OpenCoverage

curve448.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/ec/curve448/curve448.c

Switch to Source code

Preprocessed file

Line Source Count

1 -

2 static const curve448_scalar_t precomputed_scalarmul_adjustment = { -

3 { -

4 { -

5 (0xc873d6d54a7bb0cf), (0xe933d8d723a70aad), -

6 (0xbb124b65129c96fd), (0x00000008335dc163) -

7 } -

8 } -

9 }; -

10 -

11 -

12 -

13 -

14 -

15 -

16 static void gf_invert(gf y, const gf x, int assert_nonzero) -

17 { -

18 mask_t ret; -

19 gf t1, t2; -

20 -

21 gf_sqr(t1, x); -

22 ret = gf_isr(t2, t1); -

23 (void)ret; -

if (assert_nonzero

assert_nonzero	Description
TRUE	evaluated 63 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 1073 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

63-1073

25 -

((

executed 63 times by 2 tests: ((void) (0)) ;

Executed by:

curve448_internal_test
libcrypto.so.1.1

void) (0))

executed 63 times by 2 tests: ((void) (0)) ;

Executed by:

curve448_internal_test
libcrypto.so.1.1

;

executed 63 times by 2 tests: ((void) (0)) ;

Executed by:

curve448_internal_test
libcrypto.so.1.1

28 gf_sqr(t1, t2); -

29 gf_mul(t2, t1, x); -

30 gf_copy(y, t2); -

}

executed 1136 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

1136

32 -

33 -

34 const curve448_point_t curve448_point_identity = -

35 { {{{{0}}}, {{{1}}}, {{{1}}}, {{{0}}}} }; -

36 -

37 static void point_double_internal(curve448_point_t p, const curve448_point_t q, -

38 int before_double) -

39 { -

40 gf a, b, c, d; -

41 -

42 gf_sqr(c, q->x); -

43 gf_sqr(a, q->y); -

44 gf_add_RAW(d, c, a); -

45 gf_add_RAW(p->t, q->y, q->x); -

46 gf_sqr(b, p->t); -

47 gf_subx_nr(b, b, d, 3); -

48 gf_sub_nr(p->t, a, c); -

49 gf_sqr(p->x, q->z); -

50 gf_add_RAW(p->z, p->x, p->x); -

51 gf_subx_nr(a, p->z, p->t, 4); -

if (2 == 5

2 == 5	Description
TRUE	never evaluated
FALSE	evaluated 6091 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

0-6091

gf_weak_reduce(a);

never executed: gf_weak_reduce(a);

54 gf_mul(p->x, a, b); -

55 gf_mul(p->z, p->t, a); -

56 gf_mul(p->y, p->t, d); -

if (!before_double

!before_double	Description
TRUE	evaluated 3161 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 2930 times by 1 test Evaluated by: libcrypto.so.1.1

)

2930-3161

gf_mul(p->t, b, d);

executed 3161 times by 2 tests: gf_mul(p->t, b, d);

Executed by:

