------
  |  |  |  |  |  |  251|      0|#define None 0
  |  |  |  |  ------------------
  |  |  |  |  200|      0|       : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|      0|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  |  |                      : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
  |  |  |  |  ------------------
  |  |  |  |  |  |  252|      0|#define Some 1
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (2977:11): [True: 0, False: 0]
  ------------------
 2978|      0|              &iter, size_t, Option_b3)
 2979|      0|              .tag == None) {
  ------------------
  |  |  251|      0|#define None 0
  ------------------
 2980|      0|        break;
 2981|      0|      } else {
 2982|      0|        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
 2983|      0|            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U);
 2984|      0|        Eurydice_slice o[1U];
 2985|      0|        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
 2986|      0|        Eurydice_slice orest[1U];
 2987|      0|        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
 2988|      0|        libcrux_sha3_generic_keccak_squeeze_next_block_fc0(&s, o);
 2989|      0|        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
 2990|      0|      }
 2991|      0|    }
 2992|      0|    if (last < outlen) {
  ------------------
  |  Branch (2992:9): [True: 0, False: 0]
  ------------------
 2993|      0|      libcrux_sha3_generic_keccak_squeeze_last_cf0(s, o1);
 2994|      0|    }
 2995|      0|  }
 2996|    306|}
mlkem768.c:libcrux_sha3_generic_keccak_absorb_block_df0:
              /* Absorbs one block: load_block_5a_b80 folds blocks[0] into s->st,
               * then keccakf1600_21 is applied to the state. Only the slice
               * descriptor is copied here, not the data it points to. */
 2585|    408|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice blocks[1U]) {
 2586|    408|  uint64_t(*uu____0)[5U] = s->st;
 2587|    408|  Eurydice_slice uu____1[1U];
 2588|    408|  memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
 2589|    408|  libcrux_sha3_portable_keccak_load_block_5a_b80(uu____0, uu____1);
 2590|    408|  libcrux_sha3_generic_keccak_keccakf1600_21(s);
 2591|    408|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_5a_b80:
              /* Forwarder: copies the slice descriptor array and calls
               * load_block_2c0 on the same state rows. */
 2569|    408|    uint64_t (*a)[5U], Eurydice_slice b[1U]) {
 2570|    408|  uint64_t(*uu____0)[5U] = a;
 2571|       |  /* Passing arrays by value in Rust generates a copy in C */
 2572|    408|  Eurydice_slice copy_of_b[1U];
 2573|    408|  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
 2574|    408|  libcrux_sha3_portable_keccak_load_block_2c0(uu____0, copy_of_b);
 2575|    408|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_2c0:
              /* XORs one 136-byte block into the state: for each of the 17
               * (136 / 8) lanes, bytes [8*i, 8*i + 8) of blocks[0] are read as a
               * little-endian u64 and XORed into s[i / 5][i % 5].
               * The loop bound is a constant and the slice length is never
               * consulted, so the caller must pass a slice of at least 136 bytes.
               * unwrap_41_ac is defined outside this listing; presumably it moves
               * the Ok payload of `dst` into uu____0 -- confirm there. */
 2541|    765|    uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
 2542|  13.7k|  for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) {
  ------------------
  |  Branch (2542:31): [True: 13.0k, False: 765]
  ------------------
 2543|  13.0k|    size_t i0 = i;
 2544|  13.0k|    uint8_t uu____0[8U];
 2545|  13.0k|    Result_56 dst;
 2546|  13.0k|    Eurydice_slice_to_array2(
  ------------------
  |  |  152|  13.0k|  Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
  |  |  153|  13.0k|                           sizeof(t_arr))
  ------------------
 2547|  13.0k|        &dst,
 2548|  13.0k|        Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
 2549|  13.0k|                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
 2550|  13.0k|        Eurydice_slice, uint8_t[8U]);
 2551|  13.0k|    unwrap_41_ac(dst, uu____0);
 2552|  13.0k|    size_t uu____1 = i0 / (size_t)5U;
 2553|  13.0k|    size_t uu____2 = i0 % (size_t)5U;
 2554|  13.0k|    s[uu____1][uu____2] =
 2555|  13.0k|        s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
 2556|  13.0k|  }
 2557|    765|}
mlkem768.c:libcrux_sha3_generic_keccak_absorb_final_c71:
              /* Pads and absorbs the final partial block. A zeroed 200-byte buffer
               * receives the last_len bytes of last[0]; byte last_len is set to
               * 31U and byte 135 (136 - 1) gets 128U ORed in; the buffer is then
               * loaded into the state and permuted. 31U (0x1F) and 128U (0x80)
               * match the SHAKE suffix-plus-padding bytes of FIPS 202.
               *
               * last_len is used as an index and as a copy length with no check in
               * this function: padding is only correct for last_len < 136, and
               * memory safety of blocks[i0][last_len] needs last_len < 200. The
               * caller in keccak_e91 guarantees the former by passing len % 136.
               * In this run last_len was non-zero on all 306 calls, so the
               * empty-remainder branch at line 2908 was not exercised. */
 2903|    306|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
 2904|    306|  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
  ------------------
  |  |  118|    306|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    306|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2905|    306|  uint8_t blocks[1U][200U] = {{0U}};
 2906|    612|  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
  ------------------
  |  Branch (2906:31): [True: 306, False: 306]
  ------------------
 2907|    306|    size_t i0 = i;
 2908|    306|    if (last_len > (size_t)0U) {
  ------------------
  |  Branch (2908:9): [True: 306, False: 0]
  ------------------
 2909|    306|      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|    306|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|    306|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    306|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2910|    306|          blocks[i0], (size_t)0U, last_len, uint8_t);
 2911|    306|      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
  ------------------
  |  |  120|    306|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2912|    306|    }
 2913|    306|    blocks[i0][last_len] = 31U;
 2914|    306|    size_t uu____1 = i0;
 2915|    306|    size_t uu____2 = (size_t)136U - (size_t)1U;
 2916|    306|    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
 2917|    306|  }
 2918|    306|  uint64_t(*uu____3)[5U] = s->st;
 2919|    306|  uint8_t uu____4[1U][200U];
 2920|    306|  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
 2921|    306|  libcrux_sha3_portable_keccak_load_block_full_5a_d20(uu____3, uu____4);
 2922|    306|  libcrux_sha3_generic_keccak_keccakf1600_21(s);
 2923|    306|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_full_5a_d20:
              /* Forwarder: makes a local copy of the 200-byte block (all 200
               * bytes, unlike the descriptor-only copies used for slices) and
               * calls load_block_full_df0. */
 2615|    357|    uint64_t (*a)[5U], uint8_t b[1U][200U]) {
 2616|    357|  uint64_t(*uu____0)[5U] = a;
 2617|       |  /* Passing arrays by value in Rust generates a copy in C */
 2618|    357|  uint8_t copy_of_b[1U][200U];
 2619|    357|  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
 2620|    357|  libcrux_sha3_portable_keccak_load_block_full_df0(uu____0, copy_of_b);
 2621|    357|}
mlkem768.c:libcrux_sha3_portable_keccak_load_block_full_df0:
              /* Views blocks[0] as a 200-byte slice and passes it to
               * load_block_2c0, which reads only the first 136 bytes of it. */
 2599|    357|    uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
 2600|    357|  Eurydice_slice buf[1U] = {
 2601|    357|      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
  ------------------
  |  |  107|    357|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    357|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    357|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    357|                 end) /* x is already at an array type, no need for cast */
  ------------------
 2602|    357|  libcrux_sha3_portable_keccak_load_block_2c0(s, buf);
 2603|    357|}
mlkem768.c:libcrux_sha3_generic_keccak_squeeze_first_and_last_c50:
              /* Single-block squeeze: serialises the state into the 200-byte `b`
               * and copies its first len(out[0]) bytes to out[0].
               * The copy length comes from the destination slice (the expansion
               * below is memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))), so
               * out[0] must not be longer than 200 bytes; nothing here checks it.
               * The caller visible in keccak_e91 takes this path only when the
               * output is shorter than 136 bytes. */
 2713|    357|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
 2714|    357|  uint8_t b[1U][200U];
 2715|    357|  libcrux_sha3_portable_keccak_store_block_full_5a_290(s->st, b);
 2716|    714|  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
  ------------------
  |  Branch (2716:31): [True: 357, False: 357]
  ------------------
 2717|    357|    size_t i0 = i;
 2718|    357|    Eurydice_slice uu____0 = out[i0];
 2719|    357|    uint8_t *uu____1 = b[i0];
 2720|    357|    core_ops_range_Range_b3 lit;
 2721|    357|    lit.start = (size_t)0U;
 2722|    357|    lit.end = Eurydice_slice_len(out[i0], uint8_t);
  ------------------
  |  |  118|    357|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    357|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2723|    357|    Eurydice_slice_copy(
  ------------------
  |  |  120|    357|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2724|    357|        uu____0,
 2725|    357|        Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
 2726|    357|                                   core_ops_range_Range_b3),
 2727|    357|        uint8_t);
 2728|    357|  }
 2729|    357|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_full_5a_290:
              /* Thin forwarder to store_block_full_2d0. The listing starts at the
               * last line of the signature, so the declaration of `a` is not shown. */
 2700|    357|                                                     uint8_t ret[1U][200U]) {
 2701|    357|  libcrux_sha3_portable_keccak_store_block_full_2d0(a, ret);
 2702|    357|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_full_2d0:
              /* Serialises the state into a zero-initialised 200-byte buffer via
               * store_block_580 and copies all 200 bytes to ret[0]. Since
               * store_block_580 writes 136 bytes, bytes 136..199 of ret[0] stay
               * zero, which leaves the caller's buffer fully initialised. */
 2678|    357|    uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
 2679|    357|  uint8_t out[200U] = {0U};
 2680|    357|  Eurydice_slice buf[1U] = {
 2681|    357|      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
  ------------------
  |  |  107|    357|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    357|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    357|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    357|                 end) /* x is already at an array type, no need for cast */
  ------------------
 2682|    357|  libcrux_sha3_portable_keccak_store_block_580(s, buf);
 2683|       |  /* Passing arrays by value in Rust generates a copy in C */
 2684|    357|  uint8_t copy_of_out[200U];
 2685|    357|  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
 2686|    357|  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
 2687|    357|}
mlkem768.c:libcrux_sha3_portable_keccak_store_block_580:
              /* Writes 17 (136 / 8) state lanes to out[0]: lane s[i / 5][i % 5]
               * is stored as 8 little-endian bytes at offset 8 * i.
               * The subslice macro expands to plain pointer arithmetic (see the
               * expansion below) and the loop bound is constant, so out[0] must be
               * at least 136 bytes long; its length field is not checked. */
 2660|    357|    uint64_t (*s)[5U], Eurydice_slice out[1U]) {
 2661|  6.42k|  for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) {
  ------------------
  |  Branch (2661:31): [True: 6.06k, False: 357]
  ------------------
 2662|  6.06k|    size_t i0 = i;
 2663|  6.06k|    Eurydice_slice uu____0 = Eurydice_slice_subslice2(
  ------------------
  |  |  101|  6.06k|  EURYDICE_SLICE((t *)s.ptr, start, end)
  |  |  ------------------
  |  |  |  |   88|  6.06k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  6.06k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2664|  6.06k|        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
 2665|  6.06k|    uint8_t ret[8U];
 2666|  6.06k|    core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
 2667|  6.06k|    Eurydice_slice_copy(
  ------------------
  |  |  120|  6.06k|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2668|  6.06k|        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
 2669|  6.06k|  }
 2670|    357|}
mlkem768.c:libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6:
              /* Thin forwarder: returns the result of
               * sample_from_binomial_distribution_2_85 on the same slice. */
10090|    306|    Eurydice_slice randomness) {
10091|    306|  return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_85(
10092|    306|      randomness);
10093|    306|}
mlkem768.c:libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_85:
              /* Turns random bytes into 256 small coefficients. Each 4-byte chunk
               * is read as a little-endian u32; adding its even-position and
               * odd-position bits (mask 1431655765U = 0x55555555) leaves a 0..2
               * count in every 2-bit field, and each pair of adjacent fields
               * yields one coefficient outcome_1 - outcome_2 in [-2, 2]. The
               * array is then converted by from_i16_array_89_c1.
               *
               * sampled_i16s has 256 entries and is written at
               * 8 * chunk_number + offset with no check against the slice length,
               * so the caller must pass at most 128 bytes. The counts in this run
               * (9.79k chunks over 306 calls, 32 per call) are consistent with
               * 128-byte inputs.
               *
               * Loop bounds and array indices depend only on the slice length and
               * loop counters, never on the random bits themselves. */
 9999|    306|    Eurydice_slice randomness) {
10000|    306|  int16_t sampled_i16s[256U] = {0U};
10001|    306|  for (size_t i0 = (size_t)0U;
10002|  10.0k|       i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) {
  ------------------
  |  |  118|  10.0k|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|  10.0k|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (10002:8): [True: 9.79k, False: 306]
  ------------------
10003|  9.79k|    size_t chunk_number = i0;
10004|  9.79k|    Eurydice_slice byte_chunk = Eurydice_slice_subslice2(
  ------------------
  |  |  101|  9.79k|  EURYDICE_SLICE((t *)s.ptr, start, end)
  |  |  ------------------
  |  |  |  |   88|  9.79k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  9.79k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
10005|  9.79k|        randomness, chunk_number * (size_t)4U,
10006|  9.79k|        chunk_number * (size_t)4U + (size_t)4U, uint8_t);
10007|  9.79k|    uint32_t random_bits_as_u32 =
10008|  9.79k|        (((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t,
  ------------------
  |  |   95|  9.79k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
10009|  9.79k|                                         uint8_t *) |
10010|  9.79k|          (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t,
  ------------------
  |  |   95|  9.79k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
10011|  9.79k|                                         uint8_t *)
10012|  9.79k|              << 8U) |
10013|  9.79k|         (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t,
  ------------------
  |  |   95|  9.79k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
10014|  9.79k|                                        uint8_t *)
10015|  9.79k|             << 16U) |
10016|  9.79k|        (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t,
  ------------------
  |  |   95|  9.79k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
10017|  9.79k|                                       uint8_t *)
10018|  9.79k|            << 24U;
10019|  9.79k|    uint32_t even_bits = random_bits_as_u32 & 1431655765U;
10020|  9.79k|    uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U;
10021|  9.79k|    uint32_t coin_toss_outcomes = even_bits + odd_bits;
10022|  88.1k|    for (uint32_t i = 0U; i < CORE_NUM__U32_8__BITS / 4U; i++) {
  ------------------
  |  |  268|  88.1k|#define CORE_NUM__U32_8__BITS (32U)
  ------------------
  |  Branch (10022:27): [True: 78.3k, False: 9.79k]
  ------------------
10023|  78.3k|      uint32_t outcome_set = i;
10024|  78.3k|      uint32_t outcome_set0 = outcome_set * 4U;
10025|  78.3k|      int16_t outcome_1 =
10026|  78.3k|          (int16_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 3U);
10027|  78.3k|      int16_t outcome_2 =
10028|  78.3k|          (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U);
10029|  78.3k|      size_t offset = (size_t)(outcome_set0 >> 2U);
10030|  78.3k|      sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2;
10031|  78.3k|    }
10032|  9.79k|  }
10033|    306|  return libcrux_ml_kem_polynomial_from_i16_array_89_c1(
10034|    306|      Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
  ------------------
  |  |  107|    306|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|    306|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    306|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|    306|                 end) /* x is already at an array type, no need for cast */
  ------------------
10035|    306|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_0f:
              /* Transforms `re` in place: layer 7 first, then layers 6, 5 and 4
               * through ntt_at_layer_4_plus_51, then layers 3, 2 and 1, and
               * finally poly_barrett_reduce_89_8b.
               * zeta_i starts at 1 and is passed by address; the layer functions
               * shown in this listing (4_plus and 3) add one to it per round.
               * Every layer call receives the constant bound 3 as its last
               * argument. */
10125|    306|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) {
10126|    306|  libcrux_ml_kem_ntt_ntt_at_layer_7_f4(re);
10127|    306|  size_t zeta_i = (size_t)1U;
10128|    306|  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)6U,
10129|    306|                                            (size_t)3U);
10130|    306|  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)5U,
10131|    306|                                            (size_t)3U);
10132|    306|  libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)4U,
10133|    306|                                            (size_t)3U);
10134|    306|  libcrux_ml_kem_ntt_ntt_at_layer_3_fd(&zeta_i, re, (size_t)3U, (size_t)3U);
10135|    306|  libcrux_ml_kem_ntt_ntt_at_layer_2_ad(&zeta_i, re, (size_t)2U, (size_t)3U);
10136|    306|  libcrux_ml_kem_ntt_ntt_at_layer_1_a2(&zeta_i, re, (size_t)1U, (size_t)3U);
10137|    306|  libcrux_ml_kem_polynomial_poly_barrett_reduce_89_8b(re);
10138|    306|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_at_layer_7_f4:
              /* First butterfly layer, in place. step is (256 / 16) / 2 = 8
               * vectors; for j in 0..8, t = coefficients[j + 8] * -1600, then
               * coefficients[j + 8] = coefficients[j] - t and
               * coefficients[j] = coefficients[j] + t.
               * The multiplication here is the plain per-element one
               * (multiply_by_constant_0d), not the Montgomery variant used by the
               * later layers. */
10102|    306|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) {
10103|    306|  size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
  ------------------
  |  | 5860|    306|  (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
  |  |  ------------------
  |  |  |  |  282|    306|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  |  |  ------------------
  |  | 5861|    306|   LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
  |  |  ------------------
  |  |  |  | 5857|    306|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  |  |  ------------------
  ------------------
10104|  2.75k|  for (size_t i = (size_t)0U; i < step; i++) {
  ------------------
  |  Branch (10104:31): [True: 2.44k, False: 306]
  ------------------
10105|  2.44k|    size_t j = i;
10106|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
10107|  2.44k|        libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
10108|  2.44k|            re->coefficients[j + step], (int16_t)-1600);
10109|  2.44k|    re->coefficients[j + step] =
10110|  2.44k|        libcrux_ml_kem_vector_portable_sub_0d(re->coefficients[j], &t);
10111|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
10112|  2.44k|        libcrux_ml_kem_vector_portable_add_0d(re->coefficients[j], &t);
10113|  2.44k|    re->coefficients[j] = uu____1;
10114|  2.44k|  }
10115|    306|}
mlkem768.c:libcrux_ml_kem_vector_portable_multiply_by_constant_0d:
              /* Thin forwarder to arithmetic_multiply_by_constant. */
 6771|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
 6772|  2.44k|  return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c);
 6773|  2.44k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant:
              /* Multiplies each of the 16 elements of the by-value vector `v` by
               * `c` and returns the modified copy.
               * NOTE(review): the element type is not shown in this listing
               * (presumably int16_t); if so, the product is computed in int and
               * narrowed on the store, so results are only meaningful when the
               * caller keeps |element * c| within the element range -- confirm
               * the bound for the -1600 call in ntt_at_layer_7_f4. */
 6755|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
 6756|  2.44k|  for (size_t i = (size_t)0U;
 6757|  41.6k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|  41.6k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (6757:8): [True: 39.1k, False: 2.44k]
  ------------------
 6758|  39.1k|    size_t i0 = i;
 6759|  39.1k|    size_t uu____0 = i0;
 6760|  39.1k|    v.elements[uu____0] = v.elements[uu____0] * c;
 6761|  39.1k|  }
 6762|  2.44k|  return v;
 6763|  2.44k|}
mlkem768.c:libcrux_ml_kem_vector_portable_sub_0d:
              /* Thin forwarder to arithmetic_sub; the declaration of `lhs` is on a
               * signature line that this listing does not include. */
 6749|  9.79k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
 6750|  9.79k|  return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs);
 6751|  9.79k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_sub:
              /* Element-wise lhs - rhs over the 16 elements. `lhs` is accessed
               * with `.`, i.e. it is a by-value copy that is modified and
               * returned; `rhs` is only read through its pointer. No reduction or
               * range check is applied to the differences here. */
 6732|  9.79k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
 6733|  9.79k|  for (size_t i = (size_t)0U;
 6734|   166k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|   166k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (6734:8): [True: 156k, False: 9.79k]
  ------------------
 6735|   156k|    size_t i0 = i;
 6736|   156k|    size_t uu____0 = i0;
 6737|   156k|    lhs.elements[uu____0] = lhs.elements[uu____0] - rhs->elements[i0];
 6738|   156k|  }
 6739|  9.79k|  return lhs;
 6740|  9.79k|}
mlkem768.c:libcrux_ml_kem_vector_portable_add_0d:
              /* Thin forwarder to arithmetic_add; the declaration of `lhs` is on a
               * signature line that this listing does not include. */
 6725|  24.4k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
 6726|  24.4k|  return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs);
 6727|  24.4k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_add:
              /* Element-wise lhs + rhs over the 16 elements. `lhs` is a by-value
               * copy that is modified and returned; `rhs` is only read through
               * its pointer. No reduction or range check is applied to the sums
               * here. */
 6708|  24.4k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
 6709|  24.4k|  for (size_t i = (size_t)0U;
 6710|   416k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|   416k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (6710:8): [True: 391k, False: 24.4k]
  ------------------
 6711|   391k|    size_t i0 = i;
 6712|   391k|    size_t uu____0 = i0;
 6713|   391k|    lhs.elements[uu____0] = lhs.elements[uu____0] + rhs->elements[i0];
 6714|   391k|  }
 6715|  24.4k|  return lhs;
 6716|  24.4k|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51:
              /* One butterfly layer over whole vectors, in place. There are
               * 128 >> layer rounds; each round first adds one to zeta_i[0], then
               * pairs vector j with vector j + step_vec for step_vec = (1 << layer)
               * / 16 consecutive j, using the table entry at the new zeta_i[0].
               * For layer < 4, step_vec is 0 and the inner loop does nothing.
               * _initial_coefficient_bound is not used in the body.
               * NOTE(review): the table index zeta_i[0] and the vector index
               * j + step_vec are not range-checked here and the table size is not
               * shown in this listing; bounds rest on the fixed call sequence in
               * the caller. */
 8497|    918|    size_t layer, size_t _initial_coefficient_bound) {
 8498|    918|  size_t step = (size_t)1U << (uint32_t)layer;
 8499|  5.20k|  for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) {
  ------------------
  |  Branch (8499:32): [True: 4.28k, False: 918]
  ------------------
 8500|  4.28k|    size_t round = i0;
 8501|  4.28k|    zeta_i[0U] = zeta_i[0U] + (size_t)1U;
 8502|  4.28k|    size_t offset = round * step * (size_t)2U;
 8503|  4.28k|    size_t offset_vec = offset / (size_t)16U;
 8504|  4.28k|    size_t step_vec = step / (size_t)16U;
 8505|  11.6k|    for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
  ------------------
  |  Branch (8505:33): [True: 7.34k, False: 4.28k]
  ------------------
 8506|  7.34k|      size_t j = i;
 8507|  7.34k|      libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
 8508|  7.34k|          libcrux_ml_kem_ntt_ntt_layer_int_vec_step_0c(
 8509|  7.34k|              re->coefficients[j], re->coefficients[j + step_vec],
 8510|  7.34k|              libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
 8511|  7.34k|      libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
 8512|  7.34k|      libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
 8513|  7.34k|      re->coefficients[j] = x;
 8514|  7.34k|      re->coefficients[j + step_vec] = y;
 8515|  7.34k|    }
 8516|  4.28k|  }
 8517|    918|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_layer_int_vec_step_0c:
              /* One vector butterfly: t = montgomery_multiply(b, zeta_r); returns
               * the pair (a + t, a - t) as .fst and .snd.
               * `b` is assigned from the old `a` before `a` is overwritten, so the
               * order of the two statements matters. The declarations of `a` and
               * `b` are on signature lines not included in this listing. */
 8479|  7.34k|        int16_t zeta_r) {
 8480|  7.34k|  libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
 8481|  7.34k|      libcrux_ml_kem_vector_traits_montgomery_multiply_fe_67(b, zeta_r);
 8482|  7.34k|  b = libcrux_ml_kem_vector_portable_sub_0d(a, &t);
 8483|  7.34k|  a = libcrux_ml_kem_vector_portable_add_0d(a, &t);
 8484|  7.34k|  return (
 8485|  7.34k|      CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
  ------------------
  |  |   61|  7.34k|#define CLITERAL(type) (type)
  ------------------
 8486|  7.34k|          .fst = a, .snd = b});
 8487|  7.34k|}
mlkem768.c:libcrux_ml_kem_vector_traits_montgomery_multiply_fe_67:
              /* Thin forwarder to montgomery_multiply_by_constant_0d. */
 8463|  7.34k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t fer) {
 8464|  7.34k|  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(v,
 8465|  7.34k|                                                                           fer);
 8466|  7.34k|}
mlkem768.c:libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d:
              /* Thin forwarder to arithmetic_montgomery_multiply_by_constant. */
 6967|  9.79k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r) {
 6968|  9.79k|  return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
 6969|  9.79k|      v, r);
 6970|  9.79k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant:
              /* Replaces each of the 16 elements of the by-value vector `v` with
               * montgomery_multiply_fe_by_fer(element, c) and returns the copy.
               * The loop bound is a constant, independent of the element values. */
 6950|  9.79k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
 6951|  9.79k|  for (size_t i = (size_t)0U;
 6952|   166k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|   166k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (6952:8): [True: 156k, False: 9.79k]
  ------------------
 6953|   156k|    size_t i0 = i;
 6954|   156k|    v.elements[i0] =
 6955|   156k|        libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
 6956|   156k|            v.elements[i0], c);
 6957|   156k|  }
 6958|  9.79k|  return v;
 6959|  9.79k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer:
              /* Widens both int16_t operands to int32_t, multiplies them and
               * passes the product to montgomery_reduce_element. A product of two
               * int16_t values always fits in int32_t, so the multiplication
               * itself cannot overflow. */
 6943|   274k|    int16_t fe, int16_t fer) {
 6944|   274k|  return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
 6945|   274k|      (int32_t)fe * (int32_t)fer);
 6946|   274k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element:
              /* Montgomery reduction step with a 16-bit shift and modulus 3329:
               *   k     = low16(value) * 62209
               *   c     = (low16(k) * 3329) >> 16
               *   result = (value >> 16) - c
               * The body is straight-line code (the report lists no branch
               * regions for it), so control flow does not depend on `value`.
               * Portability: the code relies on narrowing casts to int16_t
               * keeping the low 16 bits and on >> of a negative int32_t being an
               * arithmetic shift; both are implementation-defined in C. */
 6913|   450k|    int32_t value) {
 6914|   450k|  int32_t k =
 6915|   450k|      (int32_t)(int16_t)value *
 6916|   450k|      (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R;
  ------------------
  |  | 5869|   450k|  (62209U)
  ------------------
 6917|   450k|  int32_t k_times_modulus =
 6918|   450k|      (int32_t)(int16_t)k * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
  ------------------
  |  | 5863|   450k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
  ------------------
 6919|   450k|  int16_t c =
 6920|   450k|      (int16_t)(k_times_modulus >>
 6921|   450k|                (uint32_t)
 6922|   450k|                    LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT);
  ------------------
  |  | 6891|   450k|#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U)
  ------------------
 6923|   450k|  int16_t value_high =
 6924|   450k|      (int16_t)(value >>
 6925|   450k|                (uint32_t)
 6926|   450k|                    LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT);
  ------------------
  |  | 6891|   450k|#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U)
  ------------------
 6927|   450k|  return value_high - c;
 6928|   450k|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_at_layer_3_fd:
 8527|    306|    size_t _layer, size_t _initial_coefficient_bound) {
                /* Applies the layer-3 step to each of the 16 vectors of `re`, using one
                 * table entry per vector. `zeta_i` and `re` are declared in the part of
                 * the signature not shown here; `_layer` and
                 * `_initial_coefficient_bound` are not read in this body.
                 * The table index comes from the loop and the caller-supplied starting
                 * value of zeta_i[0U], never from coefficient data, so the lookup
                 * pattern does not depend on the coefficients. The index is not
                 * range-checked here.
                 * NOTE(review): staying inside ZETAS_TIMES_MONTGOMERY_R depends on the
                 * caller's starting value and the table length, neither of which is
                 * visible in this listing. */
 8528|  5.20k|  for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
  ------------------
  |  Branch (8528:31): [True: 4.89k, False: 306]
  ------------------
 8529|  4.89k|    size_t round = i;
                  /* The counter is advanced first, then used as the index: one entry
                   * per round, 16 in total. */
 8530|  4.89k|    zeta_i[0U] = zeta_i[0U] + (size_t)1U;
 8531|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
 8532|  4.89k|        libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
 8533|  4.89k|            re->coefficients[round],
 8534|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
 8535|  4.89k|    re->coefficients[round] = uu____0;
 8536|  4.89k|  }
 8537|    306|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d:
 7150|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
 7151|  4.89k|  return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta);
 7152|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step:
 7126|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
 7127|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)0U, (size_t)8U);
 7128|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)1U, (size_t)9U);
 7129|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)2U,
 7130|  4.89k|                                              (size_t)10U);
 7131|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)3U,
 7132|  4.89k|                                              (size_t)11U);
 7133|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)4U,
 7134|  4.89k|                                              (size_t)12U);
 7135|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)5U,
 7136|  4.89k|                                              (size_t)13U);
 7137|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)6U,
 7138|  4.89k|                                              (size_t)14U);
 7139|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)7U,
 7140|  4.89k|                                              (size_t)15U);
 7141|  4.89k|  return v;
 7142|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_ntt_step:
 7047|   117k|    size_t i, size_t j) {
                /* One butterfly on elements i and j of *v: t = montgomery(v[j] * zeta),
                 * then v[j] = v[i] - t and v[i] = v[i] + t. `v` and `zeta` are declared
                 * in the part of the signature not shown here.
                 * No reduction is applied to the sum or the difference, and both are
                 * narrowed back to the element type on assignment.
                 * NOTE(review): keeping the results inside the element range is
                 * presumably left to the reductions done by the callers - confirm.
                 * i and j are not range-checked against the element array; the layer
                 * step functions in this listing pass only constants in 0..15. */
 7048|   117k|  int16_t t =
 7049|   117k|      libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
 7050|   117k|          v->elements[j], zeta);
                /* v[j] must be written before v[i]: both lines read the old v[i]. */
 7051|   117k|  v->elements[j] = v->elements[i] - t;
 7052|   117k|  v->elements[i] = v->elements[i] + t;
 7053|   117k|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_at_layer_2_ad:
 8547|    306|    size_t _layer, size_t _initial_coefficient_bound) {
                /* Applies the layer-2 step to each of the 16 vectors of `re`, using two
                 * consecutive table entries per vector. `zeta_i` and `re` are declared
                 * in the part of the signature not shown here; `_layer` and
                 * `_initial_coefficient_bound` are not read in this body.
                 * The table index depends only on the loop and the caller-supplied
                 * starting value of zeta_i[0U], not on coefficient data. It is not
                 * range-checked here.
                 * NOTE(review): confirm the starting value and the table length, which
                 * are not visible in this listing. */
 8548|  5.20k|  for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
  ------------------
  |  Branch (8548:31): [True: 4.89k, False: 306]
  ------------------
 8549|  4.89k|    size_t round = i;
                  /* Advance, read entries [idx] and [idx + 1], advance again: the
                   * counter moves by 2 per round, 32 over the whole loop. */
 8550|  4.89k|    zeta_i[0U] = zeta_i[0U] + (size_t)1U;
 8551|  4.89k|    re->coefficients[round] =
 8552|  4.89k|        libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
 8553|  4.89k|            re->coefficients[round],
 8554|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
 8555|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
 8556|  4.89k|                                                               (size_t)1U]);
 8557|  4.89k|    zeta_i[0U] = zeta_i[0U] + (size_t)1U;
 8558|  4.89k|  }
 8559|    306|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d:
 7120|  4.89k|    int16_t zeta1) {
 7121|  4.89k|  return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1);
 7122|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step:
 7093|  4.89k|    int16_t zeta1) {
 7094|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
 7095|  4.89k|                                              (size_t)4U);
 7096|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
 7097|  4.89k|                                              (size_t)5U);
 7098|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)2U,
 7099|  4.89k|                                              (size_t)6U);
 7100|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)3U,
 7101|  4.89k|                                              (size_t)7U);
 7102|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)8U,
 7103|  4.89k|                                              (size_t)12U);
 7104|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)9U,
 7105|  4.89k|                                              (size_t)13U);
 7106|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)10U,
 7107|  4.89k|                                              (size_t)14U);
 7108|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)11U,
 7109|  4.89k|                                              (size_t)15U);
 7110|  4.89k|  return v;
 7111|  4.89k|}
mlkem768.c:libcrux_ml_kem_ntt_ntt_at_layer_1_a2:
 8569|    306|    size_t _layer, size_t _initial_coefficient_bound) {
                /* Applies the layer-1 step to each of the 16 vectors of `re`, using four
                 * consecutive table entries per vector. `zeta_i` and `re` are declared
                 * in the part of the signature not shown here; `_layer` and
                 * `_initial_coefficient_bound` are not read in this body.
                 * The table index depends only on the loop and the caller-supplied
                 * starting value of zeta_i[0U], not on coefficient data. It is not
                 * range-checked here.
                 * NOTE(review): confirm the starting value and the table length, which
                 * are not visible in this listing. */
 8570|  5.20k|  for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
  ------------------
  |  Branch (8570:31): [True: 4.89k, False: 306]
  ------------------
 8571|  4.89k|    size_t round = i;
                  /* Advance by 1, read entries [idx] .. [idx + 3], then advance by 3:
                   * the counter moves by 4 per round, 64 over the whole loop. */
 8572|  4.89k|    zeta_i[0U] = zeta_i[0U] + (size_t)1U;
 8573|  4.89k|    re->coefficients[round] =
 8574|  4.89k|        libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
 8575|  4.89k|            re->coefficients[round],
 8576|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
 8577|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
 8578|  4.89k|                                                               (size_t)1U],
 8579|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
 8580|  4.89k|                                                               (size_t)2U],
 8581|  4.89k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
 8582|  4.89k|                                                               (size_t)3U]);
 8583|  4.89k|    zeta_i[0U] = zeta_i[0U] + (size_t)3U;
 8584|  4.89k|  }
 8585|    306|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d:
 7085|  4.89k|    int16_t zeta1, int16_t zeta2, int16_t zeta3) {
 7086|  4.89k|  return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1,
 7087|  4.89k|                                                             zeta2, zeta3);
 7088|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step:
 7058|  4.89k|    int16_t zeta1, int16_t zeta2, int16_t zeta3) {
 7059|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
 7060|  4.89k|                                              (size_t)2U);
 7061|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
 7062|  4.89k|                                              (size_t)3U);
 7063|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)4U,
 7064|  4.89k|                                              (size_t)6U);
 7065|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)5U,
 7066|  4.89k|                                              (size_t)7U);
 7067|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)8U,
 7068|  4.89k|                                              (size_t)10U);
 7069|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)9U,
 7070|  4.89k|                                              (size_t)11U);
 7071|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)12U,
 7072|  4.89k|                                              (size_t)14U);
 7073|  4.89k|  libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)13U,
 7074|  4.89k|                                              (size_t)15U);
 7075|  4.89k|  return v;
 7076|  4.89k|}
mlkem768.c:libcrux_ml_kem_polynomial_poly_barrett_reduce_89_8b:
 8598|    306|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self) {
 8599|    306|  for (size_t i = (size_t)0U;
 8600|  5.20k|       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
  ------------------
  |  | 5860|  5.20k|  (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
  |  |  ------------------
  |  |  |  |  282|  5.20k|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  |  |  ------------------
  |  | 5861|  5.20k|   LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
  |  |  ------------------
  |  |  |  | 5857|  5.20k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  |  |  ------------------
  ------------------
  |  Branch (8600:8): [True: 4.89k, False: 306]
  ------------------
 8601|  4.89k|    size_t i0 = i;
 8602|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
 8603|  4.89k|        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
 8604|  4.89k|            self->coefficients[i0]);
 8605|  4.89k|    self->coefficients[i0] = uu____0;
 8606|  4.89k|  }
 8607|    306|}
mlkem768.c:libcrux_ml_kem_vector_portable_barrett_reduce_0d:
 6887|  7.34k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
 6888|  7.34k|  return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(v);
 6889|  7.34k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce:
 6870|  7.34k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
 6871|  7.34k|  for (size_t i = (size_t)0U;
 6872|   124k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|   124k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (6872:8): [True: 117k, False: 7.34k]
  ------------------
 6873|   117k|    size_t i0 = i;
 6874|   117k|    v.elements[i0] =
 6875|   117k|        libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
 6876|   117k|            v.elements[i0]);
 6877|   117k|  }
 6878|  7.34k|  return v;
 6879|  7.34k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element:
 6857|   117k|    int16_t value) {
                /* Barrett-style reduction of one element modulo 3329, using the
                 * constants expanded below: multiplier 20159, shift 26, and a rounding
                 * term of (1 << 26) >> 1.
                 * The body is straight-line: no branch and no table index depends on
                 * `value`.
                 * `>>` on a negative int32_t and the (int16_t) narrowing are
                 * implementation-defined in C; the result relies on an arithmetic
                 * shift and two's-complement truncation.
                 * NOTE(review): confirm that for every compiler this file is built with. */
                /* |value| <= 32768, so value * 20159 plus 2^25 fits in int32_t. */
 6858|   117k|  int32_t t = (int32_t)value *
 6859|   117k|                  LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER +
  ------------------
  |  | 6834|   117k|  ((int32_t)20159)
  ------------------
 6860|   117k|              (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U);
  ------------------
  |  | 6839|   117k|  ((int32_t)1 << (uint32_t)                                 \
  |  | 6840|   117k|       LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT)
  |  |  ------------------
  |  |  |  | 6836|   117k|#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26)
  |  |  ------------------
  ------------------
                /* quotient = t >> 26: the rounded estimate of value / 3329. */
 6861|   117k|  int16_t quotient =
 6862|   117k|      (int16_t)(t >>
 6863|   117k|                (uint32_t)
 6864|   117k|                    LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT);
  ------------------
  |  | 6836|   117k|#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26)
  ------------------
                /* Subtract quotient * 3329. The expression is evaluated in int and then
                 * converted to the return type, which is declared in the part of the
                 * signature not shown here. */
 6865|   117k|  return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
  ------------------
  |  | 5863|   117k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
  ------------------
 6866|   117k|}
mlkem768.c:libcrux_ml_kem_matrix_compute_As_plus_e_60:
11278|     51|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
11279|     51|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result[3U];
11280|    204|  for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
  ------------------
  |  Branch (11280:31): [True: 153, False: 51]
  ------------------
11281|    153|    result[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
11282|    153|  }
11283|     51|  for (size_t i0 = (size_t)0U;
11284|    204|       i0 < Eurydice_slice_len(
  ------------------
  |  |  118|    204|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    204|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (11284:8): [True: 153, False: 51]
  ------------------
11285|     51|                Eurydice_array_to_slice(
11286|     51|                    (size_t)3U, matrix_A,
11287|     51|                    libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]),
11288|     51|                libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]);
11289|    153|       i0++) {
11290|    153|    size_t i1 = i0;
11291|    153|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = matrix_A[i1];
11292|    153|    for (size_t i = (size_t)0U;
11293|    612|         i < Eurydice_slice_len(
  ------------------
  |  |  118|    612|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    612|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (11293:10): [True: 459, False: 153]
  ------------------
11294|    153|                 Eurydice_array_to_slice(
11295|    153|                     (size_t)3U, row,
11296|    153|                     libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
11297|    153|                 libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
11298|    459|         i++) {
11299|    459|      size_t j = i;
11300|    459|      libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *matrix_element =
11301|    459|          &row[j];
11302|    459|      libcrux_ml_kem_polynomial_PolynomialRingElement_f0 product =
11303|    459|          libcrux_ml_kem_polynomial_ntt_multiply_89_2a(matrix_element,
11304|    459|                                                       &s_as_ntt[j]);
11305|    459|      libcrux_ml_kem_polynomial_add_to_ring_element_89_84(&result[i1],
11306|    459|                                                          &product);
11307|    459|    }
11308|    153|    libcrux_ml_kem_polynomial_add_standard_error_reduce_89_03(
11309|    153|        &result[i1], &error_as_ntt[i1]);
11310|    153|  }
11311|     51|  memcpy(
11312|     51|      ret, result,
11313|     51|      (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11314|     51|}
mlkem768.c:libcrux_ml_kem_polynomial_ntt_multiply_89_2a:
 8859|    459|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) {
                /* Multiplies `self` by `rhs` vector by vector and returns the product as
                 * a new ring element; neither input is written. `self` is declared in
                 * the part of the signature not shown here.
                 * Each of the 16 vectors (256 / 16, per the expanded macros) uses four
                 * table entries at 64 + 4 * i0 + {0, 1, 2, 3}, so the highest index
                 * read is 127. The index depends only on the loop counter, not on
                 * coefficient data.
                 * NOTE(review): the length of ZETAS_TIMES_MONTGOMERY_R is not visible in
                 * this listing - confirm it holds at least 128 entries. */
 8860|    459|  libcrux_ml_kem_polynomial_PolynomialRingElement_f0 out =
 8861|    459|      libcrux_ml_kem_polynomial_ZERO_89_ea();
 8862|    459|  for (size_t i = (size_t)0U;
 8863|  7.80k|       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
  ------------------
  |  | 5860|  7.80k|  (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
  |  |  ------------------
  |  |  |  |  282|  7.80k|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  |  |  ------------------
  |  | 5861|  7.80k|   LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
  |  |  ------------------
  |  |  |  | 5857|  7.80k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  |  |  ------------------
  ------------------
  |  Branch (8863:8): [True: 7.34k, False: 459]
  ------------------
 8864|  7.34k|    size_t i0 = i;
 8865|  7.34k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
 8866|  7.34k|        libcrux_ml_kem_vector_portable_ntt_multiply_0d(
 8867|  7.34k|            &self->coefficients[i0], &rhs->coefficients[i0],
 8868|  7.34k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
 8869|  7.34k|                                                               (size_t)4U * i0],
 8870|  7.34k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
 8871|  7.34k|                                                               (size_t)4U * i0 +
 8872|  7.34k|                                                               (size_t)1U],
 8873|  7.34k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
 8874|  7.34k|                                                               (size_t)4U * i0 +
 8875|  7.34k|                                                               (size_t)2U],
 8876|  7.34k|            libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
 8877|  7.34k|                                                               (size_t)4U * i0 +
 8878|  7.34k|                                                               (size_t)3U]);
 8879|  7.34k|    out.coefficients[i0] = uu____0;
 8880|  7.34k|  }
 8881|    459|  return out;
 8882|    459|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_multiply_0d:
 7344|  7.34k|    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
 7345|  7.34k|  return libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, zeta0, zeta1,
 7346|  7.34k|                                                         zeta2, zeta3);
 7347|  7.34k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_ntt_multiply:
 7314|  7.34k|    int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
 7315|  7.34k|  libcrux_ml_kem_vector_portable_vector_type_PortableVector out =
 7316|  7.34k|      libcrux_ml_kem_vector_portable_vector_type_zero();
 7317|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7318|  7.34k|      lhs, rhs, zeta0, (size_t)0U, (size_t)1U, &out);
 7319|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7320|  7.34k|      lhs, rhs, -zeta0, (size_t)2U, (size_t)3U, &out);
 7321|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7322|  7.34k|      lhs, rhs, zeta1, (size_t)4U, (size_t)5U, &out);
 7323|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7324|  7.34k|      lhs, rhs, -zeta1, (size_t)6U, (size_t)7U, &out);
 7325|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7326|  7.34k|      lhs, rhs, zeta2, (size_t)8U, (size_t)9U, &out);
 7327|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7328|  7.34k|      lhs, rhs, -zeta2, (size_t)10U, (size_t)11U, &out);
 7329|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7330|  7.34k|      lhs, rhs, zeta3, (size_t)12U, (size_t)13U, &out);
 7331|  7.34k|  libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
 7332|  7.34k|      lhs, rhs, -zeta3, (size_t)14U, (size_t)15U, &out);
 7333|  7.34k|  return out;
 7334|  7.34k|}
mlkem768.c:libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials:
 7295|  58.7k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) {
                /* Multiplies the pair (a[i], a[j]) by (b[i], b[j]) and stores the result
                 * pair in out[i], out[j]:
                 *   o0 = reduce(a[i]*b[i] + reduce(a[j]*b[j]) * zeta)
                 *   o1 = reduce(a[i]*b[j] + a[j]*b[i])
                 * `a`, `b`, `zeta`, `i` and `j` are declared in the part of the
                 * signature not shown here.
                 * The body is straight-line; no branch or index depends on the element
                 * values.
                 * Each argument to the reduction adds two 16-bit by 16-bit products in
                 * int32_t. That sum overflows (undefined behaviour for signed int) only
                 * in the corner case where both products reach 2^30.
                 * NOTE(review): no bound is checked here; the coefficient bounds that
                 * rule the corner case out are presumably set by earlier reductions -
                 * confirm. i and j are not range-checked either. */
 7296|  58.7k|  int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
 7297|  58.7k|      (int32_t)a->elements[i] * (int32_t)b->elements[i] +
 7298|  58.7k|      (int32_t)
 7299|  58.7k|              libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
 7300|  58.7k|                  (int32_t)a->elements[j] * (int32_t)b->elements[j]) *
 7301|  58.7k|          (int32_t)zeta);
 7302|  58.7k|  int16_t o1 =
 7303|  58.7k|      libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
 7304|  58.7k|          (int32_t)a->elements[i] * (int32_t)b->elements[j] +
 7305|  58.7k|          (int32_t)a->elements[j] * (int32_t)b->elements[i]);
                /* Both results are computed before either store, so the function still
                 * reads the original inputs if `out` points at `a` or `b`. */
 7306|  58.7k|  out->elements[i] = o0;
 7307|  58.7k|  out->elements[j] = o1;
 7308|  58.7k|}
mlkem768.c:libcrux_ml_kem_polynomial_add_to_ring_element_89_84:
 8900|    459|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) {
 8901|    459|  for (size_t i = (size_t)0U;
 8902|  7.80k|       i < Eurydice_slice_len(
  ------------------
  |  |  118|  7.80k|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|  7.80k|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (8902:8): [True: 7.34k, False: 459]
  ------------------
 8903|    459|               Eurydice_array_to_slice(
 8904|    459|                   (size_t)16U, self->coefficients,
 8905|    459|                   libcrux_ml_kem_vector_portable_vector_type_PortableVector),
 8906|    459|               libcrux_ml_kem_vector_portable_vector_type_PortableVector);
 8907|  7.34k|       i++) {
 8908|  7.34k|    size_t i0 = i;
 8909|  7.34k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
 8910|  7.34k|        libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
 8911|  7.34k|                                              &rhs->coefficients[i0]);
 8912|  7.34k|    self->coefficients[i0] = uu____0;
 8913|  7.34k|  }
 8914|    459|}
mlkem768.c:libcrux_ml_kem_polynomial_add_standard_error_reduce_89_03:
11249|    153|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *error) {
11250|    153|  for (size_t i = (size_t)0U;
11251|  2.60k|       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
  ------------------
  |  | 5860|  2.60k|  (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
  |  |  ------------------
  |  |  |  |  282|  2.60k|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  |  |  ------------------
  |  | 5861|  2.60k|   LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
  |  |  ------------------
  |  |  |  | 5857|  2.60k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  |  |  ------------------
  ------------------
  |  Branch (11251:8): [True: 2.44k, False: 153]
  ------------------
11252|  2.44k|    size_t j = i;
11253|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector
11254|  2.44k|        coefficient_normal_form =
11255|  2.44k|            libcrux_ml_kem_vector_traits_to_standard_domain_59(
11256|  2.44k|                self->coefficients[j]);
11257|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
11258|  2.44k|        libcrux_ml_kem_vector_portable_barrett_reduce_0d(
11259|  2.44k|            libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
11260|  2.44k|                                                  &error->coefficients[j]));
11261|  2.44k|    self->coefficients[j] = uu____0;
11262|  2.44k|  }
11263|    153|}
mlkem768.c:libcrux_ml_kem_vector_traits_to_standard_domain_59:
11231|  2.44k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
11232|  2.44k|  return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
11233|  2.44k|      v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
  ------------------
  |  | 5866|  2.44k|  ((int16_t)1353)
  ------------------
11234|  2.44k|}
mlkem768.c:Eurydice_slice_to_array3:
  156|  35.3k|                                            Eurydice_slice src, size_t sz) {
                /* Writes 0 to *dst_tag and copies sz bytes from src.ptr to dst_ok.
                 * `dst_tag` and `dst_ok` are declared in the part of the signature not
                 * shown here. The tag value 0 is the one the file defines as `Ok`.
                 * src.len is never read: the conversion always reports success and the
                 * copy length comes from `sz` alone.
                 * NOTE(review): a slice shorter than sz would make the memcpy read past
                 * its end, and a destination smaller than sz would be overrun. Neither
                 * is checked here, so every call site has to guarantee
                 * sz <= src.len and sz <= the size of the destination - verify against
                 * the callers. */
  157|  35.3k|  *dst_tag = 0;
  158|  35.3k|  memcpy(dst_ok, src.ptr, sz);
  159|  35.3k|}
mlkem768.c:unwrap_41_83:
  525|     51|static inline void unwrap_41_83(Result_00 self, uint8_t ret[32U]) {
                /* Extracts the 32-byte payload of a Result_00 into `ret`.
                 * When the tag is Ok (0), the payload is copied out through a local
                 * buffer. For any other tag the function prints an abort message and
                 * calls KRML_HOST_EXIT, which this build defines as
                 * dropbear_exit("mlkem"); the 255U argument is dropped by the macro.
                 * `ret` is not written on the error path.
                 * NOTE(review): that is safe only if dropbear_exit() never returns to
                 * this function - presumably so, confirm for the fuzzing build as well.
                 * NOTE(review): the error branch has an execution count of 0 in this
                 * report, so the abort path is not exercised by this run. */
  526|     51|  if (self.tag == Ok) {
  ------------------
  |  |  246|     51|#define Ok 0
  ------------------
  |  Branch (526:7): [True: 51, False: 0]
  ------------------
  527|     51|    uint8_t f0[32U];
  528|     51|    memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof(uint8_t));
  529|     51|    memcpy(ret, f0, (size_t)32U * sizeof(uint8_t));
  530|     51|  } else {
  531|      0|    KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
  532|      0|                      "unwrap not Ok");
  533|      0|    KRML_HOST_EXIT(255U);
  ------------------
  |  |   35|      0|#define KRML_HOST_EXIT(x) dropbear_exit("mlkem")
  ------------------
  534|      0|  }
  535|     51|}
mlkem768.c:libcrux_ml_kem_ind_cpa_serialize_public_key_79:
11390|     51|    Eurydice_slice seed_for_a, uint8_t ret[1184U]) {
                /* Builds the 1184-byte serialized public key in a zeroed local buffer
                 * and copies it to `ret`: bytes 0..1151 hold the serialization of
                 * `t_as_ntt` (declared in the part of the signature not shown here),
                 * and the bytes from offset 1152 on hold `seed_for_a`.
                 * Eurydice_slice_copy expands to a memcpy whose length is the
                 * DESTINATION slice length; the source length is not consulted.
                 * NOTE(review): the second copy therefore reads as many bytes from
                 * seed_for_a.ptr as the destination subslice holds (presumably
                 * 1184 - 1152 = 32; the subslice_from macro is not expanded in this
                 * listing). A shorter seed slice would be over-read, so callers must
                 * pass a seed of at least that length - verify against the callers. */
11391|     51|  uint8_t public_key_serialized[1184U] = {0U};
11392|     51|  Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|     51|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11393|     51|      public_key_serialized, (size_t)0U, (size_t)1152U, uint8_t);
11394|     51|  uint8_t ret0[1152U];
11395|     51|  libcrux_ml_kem_ind_cpa_serialize_secret_key_b5(t_as_ntt, ret0);
                /* Source and destination are both 1152 bytes here. */
11396|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11397|     51|      uu____0, Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t), uint8_t);
11398|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11399|     51|      Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized,
11400|     51|                                      (size_t)1152U, uint8_t, size_t),
11401|     51|      seed_for_a, uint8_t);
11402|     51|  memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t));
11403|     51|}
mlkem768.c:libcrux_ml_kem_ind_cpa_serialize_secret_key_b5:
11354|    102|    uint8_t ret[1152U]) {
11355|    102|  uint8_t out[1152U] = {0U};
11356|    102|  for (size_t i = (size_t)0U;
11357|    408|       i < Eurydice_slice_len(
  ------------------
  |  |  118|    408|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    408|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (11357:8): [True: 306, False: 102]
  ------------------
11358|    102|               Eurydice_array_to_slice(
11359|    102|                   (size_t)3U, key,
11360|    102|                   libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
11361|    102|               libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
11362|    306|       i++) {
11363|    306|    size_t i0 = i;
11364|    306|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = key[i0];
11365|    306|    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|    306|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|    306|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|    306|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11366|    306|        out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
11367|    306|        (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
11368|    306|        uint8_t);
11369|    306|    uint8_t ret0[384U];
11370|    306|    libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_5b(&re, ret0);
11371|    306|    Eurydice_slice_copy(
  ------------------
  |  |  120|    306|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11372|    306|        uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t);
11373|    306|  }
11374|    102|  memcpy(ret, out, (size_t)1152U * sizeof(uint8_t));
11375|    102|}
mlkem768.c:libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_5b:
11324|    306|    libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re, uint8_t ret[384U]) {
11325|    306|  uint8_t serialized[384U] = {0U};
11326|    306|  for (size_t i = (size_t)0U;
11327|  5.20k|       i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
  ------------------
  |  | 5860|  5.20k|  (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
  |  |  ------------------
  |  |  |  |  282|  5.20k|#define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
  |  |  ------------------
  |  | 5861|  5.20k|   LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
  |  |  ------------------
  |  |  |  | 5857|  5.20k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  |  |  ------------------
  ------------------
  |  Branch (11327:8): [True: 4.89k, False: 306]
  ------------------
11328|  4.89k|    size_t i0 = i;
11329|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
11330|  4.89k|        libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
11331|  4.89k|            re->coefficients[i0]);
11332|  4.89k|    uint8_t bytes[24U];
11333|  4.89k|    libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes);
11334|  4.89k|    Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11335|  4.89k|        serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t);
11336|  4.89k|    Eurydice_slice_copy(
  ------------------
  |  |  120|  4.89k|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11337|  4.89k|        uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t);
11338|  4.89k|  }
11339|    306|  memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t));
11340|    306|}
mlkem768.c:libcrux_ml_kem_vector_traits_to_unsigned_representative_db:
 9163|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
                /* Adds the modulus 3329 to every negative element of `a` and leaves the
                 * others unchanged, without branching on the element values:
                 *   t  = a shifted right by 15 (the shift helper in this file)
                 *   fm = t & 3329, i.e. 3329 where the shift produced all ones, else 0
                 *   result = a + fm
                 * The mask form keeps the sign handling free of data-dependent
                 * branches. It relies on the shift of a negative element yielding all
                 * ones.
                 * NOTE(review): that holds only with an arithmetic right shift, which C
                 * leaves implementation-defined - confirm for every target compiler. */
 9164|  4.89k|  libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
 9165|  4.89k|      libcrux_ml_kem_vector_portable_shift_right_0d_19(a);
 9166|  4.89k|  libcrux_ml_kem_vector_portable_vector_type_PortableVector fm =
 9167|  4.89k|      libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
 9168|  4.89k|          t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
  ------------------
  |  | 5863|  4.89k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
  ------------------
 9169|  4.89k|  return libcrux_ml_kem_vector_portable_add_0d(a, &fm);
 9170|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_shift_right_0d_19:
 9151|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
 9152|  4.89k|  return libcrux_ml_kem_vector_portable_arithmetic_shift_right_94(v);
 9153|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_shift_right_94:
 9131|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
                /* Shifts each of the 16 elements of `v` right by 15 bits and returns the
                 * modified copy; `v` is passed by value, so the caller's vector is not
                 * touched.
                 * The element is promoted to int before the shift. For a negative
                 * element the result of `>>` is implementation-defined in C.
                 * NOTE(review): callers that use the result as a sign mask need an
                 * arithmetic shift here - confirm for every target compiler. */
 9132|  4.89k|  for (size_t i = (size_t)0U;
 9133|  83.2k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|  83.2k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (9133:8): [True: 78.3k, False: 4.89k]
  ------------------
 9134|  78.3k|    size_t i0 = i;
 9135|  78.3k|    v.elements[i0] = v.elements[i0] >> (uint32_t)(int32_t)15;
 9136|  78.3k|  }
 9137|  4.89k|  return v;
 9138|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d:
 6793|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
 6794|  4.89k|  return libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(v,
 6795|  4.89k|                                                                             c);
 6796|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant:
 6777|  4.89k|    libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
 6778|  4.89k|  for (size_t i = (size_t)0U;
 6779|  83.2k|       i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
  ------------------
  |  | 5857|  83.2k|#define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
  ------------------
  |  Branch (6779:8): [True: 78.3k, False: 4.89k]
  ------------------
 6780|  78.3k|    size_t i0 = i;
 6781|  78.3k|    size_t uu____0 = i0;
 6782|  78.3k|    v.elements[uu____0] = v.elements[uu____0] & c;
 6783|  78.3k|  }
 6784|  4.89k|  return v;
 6785|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_serialize_12_0d:
 7969|  4.89k|    uint8_t ret[24U]) {
 7970|  4.89k|  libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret);
 7971|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_serialize_serialize_12:
 7914|  4.89k|    uint8_t ret[24U]) {
 7915|  4.89k|  uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7916|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)2U, int16_t));
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7917|  4.89k|  uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7918|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)2U, (size_t)4U, int16_t));
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7919|  4.89k|  uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7920|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)6U, int16_t));
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7921|  4.89k|  uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7922|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)6U, (size_t)8U, int16_t));
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7923|  4.89k|  uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7924|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)10U,
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7925|  4.89k|                                  int16_t));
 7926|  4.89k|  uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7927|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)10U, (size_t)12U,
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7928|  4.89k|                                  int16_t));
 7929|  4.89k|  uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7930|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)14U,
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7931|  4.89k|                                  int16_t));
 7932|  4.89k|  uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
 7933|  4.89k|      Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U,
  ------------------
  |  |  113|  4.89k|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|  4.89k|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|  4.89k|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 7934|  4.89k|                                  int16_t));
 7935|  4.89k|  uint8_t result[24U] = {0U};
 7936|  4.89k|  result[0U] = r0_2.fst;
 7937|  4.89k|  result[1U] = r0_2.snd;
 7938|  4.89k|  result[2U] = r0_2.thd;
 7939|  4.89k|  result[3U] = r3_5.fst;
 7940|  4.89k|  result[4U] = r3_5.snd;
 7941|  4.89k|  result[5U] = r3_5.thd;
 7942|  4.89k|  result[6U] = r6_8.fst;
 7943|  4.89k|  result[7U] = r6_8.snd;
 7944|  4.89k|  result[8U] = r6_8.thd;
 7945|  4.89k|  result[9U] = r9_11.fst;
 7946|  4.89k|  result[10U] = r9_11.snd;
 7947|  4.89k|  result[11U] = r9_11.thd;
 7948|  4.89k|  result[12U] = r12_14.fst;
 7949|  4.89k|  result[13U] = r12_14.snd;
 7950|  4.89k|  result[14U] = r12_14.thd;
 7951|  4.89k|  result[15U] = r15_17.fst;
 7952|  4.89k|  result[16U] = r15_17.snd;
 7953|  4.89k|  result[17U] = r15_17.thd;
 7954|  4.89k|  result[18U] = r18_20.fst;
 7955|  4.89k|  result[19U] = r18_20.snd;
 7956|  4.89k|  result[20U] = r18_20.thd;
 7957|  4.89k|  result[21U] = r21_23.fst;
 7958|  4.89k|  result[22U] = r21_23.snd;
 7959|  4.89k|  result[23U] = r21_23.thd;
 7960|  4.89k|  memcpy(ret, result, (size_t)24U * sizeof(uint8_t));
 7961|  4.89k|}
mlkem768.c:libcrux_ml_kem_vector_portable_serialize_serialize_12_int:
 7896|  39.1k|libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) {
 7897|  39.1k|  uint8_t r0 =
 7898|  39.1k|      (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) &
  ------------------
  |  |   95|  39.1k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 7899|  39.1k|                (int16_t)255);
 7900|  39.1k|  uint8_t r1 =
 7901|  39.1k|      (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) >> 8U |
  ------------------
  |  |   95|  39.1k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 7902|  39.1k|                (Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) &
  ------------------
  |  |   95|  39.1k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 7903|  39.1k|                 (int16_t)15)
 7904|  39.1k|                    << 4U);
 7905|  39.1k|  uint8_t r2 =
 7906|  39.1k|      (uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U &
  ------------------
  |  |   95|  39.1k|#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
  ------------------
 7907|  39.1k|                (int16_t)255);
 7908|  39.1k|  return (CLITERAL(uint8_t_x3){.fst = r0, .snd = r1, .thd = r2});
  ------------------
  |  |   61|  39.1k|#define CLITERAL(type) (type)
  ------------------
 7909|  39.1k|}
mlkem768.c:libcrux_ml_kem_ind_cca_serialize_kem_secret_key_48:
11495|     51|    Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) {
11496|     51|  uint8_t out[2400U] = {0U};
11497|     51|  size_t pointer = (size_t)0U;
11498|     51|  uint8_t *uu____0 = out;
11499|     51|  size_t uu____1 = pointer;
11500|     51|  size_t uu____2 = pointer;
11501|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11502|     51|      Eurydice_array_to_subslice2(
11503|     51|          uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t),
11504|     51|          uint8_t),
11505|     51|      private_key, uint8_t);
11506|     51|  pointer = pointer + Eurydice_slice_len(private_key, uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
11507|     51|  uint8_t *uu____3 = out;
11508|     51|  size_t uu____4 = pointer;
11509|     51|  size_t uu____5 = pointer;
11510|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11511|     51|      Eurydice_array_to_subslice2(
11512|     51|          uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t),
11513|     51|          uint8_t),
11514|     51|      public_key, uint8_t);
11515|     51|  pointer = pointer + Eurydice_slice_len(public_key, uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
11516|     51|  Eurydice_slice uu____6 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|     51|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
11517|     51|      out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t);
11518|     51|  uint8_t ret0[32U];
11519|     51|  libcrux_ml_kem_hash_functions_portable_H_f1_1a(public_key, ret0);
11520|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11521|     51|      uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t);
11522|     51|  pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE;
  ------------------
  |  |  292|     51|#define LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE ((size_t)32U)
  ------------------
11523|     51|  uint8_t *uu____7 = out;
11524|     51|  size_t uu____8 = pointer;
11525|     51|  size_t uu____9 = pointer;
11526|     51|  Eurydice_slice_copy(
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
11527|     51|      Eurydice_array_to_subslice2(
11528|     51|          uu____7, uu____8,
11529|     51|          uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t),
11530|     51|          uint8_t),
11531|     51|      implicit_rejection_value, uint8_t);
11532|     51|  memcpy(ret, out, (size_t)2400U * sizeof(uint8_t));
11533|     51|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_H_f1_1a:
11061|     51|    Eurydice_slice input, uint8_t ret[32U]) {
11062|     51|  libcrux_ml_kem_hash_functions_portable_H(input, ret);
11063|     51|}
mlkem768.c:libcrux_ml_kem_hash_functions_portable_H:
 5807|     51|    Eurydice_slice input, uint8_t ret[32U]) {
 5808|     51|  uint8_t digest[32U] = {0U};
 5809|     51|  libcrux_sha3_portable_sha256(
 5810|     51|      Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input);
  ------------------
  |  |  107|     51|  EURYDICE_SLICE(x, 0,                     \
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  |  |  108|     51|                 end) /* x is already at an array type, no need for cast */
  ------------------
 5811|     51|  memcpy(ret, digest, (size_t)32U * sizeof(uint8_t));
 5812|     51|}
mlkem768.c:libcrux_sha3_portable_sha256:
 2888|     51|                                                         Eurydice_slice data) {
 2889|     51|  Eurydice_slice buf0[1U] = {data};
 2890|     51|  Eurydice_slice buf[1U] = {digest};
 2891|     51|  libcrux_sha3_portable_keccakx1_ce0(buf0, buf);
 2892|     51|}
mlkem768.c:libcrux_sha3_portable_keccakx1_ce0:
 2877|     51|    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
 2878|       |  /* Passing arrays by value in Rust generates a copy in C */
 2879|     51|  Eurydice_slice copy_of_data[1U];
 2880|     51|  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2881|     51|  libcrux_sha3_generic_keccak_keccak_e90(copy_of_data, out);
 2882|     51|}
mlkem768.c:libcrux_sha3_generic_keccak_keccak_e90:
 2806|     51|    Eurydice_slice data[1U], Eurydice_slice out[1U]) {
 2807|     51|  libcrux_sha3_generic_keccak_KeccakState_48 s =
 2808|     51|      libcrux_sha3_generic_keccak_new_1e_f4();
 2809|     51|  for (size_t i = (size_t)0U;
 2810|    459|       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
  ------------------
  |  |  118|    459|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|    459|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
  |  Branch (2810:8): [True: 408, False: 51]
  ------------------
 2811|    408|    size_t i0 = i;
 2812|    408|    libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
 2813|       |    /* Passing arrays by value in Rust generates a copy in C */
 2814|    408|    Eurydice_slice copy_of_data[1U];
 2815|    408|    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2816|    408|    Eurydice_slice ret[1U];
 2817|    408|    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
 2818|    408|                                            (size_t)136U, ret);
 2819|    408|    libcrux_sha3_generic_keccak_absorb_block_df0(uu____0, ret);
 2820|    408|  }
 2821|     51|  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2822|     51|  libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
 2823|       |  /* Passing arrays by value in Rust generates a copy in C */
 2824|     51|  Eurydice_slice copy_of_data[1U];
 2825|     51|  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
 2826|     51|  Eurydice_slice ret[1U];
 2827|     51|  libcrux_sha3_portable_keccak_slice_n_5a(
 2828|     51|      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2829|     51|  libcrux_sha3_generic_keccak_absorb_final_c70(uu____2, ret);
 2830|     51|  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2831|     51|  size_t blocks = outlen / (size_t)136U;
 2832|     51|  size_t last = outlen - outlen % (size_t)136U;
 2833|     51|  if (blocks == (size_t)0U) {
  ------------------
  |  Branch (2833:7): [True: 51, False: 0]
  ------------------
 2834|     51|    libcrux_sha3_generic_keccak_squeeze_first_and_last_c50(&s, out);
 2835|     51|  } else {
 2836|      0|    Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
 2837|      0|        libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U);
 2838|      0|    Eurydice_slice o0[1U];
 2839|      0|    memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
 2840|      0|    Eurydice_slice o1[1U];
 2841|      0|    memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
 2842|      0|    libcrux_sha3_generic_keccak_squeeze_first_block_840(&s, o0);
 2843|      0|    core_ops_range_Range_b3 iter =
 2844|      0|        core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
  ------------------
  |  |  208|      0|  Eurydice_into_iter
  |  |  ------------------
  |  |  |  |  206|      0|#define Eurydice_into_iter(x, t, _ret_t) (x)
  |  |  ------------------
  ------------------
 2845|      0|            (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
 2846|      0|                                               .end = blocks}),
 2847|      0|            core_ops_range_Range_b3, core_ops_range_Range_b3);
 2848|      0|    while (true) {
  ------------------
  |  Branch (2848:12): [True: 0, Folded]
  ------------------
 2849|      0|      if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
  ------------------
  |  |  203|      0|  Eurydice_range_iter_next
  |  |  ------------------
  |  |  |  |  198|      0|  (((iter_ptr)->start == (iter_ptr)->end)            \
  |  |  |  |  ------------------
  |  |  |  |  |  Branch (198:4): [True: 0, False: 0]
  |  |  |  |  ------------------
  |  |  |  |  199|      0|       ? (CLITERAL(ret_t){.tag = None})              \
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|      0|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  |  |                      ? (CLITERAL(ret_t){.tag = None})              \
  |  |  |  |  ------------------
  |  |  |  |  |  |  251|      0|#define None 0
  |  |  |  |  ------------------
  |  |  |  |  200|      0|       : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|      0|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  |  |                      : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
  |  |  |  |  ------------------
  |  |  |  |  |  |  252|      0|#define Some 1
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
  |  Branch (2849:11): [True: 0, False: 0]
  ------------------
 2850|      0|              &iter, size_t, Option_b3)
 2851|      0|              .tag == None) {
  ------------------
  |  |  251|      0|#define None 0
  ------------------
 2852|      0|        break;
 2853|      0|      } else {
 2854|      0|        Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
 2855|      0|            libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U);
 2856|      0|        Eurydice_slice o[1U];
 2857|      0|        memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
 2858|      0|        Eurydice_slice orest[1U];
 2859|      0|        memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
 2860|      0|        libcrux_sha3_generic_keccak_squeeze_next_block_fc0(&s, o);
 2861|      0|        memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
 2862|      0|      }
 2863|      0|    }
 2864|      0|    if (last < outlen) {
  ------------------
  |  Branch (2864:9): [True: 0, False: 0]
  ------------------
 2865|      0|      libcrux_sha3_generic_keccak_squeeze_last_cf0(s, o1);
 2866|      0|    }
 2867|      0|  }
 2868|     51|}
mlkem768.c:libcrux_sha3_generic_keccak_absorb_final_c70:
 2632|     51|    libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
 2633|     51|  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
  ------------------
  |  |  118|     51|#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
  |  |  ------------------
  |  |  |  |   89|     51|#define EURYDICE_SLICE_LEN(s, _) s.len
  |  |  ------------------
  ------------------
 2634|     51|  uint8_t blocks[1U][200U] = {{0U}};
 2635|    102|  for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
  ------------------
  |  Branch (2635:31): [True: 51, False: 51]
  ------------------
 2636|     51|    size_t i0 = i;
 2637|     51|    if (last_len > (size_t)0U) {
  ------------------
  |  Branch (2637:9): [True: 51, False: 0]
  ------------------
 2638|     51|      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
  ------------------
  |  |  113|     51|  EURYDICE_SLICE((t *)x, start, end)
  |  |  ------------------
  |  |  |  |   88|     51|  (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
  |  |  |  |  ------------------
  |  |  |  |  |  |   61|     51|#define CLITERAL(type) (type)
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2639|     51|          blocks[i0], (size_t)0U, last_len, uint8_t);
 2640|     51|      Eurydice_slice_copy(uu____0, last[i0], uint8_t);
  ------------------
  |  |  120|     51|  memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
  ------------------
 2641|     51|    }
 2642|     51|    blocks[i0][last_len] = 6U;
 2643|     51|    size_t uu____1 = i0;
 2644|     51|    size_t uu____2 = (size_t)136U - (size_t)1U;
 2645|     51|    blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
 2646|     51|  }
 2647|     51|  uint64_t(*uu____3)[5U] = s->st;
 2648|     51|  uint8_t uu____4[1U][200U];
 2649|     51|  memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
 2650|     51|  libcrux_sha3_portable_keccak_load_block_full_5a_d20(uu____3, uu____4);
 2651|     51|  libcrux_sha3_generic_keccak_keccakf1600_21(s);
 2652|     51|}
mlkem768.c:libcrux_ml_kem_types_from_05_f2:
  495|     51|libcrux_ml_kem_types_from_05_f2(uint8_t value[2400U]) {
  496|       |  /* Passing arrays by value in Rust generates a copy in C */
  497|     51|  uint8_t copy_of_value[2400U];
  498|     51|  memcpy(copy_of_value, value, (size_t)2400U * sizeof(uint8_t));
  499|     51|  libcrux_ml_kem_types_MlKemPrivateKey_55 lit;
  500|     51|  memcpy(lit.value, copy_of_value, (size_t)2400U * sizeof(uint8_t));
  501|     51|  return lit;
  502|     51|}
mlkem768.c:libcrux_ml_kem_types_from_17_35:
  480|     51|                                libcrux_ml_kem_types_MlKemPublicKey_15 pk) {
  481|     51|  return (
  482|     51|      CLITERAL(libcrux_ml_kem_mlkem768_MlKem768KeyPair){.sk = sk, .pk = pk});
  ------------------
  |  |   61|     51|#define CLITERAL(type) (type)
  ------------------
  483|     51|}
mlkem768.c:libcrux_ml_kem_types_from_b6_da:
  442|     51|libcrux_ml_kem_types_from_b6_da(uint8_t value[1184U]) {
  443|       |  /* Passing arrays by value in Rust generates a copy in C */
  444|     51|  uint8_t copy_of_value[1184U];
  445|     51|  memcpy(copy_of_value, value, (size_t)1184U * sizeof(uint8_t));
  446|     51|  libcrux_ml_kem_types_MlKemPublicKey_15 lit;
  447|     51|  memcpy(lit.value, copy_of_value, (size_t)1184U * sizeof(uint8_t));
  448|     51|  return lit;
  449|     51|}

