OpenCoverage

scalar.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/ec/curve448/scalar.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

4 * -

5 * Licensed under the OpenSSL license (the "License"). You may not use -

6 * this file except in compliance with the License. You can obtain a copy -

7 * in the file LICENSE in the source distribution or at -

8 * https://www.openssl.org/source/license.html -

9 * -

10 * Originally written by Mike Hamburg -

11 */ -

12 #include <openssl/crypto.h> -

13 -

14 #include "word.h" -

15 #include "point_448.h" -

16 -

17 static const c448_word_t MONTGOMERY_FACTOR = (c448_word_t) 0x3bd440fae918bc5; -

18 static const curve448_scalar_t sc_p = { -

19 { -

20 { -

21 SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), -

22 SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), -

23 SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), -

24 SC_LIMB(0x3fffffffffffffff) -

25 } -

26 } -

27 }, sc_r2 = { -

28 { -

29 { -

30 -

31 SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), -

32 SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), -

33 SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), -

34 SC_LIMB(0x3402a939f823b729) -

35 } -

36 } -

37 }; -

38 -

39 #define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ -

40 -

41 const curve448_scalar_t curve448_scalar_one = {{{1}}}; -

42 const curve448_scalar_t curve448_scalar_zero = {{{0}}}; -

43 -

44 /* -

45 * {extra,accum} - sub +? p -

46 * Must have extra <= 1 -

47 */ -

48 static void sc_subx(curve448_scalar_t out, -

49 const c448_word_t accum[C448_SCALAR_LIMBS], -

50 const curve448_scalar_t sub, -

51 const curve448_scalar_t p, c448_word_t extra) -

52 { -

53 c448_dsword_t chain = 0; -

54 unsigned int i; -

55 c448_word_t borrow; -

56 -

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 7588 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 1084 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

1084-7588

58 chain = (chain + accum[i]) - sub->limb[i]; -

59 out->limb[i] = (c448_word_t)chain; -

60 chain >>= WBITS; -

}

executed 7588 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

7588

62 borrow = (c448_word_t)chain + extra; /* = 0 or -1 */ -

63 -

64 chain = 0; -

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 7588 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 1084 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

1084-7588

66 chain = (chain + out->limb[i]) + (p->limb[i] & borrow); -

67 out->limb[i] = (c448_word_t)chain; -

68 chain >>= WBITS; -

}

executed 7588 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

7588

}

executed 1084 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

1084

71 -

72 static void sc_montmul(curve448_scalar_t out, const curve448_scalar_t a, -

73 const curve448_scalar_t b) -

74 { -

75 unsigned int i, j; -

76 c448_word_t accum[C448_SCALAR_LIMBS + 1] = { 0 }; -

77 c448_word_t hi_carry = 0; -

78 -

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 5166 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 738 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

738-5166

80 c448_word_t mand = a->limb[i]; -

81 const c448_word_t *mier = b->limb; -

82 -

83 c448_dword_t chain = 0; -

for (j = 0; j < C448_SCALAR_LIMBS; j++) {

j < ((446-1)/64 +1)	Description
TRUE	evaluated 36162 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 5166 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

5166-36162

85 chain += ((c448_dword_t) mand) * mier[j] + accum[j]; -

86 accum[j] = (c448_word_t)chain; -

87 chain >>= WBITS; -

}

executed 36162 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

36162

89 accum[j] = (c448_word_t)chain; -

90 -

91 mand = accum[0] * MONTGOMERY_FACTOR; -

92 chain = 0; -

93 mier = sc_p->limb; -

for (j = 0; j < C448_SCALAR_LIMBS; j++) {

j < ((446-1)/64 +1)	Description
TRUE	evaluated 36162 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 5166 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

5166-36162

95 chain += (c448_dword_t) mand *mier[j] + accum[j]; -

if (j)

j	Description
TRUE	evaluated 30996 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 5166 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

5166-30996

accum[j - 1] = (c448_word_t)chain;

executed 30996 times by 2 tests: accum[j - 1] = (c448_word_t)chain;

