diff --git a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/api.h b/src/libsodium/crypto_scalarmult/curve25519/donna_c64/api.h deleted file mode 100644 index 60339596..00000000 --- a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/api.h +++ /dev/null @@ -1,2 +0,0 @@ -#define CRYPTO_BYTES 32 -#define CRYPTO_SCALARBYTES 32 diff --git a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/base.c b/src/libsodium/crypto_scalarmult/curve25519/donna_c64/base.c deleted file mode 100644 index f33419e8..00000000 --- a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/base.c +++ /dev/null @@ -1,8 +0,0 @@ -#include "crypto_scalarmult.h" - -static const unsigned char basepoint[32] = {9}; - -int crypto_scalarmult_base(unsigned char *q,const unsigned char *n) -{ - return crypto_scalarmult(q, n, basepoint); -} diff --git a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/implementors b/src/libsodium/crypto_scalarmult/curve25519/donna_c64/implementors deleted file mode 100644 index 0ce43280..00000000 --- a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/implementors +++ /dev/null @@ -1 +0,0 @@ -Adam Langley (Google) diff --git a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult.c b/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult.c deleted file mode 100644 index 72fe5d15..00000000 --- a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult.c +++ /dev/null @@ -1,477 +0,0 @@ -/* Copyright 2008, Google Inc. - * All rights reserved. - * - * Code released into the public domain. - * - * curve25519-donna: Curve25519 elliptic curve, public key function - * - * http://code.google.com/p/curve25519-donna/ - * - * Adam Langley - * - * Derived from public domain C code by Daniel J. Bernstein - * - * More information about curve25519 can be found here - * http://cr.yp.to/ecdh.html - * - * djb's sample implementation of curve25519 is written in a special assembly - * language called qhasm and uses the floating point registers. - * - * This is, almost, a clean room reimplementation from the curve25519 paper. It - * uses many of the tricks described therein. Only the crecip function is taken - * from the sample implementation. - */ - -#include -#include -#include "crypto_scalarmult.h" - -typedef uint8_t u8; -typedef uint64_t felem; -// This is a special gcc mode for 128-bit integers. It's implemented on 64-bit -// platforms only as far as I know. -typedef unsigned uint128_t __attribute__((mode(TI))); - -/* Sum two numbers: output += in */ -static void fsum(felem *output, const felem *in) { - unsigned i; - for (i = 0; i < 5; ++i) output[i] += in[i]; -} - -/* Find the difference of two numbers: output = in - output - * (note the order of the arguments!) - */ -static void fdifference_backwards(felem *ioutput, const felem *iin) { - static const int64_t twotothe51 = ((int64_t) 1) << 51; - const int64_t *in = (const int64_t *) iin; - int64_t *out = (int64_t *) ioutput; - - out[0] = in[0] - out[0]; - out[1] = in[1] - out[1]; - out[2] = in[2] - out[2]; - out[3] = in[3] - out[3]; - out[4] = in[4] - out[4]; - - // An arithmetic shift