X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Finner.h;h=8ada6125e631e9a8d5bf65e22fd699ec18ad2b29;hp=8417b2439206547bdb1f47e596745c5389d453d2;hb=2f454aad577ae53798935cc32438a2d3f02ba31f;hpb=28e4e120b84dacdf53963639f1a8a6fec2793662
diff --git a/src/inner.h b/src/inner.h
index 8417b24..8ada612 100644
--- a/src/inner.h
+++ b/src/inner.h
@@ -571,16 +571,17 @@ MUL31_lo(uint32_t x, uint32_t y)
 #endif
 /*
- * Multiply two words together; each word may contain up to 15 bits of
- * data. If BR_CT_MUL15 is non-zero, then the macro will contain some
- * extra operations that help in making the operation constant-time on
- * some platforms, where the basic 32-bit multiplication is not
- * constant-time.
+ * Multiply two words together; the sum of the lengths of the two
+ * operands must not exceed 31 (for instance, one operand may use 16
+ * bits if the other fits on 15). If BR_CT_MUL15 is non-zero, then the
+ * macro will contain some extra operations that help in making the
+ * operation constant-time on some platforms, where the basic 32-bit
+ * multiplication is not constant-time.
 */
 #if BR_CT_MUL15
 #define MUL15(x, y) (((uint32_t)(x) | (uint32_t)0x80000000) \
 * ((uint32_t)(y) | (uint32_t)0x80000000) \
- & (uint32_t)0x3FFFFFFF)
+ & (uint32_t)0x7FFFFFFF)
 #else
 #define MUL15(x, y) ((uint32_t)(x) * (uint32_t)(y))
 #endif
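Review bot: The two variants of `MUL15` disagree when a caller breaks the new operand rule, and nothing in the macro or its comment says so. In the `BR_CT_MUL15` branch the forced top bits leave bit 31 of the product dependent on the parity of `x + y`, which is why the mask has to clear it, whereas the `#else` branch returns the full 32-bit product. A call whose product needs 32 bits would therefore give the expected value on plain builds and a truncated one only on constant-time builds, which is easy to miss in testing. I would add to the comment: `If the product does not fit on 31 bits, the BR_CT_MUL15 variant silently drops bit 31 while the plain variant keeps it.`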
@@ -1455,28 +1456,14 @@ extern const br_ec_curve_def br_secp256r1;
 extern const br_ec_curve_def br_secp384r1;
 extern const br_ec_curve_def br_secp521r1;
-#if 0
-/* obsolete */
 /*
- * Type for the parameters for a "prime curve":
- * coordinates are in GF(p), with p prime
- * curve equation is Y^2 = X^3 - 3*X + b
- * b is in Montgomery representation
- * curve order is n and is prime
- * base point is G (encoded) and has order n
+ * For Curve25519, the advertised "order" really is 2^255-1, since the
+ * point multipliction function really works over arbitrary 255-bit
+ * scalars. This value is only meant as a hint for ECDH key generation;
+ * only ECDSA uses the exact curve order, and ECDSA is not used with
+ * that specific curve.
 */
-typedef struct {
- const uint32_t *p;
- const uint32_t *b;
- const uint32_t p0i;
-} br_ec_prime_i31_curve;
-
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp256r1;
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp384r1;
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp521r1;
-
-#define BR_EC_I31_LEN ((BR_MAX_EC_SIZE + 61) / 31)
-#endif
+extern const br_ec_curve_def br_curve25519;
 /*
 * Decode some bytes as an i31 integer, with truncation (corresponding
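Review bot: The comment on `br_curve25519` says the advertised order is not the real group order, but it stops short of telling a caller what must not be done with it. Code written against the other `br_ec_curve_def` entries may, presumably, use that value to range-check or reduce a scalar, and reusing such code on this curve would be wrong without any visible failure. I would add a sentence such as `Do not use this value to validate or reduce scalars, or for anything that needs the true subgroup order.` The same comment has a typo, `multipliction` for `multiplication`.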