list_append:
    /* Append `item` to the tail of `list`.
     *
     * A new m_list_elem is allocated with m_malloc(), records `item` and its
     * owning `list`, and is linked after the current last element; when the
     * list has no first element it becomes both first and last.
     *
     * NOTE(review): the m_malloc() result is dereferenced without a NULL check;
     * presumably m_malloc() never returns NULL - confirm against its definition.
     * NOTE(review): only the empty-list path was executed in this coverage run;
     * the non-empty path below shows a count of 0. */
    5|      1|void list_append(m_list *list, void *item) {
    6|      1|	m_list_elem *elem;
    7|       |	
    8|      1|	elem = m_malloc(sizeof(*elem));
    9|      1|	elem->item = item;
   10|      1|	elem->list = list;
   11|      1|	elem->next = NULL; /* the new element is always the tail */
   12|      1|	if (!list->first) { /* empty list: the new element is also the head */
  ------------------
  |  Branch (12:6): [True: 1, False: 0]
  ------------------
   13|      1|		list->first = elem;
   14|      1|		elem->prev = NULL;
   15|      1|	} else { /* non-empty list: chain the element after the current tail */
   16|      0|		elem->prev = list->last;
   17|      0|		list->last->next = elem;
   18|      0|	}
   19|      1|	list->last = elem;
   20|      1|}
list_new:
   /* Allocate an empty list and return it.
    *
    * Both `first` and `last` are set to NULL. The caller receives the pointer
    * returned by m_malloc().
    *
    * NOTE(review): the m_malloc() result is dereferenced without a NULL check;
    * presumably m_malloc() never returns NULL - confirm against its definition. */
   22|      3|m_list * list_new() {
   23|      3|	m_list *ret = m_malloc(sizeof(m_list));
   24|       |	ret->first = ret->last = NULL;
   25|      3|	return ret;
   26|      3|}