curve448_internal_test
libcrypto.so.1.1

3161

}

executed 6091 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

6091

60 -

61 void curve448_point_double(curve448_point_t p, const curve448_point_t q) -

62 { -

63 point_double_internal(p, q, 0); -

}

executed 9 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

65 -

66 -

67 static inline void cond_neg_niels(niels_t n, mask_t neg) -

68 { -

69 gf_cond_swap(n->a, n->b, neg); -

70 gf_cond_neg(n->c, neg); -

}

executed 10980 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

10980

72 -

73 static void pt_to_pniels(pniels_t b, const curve448_point_t a) -

74 { -

75 gf_sub(b->n->a, a->y, a->x); -

76 gf_add(b->n->b, a->x, a->y); -

77 gf_mulw(b->n->c, a->t, 2 * ((-39081) - 1)); -

78 gf_add(b->z, a->z, a->z); -

}

executed 81 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

80 -

81 static void pniels_to_pt(curve448_point_t e, const pniels_t d) -

82 { -

83 gf eu; -

84 -

85 gf_add(eu, d->n->b, d->n->a); -

86 gf_sub(e->y, d->n->b, d->n->a); -

87 gf_mul(e->t, e->y, eu); -

88 gf_mul(e->x, d->z, e->y); -

89 gf_mul(e->y, d->z, eu); -

90 gf_sqr(e->z, d->z); -

}

executed 6 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

92 -

93 static void niels_to_pt(curve448_point_t e, const niels_t n) -

94 { -

95 gf_add(e->y, n->b, n->a); -

96 gf_sub(e->x, n->b, n->a); -

97 gf_mul(e->t, e->y, e->x); -

98 gf_copy(e->z, ONE); -

}

executed 125 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

125

100 -

101 static void add_niels_to_pt(curve448_point_t d, const niels_t e, -

102 int before_double) -

103 { -

104 gf a, b, c; -

105 -

106 gf_sub_nr(b, d->y, d->x); -

107 gf_mul(a, e->a, b); -

108 gf_add_RAW(b, d->x, d->y); -

109 gf_mul(d->y, e->b, b); -

110 gf_mul(d->x, e->c, d->t); -

111 gf_add_RAW(c, a, d->y); -

112 gf_sub_nr(b, d->y, a); -

113 gf_sub_nr(d->y, d->z, d->x); -

114 gf_add_RAW(a, d->x, d->z); -

115 gf_mul(d->z, a, d->y); -

116 gf_mul(d->x, d->y, b); -

117 gf_mul(d->y, a, c); -

118

if (!before_double

!before_double	Description
TRUE	evaluated 8899 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 2619 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

2619-8899

119

gf_mul(d->t, b, c);

executed 8899 times by 2 tests: gf_mul(d->t, b, c);

Executed by:

curve448_internal_test
libcrypto.so.1.1

8899

120

}

executed 11518 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

11518

121 -

122 static void sub_niels_from_pt(curve448_point_t d, const niels_t e, -

123 int before_double) -

124 { -

125 gf a, b, c; -

126 -

127 gf_sub_nr(b, d->y, d->x); -

128 gf_mul(a, e->b, b); -

129 gf_add_RAW(b, d->x, d->y); -

130 gf_mul(d->y, e->a, b); -

131 gf_mul(d->x, e->c, d->t); -

132 gf_add_RAW(c, a, d->y); -

133 gf_sub_nr(b, d->y, a); -

134 gf_add_RAW(d->y, d->z, d->x); -

135 gf_sub_nr(a, d->z, d->x); -

136 gf_mul(d->z, a, d->y); -

137 gf_mul(d->x, d->y, b); -

138 gf_mul(d->y, a, c); -

139

if (!before_double

!before_double	Description
TRUE	evaluated 54 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 525 times by 1 test Evaluated by: libcrypto.so.1.1

)

54-525

140

gf_mul(d->t, b, c);

executed 54 times by 1 test: gf_mul(d->t, b, c);

Executed by:

libcrypto.so.1.1

141

}

executed 579 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

579

142 -

143 static void add_pniels_to_pt(curve448_point_t p, const pniels_t pn, -

144 int before_double) -

145 { -

146 gf L0; -

147 -

148 gf_mul(L0, p->z, pn->z); -

149 gf_copy(p->z, L0); -

150 add_niels_to_pt(p, pn->n, before_double); -

151

}

executed 379 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

379

152 -

153 static void sub_pniels_from_pt(curve448_point_t p, const pniels_t pn, -

154 int before_double) -

155 { -

156 gf L0; -

157 -

158 gf_mul(L0, p->z, pn->z); -

159 gf_copy(p->z, L0); -

160 sub_niels_from_pt(p, pn->n, before_double); -

161

}

executed 350 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

350

162 -

163 c448_bool_t curve448_point_eq(const curve448_point_t p, -

164 const curve448_point_t q) -

165 { -

166 mask_t succ; -

167 gf a, b; -

168 -

169 -

170 gf_mul(a, p->y, q->x); -

171 gf_mul(b, q->y, p->x); -

172 succ = gf_eq(a, b); -

173 -

174

return

executed 9 times by 1 test: return mask_to_bool(succ);

Executed by:

libcrypto.so.1.1

mask_to_bool(succ);

executed 9 times by 1 test: return mask_to_bool(succ);

