OpenCoverage

ec_mult.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/ec/ec_mult.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

4 * -

5 * Licensed under the OpenSSL license (the "License"). You may not use -

6 * this file except in compliance with the License. You can obtain a copy -

7 * in the file LICENSE in the source distribution or at -

8 * https://www.openssl.org/source/license.html -

9 */ -

10 -

11 #include <string.h> -

12 #include <openssl/err.h> -

13 -

14 #include "internal/cryptlib.h" -

15 #include "internal/bn_int.h" -

16 #include "ec_lcl.h" -

17 #include "internal/refcount.h" -

18 -

19 /* -

20 * This file implements the wNAF-based interleaving multi-exponentiation method -

21 * Formerly at: -

22 * http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp -

23 * You might now find it here: -

24 * http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13 -

25 * http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf -

26 * For multiplication with precomputation, we use wNAF splitting, formerly at: -

27 * http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp -

28 */ -

29 -

30 /* structure for precomputed multiples of the generator */ -

31 struct ec_pre_comp_st { -

32 const EC_GROUP *group; /* parent EC_GROUP object */ -

33 size_t blocksize; /* block size for wNAF splitting */ -

34 size_t numblocks; /* max. number of blocks for which we have -

35 * precomputation */ -

36 size_t w; /* window size */ -

37 EC_POINT **points; /* array with pre-calculated multiples of -

38 * generator: 'num' pointers to EC_POINT -

39 * objects followed by a NULL */ -

40 size_t num; /* numblocks * 2^(w-1) */ -

41 CRYPTO_REF_COUNT references; -

42 CRYPTO_RWLOCK *lock; -

43 }; -

44 -

45 static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) -

46 { -

47 EC_PRE_COMP *ret = NULL; -

48 -

if (!group)

!group	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

return NULL;

never executed: return ((void *)0) ;

51 -

52 ret = OPENSSL_zalloc(sizeof(*ret)); -

if (ret == NULL) {

ret == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

54 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); -

return ret;

never executed: return ret;

56 } -

57 -

58 ret->group = group; -

59 ret->blocksize = 8; /* default */ -

60 ret->w = 4; /* default */ -

61 ret->references = 1; -

62 -

63 ret->lock = CRYPTO_THREAD_lock_new(); -

if (ret->lock == NULL) {

ret->lock == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

65 ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); -

66 OPENSSL_free(ret); -

return NULL;

never executed: return ((void *)0) ;

68 } -

return ret;

executed 45 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

70 } -

71 -

72 EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_COMP *pre) -

73 { -

74 int i; -

if (pre != NULL)

pre != ((void *)0)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

CRYPTO_UP_REF(&pre->references, &i, pre->lock);

executed 6 times by 1 test: CRYPTO_UP_REF(&pre->references, &i, pre->lock);

Executed by:

libcrypto.so.1.1

return pre;

executed 6 times by 1 test: return pre;

Executed by:

libcrypto.so.1.1

78 } -

79 -

80 void EC_ec_pre_comp_free(EC_PRE_COMP *pre) -

81 { -

82 int i; -

83 -

if (pre == NULL)

pre == ((void *)0)	Description
TRUE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 51 times by 1 test Evaluated by: libcrypto.so.1.1

45-51

return;

executed 45 times by 1 test: return;

Executed by:

libcrypto.so.1.1

86 -

87 CRYPTO_DOWN_REF(&pre->references, &i, pre->lock); -

88 REF_PRINT_COUNT("EC_ec", pre); -

if (i > 0)

i > 0	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

6-45

return;

executed 6 times by 1 test: return;

Executed by:

libcrypto.so.1.1

91 REF_ASSERT_ISNT(i < 0); -

92 -

if (pre->points != NULL) {

pre->points != ((void *)0)	Description
TRUE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-45

94 EC_POINT **pts; -

95 -

for (pts = pre->points; *pts != NULL; pts++)

pts != ((void )0)	Description
TRUE	evaluated 10992 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

45-10992

EC_POINT_free(*pts);

executed 10992 times by 1 test: EC_POINT_free(*pts);

Executed by:

libcrypto.so.1.1

10992

98 OPENSSL_free(pre->points); -

}

executed 45 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

100 CRYPTO_THREAD_lock_free(pre->lock); -

101 OPENSSL_free(pre); -

102

}

executed 45 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

103 -

104 #define EC_POINT_BN_set_flags(P, flags) do { \ -

105 BN_set_flags((P)->X, (flags)); \ -

106 BN_set_flags((P)->Y, (flags)); \ -

107 BN_set_flags((P)->Z, (flags)); \ -

108 } while(0) -

109 -

110 /*- -

111 * This functions computes a single point multiplication over the EC group, -

112 * using, at a high level, a Montgomery ladder with conditional swaps, with -

113 * various timing attack defenses. -

114 * -

115 * It performs either a fixed point multiplication -

116 * (scalar * generator) -

117 * when point is NULL, or a variable point multiplication -

118 * (scalar * point) -

119 * when point is not NULL. -

120 * -

121 * `scalar` cannot be NULL and should be in the range [0,n) otherwise all -

122 * constant time bets are off (where n is the cardinality of the EC group). -

123 * -

124 * This function expects `group->order` and `group->cardinality` to be well -

125 * defined and non-zero: it fails with an error code otherwise. -

126 * -

127 * NB: This says nothing about the constant-timeness of the ladder step -

128 * implementation (i.e., the default implementation is based on EC_POINT_add and -

129 * EC_POINT_dbl, which of course are not constant time themselves) or the -

130 * underlying multiprecision arithmetic. -

131 * -

132 * The product is stored in `r`. -

133 * -

134 * This is an internal function: callers are in charge of ensuring that the -

135 * input parameters `group`, `r`, `scalar` and `ctx` are not NULL. -

136 * -

137 * Returns 1 on success, 0 otherwise. -

138 */ -

139 int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, -

140 const BIGNUM *scalar, const EC_POINT *point, -

141 BN_CTX *ctx) -

142 { -

143 int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; -

144 EC_POINT *p = NULL; -

145 EC_POINT *s = NULL; -

146 BIGNUM *k = NULL; -

147 BIGNUM *lambda = NULL; -

148 BIGNUM *cardinality = NULL; -

149 int ret = 0; -

150 -

151 /* early exit if the input point is the point at infinity */ -

152

if (point != NULL && EC_POINT_is_at_infinity(group, point))

point != ((void *)0)	Description
TRUE	evaluated 2075 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 2062 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