right of 63 places turns a positive number to 0 and a - // negative number to all 1's. This gives us a bitmask that lets us avoid - // side-channel prone branches. - int64_t t; - -#define NEGCHAIN(a,b) \ - t = out[a] >> 63; \ - out[a] += twotothe51 & t; \ - out[b] -= 1 & t; - -#define NEGCHAIN19(a,b) \ - t = out[a] >> 63; \ - out[a] += twotothe51 & t; \ - out[b] -= 19 & t; - - NEGCHAIN(0, 1); - NEGCHAIN(1, 2); - NEGCHAIN(2, 3); - NEGCHAIN(3, 4); - NEGCHAIN19(4, 0); - NEGCHAIN(0, 1); - NEGCHAIN(1, 2); - NEGCHAIN(2, 3); - NEGCHAIN(3, 4); -} - -/* Multiply a number by a scalar: output = in * scalar */ -static void fscalar_product(felem *output, const felem *in, const felem scalar) { - uint128_t a; - - a = ((uint128_t) in[0]) * scalar; - output[0] = a & 0x7ffffffffffff; - - a = ((uint128_t) in[1]) * scalar + (a >> 51); - output[1] = a & 0x7ffffffffffff; - - a = ((uint128_t) in[2]) * scalar + (a >> 51); - output[2] = a & 0x7ffffffffffff; - - a = ((uint128_t) in[3]) * scalar + (a >> 51); - output[3] = a & 0x7ffffffffffff; - - a = ((uint128_t) in[4]) * scalar + (a >> 51); - output[4] = a & 0x7ffffffffffff; - - output[0] += (a >> 51) * 19; -} - -/* Multiply two numbers: output = in2 * in - * - * output must be distinct to both inputs. The inputs are reduced coefficient - * form, the output is not. - */ -static void fmul(felem *output, const felem *in2, const felem *in) { - uint128_t t[9]; - - t[0] = ((uint128_t) in[0]) * in2[0]; - t[1] = ((uint128_t) in[0]) * in2[1] + - ((uint128_t) in[1]) * in2[0]; - t[2] = ((uint128_t) in[0]) * in2[2] + - ((uint128_t) in[2]) * in2[0] + - ((uint128_t) in[1]) * in2[1]; - t[3] = ((uint128_t) in[0]) * in2[3] + - ((uint128_t) in[3]) * in2[0] + - ((uint128_t) in[1]) * in2[2] + - ((uint128_t) in[2]) * in2[1]; - t[4] = ((uint128_t) in[0]) * in2[4] + - ((uint128_t) in[4]) * in2[0] + - ((uint128_t) in[3]) * in2[1] + - ((uint128_t) in[1]) * in2[3] + - ((uint128_t) in[2]) * in2[2]; - t[5] = ((uint128_t) in[4]) * in2[1] + - ((uint128_t) in[1]) * in2[4] + - ((uint128_t) in[2]) * in2[3] + - ((uint128_t) in[3]) * in2[2]; - t[6] = ((uint128_t) in[4]) * in2[2] + - ((uint128_t) in[2]) * in2[4] + - ((uint128_t) in[3]) * in2[3]; - t[7] = ((uint128_t) in[3]) * in2[4] + - ((uint128_t) in[4]) * in2[3]; - t[8] = ((uint128_t) in[4]) * in2[4]; - - t[0] += t[5] * 19; - t[1] += t[6] * 19; - t[2] += t[7] * 19; - t[3] += t[8] * 19; - - t[1] += t[0] >> 51; - t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; - t[1] &= 0x7ffffffffffff; - t[3] += t[2] >> 51; - t[2] &= 0x7ffffffffffff; - t[4] += t[3] >> 51; - t[3] &= 0x7ffffffffffff; - t[0] += 19 * (t[4] >> 51); - t[4] &= 0x7ffffffffffff; - t[1] += t[0] >> 51; - t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; - t[1] &= 0x7ffffffffffff; - - output[0] = t[0]; - output[1] = t[1]; - output[2] = t[2]; - output[3] = t[3]; - output[4] = t[4]; -} - -static void -fsquare(felem *output, const felem *in) { - uint128_t t[9]; - - t[0] = ((uint128_t) in[0]) * in[0]; - t[1] = ((uint128_t) in[0]) * in[1] * 2; - t[2] = ((uint128_t) in[0]) * in[2] * 2 + - ((uint128_t) in[1]) * in[1]; - t[3] = ((uint128_t) in[0]) * in[3] * 