Executed by:

libcrypto.so.1.1

175 } -

176 -

177 c448_bool_t curve448_point_valid(const curve448_point_t p) -

178 { -

179 mask_t out; -

180 gf a, b, c; -

181 -

182 gf_mul(a, p->x, p->y); -

183 gf_mul(b, p->z, p->t); -

184 out = gf_eq(a, b); -

185 gf_sqr(a, p->x); -

186 gf_sqr(b, p->y); -

187 gf_sub(a, b, a); -

188 gf_sqr(b, p->t); -

189 gf_mulw(c, b, ((-39081) - 1)); -

190 gf_sqr(b, p->z); -

191 gf_add(b, b, c); -

192 out &= gf_eq(a, b); -

193 out &= ~gf_eq(p->z, ZERO); -

194

return

never executed: return mask_to_bool(out);

mask_to_bool(out);

never executed: return mask_to_bool(out);

195 } -

196 -

197 static inline void constant_time_lookup_niels(niels_s * __restrict__ ni, -

198 const niels_t * table, -

199 int nelts, int idx) -

200 { -

201 constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx); -

202

}

executed 10980 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

10980

203 -

204 void curve448_precomputed_scalarmul(curve448_point_t out, -

205 const curve448_precomputed_s * table, -

206 const curve448_scalar_t scalar) -

207 { -

208 unsigned int i, j, k; -

209 const unsigned int n = 5, t = 5, s = 18; -

210 niels_t ni; -

211 curve448_scalar_t scalar1x; -

212 -

213 curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment); -

214 curve448_scalar_halve(scalar1x, scalar1x); -

215 -

216

for (i = s; i > 0

i > 0	Description
TRUE	evaluated 2196 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 122 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

; i--) {

122-2196

217

if (i != s

i != s	Description
TRUE	evaluated 2074 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 122 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

122-2074

218

point_double_internal(out, out, 0);

executed 2074 times by 2 tests: point_double_internal(out, out, 0);

Executed by:

curve448_internal_test
libcrypto.so.1.1

2074

219 -

220

for (j = 0; j < n

j < n	Description
TRUE	evaluated 10980 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 2196 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

; j++) {

2196-10980

221 int tab = 0; -

222 mask_t invert; -

223 -

224

for (k = 0; k < t

k < t	Description
TRUE	evaluated 54900 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 10980 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

; k++) {

10980-54900

225 unsigned int bit = (i - 1) + s * (k + j * t); -

226 -

227

if (bit < 446

bit < 446	Description
TRUE	evaluated 54412 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 488 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

488-54412

228

tab |=

executed 54412 times by 2 tests: tab |= (scalar1x->limb[bit / 64] >> (bit % 64) & 1) << k;

Executed by:

curve448_internal_test
libcrypto.so.1.1

54412

229

(scalar1x->limb[bit / 64] >> (bit % 64) & 1) << k;

executed 54412 times by 2 tests: tab |= (scalar1x->limb[bit / 64] >> (bit % 64) & 1) << k;

Executed by:

curve448_internal_test
libcrypto.so.1.1

54412

230

}

executed 54900 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

54900

231 -

232 invert = (tab >> (t - 1)) - 1; -

233 tab ^= invert; -

234 tab &= (1 << (t - 1)) - 1; -

235 -

236 constant_time_lookup_niels(ni, &table->table[j << (t - 1)], -

237 1 << (t - 1), tab); -

238 -

239 cond_neg_niels(ni, invert); -

240

if ((

(i != s)	Description
TRUE	evaluated 10370 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 610 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

i != s)

(i != s)	Description
TRUE	evaluated 10370 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 610 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

|| j != 0

j != 0	Description
TRUE	evaluated 488 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 122 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

122-10370

241

add_niels_to_pt(out, ni, j == n - 1 && i != 1);

executed 10858 times by 2 tests: add_niels_to_pt(out, ni, j == n - 1 && i != 1);

Executed by:

curve448_internal_test
libcrypto.so.1.1

10858

242 else -

243

niels_to_pt(out, ni);

executed 122 times by 2 tests: niels_to_pt(out, ni);