listeners_initialise:
   /* Set up the session's listener table with a single empty slot.
    *
    * ses.listeners is allocated to hold one pointer, ses.listensize is set to
    * 1 and the slot is set to NULL, which the loops over ses.listeners treat
    * as "no listener in this slot". */
   30|  3.33k|void listeners_initialise() {
   31|       |
   32|       |	/* just one slot to start with */
   33|  3.33k|	ses.listeners = (struct Listener**)m_malloc(sizeof(struct Listener*));
   34|  3.33k|	ses.listensize = 1;
   35|  3.33k|	ses.listeners[0] = NULL;
   36|       |
   37|  3.33k|}
set_listener_fds:
   /* Add every socket of every registered listener to `readfds`.
    *
    * Walks the ses.listensize slots of ses.listeners, skips NULL slots, and
    * calls FD_SET() for each of the listener's nsocks descriptors.
    *
    * NOTE(review): FD_SET() is undefined for a descriptor outside
    * [0, FD_SETSIZE); no range check is visible in this function, so the
    * bound presumably has to hold where the sockets are created - confirm.
    * NOTE(review): in this coverage run every slot was NULL, so the FD_SET
    * path has an execution count of 0. */
   39|  97.0k|void set_listener_fds(fd_set * readfds) {
   40|       |
   41|  97.0k|	unsigned int i, j;
   42|  97.0k|	struct Listener *listener;
   43|       |
   44|       |	/* check each in turn */
   45|   194k|	for (i = 0; i < ses.listensize; i++) {
  ------------------
  |  Branch (45:14): [True: 97.0k, False: 97.0k]
  ------------------
   46|  97.0k|		listener = ses.listeners[i];
   47|  97.0k|		if (listener != NULL) { /* NULL marks an unused slot */
  ------------------
  |  Branch (47:7): [True: 0, False: 97.0k]
  ------------------
   48|      0|			for (j = 0; j < listener->nsocks; j++) {
  ------------------
  |  Branch (48:16): [True: 0, False: 0]
  ------------------
   49|       |				FD_SET(listener->socks[j], readfds);
   50|      0|			}
   51|      0|		}
   52|  97.0k|	}
   53|  97.0k|}
handle_listeners:
   /* Dispatch readable listener sockets to their acceptor callbacks.
    *
    * For each non-NULL slot of ses.listeners, every socket of that listener
    * that is set in `readfds` is passed to listener->acceptor(listener, sock).
    *
    * NOTE(review): the inner loop keeps reading listener->nsocks and
    * listener->socks after each acceptor call; this assumes the acceptor does
    * not free its own listener - confirm against the acceptor implementations.
    * NOTE(review): in this coverage run every slot was NULL, so the acceptor
    * dispatch has an execution count of 0. */
   56|  93.6k|void handle_listeners(const fd_set * readfds) {
   57|       |
   58|  93.6k|	unsigned int i, j;
   59|  93.6k|	struct Listener *listener;
   60|  93.6k|	int sock;
   61|       |
   62|       |	/* check each in turn */
   63|   187k|	for (i = 0; i < ses.listensize; i++) {
  ------------------
  |  Branch (63:14): [True: 93.6k, False: 93.6k]
  ------------------
   64|  93.6k|		listener = ses.listeners[i];
   65|  93.6k|		if (listener != NULL) { /* NULL marks an unused slot */
  ------------------
  |  Branch (65:7): [True: 0, False: 93.6k]
  ------------------
   66|      0|			for (j = 0; j < listener->nsocks; j++) {
  ------------------
  |  Branch (66:16): [True: 0, False: 0]
  ------------------
   67|      0|				sock = listener->socks[j];
   68|      0|				if (FD_ISSET(sock, readfds)) { /* only sockets reported readable */
  ------------------
  |  Branch (68:9): [True: 0, False: 0]
  ------------------
   69|      0|					listener->acceptor(listener, sock);
   70|      0|				}
   71|      0|			}
   72|      0|		}
   73|  93.6k|	}
   74|  93.6k|} /* Woo brace matching */
remove_all_listeners:
  /* Remove every registered listener and release the listener table.
   *
   * Each non-NULL slot of ses.listeners is passed to remove_listener(); the
   * table itself is then released with m_free(), which (per the macro
   * expansion shown below) also sets ses.listeners to NULL.
   *
   * NOTE(review): ses.listensize is not reset here, so a later loop over
   * ses.listeners would index a NULL table unless listeners_initialise() runs
   * first - confirm the call order in the session teardown/setup code. */
  166|  3.33k|void remove_all_listeners(void) {
  167|  3.33k|	unsigned int i;
  168|  6.66k|	for (i = 0; i < ses.listensize; i++) {
  ------------------
  |  Branch (168:14): [True: 3.33k, False: 3.33k]
  ------------------
  169|  3.33k|		if (ses.listeners[i]) { /* skip unused slots */
  ------------------
  |  Branch (169:7): [True: 0, False: 3.33k]
  ------------------
  170|      0|			remove_listener(ses.listeners[i]);
  171|      0|		}
  172|  3.33k|	}
  173|       |	m_free(ses.listeners); /* frees the table and NULLs the pointer */
  ------------------
  |  |   24|  3.33k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 3.33k]
  |  |  ------------------
  ------------------
  174|  3.33k|}

dropbear_prng_read:
   70|    633|{
   /* PRNG read hook: fill `out` with `outlen` bytes from genrandom() and
    * report `outlen` as the number of bytes produced. The parameter
    * declarations are outside the lines shown in this listing.
    *
    * NOTE(review): LTC_ARGCHK only calls crypt_argchk() when `out` is NULL
    * and then falls through (see the macro expansion below); the NULL guard
    * therefore relies on crypt_argchk() not returning - confirm. */
   71|    633|   LTC_ARGCHK(out != NULL);
  ------------------
  |  |   32|    633|#define LTC_ARGCHK(x) do { if (!(x)) { crypt_argchk(#x, __FILE__, __LINE__); } }while(0)
  |  |  ------------------
  |  |  |  Branch (32:32): [True: 0, False: 633]
  |  |  |  Branch (32:87): [Folded, False: 633]
  |  |  ------------------
  ------------------
   72|    633|   genrandom(out, outlen);
   73|    633|   return outlen; /* always reports the full requested length */
   74|    633|}

crypto_kem_mlkem768_keypair:
   59|     51|{
   /* Generate an ML-KEM-768 key pair into the caller's `pk` and `sk` buffers
    * and return 0. The parameter declarations are outside the lines shown in
    * this listing; the memcpy() calls below write
    * crypto_kem_mlkem768_PUBLICKEYBYTES (1184) bytes to `pk` and
    * crypto_kem_mlkem768_SECRETKEYBYTES (2400) bytes to `sk`, so the caller
    * must supply buffers of at least those sizes.
    *
    * Key-generation randomness comes from genrandom(). Both the random seed
    * and the local key-pair struct are passed to m_burn() before returning,
    * so that (presumably - confirm m_burn zeroizes) no copy of the seed or
    * the secret key is left in this stack frame. */
   60|     51|	unsigned char rnd[LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN];
   61|     51|	struct libcrux_mlkem768_keypair keypair;
   62|       |
   /* Compile-time check that the library's key sizes match the wrapper's
    * constants, so the fixed-length memcpy() calls cannot over-read. */
   63|     51|	static_assert(sizeof(keypair.sk.value) == crypto_kem_mlkem768_SECRETKEYBYTES, "len");
   64|     51|	static_assert(sizeof(keypair.pk.value) == crypto_kem_mlkem768_PUBLICKEYBYTES, "len");
   65|       |
   66|     51|	genrandom(rnd, sizeof(rnd));
   67|     51|	keypair = libcrux_ml_kem_mlkem768_portable_generate_key_pair(rnd);
   68|     51|	memcpy(pk, keypair.pk.value, crypto_kem_mlkem768_PUBLICKEYBYTES);
  ------------------
  |  |    3|     51|#define crypto_kem_mlkem768_PUBLICKEYBYTES 1184
  ------------------
   69|     51|	memcpy(sk, keypair.sk.value, crypto_kem_mlkem768_SECRETKEYBYTES);
  ------------------
  |  |    4|     51|#define crypto_kem_mlkem768_SECRETKEYBYTES 2400
  ------------------
   70|     51|	m_burn(rnd, sizeof(rnd)); /* discard the key-generation seed */
   71|     51|	m_burn(&keypair, sizeof(keypair)); /* discard the local copy of the secret key */
   72|     51|	return 0;
   73|     51|}

remove_connect_pending:
  /* Drop every pending outbound connection of the session.
   *
   * Repeatedly takes the first element of ses.conn_pending and passes its
   * connection and list element to remove_connect().
   *
   * NOTE(review): the loop terminates only if remove_connect() unlinks the
   * element from ses.conn_pending - presumably it does; confirm.
   * NOTE(review): the list was empty on every call in this coverage run, so
   * the loop body has an execution count of 0. */
  291|  3.33k|void remove_connect_pending() {
  292|  3.33k|	while (ses.conn_pending.first) {
  ------------------
  |  Branch (292:9): [True: 0, False: 3.33k]
  ------------------
  293|      0|		struct dropbear_progress_connection *c = ses.conn_pending.first->item;
  294|      0|		remove_connect(c, ses.conn_pending.first);
  295|      0|	}
  296|  3.33k|}
set_connect_fds:
  /* Start or continue each pending outbound connection and register its
   * socket in `writefd`.
   *
   * For every element of ses.conn_pending: connect_try_next() is called
   * while the connection has no socket (sock < 0) and res_iter is non-NULL.
   * If a socket results it is added to `writefd`; otherwise the connection
   * has failed for good: a default error string is filled in when none is
   * set, the callback is invoked with DROPBEAR_FAILURE and socket -1, and the
   * entry is removed with remove_connect().
   *
   * NOTE(review): FD_SET() is undefined for a descriptor outside
   * [0, FD_SETSIZE); no range check is visible in this function - confirm the
   * bound is enforced where the socket is created.
   * NOTE(review): the list was empty on every call in this coverage run, so
   * the loop body has an execution count of 0. */
  299|  97.0k|void set_connect_fds(fd_set *writefd) {
  300|  97.0k|	m_list_elem *iter;
  301|  97.0k|	iter = ses.conn_pending.first;
  302|  97.0k|	while (iter) {
  ------------------
  |  Branch (302:9): [True: 0, False: 97.0k]
  ------------------
  303|      0|		m_list_elem *next_iter = iter->next; /* saved first: remove_connect() below may be called on iter */
  304|      0|		struct dropbear_progress_connection *c = iter->item;
  305|       |		/* Set one going */
  306|      0|		while (c->res_iter && c->sock < 0) {
  ------------------
  |  Branch (306:10): [True: 0, False: 0]
  |  Branch (306:25): [True: 0, False: 0]
  ------------------
  307|      0|			connect_try_next(c);
  308|      0|		}
  309|      0|		if (c->sock >= 0) {
  ------------------
  |  Branch (309:7): [True: 0, False: 0]
  ------------------
  310|      0|			FD_SET(c->sock, writefd);
  311|      0|		} else {
  312|       |			/* Final failure */
  313|      0|			if (!c->errstring) {
  ------------------
  |  Branch (313:8): [True: 0, False: 0]
  ------------------
  314|      0|				c->errstring = m_strdup("unexpected failure");
  315|      0|			}
  316|      0|			c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring);
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  317|      0|			remove_connect(c, iter);
  318|      0|		}
  319|      0|		iter = next_iter;
  320|      0|	}
  321|  97.0k|}
handle_connect_fds:
  /* Resolve the outcome of pending outbound connections whose socket is set
   * in `writefd`.
   *
   * Entries without a socket, or whose socket is not set in `writefd`, are
   * skipped. For the rest, SO_ERROR is read with getsockopt():
   *   - getsockopt() itself fails: the socket is closed and c->sock is set
   *     to -1;
   *   - SO_ERROR is non-zero: the socket is closed, c->sock is set to -1 and
   *     c->errstring is replaced with strerror() of that value;
   *   - SO_ERROR is zero: the callback is invoked with DROPBEAR_SUCCESS and
   *     the socket, the entry is removed and the function returns.
   * In the two failure cases the entry stays in ses.conn_pending with
   * sock < 0, which is the state set_connect_fds() tests before calling
   * connect_try_next().
   *
   * At most one successful connection is completed per call, because the
   * success path returns right after remove_connect().
   *
   * NOTE(review): the list was empty on every call in this coverage run, so
   * the loop body has an execution count of 0. */
  323|  93.6k|void handle_connect_fds(const fd_set *writefd) {
  324|  93.6k|	m_list_elem *iter;
  325|  93.6k|	for (iter = ses.conn_pending.first; iter; iter = iter->next) {
  ------------------
  |  Branch (325:38): [True: 0, False: 93.6k]
  ------------------
  326|      0|		int val;
  327|      0|		socklen_t vallen = sizeof(val);
  328|      0|		struct dropbear_progress_connection *c = iter->item;
  329|       |
  330|      0|		if (c->sock < 0 || !FD_ISSET(c->sock, writefd)) {
  ------------------
  |  Branch (330:7): [True: 0, False: 0]
  |  Branch (330:22): [True: 0, False: 0]
  ------------------
  331|      0|			continue;
  332|      0|		}
  333|       |
  334|      0|		TRACE(("handling %s port %s socket %d", c->remotehost, c->remoteport, c->sock));
  335|       |
  336|      0|		if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) {
  ------------------
  |  Branch (336:7): [True: 0, False: 0]
  ------------------
  337|      0|			TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno)))
  338|       |			/* This isn't expected to happen - Unix has surprises though, continue gracefully. */
  339|      0|			m_close(c->sock);
  340|      0|			c->sock = -1;
  341|      0|		} else if (val != 0) {
  ------------------
  |  Branch (341:14): [True: 0, False: 0]
  ------------------
  342|       |			/* Connect failed */
  343|      0|			TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport))
  344|      0|			m_close(c->sock);
  345|      0|			c->sock = -1;
  346|       |
  347|      0|			m_free(c->errstring); /* release any earlier message before storing the new one */
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  348|      0|			c->errstring = m_strdup(strerror(val));
  349|      0|		} else {
  350|       |			/* New connection has been established */
  351|      0|			c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, NULL);
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  352|      0|			remove_connect(c, iter);
  353|      0|			TRACE(("leave handle_connect_fds - success"))
  354|       |			/* Must return here - remove_connect() invalidates iter */
  355|      0|			return; 
  356|      0|		}
  357|      0|	}
  358|  93.6k|}
packet_queue_to_iovec:
/* Fill iov[] with the unsent portion of the buffers at the head of queue.
 *
 * iov_count is in/out: on entry it is the capacity of iov[], on return it is
 * the number of entries filled, which is the smallest of the queue length,
 * IOV_MAX and the capacity passed in.
 *
 * The queue is not modified; the iovec entries point into the queued
 * buffers, so they are only valid while those buffers stay queued. Every
 * queued buffer must have unsent data left (asserted). */
void packet_queue_to_iovec(const struct Queue *queue, struct iovec *iov, unsigned int *iov_count) {
	struct Link *node;
	unsigned int idx;
	int len;
	buffer *pending;

	/* Platforms that don't define IOV_MAX get a fallback limit */
#ifndef IOV_MAX
	#if (defined(__CYGWIN__) || defined(__GNU__)) && !defined(UIO_MAXIOV)
		#define IOV_MAX 1024
	#elif defined(__sgi)
		#define IOV_MAX 512
	#else
		#define IOV_MAX UIO_MAXIOV
	#endif
#endif

	/* Never produce more entries than the queue holds, the platform allows,
	 * or the caller's array can take */
	*iov_count = MIN(MIN(queue->count, IOV_MAX), *iov_count);

	node = queue->head;
	idx = 0;
	while (idx < *iov_count) {
		pending = (buffer*)node->item;
		/* bytes between the current position and the end of the buffer */
		len = pending->len - pending->pos;
		dropbear_assert(len > 0);
		TRACE2(("write_packet writev #%d len %d/%d", idx,
				len, pending->len))
		iov[idx].iov_base = buf_getptr(pending, len);
		iov[idx].iov_len = len;

		node = node->link;
		idx++;
	}
}
packet_queue_consume:
/* Account for `written` bytes having been sent from the head of queue.
 *
 * Buffers that were sent completely are dequeued and freed; a buffer that was
 * only partly sent stays at the head with its position advanced by the
 * number of bytes sent. A value of written <= 0 leaves the queue untouched.
 *
 * `written` is expected to be no larger than the data queued; the loop calls
 * examine() for as long as bytes remain to be accounted for. */
void packet_queue_consume(struct Queue *queue, ssize_t written) {
	while (written > 0) {
		buffer *head = (buffer*)examine(queue);
		int unsent = head->len - head->pos;

		if (unsent <= written) {
			/* the whole head buffer went out: release it and keep going */
			written -= unsent;
			dequeue(queue);
			buf_free(head);
			continue;
		}

		/* partial buffer write: remember how far we got and stop */
		buf_incrpos(head, written);
		written = 0;
	}
}
set_sock_priority:
/* Apply a traffic priority to sock, best effort.
 *
 * Depending on what the platform headers provide, this sets the IPv6 traffic
 * class and IPv4 TOS (unless opts.disable_ip_tos is set), and the Linux
 * SO_PRIORITY queueing class. Failures are only traced, never fatal, and
 * ENOTSOCK is not even traced so that the function can be called on a
 * client '-J' proxy pipe.
 *
 * When built with DROPBEAR_FUZZ and fuzz.fuzzing is set, the function returns
 * before touching the descriptor.
 *
 * NOTE(review): in the coverage listing this code was taken from, every call
 * took that early return, so the setsockopt() calls below had no coverage
 * from that fuzz run. */
void set_sock_priority(int sock, enum dropbear_prio prio) {

	int rc;
	int val;

#if DROPBEAR_FUZZ
	if (fuzz.fuzzing) {
		TRACE(("fuzzing skips set_sock_prio"))
		return;
	}
#endif

	if (!opts.disable_ip_tos) {
#ifdef IP_TOS
		/* Set the DSCP field for outbound IP packet priority.
		rfc4594 has some guidance to meanings.

		AF21 is used as the "Low-Latency" class for interactive traffic
		(tty session, also handshake/setup packets). Other traffic is
		left at the default.

		OpenSSH at present uses AF21/CS1, rationale
		https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284

		Old Dropbear/OpenSSH and Debian/Ubuntu OpenSSH (at Jan 2022) use
		IPTOS_LOWDELAY/IPTOS_THROUGHPUT

		DSCP constants are from Linux headers, applicable to other
		platforms such as macos.
		*/
		val = (prio == DROPBEAR_PRIO_LOWDELAY)
			? 0x48 /* IPTOS_DSCP_AF21 */
			: 0;   /* default */
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
		/* attempted on every socket; a failure here is only traced */
		rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&val, sizeof(val));
		if (rc < 0 && errno != ENOTSOCK) {
			TRACE(("Couldn't set IPV6_TCLASS (%s)", strerror(errno)));
		}
#endif
		rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val));
		if (rc < 0 && errno != ENOTSOCK) {
			TRACE(("Couldn't set IP_TOS (%s)", strerror(errno)));
		}
#endif /* IP_TOS */
	}

#ifdef HAVE_LINUX_PKT_SCHED_H
	/* Scheduling priority within the local Linux network stack.
	 * Linux specific, sets the QoS class, see tc-prio(8). */
	val = (prio == DROPBEAR_PRIO_LOWDELAY) ? TC_PRIO_INTERACTIVE : 0;
	rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val));
	if (rc < 0 && errno != ENOTSOCK) {
		TRACE(("Couldn't set SO_PRIORITY (%s)", strerror(errno)))
	}
#endif

}

write_packet:
/* Send as much of ses.writequeue as the output socket will take.
 *
 * The queue must not be empty (asserted). Two builds exist:
 *   - with writev(): up to 50 queued buffers are gathered into one writev()
 *     call and packet_queue_consume() then drops what was sent;
 *   - without writev(): only the buffer at the head of the queue is written.
 *
 * EINTR and EAGAIN return without changing the queue; any other write error
 * ends the session through dropbear_exit(). A write of 0 bytes is reported
 * through ses.remoteclosed(). ses.writequeue_len is reduced by the number of
 * bytes written.
 *
 * NOTE(review): in the coverage listing this code was taken from, only the
 * fuzzing branch ran; the real writev() call and its error handling had no
 * hits in that run. */
void write_packet() {

	ssize_t written;
#if defined(HAVE_WRITEV) && (defined(IOV_MAX) || defined(UIO_MAXIOV))
	/* 50 is somewhat arbitrary */
	unsigned int iov_count = 50;
	struct iovec iov[50];
#else
	int len;
	buffer* writebuf;
#endif
	
	TRACE2(("enter write_packet"))
	dropbear_assert(!isempty(&ses.writequeue));

#if defined(HAVE_WRITEV) && (defined(IOV_MAX) || defined(UIO_MAXIOV))

	/* iov_count goes in as the capacity of iov[] and comes back as the
	 * number of entries actually filled */
	packet_queue_to_iovec(&ses.writequeue, iov, &iov_count);
	/* This may return EAGAIN. The main loop sometimes
	calls write_packet() without bothering to test with select() since
	it's likely to be necessary */
#if DROPBEAR_FUZZ
	if (fuzz.fuzzing) {
		/* pretend to write one packet at a time */
		/* TODO(fuzz): randomise amount written based on the fuzz input */
		/* No descriptor is written here: the first queued buffer is simply
		 * treated as fully sent, so partial writes are never simulated */
		written = iov[0].iov_len;
	}
	else
#endif
	{
	written = writev(ses.sock_out, iov, iov_count);
	if (written < 0) {
		if (errno == EINTR || errno == EAGAIN) {
			/* the trace text says EINTR but EAGAIN takes this path too */
			TRACE2(("leave write_packet: EINTR"))
			return;
		} else {
			dropbear_exit("Error writing: %s", strerror(errno));
		}
	}
	}

	/* written is >= 0 from here on */
	packet_queue_consume(&ses.writequeue, written);
	ses.writequeue_len -= written;

	if (written == 0) {
		ses.remoteclosed();
	}

#else /* No writev () */
#if DROPBEAR_FUZZ
	/* a fuzzing build without writev() is rejected at compile time */
	_Static_assert(0, "No fuzzing code for no-writev writes");
#endif
	/* Get the next buffer in the queue of encrypted packets to write*/
	writebuf = (buffer*)examine(&ses.writequeue);

	len = writebuf->len - writebuf->pos;
	dropbear_assert(len > 0);
	/* Try to write as much as possible */
	written = write(ses.sock_out, buf_getptr(writebuf, len), len);

	if (written < 0) {
		if (errno == EINTR || errno == EAGAIN) {
			TRACE2(("leave writepacket: EINTR"))
			return;
		} else {
			dropbear_exit("Error writing: %s", strerror(errno));
		}
	} 

	if (written == 0) {
		ses.remoteclosed();
	}

	ses.writequeue_len -= written;

	if (written == len) {
		/* We've finished with the packet, free it */
		dequeue(&ses.writequeue);
		buf_free(writebuf);
		writebuf = NULL;
	} else {
		/* More packet left to write, leave it in the queue for later */
		buf_incrpos(writebuf, written);
	}
#endif /* writev */

	TRACE2(("leave write_packet"))
}
read_packet:
/* Read more of the current incoming packet from ses.sock_in and, once the
 * whole packet is in ses.readbuf, pass it to decrypt_packet().
 *
 * A packet is read in two stages. While the first cipher block is still
 * incomplete, read_packet_init() is called to read it and size the packet;
 * if that returns DROPBEAR_FAILURE the function returns and is expected to
 * be called again later. Afterwards the remainder of the packet is read in
 * one read() call, which may return fewer bytes than requested.
 *
 * A read of 0 bytes is reported through ses.remoteclosed(). EINTR and EAGAIN
 * return quietly; any other read error ends the session through
 * dropbear_exit(). */
void read_packet() {

	unsigned char blocksize;
	unsigned int remaining;
	int nread = 0;

	TRACE2(("enter read_packet"))
	blocksize = ses.keys->recv.algo_crypt->blocksize;

	if (ses.readbuf == NULL || ses.readbuf->len < blocksize) {
		/* Still inside the first block of a packet: read it so that the
		 * length of the whole packet can be determined */
		if (read_packet_init() == DROPBEAR_FAILURE) {
			/* didn't read enough to determine the length */
			TRACE2(("leave read_packet: packetinit done"))
			return;
		}
	}

	/* Bytes of this packet still missing. Zero happens when the packet is
	 * a single block long and read_packet_init() already read all of it,
	 * which usually means that MAC is disabled. */
	remaining = ses.readbuf->len - ses.readbuf->pos;

	if (remaining != 0) {
		/* Try for the rest of the packet; there may be nothing available
		 * yet (EAGAIN) */
		nread = read(ses.sock_in, buf_getptr(ses.readbuf, remaining), remaining);

		if (nread == 0) {
			ses.remoteclosed();
		}

		if (nread < 0) {
			if (errno == EINTR || errno == EAGAIN) {
				TRACE2(("leave read_packet: EINTR or EAGAIN"))
				return;
			} else {
				dropbear_exit("Error reading: %s", strerror(errno));
			}
		}

		buf_incrpos(ses.readbuf, nread);
	}

	if ((unsigned int)nread == remaining) {
		/* The whole packet has been read. The main select() loop calls
		 * process_packet() afterwards to handle the contents. */
		decrypt_packet();
	}
	TRACE2(("leave read_packet"))
}
decrypt_packet:
/* Decrypt and authenticate the complete packet held in ses.readbuf, then
 * publish its payload as ses.payload.
 *
 * On success ses.payload points at the payload (decompressed first when
 * receive compression is active), ses.readbuf is NULL and ses.recvseq has
 * been incremented. Every failure (decryption error, MAC mismatch, payload
 * length out of range) ends the session through dropbear_exit().
 *
 * The packet length was already taken from the first block by
 * read_packet_init(), i.e. before the integrity check performed here. */
void decrypt_packet() {

	unsigned char blocksize;
	unsigned char macsize;
	unsigned int padlen;
	unsigned int len;

	TRACE2(("enter decrypt_packet"))
	blocksize = ses.keys->recv.algo_crypt->blocksize;
	macsize = ses.keys->recv.algo_mac->hashsize;

	/* running count of received bytes kept in the key exchange state */
	ses.kexstate.datarecv += ses.readbuf->len;

#if DROPBEAR_AEAD_MODE
	/* NOTE(review): in the coverage listing this code was taken from, this
	 * AEAD branch was never taken; only the cipher+MAC branch below ran. */
	if (ses.keys->recv.crypt_mode->aead_crypt) {
		/* first blocksize is not decrypted yet */
		buf_setpos(ses.readbuf, 0);

		/* decrypt it in-place */
		/* The one aead_crypt() call is given both data and tag (len +
		 * macsize bytes) and there is no separate checkmac() on this path;
		 * presumably the tag is verified inside aead_crypt() - confirm
		 * against the cipher mode implementation. */
		len = ses.readbuf->len - macsize - ses.readbuf->pos;
		if (ses.keys->recv.crypt_mode->aead_crypt(ses.recvseq,
					buf_getptr(ses.readbuf, len + macsize),
					buf_getwriteptr(ses.readbuf, len),
					len, macsize,
					&ses.keys->recv.cipher_state, LTC_DECRYPT) != CRYPT_OK) {
			dropbear_exit("Error decrypting");
		}
		buf_incrpos(ses.readbuf, len);
	} else
#endif
	{
		/* we've already decrypted the first blocksize in read_packet_init */
		buf_setpos(ses.readbuf, blocksize);

		/* decrypt it in-place */
		/* everything between the first block and the trailing MAC */
		len = ses.readbuf->len - macsize - ses.readbuf->pos;
		if (ses.keys->recv.crypt_mode->decrypt(
					buf_getptr(ses.readbuf, len), 
					buf_getwriteptr(ses.readbuf, len),
					len,
					&ses.keys->recv.cipher_state) != CRYPT_OK) {
			dropbear_exit("Error decrypting");
		}
		buf_incrpos(ses.readbuf, len);

		/* check the hmac */
		/* The MAC is checked only after decryption, and before padlen or
		 * the payload are looked at. */
		if (checkmac() != DROPBEAR_SUCCESS) {
			dropbear_exit("Integrity error");
		}

	}
	
#if DROPBEAR_FUZZ
	/* fuzzing builds hand the decrypted packet to fuzz_dump() */
	fuzz_dump(ses.readbuf->data, ses.readbuf->len);
#endif

	/* get padding length */
	buf_setpos(ses.readbuf, PACKET_PADDING_OFF);
	padlen = buf_getbyte(ses.readbuf);
		
	/* payload length */
	/* - 4 - 1 is for LEN and PADLEN values */
	/* len is unsigned, so a padlen larger than the packet allows does not
	 * go negative; assuming readbuf->len is unsigned as well (the buffer
	 * struct is not shown here) the subtraction wraps to a very large
	 * value, which the upper bound below rejects. */
	len = ses.readbuf->len - padlen - 4 - 1 - macsize;
	if ((len > RECV_MAX_PAYLOAD_LEN+ZLIB_COMPRESS_EXPANSION) || (len < 1)) {
		dropbear_exit("Bad packet size %u", len);
	}

	buf_setpos(ses.readbuf, PACKET_PAYLOAD_OFF);

#ifndef DISABLE_ZLIB
	if (is_compress_recv()) {
		/* decompress */
		/* the payload becomes a new buffer and the raw packet is released */
		ses.payload = buf_decompress(ses.readbuf, len);
		buf_setpos(ses.payload, 0);
		ses.payload_beginning = 0;
		buf_free(ses.readbuf);
	} else 
#endif
	{
		/* no copy: the payload is the read buffer itself, positioned at the
		 * payload and cut off after len bytes so that padding and MAC are
		 * no longer part of it */
		ses.payload = ses.readbuf;
		ses.payload_beginning = ses.payload->pos;
		buf_setlen(ses.payload, ses.payload->pos + len);
	}
	/* the buffer now belongs to ses.payload, or was freed above */
	ses.readbuf = NULL;

	ses.recvseq++;