EC_POINT_is_at...(group, point)	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2068 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

7-2075

153

return EC_POINT_set_to_infinity(group, r);

executed 7 times by 1 test: return EC_POINT_set_to_infinity(group, r);

Executed by:

libcrypto.so.1.1

154 -

155

if (BN_is_zero(group->order)) {

BN_is_zero(group->order)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

156 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_UNKNOWN_ORDER); -

157

return 0;

never executed: return 0;

158 } -

159

if (BN_is_zero(group->cofactor)) {

BN_is_zero(group->cofactor)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

160 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_UNKNOWN_COFACTOR); -

161

return 0;

never executed: return 0;

162 } -

163 -

164 BN_CTX_start(ctx); -

165 -

166

if (((p = EC_POINT_new(group)) == NULL)

((p = EC_POINT... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

167

|| ((s = EC_POINT_new(group)) == NULL)) {

((s = EC_POINT... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

168 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_MALLOC_FAILURE); -

169

goto err;

never executed: goto err;

170 } -

171 -

172

if (point == NULL) {

point == ((void *)0)	Description
TRUE	evaluated 2062 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 2068 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

2062-2068

173

if (!EC_POINT_copy(p, group->generator)) {

!EC_POINT_copy...up->generator)	Description
TRUE	never evaluated
FALSE	evaluated 2062 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-2062

174 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB); -

175

goto err;

never executed: goto err;

176 } -

177

} else {

executed 2062 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

2062

178

if (!EC_POINT_copy(p, point)) {

!EC_POINT_copy(p, point)	Description
TRUE	never evaluated
FALSE	evaluated 2068 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-2068

179 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB); -

180

goto err;

never executed: goto err;

181 } -

182

}

executed 2068 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

2068

183 -

184 EC_POINT_BN_set_flags(p, BN_FLG_CONSTTIME); -

185 EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); -

186 EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); -

187 -

188 cardinality = BN_CTX_get(ctx); -

189 lambda = BN_CTX_get(ctx); -

190 k = BN_CTX_get(ctx); -

191

if (k == NULL) {

k == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

192 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_MALLOC_FAILURE); -

193

goto err;

never executed: goto err;

194 } -

195 -

196

if (!BN_mul(cardinality, group->order, group->cofactor, ctx)) {

!BN_mul(cardin...cofactor, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

197 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

198

goto err;

never executed: goto err;

199 } -

200 -

201 /* -

202 * Group cardinalities are often on a word boundary. -

203 * So when we pad the scalar, some timing diff might -

204 * pop if it needs to be expanded due to carries. -

205 * So expand ahead of time. -

206 */ -

207 cardinality_bits = BN_num_bits(cardinality); -

208 group_top = bn_get_top(cardinality); -

209

if ((bn_wexpand(k, group_top + 1) == NULL)

(bn_wexpand(k,... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

210

|| (bn_wexpand(lambda, group_top + 1) == NULL)) {

(bn_wexpand(la... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

211 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

212

goto err;

never executed: goto err;

213 } -

214 -

215

if (!BN_copy(k, scalar)) {

!BN_copy(k, scalar)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

216 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

217

goto err;

never executed: goto err;

218 } -

219 -

220 BN_set_flags(k, BN_FLG_CONSTTIME); -

221 -

222

if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {

(BN_num_bits(k...dinality_bits)	Description
TRUE	evaluated 415 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3715 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

(BN_is_negative(k))	Description
TRUE	evaluated 194 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3521 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

194-3715

223 /*- -

224 * this is an unusual input, and we don't guarantee -

225 * constant-timeness -

226 */ -

227

if (!BN_nnmod(k, k, cardinality, ctx)) {

!BN_nnmod(k, k...dinality, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 609 times by 1 test Evaluated by: libcrypto.so.1.1

0-609

228 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

229

goto err;

never executed: goto err;

230 } -

231

}

executed 609 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

609

232 -

233

if (!BN_add(lambda, k, cardinality)) {

!BN_add(lambda..., cardinality)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

234 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

235

goto err;

never executed: goto err;

236 } -

237 BN_set_flags(lambda, BN_FLG_CONSTTIME); -

238

if (!BN_add(k, lambda, cardinality)) {

!BN_add(k, lam..., cardinality)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

239 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

240

goto err;

never executed: goto err;

241 } -

242 /* -

243 * lambda := scalar + cardinality -

244 * k := scalar + 2*cardinality -

245 */ -

246 kbit = BN_is_bit_set(lambda, cardinality_bits); -

247 BN_consttime_swap(kbit, k, lambda, group_top + 1); -

248 -

249 group_top = bn_get_top(group->field); -

250

if ((bn_wexpand(s->X, group_top) == NULL)

(bn_wexpand(s-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

251

|| (bn_wexpand(s->Y, group_top) == NULL)

(bn_wexpand(s-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

252

|| (bn_wexpand(s->Z, group_top) == NULL)

(bn_wexpand(s-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

253

|| (bn_wexpand(r->X, group_top) == NULL)

(bn_wexpand(r-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

254

|| (bn_wexpand(r->Y, group_top) == NULL)

(bn_wexpand(r-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

255

|| (bn_wexpand(r->Z, group_top) == NULL)

(bn_wexpand(r-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

256

|| (bn_wexpand(p->X, group_top) == NULL)

(bn_wexpand(p-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

257

|| (bn_wexpand(p->Y, group_top) == NULL)

(bn_wexpand(p-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

258

|| (bn_wexpand(p->Z, group_top) == NULL)) {

(bn_wexpand(p-... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

259 ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); -

260

goto err;

never executed: goto err;

261 } -

262 -

263 /*- -

264 * Apply coordinate blinding for EC_POINT. -

265 * -

266 * The underlying EC_METHOD can optionally implement this function: -

267 * ec_point_blind_coordinates() returns 0 in case of errors or 1 on -

268 * success or if coordinate blinding is not implemented for this -

269 * group. -

270 */ -

271

if (!ec_point_blind_coordinates(group, p, ctx)) {

!ec_point_blin...group, p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

272 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE); -

273

goto err;

never executed: goto err;

