felem_scalar(inx2, in, 2);
felem_scalar(inx4, in, 4);
- /*-
- * We have many cases were we want to do
- * in[x] * in[y] +
- * in[y] * in[x]
- * This is obviously just
- * 2 * in[x] * in[y]
- * However, rather than do the doubling on the 128 bit result, we
- * double one of the inputs to the multiplication by reading from
- * |inx2| */
+ /*-
+ * We have many cases were we want to do
+ * in[x] * in[y] +
+ * in[y] * in[x]
+ * This is obviously just
+ * 2 * in[x] * in[y]
+ * However, rather than do the doubling on the 128 bit result, we
+ * double one of the inputs to the multiplication by reading from
+ * |inx2|
+ */
out[0] = ((uint128_t) in[0]) * in[0];
out[1] = ((uint128_t) in[0]) * inx2[1];
out[1] += ((limb) in[0]) >> 58;
out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
- /*-
- * out[1] < 2^58 + 2^6 + 2^58
- * = 2^59 + 2^6
- */
+ /*-
+ * out[1] < 2^58 + 2^6 + 2^58
+ * = 2^59 + 2^6
+ */
out[2] += ((limb) (in[0] >> 64)) >> 52;
out[2] += ((limb) in[1]) >> 58;
out[8] += ((limb) in[7]) >> 58;
out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
- /*-
- * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
- * < 2^59 + 2^13
- */
+ /*-
+ * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
+ * < 2^59 + 2^13
+ */
overflow1 = ((limb) (in[7] >> 64)) >> 52;
overflow1 += ((limb) in[8]) >> 58;
out[1] += out[0] >> 58;
out[0] &= bottom58bits;
- /*-
- * out[0] < 2^58
- * out[1] < 2^59 + 2^6 + 2^13 + 2^2
- * < 2^59 + 2^14
- */
+ /*-
+ * out[0] < 2^58
+ * out[1] < 2^59 + 2^6 + 2^13 + 2^2
+ * < 2^59 + 2^14
+ */
}
static void felem_square_reduce(felem out, const felem in)
EC_R_POINT_AT_INFINITY);
return 0;
}
- if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
- (!BN_to_felem(z1, &point->Z)))
+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
+ (!BN_to_felem(z1, point->Z)))
return 0;
felem_inv(z2, z1);
felem_square(tmp, z2);
* this is an unusual input, and we don't guarantee
* constant-timeness
*/
- if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
num_bytes = BN_bn2bin(p_scalar, tmp);
flip_endian(secrets[i], tmp, num_bytes);
/* precompute multiples */
- if ((!BN_to_felem(x_out, &p->X)) ||
- (!BN_to_felem(y_out, &p->Y)) ||
- (!BN_to_felem(z_out, &p->Z)))
+ if ((!BN_to_felem(x_out, p->X)) ||
+ (!BN_to_felem(y_out, p->Y)) ||
+ (!BN_to_felem(z_out, p->Z)))
goto err;
memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
* this is an unusual input, and we don't guarantee
* constant-timeness
*/
- if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
err:
BN_CTX_end(ctx);
- if (generator != NULL)
- EC_POINT_free(generator);
+ EC_POINT_free(generator);
if (new_ctx != NULL)
BN_CTX_free(new_ctx);
if (secrets != NULL)
ret = 1;
goto err;
}
- if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) ||
- (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) ||
- (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z)))
+ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) ||
+ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) ||
+ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z)))
goto err;
/* compute 2^130*G, 2^260*G, 2^390*G */
for (i = 1; i <= 4; i <<= 1) {
pre = NULL;
err:
BN_CTX_end(ctx);
- if (generator != NULL)
- EC_POINT_free(generator);
+ EC_POINT_free(generator);
if (new_ctx != NULL)
BN_CTX_free(new_ctx);
- if (pre)
- nistp521_pre_comp_free(pre);
+ nistp521_pre_comp_free(pre);
return ret;
}
projects / oweals / openssl.git / blobdiff