	TRACE2(("leave decrypt_packet"))
}
maybe_flush_reply_queue:
/* Send the packets that were held back on the reply queue, if sending
 * ordinary data is allowed again.
 *
 * Does nothing while ses.dataallowed is unset. Otherwise each queued payload
 * is copied into ses.writepayload and passed to encrypt_packet(), the queue
 * entry and its payload buffer are freed, and the queue is left empty. */
void maybe_flush_reply_queue() {
	struct packetlist *done = NULL, *item = NULL;

	if (!ses.dataallowed) {
		TRACE(("maybe_empty_reply_queue - no data allowed"))
		return;
	}

	item = ses.reply_queue_head;
	while (item) {
		CHECKCLEARTOWRITE();
		buf_putbytes(ses.writepayload,
			item->payload->data, item->payload->len);

		/* the payload has been copied, release it and its list entry,
		 * stepping to the next entry before this one is freed */
		buf_free(item->payload);
		done = item;
		item = item->next;
		m_free(done);
		encrypt_packet();
	}
	ses.reply_queue_head = ses.reply_queue_tail = NULL;
}
encrypt_packet:
/* Turn the payload in ses.writepayload into an encrypted packet and queue it
 * for transmission.
 *
 * The first payload byte is the packet type. While ses.dataallowed is unset
 * and packet_is_okay_kex() rejects that type, the payload is parked with
 * enqueue_reply_packet() and nothing is encrypted. Otherwise a new buffer is
 * built (length, padding length, payload - compressed if enabled - and random
 * padding), protected with either the AEAD mode or MAC plus cipher, and
 * handed to writebuf_enqueue(). ses.writepayload is reset to empty,
 * ses.transseq is incremented and the last-packet timestamps are updated.
 *
 * An encryption failure ends the session through dropbear_exit(). */
void encrypt_packet() {

	unsigned char padlen;
	unsigned char blocksize, mac_size;
	buffer * writebuf; /* the packet which will go on the wire. This is 
	                      encrypted in-place. */
	unsigned char packet_type;
	unsigned int len, encrypt_buf_size;
	unsigned char mac_bytes[MAX_MAC_LEN];

	time_t now;
	
	TRACE2(("enter encrypt_packet()"))

	/* peek at the packet type without consuming it */
	buf_setpos(ses.writepayload, 0);
	packet_type = buf_getbyte(ses.writepayload);
	buf_setpos(ses.writepayload, 0);

	TRACE2(("encrypt_packet type is %d", packet_type))
	
	if ((!ses.dataallowed && !packet_is_okay_kex(packet_type))) {
		/* During key exchange only particular packets are allowed.
			Since this packet_type isn't OK we just enqueue it to send 
			after the KEX, see maybe_flush_reply_queue */
		enqueue_reply_packet();
		return;
	}
		
	blocksize = ses.keys->trans.algo_crypt->blocksize;
	mac_size = ses.keys->trans.algo_mac->hashsize;

	/* Encrypted packet len is payload+5. We need to then make sure
	 * there is enough space for padding or MIN_PACKET_LEN. 
	 * Add extra 3 since we need at least 4 bytes of padding */
	encrypt_buf_size = (ses.writepayload->len+4+1) 
		+ MAX(MIN_PACKET_LEN, blocksize) + 3
	/* add space for the MAC at the end */
				+ mac_size
#ifndef DISABLE_ZLIB
	/* some extra in case 'compression' makes it larger */
				+ ZLIB_COMPRESS_EXPANSION
#endif
	/* and an extra cleartext (stripped before transmission) byte for the
	 * packet type */
				+ 1;

	/* leave room at the front for the length and padding-length fields,
	 * which are filled in once the padding is known */
	writebuf = buf_new(encrypt_buf_size);
	buf_setlen(writebuf, PACKET_PAYLOAD_OFF);
	buf_setpos(writebuf, PACKET_PAYLOAD_OFF);

#ifndef DISABLE_ZLIB
	/* compression */
	if (is_compress_trans()) {
		buf_compress(writebuf, ses.writepayload, ses.writepayload->len);
	} else
#endif
	{
		memcpy(buf_getwriteptr(writebuf, ses.writepayload->len),
				buf_getptr(ses.writepayload, ses.writepayload->len),
				ses.writepayload->len);
		buf_incrwritepos(writebuf, ses.writepayload->len);
	}

	/* finished with payload */
	buf_setpos(ses.writepayload, 0);
	buf_setlen(ses.writepayload, 0);

	/* length of padding - packet length excluding the packetlength uint32
	 * field in aead mode must be a multiple of blocksize, with a minimum of
	 * 4 bytes of padding */
	len = writebuf->len;
#if DROPBEAR_AEAD_MODE
	if (ses.keys->trans.crypt_mode->aead_crypt) {
		len -= 4;
	}
#endif
	/* padlen is an unsigned char, as is blocksize; the additions below
	 * assume the sum stays within that range - TODO confirm the largest
	 * blocksize a cipher can report */
	padlen = blocksize - len % blocksize;
	if (padlen < 4) {
		padlen += blocksize;
	}
	/* check for min packet length */
	if (writebuf->len + padlen < MIN_PACKET_LEN) {
		padlen += blocksize;
	}

	buf_setpos(writebuf, 0);
	/* packet length excluding the packetlength uint32 */
	buf_putint(writebuf, writebuf->len + padlen - 4);

	/* padding len */
	buf_putbyte(writebuf, padlen);
	/* actual padding */
	/* the padding bytes come from genrandom() rather than being constant */
	buf_setpos(writebuf, writebuf->len);
	buf_incrlen(writebuf, padlen);
	genrandom(buf_getptr(writebuf, padlen), padlen);

#if DROPBEAR_AEAD_MODE
	/* NOTE(review): in the coverage listing this code was taken from, this
	 * AEAD branch was never taken; only the MAC plus cipher branch ran. */
	if (ses.keys->trans.crypt_mode->aead_crypt) {
		/* do the actual encryption, in-place */
		buf_setpos(writebuf, 0);
		/* encrypt it in-place*/
		len = writebuf->len;
		/* grow the buffer first so that the call can write mac_size bytes
		 * after the data */
		buf_incrlen(writebuf, mac_size);
		if (ses.keys->trans.crypt_mode->aead_crypt(ses.transseq,
					buf_getptr(writebuf, len),
					buf_getwriteptr(writebuf, len + mac_size),
					len, mac_size,
					&ses.keys->trans.cipher_state, LTC_ENCRYPT) != CRYPT_OK) {
			dropbear_exit("Error encrypting");
		}
		buf_incrpos(writebuf, len + mac_size);
	} else
#endif
	{
		/* The MAC is computed here, over the packet as it is before
		 * encryption, and appended after the ciphertext further down. */
		make_mac(ses.transseq, &ses.keys->trans, writebuf, writebuf->len, mac_bytes);

		/* do the actual encryption, in-place */
		buf_setpos(writebuf, 0);
		/* encrypt it in-place*/
		len = writebuf->len;
		if (ses.keys->trans.crypt_mode->encrypt(
					buf_getptr(writebuf, len),
					buf_getwriteptr(writebuf, len),
					len,
					&ses.keys->trans.cipher_state) != CRYPT_OK) {
			dropbear_exit("Error encrypting");
		}
		buf_incrpos(writebuf, len);

		/* stick the MAC on it */
		buf_putbytes(writebuf, mac_bytes, mac_size);
	}

	/* Update counts */
	ses.kexstate.datatrans += writebuf->len;

	/* writebuf is owned by the write queue from here on */
	writebuf_enqueue(writebuf);

	/* Update counts */
	ses.transseq++;

	now = monotonic_now();
	ses.last_packet_time_any_sent = now;
	/* idle timeout shouldn't be affected by responses to keepalives.
	send_msg_keepalive() itself also does tricks with 
	ses.last_packet_idle_time - read that if modifying this code
	(the field assigned below is spelled last_packet_time_idle) */
	if (packet_type != SSH_MSG_REQUEST_FAILURE
		&& packet_type != SSH_MSG_UNIMPLEMENTED
		&& packet_type != SSH_MSG_IGNORE) {
		ses.last_packet_time_idle = now;

	}

	TRACE2(("leave encrypt_packet()"))
}
writebuf_enqueue:
/* Append a finished packet buffer to ses.writequeue.
 *
 * The buffer's position is rewound to 0 so that sending starts at its first
 * byte, and ses.writequeue_len grows by the buffer's length. The queue takes
 * over the buffer: it will get freed after transmission, so the caller must
 * not free it or use it afterwards. */
void writebuf_enqueue(buffer * writebuf) {
	/* sending starts from the beginning of the buffer */
	buf_setpos(writebuf, 0);

	enqueue(&ses.writequeue, writebuf);

	/* keep the running total of queued bytes in step with the queue */
	ses.writequeue_len += writebuf->len;
}
packet.c:read_packet_init:
  214|  53.9k|static int read_packet_init() {
  215|       |
  216|  53.9k|	unsigned int maxlen;
  217|  53.9k|	int slen;
  218|  53.9k|	unsigned int len, plen;
  219|  53.9k|	unsigned int blocksize;
  220|  53.9k|	unsigned int macsize;
  221|       |
  222|       |
  223|  53.9k|	blocksize = ses.keys->recv.algo_crypt->blocksize;
  224|  53.9k|	macsize = ses.keys->recv.algo_mac->hashsize;
  225|       |
  226|  53.9k|	if (ses.readbuf == NULL) {
  ------------------
  |  Branch (226:6): [True: 20.1k, False: 33.7k]
  ------------------
  227|       |		/* start of a new packet */
  228|  20.1k|		ses.readbuf = buf_new(INIT_READBUF);
  ------------------
  |  |   51|  20.1k|#define INIT_READBUF 128
  ------------------
  229|  20.1k|	}
  230|       |
  231|  53.9k|	maxlen = blocksize - ses.readbuf->pos;
  232|       |			
  233|       |	/* read the rest of the packet if possible */
  234|  53.9k|	slen = read(ses.sock_in, buf_getwriteptr(ses.readbuf, maxlen),
  ------------------
  |  |   55|  53.9k|#define read(fd, buf, count) wrapfd_read(fd, buf, count)
  ------------------
  235|  53.9k|			maxlen);
  236|  53.9k|	if (slen == 0) {
  ------------------
  |  Branch (236:6): [True: 545, False: 53.3k]
  ------------------
  237|    545|		ses.remoteclosed();
  238|    545|	}
  239|  53.9k|	if (slen < 0) {
  ------------------
  |  Branch (239:6): [True: 99, False: 53.8k]
  ------------------
  240|     99|		if (errno == EINTR || errno == EAGAIN) {
  ------------------
  |  Branch (240:7): [True: 94, False: 5]
  |  Branch (240:25): [True: 0, False: 5]
  ------------------
  241|     94|			TRACE2(("leave read_packet_init: EINTR"))
  242|     94|			return DROPBEAR_FAILURE;
  ------------------
  |  |  112|     94|#define DROPBEAR_FAILURE -1
  ------------------
  243|     94|		}
  244|      5|		dropbear_exit("Error reading: %s", strerror(errno));
  245|     99|	}
  246|       |
  247|  53.8k|	buf_incrwritepos(ses.readbuf, slen);
  248|       |
  249|  53.8k|	if ((unsigned int)slen != maxlen) {
  ------------------
  |  Branch (249:6): [True: 33.6k, False: 20.1k]
  ------------------
  250|       |		/* don't have enough bytes to determine length, get next time */
  251|  33.6k|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|  33.6k|#define DROPBEAR_FAILURE -1
  ------------------
  252|  33.6k|	}
  253|       |
  254|       |	/* now we have the first block, need to get packet length, so we decrypt
  255|       |	 * the first block (only need first 4 bytes) */
  256|  20.1k|	buf_setpos(ses.readbuf, 0);
  257|  20.1k|#if DROPBEAR_AEAD_MODE
  258|  20.1k|	if (ses.keys->recv.crypt_mode->aead_crypt) {
  ------------------
  |  Branch (258:6): [True: 0, False: 20.1k]
  ------------------
  259|      0|		if (ses.keys->recv.crypt_mode->aead_getlength(ses.recvseq,
  ------------------
  |  Branch (259:7): [True: 0, False: 0]
  ------------------
  260|      0|					buf_getptr(ses.readbuf, blocksize), &plen,
  261|      0|					blocksize,
  262|      0|					&ses.keys->recv.cipher_state) != CRYPT_OK) {
  263|      0|			dropbear_exit("Error decrypting");
  264|      0|		}
  265|      0|		len = plen + 4 + macsize;
  266|      0|	} else
  267|  20.1k|#endif
  268|  20.1k|	{
  269|  20.1k|		if (ses.keys->recv.crypt_mode->decrypt(buf_getptr(ses.readbuf, blocksize), 
  ------------------
  |  Branch (269:7): [True: 0, False: 20.1k]
  ------------------
  270|  20.1k|					buf_getwriteptr(ses.readbuf, blocksize),
  271|  20.1k|					blocksize,
  272|  20.1k|					&ses.keys->recv.cipher_state) != CRYPT_OK) {
  273|      0|			dropbear_exit("Error decrypting");
  274|      0|		}
  275|  20.1k|		plen = buf_getint(ses.readbuf) + 4;
  276|  20.1k|		len = plen + macsize;
  277|  20.1k|	}
  278|       |
  279|  20.1k|	TRACE2(("packet size is %u, block %u mac %u", len, blocksize, macsize))
  280|       |
  281|       |
  282|       |	/* check packet length */
  283|  20.1k|	if ((len > RECV_MAX_PACKET_LEN) ||
  ------------------
  |  |  243|  20.1k|#define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
  ------------------
  |  Branch (283:6): [True: 589, False: 19.5k]
  |  Branch (283:13): [True: 19.5k, Folded]
  ------------------
  284|  19.5k|		(plen < blocksize) ||
  ------------------
  |  Branch (284:3): [True: 5, False: 19.5k]
  ------------------
  285|  19.5k|		(plen % blocksize != 0)) {
  ------------------
  |  Branch (285:3): [True: 12, False: 19.5k]
  ------------------
  286|     61|		dropbear_exit("Integrity error (bad packet size %u)", len);
  287|     61|	}
  288|       |
  289|  20.0k|	if (len > ses.readbuf->size) {
  ------------------
  |  Branch (289:6): [True: 4.06k, False: 16.0k]
  ------------------
  290|  4.06k|		ses.readbuf = buf_resize(ses.readbuf, len);		
  291|  4.06k|	}
  292|  20.0k|	buf_setlen(ses.readbuf, len);
  293|  20.0k|	buf_setpos(ses.readbuf, blocksize);
  294|  20.0k|	return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|  20.0k|#define DROPBEAR_SUCCESS 0
  ------------------
  295|  20.1k|}
packet.c:checkmac:
  390|  19.4k|static int checkmac() {
     |       |	/* Check the MAC of the packet currently held in ses.readbuf.
     |       |	 *
     |       |	 * The expected MAC is computed with make_mac() over the first
     |       |	 * contents_len bytes of ses.readbuf, using ses.recvseq and the receive
     |       |	 * key state, and is compared with the mac_size bytes stored after
     |       |	 * them. Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
     |       |	 *
     |       |	 * NOTE(review): contents_len is an unsigned subtraction, so this relies
     |       |	 * on ses.readbuf->len >= mac_size; presumably the packet reader sets
     |       |	 * len to include the MAC before this is called - confirm. */
  391|       |
  392|  19.4k|	unsigned char mac_bytes[MAX_MAC_LEN];
  393|  19.4k|	unsigned int mac_size, contents_len;
  394|       |	
  395|  19.4k|	mac_size = ses.keys->recv.algo_mac->hashsize;
  396|  19.4k|	contents_len = ses.readbuf->len - mac_size;
  397|       |
  398|  19.4k|	buf_setpos(ses.readbuf, 0);
  399|  19.4k|	make_mac(ses.recvseq, &ses.keys->recv, ses.readbuf, contents_len, mac_bytes);
  400|       |
     |       |	/* Fuzzing builds only: when fuzz.fuzzing is set this branch returns
     |       |	 * before the received MAC is compared at all, so packets are accepted
     |       |	 * without authentication. DROPBEAR_FUZZ has to stay disabled in any
     |       |	 * build that talks to a real peer. */
  401|  19.4k|#if DROPBEAR_FUZZ
  402|  19.4k|	if (fuzz.fuzzing) {
  ------------------
  |  Branch (402:6): [True: 19.4k, False: 0]
  ------------------
  403|       |	 	/* fail 1 in 2000 times to test error path. */
     |       |		/* value is taken from the computed MAC only when mac_size exceeds
     |       |		 * sizeof(value); otherwise it stays 0 and 0 % 2000 != 99, so the
     |       |		 * injected failure cannot trigger. The counts in this report show
     |       |		 * that the failure path was never taken in this run. */
  404|  19.4k|		unsigned int value = 0;
  405|  19.4k|		if (mac_size > sizeof(value)) {
  ------------------
  |  Branch (405:7): [True: 0, False: 19.4k]
  ------------------
  406|      0|			memcpy(&value, mac_bytes, sizeof(value));
  407|      0|		}
  408|  19.4k|		if (value % 2000 == 99) {
  ------------------
  |  Branch (408:7): [True: 0, False: 19.4k]
  ------------------
  409|      0|			return DROPBEAR_FAILURE;
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  410|      0|		}
  411|  19.4k|		return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|  19.4k|#define DROPBEAR_SUCCESS 0
  ------------------
  412|  19.4k|	}
  413|      0|#endif
  414|       |
  415|       |	/* compare the computed MAC with the one received after the packet
     |       |	 * contents, using constant_time_memcmp() */
  416|      0|	buf_setpos(ses.readbuf, contents_len);
  417|      0|	if (constant_time_memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) {
  ------------------
  |  Branch (417:6): [True: 0, False: 0]
  ------------------
  418|      0|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  419|      0|	} else {
  420|      0|		return DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  421|      0|	}
  422|      0|}
packet.c:packet_is_okay_kex:
  464|  20.4k|static int packet_is_okay_kex(unsigned char type) {
     |       |	/* Classify a packet type: returns 0 for every type from
     |       |	 * SSH_MSG_USERAUTH_REQUEST upwards, for SSH_MSG_SERVICE_REQUEST,
     |       |	 * SSH_MSG_SERVICE_ACCEPT and SSH_MSG_KEXINIT, and 1 for anything else.
     |       |	 * NOTE(review): the callers are not shown here; going by the name, 1
     |       |	 * presumably means the packet may go out while key exchange is in
     |       |	 * progress - confirm at the call sites. */
  465|  20.4k|	if (type >= SSH_MSG_USERAUTH_REQUEST) {
  ------------------
  |  |   42|  20.4k|#define SSH_MSG_USERAUTH_REQUEST            50
  ------------------
  |  Branch (465:6): [True: 258, False: 20.1k]
  ------------------
  466|    258|		return 0;
  467|    258|	}
  468|  20.1k|	if (type == SSH_MSG_SERVICE_REQUEST || type == SSH_MSG_SERVICE_ACCEPT) {
  ------------------
  |  |   33|  40.3k|#define SSH_MSG_SERVICE_REQUEST        5
  ------------------
              	if (type == SSH_MSG_SERVICE_REQUEST || type == SSH_MSG_SERVICE_ACCEPT) {
  ------------------
  |  |   34|  19.9k|#define SSH_MSG_SERVICE_ACCEPT         6
  ------------------
  |  Branch (468:6): [True: 258, False: 19.9k]
  |  Branch (468:41): [True: 0, False: 19.9k]
  ------------------
  469|    258|		return 0;
  470|    258|	}
  471|  19.9k|	if (type == SSH_MSG_KEXINIT) {
  ------------------
  |  |   36|  19.9k|#define SSH_MSG_KEXINIT                20
  ------------------
  |  Branch (471:6): [True: 0, False: 19.9k]
  ------------------
  472|       |		/* XXX should this die horribly if !dataallowed ?? */
  473|      0|		return 0;
  474|      0|	}
  475|  19.9k|	return 1;
  476|  19.9k|}
packet.c:enqueue_reply_packet:
  478|    516|static void enqueue_reply_packet() {
     |       |	/* Move the packet being built in ses.writepayload onto the tail of the
     |       |	 * ses.reply_queue list. The payload is copied with buf_newcopy() and
     |       |	 * ses.writepayload is then reset to position 0 and length 0.
     |       |	 * NOTE(review): nothing in this function bounds the length of the
     |       |	 * list; confirm the caller limits how many replies a peer can cause
     |       |	 * to be queued. The m_malloc() result is used unchecked, presumably
     |       |	 * because m_malloc() does not return on failure - confirm. */
  479|    516|	struct packetlist * new_item = NULL;
  480|    516|	new_item = m_malloc(sizeof(struct packetlist));
  481|    516|	new_item->next = NULL;
  482|       |	
  483|    516|	new_item->payload = buf_newcopy(ses.writepayload);
  484|    516|	buf_setpos(ses.writepayload, 0);
  485|    516|	buf_setlen(ses.writepayload, 0);
  486|       |	
     |       |	/* append: link behind the current tail, or start the list */
  487|    516|	if (ses.reply_queue_tail) {
  ------------------
  |  Branch (487:6): [True: 258, False: 258]
  ------------------
  488|    258|		ses.reply_queue_tail->next = new_item;
  489|    258|	} else {
  490|    258|		ses.reply_queue_head = new_item;
  491|    258|	}
  492|    516|	ses.reply_queue_tail = new_item;
  493|    516|}
packet.c:make_mac:
  687|  42.6k|		unsigned char *output_mac) {
     |       |	/* Compute the packet MAC into output_mac: an HMAC keyed with
     |       |	 * key_state->mackey over the 4-byte sequence number followed by the
     |       |	 * first clear_len bytes of clear_buf. (The start of the signature is
     |       |	 * not part of this listing.)
     |       |	 * When key_state->algo_mac->hashsize is 0 nothing is computed and
     |       |	 * output_mac is left untouched. hmac_done() is told the output holds
     |       |	 * MAX_MAC_LEN bytes, so output_mac must have room for that many.
     |       |	 * Every HMAC failure ends in dropbear_exit().
     |       |	 * In this report the hashsize > 0 branch has a count of 0, so the
     |       |	 * HMAC path itself was not exercised by this run. */
  688|  42.6k|	unsigned char seqbuf[4];
  689|  42.6k|	unsigned long bufsize;
  690|  42.6k|	hmac_state hmac;
  691|       |
  692|  42.6k|	if (key_state->algo_mac->hashsize > 0) {
  ------------------
  |  Branch (692:6): [True: 0, False: 42.6k]
  ------------------
  693|       |		/* calculate the mac */
  694|      0|		if (hmac_init(&hmac, 
  ------------------
  |  Branch (694:7): [True: 0, False: 0]
  ------------------
  695|      0|					key_state->hash_index,
  696|      0|					key_state->mackey,
  697|      0|					key_state->algo_mac->keysize) != CRYPT_OK) {
  698|      0|			dropbear_exit("HMAC error");
  699|      0|		}
  700|       |	
  701|       |		/* sequence number */
  702|      0|		STORE32H(seqno, seqbuf);
  ------------------
  |  |   62|      0|#define STORE32H(x, y)                          \
  |  |   63|      0|do { ulong32 __t = __builtin_bswap32 ((x));     \
  |  |   64|      0|      XMEMCPY ((y), &__t, 4); } while(0)
  |  |  ------------------
  |  |  |  |   39|      0|#define XMEMCPY  memcpy
  |  |  ------------------
  |  |  |  Branch (64:39): [Folded, False: 0]
  |  |  ------------------
  ------------------
  703|      0|		if (hmac_process(&hmac, seqbuf, 4) != CRYPT_OK) {
  ------------------
  |  Branch (703:7): [True: 0, False: 0]
  ------------------
  704|      0|			dropbear_exit("HMAC error");
  705|      0|		}
  706|       |	
  707|       |		/* the actual contents */
  708|      0|		buf_setpos(clear_buf, 0);
  709|      0|		if (hmac_process(&hmac, 
  ------------------
  |  Branch (709:7): [True: 0, False: 0]
  ------------------
  710|      0|					buf_getptr(clear_buf, clear_len),
  711|      0|					clear_len) != CRYPT_OK) {
  712|      0|			dropbear_exit("HMAC error");
  713|      0|		}
  714|       |	
     |       |		/* bufsize is the capacity handed to hmac_done() for output_mac */
  715|      0|		bufsize = MAX_MAC_LEN;
  ------------------
  |  |  147|      0|#define MAX_MAC_LEN 32
  ------------------
  716|      0|		if (hmac_done(&hmac, output_mac, &bufsize) != CRYPT_OK) {
  ------------------
  |  Branch (716:7): [True: 0, False: 0]
  ------------------
  717|      0|			dropbear_exit("HMAC error");
  718|      0|		}
  719|      0|	}
  720|  42.6k|	TRACE2(("leave writemac"))
  721|  42.6k|}

process_packet:
   43|  19.3k|void process_packet() {
     |       |	/* Dispatch the packet in ses.payload according to its type byte.
     |       |	 * In order: SSH_MSG_DISCONNECT calls dropbear_close(); IGNORE, DEBUG
     |       |	 * and UNIMPLEMENTED are dropped (unless first_strict_kex is set); the
     |       |	 * keepalive and idle timestamps are updated; ses.requirenext and
     |       |	 * ses.ignorenext are enforced; types above MAX_UNAUTH_PACKET_TYPE are
     |       |	 * rejected while ses.authstate.authdone is unset; finally the matching
     |       |	 * handler from ses.packettypes is called, or recv_unimplemented() if
     |       |	 * there is none. On the way out ses.lastpacket is recorded and
     |       |	 * ses.payload is freed and set to NULL. */
   44|       |
   45|  19.3k|	unsigned char type;
   46|  19.3k|	unsigned int i;
     |       |	/* Set while ses.kexstate.strict_kex is on and recvfirstnewkeys is
     |       |	 * still clear. The branch counts in this report show it was never
     |       |	 * true, so the strict-KEX restrictions below were not exercised by
     |       |	 * this run. */
   47|  19.3k|	unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.recvfirstnewkeys;
  ------------------
  |  Branch (47:34): [True: 0, False: 19.3k]
  |  Branch (47:61): [True: 0, False: 0]
  ------------------
   48|  19.3k|	time_t now;
   49|       |
   50|  19.3k|	TRACE2(("enter process_packet"))
   51|       |
   52|  19.3k|	type = buf_getbyte(ses.payload);
   53|  19.3k|	TRACE(("process_packet: packet type = %d,  len %d", type, ses.payload->len))
   54|       |
   55|  19.3k|	now = monotonic_now();
   56|  19.3k|	ses.last_packet_time_keepalive_recv = now;
   57|       |
   58|       |
   59|  19.3k|	if (type == SSH_MSG_DISCONNECT) {
  ------------------
  |  |   29|  19.3k|#define SSH_MSG_DISCONNECT             1
  ------------------
  |  Branch (59:6): [True: 4, False: 19.3k]
  ------------------
   60|       |		/* Allowed at any time */
   61|      4|		dropbear_close("Disconnect received");
   62|      4|	}
   63|       |
   64|       |	/* These packets may be received at any time,
   65|       |	   except during first kex with strict kex */
   66|  19.3k|	if (!first_strict_kex) {
  ------------------
  |  Branch (66:6): [True: 19.3k, False: 4]
  ------------------
   67|  19.3k|		switch(type) {
  ------------------
  |  Branch (67:10): [True: 426, False: 18.9k]
  ------------------
   68|    101|			case SSH_MSG_IGNORE:
  ------------------
  |  |   30|    101|#define SSH_MSG_IGNORE                 2
  ------------------
  |  Branch (68:4): [True: 101, False: 19.2k]
  ------------------
   69|    101|				goto out;
   70|    257|			case SSH_MSG_DEBUG:
  ------------------
  |  |   32|    257|#define SSH_MSG_DEBUG                  4
  ------------------
  |  Branch (70:4): [True: 257, False: 19.1k]
  ------------------
   71|    257|				goto out;
   72|     68|			case SSH_MSG_UNIMPLEMENTED:
  ------------------
  |  |   31|     68|#define SSH_MSG_UNIMPLEMENTED          3
  ------------------
  |  Branch (72:4): [True: 68, False: 19.3k]
  ------------------
   73|     68|				TRACE(("SSH_MSG_UNIMPLEMENTED"))
   74|     68|				goto out;
   75|  19.3k|		}
   76|  19.3k|	}
   77|       |
   78|       |	/* Ignore these packet types so that keepalives don't interfere with
   79|       |	idle detection. This is slightly incorrect since a tcp forwarded
   80|       |	global request with failure won't trigger the idle timeout,
   81|       |	but that's probably acceptable */
   82|  18.9k|	if (!(type == SSH_MSG_GLOBAL_REQUEST 
  ------------------
  |  |   63|  37.9k|#define SSH_MSG_GLOBAL_REQUEST                  80
  ------------------
  |  Branch (82:8): [True: 5, False: 18.9k]
  ------------------
   83|  18.9k|		|| type == SSH_MSG_REQUEST_FAILURE
  ------------------
  |  |   65|  37.9k|#define SSH_MSG_REQUEST_FAILURE                 82
  ------------------
  |  Branch (83:6): [True: 1, False: 18.9k]
  ------------------
   84|  18.9k|		|| type == SSH_MSG_CHANNEL_FAILURE)) {
  ------------------
  |  |   76|  18.9k|#define SSH_MSG_CHANNEL_FAILURE                 100
  ------------------
  |  Branch (84:6): [True: 1, False: 18.9k]
  ------------------
   85|  18.9k|		ses.last_packet_time_idle = now;
   86|  18.9k|	}
   87|       |
   88|       |	/* This applies for KEX, where the spec says the next packet MUST be
   89|       |	 * NEWKEYS */
   90|  18.9k|	if (ses.requirenext != 0) {
  ------------------
  |  Branch (90:6): [True: 18.9k, False: 4]
  ------------------
   91|  18.9k|		if (ses.requirenext == type)
  ------------------
  |  Branch (91:7): [True: 4.64k, False: 14.3k]
  ------------------
   92|  4.64k|		{
   93|       |			/* Got what we expected */
   94|  4.64k|			TRACE(("got expected packet %d during kexinit", type))
   95|  4.64k|		}
   96|  14.3k|		else
   97|  14.3k|		{
   98|       |			/* RFC4253 7.1 - various messages are allowed at this point.
   99|       |			The only ones we know about have already been handled though,
  100|       |			so just return "unimplemented" */
     |       |			/* With first_strict_kex set, no substitute is tolerated: any
     |       |			 * type other than ses.requirenext takes the dropbear_exit()
     |       |			 * branch below. */
  101|  14.3k|			if (type >= 1 && type <= 49
  ------------------
  |  Branch (101:8): [True: 14.2k, False: 17]
  |  Branch (101:21): [True: 14.2k, False: 28]
  ------------------
  102|  14.2k|				&& type != SSH_MSG_SERVICE_REQUEST
  ------------------
  |  |   33|  28.5k|#define SSH_MSG_SERVICE_REQUEST        5
  ------------------
  |  Branch (102:8): [True: 14.2k, False: 1]
  ------------------
  103|  14.2k|				&& type != SSH_MSG_SERVICE_ACCEPT
  ------------------
  |  |   34|  28.5k|#define SSH_MSG_SERVICE_ACCEPT         6
  ------------------
  |  Branch (103:8): [True: 14.2k, False: 1]
  ------------------
  104|  14.2k|				&& type != SSH_MSG_KEXINIT
  ------------------
  |  |   36|  28.5k|#define SSH_MSG_KEXINIT                20
  ------------------
  |  Branch (104:8): [True: 14.2k, False: 1]
  ------------------
  105|  14.2k|				&& !first_strict_kex)
  ------------------
  |  Branch (105:8): [True: 14.2k, False: 0]
  ------------------
  106|  14.2k|			{
  107|  14.2k|				TRACE(("unknown allowed packet during kexinit"))
  108|  14.2k|				recv_unimplemented();
  109|  14.2k|				goto out;
  110|  14.2k|			}
  111|     48|			else
  112|     48|			{
  113|     48|				TRACE(("disallowed packet during kexinit"))
  114|     48|				dropbear_exit("Unexpected packet type %d, expected %d", type,
  115|     48|						ses.requirenext);
  116|     48|			}
  117|  14.3k|		}
  118|  18.9k|	}
  119|       |
  120|       |	/* Check if we should ignore this packet. Used currently only for
  121|       |	 * KEX code, with first_kex_packet_follows */
  122|  4.64k|	if (ses.ignorenext) {
  ------------------
  |  Branch (122:6): [True: 2, False: 4.64k]
  ------------------
  123|      2|		TRACE(("Ignoring packet, type = %d", type))
  124|      2|		ses.ignorenext = 0;
  125|      2|		goto out;
  126|      2|	}
  127|       |
  128|       |	/* Only clear the flag after we have checked ignorenext */
  129|  4.64k|	if (ses.requirenext != 0 && ses.requirenext == type)
  ------------------
  |  Branch (129:6): [True: 4.63k, False: 4]
  |  Branch (129:30): [True: 4.63k, False: 0]
  ------------------
  130|  4.63k|	{
  131|  4.63k|		ses.requirenext = 0;
  132|  4.63k|	}
  133|       |
  134|       |
  135|       |	/* Kindly the protocol authors gave all the preauth packets type values
  136|       |	 * less-than-or-equal-to 60 ( == MAX_UNAUTH_PACKET_TYPE ).
  137|       |	 * NOTE: if the protocol changes and new types are added, revisit this 
  138|       |	 * assumption */
     |       |	/* The rejecting branch has a count of 0 in this report: no input of
     |       |	 * this run reached here with a type above MAX_UNAUTH_PACKET_TYPE. */
  139|  4.64k|	if ( !ses.authstate.authdone && type > MAX_UNAUTH_PACKET_TYPE ) {
  ------------------
  |  |   38|  4.63k|#define MAX_UNAUTH_PACKET_TYPE SSH_MSG_USERAUTH_PK_OK
  |  |  ------------------
  |  |  |  |   52|  4.63k|#define SSH_MSG_USERAUTH_PK_OK				60
  |  |  ------------------
  ------------------
  |  Branch (139:7): [True: 4.63k, False: 4]
  |  Branch (139:34): [True: 0, False: 4.63k]
  ------------------
  140|      0|		dropbear_exit("Received message %d before userauth", type);
  141|      0|	}
  142|       |
     |       |	/* Linear search of the handler table. The loop has no bound other
     |       |	 * than an entry whose type is 0, so ses.packettypes must always end
     |       |	 * with such an entry. */
  143|  29.7k|	for (i = 0; ; i++) {
  144|  29.7k|		if (ses.packettypes[i].type == 0) {
  ------------------
  |  Branch (144:7): [True: 0, False: 29.7k]
  ------------------
  145|       |			/* end of list */
  146|      0|			break;
  147|      0|		}
  148|       |
  149|  29.7k|		if (ses.packettypes[i].type == type) {
  ------------------
  |  Branch (149:7): [True: 4.63k, False: 25.1k]
  ------------------
  150|  4.63k|			ses.packettypes[i].handler();
  151|  4.63k|			goto out;
  152|  4.63k|		}
  153|  29.7k|	}
  154|       |
  155|       |	
  156|       |	/* TODO do something more here? */
  157|      4|	TRACE(("preauth unknown packet"))
  158|      4|	recv_unimplemented();
  159|       |
  160|  17.0k|out:
     |       |	/* common exit: remember the type and release the payload buffer */
  161|  17.0k|	ses.lastpacket = type;
  162|  17.0k|	buf_free(ses.payload);
  163|  17.0k|	ses.payload = NULL;
  164|       |
  165|  17.0k|	TRACE2(("leave process_packet"))
  166|  17.0k|}
process-packet.c:recv_unimplemented:
  174|  14.2k|static void recv_unimplemented() {
     |       |	/* Answer the packet just received with SSH_MSG_UNIMPLEMENTED. The
     |       |	 * reply payload is the type byte followed by ses.recvseq - 1 as the
     |       |	 * rejected sequence number, and it is sent with encrypt_packet(). */
  175|       |
  176|  14.2k|	CHECKCLEARTOWRITE();
  177|       |
  178|  14.2k|	buf_putbyte(ses.writepayload, SSH_MSG_UNIMPLEMENTED);
  ------------------
  |  |   31|  14.2k|#define SSH_MSG_UNIMPLEMENTED          3
  ------------------
  179|       |	/* the decryption routine increments the sequence number, we must
  180|       |	 * decrement */
  181|  14.2k|	buf_putint(ses.writepayload, ses.recvseq - 1);
  182|       |
  183|  14.2k|	encrypt_packet();
  184|  14.2k|}