Executed by:

curve448_internal_test
libcrypto.so.1.1

30996

98 chain >>= WBITS; -

}

executed 36162 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

36162

100 chain += accum[j]; -

101 chain += hi_carry; -

102 accum[j - 1] = (c448_word_t)chain; -

103 hi_carry = chain >> WBITS; -

104

}

executed 5166 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

5166

105 -

106 sc_subx(out, accum, sc_p, sc_p, hi_carry); -

107

}

executed 738 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

738

108 -

109 void curve448_scalar_mul(curve448_scalar_t out, const curve448_scalar_t a, -

110 const curve448_scalar_t b) -

111 { -

112 sc_montmul(out, a, b); -

113 sc_montmul(out, out, sc_r2); -

114

}

executed 274 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

274

115 -

116 void curve448_scalar_sub(curve448_scalar_t out, const curve448_scalar_t a, -

117 const curve448_scalar_t b) -

118 { -

119 sc_subx(out, a->limb, b, sc_p, 0); -

120

}

executed 9 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

121 -

122 void curve448_scalar_add(curve448_scalar_t out, const curve448_scalar_t a, -

123 const curve448_scalar_t b) -

124 { -

125 c448_dword_t chain = 0; -

126 unsigned int i; -

127 -

128

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 2359 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 337 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

337-2359

129 chain = (chain + a->limb[i]) + b->limb[i]; -

130 out->limb[i] = (c448_word_t)chain; -

131 chain >>= WBITS; -

132

}

executed 2359 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

2359

133 sc_subx(out, out->limb, sc_p, sc_p, (c448_word_t)chain); -

134

}

executed 337 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

337

135 -

136 static ossl_inline void scalar_decode_short(curve448_scalar_t s, -

137 const unsigned char *ser, -

138 size_t nbytes) -

139 { -

140 size_t i, j, k = 0; -

141 -

142

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 2660 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 380 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

380-2660

143 c448_word_t out = 0; -

144 -

145

for (j = 0; j < sizeof(c448_word_t) && k < nbytes; j++, k++)

j < sizeof(c448_word_t)	Description
TRUE	evaluated 15051 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 1743 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

k < nbytes	Description
TRUE	evaluated 14134 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 917 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

917-15051

146

out |= ((c448_word_t) ser[k]) << (8 * j);

executed 14134 times by 2 tests: out |= ((c448_word_t) ser[k]) << (8 * j);

Executed by:

curve448_internal_test
libcrypto.so.1.1

14134

147 s->limb[i] = out; -

148

}

executed 2660 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

2660

149

}

executed 380 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

380

150 -

151 c448_error_t curve448_scalar_decode( -

152 curve448_scalar_t s, -

153 const unsigned char ser[C448_SCALAR_BYTES]) -

154 { -

155 unsigned int i; -

156 c448_dsword_t accum = 0; -

157 -

158 scalar_decode_short(s, ser, C448_SCALAR_BYTES); -

159

for (i = 0; i < C448_SCALAR_LIMBS; i++)

i < ((446-1)/64 +1)	Description
TRUE	evaluated 1330 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 190 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

190-1330

160

accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;

executed 1330 times by 2 tests: accum = (accum + s->limb[i] - sc_p->limb[i]) >> 64;

Executed by:

curve448_internal_test
libcrypto.so.1.1

1330

161 /* Here accum == 0 or -1 */ -

162 -

163 curve448_scalar_mul(s, s, curve448_scalar_one); /* ham-handed reduce */ -

164 -

165

return c448_succeed_if(~word_is_zero((uint32_t)accum));

executed 190 times by 2 tests: return c448_succeed_if(~constant_time_is_zero_32((uint32_t)accum));