274 } -

275 -

276 /* Initialize the Montgomery ladder */ -

277

if (!ec_point_ladder_pre(group, r, s, p, ctx)) {

!ec_point_ladd... r, s, p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

278 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_LADDER_PRE_FAILURE); -

279

goto err;

never executed: goto err;

280 } -

281 -

282 /* top bit is a 1, in a fixed pos */ -

283 pbit = 1; -

284 -

285 #define EC_POINT_CSWAP(c, a, b, w, t) do { \ -

286 BN_consttime_swap(c, (a)->X, (b)->X, w); \ -

287 BN_consttime_swap(c, (a)->Y, (b)->Y, w); \ -

288 BN_consttime_swap(c, (a)->Z, (b)->Z, w); \ -

289 t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ -

290 (a)->Z_is_one ^= (t); \ -

291 (b)->Z_is_one ^= (t); \ -

292 } while(0) -

293 -

294 /*- -

295 * The ladder step, with branches, is -

296 * -

297 * k[i] == 0: S = add(R, S), R = dbl(R) -

298 * k[i] == 1: R = add(S, R), S = dbl(S) -

299 * -

300 * Swapping R, S conditionally on k[i] leaves you with state -

301 * -

302 * k[i] == 0: T, U = R, S -

303 * k[i] == 1: T, U = S, R -

304 * -

305 * Then perform the ECC ops. -

306 * -

307 * U = add(T, U) -

308 * T = dbl(T) -

309 * -

310 * Which leaves you with state -

311 * -

312 * k[i] == 0: U = add(R, S), T = dbl(R) -

313 * k[i] == 1: U = add(S, R), T = dbl(S) -

314 * -

315 * Swapping T, U conditionally on k[i] leaves you with state -

316 * -

317 * k[i] == 0: R, S = T, U -

318 * k[i] == 1: R, S = U, T -

319 * -

320 * Which leaves you with state -

321 * -

322 * k[i] == 0: S = add(R, S), R = dbl(R) -

323 * k[i] == 1: R = add(S, R), S = dbl(S) -

324 * -

325 * So we get the same logic, but instead of a branch it's a -

326 * conditional swap, followed by ECC ops, then another conditional swap. -

327 * -

328 * Optimization: The end of iteration i and start of i-1 looks like -

329 * -

330 * ... -

331 * CSWAP(k[i], R, S) -

332 * ECC -

333 * CSWAP(k[i], R, S) -

334 * (next iteration) -

335 * CSWAP(k[i-1], R, S) -

336 * ECC -

337 * CSWAP(k[i-1], R, S) -

338 * ... -

339 * -

340 * So instead of two contiguous swaps, you can merge the condition -

341 * bits and do a single swap. -

342 * -

343 * k[i] k[i-1] Outcome -

344 * 0 0 No Swap -

345 * 0 1 Swap -

346 * 1 0 Swap -

347 * 1 1 No Swap -

348 * -

349 * This is XOR. pbit tracks the previous bit of k. -

350 */ -

351 -

352

for (i = cardinality_bits - 1; i >= 0; i--) {

i >= 0	Description
TRUE	evaluated 1193659 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

4130-1193659

353 kbit = BN_is_bit_set(k, i) ^ pbit; -

354 EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); -

355 -

356 /* Perform a single step of the Montgomery ladder */ -

357

if (!ec_point_ladder_step(group, r, s, p, ctx)) {

!ec_point_ladd... r, s, p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1193659 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-1193659

358 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_LADDER_STEP_FAILURE); -

359

goto err;

never executed: goto err;

360 } -

361 /* -

362 * pbit logic merges this cswap with that of the -

363 * next iteration -

364 */ -

365 pbit ^= kbit; -

366

}

executed 1193659 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

1193659

367 /* one final cswap to move the right value into r */ -

368 EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); -

369 #undef EC_POINT_CSWAP -

370 -

371 /* Finalize ladder (and recover full point coordinates) */ -

372

if (!ec_point_ladder_post(group, r, s, p, ctx)) {

!ec_point_ladd... r, s, p, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 4130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-4130

373 ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_LADDER_POST_FAILURE); -

374

goto err;

never executed: goto err;

375 } -

376 -

377 ret = 1; -

378 -

379

err:

code before this statement executed 4130 times by 2 tests: err:

Executed by:

libcrypto.so.1.1
sm2_internal_test

4130

380 EC_POINT_free(p); -

381 EC_POINT_free(s); -

382 BN_CTX_end(ctx); -

383 -

384

return ret;

executed 4130 times by 2 tests: return ret;

Executed by:

libcrypto.so.1.1
sm2_internal_test

4130

385 } -

386 -

387 #undef EC_POINT_BN_set_flags -

388 -

389 /* -

390 * TODO: table should be optimised for the wNAF-based implementation, -

391 * sometimes smaller windows will give better performance (thus the -

392 * boundaries should be increased) -

393 */ -

394 #define EC_window_bits_for_scalar_size(b) \ -

395 ((size_t) \ -

396 ((b) >= 2000 ? 6 : \ -

397 (b) >= 800 ? 5 : \ -

398 (b) >= 300 ? 4 : \ -

399 (b) >= 70 ? 3 : \ -

400 (b) >= 20 ? 2 : \ -

401 1)) -

402 -

403 /*- -

404 * Compute -

405 * \sum scalars[i]*points[i], -

406 * also including -

407 * scalar*generator -

408 * in the addition if scalar != NULL -

409 */ -

410 int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, -

411 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], -

412 BN_CTX *ctx) -

413 { -

414 const EC_POINT *generator = NULL; -

415 EC_POINT *tmp = NULL; -

416 size_t totalnum; -

417 size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */ -

418 size_t pre_points_per_block = 0; -

419 size_t i, j; -

420 int k; -

421 int r_is_inverted = 0; -

422 int r_is_at_infinity = 1; -

423 size_t *wsize = NULL; /* individual window sizes */ -

424 signed char **wNAF = NULL; /* individual wNAFs */ -

425 size_t *wNAF_len = NULL; -

426 size_t max_len = 0; -

427 size_t num_val; -

428 EC_POINT **val = NULL; /* precomputation */ -

429 EC_POINT **v; -

430 EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or -

431 * 'pre_comp->points' */ -

432 const EC_PRE_COMP *pre_comp = NULL; -

433 int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be -

434 * treated like other scalars, i.e. -

435 * precomputation is not available */ -

436 int ret = 0; -

437 -

438

if (!BN_is_zero(group->order) && !BN_is_zero(group->cofactor)) {

!BN_is_zero(group->order)	Description
TRUE	evaluated 2741 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	never evaluated

