X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fec%2Fec_c25519_i15.c;h=8fadcf48039b5c9bca1f04aeab1c1c3ad4817fab;hp=6e4c4f8845766c0e3ed634dd9ac6c5d0e30782bb;hb=d5acc4f590a1b83b646dafa0232aa68912e00c07;hpb=693d2a0085f4c1d289cb6d79c02ddd23f18d9478;ds=sidebyside diff --git a/src/ec/ec_c25519_i15.c b/src/ec/ec_c25519_i15.c index 6e4c4f8..8fadcf4 100644 --- a/src/ec/ec_c25519_i15.c +++ b/src/ec/ec_c25519_i15.c @@ -82,10 +82,10 @@ static const unsigned char GEN[] = { }; static const unsigned char ORDER[] = { - 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6, - 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED + 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; static const unsigned char * @@ -104,6 +104,14 @@ api_order(int curve, size_t *len) return ORDER; } +static size_t +api_xoff(int curve, size_t *len) +{ + (void)curve; + *len = 32; + return 0; +} + static void cswap(uint16_t *a, uint16_t *b, uint32_t ctl) { @@ -171,8 +179,14 @@ static uint32_t api_mul(unsigned char *G, size_t Glen, const unsigned char *kb, size_t kblen, int curve) { +#define ILEN (18 * sizeof(uint16_t)) + + /* + * The a[] and b[] arrays have an extra word to allow for + * decoding without using br_i15_decode_reduce(). + */ uint16_t x1[18], x2[18], x3[18], z2[18], z3[18]; - uint16_t a[18], aa[18], b[18], bb[18]; + uint16_t a[19], aa[18], b[19], bb[18]; uint16_t c[18], d[18], e[18], da[18], cb[18]; unsigned char k[32]; uint32_t swap; @@ -197,23 +211,39 @@ api_mul(unsigned char *G, size_t Glen, */ byteswap(G); + /* + * Decode the point ('u' coordinate). This should be reduced + * modulo p, but we prefer to avoid the dependency on + * br_i15_decode_reduce(). Instead, we use br_i15_decode_mod() + * with a synthetic modulus of value 2^255 (this must work + * since G was truncated to 255 bits), then use a conditional + * subtraction. We use br_i15_decode_mod() and not + * br_i15_decode(), because the ec_prime_i15 implementation uses + * the former but not the latter. + * br_i15_decode_reduce(a, G, 32, C255_P); + */ + br_i15_zero(b, 0x111); + b[18] = 1; + br_i15_decode_mod(a, G, 32, b); + a[0] = 0x110; + br_i15_sub(a, C255_P, NOT(br_i15_sub(a, C255_P, 0))); + /* * Initialise variables x1, x2, z2, x3 and z3. We set all of them * into Montgomery representation. */ - br_i15_decode_reduce(a, G, 32, C255_P); br_i15_montymul(x1, a, C255_R2, C255_P, P0I); - memcpy(x3, x1, sizeof x1); + memcpy(x3, x1, ILEN); br_i15_zero(z2, C255_P[0]); - memcpy(x2, z2, sizeof z2); + memcpy(x2, z2, ILEN); x2[1] = 19; - memcpy(z3, x2, sizeof x2); + memcpy(z3, x2, ILEN); - memcpy(k, kb, kblen); - memset(k + kblen, 0, (sizeof k) - kblen); - k[0] &= 0xF8; - k[31] &= 0x7F; - k[31] |= 0x40; + memset(k, 0, (sizeof k) - kblen); + memcpy(k + (sizeof k) - kblen, kb, kblen); + k[31] &= 0xF8; + k[0] &= 0x7F; + k[0] |= 0x40; /* obsolete print_int_mont("x1", x1); @@ -223,7 +253,7 @@ api_mul(unsigned char *G, size_t Glen, for (i = 254; i >= 0; i --) { uint32_t kt; - kt = (k[i >> 3] >> (i & 7)) & 1; + kt = (k[31 - (i >> 3)] >> (i & 7)) & 1; swap ^= kt; cswap(x2, x3, swap); cswap(z2, z3, swap); @@ -283,12 +313,12 @@ api_mul(unsigned char *G, size_t Glen, * square-and-multiply algorithm; we mutualise most non-squarings * since the exponent contains almost only ones. */ - memcpy(a, z2, sizeof z2); + memcpy(a, z2, ILEN); for (i = 0; i < 15; i ++) { c255_mul(a, a, a); c255_mul(a, a, z2); } - memcpy(b, a, sizeof a); + memcpy(b, a, ILEN); for (i = 0; i < 14; i ++) { int j; @@ -303,11 +333,23 @@ api_mul(unsigned char *G, size_t Glen, c255_mul(b, z2, b); } } - c255_mul(x2, x2, b); - br_i15_from_monty(x2, C255_P, P0I); + c255_mul(b, x2, b); + + /* + * To avoid a dependency on br_i15_from_monty(), we use a + * Montgomery multiplication with 1. + * memcpy(x2, b, ILEN); + * br_i15_from_monty(x2, C255_P, P0I); + */ + br_i15_zero(a, C255_P[0]); + a[1] = 1; + br_i15_montymul(x2, a, b, C255_P, P0I); + br_i15_encode(G, 32, x2); byteswap(G); return 1; + +#undef ILEN } static size_t @@ -349,6 +391,7 @@ const br_ec_impl br_ec_c25519_i15 = { (uint32_t)0x20000000, &api_generator, &api_order, + &api_xoff, &api_mul, &api_mulgen, &api_muladd