Executed by:

curve448_internal_test
libcrypto.so.1.1

190

166 } -

167 -

168 void curve448_scalar_destroy(curve448_scalar_t scalar) -

169 { -

170 OPENSSL_cleanse(scalar, sizeof(curve448_scalar_t)); -

171

}

executed 459 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

459

172 -

173 void curve448_scalar_decode_long(curve448_scalar_t s, -

174 const unsigned char *ser, size_t ser_len) -

175 { -

176 size_t i; -

177 curve448_scalar_t t1, t2; -

178 -

179

if (ser_len == 0) {

ser_len == 0	Description
TRUE	never evaluated
FALSE	evaluated 190 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

0-190

180 curve448_scalar_copy(s, curve448_scalar_zero); -

181

return;

never executed: return;

182 } -

183 -

184 i = ser_len - (ser_len % C448_SCALAR_BYTES); -

185

if (i == ser_len)

i == ser_len	Description
TRUE	evaluated 59 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 131 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

59-131

186

i -= C448_SCALAR_BYTES;

executed 59 times by 1 test: i -= 56;

Executed by:

libcrypto.so.1.1

187 -

188 scalar_decode_short(t1, &ser[i], ser_len - i); -

189 -

190

if (ser_len == sizeof(curve448_scalar_t)) {

ser_len == siz...e448_scalar_t)	Description
TRUE	evaluated 59 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 131 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

59-131

191 assert(i == 0); -

192 /* ham-handed reduce */ -

193 curve448_scalar_mul(s, t1, curve448_scalar_one); -

194 curve448_scalar_destroy(t1); -

195

return;

executed 59 times by 1 test: return;

Executed by:

libcrypto.so.1.1

196 } -

197 -

198

while (i) {

i	Description
TRUE	evaluated 190 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 131 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

131-190

199 i -= C448_SCALAR_BYTES; -

200 sc_montmul(t1, t1, sc_r2); -

201 (void)curve448_scalar_decode(t2, ser + i); -

202 curve448_scalar_add(t1, t1, t2); -

203

}

executed 190 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

190

204 -

205 curve448_scalar_copy(s, t1); -

206 curve448_scalar_destroy(t1); -

207 curve448_scalar_destroy(t2); -

208

}

executed 131 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

131

209 -

210 void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES], -

211 const curve448_scalar_t s) -

212 { -

213 unsigned int i, j, k = 0; -

214 -

215

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 175 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 25 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

25-175

216

for (j = 0; j < sizeof(c448_word_t); j++, k++)

j < sizeof(c448_word_t)	Description
TRUE	evaluated 1400 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 175 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

175-1400

217

ser[k] = s->limb[i] >> (8 * j);

executed 1400 times by 2 tests: ser[k] = s->limb[i] >> (8 * j);

Executed by:

curve448_internal_test
libcrypto.so.1.1

1400

218

}

executed 175 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

175

219

}

executed 25 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

220 -

221 void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a) -

222 { -

223 c448_word_t mask = 0 - (a->limb[0] & 1); -

224 c448_dword_t chain = 0; -

225 unsigned int i; -

226 -

227

for (i = 0; i < C448_SCALAR_LIMBS; i++) {

i < ((446-1)/64 +1)	Description
TRUE	evaluated 2149 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 307 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

307-2149

228 chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask); -

229 out->limb[i] = (c448_word_t)chain; -

230 chain >>= C448_WORD_BITS; -

231

}

executed 2149 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

2149

232

for (i = 0; i < C448_SCALAR_LIMBS - 1; i++)

i < ((446-1)/64 +1) - 1	Description
TRUE	evaluated 1842 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1
FALSE	evaluated 307 times by 2 tests Evaluated by: curve448_internal_test libcrypto.so.1.1

307-1842

233

out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (WBITS - 1);

executed 1842 times by 2 tests: out->limb[i] = out->limb[i] >> 1 | out->limb[i + 1] << (64 - 1);

Executed by:

curve448_internal_test
libcrypto.so.1.1

1842

234 out->limb[i] = out->limb[i] >> 1 | (c448_word_t)(chain << (WBITS - 1)); -

235

}

executed 307 times by 2 tests: end of block

Executed by:

curve448_internal_test
libcrypto.so.1.1

307

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2