initqueue:
   29|  3.33k|void initqueue(struct Queue* queue) {
     |       |	/* Reset queue to the empty state: no head, no tail, count 0. Links
     |       |	 * still attached to the queue are not freed here. */
   30|       |
   31|  3.33k|	queue->head = NULL;
   32|       |	queue->tail = NULL;
   33|  3.33k|	queue->count = 0;
   34|  3.33k|}
isempty:
   36|   287k|int isempty(const struct Queue* queue) {
     |       |	/* Return non-zero when the queue has no head link. queue itself must
     |       |	 * not be NULL; it is dereferenced unchecked. */
   37|       |
   38|       |	return (queue->head == NULL);
   39|   287k|}
dequeue:
   41|  26.5k|void* dequeue(struct Queue* queue) {
     |       |	/* Remove the head link and return the item it carried. The link is
     |       |	 * freed here; the item is handed back to the caller untouched.
     |       |	 * Calling this on an empty queue trips dropbear_assert(). */
   42|       |
   43|  26.5k|	void* ret;
   44|  26.5k|	struct Link* oldhead;
   45|  26.5k|	dropbear_assert(!isempty(queue));
  ------------------
  |  |   84|  26.5k|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 26.5k]
  |  |  |  Branch (84:93): [Folded, False: 26.5k]
  |  |  ------------------
  ------------------
   46|       |	
   47|  26.5k|	ret = queue->head->item;
   48|  26.5k|	oldhead = queue->head;
   49|       |	
   50|  26.5k|	if (oldhead->link != NULL) {
  ------------------
  |  Branch (50:6): [True: 6.66k, False: 19.9k]
  ------------------
   51|  6.66k|		queue->head = oldhead->link;
   52|  19.9k|	} else {
     |       |		/* that was the last link: clear tail too, so that it does not
     |       |		 * keep pointing at the link freed below */
   53|  19.9k|		queue->head = NULL;
   54|  19.9k|		queue->tail = NULL;
   55|  19.9k|		TRACE(("empty queue dequeing"))
   56|  19.9k|	}
   57|       |
   58|       |	m_free(oldhead);
  ------------------
  |  |   24|  26.5k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 26.5k]
  |  |  ------------------
  ------------------
   59|  26.5k|	queue->count--;
   60|  26.5k|	return ret;
   61|  26.5k|}
examine:
   63|  26.5k|void *examine(const struct Queue* queue) {
     |       |	/* Return the item at the head of the queue without removing it.
     |       |	 * Calling this on an empty queue trips dropbear_assert(). */
   64|       |
   65|  26.5k|	dropbear_assert(!isempty(queue));
  ------------------
  |  |   84|  26.5k|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 26.5k]
  |  |  |  Branch (84:93): [Folded, False: 26.5k]
  |  |  ------------------
  ------------------
   66|  26.5k|	return queue->head->item;
   67|  26.5k|}
enqueue:
   69|  26.5k|void enqueue(struct Queue* queue, void* item) {
     |       |	/* Append item at the tail of the queue in a newly allocated link and
     |       |	 * increment count. The item pointer is stored as given, not copied.
     |       |	 * The m_malloc() result is used unchecked, presumably because
     |       |	 * m_malloc() does not return on failure - confirm. */
   70|       |
   71|  26.5k|	struct Link* newlink;
   72|       |
   73|  26.5k|	newlink = (struct Link*)m_malloc(sizeof(struct Link));
   74|       |
   75|  26.5k|	newlink->item = item;
   76|  26.5k|	newlink->link = NULL;
   77|       |
   78|  26.5k|	if (queue->tail != NULL) {
  ------------------
  |  Branch (78:6): [True: 6.66k, False: 19.9k]
  ------------------
   79|  6.66k|		queue->tail->link = newlink;
   80|  6.66k|	}
   81|  26.5k|	queue->tail = newlink;
   82|       |
     |       |	/* first link of an empty queue is the head as well */
   83|  26.5k|	if (queue->head == NULL) {
  ------------------
  |  Branch (83:6): [True: 19.9k, False: 6.66k]
  ------------------
   84|  19.9k|		queue->head = newlink;
   85|  19.9k|	}
   86|  26.5k|	queue->count++;
   87|  26.5k|}

buf_get_rsa_pub_key:
   53|    937|int buf_get_rsa_pub_key(buffer* buf, dropbear_rsa_key *key) {
     |       |	/* Read an RSA public key (e, then n) from buf into key.
     |       |	 * key->e and key->n are allocated here; d, p and q are set to NULL.
     |       |	 * Returns DROPBEAR_SUCCESS, or DROPBEAR_FAILURE when either mpint
     |       |	 * cannot be read, n has fewer than MIN_RSA_KEYLEN bits, or e has more
     |       |	 * than 64 bits. On failure e and n are released again with
     |       |	 * m_mp_free_multi().
     |       |	 * NOTE(review): only an upper bound on e is enforced here; no lower
     |       |	 * bound or parity check on e or n is visible in this function. */
   54|       |
   55|    937|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|    937|#define DROPBEAR_FAILURE -1
  ------------------
   56|    937|	TRACE(("enter buf_get_rsa_pub_key"))
   57|    937|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|    937|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 937]
  |  |  |  Branch (84:93): [Folded, False: 937]
  |  |  ------------------
  ------------------
   58|    937|	m_mp_alloc_init_multi(&key->e, &key->n, NULL);
   59|    937|	key->d = NULL;
   60|    937|	key->p = NULL;
   61|    937|	key->q = NULL;
   62|       |
     |       |	/* The key-type string is skipped, not compared: presumably the caller
     |       |	 * has already matched it against "ssh-rsa" - confirm at call sites. */
   63|    937|	buf_incrpos(buf, 4+SSH_SIGNKEY_RSA_LEN); /* int + "ssh-rsa" */
  ------------------
  |  |  117|    937|#define SSH_SIGNKEY_RSA_LEN 7
  ------------------
   64|       |
   65|    937|	if (buf_getmpint(buf, key->e) == DROPBEAR_FAILURE
  ------------------
  |  |  112|  1.87k|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (65:6): [True: 7, False: 930]
  ------------------
   66|    930|	 || buf_getmpint(buf, key->n) == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|    930|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (66:6): [True: 14, False: 916]
  ------------------
   67|     10|		TRACE(("leave buf_get_rsa_pub_key: failure"))
   68|     10|		goto out;
   69|     10|	}
   70|       |
     |       |	/* reject moduli shorter than MIN_RSA_KEYLEN bits */
   71|    927|	if (mp_count_bits(key->n) < MIN_RSA_KEYLEN) {
  ------------------
  |  |   69|    927|#define MIN_RSA_KEYLEN 1024
  ------------------
  |  Branch (71:6): [True: 42, False: 885]
  ------------------
   72|     42|		dropbear_log(LOG_WARNING, "RSA key too short");
   73|     42|		goto out;
   74|     42|	}
   75|       |
   76|       |	/* 64 bit is limit used by openssl, so we won't block any keys in the wild */
   77|    885|	if (mp_count_bits(key->e) > 64) {
  ------------------
  |  Branch (77:6): [True: 4, False: 881]
  ------------------
   78|      4|		dropbear_log(LOG_WARNING, "RSA key bad e");
   79|      4|		goto out;
   80|      4|	}
   81|       |
   82|    881|	TRACE(("leave buf_get_rsa_pub_key: success"))
   83|    881|	ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|    881|#define DROPBEAR_SUCCESS 0
  ------------------
   84|    926|out:
     |       |	/* on failure do not leave a half-parsed key behind */
   85|    926|	if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|    926|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (85:6): [True: 56, False: 870]
  ------------------
   86|       |		m_mp_free_multi(&key->e, &key->n, NULL);
   87|     56|	}
   88|    926|	return ret;
   89|    881|}
rsa_key_free:
  143|    994|void rsa_key_free(dropbear_rsa_key *key) {
     |       |	/* Release an RSA key: the five mp_ints d, e, p, q and n, then the
     |       |	 * struct itself. A NULL key is accepted and ignored.
     |       |	 * m_free() sets only the local parameter to NULL, so the caller's own
     |       |	 * pointer still refers to freed memory and must not be used again.
     |       |	 * NOTE(review): whether m_mp_free_multi() wipes the private values
     |       |	 * d, p and q before releasing them is not visible here - confirm. */
  144|       |
  145|    994|	TRACE2(("enter rsa_key_free"))
  146|       |
  147|    994|	if (key == NULL) {
  ------------------
  |  Branch (147:6): [True: 938, False: 56]
  ------------------
  148|    938|		TRACE2(("leave rsa_key_free: key == NULL"))
  149|    938|		return;
  150|    938|	}
  151|     56|	m_mp_free_multi(&key->d, &key->e, &key->p, &key->q, &key->n, NULL);
  152|       |	m_free(key);
  ------------------
  |  |   24|     56|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 56]
  |  |  ------------------
  ------------------
  153|     56|	TRACE2(("leave rsa_key_free"))
  154|     56|}
buf_put_rsa_pub_key:
  162|    832|void buf_put_rsa_pub_key(buffer* buf, const dropbear_rsa_key *key) {
     |       |	/* Append the public part of key to buf: the string "ssh-rsa", then e,
     |       |	 * then n as mpints. Only public values are written. key must not be
     |       |	 * NULL (asserted). */
  163|       |
  164|    832|	TRACE(("enter buf_put_rsa_pub_key"))
  165|    832|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|    832|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 832]
  |  |  |  Branch (84:93): [Folded, False: 832]
  |  |  ------------------
  ------------------
  166|       |
  167|    832|	buf_putstring(buf, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
  ------------------
  |  |  116|    832|#define SSH_SIGNKEY_RSA "ssh-rsa"
  ------------------
              	buf_putstring(buf, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN);
  ------------------
  |  |  117|    832|#define SSH_SIGNKEY_RSA_LEN 7
  ------------------
  168|    832|	buf_putmpint(buf, key->e);
  169|    832|	buf_putmpint(buf, key->n);
  170|       |
  171|    832|	TRACE(("leave buf_put_rsa_pub_key"))
  172|       |
  173|    832|}
buf_rsa_verify:
  201|    631|		enum signature_type sigtype, const buffer *data_buf) {
     |       |	/* Verify an RSA signature read from buf over data_buf, using the
     |       |	 * public values key->e and key->n. (The start of the signature is not
     |       |	 * part of this listing.) Returns DROPBEAR_SUCCESS only when
     |       |	 * s^e mod n equals the encoding built by rsa_pad_em(); every other
     |       |	 * path returns DROPBEAR_FAILURE. The three temporaries are cleared
     |       |	 * on all paths.
     |       |	 * The recovered value is compared against the complete expected
     |       |	 * encoding rather than being parsed for padding and digest.
     |       |	 * In this report the success branch has a count of 0: no input of
     |       |	 * this run carried a valid signature. */
  202|    631|	unsigned int slen;
  203|    631|	DEF_MP_INT(rsa_s);
  ------------------
  |  |   81|    631|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
  204|    631|	DEF_MP_INT(rsa_mdash);
  ------------------
  |  |   81|    631|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
  205|    631|	DEF_MP_INT(rsa_em);
  ------------------
  |  |   81|    631|#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  ------------------
  206|    631|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|    631|#define DROPBEAR_FAILURE -1
  ------------------
  207|       |
  208|    631|	TRACE(("enter buf_rsa_verify"))
  209|       |
  210|    631|	dropbear_assert(key != NULL);
  ------------------
  |  |   84|    631|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 631]
  |  |  |  Branch (84:93): [Folded, False: 631]
  |  |  ------------------
  ------------------
  211|       |
  212|    631|	m_mp_init_multi(&rsa_mdash, &rsa_s, &rsa_em, NULL);
  213|       |
     |       |	/* the declared signature length must equal the byte size of n */
  214|    631|	slen = buf_getint(buf);
  215|    631|	if (slen != (unsigned int)mp_ubin_size(key->n)) {
  ------------------
  |  Branch (215:6): [True: 50, False: 581]
  ------------------
  216|     50|		TRACE(("bad size"))
  217|     50|		goto out;
  218|     50|	}
  219|       |
     |       |	/* NOTE(review): s is read from everything left in buf
     |       |	 * (buf->len - buf->pos), not from slen bytes; presumably the signature
     |       |	 * is always the last field of buf - confirm with the callers. */
  220|    581|	if (mp_from_ubin(&rsa_s, buf_getptr(buf, buf->len - buf->pos),
  ------------------
  |  Branch (220:6): [True: 0, False: 581]
  ------------------
  221|    581|				buf->len - buf->pos) != MP_OKAY) {
  ------------------
  |  |  161|    581|#define MP_OKAY       0   /* no error */
  ------------------
  222|      0|		TRACE(("failed reading rsa_s"))
  223|      0|		goto out;
  224|      0|	}
  225|       |
  226|       |	/* check that s <= n-1 */
  227|    581|	if (mp_cmp(&rsa_s, key->n) != MP_LT) {
  ------------------
  |  |  154|    581|#define MP_LT        -1   /* less than */
  ------------------
  |  Branch (227:6): [True: 34, False: 547]
  ------------------
  228|     34|		TRACE(("s > n-1"))
  229|     34|		goto out;
  230|     34|	}
  231|       |
  232|       |	/* create the magic PKCS padded value */
  233|    547|	rsa_pad_em(key, data_buf, &rsa_em, sigtype);
  234|       |
     |       |	/* rsa_mdash = rsa_s ^ e mod n */
  235|    547|	if (mp_exptmod(&rsa_s, key->e, key->n, &rsa_mdash) != MP_OKAY) {
  ------------------
  |  |  161|    547|#define MP_OKAY       0   /* no error */
  ------------------
  |  Branch (235:6): [True: 0, False: 547]
  ------------------
  236|      0|		TRACE(("failed exptmod rsa_s"))
  237|      0|		goto out;
  238|      0|	}
  239|       |
  240|    547|	if (mp_cmp(&rsa_em, &rsa_mdash) == MP_EQ) {
  ------------------
  |  |  155|    547|#define MP_EQ         0   /* equal to */
  ------------------
  |  Branch (240:6): [True: 0, False: 547]
  ------------------
  241|       |		/* signature is valid */
  242|      0|		TRACE(("success!"))
  243|      0|		ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  244|      0|	}
  245|       |
  246|    631|out:
  247|       |	mp_clear_multi(&rsa_mdash, &rsa_s, &rsa_em, NULL);
  248|    631|	TRACE(("leave buf_rsa_verify: ret %d", ret))
  249|    631|	return ret;
  250|    547|}
rsa.c:rsa_pad_em:
  398|    547|	const buffer *data_buf, mp_int * rsa_em, enum signature_type sigtype) {
     |       |	/* Build the expected PKCS#1 v1.5 signature encoding of data_buf for
     |       |	 * the given sigtype, sized to the modulus key->n, and store it in
     |       |	 * rsa_em. (The start of the signature is not part of this listing.)
     |       |	 * The temporary buffer holds only padding, the DER prefix and the
     |       |	 * digest, and is freed before returning.
     |       |	 * In this report only the SHA-1 case has a non-zero count. */
  399|       |    /* EM = 0x00 || 0x01 || PS || 0x00 || T 
  400|       |	   PS is padding of 0xff to make EM the size of key->n
  401|       |
  402|       |	   T is the DER encoding of the hash alg (sha1 or sha256)
  403|       |	*/
  404|       |
  405|       |	/* From rfc8017 page 46 */
  406|    547|#if DROPBEAR_RSA_SHA1
  407|    547|	const unsigned char T_sha1[] =
  408|    547|		{0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
  409|    547|		 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
  410|    547|#endif
  411|    547|#if DROPBEAR_RSA_SHA256
  412|    547|	const unsigned char T_sha256[] =
  413|    547|		{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
  414|    547|		 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
  415|    547|#endif
  416|       |
  417|    547|    int Tlen = 0;
  418|    547|    const unsigned char *T = NULL;
  419|    547|	const struct ltc_hash_descriptor *hash_desc = NULL;
  420|    547|	buffer * rsa_EM = NULL;
  421|    547|	hash_state hs;
  422|    547|	unsigned int nsize;
  423|       |
     |       |	/* NOTE(review): an unknown sigtype is caught only by assert(0). If
     |       |	 * assertions are compiled out, T and hash_desc stay NULL and are
     |       |	 * dereferenced below - confirm assert() stays enabled or that the
     |       |	 * callers restrict sigtype. */
  424|    547|	switch (sigtype) {
  425|      0|#if DROPBEAR_RSA_SHA1
  426|    547|		case DROPBEAR_SIGNATURE_RSA_SHA1:
  ------------------
  |  Branch (426:3): [True: 547, False: 0]
  ------------------
  427|    547|			Tlen = sizeof(T_sha1);
  428|    547|			T = T_sha1;
  429|    547|			hash_desc = &sha1_desc;
  430|    547|			break;
  431|      0|#endif
  432|      0|#if DROPBEAR_RSA_SHA256
  433|      0|		case DROPBEAR_SIGNATURE_RSA_SHA256:
  ------------------
  |  Branch (433:3): [True: 0, False: 547]
  ------------------
  434|      0|			Tlen = sizeof(T_sha256);
  435|      0|			T = T_sha256;
  436|      0|			hash_desc = &sha256_desc;
  437|      0|			break;
  438|      0|#endif
  439|      0|		default:
  ------------------
  |  Branch (439:3): [True: 0, False: 547]
  ------------------
  440|      0|			assert(0);
  ------------------
  |  Branch (440:4): [Folded, False: 0]
  |  Branch (440:4): [Folded, False: 0]
  ------------------
  441|    547|	}
  442|       |	
  443|       |
  444|    547|	nsize = mp_ubin_size(key->n);
  445|       |
  446|    547|	rsa_EM = buf_new(nsize);
  447|       |	/* type byte */
  448|    547|	buf_putbyte(rsa_EM, 0x00);
  449|    547|	buf_putbyte(rsa_EM, 0x01);
  450|       |	/* Padding with PS 0xFF bytes */
     |       |	/* NOTE(review): the loop stops only when pos is exactly
     |       |	 * size - (1 + Tlen + hashsize), so it assumes the modulus is at least
     |       |	 * 3 + Tlen + hashsize bytes long. buf_get_rsa_pub_key() rejects
     |       |	 * moduli under MIN_RSA_KEYLEN bits; confirm that keys from any other
     |       |	 * source are bounded the same way. */
  451|  52.6k|	while(rsa_EM->pos != rsa_EM->size - (1 + Tlen + hash_desc->hashsize)) {
  ------------------
  |  Branch (451:8): [True: 52.0k, False: 547]
  ------------------
  452|  52.0k|		buf_putbyte(rsa_EM, 0xff);
  453|  52.0k|	}
  454|    547|	buf_putbyte(rsa_EM, 0x00);
  455|       |	/* Magic ASN1 stuff */
  456|    547|	buf_putbytes(rsa_EM, T, Tlen);
  457|       |
  458|       |	/* The hash of the data */
  459|    547|	hash_desc->init(&hs);
  460|    547|	hash_desc->process(&hs, data_buf->data, data_buf->len);
  461|    547|	hash_desc->done(&hs, buf_getwriteptr(rsa_EM, hash_desc->hashsize));
  462|    547|	buf_incrwritepos(rsa_EM, hash_desc->hashsize);
  463|       |
     |       |	/* the encoding must fill the buffer exactly */
  464|    547|	dropbear_assert(rsa_EM->pos == rsa_EM->size);
  ------------------
  |  |   84|    547|#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  |  |  ------------------
  |  |  |  Branch (84:37): [True: 0, False: 547]
  |  |  |  Branch (84:93): [Folded, False: 547]
  |  |  ------------------
  ------------------
  465|       |
  466|       |	/* Create the mp_int from the encoded bytes */
  467|    547|	buf_setpos(rsa_EM, 0);
  468|    547|	bytes_to_mp(rsa_em, buf_getptr(rsa_EM, rsa_EM->size),
  469|    547|			rsa_EM->size);
  470|    547|	buf_free(rsa_EM);
  471|    547|}