Executed by:

curve448_internal_test
libcrypto.so.1.1

122

244 } -

245

}

executed 2196 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

2196

246 -

247 OPENSSL_cleanse(ni, sizeof(ni)); -

248 OPENSSL_cleanse(scalar1x, sizeof(scalar1x)); -

249

}

executed 122 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

122

250 -

251 void curve448_point_mul_by_ratio_and_encode_like_eddsa( -

252 uint8_t enc[57], -

253 const curve448_point_t p) -

254 { -

255 gf x, y, z, t; -

256 curve448_point_t q; -

257 -

258 -

259 curve448_point_copy(q, p); -

260 -

261 { -

262 -

263 gf u; -

264 -

265 gf_sqr(x, q->x); -

266 gf_sqr(t, q->y); -

267 gf_add(u, x, t); -

268 gf_add(z, q->y, q->x); -

269 gf_sqr(y, z); -

270 gf_sub(y, y, u); -

271 gf_sub(z, t, x); -

272 gf_sqr(x, q->z); -

273 gf_add(t, x, x); -

274 gf_sub(t, t, z); -

275 gf_mul(x, t, y); -

276 gf_mul(y, z, u); -

277 gf_mul(z, u, t); -

278 OPENSSL_cleanse(u, sizeof(u)); -

279 } -

280 -

281 -

282 gf_invert(z, z, 1); -

283 gf_mul(t, x, z); -

284 gf_mul(x, y, z); -

285 -

286 -

287 enc[57 - 1] = 0; -

288 gf_serialize(enc, x, 1); -

289 enc[57 - 1] |= 0x80 & gf_lobit(t); -

290 -

291 OPENSSL_cleanse(x, sizeof(x)); -

292 OPENSSL_cleanse(y, sizeof(y)); -

293 OPENSSL_cleanse(z, sizeof(z)); -

294 OPENSSL_cleanse(t, sizeof(t)); -

295 curve448_point_destroy(q); -

296

}

executed 63 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

297 -

298 c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( -

299 curve448_point_t p, -

300 const uint8_t enc[57]) -

301 { -

302 uint8_t enc2[57]; -

303 mask_t low; -

304 mask_t succ; -

305 -

306 memcpy(enc2, enc, sizeof(enc2)); -

307 -

308 low = ~constant_time_is_zero_32(enc2[57 - 1] & 0x80); -

309 enc2[57 - 1] &= ~0x80; -

310 -

311 succ = gf_deserialize(p->y, enc2, 1, 0); -

312 succ &= constant_time_is_zero_32(enc2[57 - 1]); -

313 -

314 gf_sqr(p->x, p->y); -

315 gf_sub(p->z, ONE, p->x); -

316 gf_mulw(p->t, p->x, (-39081)); -

317 gf_sub(p->t, ONE, p->t); -

318 -

319 gf_mul(p->x, p->z, p->t); -

320 succ &= gf_isr(p->t, p->x); -

321 -

322 gf_mul(p->x, p->t, p->z); -

323 gf_cond_neg(p->x, gf_lobit(p->x) ^ low); -

324 gf_copy(p->z, ONE); -

325 -

326 { -

327 gf a, b, c, d; -

328 -

329 -

330 gf_sqr(c, p->x); -

331 gf_sqr(a, p->y); -

332 gf_add(d, c, a); -

333 gf_add(p->t, p->y, p->x); -

334 gf_sqr(b, p->t); -

335 gf_sub(b, b, d); -

336 gf_sub(p->t, a, c); -

337 gf_sqr(p->x, p->z); -

338 gf_add(p->z, p->x, p->x); -

339 gf_sub(a, p->z, d); -

340 gf_mul(p->x, a, b); -

341 gf_mul(p->z, p->t, a); -

342 gf_mul(p->y, p->t, d); -

343 gf_mul(p->t, b, d); -

344 OPENSSL_cleanse(a, sizeof(a)); -

345 OPENSSL_cleanse(b, sizeof(b)); -

346 OPENSSL_cleanse(c, sizeof(c)); -

347 OPENSSL_cleanse(d, sizeof(d)); -

348 } -

349 -

350 OPENSSL_cleanse(enc2, sizeof(enc2)); -

351 -

352 ((void) (0)) -

353 ; -

354 -

355

return

executed 18 times by 1 test: return c448_succeed_if(mask_to_bool(succ));

Executed by:

libcrypto.so.1.1

c448_succeed_if(mask_to_bool(succ));

executed 18 times by 1 test: return c448_succeed_if(mask_to_bool(succ));