!BN_is_zero(group->cofactor)	Description
TRUE	evaluated 2709 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 32 times by 1 test Evaluated by: libcrypto.so.1.1

0-2741

439 /*- -

440 * Handle the common cases where the scalar is secret, enforcing a -

441 * scalar multiplication implementation based on a Montgomery ladder, -

442 * with various timing attack defenses. -

443 */ -

444

if ((scalar != NULL) && (num == 0)) {

(scalar != ((void *)0) )	Description
TRUE	evaluated 1461 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 1248 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

(num == 0)	Description
TRUE	evaluated 1157 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 304 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

304-1461

445 /*- -

446 * In this case we want to compute scalar * GeneratorPoint: this -

447 * codepath is reached most prominently by (ephemeral) key -

448 * generation of EC cryptosystems (i.e. ECDSA keygen and sign setup, -

449 * ECDH keygen/first half), where the scalar is always secret. This -

450 * is why we ignore if BN_FLG_CONSTTIME is actually set and we -

451 * always call the ladder version. -

452 */ -

453

return ec_scalar_mul_ladder(group, r, scalar, NULL, ctx);

executed 1157 times by 2 tests: return ec_scalar_mul_ladder(group, r, scalar, ((void *)0) , ctx);

Executed by:

libcrypto.so.1.1
sm2_internal_test

1157

454 } -

455

if ((scalar == NULL) && (num == 1)) {

(scalar == ((void *)0) )	Description
TRUE	evaluated 1248 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 304 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

(num == 1)	Description
TRUE	evaluated 854 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 394 times by 1 test Evaluated by: libcrypto.so.1.1

304-1248

456 /*- -

457 * In this case we want to compute scalar * VariablePoint: this -

458 * codepath is reached most prominently by the second half of ECDH, -

459 * where the secret scalar is multiplied by the peer's public point. -

460 * To protect the secret scalar, we ignore if BN_FLG_CONSTTIME is -

461 * actually set and we always call the ladder version. -

462 */ -

463

return ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx);

executed 854 times by 2 tests: return ec_scalar_mul_ladder(group, r, scalars[0], points[0], ctx);

Executed by:

libcrypto.so.1.1
sm2_internal_test

854

464 } -

465

}

executed 698 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

698

466 -

467

if (scalar != NULL) {

scalar != ((void *)0)	Description
TRUE	evaluated 336 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 394 times by 1 test Evaluated by: libcrypto.so.1.1

336-394

468 generator = EC_GROUP_get0_generator(group); -

469

if (generator == NULL) {

generator == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 336 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-336

470 ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR); -

471

goto err;

never executed: goto err;

472 } -

473 -

474 /* look if we can use precomputed multiples of generator */ -

475 -

476 pre_comp = group->pre_comp.ec; -

477

if (pre_comp && pre_comp->numblocks

pre_comp	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 335 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

pre_comp->numblocks	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-335

478

&& (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) ==

(EC_POINT_cmp(...0], ctx) == 0)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

479

0)) {

(EC_POINT_cmp(...0], ctx) == 0)	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

480 blocksize = pre_comp->blocksize; -

481 -

482 /* -

483 * determine maximum number of blocks that wNAF splitting may -

484 * yield (NB: maximum wNAF length is bit length plus one) -

485 */ -

486 numblocks = (BN_num_bits(scalar) / blocksize) + 1; -

487 -

488 /* -

489 * we cannot use more blocks than we have precomputation for -

490 */ -

491

if (numblocks > pre_comp->numblocks)

numblocks > pr...omp->numblocks	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

492

numblocks = pre_comp->numblocks;

never executed: numblocks = pre_comp->numblocks;

493 -

494 pre_points_per_block = (size_t)1 << (pre_comp->w - 1); -

495 -

496 /* check that pre_comp looks sane */ -

497

if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block)) {

pre_comp->num ...nts_per_block)	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

498 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

499

goto err;

never executed: goto err;

500 } -

501

} else {

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

502 /* can't use precomputation */ -

503 pre_comp = NULL; -

504 numblocks = 1; -

505 num_scalar = 1; /* treat 'scalar' like 'num'-th element of -

506 * 'scalars' */ -

507

}

executed 335 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

335

508 } -

509 -

510 totalnum = num + numblocks; -

511 -

512 wsize = OPENSSL_malloc(totalnum * sizeof(wsize[0])); -

513 wNAF_len = OPENSSL_malloc(totalnum * sizeof(wNAF_len[0])); -

514 /* include space for pivot */ -

515 wNAF = OPENSSL_malloc((totalnum + 1) * sizeof(wNAF[0])); -

516 val_sub = OPENSSL_malloc(totalnum * sizeof(val_sub[0])); -

517 -

518 /* Ensure wNAF is initialised in case we end up going to err */ -

519

if (wNAF != NULL)

wNAF != ((void *)0)	Description
TRUE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	never evaluated

0-730

520

wNAF[0] = NULL; /* preliminary pivot */

executed 730 times by 2 tests: wNAF[0] = ((void *)0) ;

Executed by:

libcrypto.so.1.1
sm2_internal_test

730

521 -

522

if (wsize == NULL || wNAF_len == NULL || wNAF == NULL || val_sub == NULL) {

wsize == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

wNAF_len == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

wNAF == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

val_sub == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-730

523 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE); -

524

goto err;

never executed: goto err;

525 } -

526 -

527 /* -

528 * num_val will be the total number of temporarily precomputed points -

529 */ -

530 num_val = 0; -

531 -

532

for (i = 0; i < num + num_scalar; i++) {

i < num + num_scalar	Description
TRUE	evaluated 2208 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-2208

533 size_t bits; -

534 -

535

bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);

i < num	Description
TRUE	evaluated 1873 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 335 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

335-1873

536

wsize[i] = EC_window_bits_for_scalar_size(bits);

(bits) >= 2000	Description
TRUE	never evaluated
FALSE	evaluated 2208 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

(bits) >= 800	Description
TRUE	evaluated 78 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 2130 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

(bits) >= 300	Description
TRUE	evaluated 825 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1305 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