new_sign_key:
   62|  1.94k|sign_key * new_sign_key() {
   63|       |	/* Allocate a sign_key and mark it as holding no key yet: type NONE, source INVALID. */
   64|  1.94k|	sign_key * ret;
   65|       |
   66|  1.94k|	ret = (sign_key*)m_malloc(sizeof(sign_key)); /* NOTE(review): only type and source are set below; sign_key_free tests the key pointers for NULL, so this presumably relies on m_malloc zero-filling - confirm */
   67|  1.94k|	ret->type = DROPBEAR_SIGNKEY_NONE;
   68|  1.94k|	ret->source = SIGNKEY_SOURCE_INVALID;
   69|  1.94k|	return ret;
   70|  1.94k|}
signkey_type_from_name:
   86|  2.67k|enum signkey_type signkey_type_from_name(const char* name, unsigned int namelen) { /* Map a key algorithm name of namelen bytes to its signkey_type; returns DROPBEAR_SIGNKEY_NONE when the name is unknown or is an ECDSA size that is not compiled in. */
   87|  2.67k|	int i;
   88|  10.8k|	for (i = 0; i < DROPBEAR_SIGNKEY_NUM_NAMED; i++) {
  ------------------
  |  Branch (88:14): [True: 10.7k, False: 162]
  ------------------
   89|  10.7k|		const char *fixed_name = signkey_names[i];
   90|  10.7k|		if (namelen == strlen(fixed_name) /* lengths must match first, so the memcmp below reads exactly namelen bytes of name and name need not be NUL-terminated */
  ------------------
  |  Branch (90:7): [True: 3.60k, False: 7.10k]
  ------------------
   91|  3.60k|			&& memcmp(fixed_name, name, namelen) == 0) {
  ------------------
  |  Branch (91:7): [True: 2.50k, False: 1.09k]
  ------------------
   92|       |
   93|  2.50k|#if DROPBEAR_ECDSA
   94|       |			/* Some of the ECDSA key sizes are defined even if they're not compiled in */
   95|  2.50k|			if (0
  ------------------
  |  Branch (95:8): [Folded, False: 2.50k]
  ------------------
   96|       |#if !DROPBEAR_ECC_256
   97|       |				|| i == DROPBEAR_SIGNKEY_ECDSA_NISTP256
   98|       |#endif
   99|       |#if !DROPBEAR_ECC_384
  100|       |				|| i == DROPBEAR_SIGNKEY_ECDSA_NISTP384
  101|       |#endif
  102|       |#if !DROPBEAR_ECC_521
  103|       |				|| i == DROPBEAR_SIGNKEY_ECDSA_NISTP521
  104|       |#endif
  105|  2.50k|				) {
  106|      0|				TRACE(("attempt to use ecdsa type %d not compiled in", i))
  107|      0|				return DROPBEAR_SIGNKEY_NONE;
  108|      0|			}
  109|  2.50k|#endif
  110|       |
  111|  2.50k|			return (enum signkey_type)i; /* the index into signkey_names is used directly as the enum value */
  112|  2.50k|		}
  113|  10.7k|	}
  114|       |
  115|    162|	TRACE(("signkey_type_from_name unexpected key type."))
  116|       |
  117|    162|	return DROPBEAR_SIGNKEY_NONE;
  118|  2.67k|}
signature_type_from_name:
  145|  1.00k|enum signature_type signature_type_from_name(const char* name, unsigned int namelen) { /* Map a signature algorithm name of namelen bytes to a signature_type. The two RSA names are matched here; every other name is resolved by signkey_type_from_name and cast. */
  146|  1.00k|#if DROPBEAR_RSA
  147|  1.00k|#if DROPBEAR_RSA_SHA256
  148|  1.00k|	if (namelen == strlen(SSH_SIGNATURE_RSA_SHA256) 
  ------------------
  |  |  121|  1.00k|#define SSH_SIGNATURE_RSA_SHA256 "rsa-sha2-256"
  ------------------
  |  Branch (148:6): [True: 18, False: 985]
  ------------------
  149|     18|		&& memcmp(name, SSH_SIGNATURE_RSA_SHA256, namelen) == 0) {
  ------------------
  |  |  121|     18|#define SSH_SIGNATURE_RSA_SHA256 "rsa-sha2-256"
  ------------------
  |  Branch (149:6): [True: 2, False: 16]
  ------------------
  150|      2|		return DROPBEAR_SIGNATURE_RSA_SHA256;
  151|      2|	}
  152|  1.00k|#endif
  153|  1.00k|#if DROPBEAR_RSA_SHA1
  154|  1.00k|	if (namelen == strlen(SSH_SIGNKEY_RSA) 
  ------------------
  |  |  116|  1.00k|#define SSH_SIGNKEY_RSA "ssh-rsa"
  ------------------
  |  Branch (154:6): [True: 781, False: 220]
  ------------------
  155|    781|		&& memcmp(name, SSH_SIGNKEY_RSA, namelen) == 0) {
  ------------------
  |  |  116|    781|#define SSH_SIGNKEY_RSA "ssh-rsa"
  ------------------
  |  Branch (155:6): [True: 632, False: 149]
  ------------------
  156|    632|		return DROPBEAR_SIGNATURE_RSA_SHA1; /* as a signature name, the bare "ssh-rsa" selects the SHA-1 variant; it is only accepted when DROPBEAR_RSA_SHA1 is enabled */
  157|    632|	}
  158|    369|#endif
  159|    369|#endif /* DROPBEAR_RSA */
  160|    369|	return (enum signature_type)signkey_type_from_name(name, namelen); /* NOTE(review): relies on signature_type sharing numeric values with signkey_type for non-RSA algorithms - confirm in the enum definitions; an unknown name comes back as the cast of DROPBEAR_SIGNKEY_NONE */
  161|  1.00k|}
signkey_type_from_signature:
  173|  6.71k|enum signkey_type signkey_type_from_signature(enum signature_type sigtype) { /* Map a signature_type to the signkey_type of the key that produces it; both RSA signature variants map to DROPBEAR_SIGNKEY_RSA, any other value is cast unchanged. */
  174|  6.71k|#if DROPBEAR_RSA
  175|  6.71k|#if DROPBEAR_RSA_SHA256
  176|  6.71k|	if (sigtype == DROPBEAR_SIGNATURE_RSA_SHA256) {
  ------------------
  |  Branch (176:6): [True: 8, False: 6.70k]
  ------------------
  177|      8|		return DROPBEAR_SIGNKEY_RSA;
  178|      8|	}
  179|  6.70k|#endif
  180|  6.70k|#if DROPBEAR_RSA_SHA1
  181|  6.70k|	if (sigtype == DROPBEAR_SIGNATURE_RSA_SHA1) {
  ------------------
  |  Branch (181:6): [True: 1.70k, False: 4.99k]
  ------------------
  182|  1.70k|		return DROPBEAR_SIGNKEY_RSA;
  183|  1.70k|	}
  184|  4.99k|#endif
  185|  4.99k|#endif /* DROPBEAR_RSA */
  186|  6.70k|	assert((int)sigtype < (int)DROPBEAR_SIGNKEY_NUM_NAMED); /* NOTE(review): a plain assert() is the only upper-bound check before the cast below, and it has no lower bound; if a build defines NDEBUG the check disappears - confirm the release flags */
  ------------------
  |  Branch (186:2): [True: 0, False: 4.99k]
  |  Branch (186:2): [True: 4.99k, False: 0]
  ------------------
  187|  4.99k|	return (enum signkey_type)sigtype; /* non-RSA signature values are reused as key type values */
  188|  4.99k|}
signkey_key_ptr:
  193|    308|signkey_key_ptr(sign_key *key, enum signkey_type type) { /* Return the address (cast to void**) of the sign_key member that stores the key for `type`, or NULL when the type matches no compiled-in case. */
  194|    308|	switch (type) {
  195|      0|#if DROPBEAR_ED25519
  196|      0|		case DROPBEAR_SIGNKEY_ED25519:
  ------------------
  |  Branch (196:3): [True: 0, False: 308]
  ------------------
  197|      0|#if DROPBEAR_SK_ED25519
  198|      0|		case DROPBEAR_SIGNKEY_SK_ED25519:
  ------------------
  |  Branch (198:3): [True: 0, False: 308]
  ------------------
  199|      0|#endif
  200|      0|			return (void**)&key->ed25519key; /* the SK Ed25519 type shares the ed25519key slot */
  201|      0|#endif
  202|      0|#if DROPBEAR_ECDSA
  203|      0|#if DROPBEAR_ECC_256
  204|      0|		case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
  ------------------
  |  Branch (204:3): [True: 0, False: 308]
  ------------------
  205|      0|#if DROPBEAR_SK_ECDSA
  206|      0|		case DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256:
  ------------------
  |  Branch (206:3): [True: 0, False: 308]
  ------------------
  207|      0|#endif
  208|      0|			return (void**)&key->ecckey256; /* the SK ECDSA P-256 type shares the ecckey256 slot */
  209|      0|#endif
  210|      0|#if DROPBEAR_ECC_384
  211|      0|		case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
  ------------------
  |  Branch (211:3): [True: 0, False: 308]
  ------------------
  212|      0|			return (void**)&key->ecckey384;
  213|      0|#endif
  214|      0|#if DROPBEAR_ECC_521
  215|    308|		case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
  ------------------
  |  Branch (215:3): [True: 308, False: 0]
  ------------------
  216|    308|			return (void**)&key->ecckey521;
  217|      0|#endif
  218|      0|#endif /* DROPBEAR_ECDSA */
  219|      0|#if DROPBEAR_RSA
  220|      0|		case DROPBEAR_SIGNKEY_RSA:
  ------------------
  |  Branch (220:3): [True: 0, False: 308]
  ------------------
  221|      0|			return (void**)&key->rsakey;
  222|      0|#endif
  223|      0|#if DROPBEAR_DSS
  224|      0|		case DROPBEAR_SIGNKEY_DSS:
  ------------------
  |  Branch (224:3): [True: 0, False: 308]
  ------------------
  225|      0|			return (void**)&key->dsskey;
  226|      0|#endif
  227|      0|		default:
  ------------------
  |  Branch (227:3): [True: 0, False: 308]
  ------------------
  228|       |			return NULL; /* callers have to check for NULL before dereferencing the result */
  229|    308|	}
  230|    308|}
buf_get_pub_key:
  235|  1.87k|int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) {
  236|       |	/* Parse a public key from buf into key. On entry *type is the required type or DROPBEAR_SIGNKEY_ANY. Returns DROPBEAR_FAILURE on a type mismatch or when no per-algorithm parser succeeds. */
  237|  1.87k|	char *ident;
  238|  1.87k|	unsigned int len;
  239|  1.87k|	enum signkey_type keytype;
  240|  1.87k|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|  1.87k|#define DROPBEAR_FAILURE -1
  ------------------
  241|       |
  242|  1.87k|	TRACE2(("enter buf_get_pub_key"))
  243|       |
  244|  1.87k|	ident = buf_getstring(buf, &len); /* algorithm name as carried in the blob itself */
  245|  1.87k|	keytype = signkey_type_from_name(ident, len);
  246|  1.87k|	m_free(ident); /* freed before the early return below, so the mismatch path does not leak it */
  ------------------
  |  |   24|  1.87k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1.87k]
  |  |  ------------------
  ------------------
  247|       |
  248|  1.87k|	if (*type != DROPBEAR_SIGNKEY_ANY && *type != keytype) {
  ------------------
  |  Branch (248:6): [True: 1.87k, False: 1]
  |  Branch (248:39): [True: 105, False: 1.76k]
  ------------------
  249|    105|		TRACE(("buf_get_pub_key bad type - got %d, expected %d", keytype, *type))
  250|    105|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|    105|#define DROPBEAR_FAILURE -1
  ------------------
  251|    105|	}
  252|       |	
  253|  1.77k|	TRACE2(("buf_get_pub_key keytype is %d", keytype))
  254|       |
  255|  1.77k|	*type = keytype; /* written as soon as the name passes the check, even if the key body later fails to parse */
  256|       |
  257|       |	/* Rewind the buffer back before "ssh-rsa" etc */
  258|  1.77k|	buf_decrpos(buf, len + 4); /* len + 4: the name plus, presumably, its 4-byte length prefix - so the per-algorithm parser sees the name again */
  259|       |
  260|  1.77k|#if DROPBEAR_DSS
  261|  1.77k|	if (keytype == DROPBEAR_SIGNKEY_DSS) {
  ------------------
  |  Branch (261:6): [True: 274, False: 1.49k]
  ------------------
  262|    274|		dss_key_free(key->dsskey); /* release any key already held in this slot */
  263|    274|		key->dsskey = m_malloc(sizeof(*key->dsskey));
  264|    274|		ret = buf_get_dss_pub_key(buf, key->dsskey);
  265|    274|		if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|    274|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (265:7): [True: 93, False: 181]
  ------------------
  266|     93|			dss_key_free(key->dsskey); /* on failure the partly filled key is released and the slot cleared, so no half-parsed key stays reachable */
  267|     93|			key->dsskey = NULL;
  268|     93|		}
  269|    274|	}
  270|  1.77k|#endif
  271|  1.77k|#if DROPBEAR_RSA
  272|  1.77k|	if (keytype == DROPBEAR_SIGNKEY_RSA) {
  ------------------
  |  Branch (272:6): [True: 937, False: 833]
  ------------------
  273|    937|		rsa_key_free(key->rsakey);
  274|    937|		key->rsakey = m_malloc(sizeof(*key->rsakey));
  275|    937|		ret = buf_get_rsa_pub_key(buf, key->rsakey);
  276|    937|		if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|    937|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (276:7): [True: 56, False: 881]
  ------------------
  277|     56|			rsa_key_free(key->rsakey);
  278|     56|			key->rsakey = NULL;
  279|     56|		}
  280|    937|	}
  281|  1.77k|#endif
  282|  1.77k|#if DROPBEAR_ECDSA
  283|  1.77k|	if (signkey_is_ecdsa(keytype)
  ------------------
  |  Branch (283:6): [True: 178, False: 1.59k]
  ------------------
  284|  1.59k|#if DROPBEAR_SK_ECDSA
  285|  1.59k|		|| keytype == DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256
  ------------------
  |  Branch (285:6): [True: 0, False: 1.59k]
  ------------------
  286|  1.77k|#endif
  287|  1.77k|	) {
  288|    131|		ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
  289|    131|		if (eck) {
  ------------------
  |  Branch (289:7): [True: 131, False: 0]
  ------------------
  290|    131|			if (*eck) {
  ------------------
  |  Branch (290:8): [True: 0, False: 131]
  ------------------
  291|      0|				ecc_free(*eck);
  292|      0|				m_free(*eck);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  293|      0|				*eck = NULL;
  294|      0|			}
  295|    131|			*eck = buf_get_ecdsa_pub_key(buf); /* ret becomes DROPBEAR_SUCCESS only if a key came back */
  296|    131|			if (*eck) {
  ------------------
  |  Branch (296:8): [True: 90, False: 41]
  ------------------
  297|     90|				ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|     90|#define DROPBEAR_SUCCESS 0
  ------------------
  298|     90|			}
  299|    131|		}
  300|    131|	}
  301|  1.77k|#endif
  302|  1.77k|#if DROPBEAR_ED25519
  303|  1.77k|	if (keytype == DROPBEAR_SIGNKEY_ED25519
  ------------------
  |  Branch (303:6): [True: 475, False: 1.29k]
  ------------------
  304|  1.29k|#if DROPBEAR_SK_ED25519
  305|  1.29k|		|| keytype == DROPBEAR_SIGNKEY_SK_ED25519
  ------------------
  |  Branch (305:6): [True: 0, False: 1.29k]
  ------------------
  306|  1.77k|#endif
  307|  1.77k|    ) {
  308|    427|		ed25519_key_free(key->ed25519key);
  309|    427|		key->ed25519key = m_malloc(sizeof(*key->ed25519key));
  310|    427|		ret = buf_get_ed25519_pub_key(buf, key->ed25519key, keytype);
  311|    427|		if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|    427|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (311:7): [True: 49, False: 378]
  ------------------
  312|     49|			m_free(key->ed25519key); /* NOTE(review): this failure path uses m_free, while the DSS and RSA branches call their *_key_free helper - presumably fine if the struct owns no further allocations; confirm */
  ------------------
  |  |   24|     49|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 49]
  |  |  ------------------
  ------------------
  313|     49|			key->ed25519key = NULL; /* redundant: the m_free macro already NULLs its argument */
  314|     49|		}
  315|    427|	}
  316|  1.77k|#endif
  317|       |
  318|  1.77k|#if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
  319|  1.77k|	if (0
  ------------------
  |  Branch (319:6): [Folded, False: 1.72k]
  ------------------
  320|  1.72k|#if DROPBEAR_SK_ED25519
  321|  1.72k|		|| keytype == DROPBEAR_SIGNKEY_SK_ED25519
  ------------------
  |  Branch (321:6): [True: 0, False: 1.72k]
  ------------------
  322|  1.72k|#endif
  323|  1.72k|#if DROPBEAR_SK_ECDSA
  324|  1.72k|		|| keytype == DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256
  ------------------
  |  Branch (324:6): [True: 0, False: 1.72k]
  ------------------
  325|  1.77k|#endif
  326|  1.77k|	) {
  327|      0|		key->sk_app = buf_getstring(buf, &key->sk_applen); /* NOTE(review): runs for SK types even when ret is DROPBEAR_FAILURE, and overwrites key->sk_app without freeing a previous value - confirm a reused sign_key cannot leak here; count 0 in this report, so this line was never exercised */
  328|      0|	}
  329|  1.77k|#endif
  330|       |
  331|  1.77k|	TRACE2(("leave buf_get_pub_key"))
  332|       |
  333|  1.77k|	return ret;
  334|  1.87k|}
buf_get_priv_key:
  339|      1|int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) {
  340|       |	/* Parse a private key from buf into key. On entry *type is the required type or DROPBEAR_SIGNKEY_ANY. Returns DROPBEAR_FAILURE on a type mismatch or when no per-algorithm parser succeeds. No SK key type is handled in this function. */
  341|      1|	char *ident;
  342|      1|	unsigned int len;
  343|      1|	enum signkey_type keytype;
  344|      1|	int ret = DROPBEAR_FAILURE;
  ------------------
  |  |  112|      1|#define DROPBEAR_FAILURE -1
  ------------------
  345|       |
  346|      1|	TRACE2(("enter buf_get_priv_key"))
  347|       |
  348|      1|	ident = buf_getstring(buf, &len);
  349|      1|	keytype = signkey_type_from_name(ident, len);
  350|      1|	m_free(ident); /* freed before the early return below, so the mismatch path does not leak it */
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
  351|       |
  352|      1|	if (*type != DROPBEAR_SIGNKEY_ANY && *type != keytype) {
  ------------------
  |  Branch (352:6): [True: 0, False: 1]
  |  Branch (352:39): [True: 0, False: 0]
  ------------------
  353|      0|		TRACE(("wrong key type: %d %d", *type, keytype))
  354|      0|		return DROPBEAR_FAILURE;
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  355|      0|	}
  356|       |
  357|      1|	*type = keytype; /* written as soon as the name passes the check, even if the key body later fails to parse */
  358|       |
  359|       |	/* Rewind the buffer back before "ssh-rsa" etc */
  360|      1|	buf_decrpos(buf, len + 4); /* len + 4: the name plus, presumably, its 4-byte length prefix */
  361|       |
  362|      1|#if DROPBEAR_DSS
  363|      1|	if (keytype == DROPBEAR_SIGNKEY_DSS) {
  ------------------
  |  Branch (363:6): [True: 0, False: 1]
  ------------------
  364|      0|		dss_key_free(key->dsskey); /* release any key already held in this slot */
  365|      0|		key->dsskey = m_malloc(sizeof(*key->dsskey));
  366|      0|		ret = buf_get_dss_priv_key(buf, key->dsskey);
  367|      0|		if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (367:7): [True: 0, False: 0]
  ------------------
  368|      0|			dss_key_free(key->dsskey); /* on failure the partly filled key is released and the slot cleared */
  369|      0|			key->dsskey = NULL;
  370|      0|		}
  371|      0|	}
  372|      1|#endif
  373|      1|#if DROPBEAR_RSA
  374|      1|	if (keytype == DROPBEAR_SIGNKEY_RSA) {
  ------------------
  |  Branch (374:6): [True: 0, False: 1]
  ------------------
  375|      0|		rsa_key_free(key->rsakey);
  376|      0|		key->rsakey = m_malloc(sizeof(*key->rsakey));
  377|      0|		ret = buf_get_rsa_priv_key(buf, key->rsakey);
  378|      0|		if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (378:7): [True: 0, False: 0]
  ------------------
  379|      0|			rsa_key_free(key->rsakey);
  380|      0|			key->rsakey = NULL;
  381|      0|		}
  382|      0|	}
  383|      1|#endif
  384|      1|#if DROPBEAR_ECDSA
  385|      1|	if (signkey_is_ecdsa(keytype)) {
  ------------------
  |  Branch (385:6): [True: 0, False: 1]
  ------------------
  386|      0|		ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
  387|      0|		if (eck) {
  ------------------
  |  Branch (387:7): [True: 0, False: 0]
  ------------------
  388|      0|			if (*eck) {
  ------------------
  |  Branch (388:8): [True: 0, False: 0]
  ------------------
  389|      0|				ecc_free(*eck);
  390|      0|				m_free(*eck);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  391|      0|				*eck = NULL;
  392|      0|			}
  393|      0|			*eck = buf_get_ecdsa_priv_key(buf); /* ret becomes DROPBEAR_SUCCESS only if a key came back */
  394|      0|			if (*eck) {
  ------------------
  |  Branch (394:8): [True: 0, False: 0]
  ------------------
  395|      0|				ret = DROPBEAR_SUCCESS;
  ------------------
  |  |  111|      0|#define DROPBEAR_SUCCESS 0
  ------------------
  396|      0|			}
  397|      0|		}
  398|      0|	}
  399|      1|#endif
  400|      1|#if DROPBEAR_ED25519
  401|      1|	if (keytype == DROPBEAR_SIGNKEY_ED25519) {
  ------------------
  |  Branch (401:6): [True: 1, False: 0]
  ------------------
  402|      1|		ed25519_key_free(key->ed25519key);
  403|      1|		key->ed25519key = m_malloc(sizeof(*key->ed25519key));
  404|      1|		ret = buf_get_ed25519_priv_key(buf, key->ed25519key);
  405|      1|		if (ret == DROPBEAR_FAILURE) {
  ------------------
  |  |  112|      1|#define DROPBEAR_FAILURE -1
  ------------------
  |  Branch (405:7): [True: 0, False: 1]
  ------------------
  406|      0|			m_free(key->ed25519key); /* NOTE(review): a partly parsed private key is released with plain m_free; whether its bytes are wiped first depends on m_free_direct, not shown here - confirm */
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  407|      0|			key->ed25519key = NULL; /* redundant: the m_free macro already NULLs its argument */
  408|      0|		}
  409|      1|	}
  410|      1|#endif
  411|       |
  412|      1|	TRACE2(("leave buf_get_priv_key"))
  413|       |
  414|      1|	return ret;
  415|       |	
  416|      1|}
buf_put_pub_key:
  419|  1.33k|void buf_put_pub_key(buffer* buf, sign_key *key, enum signkey_type type) {
  420|       |	/* Write the public key of the given type from key into a scratch buffer, then append that buffer to buf with buf_putbufstring. Calls dropbear_exit if no branch wrote anything. */
  421|  1.33k|	buffer *pubkeys;
  422|       |
  423|  1.33k|	TRACE2(("enter buf_put_pub_key"))
  424|  1.33k|	pubkeys = buf_new(MAX_PUBKEY_SIZE); /* fixed-size scratch buffer; presumably the buf_put_* helpers bound-check their writes against it - confirm */
  ------------------
  |  |  261|  1.33k|#define MAX_PUBKEY_SIZE 600
  ------------------
  425|       |	
  426|  1.33k|#if DROPBEAR_DSS
  427|  1.33k|	if (type == DROPBEAR_SIGNKEY_DSS) {
  ------------------
  |  Branch (427:6): [True: 141, False: 1.19k]
  ------------------
  428|    141|		buf_put_dss_pub_key(pubkeys, key->dsskey); /* NOTE(review): key->dsskey is passed on without a NULL check here, unlike the ECDSA branch below */
  429|    141|	}
  430|  1.33k|#endif
  431|  1.33k|#if DROPBEAR_RSA
  432|  1.33k|	if (type == DROPBEAR_SIGNKEY_RSA) {
  ------------------
  |  Branch (432:6): [True: 832, False: 506]
  ------------------
  433|    832|		buf_put_rsa_pub_key(pubkeys, key->rsakey);
  434|    832|	}
  435|  1.33k|#endif
  436|  1.33k|#if DROPBEAR_ECDSA
  437|  1.33k|	if (signkey_is_ecdsa(type)
  ------------------
  |  Branch (437:6): [True: 100, False: 1.23k]
  ------------------
  438|  1.23k|#if DROPBEAR_SK_ECDSA
  439|  1.23k|		|| type == DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256
  ------------------
  |  Branch (439:6): [True: 0, False: 1.23k]
  ------------------
  440|  1.33k|#endif
  441|  1.33k|		) {
  442|     89|		ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
  443|     89|		if (eck && *eck) { /* a missing or empty slot is skipped here; the len == 0 check below then exits */
  ------------------
  |  Branch (443:7): [True: 89, False: 0]
  |  Branch (443:14): [True: 89, False: 0]
  ------------------
  444|     89|			buf_put_ecdsa_pub_key(pubkeys, *eck);
  445|     89|		}
  446|     89|	}
  447|  1.33k|#endif
  448|  1.33k|#if DROPBEAR_ED25519
  449|  1.33k|	if (type == DROPBEAR_SIGNKEY_ED25519
  ------------------
  |  Branch (449:6): [True: 287, False: 1.05k]
  ------------------
  450|  1.05k|#if DROPBEAR_SK_ED25519
  451|  1.05k|		|| type == DROPBEAR_SIGNKEY_SK_ED25519
  ------------------
  |  Branch (451:6): [True: 0, False: 1.05k]
  ------------------
  452|  1.33k|#endif
  453|  1.33k|	) {
  454|    276|		buf_put_ed25519_pub_key(pubkeys, key->ed25519key);
  455|    276|	}
  456|  1.33k|#endif
  457|  1.33k|	if (pubkeys->len == 0) { /* nothing was written: the type matched no compiled-in branch, or the ECDSA slot was empty */
  ------------------
  |  Branch (457:6): [True: 0, False: 1.33k]
  ------------------
  458|      0|		dropbear_exit("Bad key types in buf_put_pub_key");
  459|      0|	}
  460|       |
  461|  1.33k|	buf_putbufstring(buf, pubkeys);
  462|  1.33k|	buf_free(pubkeys);
  463|  1.33k|	TRACE2(("leave buf_put_pub_key"))
  464|  1.33k|}
sign_key_free:
  506|      1|void sign_key_free(sign_key *key) {
  507|       |	/* Release every key held in key, its filename and sk_app, then key itself. key must be non-NULL: its members are read unconditionally. */
  508|      1|	TRACE2(("enter sign_key_free"))
  509|       |
  510|      1|#if DROPBEAR_DSS
  511|      1|	dss_key_free(key->dsskey); /* NOTE(review): whether private key material is wiped before release depends on the per-algorithm *_key_free helpers and ecc_free, none of which are shown here - confirm */
  512|      1|	key->dsskey = NULL;
  513|      1|#endif
  514|      1|#if DROPBEAR_RSA
  515|      1|	rsa_key_free(key->rsakey);
  516|      1|	key->rsakey = NULL;
  517|      1|#endif
  518|      1|#if DROPBEAR_ECDSA
  519|      1|#if DROPBEAR_ECC_256
  520|      1|	if (key->ecckey256) {
  ------------------
  |  Branch (520:6): [True: 0, False: 1]
  ------------------
  521|      0|		ecc_free(key->ecckey256);
  522|      0|		m_free(key->ecckey256);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  523|      0|		key->ecckey256 = NULL;
  524|      0|	}
  525|      1|#endif
  526|      1|#if DROPBEAR_ECC_384
  527|      1|	if (key->ecckey384) {
  ------------------
  |  Branch (527:6): [True: 0, False: 1]
  ------------------
  528|      0|		ecc_free(key->ecckey384);
  529|      0|		m_free(key->ecckey384);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  530|      0|		key->ecckey384 = NULL;
  531|      0|	}
  532|      1|#endif
  533|      1|#if DROPBEAR_ECC_521
  534|      1|	if (key->ecckey521) {
  ------------------
  |  Branch (534:6): [True: 0, False: 1]
  ------------------
  535|      0|		ecc_free(key->ecckey521);
  536|      0|		m_free(key->ecckey521);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  537|      0|		key->ecckey521 = NULL;
  538|      0|	}
  539|      1|#endif
  540|      1|#endif
  541|      1|#if DROPBEAR_ED25519
  542|      1|	ed25519_key_free(key->ed25519key);
  543|      1|	key->ed25519key = NULL;
  544|      1|#endif
  545|       |
  546|      1|	m_free(key->filename);
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
  547|      1|#if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
  548|      1|	if (key->sk_app) {
  ------------------
  |  Branch (548:6): [True: 0, False: 1]
  ------------------
  549|      0|		m_free(key->sk_app);
  ------------------
  |  |   24|      0|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 0]
  |  |  ------------------
  ------------------
  550|      0|	}
  551|      1|#endif
  552|       |
  553|       |	m_free(key); /* the macro NULLs only this function's copy of the pointer; the caller's own pointer still refers to freed memory and must not be reused */
  ------------------
  |  |   24|      1|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1]
  |  |  ------------------
  ------------------
  554|      1|	TRACE2(("leave sign_key_free"))
  555|      1|}
buf_verify:
  645|  1.32k|int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype, const buffer *data_buf) {
  646|       |	/* Verify the signature blob in buf over data_buf using key. The algorithm named inside the blob must equal expect_sigtype. Returns the per-algorithm verifier's result; a mismatch, a missing key or an unhandled type ends in dropbear_exit. */
  647|  1.32k|	char *type_name = NULL;
  648|  1.32k|	unsigned int type_name_len = 0;
  649|  1.32k|	enum signature_type sigtype;
  650|  1.32k|	enum signkey_type keytype;
  651|       |
  652|  1.32k|	TRACE(("enter buf_verify"))
  653|       |
  654|  1.32k|	buf_getint(buf); /* blob length: read and discarded, never compared with the data that follows - NOTE(review): confirm the buf_get* helpers bound-check every later read */
  655|  1.32k|	type_name = buf_getstring(buf, &type_name_len);
  656|  1.32k|	sigtype = signature_type_from_name(type_name, type_name_len);
  657|  1.32k|	m_free(type_name);
  ------------------
  |  |   24|  1.32k|#define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
  |  |  ------------------
  |  |  |  Branch (24:61): [Folded, False: 1.32k]
  |  |  ------------------
  ------------------
  658|       |
  659|  1.32k|	if (expect_sigtype != sigtype) { /* the algorithm named in the blob must be the one the caller expects; checked before any key is used */
  ------------------
  |  Branch (659:6): [True: 69, False: 1.25k]
  ------------------
  660|     69|			dropbear_exit("Non-matching signing type");
  661|     69|	}
  662|       |
  663|  1.25k|	keytype = signkey_type_from_signature(sigtype);
  664|  1.25k|#if DROPBEAR_DSS
  665|  1.25k|	if (keytype == DROPBEAR_SIGNKEY_DSS) {
  ------------------
  |  Branch (665:6): [True: 137, False: 1.12k]
  ------------------
  666|    137|		if (key->dsskey == NULL) {
  ------------------
  |  Branch (666:7): [True: 0, False: 137]
  ------------------
  667|      0|			dropbear_exit("No DSS key to verify signature");
  668|      0|		}
  669|    137|		return buf_dss_verify(buf, key->dsskey, data_buf);
  670|    137|	}
  671|  1.12k|#endif
  672|       |
  673|  1.12k|#if DROPBEAR_RSA
  674|  1.12k|	if (keytype == DROPBEAR_SIGNKEY_RSA) {
  ------------------
  |  Branch (674:6): [True: 631, False: 490]
  ------------------
  675|    631|		if (key->rsakey == NULL) {
  ------------------
  |  Branch (675:7): [True: 0, False: 631]
  ------------------
  676|      0|			dropbear_exit("No RSA key to verify signature");
  677|      0|		}
  678|    631|		return buf_rsa_verify(buf, key->rsakey, sigtype, data_buf); /* sigtype is passed through, presumably so the RSA verifier can pick the SHA-1 or SHA-256 variant */
  679|    631|	}
  680|    490|#endif
  681|    490|#if DROPBEAR_ECDSA
  682|    490|	if (signkey_is_ecdsa(keytype)) {
  ------------------
  |  Branch (682:6): [True: 88, False: 402]
  ------------------
  683|     88|		ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
  684|     88|		if (eck && *eck) { /* with a missing or empty slot, control falls through to the dropbear_exit at the end */
  ------------------
  |  Branch (684:7): [True: 88, False: 0]
  |  Branch (684:14): [True: 88, False: 0]
  ------------------
  685|     88|			return buf_ecdsa_verify(buf, *eck, data_buf);
  686|     88|		}
  687|     88|	}
  688|    402|#endif
  689|    402|#if DROPBEAR_ED25519
  690|    402|	if (keytype == DROPBEAR_SIGNKEY_ED25519) {
  ------------------
  |  Branch (690:6): [True: 78, False: 324]
  ------------------
  691|     78|		if (key->ed25519key == NULL) {
  ------------------
  |  Branch (691:7): [True: 0, False: 78]
  ------------------
  692|      0|			dropbear_exit("No Ed25519 key to verify signature");
  693|      0|		}
  694|     78|		return buf_ed25519_verify(buf, key->ed25519key, data_buf);
  695|     78|	}
  696|    324|#endif
  697|    324|#if DROPBEAR_SK_ECDSA
  698|    324|	if (keytype == DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256) { /* NOTE(review): the body has count 0 in this report - the SK ECDSA verify path was never reached by this fuzz run */
  ------------------
  |  Branch (698:6): [True: 0, False: 324]
  ------------------
  699|      0|		ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
  700|      0|		if (eck && *eck) {
  ------------------
  |  Branch (700:7): [True: 0, False: 0]
  |  Branch (700:14): [True: 0, False: 0]
  ------------------
  701|      0|			return buf_sk_ecdsa_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen, key->sk_flags_mask);
  702|      0|		}
  703|      0|	}
  704|    324|#endif
  705|    324|#if DROPBEAR_SK_ED25519
  706|    324|	if (keytype == DROPBEAR_SIGNKEY_SK_ED25519) { /* NOTE(review): count 0 as well - the SK Ed25519 verify path is untested by this run */
  ------------------
  |  Branch (706:6): [True: 0, False: 324]
  ------------------
  707|      0|		dropbear_ed25519_key **eck = (dropbear_ed25519_key**)signkey_key_ptr(key, keytype);
  708|      0|		if (eck && *eck) {
  ------------------
  |  Branch (708:7): [True: 0, False: 0]
  |  Branch (708:14): [True: 0, False: 0]
  ------------------
  709|      0|			return buf_sk_ed25519_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen, key->sk_flags_mask);
  710|      0|		}
  711|      0|	}
  712|    324|#endif
  713|       |
  714|    324|	dropbear_exit("Non-matching signing type"); /* no branch handled the type: exit instead of reporting a result */
  715|      0|	return DROPBEAR_FAILURE; /* count 0 in this report; presumably dropbear_exit does not return */
  ------------------
  |  |  112|      0|#define DROPBEAR_FAILURE -1
  ------------------
  716|    324|}