Executed by:

libcrypto.so.1.1

356 } -

357 -

358 c448_error_t x448_int(uint8_t out[56], -

359 const uint8_t base[56], -

360 const uint8_t scalar[56]) -

361 { -

362 gf x1, x2, z2, x3, z3, t1, t2; -

363 int t; -

364 mask_t swap = 0; -

365 mask_t nz; -

366 -

367 (void)gf_deserialize(x1, base, 1, 0); -

368 gf_copy(x2, ONE); -

369 gf_copy(z2, ZERO); -

370 gf_copy(x3, x1); -

371 gf_copy(z3, ONE); -

372 -

373

for (t = 448 - 1; t >= 0

t >= 0	Description
TRUE	evaluated 454272 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 1014 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

; t--) {

1014-454272

374 uint8_t sb = scalar[t / 8]; -

375 mask_t k_t; -

376 -

377 -

378

if (t / 8 == 0

t / 8 == 0	Description
TRUE	evaluated 8112 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 446160 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

8112-446160

379

sb &= -(uint8_t)4;

executed 8112 times by 2 tests: sb &= -(uint8_t)4;

Executed by:

curve448_internal_test
libcrypto.so.1.1

8112

380

else if (t == 448 - 1

t == 448 - 1	Description
TRUE	evaluated 1014 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 445146 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

)

1014-445146

381

sb = -1;

executed 1014 times by 2 tests: sb = -1;

Executed by:

curve448_internal_test
libcrypto.so.1.1

1014

382 -

383 k_t = (sb >> (t % 8)) & 1; -

384 k_t = 0 - k_t; -

385 -

386 swap ^= k_t; -

387 gf_cond_swap(x2, x3, swap); -

388 gf_cond_swap(z2, z3, swap); -

389 swap = k_t; -

390 -

391 -

392 -

393 -

394 -

395 -

396 gf_add_RAW(t1, x2, z2); -

397 gf_sub_nr(t2, x2, z2); -

398 gf_sub_nr(z2, x3, z3); -

399 gf_mul(x2, t1, z2); -

400 gf_add_RAW(z2, z3, x3); -

401 gf_mul(x3, t2, z2); -

402 gf_sub_nr(z3, x2, x3); -

403 gf_sqr(z2, z3); -

404 gf_mul(z3, x1, z2); -

405 gf_add_RAW(z2, x2, x3); -

406 gf_sqr(x3, z2); -

407 -

408 gf_sqr(z2, t1); -

409 gf_sqr(t1, t2); -

410 gf_mul(x2, z2, t1); -

411 gf_sub_nr(t2, z2, t1); -

412 -

413 gf_mulw(t1, t2, -(-39081)); -

414 gf_add_RAW(t1, t1, z2); -

415 gf_mul(z2, t2, t1); -

416

}

executed 454272 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

454272

417 -

418 -

419 gf_cond_swap(x2, x3, swap); -

420 gf_cond_swap(z2, z3, swap); -

421 gf_invert(z2, z2, 0); -

422 gf_mul(x1, x2, z2); -

423 gf_serialize(out, x1, 1); -

424 nz = ~gf_eq(x1, ZERO); -

425 -

426 OPENSSL_cleanse(x1, sizeof(x1)); -

427 OPENSSL_cleanse(x2, sizeof(x2)); -

428 OPENSSL_cleanse(z2, sizeof(z2)); -

429 OPENSSL_cleanse(x3, sizeof(x3)); -

430 OPENSSL_cleanse(z3, sizeof(z3)); -

431 OPENSSL_cleanse(t1, sizeof(t1)); -

432 OPENSSL_cleanse(t2, sizeof(t2)); -

433 -

434

return

executed 1014 times by 2 tests: return c448_succeed_if(mask_to_bool(nz));

Executed by:

curve448_internal_test
libcrypto.so.1.1

c448_succeed_if(mask_to_bool(nz));

executed 1014 times by 2 tests: return c448_succeed_if(mask_to_bool(nz));