(bits) >= 70	Description
TRUE	evaluated 848 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 457 times by 1 test Evaluated by: libcrypto.so.1.1

(bits) >= 20	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 454 times by 1 test Evaluated by: libcrypto.so.1.1

0-2208

537 num_val += (size_t)1 << (wsize[i] - 1); -

538 wNAF[i + 1] = NULL; /* make sure we always have a pivot */ -

539 wNAF[i] = -

540 bn_compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], -

541 &wNAF_len[i]); -

542

if (wNAF[i] == NULL)

wNAF[i] == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 2208 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-2208

543

goto err;

never executed: goto err;

544

if (wNAF_len[i] > max_len)

wNAF_len[i] > max_len	Description
TRUE	evaluated 1096 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 1112 times by 1 test Evaluated by: libcrypto.so.1.1

1096-1112

545

max_len = wNAF_len[i];

executed 1096 times by 2 tests: max_len = wNAF_len[i];

Executed by:

libcrypto.so.1.1
sm2_internal_test

1096

546

}

executed 2208 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

2208

547 -

548

if (numblocks) {

numblocks	Description
TRUE	evaluated 336 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 394 times by 1 test Evaluated by: libcrypto.so.1.1

336-394

549 /* we go here iff scalar != NULL */ -

550 -

551

if (pre_comp == NULL) {

pre_comp == ((void *)0)	Description
TRUE	evaluated 335 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-335

552

if (num_scalar != 1) {

num_scalar != 1	Description
TRUE	never evaluated
FALSE	evaluated 335 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-335

553 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

554

goto err;

never executed: goto err;

555 } -

556 /* we have already generated a wNAF for 'scalar' */ -

557

} else {

executed 335 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

335

558 signed char *tmp_wNAF = NULL; -

559 size_t tmp_len = 0; -

560 -

561

if (num_scalar != 0) {

num_scalar != 0	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

562 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

563

goto err;

never executed: goto err;

564 } -

565 -

566 /* -

567 * use the window size for which we have precomputation -

568 */ -

569 wsize[num] = pre_comp->w; -

570 tmp_wNAF = bn_compute_wNAF(scalar, wsize[num], &tmp_len); -

571

if (!tmp_wNAF)

!tmp_wNAF	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

572

goto err;

never executed: goto err;

573 -

574

if (tmp_len <= max_len) {

tmp_len <= max_len	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

575 /* -

576 * One of the other wNAFs is at least as long as the wNAF -

577 * belonging to the generator, so wNAF splitting will not buy -

578 * us anything. -

579 */ -

580 -

581 numblocks = 1; -

582 totalnum = num + 1; /* don't use wNAF splitting */ -

583 wNAF[num] = tmp_wNAF; -

584 wNAF[num + 1] = NULL; -

585 wNAF_len[num] = tmp_len; -

586 /* -

587 * pre_comp->points starts with the points that we need here: -

588 */ -

589 val_sub[num] = pre_comp->points; -

590

} else {

never executed: end of block

591 /* -

592 * don't include tmp_wNAF directly into wNAF array - use wNAF -

593 * splitting and include the blocks -

594 */ -

595 -

596 signed char *pp; -

597 EC_POINT **tmp_points; -

598 -

599

if (tmp_len < numblocks * blocksize) {

tmp_len < numb...ks * blocksize	Description
TRUE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-1

600 /* -

601 * possibly we can do with fewer blocks than estimated -

602 */ -

603 numblocks = (tmp_len + blocksize - 1) / blocksize; -

604

if (numblocks > pre_comp->numblocks) {

numblocks > pr...omp->numblocks	Description
TRUE	never evaluated
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

0-1

605 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

606 OPENSSL_free(tmp_wNAF); -

607

goto err;

never executed: goto err;

608 } -

609 totalnum = num + numblocks; -

610

}

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

611 -

612 /* split wNAF in 'numblocks' parts */ -

613 pp = tmp_wNAF; -

614 tmp_points = pre_comp->points; -

615 -

616

for (i = num; i < totalnum; i++) {

i < totalnum	Description
TRUE	evaluated 66 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-66

617

if (i < totalnum - 1) {

i < totalnum - 1	Description
TRUE	evaluated 65 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-65

618 wNAF_len[i] = blocksize; -

619

if (tmp_len < blocksize) {

tmp_len < blocksize	Description
TRUE	never evaluated
FALSE	evaluated 65 times by 1 test Evaluated by: libcrypto.so.1.1

0-65

620 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

621 OPENSSL_free(tmp_wNAF); -

622

goto err;

never executed: goto err;

623 } -

624 tmp_len -= blocksize; -

625

} else

executed 65 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

626 /* -

627 * last block gets whatever is left (this could be -

628 * more or less than 'blocksize'!) -

629 */ -

630

wNAF_len[i] = tmp_len;

executed 1 time by 1 test: wNAF_len[i] = tmp_len;

Executed by:

libcrypto.so.1.1

631 -

632 wNAF[i + 1] = NULL; -

633 wNAF[i] = OPENSSL_malloc(wNAF_len[i]); -

634

if (wNAF[i] == NULL) {

wNAF[i] == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 66 times by 1 test Evaluated by: libcrypto.so.1.1

0-66

635 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE); -

636 OPENSSL_free(tmp_wNAF); -

637

goto err;

never executed: goto err;

638 } -

639 memcpy(wNAF[i], pp, wNAF_len[i]); -

640

if (wNAF_len[i] > max_len)

wNAF_len[i] > max_len	Description
TRUE	never evaluated
FALSE	evaluated 66 times by 1 test Evaluated by: libcrypto.so.1.1

0-66

641

max_len = wNAF_len[i];

never executed: max_len = wNAF_len[i];

642 -

643

if (*tmp_points == NULL) {

tmp_points == ((void )0)	Description
TRUE	never evaluated
FALSE	evaluated 66 times by 1 test Evaluated by: libcrypto.so.1.1

0-66

644 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

645 OPENSSL_free(tmp_wNAF); -

646

goto err;

never executed: goto err;

