
ec2_mult.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/ec/ec2_mult.c
LineSourceCount
1/* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */-
2/* ====================================================================-
3 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.-
4 *-
5 * The Elliptic Curve Public-Key Crypto Library (ECC Code) included-
6 * herein is developed by SUN MICROSYSTEMS, INC., and is contributed-
7 * to the OpenSSL project.-
8 *-
9 * The ECC Code is licensed pursuant to the OpenSSL open source-
10 * license provided below.-
11 *-
12 * The software is originally written by Sheueling Chang Shantz and-
13 * Douglas Stebila of Sun Microsystems Laboratories.-
14 *-
15 */-
16/* ====================================================================-
17 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.-
18 *-
19 * Redistribution and use in source and binary forms, with or without-
20 * modification, are permitted provided that the following conditions-
21 * are met:-
22 *-
23 * 1. Redistributions of source code must retain the above copyright-
24 * notice, this list of conditions and the following disclaimer.-
25 *-
26 * 2. Redistributions in binary form must reproduce the above copyright-
27 * notice, this list of conditions and the following disclaimer in-
28 * the documentation and/or other materials provided with the-
29 * distribution.-
30 *-
31 * 3. All advertising materials mentioning features or use of this-
32 * software must display the following acknowledgment:-
33 * "This product includes software developed by the OpenSSL Project-
34 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"-
35 *-
36 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to-
37 * endorse or promote products derived from this software without-
38 * prior written permission. For written permission, please contact-
39 * openssl-core@openssl.org.-
40 *-
41 * 5. Products derived from this software may not be called "OpenSSL"-
42 * nor may "OpenSSL" appear in their names without prior written-
43 * permission of the OpenSSL Project.-
44 *-
45 * 6. Redistributions of any form whatsoever must retain the following-
46 * acknowledgment:-
47 * "This product includes software developed by the OpenSSL Project-
48 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"-
49 *-
50 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY-
51 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE-
52 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR-
53 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR-
54 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,-
55 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT-
56 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;-
57 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)-
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,-
59 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)-
60 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED-
61 * OF THE POSSIBILITY OF SUCH DAMAGE.-
62 * ====================================================================-
63 *-
64 * This product includes cryptographic software written by Eric Young-
65 * (eay@cryptsoft.com). This product includes software written by Tim-
66 * Hudson (tjh@cryptsoft.com).-
67 *-
68 */-
69-
70#include <openssl/opensslconf.h>-
71-
72#include <openssl/err.h>-
73-
74#include "bn_lcl.h"-
75#include "ec_lcl.h"-
76-
77#ifndef OPENSSL_NO_EC2M-
78-
79-
/*
 * Point doubling in Montgomery projective coordinates: replaces the
 * x-coordinate x/z of a point with the x-coordinate of 2*(x/z).
 *
 * Algorithm Mdouble from the appendix of
 * Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over
 * GF(2^m) without precomputation" (CHES '99, LNCS 1717),
 * modified to not require precomputation of c=b^{2^{m-1}}.
 *
 * In terms of the input values, on success x holds x^4 + b*z^4 and z holds
 * x^2 * z^2.  Both are updated in place, so they may be left partially
 * updated when a step fails.
 *
 * Returns 1 on success, 0 if the temporary could not be obtained or a
 * field operation failed.
 *
 * Coverage report for this listing: no statement of this function was
 * executed by any test.
 */
static int
gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx)
{
	const EC_METHOD *meth = group->meth;
	BIGNUM *tmp;
	int ok = 0;

	/* Since Mdouble is static we can guarantee that ctx != NULL. */
	BN_CTX_start(ctx);
	tmp = BN_CTX_get(ctx);
	if (tmp == NULL)
		goto err;

	/* x = x^2, tmp = z^2 */
	if (!meth->field_sqr(group, x, x, ctx))
		goto err;
	if (!meth->field_sqr(group, tmp, z, ctx))
		goto err;
	/* z = x^2 * z^2 (new z is final from here on) */
	if (!meth->field_mul(group, z, x, tmp, ctx))
		goto err;
	/* x = x^4, tmp = z^4 */
	if (!meth->field_sqr(group, x, x, ctx))
		goto err;
	if (!meth->field_sqr(group, tmp, tmp, ctx))
		goto err;
	/* tmp = b * z^4, then x = x^4 + b * z^4 */
	if (!meth->field_mul(group, tmp, &group->b, tmp, ctx))
		goto err;
	if (!BN_GF2m_add(x, x, tmp))
		goto err;

	ok = 1;

 err:
	/* Releases tmp; must pair with the BN_CTX_start() above on every path. */
	BN_CTX_end(ctx);
	return ok;
}
119-
/*
 * Differential addition in Montgomery projective coordinates: replaces
 * x1/z1 with the x-coordinate of the point (x1/z1)+(x2/z2).
 *
 * Algorithm Madd from the appendix of
 * Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over
 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 *
 * x is the value multiplied into the new z1 in the penultimate step; the
 * only caller in this file passes the affine x-coordinate of the point
 * being multiplied.  x2 and z2 are read only.  x1 and z1 are updated in
 * place and may be left partially updated when a step fails.
 *
 * Returns 1 on success, 0 if a temporary could not be obtained or a
 * field operation failed.
 *
 * Coverage report for this listing: no statement of this function was
 * executed by any test.
 */
static int
gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1,
    const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx)
{
	const EC_METHOD *meth = group->meth;
	BIGNUM *xcopy, *prod;
	int ok = 0;

	/* Since Madd is static we can guarantee that ctx != NULL. */
	BN_CTX_start(ctx);
	xcopy = BN_CTX_get(ctx);
	if (xcopy == NULL)
		goto err;
	prod = BN_CTX_get(ctx);
	if (prod == NULL)
		goto err;

	/* Work on a private copy of x. */
	if (!BN_copy(xcopy, x))
		goto err;

	/* x1 = x1 * z2, z1 = z1 * x2 */
	if (!meth->field_mul(group, x1, x1, z2, ctx))
		goto err;
	if (!meth->field_mul(group, z1, z1, x2, ctx))
		goto err;
	/* prod = (x1 * z2) * (z1 * x2) */
	if (!meth->field_mul(group, prod, x1, z1, ctx))
		goto err;
	/* z1 = (x1 * z2 + z1 * x2)^2 -- the new z1 */
	if (!BN_GF2m_add(z1, z1, x1))
		goto err;
	if (!meth->field_sqr(group, z1, z1, ctx))
		goto err;
	/* x1 = x * z1 + prod -- the new x1 */
	if (!meth->field_mul(group, x1, z1, xcopy, ctx))
		goto err;
	if (!BN_GF2m_add(x1, x1, prod))
		goto err;

	ok = 1;

 err:
	/* Releases both temporaries obtained since BN_CTX_start(). */
	BN_CTX_end(ctx);
	return ok;
}
163-
/*
 * Convert the result of the Montgomery ladder, held as the two projective
 * x-coordinates (x1, z1) and (x2, z2), back to affine coordinates, using
 * algorithm Mxy() from the appendix of
 * Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over
 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 *
 * x and y are the affine coordinates passed by the caller (the point being
 * multiplied).  The affine result is written to x2 (x-coordinate) and z2
 * (y-coordinate); x1 and z1 are used as scratch and are overwritten.
 *
 * Returns:
 *     0 on error
 *     1 if return value should be the point at infinity
 *     2 otherwise
 *
 * Coverage report for this listing: no statement of this function was
 * executed by any test.
 */
static int
gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1,
    BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx)
{
	const EC_METHOD *meth = group->meth;
	BIGNUM *zprod, *acc, *one;
	int rc = 0;

	/*
	 * The two special cases below return before BN_CTX_start(), so they
	 * must not (and do not) go through the err label.
	 */
	if (BN_is_zero(z1)) {
		/* z1 == 0: the result is the point at infinity. */
		BN_zero(x2);
		BN_zero(z2);
		return 1;
	}
	if (BN_is_zero(z2)) {
		/* z2 == 0: the result is (x, x + y). */
		if (!BN_copy(x2, x))
			return 0;
		if (!BN_GF2m_add(z2, x, y))
			return 0;
		return 2;
	}

	/* Since Mxy is static we can guarantee that ctx != NULL. */
	BN_CTX_start(ctx);
	zprod = BN_CTX_get(ctx);
	if (zprod == NULL)
		goto err;
	acc = BN_CTX_get(ctx);
	if (acc == NULL)
		goto err;
	one = BN_CTX_get(ctx);
	if (one == NULL)
		goto err;

	/* Numerator for the single field inversion below. */
	if (!BN_one(one))
		goto err;

	/* zprod = z1 * z2 */
	if (!meth->field_mul(group, zprod, z1, z2, ctx))
		goto err;

	/* z1 = x * z1 + x1 */
	if (!meth->field_mul(group, z1, z1, x, ctx))
		goto err;
	if (!BN_GF2m_add(z1, z1, x1))
		goto err;
	/* z2 = x * z2; x1 = (x * z2) * x1; z2 = x * z2 + x2 */
	if (!meth->field_mul(group, z2, z2, x, ctx))
		goto err;
	if (!meth->field_mul(group, x1, z2, x1, ctx))
		goto err;
	if (!BN_GF2m_add(z2, z2, x2))
		goto err;

	/* z2 = (x * z2 + x2) * (x * z1 + x1) */
	if (!meth->field_mul(group, z2, z2, z1, ctx))
		goto err;
	/* acc = (x^2 + y) * zprod + z2 */
	if (!meth->field_sqr(group, acc, x, ctx))
		goto err;
	if (!BN_GF2m_add(acc, acc, y))
		goto err;
	if (!meth->field_mul(group, acc, acc, zprod, ctx))
		goto err;
	if (!BN_GF2m_add(acc, acc, z2))
		goto err;

	/* zprod = 1 / (x * z1 * z2) */
	if (!meth->field_mul(group, zprod, zprod, x, ctx))
		goto err;
	if (!meth->field_div(group, zprod, one, zprod, ctx))
		goto err;
	/* acc = acc / (x * z1 * z2) */
	if (!meth->field_mul(group, acc, zprod, acc, ctx))
		goto err;
	/* x2 = affine x-coordinate of the result */
	if (!meth->field_mul(group, x2, x1, zprod, ctx))
		goto err;
	/* z2 = (x2 + x) * acc + y = affine y-coordinate of the result */
	if (!BN_GF2m_add(z2, x2, x))
		goto err;

	if (!meth->field_mul(group, z2, z2, acc, ctx))
		goto err;
	if (!BN_GF2m_add(z2, z2, y))
		goto err;

	rc = 2;

 err:
	BN_CTX_end(ctx);
	return rc;
}
251-
252-
/*
 * Computes scalar*point and stores the result in r.
 * point can not equal r.
 * Uses a modified algorithm 2P of
 * Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over
 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
 *
 * To protect against side-channel attack the function uses constant time
 * swap, avoiding conditional branches: every ladder step performs the same
 * Madd/Mdouble pair, and the scalar bit only decides, through BN_swap_ct(),
 * which of the two working points plays which role.
 *
 * NOTE(review): the search for the top set bit below is a loop whose trip
 * count depends on the scalar, and the ladder then runs once per remaining
 * bit, so the amount of work still depends on the bit length of the scalar.
 * The swap hides the value of each processed bit, not how many bits there
 * are; callers that must hide the length have to arrange that themselves.
 *
 * The sign of scalar is not looked at here; only its magnitude words are
 * used.  A NULL or zero scalar, or a NULL or infinite point, yields the
 * point at infinity.  Only affine input (point->Z_is_one) is accepted; a
 * non-affine point makes the function return 0 without queueing an error.
 *
 * r->X and r->Y are used directly as working storage, so r is left in an
 * unspecified state when the function fails part-way.
 *
 * Returns 1 on success, 0 on error.
 *
 * Coverage report for this listing: no statement of this function was
 * executed by any test.
 */
static int
ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
    const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx)
{
	BIGNUM *x1, *x2, *z1, *z2;
	BN_ULONG bit, word, swap;
	int ok = 0, wi, conv;

	if (r == point) {
		ECerror(EC_R_INVALID_ARGUMENT);
		return 0;
	}

	/* if result should be point at infinity */
	if (scalar == NULL || BN_is_zero(scalar) || point == NULL ||
	    EC_POINT_is_at_infinity(group, point) > 0)
		return EC_POINT_set_to_infinity(group, r);

	/* only support affine coordinates */
	if (!point->Z_is_one)
		return 0;

	/* Since point_multiply is static we can guarantee that ctx != NULL. */
	BN_CTX_start(ctx);
	x1 = BN_CTX_get(ctx);
	if (x1 == NULL)
		goto err;
	z1 = BN_CTX_get(ctx);
	if (z1 == NULL)
		goto err;

	/* The second working point lives in the output point itself. */
	x2 = &r->X;
	z2 = &r->Y;

	/*
	 * Give all four values room for group->field.top words up front;
	 * the same word count is passed to BN_swap_ct() in the ladder.
	 */
	if (!bn_wexpand(x1, group->field.top))
		goto err;
	if (!bn_wexpand(z1, group->field.top))
		goto err;
	if (!bn_wexpand(x2, group->field.top))
		goto err;
	if (!bn_wexpand(z2, group->field.top))
		goto err;

	/* x1 = x */
	if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
		goto err;
	/* z1 = 1 */
	if (!BN_one(z1))
		goto err;
	/* z2 = x1^2 = x^2 */
	if (!group->meth->field_sqr(group, z2, x1, ctx))
		goto err;
	/* x2 = x^4 + b */
	if (!group->meth->field_sqr(group, x2, z2, ctx))
		goto err;
	if (!BN_GF2m_add(x2, x2, &group->b))
		goto err;

	/*
	 * find top most bit and go one past it
	 *
	 * NOTE(review): this relies on the top word scalar->d[top - 1] being
	 * non-zero; with a zero top word the loop below would not terminate.
	 * BN_is_zero() above only tests top == 0 -- confirm that scalars
	 * reaching this function are always normalised.
	 */
	wi = scalar->top - 1;
	word = scalar->d[wi];
	bit = BN_TBIT;
	while ((word & bit) == 0)
		bit >>= 1;
	bit >>= 1;
	/* if top most bit was at word break, go to next word */
	if (bit == 0) {
		wi--;
		bit = BN_TBIT;
	}

	for (; wi >= 0; wi--) {
		word = scalar->d[wi];
		for (; bit != 0; bit >>= 1) {
			/* Non-zero exactly when the current scalar bit is set. */
			swap = word & bit;

			if (!BN_swap_ct(swap, x1, x2, group->field.top))
				goto err;
			if (!BN_swap_ct(swap, z1, z2, group->field.top))
				goto err;
			if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
				goto err;
			if (!gf2m_Mdouble(group, x1, z1, ctx))
				goto err;
			/* Undo the swap so the roles are fixed between steps. */
			if (!BN_swap_ct(swap, x1, x2, group->field.top))
				goto err;
			if (!BN_swap_ct(swap, z1, z2, group->field.top))
				goto err;
		}
		bit = BN_TBIT;
	}

	/* convert out of "projective" coordinates */
	conv = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
	switch (conv) {
	case 0:
		goto err;
	case 1:
		if (!EC_POINT_set_to_infinity(group, r))
			goto err;
		break;
	default:
		/* x2/z2 alias r->X/r->Y and now hold the affine result. */
		if (!BN_one(&r->Z))
			goto err;
		r->Z_is_one = 1;
		break;
	}

	/* GF(2^m) field elements should always have BIGNUM::neg = 0 */
	BN_set_negative(&r->X, 0);
	BN_set_negative(&r->Y, 0);

	ok = 1;

 err:
	BN_CTX_end(ctx);
	return ok;
}
368-
369-
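/*
 * Computes the sum
 *     scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
 * gracefully ignoring NULL scalar values.
 *
 * If ctx is NULL a temporary BN_CTX is allocated for the call and freed
 * before returning.  The result is accumulated in a private point and only
 * copied to r at the very end, so r is not modified when this code path
 * fails.  (When the work is handed to ec_wNAF_mul(), that function's own
 * behaviour applies.)
 *
 * Each term is computed on the magnitude of its scalar by
 * ec_GF2m_montgomery_point_multiply() and inverted afterwards when the
 * scalar is negative.
 *
 * Returns 1 on success, 0 on error.
 *
 * Coverage report for this listing: no statement of this function was
 * executed by any test.
 */
int
ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
    size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
{
	BN_CTX *new_ctx = NULL;
	int ret = 0;
	size_t i;
	EC_POINT *p = NULL;
	EC_POINT *acc = NULL;

	if (ctx == NULL) {
		ctx = new_ctx = BN_CTX_new();
		if (ctx == NULL)
			return 0;
	}
	/*
	 * This implementation is more efficient than the wNAF implementation
	 * for 2 or fewer points.  Use the ec_wNAF_mul implementation for 3
	 * or more points, or if we can perform a fast multiplication based
	 * on precomputation.
	 */
	if ((scalar && (num > 1)) || (num > 2) ||
	    (num == 0 && EC_GROUP_have_precompute_mult(group))) {
		ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
		goto err;
	}
	if ((p = EC_POINT_new(group)) == NULL)
		goto err;
	if ((acc = EC_POINT_new(group)) == NULL)
		goto err;

	if (!EC_POINT_set_to_infinity(group, acc))
		goto err;

	if (scalar) {
		if (!ec_GF2m_montgomery_point_multiply(group, p, scalar,
		    group->generator, ctx))
			goto err;
		if (BN_is_negative(scalar)) {
			if (!group->meth->invert(group, p, ctx))
				goto err;
		}
		if (!group->meth->add(group, acc, acc, p, ctx))
			goto err;
	}
	for (i = 0; i < num; i++) {
		if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i],
		    points[i], ctx))
			goto err;
		/*
		 * A NULL scalars[i] is accepted by the multiply above (it
		 * yields the point at infinity), but BN_is_negative() expands
		 * to a read of ->neg, so it must not be applied to a NULL
		 * entry.
		 */
		if (scalars[i] != NULL && BN_is_negative(scalars[i])) {
			if (!group->meth->invert(group, p, ctx))
				goto err;
		}
		if (!group->meth->add(group, acc, acc, p, ctx))
			goto err;
	}

	if (!EC_POINT_copy(r, acc))
		goto err;

	ret = 1;

 err:
	EC_POINT_free(p);
	EC_POINT_free(acc);
	BN_CTX_free(new_ctx);
	return ret;
}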
438-
439-
/*
 * Precomputation for point multiplication: fall back to wNAF methods
 * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate.
 *
 * Returns the result of ec_wNAF_precompute_mult() unchanged.
 *
 * Coverage report for this listing: the return statement was executed
 * 10 times by 1 test (ectest).
 */
int
ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
{
	int rc;

	rc = ec_wNAF_precompute_mult(group, ctx);
	return rc;
}
448-
/*
 * Reports whether precomputed multiplication data is available for group,
 * by returning the result of ec_wNAF_have_precompute_mult() unchanged.
 *
 * Coverage report for this listing: this function was never executed.
 */
int
ec_GF2m_have_precompute_mult(const EC_GROUP *group)
{
	int have;

	have = ec_wNAF_have_precompute_mult(group);
	return have;
}
454-
455#endif-