Executed by:

curve448_internal_test
libcrypto.so.1.1

1014

435 } -

436 -

437 void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t -

438 out[56], -

439 const curve448_point_t p) -

440 { -

441 curve448_point_t q; -

442 -

443 curve448_point_copy(q, p); -

444 gf_invert(q->t, q->x, 0); -

445 gf_mul(q->z, q->t, q->y); -

446 gf_sqr(q->y, q->z); -

447 gf_serialize(out, q->y, 1); -

448 curve448_point_destroy(q); -

449

}

executed 59 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

450 -

451 void x448_derive_public_key(uint8_t out[56], -

452 const uint8_t scalar[56]) -

453 { -

454 -

455 uint8_t scalar2[56]; -

456 curve448_scalar_t the_scalar; -

457 curve448_point_t p; -

458 unsigned int i; -

459 -

460 memcpy(scalar2, scalar, sizeof(scalar2)); -

461 scalar2[0] &= -(uint8_t)4; -

462 -

463 scalar2[56 - 1] &= ~((0u - 1u) << ((448 + 7) % 8)); -

464 scalar2[56 - 1] |= 1 << ((448 + 7) % 8); -

465 -

466 curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2)); -

467 -

468 -

469

for (i = 1; i < 2

i < 2	Description
TRUE	evaluated 59 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 59 times by 1 test Evaluated by: libcrypto.so.1.1

; i <<= 1)

470

curve448_scalar_halve(the_scalar, the_scalar);

executed 59 times by 1 test: curve448_scalar_halve(the_scalar, the_scalar);

Executed by:

libcrypto.so.1.1

471 -

472 curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar); -

473 curve448_point_mul_by_ratio_and_encode_like_x448(out, p); -

474 curve448_point_destroy(p); -

475

}

executed 59 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

476 -

477 -

478 struct smvt_control { -

479 int power, addend; -

480 }; -

481 static int recode_wnaf(struct smvt_control *control, -

482 -

483 const curve448_scalar_t scalar, -

484 unsigned int table_bits) -

485 { -

486 unsigned int table_size = 446 / (table_bits + 1) + 3; -

487 int position = table_size - 1; -

488 uint64_t current = scalar->limb[0] & 0xFFFF; -

489 uint32_t mask = (1 << (table_bits + 1)) - 1; -

490 unsigned int w; -

491 const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2; -

492 unsigned int n, i; -

493 -

494 -

495 control[position].power = -1; -

496 control[position].addend = 0; -

497 position--; -

498 -

499 -

500 -

501 -

502 -

503 -

504 -

505

for (w = 1; w < (446 - 1) / 16 + 3

w < (446 - 1) / 16 + 3	Description
TRUE	evaluated 522 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 18 times by 1 test Evaluated by: libcrypto.so.1.1

; w++) {

18-522

506

if (w < (446 - 1) / 16 + 1

w < (446 - 1) / 16 + 1	Description
TRUE	evaluated 486 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 36 times by 1 test Evaluated by: libcrypto.so.1.1

) {

36-486

507 -

508 current += (uint32_t)((scalar->limb[w / B_OVER_16] -

509 >> (16 * (w % B_OVER_16))) << 16); -

510

}

executed 486 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

486

511 -

512

while (current & 0xFFFF

current & 0xFFFF	Description
TRUE	evaluated 1185 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 522 times by 1 test Evaluated by: libcrypto.so.1.1

) {

522-1185

513 uint32_t pos = __builtin_ctz((uint32_t)current); -

514 uint32_t odd = (uint32_t)current >> pos; -

515 int32_t delta = odd & mask; -

516 -

517 -

518 ((void) (0)) -

519 ; -

520

if (odd & (1 << (table_bits + 1))

odd & (1 << (table_bits + 1))	Description
TRUE	evaluated 579 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 606 times by 1 test Evaluated by: libcrypto.so.1.1

)

579-606

521

delta -= (1 << (table_bits + 1));

executed 579 times by 1 test: delta -= (1 << (table_bits + 1));

Executed by:

libcrypto.so.1.1

579

522 current -= delta * (1 << pos); -

523 control[position].power = pos + 16 * (w - 1); -

524 control[position].addend = delta; -

525 position--; -

526

}

executed 1185 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1185

527 current >>= 16; -

528

}

executed 522 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

522

529 -

530 ((void) (0)) -

531 ; -

532 -

533 position++; -

534 n = table_size - position; -

535

for (i = 0; i < n

i < n	Description
TRUE	evaluated 1203 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 18 times by 1 test Evaluated by: libcrypto.so.1.1

; i++)

18-1203

536

control[i] = control[i + position];

executed 1203 times by 1 test: control[i] = control[i + position];