647 } -

648 val_sub[i] = tmp_points; -

649 tmp_points += pre_points_per_block; -

650 pp += blocksize; -

651

}

executed 66 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

652 OPENSSL_free(tmp_wNAF); -

653

}

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

654 } -

655 } -

656 -

657 /* -

658 * All points we precompute now go into a single array 'val'. -

659 * 'val_sub[i]' is a pointer to the subarray for the i-th point, or to a -

660 * subarray of 'pre_comp->points' if we already have precomputation. -

661 */ -

662 val = OPENSSL_malloc((num_val + 1) * sizeof(val[0])); -

663

if (val == NULL) {

val == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-730

664 ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE); -

665

goto err;

never executed: goto err;

666 } -

667 val[num_val] = NULL; /* pivot element */ -

668 -

669 /* allocate points for precomputation */ -

670 v = val; -

671

for (i = 0; i < num + num_scalar; i++) {

i < num + num_scalar	Description
TRUE	evaluated 2208 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-2208

672 val_sub[i] = v; -

673

for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) {

j < ((size_t)1...wsize[i] - 1))	Description
TRUE	evaluated 11700 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 2208 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

2208-11700

674 *v = EC_POINT_new(group); -

675

if (*v == NULL)

v == ((void )0)	Description
TRUE	never evaluated
FALSE	evaluated 11700 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-11700

676

goto err;

never executed: goto err;

677 v++; -

678

}

executed 11700 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

11700

679

}

executed 2208 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

2208

680

if (!(v == val + num_val)) {

!(v == val + num_val)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-730

681 ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); -

682

goto err;

never executed: goto err;

683 } -

684 -

685

if ((tmp = EC_POINT_new(group)) == NULL)

(tmp = EC_POIN...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-730

686

goto err;

never executed: goto err;

687 -

688 /*- -

689 * prepare precomputed values: -

690 * val_sub[i][0] := points[i] -

691 * val_sub[i][1] := 3 * points[i] -

692 * val_sub[i][2] := 5 * points[i] -

693 * ... -

694 */ -

695

for (i = 0; i < num + num_scalar; i++) {

i < num + num_scalar	Description
TRUE	evaluated 2208 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-2208

696

if (i < num) {

i < num	Description
TRUE	evaluated 1873 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 335 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

335-1873

697

if (!EC_POINT_copy(val_sub[i][0], points[i]))

!EC_POINT_copy...0], points[i])	Description
TRUE	never evaluated
FALSE	evaluated 1873 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-1873

698

goto err;

never executed: goto err;

699

} else {

executed 1873 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

1873

700

if (!EC_POINT_copy(val_sub[i][0], generator))

!EC_POINT_copy...0], generator)	Description
TRUE	never evaluated
FALSE	evaluated 335 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-335

701

goto err;

never executed: goto err;

702

}

executed 335 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

335

703 -

704

if (wsize[i] > 1) {

wsize[i] > 1	Description
TRUE	evaluated 1754 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 454 times by 1 test Evaluated by: libcrypto.so.1.1

454-1754

705

if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx))

!EC_POINT_dbl(...ub[i][0], ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1754 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-1754

706

goto err;

never executed: goto err;

707

for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) {

j < ((size_t)1...wsize[i] - 1))	Description
TRUE	evaluated 9492 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 1754 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

1754-9492

708

if (!EC_POINT_add

!EC_POINT_add ... 1], tmp, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 9492 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-9492

709

(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx))

!EC_POINT_add ... 1], tmp, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 9492 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-9492

710

goto err;

never executed: goto err;

711

}

executed 9492 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

9492

712

}

executed 1754 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

1754

713

}

executed 2208 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

2208

714 -

715

if (!EC_POINTs_make_affine(group, num_val, val, ctx))

!EC_POINTs_mak...val, val, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-730

716

goto err;

never executed: goto err;

717 -

718 r_is_at_infinity = 1; -

719 -

720

for (k = max_len - 1; k >= 0; k--) {

k >= 0	Description
TRUE	evaluated 190855 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-190855

721

if (!r_is_at_infinity) {

!r_is_at_infinity	Description
TRUE	evaluated 190125 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-190125

722

if (!EC_POINT_dbl(group, r, r, ctx))

!EC_POINT_dbl(...up, r, r, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 190125 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-190125

723

goto err;

never executed: goto err;

724

}

executed 190125 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

190125

725 -

726

for (i = 0; i < totalnum; i++) {

i < totalnum	Description
TRUE	evaluated 799546 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 190855 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

190855-799546

727

if (wNAF_len[i] > (size_t)k) {

wNAF_len[i] > (size_t)k	Description
TRUE	evaluated 610225 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 189321 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

189321-610225

728 int digit = wNAF[i][k]; -

729 int is_neg; -

730 -

731

if (digit) {

digit	Description
TRUE	evaluated 89410 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 520815 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

89410-520815

732 is_neg = digit < 0; -

733 -

734

if (is_neg)

is_neg	Description
TRUE	evaluated 43884 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 45526 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

43884-45526

735

digit = -digit;

executed 43884 times by 2 tests: digit = -digit;

Executed by:

libcrypto.so.1.1
sm2_internal_test

43884

736 -

737

if (is_neg != r_is_inverted) {

is_neg != r_is_inverted	Description
TRUE	evaluated 26339 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 63071 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

26339-63071

738

if (!r_is_at_infinity) {

!r_is_at_infinity	Description
TRUE	evaluated 26337 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1

2-26337

739

if (!EC_POINT_invert(group, r, ctx))

!EC_POINT_inve...group, r, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 26337 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-26337

740

goto err;

never executed: goto err;

741

}

executed 26337 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

26337

742 r_is_inverted = !r_is_inverted; -

743

}

executed 26339 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

26339

744 -

745 /* digit > 0 */ -

746 -

747

if (r_is_at_infinity) {

r_is_at_infinity	Description
TRUE	evaluated 727 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 88683 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

727-88683

748

if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))

!EC_POINT_copy...][digit >> 1])	Description
TRUE	never evaluated
FALSE	evaluated 727 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-727

749

goto err;

never executed: goto err;

750 r_is_at_infinity = 0; -

751

} else {

executed 727 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

727

752

if (!EC_POINT_add

!EC_POINT_add ...it >> 1], ctx)	Description
TRUE	never evaluated
FALSE	evaluated 88683 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-88683

753

(group, r, r, val_sub[i][digit >> 1], ctx))

!EC_POINT_add ...it >> 1], ctx)	Description
TRUE	never evaluated
FALSE	evaluated 88683 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