crypto_kem_sntrup761_keypair:
 2170|  3.37k|int crypto_kem_sntrup761_keypair(unsigned char *pk, unsigned char *sk) { /* Generate a keypair into pk and sk. sk receives, in order: the ZKeyGen secret (SecretKeys_bytes), a copy of pk, Small_bytes of random data, then the Hash_prefix output over pk. No sizes are checked here; both buffers must be large enough. Always returns 0. */
 2171|  3.37k|  int i;
 2172|  3.37k|  ZKeyGen(pk, sk);
 2173|  3.37k|  sk += SecretKeys_bytes; /* step past the part ZKeyGen wrote */
  ------------------
  |  | 1763|  3.37k|#define SecretKeys_bytes (2 * Small_bytes)
  |  |  ------------------
  |  |  |  | 1761|  3.37k|#define Small_bytes ((p + 3) / 4)
  |  |  |  |  ------------------
  |  |  |  |  |  | 1754|  3.37k|#define p 761
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2174|  3.91M|  for (i = 0; i < crypto_kem_sntrup761_PUBLICKEYBYTES; ++i) *sk++ = pk[i]; /* embed a copy of pk inside sk */
  ------------------
  |  |    4|  3.91M|#define crypto_kem_sntrup761_PUBLICKEYBYTES 1158
  ------------------
  |  Branch (2174:15): [True: 3.91M, False: 3.37k]
  ------------------
 2175|  3.37k|  randombytes(sk, Small_bytes); /* random value kept in sk; crypto_kem_sntrup761_dec reads it back as rho */
  ------------------
  |  | 1761|  3.37k|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|  3.37k|#define p 761
  |  |  ------------------
  ------------------
 2176|  3.37k|  Hash_prefix(sk + Small_bytes, 4, pk, crypto_kem_sntrup761_PUBLICKEYBYTES); /* hash over pk stored right after the random value; crypto_kem_sntrup761_dec reads it as cache */
  ------------------
  |  | 1761|  3.37k|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|  3.37k|#define p 761
  |  |  ------------------
  ------------------
                Hash_prefix(sk + Small_bytes, 4, pk, crypto_kem_sntrup761_PUBLICKEYBYTES);
  ------------------
  |  |    4|  3.37k|#define crypto_kem_sntrup761_PUBLICKEYBYTES 1158
  ------------------
 2177|  3.37k|  return 0;
 2178|  3.37k|}
crypto_kem_sntrup761_dec:
 2203|     42|int crypto_kem_sntrup761_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) { /* Decapsulate ciphertext c with secret key sk and write the session key to k. Always returns 0, whatever the ciphertext comparison yields. */
 2204|     42|  const unsigned char *pk = sk + SecretKeys_bytes; /* copy of the public key stored inside sk */
  ------------------
  |  | 1763|     42|#define SecretKeys_bytes (2 * Small_bytes)
  |  |  ------------------
  |  |  |  | 1761|     42|#define Small_bytes ((p + 3) / 4)
  |  |  |  |  ------------------
  |  |  |  |  |  | 1754|     42|#define p 761
  |  |  |  |  ------------------
  |  |  ------------------
  ------------------
 2205|     42|  const unsigned char *rho = pk + crypto_kem_sntrup761_PUBLICKEYBYTES; /* Small_bytes of per-key data following pk */
  ------------------
  |  |    4|     42|#define crypto_kem_sntrup761_PUBLICKEYBYTES 1158
  ------------------
 2206|     42|  const unsigned char *cache = rho + Small_bytes; /* value stored after rho; handed to Hide below */
  ------------------
  |  | 1761|     42|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|     42|#define p 761
  |  |  ------------------
  ------------------
 2207|     42|  Inputs r;
 2208|     42|  unsigned char r_enc[Small_bytes], cnew[crypto_kem_sntrup761_CIPHERTEXTBYTES]; /* NOTE(review): r, r_enc and cnew hold values derived from the secret key and are not cleared before return */
 2209|     42|  int mask, i;
 2210|     42|  ZDecrypt(r, c, sk);
 2211|     42|  Hide(cnew, r_enc, r, pk, cache); /* presumably re-encrypts r, giving cnew to compare with the received c - confirm in Hide */
 2212|     42|  mask = Ciphertexts_diff_mask(c, cnew); /* presumably 0 when c equals cnew and -1 (all bits set) otherwise - confirm in Ciphertexts_diff_mask */
 2213|  8.06k|  for (i = 0; i < Small_bytes; ++i) r_enc[i] ^= mask & (r_enc[i] ^ rho[i]); /* select without a branch: an all-ones mask turns r_enc into rho, a zero mask leaves it unchanged, so control flow does not depend on the comparison */
  ------------------
  |  | 1761|  8.06k|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|  8.06k|#define p 761
  |  |  ------------------
  ------------------
  |  Branch (2213:15): [True: 8.02k, False: 42]
  ------------------
 2214|     42|  HashSession(k, 1 + mask, r_enc, c); /* 1 + mask is 1 or 0 under the assumption above, so the two cases are hashed with different tags */
 2215|     42|  return 0;
 2216|     42|}
sntrup761.c:ZKeyGen:
 2129|  3.37k|static void ZKeyGen(unsigned char *pk, unsigned char *sk) { /* Run KeyGen and encode the result: h into pk, f into the first Small_bytes of sk, v into the next Small_bytes. */
 2130|  3.37k|  Fq h[p];
 2131|  3.37k|  small f[p], v[p]; /* NOTE(review): f and v are the values encoded into sk; these stack copies are not cleared before return */
 2132|  3.37k|  KeyGen(h, f, v);
 2133|  3.37k|  Rq_encode(pk, h);
 2134|  3.37k|  Small_encode(sk, f);
 2135|  3.37k|  Small_encode(sk + Small_bytes, v);
  ------------------
  |  | 1761|  3.37k|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|  3.37k|#define p 761
  |  |  ------------------
  ------------------
 2136|  3.37k|}
sntrup761.c:KeyGen:
 /*
  * Core key generation. Outputs: h (public polynomial), f (secret, from
  * Short_random) and ginv (the R3 reciprocal of the random g drawn here).
  *
  * g is redrawn until R3_recip returns 0. That result is the only
  * secret-derived value this function branches on, and it is passed through
  * crypto_declassify first; in this build the macro expands to an empty
  * statement, so it marks the intent without generating code.
  */
 2044|  3.37k|static void KeyGen(Fq *h, small *f, small *ginv) {
 2045|  3.37k|  small g[p];
 2046|  3.37k|  Fq finv[p];
 2047|  3.38k|  for (;;) {
 2048|  3.38k|    int result;
 2049|  3.38k|    Small_random(g);
 2050|  3.38k|    result = R3_recip(ginv, g);
 2051|  3.38k|    crypto_declassify(&result, sizeof result);
  ------------------
  |  |   14|  3.38k|#define crypto_declassify(x, y) do {} while (0)
  |  |  ------------------
  |  |  |  Branch (14:46): [Folded, False: 3.38k]
  |  |  ------------------
  ------------------
                  /* Retry path: the counts below show one rejected g in this run. */
 2052|  3.38k|    if (result == 0) break;
  ------------------
  |  Branch (2052:9): [True: 3.37k, False: 1]
  ------------------
 2053|  3.38k|  }
 2054|  3.37k|  Short_random(f);
                /* Rq_recip3 returns a status mask that is ignored here -- presumably f is always invertible; confirm against the spec. */
 2055|  3.37k|  Rq_recip3(finv, f);
 2056|  3.37k|  Rq_mult_small(h, finv, g);
 2057|  3.37k|}
sntrup761.c:Small_random:
 /*
  * Fill out[0 .. p) with random coefficients in {-1, 0, 1}.
  *
  * Each coefficient takes the low 30 bits of urandom32(), multiplies by 3
  * (which still fits in 32 bits) and keeps bits 30 and above, giving 0, 1 or
  * 2 without a modulo or a branch; subtracting 1 centres the value. 2^30 is
  * not a multiple of 3, so the three values are near-uniform, not exactly
  * uniform.
  */
 2039|  3.38k|static void Small_random(small *out) {
 2040|  3.38k|  int i;
 2041|  2.57M|  for (i = 0; i < p; ++i) out[i] = (((urandom32() & 0x3fffffff) * 3) >> 30) - 1;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (2041:15): [True: 2.57M, False: 3.38k]
  ------------------
 2042|  3.38k|}
sntrup761.c:urandom32:
 /*
  * Return 32 random bits: four bytes from randombytes(), assembled with c[0]
  * as the least significant byte.
  *
  * Every secret polynomial in this file is derived from this source, so key
  * quality is that of randombytes(), which is defined elsewhere.
  * NOTE(review): in a fuzzing build the generator is presumably seeded
  * deterministically -- keys produced under the harness are not secret.
  */
 2023|  5.14M|static uint32_t urandom32(void) {
 2024|  5.14M|  unsigned char c[4];
 2025|  5.14M|  uint32_t result = 0;
 2026|  5.14M|  int i;
 2027|  5.14M|  randombytes(c, 4);
 2028|  25.7M|  for (i = 0; i < 4; ++i) result += ((uint32_t)c[i]) << (8 * i);
  ------------------
  |  Branch (2028:15): [True: 20.5M, False: 5.14M]
  ------------------
 2029|  5.14M|  return result;
 2030|  5.14M|}
sntrup761.c:R3_recip:
 /*
  * Write to out[0 .. p) the reciprocal of in in R3: coefficients mod 3,
  * polynomials taken modulo x^p - x - 1 (the polynomial loaded into f below).
  *
  * Returns crypto_int16_nonzero_mask(delta): 0 or -1. KeyGen treats 0 as
  * success and redraws its input on any other value.
  *
  * in is secret key material. The outer loop always runs 2p - 1 times, every
  * inner loop has a fixed bound, and the conditional exchange of (f, g) and
  * (v, r) is done with the swap mask; no branch or array index in this
  * function depends on a coefficient value.
  */
 1900|  3.38k|static int R3_recip(small *out, const small *in) {
 1901|  3.38k|  small f[p + 1], g[p + 1], v[p + 1], r[p + 1];
 1902|  3.38k|  int sign, swap, t, i, loop, delta = 1;
 1903|  2.57M|  for (i = 0; i < p + 1; ++i) v[i] = 0;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1903:15): [True: 2.57M, False: 3.38k]
  ------------------
 1904|  2.57M|  for (i = 0; i < p + 1; ++i) r[i] = 0;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1904:15): [True: 2.57M, False: 3.38k]
  ------------------
 1905|  3.38k|  r[0] = 1;
                /* f holds x^p - x - 1 with the highest-degree coefficient at index 0. */
 1906|  2.57M|  for (i = 0; i < p; ++i) f[i] = 0;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1906:15): [True: 2.57M, False: 3.38k]
  ------------------
 1907|  3.38k|  f[0] = 1;
 1908|  3.38k|  f[p - 1] = f[p] = -1;
  ------------------
  |  | 1754|  3.38k|#define p 761
  ------------------
                f[p - 1] = f[p] = -1;
  ------------------
  |  | 1754|  3.38k|#define p 761
  ------------------
                /* g holds the input in the same reversed coefficient order. */
 1909|  2.57M|  for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
                for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1909:15): [True: 2.57M, False: 3.38k]
  ------------------
 1910|  3.38k|  g[p] = 0;
  ------------------
  |  | 1754|  3.38k|#define p 761
  ------------------
 1911|  5.14M|  for (loop = 0; loop < 2 * p - 1; ++loop) {
  ------------------
  |  | 1754|  5.14M|#define p 761
  ------------------
  |  Branch (1911:18): [True: 5.14M, False: 3.38k]
  ------------------
                  /* Shift v up by one position. */
 1912|  3.91G|    for (i = p; i > 0; --i) v[i] = v[i - 1];
  ------------------
  |  | 1754|  5.14M|#define p 761
  ------------------
  |  Branch (1912:17): [True: 3.91G, False: 5.14M]
  ------------------
 1913|  5.14M|    v[0] = 0;
 1914|  5.14M|    sign = -g[0] * f[0];
                  /* swap is all ones when delta > 0 and g[0] != 0, else 0; delta is negated under the same mask. */
 1915|  5.14M|    swap = crypto_int16_negative_mask(-delta) & crypto_int16_nonzero_mask(g[0]);
 1916|  5.14M|    delta ^= swap & (delta ^ -delta);
 1917|  5.14M|    delta += 1;
                  /* XOR exchange under the mask: the same loads and stores happen whether or not a swap takes place. */
 1918|  3.92G|    for (i = 0; i < p + 1; ++i) {
  ------------------
  |  | 1754|  3.92G|#define p 761
  ------------------
  |  Branch (1918:17): [True: 3.91G, False: 5.14M]
  ------------------
 1919|  3.91G|      t = swap & (f[i] ^ g[i]);
 1920|  3.91G|      f[i] ^= t;
 1921|  3.91G|      g[i] ^= t;
 1922|  3.91G|      t = swap & (v[i] ^ r[i]);
 1923|  3.91G|      v[i] ^= t;
 1924|  3.91G|      r[i] ^= t;
 1925|  3.91G|    }
 1926|  3.92G|    for (i = 0; i < p + 1; ++i) g[i] = F3_freeze(g[i] + sign * f[i]);
  ------------------
  |  | 1754|  3.92G|#define p 761
  ------------------
  |  Branch (1926:17): [True: 3.91G, False: 5.14M]
  ------------------
 1927|  3.92G|    for (i = 0; i < p + 1; ++i) r[i] = F3_freeze(r[i] + sign * v[i]);
  ------------------
  |  | 1754|  3.92G|#define p 761
  ------------------
  |  Branch (1927:17): [True: 3.91G, False: 5.14M]
  ------------------
                  /* Shift g down by one position. */
 1928|  3.91G|    for (i = 0; i < p; ++i) g[i] = g[i + 1];
  ------------------
  |  | 1754|  3.91G|#define p 761
  ------------------
  |  Branch (1928:17): [True: 3.91G, False: 5.14M]
  ------------------
 1929|  5.14M|    g[p] = 0;
  ------------------
  |  | 1754|  5.14M|#define p 761
  ------------------
 1930|  5.14M|  }
 1931|  3.38k|  sign = f[0];
                /* Undo the reversed order and scale by the final f[0]. */
 1932|  2.57M|  for (i = 0; i < p; ++i) out[i] = sign * v[p - 1 - i];
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
                for (i = 0; i < p; ++i) out[i] = sign * v[p - 1 - i];
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1932:15): [True: 2.57M, False: 3.38k]
  ------------------
 1933|  3.38k|  return crypto_int16_nonzero_mask(delta);
 1934|  3.38k|}
sntrup761.c:crypto_int16_negative_mask:
   /*
    * Return -1 (all bits set) when the argument is negative and 0 otherwise.
    *
    * The x86_64 and aarch64 variants use one inline-asm instruction (an
    * arithmetic shift by 15, or a sign-extending extract of bit 15). The
    * counts in this listing show the x86_64 variant is the one compiled here.
    * The portable fallback shifts in two steps with crypto_int16_optblocker
    * added in between -- presumably a value the compiler cannot fold, so the
    * mask is not turned back into a compare-and-branch; confirm at its
    * definition. The fallback also relies on >> of a negative value being an
    * arithmetic shift, which C leaves implementation-defined.
    */
   74|  10.2M|crypto_int16 crypto_int16_negative_mask(crypto_int16 crypto_int16_x) {
   75|  10.2M|#if defined(__GNUC__) && defined(__x86_64__)
   76|  10.2M|  __asm__ ("sarw $15,%0" : "+r"(crypto_int16_x) : : "cc");
   77|  10.2M|  return crypto_int16_x;
   78|       |#elif defined(__GNUC__) && defined(__aarch64__)
   79|       |  crypto_int16 crypto_int16_y;
   80|       |  __asm__ ("sbfx %w0,%w1,15,1" : "=r"(crypto_int16_y) : "r"(crypto_int16_x) : );
   81|       |  return crypto_int16_y;
   82|       |#else
   83|       |  crypto_int16_x >>= 16-6;
   84|       |  crypto_int16_x += crypto_int16_optblocker;
   85|       |  crypto_int16_x >>= 5;
   86|       |  return crypto_int16_x;
   87|       |#endif
   88|  10.2M|}
sntrup761.c:crypto_int16_nonzero_mask:
  /*
   * Return -1 (all bits set) when the argument is nonzero and 0 when it is zero.
   *
   * The x86_64 variant zeroes the result, loads -1 into a scratch register,
   * tests the argument and conditionally moves the scratch value in; the
   * aarch64 variant uses tst and csetm. Neither contains a jump. The portable
   * fallback ORs the value with its negation and takes the sign through
   * crypto_int16_negative_mask.
   */
  232|  10.2M|crypto_int16 crypto_int16_nonzero_mask(crypto_int16 crypto_int16_x) {
  233|  10.2M|#if defined(__GNUC__) && defined(__x86_64__)
  234|  10.2M|  crypto_int16 crypto_int16_q,crypto_int16_z;
  ------------------
  |  |   35|  10.2M|#define crypto_int16 int16_t
  ------------------
  235|  10.2M|  __asm__ ("xorw %0,%0\n movw $-1,%1\n testw %2,%2\n cmovnew %1,%0" : "=&r"(crypto_int16_z), "=&r"(crypto_int16_q) : "r"(crypto_int16_x) : "cc");
  236|  10.2M|  return crypto_int16_z;
  237|       |#elif defined(__GNUC__) && defined(__aarch64__)
  238|       |  crypto_int16 crypto_int16_z;
  239|       |  __asm__ ("tst %w1,65535\n csetm %w0,ne" : "=r"(crypto_int16_z) : "r"(crypto_int16_x) : "cc");
  240|       |  return crypto_int16_z;
  241|       |#else
  242|       |  crypto_int16_x |= -crypto_int16_x;
  243|       |  return crypto_int16_negative_mask(crypto_int16_x);
  244|       |#endif
  245|  10.2M|}
sntrup761.c:F3_freeze:
 /*
  * Reduce x modulo 3 to a representative near zero, without a division or a
  * branch: 10923 is about 2^15 / 3, so the shifted product is x / 3 rounded
  * to nearest, and x minus three times that is the remainder. Relies on >>
  * being an arithmetic shift for negative products (implementation-defined
  * in C). NOTE(review): only valid for small |x|; the callers in this listing
  * pass sums of a few values in {-1, 0, 1}.
  */
 1766|  7.83G|static small F3_freeze(int16_t x) { return x - 3 * ((10923 * x + 16384) >> 15); }
sntrup761.c:Rq_recip3:
 /*
  * Write to out[0 .. p) the reciprocal of 3 * in in Rq: coefficients mod q,
  * polynomials taken modulo x^p - x - 1. The factor 1/3 enters through the
  * initial value r[0] = Fq_recip(3).
  *
  * Returns crypto_int16_nonzero_mask(delta): 0 or -1. The only caller in this
  * listing (KeyGen) discards the return value.
  *
  * in is the secret polynomial f. As in R3_recip, the iteration count is
  * fixed at 2p - 1 and the exchange of (f, g) and (v, r) is mask-based, so no
  * branch or array index depends on a coefficient value.
  */
 1962|  3.37k|static int Rq_recip3(Fq *out, const small *in) {
 1963|  3.37k|  Fq f[p + 1], g[p + 1], v[p + 1], r[p + 1], scale;
 1964|  3.37k|  int swap, t, i, loop, delta = 1;
 1965|  3.37k|  int32_t f0, g0;
 1966|  2.57M|  for (i = 0; i < p + 1; ++i) v[i] = 0;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1966:15): [True: 2.57M, False: 3.37k]
  ------------------
 1967|  2.57M|  for (i = 0; i < p + 1; ++i) r[i] = 0;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1967:15): [True: 2.57M, False: 3.37k]
  ------------------
 1968|  3.37k|  r[0] = Fq_recip(3);
                /* f holds x^p - x - 1 with the highest-degree coefficient at index 0. */
 1969|  2.57M|  for (i = 0; i < p; ++i) f[i] = 0;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1969:15): [True: 2.57M, False: 3.37k]
  ------------------
 1970|  3.37k|  f[0] = 1;
 1971|  3.37k|  f[p - 1] = f[p] = -1;
  ------------------
  |  | 1754|  3.37k|#define p 761
  ------------------
                f[p - 1] = f[p] = -1;
  ------------------
  |  | 1754|  3.37k|#define p 761
  ------------------
                /* g holds the input in the same reversed coefficient order. */
 1972|  2.57M|  for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
                for (i = 0; i < p; ++i) g[p - 1 - i] = in[i];
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1972:15): [True: 2.57M, False: 3.37k]
  ------------------
 1973|  3.37k|  g[p] = 0;
  ------------------
  |  | 1754|  3.37k|#define p 761
  ------------------
 1974|  5.14M|  for (loop = 0; loop < 2 * p - 1; ++loop) {
  ------------------
  |  | 1754|  5.14M|#define p 761
  ------------------
  |  Branch (1974:18): [True: 5.13M, False: 3.37k]
  ------------------
                  /* Shift v up by one position. */
 1975|  3.91G|    for (i = p; i > 0; --i) v[i] = v[i - 1];
  ------------------
  |  | 1754|  5.13M|#define p 761
  ------------------
  |  Branch (1975:17): [True: 3.91G, False: 5.13M]
  ------------------
 1976|  5.13M|    v[0] = 0;
                  /* swap is all ones when delta > 0 and g[0] != 0, else 0; delta is negated under the same mask. */
 1977|  5.13M|    swap = crypto_int16_negative_mask(-delta) & crypto_int16_nonzero_mask(g[0]);
 1978|  5.13M|    delta ^= swap & (delta ^ -delta);
 1979|  5.13M|    delta += 1;
                  /* XOR exchange under the mask: the same loads and stores happen whether or not a swap takes place. */
 1980|  3.92G|    for (i = 0; i < p + 1; ++i) {
  ------------------
  |  | 1754|  3.92G|#define p 761
  ------------------
  |  Branch (1980:17): [True: 3.91G, False: 5.13M]
  ------------------
 1981|  3.91G|      t = swap & (f[i] ^ g[i]);
 1982|  3.91G|      f[i] ^= t;
 1983|  3.91G|      g[i] ^= t;
 1984|  3.91G|      t = swap & (v[i] ^ r[i]);
 1985|  3.91G|      v[i] ^= t;
 1986|  3.91G|      r[i] ^= t;
 1987|  3.91G|    }
                  /* f0 and g0 are widened to int32_t so the products below are formed in 32 bits before Fq_freeze reduces them. */
 1988|  5.13M|    f0 = f[0];
 1989|  5.13M|    g0 = g[0];
 1990|  3.92G|    for (i = 0; i < p + 1; ++i) g[i] = Fq_freeze(f0 * g[i] - g0 * f[i]);
  ------------------
  |  | 1754|  3.92G|#define p 761
  ------------------
  |  Branch (1990:17): [True: 3.91G, False: 5.13M]
  ------------------
 1991|  3.92G|    for (i = 0; i < p + 1; ++i) r[i] = Fq_freeze(f0 * r[i] - g0 * v[i]);
  ------------------
  |  | 1754|  3.92G|#define p 761
  ------------------
  |  Branch (1991:17): [True: 3.91G, False: 5.13M]
  ------------------
                  /* Shift g down by one position. */
 1992|  3.91G|    for (i = 0; i < p; ++i) g[i] = g[i + 1];
  ------------------
  |  | 1754|  3.91G|#define p 761
  ------------------
  |  Branch (1992:17): [True: 3.91G, False: 5.13M]
  ------------------
 1993|  5.13M|    g[p] = 0;
  ------------------
  |  | 1754|  5.13M|#define p 761
  ------------------
 1994|  5.13M|  }
                /* Undo the reversed order and scale by the reciprocal of the final f[0]. */
 1995|  3.37k|  scale = Fq_recip(f[0]);
 1996|  2.57M|  for (i = 0; i < p; ++i) out[i] = Fq_freeze(scale * (int32_t)v[p - 1 - i]);
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
                for (i = 0; i < p; ++i) out[i] = Fq_freeze(scale * (int32_t)v[p - 1 - i]);
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (1996:15): [True: 2.57M, False: 3.37k]
  ------------------
 1997|  3.37k|  return crypto_int16_nonzero_mask(delta);
 1998|  3.37k|}
sntrup761.c:Fq_recip:
 /*
  * Return a1 raised to the power q - 2, reduced by Fq_freeze after every
  * multiplication; for nonzero a1 and prime q that power is the reciprocal
  * of a1 mod q. An input of 0 yields 0.
  *
  * The loop always performs q - 3 multiplications regardless of a1, so the
  * running time does not depend on the (possibly secret) argument.
  */
 1952|  6.75k|static Fq Fq_recip(Fq a1) {
 1953|  6.75k|  int i = 1;
 1954|  6.75k|  Fq ai = a1;
 1955|  31.0M|  while (i < q - 2) {
  ------------------
  |  | 1755|  31.0M|#define q 4591
  ------------------
  |  Branch (1955:10): [True: 31.0M, False: 6.75k]
  ------------------
 1956|  31.0M|    ai = Fq_freeze(a1 * (int32_t)ai);
 1957|  31.0M|    i += 1;
 1958|  31.0M|  }
 1959|  6.75k|  return ai;
 1960|  6.75k|}
sntrup761.c:Fq_freeze:
 /*
  * Reduce x modulo q using three multiply-and-shift steps with the rounded
  * reciprocals q16, q20 and q28 (2^16/q, 2^20/q and 2^28/q). There is no
  * division by a runtime value and no branch, so the work done does not
  * depend on x.
  *
  * presumably the result lies in [-(q-1)/2, (q-1)/2] for the input ranges the
  * callers produce -- confirm against the reference implementation. The
  * right shifts of negative intermediates rely on arithmetic-shift
  * behaviour, which C leaves implementation-defined.
  */
 1768|  7.86G|static Fq Fq_freeze(int32_t x) {
 1769|  7.86G|  const int32_t q16 = (0x10000 + q / 2) / q;
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
                const int32_t q16 = (0x10000 + q / 2) / q;
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
 1770|  7.86G|  const int32_t q20 = (0x100000 + q / 2) / q;
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
                const int32_t q20 = (0x100000 + q / 2) / q;
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
 1771|  7.86G|  const int32_t q28 = (0x10000000 + q / 2) / q;
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
                const int32_t q28 = (0x10000000 + q / 2) / q;
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
                /* Two coarse steps shrink x; the last step adds half (0x8000000) before shifting, i.e. rounds to nearest. */
 1772|  7.86G|  x -= q * ((q16 * x) >> 16);
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
 1773|  7.86G|  x -= q * ((q20 * x) >> 20);
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
 1774|  7.86G|  return x - q * ((q28 * x + 0x8000000) >> 28);
  ------------------
  |  | 1755|  7.86G|#define q 4591
  ------------------
 1775|  7.86G|}
sntrup761.c:Rq_mult_small:
 /*
  * h = f * g in Rq, where f has coefficients mod q and g is a small
  * polynomial.
  *
  * Schoolbook product into the 2p - 1 int32_t accumulators fg, then folding
  * of the terms of degree p and above back into the low part (each fg[i]
  * with i >= p is added to fg[i - p] and fg[i - p + 1], i.e. reduction by
  * x^p - x - 1), then Fq_freeze on each coefficient.
  *
  * All loop bounds are constants and no index depends on a coefficient value.
  * NOTE(review): the accumulators are not reduced during the product, so this
  * assumes frozen f and g in {-1, 0, 1}; confirm callers keep to that.
  */
 1936|  3.46k|static void Rq_mult_small(Fq *h, const Fq *f, const small *g) {
 1937|  3.46k|  int32_t fg[p + p - 1];
 1938|  3.46k|  int i, j;
 1939|  5.27M|  for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
  ------------------
  |  | 1754|  5.27M|#define p 761
  ------------------
                for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
  ------------------
  |  | 1754|  5.27M|#define p 761
  ------------------
  |  Branch (1939:15): [True: 5.26M, False: 3.46k]
  ------------------
 1940|  2.63M|  for (i = 0; i < p; ++i)
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
  |  Branch (1940:15): [True: 2.63M, False: 3.46k]
  ------------------
 1941|  2.00G|    for (j = 0; j < p; ++j) fg[i + j] += f[i] * (int32_t)g[j];
  ------------------
  |  | 1754|  2.00G|#define p 761
  ------------------
  |  Branch (1941:17): [True: 2.00G, False: 2.63M]
  ------------------
 1942|  2.63M|  for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  3.46k|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
  |  Branch (1942:15): [True: 2.63M, False: 3.46k]
  ------------------
 1943|  2.63M|  for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  3.46k|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
  |  Branch (1943:15): [True: 2.63M, False: 3.46k]
  ------------------
 1944|  2.63M|  for (i = 0; i < p; ++i) h[i] = Fq_freeze(fg[i]);
  ------------------
  |  | 1754|  2.63M|#define p 761
  ------------------
  |  Branch (1944:15): [True: 2.63M, False: 3.46k]
  ------------------
 1945|  3.46k|}
sntrup761.c:Rq_encode:
 /*
  * Serialise the p coefficients of r into s. Each coefficient is shifted by
  * q12 = (q - 1) / 2 before encoding (presumably mapping the centred range to
  * non-negative values), and every modulus passed to Encode is q.
  *
  * s has no length parameter; the number of bytes written is decided by
  * Encode from the moduli. NOTE(review): the caller in this listing passes
  * the public-key buffer; confirm it is sized for the full encoding.
  */
 2097|  3.37k|static void Rq_encode(unsigned char *s, const Fq *r) {
 2098|  3.37k|  uint16_t R[p], M[p];
 2099|  3.37k|  int i;
 2100|  2.57M|  for (i = 0; i < p; ++i) R[i] = r[i] + q12;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
                for (i = 0; i < p; ++i) R[i] = r[i] + q12;
  ------------------
  |  | 1757|  2.57M|#define q12 ((q - 1) / 2)
  |  |  ------------------
  |  |  |  | 1755|  2.57M|#define q 4591
  |  |  ------------------
  ------------------
  |  Branch (2100:15): [True: 2.57M, False: 3.37k]
  ------------------
 2101|  2.57M|  for (i = 0; i < p; ++i) M[i] = q;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
                for (i = 0; i < p; ++i) M[i] = q;
  ------------------
  |  | 1755|  2.57M|#define q 4591
  ------------------
  |  Branch (2101:15): [True: 2.57M, False: 3.37k]
  ------------------
 2102|  3.37k|  Encode(s, R, M, p);
  ------------------
  |  | 1754|  3.37k|#define p 761
  ------------------
 2103|  3.37k|}
sntrup761.c:Encode:
 /*
  * Pack len values R[i], each taken with modulus M[i], into bytes at out.
  *
  * Adjacent pairs are merged into one value with the product modulus; low
  * bytes are emitted while that modulus is at least 16384, and the remainder
  * is handed to a recursive call on a list of half the length. A single
  * remaining value is emitted byte by byte. len <= 0 writes nothing.
  *
  * The loop conditions and the recursion depend only on M and len, never on
  * R, so the number of bytes written and the control flow are the same for
  * every input value.
  *
  * out has no bound here: the caller must supply a buffer large enough for
  * the encoding of its modulus list. R2 and M2 are variable-length arrays on
  * the stack, allocated anew at each recursion level.
  */
 1806|  37.6k|static void Encode(unsigned char *out, const uint16_t *R, const uint16_t *M, long long len) {
 1807|  37.6k|  if (len == 1) {
  ------------------
  |  Branch (1807:7): [True: 3.42k, False: 34.2k]
  ------------------
 1808|  3.42k|    uint16_t r = R[0], m = M[0];
 1809|  10.2k|    while (m > 1) {
  ------------------
  |  Branch (1809:12): [True: 6.84k, False: 3.42k]
  ------------------
 1810|  6.84k|      *out++ = r;
 1811|  6.84k|      r >>= 8;
 1812|  6.84k|      m = (m + 255) >> 8;
 1813|  6.84k|    }
 1814|  3.42k|  }
 1815|  37.6k|  if (len > 1) {
  ------------------
  |  Branch (1815:7): [True: 34.2k, False: 3.42k]
  ------------------
 1816|  34.2k|    uint16_t R2[(len + 1) / 2], M2[(len + 1) / 2];
 1817|  34.2k|    long long i;
 1818|  2.63M|    for (i = 0; i < len - 1; i += 2) {
  ------------------
  |  Branch (1818:17): [True: 2.59M, False: 34.2k]
  ------------------
 1819|  2.59M|      uint32_t m0 = M[i];
 1820|  2.59M|      uint32_t r = R[i] + R[i + 1] * m0;
 1821|  2.59M|      uint32_t m = M[i + 1] * m0;
 1822|  6.54M|      while (m >= 16384) {
  ------------------
  |  Branch (1822:14): [True: 3.94M, False: 2.59M]
  ------------------
 1823|  3.94M|        *out++ = r;
 1824|  3.94M|        r >>= 8;
 1825|  3.94M|        m = (m + 255) >> 8;
 1826|  3.94M|      }
 1827|  2.59M|      R2[i / 2] = r;
 1828|  2.59M|      M2[i / 2] = m;
 1829|  2.59M|    }
                    /* Odd length: the last value has no partner and is carried over unchanged. */
 1830|  34.2k|    if (i < len) {
  ------------------
  |  Branch (1830:9): [True: 13.6k, False: 20.5k]
  ------------------
 1831|  13.6k|      R2[i / 2] = R[i];
 1832|  13.6k|      M2[i / 2] = M[i];
 1833|  13.6k|    }
 1834|  34.2k|    Encode(out, R2, M2, (len + 1) / 2);
 1835|  34.2k|  }
 1836|  37.6k|}
sntrup761.c:Small_encode:
 /*
  * Pack p small coefficients into bytes at s: each coefficient plus 1 takes
  * two bits, four coefficients per byte with the first in the low bits, for
  * p / 4 full bytes; the one remaining coefficient goes into a final byte.
  * With p = 761 that is 190 + 1 = 191 bytes, which equals Small_bytes.
  *
  * s has no length parameter. f is typically secret; the loop bounds are
  * constants and nothing is indexed by a coefficient value.
  */
 2078|  6.80k|static void Small_encode(unsigned char *s, const small *f) {
 2079|  6.80k|  int i, j;
 2080|  1.29M|  for (i = 0; i < p / 4; ++i) {
  ------------------
  |  | 1754|  1.29M|#define p 761
  ------------------
  |  Branch (2080:15): [True: 1.29M, False: 6.80k]
  ------------------
 2081|  1.29M|    small x = 0;
 2082|  6.46M|    for (j = 0;j < 4;++j) x += (*f++ + 1) << (2 * j);
  ------------------
  |  Branch (2082:16): [True: 5.16M, False: 1.29M]
  ------------------
 2083|  1.29M|    *s++ = x;
 2084|  1.29M|  }
 2085|  6.80k|  *s = *f++ + 1;
 2086|  6.80k|}
sntrup761.c:Hash_prefix:
 /*
  * out[0 .. 32) = the first 32 bytes of SHA-512 over the single byte b
  * followed by in[0 .. inlen). The prefix byte separates the different uses
  * of the hash in this file.
  *
  * x is a variable-length array of inlen + 1 bytes on the stack, so inlen
  * must be non-negative and small enough for the stack; there is no check
  * here. x and h may hold copies of secret input and are not cleared before
  * return in the code shown.
  */
 2014|  3.54k|static void Hash_prefix(unsigned char *out, int b, const unsigned char *in, int inlen) {
 2015|  3.54k|  unsigned char x[inlen + 1], h[64];
 2016|  3.54k|  int i;
 2017|  3.54k|  x[0] = b;
 2018|  3.98M|  for (i = 0; i < inlen; ++i) x[i + 1] = in[i];
  ------------------
  |  Branch (2018:15): [True: 3.97M, False: 3.54k]
  ------------------
 2019|  3.54k|  crypto_hash_sha512(h, x, inlen + 1);
 2020|   117k|  for (i = 0; i < 32; ++i) out[i] = h[i];
  ------------------
  |  Branch (2020:15): [True: 113k, False: 3.54k]
  ------------------
 2021|  3.54k|}
sntrup761.c:Short_random:
 /*
  * Fill out[0 .. p) with a random short polynomial: draw p 32-bit words from
  * urandom32() and convert them with Short_fromlist. L holds the raw random
  * words and is not cleared before return in the code shown.
  */
 2032|  3.37k|static void Short_random(small *out) {
 2033|  3.37k|  uint32_t L[p];
 2034|  3.37k|  int i;
 2035|  2.57M|  for (i = 0; i < p; ++i) L[i] = urandom32();
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (2035:15): [True: 2.57M, False: 3.37k]
  ------------------
 2036|  3.37k|  Short_fromlist(out, L);
 2037|  3.37k|}
sntrup761.c:Short_fromlist:
 /*
  * Turn p random 32-bit words into a polynomial with coefficients in
  * {-1, 0, 1}, exactly w of them nonzero.
  *
  * The first w words get bit 0 cleared (low two bits 00 or 10); the rest get
  * bit 1 cleared and bit 0 set (low two bits 01). Sorting then orders the
  * words by their random upper bits, which scatters the tagged entries, and
  * (L[i] & 3) - 1 maps the tags to -1 or +1 for the first group and to 0 for
  * the second.
  *
  * The word values are secret, so the permutation must not leak through
  * timing; that depends on crypto_sort_uint32 using a fixed sequence of
  * comparisons.
  */
 2005|  3.37k|static void Short_fromlist(small *out, const uint32_t *in) {
 2006|  3.37k|  uint32_t L[p];
 2007|  3.37k|  int i;
 2008|   969k|  for (i = 0; i < w; ++i) L[i] = in[i] & (uint32_t)-2;
  ------------------
  |  | 1756|   969k|#define w 286
  ------------------
  |  Branch (2008:15): [True: 966k, False: 3.37k]
  ------------------
 2009|  1.60M|  for (i = w; i < p; ++i) L[i] = (in[i] & (uint32_t)-3) | 1;
  ------------------
  |  | 1756|  3.37k|#define w 286
  ------------------
                for (i = w; i < p; ++i) L[i] = (in[i] & (uint32_t)-3) | 1;
  ------------------
  |  | 1754|  1.60M|#define p 761
  ------------------
  |  Branch (2009:15): [True: 1.60M, False: 3.37k]
  ------------------
 2010|  3.37k|  crypto_sort_uint32(L, p);
  ------------------
  |  | 1754|  3.37k|#define p 761
  ------------------
 2011|  2.57M|  for (i = 0; i < p; ++i) out[i] = (L[i] & 3) - 1;
  ------------------
  |  | 1754|  2.57M|#define p 761
  ------------------
  |  Branch (2011:15): [True: 2.57M, False: 3.37k]
  ------------------
 2012|  3.37k|}
sntrup761.c:crypto_sort_uint32:
 1743|  3.37k|{
                /*
                 * Sort n unsigned 32-bit words in place (the signature line is not part
                 * of this listing; array and n are its parameters). Flipping the top bit
                 * of every word maps unsigned order onto signed order, so the signed
                 * sort can be reused; the second pass flips the bit back. Both passes
                 * touch every element regardless of its value.
                 */
 1744|  3.37k|  crypto_uint32 *x = array;
 1745|  3.37k|  long long j;
 1746|  2.57M|  for (j = 0;j < n;++j) x[j] ^= 0x80000000;
  ------------------
  |  Branch (1746:14): [True: 2.57M, False: 3.37k]
  ------------------
 1747|  3.37k|  crypto_sort_int32(array,n);
 1748|  2.57M|  for (j = 0;j < n;++j) x[j] ^= 0x80000000;
  ------------------
  |  Branch (1748:14): [True: 2.57M, False: 3.37k]
  ------------------
 1749|  3.37k|}
sntrup761.c:crypto_sort_int32:
 1680|  3.37k|{
                /*
                 * Sort n signed 32-bit words in place (the signature line is not part of
                 * this listing; array and n are its parameters).
                 *
                 * Every loop bound, index and branch below is computed from n and the
                 * counters top, p, q, r, i and j only; no element value is ever tested
                 * directly. Elements are compared and exchanged solely through
                 * int32_MINMAX, which expands to crypto_int32_minmax. The sequence of
                 * memory accesses is therefore fixed by n, which is what lets
                 * Short_fromlist sort secret words with it.
                 */
 1681|  3.37k|  long long top,p,q,r,i,j;
 1682|  3.37k|  int32 *x = array;
  ------------------
  |  |   20|  3.37k|#define int32 crypto_int32
  |  |  ------------------
  |  |  |  |  574|  3.37k|#define crypto_int32 int32_t
  |  |  ------------------
  ------------------
 1683|       |
 1684|  3.37k|  if (n < 2) return;
  ------------------
  |  Branch (1684:7): [True: 0, False: 3.37k]
  ------------------
                /* top becomes a power of two with top < n <= 2 * top. */
 1685|  3.37k|  top = 1;
 1686|  33.7k|  while (top < n - top) top += top;
  ------------------
  |  Branch (1686:10): [True: 30.4k, False: 3.37k]
  ------------------
 1687|       |
 1688|  37.1k|  for (p = top;p >= 1;p >>= 1) {
  ------------------
  |  Branch (1688:16): [True: 33.7k, False: 3.37k]
  ------------------
                  /* First pass at distance p: compare-exchange x[j] with x[j + p] in blocks of 2p, then the partial tail. */
 1689|  33.7k|    i = 0;
 1690|  2.58M|    while (i + 2 * p <= n) {
  ------------------
  |  Branch (1690:12): [True: 2.54M, False: 33.7k]
  ------------------
 1691|  12.9M|      for (j = i;j < i + p;++j)
  ------------------
  |  Branch (1691:18): [True: 10.3M, False: 2.54M]
  ------------------
 1692|  10.3M|        int32_MINMAX(x[j],x[j+p]);
  ------------------
  |  | 1677|  10.3M|#define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b)
  ------------------
 1693|  2.54M|      i += 2 * p;
 1694|  2.54M|    }
 1695|  1.59M|    for (j = i;j < n - p;++j)
  ------------------
  |  Branch (1695:16): [True: 1.56M, False: 33.7k]