Executed by:

libcrypto.so.1.1

1203

537 -

538

return

executed 18 times by 1 test: return n - 1;

Executed by:

libcrypto.so.1.1

n - 1;

executed 18 times by 1 test: return n - 1;

Executed by:

libcrypto.so.1.1

539 } -

540 -

541 static void prepare_wnaf_table(pniels_t * output, -

542 const curve448_point_t working, -

543 unsigned int tbits) -

544 { -

545 curve448_point_t tmp; -

546 int i; -

547 pniels_t twop; -

548 -

549 pt_to_pniels(output[0], working); -

550 -

551

if (tbits == 0

tbits == 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

)

0-9

552

return;

never executed: return;

553 -

554 curve448_point_double(tmp, working); -

555 pt_to_pniels(twop, tmp); -

556 -

557 add_pniels_to_pt(tmp, output[0], 0); -

558 pt_to_pniels(output[1], tmp); -

559 -

560

for (i = 2; i < 1 << tbits

i < 1 << tbits	Description
TRUE	evaluated 54 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

; i++) {

9-54

561 add_pniels_to_pt(tmp, twop, 0); -

562 pt_to_pniels(output[i], tmp); -

563

}

executed 54 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

564 -

565 curve448_point_destroy(tmp); -

566 OPENSSL_cleanse(twop, sizeof(twop)); -

567

}

executed 9 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

568 -

569 void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, -

570 const curve448_scalar_t scalar1, -

571 const curve448_point_t base2, -

572 const curve448_scalar_t scalar2) -

573 { -

574 const int table_bits_var = 3; -

575 const int table_bits_pre = 5; -

576 struct smvt_control control_var[446 / -

577 (3 + 1) + 3]; -

578 struct smvt_control control_pre[446 / -

579 (5 + 1) + 3]; -

580 int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre); -

581 int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var); -

582 pniels_t precmp_var[1 << 3]; -

583 int contp = 0, contv = 0, i; -

584 -

585 prepare_wnaf_table(precmp_var, base2, table_bits_var); -

586 i = control_var[0].power; -

587 -

588

if (i < 0

i < 0	Description
TRUE	never evaluated
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

) {

0-9

589 curve448_point_copy(combo, curve448_point_identity); -

590

return;

never executed: return;

591 } -

592

if (i > control_pre[0].power

i > control_pre[0].power	Description
TRUE	evaluated 5 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1

) {

4-5

593 pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]); -

594 contv++; -

595

}

executed 5 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

else if (i == control_pre[0].power

i == control_pre[0].power	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

&& i >= 0

i >= 0	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

) {

0-5

596 pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]); -

597 add_niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1], -

598 i); -

599 contv++; -

600 contp++; -

601

}

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

else {

602 i = control_pre[0].power; -

603 niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1]); -

604 contp++; -

605

}

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

606 -

607

for (i--; i >= 0

i >= 0	Description
TRUE	evaluated 4008 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

; i--) {

9-4008

608 int cv = (i == control_var[contv].power); -

609 int cp = (i == control_pre[contp].power); -

610 -

611 point_double_internal(combo, combo, i && !(cv || cp)); -

612 -

613

if (cv

cv	Description
TRUE	evaluated 666 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3342 times by 1 test Evaluated by: libcrypto.so.1.1

) {

666-3342

614 -

615 ((void) (0)) -

616 ; -

617 -

618

if (control_var[contv].addend > 0

control_var[contv].addend > 0	Description
TRUE	evaluated 316 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 350 times by 1 test Evaluated by: libcrypto.so.1.1

)

316-350

619

add_pniels_to_pt(combo,

executed 316 times by 1 test: add_pniels_to_pt(combo, precmp_var[control_var[contv].addend >> 1], i && !cp);

Executed by:

libcrypto.so.1.1

316

620

precmp_var[control_var[contv].addend >> 1],

executed 316 times by 1 test: add_pniels_to_pt(combo, precmp_var[control_var[contv].addend >> 1], i && !cp);

Executed by:

libcrypto.so.1.1

316

621

i && !cp);

executed 316 times by 1 test: add_pniels_to_pt(combo, precmp_var[control_var[contv].addend >> 1], i && !cp);

Executed by:

libcrypto.so.1.1

316

622 else -

623

sub_pniels_from_pt(combo,

executed 350 times by 1 test: sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) >> 1], i && !cp);