0-88683

754

goto err;

never executed: goto err;

755

}

executed 88683 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

88683

756 } -

757

}

executed 610225 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

610225

758

}

executed 799546 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

799546

759

}

executed 190855 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

190855

760 -

761

if (r_is_at_infinity) {

r_is_at_infinity	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 727 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

3-727

762

if (!EC_POINT_set_to_infinity(group, r))

!EC_POINT_set_...nity(group, r)	Description
TRUE	never evaluated
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

0-3

763

goto err;

never executed: goto err;

764

} else {

executed 3 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

765

if (r_is_inverted)

r_is_inverted	Description
TRUE	evaluated 263 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 464 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

263-464

766

if (!EC_POINT_invert(group, r, ctx))

!EC_POINT_inve...group, r, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 263 times by 1 test Evaluated by: libcrypto.so.1.1

0-263

767

goto err;

never executed: goto err;

768

}

executed 727 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

727

769 -

770 ret = 1; -

771 -

772

err:

code before this statement executed 730 times by 2 tests: err:

Executed by:

libcrypto.so.1.1
sm2_internal_test

730

773 EC_POINT_free(tmp); -

774 OPENSSL_free(wsize); -

775 OPENSSL_free(wNAF_len); -

776

if (wNAF != NULL) {

wNAF != ((void *)0)	Description
TRUE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	never evaluated

0-730

777 signed char **w; -

778 -

779

for (w = wNAF; *w != NULL; w++)

w != ((void )0)	Description
TRUE	evaluated 2274 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-2274

780

OPENSSL_free(*w);

executed 2274 times by 2 tests: CRYPTO_free(*w, __FILE__, 780);

Executed by:

libcrypto.so.1.1
sm2_internal_test

2274

781 -

782 OPENSSL_free(wNAF); -

783

}

executed 730 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

730

784

if (val != NULL) {

val != ((void *)0)	Description
TRUE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	never evaluated

0-730

785

for (v = val; *v != NULL; v++)

v != ((void )0)	Description
TRUE	evaluated 11700 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test
FALSE	evaluated 730 times by 2 tests Evaluated by: libcrypto.so.1.1 sm2_internal_test

730-11700

786

EC_POINT_clear_free(*v);

executed 11700 times by 2 tests: EC_POINT_clear_free(*v);

Executed by:

libcrypto.so.1.1
sm2_internal_test

11700

787 -

788 OPENSSL_free(val); -

789

}

executed 730 times by 2 tests: end of block

Executed by:

libcrypto.so.1.1
sm2_internal_test

730

790 OPENSSL_free(val_sub); -

791

return ret;

executed 730 times by 2 tests: return ret;

Executed by:

libcrypto.so.1.1
sm2_internal_test

730

792 } -

793 -

794 /*- -

795 * ec_wNAF_precompute_mult() -

796 * creates an EC_PRE_COMP object with preprecomputed multiples of the generator -

797 * for use with wNAF splitting as implemented in ec_wNAF_mul(). -

798 * -

799 * 'pre_comp->points' is an array of multiples of the generator -

800 * of the following form: -

801 * points[0] = generator; -

802 * points[1] = 3 * generator; -

803 * ... -

804 * points[2^(w-1)-1] = (2^(w-1)-1) * generator; -

805 * points[2^(w-1)] = 2^blocksize * generator; -

806 * points[2^(w-1)+1] = 3 * 2^blocksize * generator; -

807 * ... -

808 * points[2^(w-1)*(numblocks-1)-1] = (2^(w-1)) * 2^(blocksize*(numblocks-2)) * generator -

809 * points[2^(w-1)*(numblocks-1)] = 2^(blocksize*(numblocks-1)) * generator -

810 * ... -

811 * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator -

812 * points[2^(w-1)*numblocks] = NULL -

813 */ -

814 int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) -

815 { -

816 const EC_POINT *generator; -

817 EC_POINT *tmp_point = NULL, *base = NULL, **var; -

818 BN_CTX *new_ctx = NULL; -

819 const BIGNUM *order; -

820 size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num; -

821 EC_POINT **points = NULL; -

822 EC_PRE_COMP *pre_comp; -

823 int ret = 0; -

824 -

825 /* if there is an old EC_PRE_COMP object, throw it away */ -

826 EC_pre_comp_free(group); -

827

if ((pre_comp = ec_pre_comp_new(group)) == NULL)

(pre_comp = ec...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

828

return 0;

never executed: return 0;

829 -

830 generator = EC_GROUP_get0_generator(group); -

831

if (generator == NULL) {

generator == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

832 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR); -

833

goto err;

never executed: goto err;

834 } -

835 -

836

if (ctx == NULL) {

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

837 ctx = new_ctx = BN_CTX_new(); -

838

if (ctx == NULL)

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

839

goto err;

never executed: goto err;

840

}

never executed: end of block

841 -

842 BN_CTX_start(ctx); -

843 -

844 order = EC_GROUP_get0_order(group); -

845

if (order == NULL)

order == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

846

goto err;

never executed: goto err;

847

if (BN_is_zero(order)) {

BN_is_zero(order)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

848 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER); -

849

goto err;

never executed: goto err;

850 } -

851 -

852 bits = BN_num_bits(order); -

853 /* -

854 * The following parameters mean we precompute (approximately) one point -

855 * per bit. TBD: The combination 8, 4 is perfect for 160 bits; for other -

856 * bit lengths, other parameter combinations might provide better -

857 * efficiency. -

858 */ -

859 blocksize = 8; -

860 w = 4; -

861

if (EC_window_bits_for_scalar_size(bits) > w) {

((size_t) ((bi... ? 2 : 1)) > w	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

(bits) >= 2000	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

(bits) >= 800	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

(bits) >= 300	Description
TRUE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 35 times by 1 test Evaluated by: libcrypto.so.1.1

(bits) >= 70	Description
TRUE	evaluated 35 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

(bits) >= 20	Description
TRUE	never evaluated
FALSE	never evaluated

0-45

862 /* let's not make the window too small ... */ -

863

w = EC_window_bits_for_scalar_size(bits);