  ------------------
 1696|  1.56M|      int32_MINMAX(x[j],x[j+p]);
  ------------------
  |  | 1677|  1.56M|#define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b)
  ------------------
 1697|       |
 1698|  33.7k|    i = 0;
 1699|  33.7k|    j = 0;
                  /* Merge passes: x[j + p] is run against x[j + r] for r = q, q/2, ... down to (but not including) p. */
 1700|   185k|    for (q = top;q > p;q >>= 1) {
  ------------------
  |  Branch (1700:18): [True: 152k, False: 33.7k]
  ------------------
                    /* Finish the block left incomplete by the previous q before starting full blocks. */
 1701|   152k|      if (j != i) for (;;) {
  ------------------
  |  Branch (1701:11): [True: 43.9k, False: 108k]
  ------------------
 1702|  84.4k|        if (j == n - q) goto done;
  ------------------
  |  Branch (1702:13): [True: 0, False: 84.4k]
  ------------------
 1703|  84.4k|        int32 a = x[j + p];
  ------------------
  |  |   20|  84.4k|#define int32 crypto_int32
  |  |  ------------------
  |  |  |  |  574|  84.4k|#define crypto_int32 int32_t
  |  |  ------------------
  ------------------
 1704|   391k|        for (r = q;r > p;r >>= 1)
  ------------------
  |  Branch (1704:20): [True: 307k, False: 84.4k]
  ------------------
 1705|   307k|          int32_MINMAX(a,x[j + r]);
  ------------------
  |  | 1677|   391k|#define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b)
  ------------------
 1706|  84.4k|        x[j + p] = a;
 1707|  84.4k|        ++j;
 1708|  84.4k|        if (j == i + p) {
  ------------------
  |  Branch (1708:13): [True: 43.9k, False: 40.5k]
  ------------------
 1709|  43.9k|          i += 2 * p;
 1710|  43.9k|          break;
 1711|  43.9k|        }
 1712|  84.4k|      }
 1713|  2.64M|      while (i + p <= n - q) {
  ------------------
  |  Branch (1713:14): [True: 2.49M, False: 152k]
  ------------------
 1714|  11.8M|        for (j = i;j < i + p;++j) {
  ------------------
  |  Branch (1714:20): [True: 9.35M, False: 2.49M]
  ------------------
 1715|  9.35M|          int32 a = x[j + p];
  ------------------
  |  |   20|  9.35M|#define int32 crypto_int32
  |  |  ------------------
  |  |  |  |  574|  9.35M|#define crypto_int32 int32_t
  |  |  ------------------
  ------------------
 1716|  52.6M|          for (r = q;r > p;r >>= 1)
  ------------------
  |  Branch (1716:22): [True: 43.3M, False: 9.35M]
  ------------------
 1717|  43.3M|            int32_MINMAX(a,x[j+r]);
  ------------------
  |  | 1677|  43.3M|#define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b)
  ------------------
 1718|  9.35M|          x[j + p] = a;
 1719|  9.35M|        }
 1720|  2.49M|        i += 2 * p;
 1721|  2.49M|      }
 1722|       |      /* now i + p > n - q */
 1723|   152k|      j = i;
 1724|  1.04M|      while (j < n - q) {
  ------------------
  |  Branch (1724:14): [True: 892k, False: 152k]
  ------------------
 1725|   892k|        int32 a = x[j + p];
  ------------------
  |  |   20|   892k|#define int32 crypto_int32
  |  |  ------------------
  |  |  |  |  574|   892k|#define crypto_int32 int32_t
  |  |  ------------------
  ------------------
 1726|  1.94M|        for (r = q;r > p;r >>= 1)
  ------------------
  |  Branch (1726:20): [True: 1.05M, False: 892k]
  ------------------
 1727|  1.05M|          int32_MINMAX(a,x[j+r]);
  ------------------
  |  | 1677|  1.05M|#define int32_MINMAX(a,b) crypto_int32_minmax(&a,&b)
  ------------------
 1728|   892k|        x[j + p] = a;
 1729|   892k|        ++j;
 1730|   892k|      }
 1731|       |
 1732|   152k|      done: ;
 1733|   152k|    }
 1734|  33.7k|  }
 1735|  3.37k|}
sntrup761.c:crypto_int32_minmax:
  /*
   * Compare-exchange: on return *crypto_int32_p holds the smaller and
   * *crypto_int32_q the larger of the two input values.
   *
   * Both locations are read and written on every call, whichever value is
   * larger. The x86_64 variant uses cmp with conditional moves and the
   * aarch64 variant cmp with csel, so the selection involves no jump; the
   * counts in this listing show the x86_64 variant is the one compiled here.
   * The portable fallback computes the difference in 64 bits (avoiding
   * overflow for operands of opposite sign) and builds an XOR mask from its
   * sign.
   */
  981|  56.6M|void crypto_int32_minmax(crypto_int32 *crypto_int32_p,crypto_int32 *crypto_int32_q) {
  982|  56.6M|  crypto_int32 crypto_int32_x = *crypto_int32_p;
  ------------------
  |  |  574|  56.6M|#define crypto_int32 int32_t
  ------------------
  983|  56.6M|  crypto_int32 crypto_int32_y = *crypto_int32_q;
  ------------------
  |  |  574|  56.6M|#define crypto_int32 int32_t
  ------------------
  984|  56.6M|#if defined(__GNUC__) && defined(__x86_64__)
  985|  56.6M|  crypto_int32 crypto_int32_z;
  ------------------
  |  |  574|  56.6M|#define crypto_int32 int32_t
  ------------------
  986|  56.6M|  __asm__ ("cmpl %2,%1\n movl %1,%0\n cmovgl %2,%1\n cmovgl %0,%2" : "=&r"(crypto_int32_z), "+&r"(crypto_int32_x), "+r"(crypto_int32_y) : : "cc");
  987|  56.6M|  *crypto_int32_p = crypto_int32_x;
  988|  56.6M|  *crypto_int32_q = crypto_int32_y;
  989|       |#elif defined(__GNUC__) && defined(__aarch64__)
  990|       |  crypto_int32 crypto_int32_r, crypto_int32_s;
  991|       |  __asm__ ("cmp %w2,%w3\n csel %w0,%w2,%w3,lt\n csel %w1,%w3,%w2,lt" : "=&r"(crypto_int32_r), "=r"(crypto_int32_s) : "r"(crypto_int32_x), "r"(crypto_int32_y) : "cc");
  992|       |  *crypto_int32_p = crypto_int32_r;
  993|       |  *crypto_int32_q = crypto_int32_s;
  994|       |#else
  995|       |  crypto_int64 crypto_int32_r = (crypto_int64)crypto_int32_y ^ (crypto_int64)crypto_int32_x;
  996|       |  crypto_int64 crypto_int32_z = (crypto_int64)crypto_int32_y - (crypto_int64)crypto_int32_x;
  997|       |  crypto_int32_z ^= crypto_int32_r & (crypto_int32_z ^ crypto_int32_y);
  998|       |  crypto_int32_z = crypto_int32_negative_mask(crypto_int32_z);
  999|       |  crypto_int32_z &= crypto_int32_r;
 1000|       |  crypto_int32_x ^= crypto_int32_z;
 1001|       |  crypto_int32_y ^= crypto_int32_z;
 1002|       |  *crypto_int32_p = crypto_int32_x;
 1003|       |  *crypto_int32_q = crypto_int32_y;
 1004|       |#endif
 1005|  56.6M|}
sntrup761.c:Hide:
 /*
  * Build a full ciphertext for input r under public key pk: r_enc receives
  * the Small_encode form of r, c receives the ZEncrypt output, and the last
  * Confirm_bytes of the crypto_kem_sntrup761_CIPHERTEXTBYTES-byte ciphertext
  * receive the HashConfirm value computed from r_enc and cache.
  *
  * c must have room for the whole ciphertext and r_enc for Small_bytes;
  * neither is checked here. In decapsulation this is the re-encryption whose
  * output is compared with the received ciphertext.
  */
 2180|     42|static void Hide(unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
 2181|     42|  Small_encode(r_enc, r);
 2182|     42|  ZEncrypt(c, r, pk);
 2183|     42|  HashConfirm(c + crypto_kem_sntrup761_CIPHERTEXTBYTES - Confirm_bytes, r_enc, cache);
  ------------------
  |  |    6|     42|#define crypto_kem_sntrup761_CIPHERTEXTBYTES 1039
  ------------------
                HashConfirm(c + crypto_kem_sntrup761_CIPHERTEXTBYTES - Confirm_bytes, r_enc, cache);
  ------------------
  |  | 1764|     42|#define Confirm_bytes 32
  ------------------
 2184|     42|}
sntrup761.c:ZEncrypt:
 /*
  * Byte-level encryption wrapper: decode the public key pk into h, run
  * Encrypt on r and h, and write the Rounded_encode form of the result to C.
  * pk and C carry no lengths; h and c are stack temporaries of p
  * coefficients each.
  */
 2138|     42|static void ZEncrypt(unsigned char *C, const Inputs r, const unsigned char *pk) {
 2139|     42|  Fq h[p], c[p];
 2140|     42|  Rq_decode(h, pk);
 2141|     42|  Encrypt(c, r, h);
 2142|     42|  Rounded_encode(C, c);
 2143|     42|}
sntrup761.c:Rq_decode:
 /*
  * Inverse of Rq_encode: read p values with modulus q from s via Decode and
  * subtract q12 = (q - 1) / 2 from each to recentre it.
  *
  * s has no length parameter; Decode consumes as many bytes as the modulus
  * list dictates, so the caller must guarantee a full-size encoding. In the
  * decapsulation path of this listing s is the public key stored inside the
  * secret key. NOTE(review): where s is a peer-supplied public key, its
  * length has to be validated before this call -- confirm at the callers.
  */
 2105|     42|static void Rq_decode(Fq *r, const unsigned char *s) {
 2106|     42|  uint16_t R[p], M[p];
 2107|     42|  int i;
 2108|  32.0k|  for (i = 0; i < p; ++i) M[i] = q;
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
                for (i = 0; i < p; ++i) M[i] = q;
  ------------------
  |  | 1755|  31.9k|#define q 4591
  ------------------
  |  Branch (2108:15): [True: 31.9k, False: 42]
  ------------------
 2109|     42|  Decode(R, s, M, p);
  ------------------
  |  | 1754|     42|#define p 761
  ------------------
 2110|  32.0k|  for (i = 0; i < p; ++i) r[i] = ((Fq)R[i]) - q12;
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
                for (i = 0; i < p; ++i) r[i] = ((Fq)R[i]) - q12;
  ------------------
  |  | 1757|  31.9k|#define q12 ((q - 1) / 2)
  |  |  ------------------
  |  |  |  | 1755|  31.9k|#define q 4591
  |  |  ------------------
  ------------------
  |  Branch (2110:15): [True: 31.9k, False: 42]
  ------------------
 2111|     42|}
sntrup761.c:Decode:
 /*
  * Inverse of Encode: recover len values, value i taken with modulus M[i],
  * from the byte string S and write them to out.
  *
  * For each adjacent pair the product modulus decides whether two, one or
  * zero bytes are taken from S at this level; the rest is decoded by a
  * recursive call on a modulus list of half the length, and the pair is then
  * split again with uint32_divmod_uint14 / uint32_mod_uint14.
  *
  * How far S is read depends only on M and len, never on the bytes
  * themselves, and there is no bound on S: this function cannot detect a
  * short input, so the length check belongs to the caller. Each value
  * written for a pair, and the single value of the len == 1 case, comes out
  * of a mod by its modulus, whatever the bytes are.
  *
  * R2, M2, bottomr and bottomt are variable-length arrays on the stack at
  * every recursion level. In this run the M[0] == 1, M[0] <= 256 and
  * m < 16384 arms show a count of 0, i.e. the harness inputs never reach
  * them.
  */
 1838|    924|static void Decode(uint16_t *out, const unsigned char *S, const uint16_t *M, long long len) {
 1839|    924|  if (len == 1) {
  ------------------
  |  Branch (1839:7): [True: 84, False: 840]
  ------------------
 1840|     84|    if (M[0] == 1)
  ------------------
  |  Branch (1840:9): [True: 0, False: 84]
  ------------------
 1841|      0|      *out = 0;
 1842|     84|    else if (M[0] <= 256)
  ------------------
  |  Branch (1842:14): [True: 0, False: 84]
  ------------------
 1843|      0|      *out = uint32_mod_uint14(S[0], M[0]);
 1844|     84|    else
 1845|     84|      *out = uint32_mod_uint14(S[0] + (((uint16_t)S[1]) << 8), M[0]);
 1846|     84|  }
 1847|    924|  if (len > 1) {
  ------------------
  |  Branch (1847:7): [True: 840, False: 84]
  ------------------
 1848|    840|    uint16_t R2[(len + 1) / 2], M2[(len + 1) / 2], bottomr[len / 2];
 1849|    840|    uint32_t bottomt[len / 2];
 1850|    840|    long long i;
                  /* Pass 1: take the low bytes of each pair from S and build the modulus list for the next level. */
 1851|  64.6k|    for (i = 0; i < len - 1; i += 2) {
  ------------------
  |  Branch (1851:17): [True: 63.8k, False: 840]
  ------------------
 1852|  63.8k|      uint32_t m = M[i] * (uint32_t)M[i + 1];
 1853|  63.8k|      if (m > 256 * 16383) {
  ------------------
  |  Branch (1853:11): [True: 26.9k, False: 36.9k]
  ------------------
 1854|  26.9k|        bottomt[i / 2] = 256 * 256;
 1855|  26.9k|        bottomr[i / 2] = S[0] + 256 * S[1];
 1856|  26.9k|        S += 2;
 1857|  26.9k|        M2[i / 2] = (((m + 255) >> 8) + 255) >> 8;
 1858|  36.9k|      } else if (m >= 16384) {
  ------------------
  |  Branch (1858:18): [True: 36.9k, False: 0]
  ------------------
 1859|  36.9k|        bottomt[i / 2] = 256;
 1860|  36.9k|        bottomr[i / 2] = S[0];
 1861|  36.9k|        S += 1;
 1862|  36.9k|        M2[i / 2] = (m + 255) >> 8;
 1863|  36.9k|      } else {
 1864|      0|        bottomt[i / 2] = 1;
 1865|      0|        bottomr[i / 2] = 0;
 1866|      0|        M2[i / 2] = m;
 1867|      0|      }
 1868|  63.8k|    }
 1869|    840|    if (i < len) M2[i / 2] = M[i];
  ------------------
  |  Branch (1869:9): [True: 336, False: 504]
  ------------------
 1870|    840|    Decode(R2, S, M2, (len + 1) / 2);
                  /* Pass 2: recombine the recursive result with the low bytes and split each pair back into two values. */
 1871|  64.6k|    for (i = 0; i < len - 1; i += 2) {
  ------------------
  |  Branch (1871:17): [True: 63.8k, False: 840]
  ------------------
 1872|  63.8k|      uint32_t r1, r = bottomr[i / 2];
 1873|  63.8k|      uint16_t r0;
 1874|  63.8k|      r += bottomt[i / 2] * R2[i / 2];
 1875|  63.8k|      uint32_divmod_uint14(&r1, &r0, r, M[i]);
 1876|  63.8k|      r1 = uint32_mod_uint14(r1, M[i + 1]);
 1877|  63.8k|      *out++ = r0;
 1878|  63.8k|      *out++ = r1;
 1879|  63.8k|    }
 1880|    840|    if (i < len) *out++ = R2[i / 2];
  ------------------
  |  Branch (1880:9): [True: 336, False: 504]
  ------------------
 1881|    840|  }
 1882|    924|}
sntrup761.c:uint32_mod_uint14:
 1799|  63.9k|static uint16_t uint32_mod_uint14(uint32_t x, uint16_t m) {
                /* Returns the remainder that uint32_divmod_uint14 computes for x and m;
                 * the quotient Q is discarded. The same precondition on m applies
                 * (that helper divides by m). */
 1800|  63.9k|  uint32_t Q;
 1801|  63.9k|  uint16_t r;
 1802|  63.9k|  uint32_divmod_uint14(&Q, &r, x, m);
 1803|  63.9k|  return r;
 1804|  63.9k|}
sntrup761.c:uint32_divmod_uint14:
 1783|   127k|static void uint32_divmod_uint14(uint32_t *Q, uint16_t *r, uint32_t x, uint16_t m) {
                /*
                 * Writes a quotient for x and m to *Q and the remainder to *r. x itself
                 * is never divided: two multiply-and-shift estimates are followed by a
                 * masked correction, so there is no branch on x in this function.
                 * The only division is 0x80000000 / m, so m == 0 is a divide by zero;
                 * nothing here checks for it.
                 * NOTE(review): the "uint14" in the name suggests m < 2^14 is required
                 * for two estimate rounds to be enough - confirm against the spec.
                 */
 1784|   127k|  uint32_t qpart, mask, v = 0x80000000 / m;
                /* First estimate: qpart = (x * v) >> 31, then remove qpart * m from x. */
 1785|   127k|  qpart = (x * (uint64_t)v) >> 31;
 1786|   127k|  x -= qpart * m;
 1787|   127k|  *Q = qpart;
                /* Second estimate on what is left of x. */
 1788|   127k|  qpart = (x * (uint64_t)v) >> 31;
 1789|   127k|  x -= qpart * m;
 1790|   127k|  *Q += qpart;
                /* Tentatively take one more m, then undo it with a mask rather than an
                 * if: when mask is all ones, m is added back to x and *Q += mask
                 * subtracts 1 again. */
 1791|   127k|  x -= m;
 1792|   127k|  *Q += 1;
 1793|   127k|  mask = crypto_int32_negative_mask(x);
 1794|   127k|  x += mask & (uint32_t)m;
 1795|   127k|  *Q += mask;
 1796|   127k|  *r = x;
 1797|   127k|}
sntrup761.c:crypto_int32_negative_mask:
  621|   127k|crypto_int32 crypto_int32_negative_mask(crypto_int32 crypto_int32_x) {
                /*
                 * Turns the sign of the argument into a mask. The x86_64 variant is
                 * "sarl $31" and the aarch64 variant is "asr ..,31", i.e. an arithmetic
                 * shift right by 31; the portable fallback shifts right by 26, adds
                 * crypto_int32_optblocker, then shifts right by 5.
                 * NOTE(review): crypto_int32_optblocker is defined outside this
                 * listing. The inline asm and that addend look intended to keep the
                 * compiler from rewriting the mask as a data-dependent branch -
                 * confirm. Only the x86_64 variant carries counts in this report.
                 */
  622|   127k|#if defined(__GNUC__) && defined(__x86_64__)
  623|   127k|  __asm__ ("sarl $31,%0" : "+r"(crypto_int32_x) : : "cc");
  624|   127k|  return crypto_int32_x;
  625|       |#elif defined(__GNUC__) && defined(__aarch64__)
  626|       |  crypto_int32 crypto_int32_y;
  627|       |  __asm__ ("asr %w0,%w1,31" : "=r"(crypto_int32_y) : "r"(crypto_int32_x) : );
  628|       |  return crypto_int32_y;
  629|       |#else
  630|       |  crypto_int32_x >>= 32-6;
  631|       |  crypto_int32_x += crypto_int32_optblocker;
  632|       |  crypto_int32_x >>= 5;
  633|       |  return crypto_int32_x;
  634|       |#endif
  635|   127k|}
sntrup761.c:Encrypt:
 2059|     42|static void Encrypt(Fq *c, const small *r, const Fq *h) {
                /* Computes hr = Rq_mult_small(h, r) into a p-element stack buffer and
                 * writes Round(hr) to c. Rq_mult_small is defined outside this
                 * listing. hr is not cleared before return. */
 2060|     42|  Fq hr[p];
 2061|     42|  Rq_mult_small(hr, h, r);
 2062|     42|  Round(c, hr);
 2063|     42|}
sntrup761.c:Round:
 2000|     42|static void Round(Fq *out, const Fq *a) {
                /* For each of the p coefficients, writes a[i] - F3_freeze(a[i]) to
                 * out[i]. F3_freeze is defined outside this listing; presumably it
                 * reduces to a representative mod 3, making each output a multiple of
                 * 3 - confirm. The loop always runs p times. */
 2001|     42|  int i;
 2002|  32.0k|  for (i = 0; i < p; ++i) out[i] = a[i] - F3_freeze(a[i]);
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
  |  Branch (2002:15): [True: 31.9k, False: 42]
  ------------------
 2003|     42|}
sntrup761.c:Rounded_encode:
 2113|     42|static void Rounded_encode(unsigned char *s, const Fq *r) {
                /*
                 * Serialises the p coefficients of r into s. Each coefficient is
                 * shifted by q12 and scaled with (x * 10923) >> 15 into R[i], every
                 * modulus M[i] is set to (q + 2) / 3 (1531 for q = 4591), and
                 * Encode(s, R, M, p) produces the bytes.
                 * NOTE(review): 10923 / 2^15 is close to 1/3, so this looks like a
                 * division by 3 that assumes r[i] + q12 is a non-negative multiple of
                 * 3 - confirm. Encode is defined outside this listing; the size of s
                 * is not checked here.
                 */
 2114|     42|  uint16_t R[p], M[p];
 2115|     42|  int i;
 2116|  32.0k|  for (i = 0; i < p; ++i) R[i] = ((r[i] + q12) * 10923) >> 15;
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
                for (i = 0; i < p; ++i) R[i] = ((r[i] + q12) * 10923) >> 15;
  ------------------
  |  | 1757|  31.9k|#define q12 ((q - 1) / 2)
  |  |  ------------------
  |  |  |  | 1755|  31.9k|#define q 4591
  |  |  ------------------
  ------------------
  |  Branch (2116:15): [True: 31.9k, False: 42]
  ------------------
 2117|  32.0k|  for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
                for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
  ------------------
  |  | 1755|  31.9k|#define q 4591
  ------------------
  |  Branch (2117:15): [True: 31.9k, False: 42]
  ------------------
 2118|     42|  Encode(s, R, M, p);
  ------------------
  |  | 1754|     42|#define p 761
  ------------------
 2119|     42|}
sntrup761.c:HashConfirm:
 2154|     42|static void HashConfirm(unsigned char *h, const unsigned char *r, const unsigned char *cache) {
                /*
                 * Builds a 2 * Hash_bytes buffer x and hashes it into h with prefix 2.
                 * The first call is Hash_prefix(x, 3, r, Small_bytes); the loop then
                 * copies Hash_bytes bytes of cache into the second half of x.
                 * NOTE(review): Hash_prefix is defined outside this listing;
                 * presumably it writes exactly Hash_bytes bytes to its first
                 * argument, which is what fills the first half of x - confirm.
                 * x is not cleared before return.
                 */
 2155|     42|  unsigned char x[Hash_bytes * 2];
 2156|     42|  int i;
 2157|     42|  Hash_prefix(x, 3, r, Small_bytes);
  ------------------
  |  | 1761|     42|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|     42|#define p 761
  |  |  ------------------
  ------------------
 2158|  1.38k|  for (i = 0; i < Hash_bytes; ++i) x[Hash_bytes + i] = cache[i];
  ------------------
  |  | 1760|  1.38k|#define Hash_bytes 32
  ------------------
                for (i = 0; i < Hash_bytes; ++i) x[Hash_bytes + i] = cache[i];
  ------------------
  |  | 1760|  1.34k|#define Hash_bytes 32
  ------------------
  |  Branch (2158:15): [True: 1.34k, False: 42]
  ------------------
 2159|     42|  Hash_prefix(h, 2, x, sizeof x);
 2160|     42|}
sntrup761.c:HashSession:
 2162|     42|static void HashSession(unsigned char *k, int b, const unsigned char *y, const unsigned char *z) {
                /*
                 * Builds x = Hash_prefix(3, y, Small_bytes) followed by the
                 * crypto_kem_sntrup761_CIPHERTEXTBYTES bytes of z, then hashes x into
                 * k with prefix byte b.
                 * NOTE(review): Hash_prefix is defined outside this listing;
                 * presumably it writes exactly Hash_bytes bytes to its first
                 * argument - confirm. x holds material derived from y and is not
                 * cleared before return.
                 */
 2163|     42|  unsigned char x[Hash_bytes + crypto_kem_sntrup761_CIPHERTEXTBYTES];
 2164|     42|  int i;
 2165|     42|  Hash_prefix(x, 3, y, Small_bytes);
  ------------------
  |  | 1761|     42|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|     42|#define p 761
  |  |  ------------------
  ------------------
 2166|  43.6k|  for (i = 0; i < crypto_kem_sntrup761_CIPHERTEXTBYTES; ++i) x[Hash_bytes + i] = z[i];
  ------------------
  |  |    6|  43.6k|#define crypto_kem_sntrup761_CIPHERTEXTBYTES 1039
  ------------------
                for (i = 0; i < crypto_kem_sntrup761_CIPHERTEXTBYTES; ++i) x[Hash_bytes + i] = z[i];
  ------------------
  |  | 1760|  43.6k|#define Hash_bytes 32
  ------------------
  |  Branch (2166:15): [True: 43.6k, False: 42]
  ------------------
 2167|     42|  Hash_prefix(k, b, x, sizeof x);
 2168|     42|}
sntrup761.c:ZDecrypt:
 2145|     42|static void ZDecrypt(Inputs r, const unsigned char *C, const unsigned char *sk) {
                /*
                 * Decodes f from sk and v from sk + Small_bytes with Small_decode,
                 * decodes the ciphertext C with Rounded_decode, and passes all three
                 * to Decrypt, which writes r.
                 * NOTE(review): f and v are unpacked from sk (presumably the secret
                 * key) into stack arrays that are not cleared before return. No
                 * lengths are passed for C or sk; the decoders read fixed amounts.
                 */
 2146|     42|  small f[p], v[p];
 2147|     42|  Fq c[p];
 2148|     42|  Small_decode(f, sk);
 2149|     42|  Small_decode(v, sk + Small_bytes);
  ------------------
  |  | 1761|     42|#define Small_bytes ((p + 3) / 4)
  |  |  ------------------
  |  |  |  | 1754|     42|#define p 761
  |  |  ------------------
  ------------------
 2150|     42|  Rounded_decode(c, C);
 2151|     42|  Decrypt(r, c, f, v);
 2152|     42|}
sntrup761.c:Small_decode:
 2088|     84|static void Small_decode(small *f, const unsigned char *s) {
                /*
                 * Unpacks p values from s, four 2-bit fields per byte (lowest bits
                 * first), each stored as field - 1. p / 4 full bytes are consumed,
                 * then the low two bits of one further byte give the last value.
                 * There is no range check: a field value of 3 decodes to 2.
                 * NOTE(review): whether callers rely on s being a valid encoding
                 * (fields 0..2 only) is not visible here - confirm.
                 */
 2089|     84|  int i, j;
 2090|  16.0k|  for (i = 0; i < p / 4; ++i) {
  ------------------
  |  | 1754|  16.0k|#define p 761
  ------------------
  |  Branch (2090:15): [True: 15.9k, False: 84]
  ------------------
 2091|  15.9k|    unsigned char x = *s++;
 2092|  79.8k|    for (j = 0;j < 4;++j) *f++ = ((small)((x >> (2 * j)) & 3)) - 1;
  ------------------
  |  Branch (2092:16): [True: 63.8k, False: 15.9k]
  ------------------
 2093|  15.9k|  }
 2094|     84|  *f++ = ((small)(*s & 3)) - 1;
 2095|     84|}
sntrup761.c:Rounded_decode:
 2121|     42|static void Rounded_decode(Fq *r, const unsigned char *s) {
                /*
                 * Inverse direction of Rounded_encode: every modulus M[i] is set to
                 * (q + 2) / 3 (1531 for q = 4591), Decode(R, s, M, p) unpacks p values
                 * from s, and each is mapped to r[i] = R[i] * 3 - q12.
                 * No length for s is passed; Decode reads as many bytes as the moduli
                 * dictate, so the caller must provide a full-size buffer.
                 */
 2122|     42|  uint16_t R[p], M[p];
 2123|     42|  int i;
 2124|  32.0k|  for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
                for (i = 0; i < p; ++i) M[i] = (q + 2) / 3;
  ------------------
  |  | 1755|  31.9k|#define q 4591
  ------------------
  |  Branch (2124:15): [True: 31.9k, False: 42]
  ------------------
 2125|     42|  Decode(R, s, M, p);
  ------------------
  |  | 1754|     42|#define p 761
  ------------------
 2126|  32.0k|  for (i = 0; i < p; ++i) r[i] = R[i] * 3 - q12;
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
                for (i = 0; i < p; ++i) r[i] = R[i] * 3 - q12;
  ------------------
  |  | 1757|  31.9k|#define q12 ((q - 1) / 2)
  |  |  ------------------
  |  |  |  | 1755|  31.9k|#define q 4591
  |  |  ------------------
  ------------------
  |  Branch (2126:15): [True: 31.9k, False: 42]
  ------------------
 2127|     42|}
sntrup761.c:Decrypt:
 2065|     42|static void Decrypt(small *r, const Fq *c, const small *f, const small *ginv) {
                /*
                 * Computes cf = c * f, cf3 = 3 * cf, e = R3_fromRq(cf3) and
                 * ev = e * ginv, then writes r from ev gated by
                 * mask = Weightw_mask(ev).
                 * Both output loops are branch-free selects on mask: with mask == 0,
                 * r is a copy of ev; with mask == -1, r becomes w ones followed by
                 * p - w zeros whatever ev held, so the failure case takes the same
                 * code path as the success case.
                 * NOTE(review): cf, cf3, e and ev are derived from f and ginv and stay
                 * on the stack after return - check whether they should be wiped.
                 */
 2066|     42|  Fq cf[p], cf3[p];
 2067|     42|  small e[p], ev[p];
 2068|     42|  int mask, i;
 2069|     42|  Rq_mult_small(cf, c, f);
 2070|     42|  Rq_mult3(cf3, cf);
 2071|     42|  R3_fromRq(e, cf3);
 2072|     42|  R3_mult(ev, e, ginv);
 2073|     42|  mask = Weightw_mask(ev);
 2074|  12.0k|  for (i = 0; i < w; ++i) r[i] = ((ev[i] ^ 1) & ~mask) ^ 1;
  ------------------
  |  | 1756|  12.0k|#define w 286
  ------------------
  |  Branch (2074:15): [True: 12.0k, False: 42]
  ------------------
 2075|  19.9k|  for (i = w; i < p; ++i) r[i] = ev[i] & ~mask;
  ------------------
  |  | 1756|     42|#define w 286
  ------------------
                for (i = w; i < p; ++i) r[i] = ev[i] & ~mask;
  ------------------
  |  | 1754|  19.9k|#define p 761
  ------------------
  |  Branch (2075:15): [True: 19.9k, False: 42]
  ------------------
 2076|     42|}
sntrup761.c:Rq_mult3:
 1947|     42|static void Rq_mult3(Fq *h, const Fq *f) {
                /* Writes Fq_freeze(3 * f[i]) to h[i] for each of the p coefficients.
                 * Fq_freeze is defined outside this listing; presumably it reduces
                 * its argument mod q - confirm. */
 1948|     42|  int i;
 1949|  32.0k|  for (i = 0; i < p; ++i) h[i] = Fq_freeze(3 * f[i]);
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
  |  Branch (1949:15): [True: 31.9k, False: 42]
  ------------------
 1950|     42|}
sntrup761.c:R3_fromRq:
 1884|     42|static void R3_fromRq(small *out, const Fq *r) {
                /* Writes F3_freeze(r[i]) to out[i] for each of the p coefficients.
                 * F3_freeze is defined outside this listing; presumably it reduces
                 * its argument mod 3 - confirm. */
 1885|     42|  int i;
 1886|  32.0k|  for (i = 0; i < p; ++i) out[i] = F3_freeze(r[i]);
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
  |  Branch (1886:15): [True: 31.9k, False: 42]
  ------------------
 1887|     42|}
sntrup761.c:R3_mult:
 1889|     42|static void R3_mult(small *h, const small *f, const small *g) {
                /*
                 * Multiplies the p-coefficient polynomials f and g and writes the
                 * reduced product to h.
                 * Step 1 is a schoolbook product into fg (2p - 1 terms). Step 2 folds
                 * every term of index i >= p into indices i - p and i - p + 1, i.e.
                 * it applies x^p = x + 1. Step 3 passes each of the low p terms
                 * through F3_freeze (defined outside this listing).
                 * All loop bounds are the constant p, so the number of iterations
                 * does not depend on the coefficient values.
                 */
 1890|     42|  int16_t fg[p + p - 1];
 1891|     42|  int i, j;
 1892|  63.9k|  for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
  ------------------
  |  | 1754|  63.9k|#define p 761
  ------------------
                for (i = 0; i < p + p - 1; ++i) fg[i] = 0;
  ------------------
  |  | 1754|  63.9k|#define p 761
  ------------------
  |  Branch (1892:15): [True: 63.8k, False: 42]
  ------------------
 1893|  32.0k|  for (i = 0; i < p; ++i)
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
  |  Branch (1893:15): [True: 31.9k, False: 42]
  ------------------
 1894|  24.3M|    for (j = 0; j < p; ++j) fg[i + j] += f[i] * (int16_t)g[j];
  ------------------
  |  | 1754|  24.3M|#define p 761
  ------------------
  |  Branch (1894:17): [True: 24.3M, False: 31.9k]
  ------------------
 1895|  31.9k|  for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|     42|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  31.9k|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  31.9k|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p] += fg[i];
  ------------------
  |  | 1754|  31.9k|#define p 761
  ------------------
  |  Branch (1895:15): [True: 31.9k, False: 42]
  ------------------
 1896|  31.9k|  for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|     42|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  31.9k|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  31.9k|#define p 761
  ------------------
                for (i = p; i < p + p - 1; ++i) fg[i - p + 1] += fg[i];
  ------------------
  |  | 1754|  31.9k|#define p 761
  ------------------
  |  Branch (1896:15): [True: 31.9k, False: 42]
  ------------------
 1897|  32.0k|  for (i = 0; i < p; ++i) h[i] = F3_freeze(fg[i]);
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
  |  Branch (1897:15): [True: 31.9k, False: 42]
  ------------------
 1898|     42|}
sntrup761.c:Weightw_mask:
 1777|     42|static int Weightw_mask(small *r) {
                /*
                 * Sums the low bit of each of the p entries of r and returns
                 * crypto_int16_nonzero_mask(weight - w). The loop always runs p times
                 * and adds the bit unconditionally, so there is no branch on r.
                 * NOTE(review): crypto_int16_nonzero_mask is defined outside this
                 * listing; by its name it returns 0 when weight == w and an all-ones
                 * value otherwise - confirm.
                 */
 1778|     42|  int i, weight = 0;
 1779|  32.0k|  for (i = 0; i < p; ++i) weight += crypto_int64_bottombit_01(r[i]);
  ------------------
  |  | 1754|  32.0k|#define p 761
  ------------------
  |  Branch (1779:15): [True: 31.9k, False: 42]
  ------------------
 1780|     42|  return crypto_int16_nonzero_mask(weight - w);
  ------------------
  |  | 1756|     42|#define w 286
  ------------------
 1781|     42|}
sntrup761.c:crypto_int64_bottombit_01:
 1253|  32.0k|crypto_int64 crypto_int64_bottombit_01(crypto_int64 crypto_int64_x) {
                /*
                 * Returns the lowest bit of the argument as 0 or 1: "andq $1" on
                 * x86_64, "ubfx ..,0,1" on aarch64, and x & (1 + optblocker) in the
                 * portable fallback.
                 * NOTE(review): crypto_int64_optblocker is defined outside this
                 * listing and is presumably zero at run time - confirm. Only the
                 * x86_64 variant carries counts in this report.
                 */
 1254|  32.0k|#if defined(__GNUC__) && defined(__x86_64__)
 1255|  32.0k|  __asm__ ("andq $1,%0" : "+r"(crypto_int64_x) : : "cc");
 1256|  32.0k|  return crypto_int64_x;
 1257|       |#elif defined(__GNUC__) && defined(__aarch64__)
 1258|       |  crypto_int64 crypto_int64_y;
 1259|       |  __asm__ ("ubfx %0,%1,0,1" : "=r"(crypto_int64_y) : "r"(crypto_int64_x) : );
 1260|       |  return crypto_int64_y;
 1261|       |#else
 1262|       |  crypto_int64_x &= 1 + crypto_int64_optblocker;
 1263|       |  return crypto_int64_x;
 1264|       |#endif
 1265|  32.0k|}
sntrup761.c:Ciphertexts_diff_mask:
 2196|     42|static int Ciphertexts_diff_mask(const unsigned char *c, const unsigned char *c2) {
                /*
                 * Compares two ciphertexts of crypto_kem_sntrup761_CIPHERTEXTBYTES
                 * bytes. Every byte pair is XORed and ORed into differentbits with no
                 * early exit, so the loop count does not depend on where the inputs
                 * differ.
                 * differentbits stays within 0..255; (differentbits - 1) is -1 only
                 * when it was 0, so bit 8 is 1 for equal inputs and 0 otherwise, and
                 * the final "- 1" yields 0 for equal ciphertexts and -1 for different
                 * ones.
                 */
 2197|     42|  uint16_t differentbits = 0;
 2198|     42|  int len = crypto_kem_sntrup761_CIPHERTEXTBYTES;
  ------------------
  |  |    6|     42|#define crypto_kem_sntrup761_CIPHERTEXTBYTES 1039
  ------------------
 2199|  43.6k|  while (len-- > 0) differentbits |= (*c++) ^ (*c2++);
  ------------------
  |  Branch (2199:10): [True: 43.6k, False: 42]
  ------------------
 2200|     42|  return (crypto_int64_bitmod_01((differentbits - 1),8)) - 1;
 2201|     42|}
sntrup761.c:crypto_int64_bitmod_01:
 1332|     42|crypto_int64 crypto_int64_bitmod_01(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
                /* Returns bit number crypto_int64_s of crypto_int64_x as 0 or 1: the
                 * value is shifted right with crypto_int64_shrmod and the lowest bit
                 * is taken with crypto_int64_bottombit_01. */
 1333|     42|  crypto_int64_x = crypto_int64_shrmod(crypto_int64_x,crypto_int64_s);
 1334|     42|  return crypto_int64_bottombit_01(crypto_int64_x);
 1335|     42|}
sntrup761.c:crypto_int64_shrmod:
 1310|     42|crypto_int64 crypto_int64_shrmod(crypto_int64 crypto_int64_x,crypto_int64 crypto_int64_s) {
                /*
                 * Shifts crypto_int64_x right by crypto_int64_s: "sarq %cl" on x86_64,
                 * "asr" on aarch64. The portable fallback walks shift amounts 1, 2, 4,
                 * ... 32 (six steps) and applies each one under a mask from
                 * crypto_int64_bitinrangepublicpos_mask, so the loop count is fixed.
                 * NOTE(review): that mask helper is defined outside this listing;
                 * presumably it selects bit l of s, which would make the shift count
                 * effectively s mod 64 - confirm. Only the x86_64 variant carries
                 * counts in this report.
                 */
 1311|     42|#if defined(__GNUC__) && defined(__x86_64__)
 1312|     42|  __asm__ ("sarq %%cl,%0" : "+r"(crypto_int64_x) : "c"(crypto_int64_s) : "cc");
 1313|       |#elif defined(__GNUC__) && defined(__aarch64__)
 1314|       |  __asm__ ("asr %0,%0,%1" : "+r"(crypto_int64_x) : "r"(crypto_int64_s) : );
 1315|       |#else
 1316|       |  int crypto_int64_k, crypto_int64_l;
 1317|       |  for (crypto_int64_l = 0,crypto_int64_k = 1;crypto_int64_k < 64;++crypto_int64_l,crypto_int64_k *= 2)
 1318|       |    crypto_int64_x ^= (crypto_int64_x ^ (crypto_int64_x >> crypto_int64_k)) & crypto_int64_bitinrangepublicpos_mask(crypto_int64_s,crypto_int64_l);
 1319|       |#endif
 1320|     42|  return crypto_int64_x;
 1321|     42|}

sntrup761.c:randombytes:
   24|  5.14M|static inline void randombytes(unsigned char* buf, unsigned int len) {
                  /* Thin wrapper: fills buf with len bytes by calling genrandom(),
                   * which is defined outside this listing. No status is returned, so
                   * a failure inside genrandom() cannot be reported to the caller
                   * from here. */
   25|  5.14M|    genrandom(buf, len);
   26|  5.14M|}
sntrup761.c:crypto_hash_sha512:
   36|  3.54k|{
   37|  3.54k|  hash_state hs;
   38|       |
   39|  3.54k|  sha512_init(&hs);
   40|  3.54k|  sha512_process(&hs, m, n);
   41|  3.54k|  return sha512_done(&hs, out);
   42|  3.54k|}