Executed by:

libcrypto.so.1.1

350

624

precmp_var[(-control_var[contv].addend)

executed 350 times by 1 test: sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) >> 1], i && !cp);

Executed by:

libcrypto.so.1.1

350

625

>> 1], i && !cp);

executed 350 times by 1 test: sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) >> 1], i && !cp);

Executed by:

libcrypto.so.1.1

350

626 contv++; -

627

}

executed 666 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

666

628 -

629

if (cp

cp	Description
TRUE	evaluated 509 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3499 times by 1 test Evaluated by: libcrypto.so.1.1

) {

509-3499

630 -

631 ((void) (0)) -

632 ; -

633 -

634

if (control_pre[contp].addend > 0

control_pre[contp].addend > 0	Description
TRUE	evaluated 280 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 229 times by 1 test Evaluated by: libcrypto.so.1.1

)

229-280

635

add_niels_to_pt(combo,

executed 280 times by 1 test: add_niels_to_pt(combo, curve448_wnaf_base[control_pre[contp].addend >> 1], i);

Executed by:

libcrypto.so.1.1

280

636

curve448_wnaf_base[control_pre[contp].addend

executed 280 times by 1 test: add_niels_to_pt(combo, curve448_wnaf_base[control_pre[contp].addend >> 1], i);

Executed by:

libcrypto.so.1.1

280

637

>> 1], i);

executed 280 times by 1 test: add_niels_to_pt(combo, curve448_wnaf_base[control_pre[contp].addend >> 1], i);

Executed by:

libcrypto.so.1.1

280

638 else -

639

sub_niels_from_pt(combo,

executed 229 times by 1 test: sub_niels_from_pt(combo, curve448_wnaf_base[(-control_pre [contp].addend) >> 1], i);

Executed by:

libcrypto.so.1.1

229

640

curve448_wnaf_base[(-control_pre

executed 229 times by 1 test: sub_niels_from_pt(combo, curve448_wnaf_base[(-control_pre [contp].addend) >> 1], i);

Executed by:

libcrypto.so.1.1

229

641

[contp].addend) >> 1], i);

executed 229 times by 1 test: sub_niels_from_pt(combo, curve448_wnaf_base[(-control_pre [contp].addend) >> 1], i);

Executed by:

libcrypto.so.1.1

229

642 contp++; -

643

}

executed 509 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

509

644

}

executed 4008 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

4008

645 -

646 -

647 OPENSSL_cleanse(control_var, sizeof(control_var)); -

648 OPENSSL_cleanse(control_pre, sizeof(control_pre)); -

649 OPENSSL_cleanse(precmp_var, sizeof(precmp_var)); -

650 -

651 -

652 ((void) (0)) -

653 ; -

654 (void)ncb_var; -

655 -

656 ((void) (0)) -

657 ; -

658 (void)ncb_pre; -

659

}

executed 9 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

660 -

661 void curve448_point_destroy(curve448_point_t point) -

662 { -

663 OPENSSL_cleanse(point, sizeof(curve448_point_t)); -

664

}

executed 253 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

253

665 -

666 int X448(uint8_t out_shared_key[56], const uint8_t private_key[56], -

667 const uint8_t peer_public_value[56]) -

668 { -

669

return

executed 1014 times by 2 tests: return x448_int(out_shared_key, peer_public_value, private_key) == C448_SUCCESS;

Executed by:

curve448_internal_test
libcrypto.so.1.1

x448_int(out_shared_key, peer_public_value, private_key)

executed 1014 times by 2 tests: return x448_int(out_shared_key, peer_public_value, private_key) == C448_SUCCESS;

Executed by:

curve448_internal_test
libcrypto.so.1.1

1014

670

== C448_SUCCESS;

executed 1014 times by 2 tests: return x448_int(out_shared_key, peer_public_value, private_key) == C448_SUCCESS;

Executed by:

curve448_internal_test
libcrypto.so.1.1

1014

671 } -

672 -

673 void X448_public_from_private(uint8_t out_public_value[56], -

674 const uint8_t private_key[56]) -

675 { -

676 x448_derive_public_key(out_public_value, private_key); -

677

}

executed 59 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

Switch to Source code

Preprocessed file

Generated by Squish Coco 4.2.2