(bits) >= 2000	Description
TRUE	never evaluated
FALSE	never evaluated

(bits) >= 800	Description
TRUE	never evaluated
FALSE	never evaluated

(bits) >= 300	Description
TRUE	never evaluated
FALSE	never evaluated

(bits) >= 70	Description
TRUE	never evaluated
FALSE	never evaluated

(bits) >= 20	Description
TRUE	never evaluated
FALSE	never evaluated

864

}

never executed: end of block

865 -

866 numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks -

867 * to use for wNAF -

868 * splitting */ -

869 -

870 pre_points_per_block = (size_t)1 << (w - 1); -

871 num = pre_points_per_block * numblocks; /* number of points to compute -

872 * and store */ -

873 -

874 points = OPENSSL_malloc(sizeof(*points) * (num + 1)); -

875

if (points == NULL) {

points == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

876 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); -

877

goto err;

never executed: goto err;

878 } -

879 -

880 var = points; -

881 var[num] = NULL; /* pivot */ -

882

for (i = 0; i < num; i++) {

i < num	Description
TRUE	evaluated 10992 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

45-10992

883

if ((var[i] = EC_POINT_new(group)) == NULL) {

(var[i] = EC_P...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 10992 times by 1 test Evaluated by: libcrypto.so.1.1

0-10992

884 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); -

885

goto err;

never executed: goto err;

886 } -

887

}

executed 10992 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

10992

888 -

889

if ((tmp_point = EC_POINT_new(group)) == NULL

(tmp_point = E...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

890

|| (base = EC_POINT_new(group)) == NULL) {

(base = EC_POI...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

891 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); -

892

goto err;

never executed: goto err;

893 } -

894 -

895

if (!EC_POINT_copy(base, generator))

!EC_POINT_copy...se, generator)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

896

goto err;

never executed: goto err;

897 -

898 /* do the precomputation */ -

899

for (i = 0; i < numblocks; i++) {

i < numblocks	Description
TRUE	evaluated 1374 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

45-1374

900 size_t j; -

901 -

902

if (!EC_POINT_dbl(group, tmp_point, base, ctx))

!EC_POINT_dbl(...nt, base, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1374 times by 1 test Evaluated by: libcrypto.so.1.1

0-1374

903

goto err;

never executed: goto err;

904 -

905

if (!EC_POINT_copy(*var++, base))

!EC_POINT_copy(*var++, base)	Description
TRUE	never evaluated
FALSE	evaluated 1374 times by 1 test Evaluated by: libcrypto.so.1.1

0-1374

906

goto err;

never executed: goto err;

907 -

908

for (j = 1; j < pre_points_per_block; j++, var++) {

j < pre_points_per_block	Description
TRUE	evaluated 9618 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1374 times by 1 test Evaluated by: libcrypto.so.1.1

1374-9618

909 /* -

910 * calculate odd multiples of the current base point -

911 */ -

912

if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))

!EC_POINT_add(...var - 1), ctx)	Description
TRUE	never evaluated
FALSE	evaluated 9618 times by 1 test Evaluated by: libcrypto.so.1.1

0-9618

913

goto err;

never executed: goto err;

914

}

executed 9618 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

9618

915 -

916

if (i < numblocks - 1) {

i < numblocks - 1	Description
TRUE	evaluated 1329 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

45-1329

917 /* -

918 * get the next base (multiply current one by 2^blocksize) -

919 */ -

920 size_t k; -

921 -

922

if (blocksize <= 2) {

blocksize <= 2	Description
TRUE	never evaluated
FALSE	evaluated 1329 times by 1 test Evaluated by: libcrypto.so.1.1

0-1329

923 ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR); -

924

goto err;

never executed: goto err;

925 } -

926 -

927

if (!EC_POINT_dbl(group, base, tmp_point, ctx))

!EC_POINT_dbl(...mp_point, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 1329 times by 1 test Evaluated by: libcrypto.so.1.1

0-1329

928

goto err;

never executed: goto err;

929

for (k = 2; k < blocksize; k++) {

k < blocksize	Description
TRUE	evaluated 7974 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1329 times by 1 test Evaluated by: libcrypto.so.1.1

1329-7974

930

if (!EC_POINT_dbl(group, base, base, ctx))

!EC_POINT_dbl(...se, base, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 7974 times by 1 test Evaluated by: libcrypto.so.1.1

0-7974

931

goto err;

never executed: goto err;

932

}

executed 7974 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

7974

933

}

executed 1329 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1329

934

}

executed 1374 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

1374

935 -

936

if (!EC_POINTs_make_affine(group, num, points, ctx))

!EC_POINTs_mak..., points, ctx)	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

937

goto err;

never executed: goto err;

938 -

939 pre_comp->group = group; -

940 pre_comp->blocksize = blocksize; -

941 pre_comp->numblocks = numblocks; -

942 pre_comp->w = w; -

943 pre_comp->points = points; -

944 points = NULL; -

945 pre_comp->num = num; -

946 SETPRECOMP(group, ec, pre_comp); -

947 pre_comp = NULL; -

948 ret = 1; -

949 -

950

err:

code before this statement executed 45 times by 1 test: err:

Executed by:

libcrypto.so.1.1

951

if (ctx != NULL)

ctx != ((void *)0)	Description
TRUE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-45

952

BN_CTX_end(ctx);

executed 45 times by 1 test: BN_CTX_end(ctx);

Executed by:

libcrypto.so.1.1

953 BN_CTX_free(new_ctx); -

954 EC_ec_pre_comp_free(pre_comp); -

955

if (points) {

points	Description
TRUE	never evaluated
FALSE	evaluated 45 times by 1 test Evaluated by: libcrypto.so.1.1

0-45

956 EC_POINT **p; -

957 -

958

for (p = points; *p != NULL; p++)

p != ((void )0)	Description
TRUE	never evaluated
FALSE	never evaluated

959

EC_POINT_free(*p);

never executed: EC_POINT_free(*p);

960 OPENSSL_free(points); -

961

}

never executed: end of block

962 EC_POINT_free(tmp_point); -

963 EC_POINT_free(base); -

964

return ret;

executed 45 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

965 } -

966 -

967 int ec_wNAF_have_precompute_mult(const EC_GROUP *group) -

968 { -

969

return HAVEPRECOMP(group, ec);

never executed: return group->pre_comp_type == PCT_ec && group->pre_comp.ec != ((void *)0) ;

group->pre_comp_type == PCT_ec	Description
TRUE	never evaluated
FALSE	never evaluated

group->pre_com...!= ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

970 } -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2