2 + - ((uint128_t) in[1]) * in[2] * 2; - t[4] = ((uint128_t) in[0]) * in[4] * 2 + - ((uint128_t) in[3]) * in[1] * 2 + - ((uint128_t) in[2]) * in[2]; - t[5] = ((uint128_t) in[4]) * in[1] * 2 + - ((uint128_t) in[2]) * in[3] * 2; - t[6] = ((uint128_t) in[4]) * in[2] * 2 + - ((uint128_t) in[3]) * in[3]; - t[7] = ((uint128_t) in[3]) * in[4] * 2; - t[8] = ((uint128_t) in[4]) * in[4]; - - t[0] += t[5] * 19; - t[1] += t[6] * 19; - t[2] += t[7] * 19; - t[3] += t[8] * 19; - - t[1] += t[0] >> 51; - t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; - t[1] &= 0x7ffffffffffff; - t[3] += t[2] >> 51; - t[2] &= 0x7ffffffffffff; - t[4] += t[3] >> 51; - t[3] &= 0x7ffffffffffff; - t[0] += 19 * (t[4] >> 51); - t[4] &= 0x7ffffffffffff; - t[1] += t[0] >> 51; - t[0] &= 0x7ffffffffffff; - - output[0] = t[0]; - output[1] = t[1]; - output[2] = t[2]; - output[3] = t[3]; - output[4] = t[4]; -} - -/* Take a little-endian, 32-byte number and expand it into polynomial form */ -static void -fexpand(felem *output, const u8 *in) { - output[0] = *((const uint64_t *)(in)) & 0x7ffffffffffff; - output[1] = (*((const uint64_t *)(in+6)) >> 3) & 0x7ffffffffffff; - output[2] = (*((const uint64_t *)(in+12)) >> 6) & 0x7ffffffffffff; - output[3] = (*((const uint64_t *)(in+19)) >> 1) & 0x7ffffffffffff; - output[4] = (*((const uint64_t *)(in+25)) >> 4) & 0x7ffffffffffff; -} - -/* Take a fully reduced polynomial form number and contract it into a - * little-endian, 32-byte array - */ -static void -fcontract(u8 *output, const felem *input) { - uint128_t t[5]; - - t[0] = input[0]; - t[1] = input[1]; - t[2] = input[2]; - t[3] = input[3]; - t[4] = input[4]; - - t[1] += t[0] >> 51; t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; t[1] &= 0x7ffffffffffff; - t[3] += t[2] >> 51; t[2] &= 0x7ffffffffffff; - t[4] += t[3] >> 51; t[3] &= 0x7ffffffffffff; - t[0] += 19 * (t[4] >> 51); t[4] &= 0x7ffffffffffff; - - t[1] += t[0] >> 51; t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; t[1] &= 0x7ffffffffffff; - t[3] += t[2] >> 51; t[2] &= 0x7ffffffffffff; - t[4] += t[3] >> 51; t[3] &= 0x7ffffffffffff; - t[0] += 19 * (t[4] >> 51); t[4] &= 0x7ffffffffffff; - - /* now t is between 0 and 2^255-1, properly carried. */ - /* case 1: between 0 and 2^255-20. case 2: between 2^255-19 and 2^255-1. */ - - t[0] += 19; - - t[1] += t[0] >> 51; t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; t[1] &= 0x7ffffffffffff; - t[3] += t[2] >> 51; t[2] &= 0x7ffffffffffff; - t[4] += t[3] >> 51; t[3] &= 0x7ffffffffffff; - t[0] += 19 * (t[4] >> 51); t[4] &= 0x7ffffffffffff; - - /* now between 19 and 2^255-1 in both cases, and offset by 19. */ - - t[0] += 0x8000000000000 - 19; - t[1] += 0x8000000000000 - 1; - t[2] += 0x8000000000000 - 1; - t[3] += 0x8000000000000 - 1; - t[4] += 0x8000000000000 - 1; - - /* now between 2^255 and 2^256-20, and offset by 2^255. */ - - t[1] += t[0] >> 51; t[0] &= 0x7ffffffffffff; - t[2] += t[1] >> 51; t[1] &= 0x7ffffffffffff; - t[3] += t[2] >> 51; t[2] &= 0x7ffffffffffff; - t[4] += t[3] >> 51; t[3] &= 0x7ffffffffffff; - t[4] &= 0x7ffffffffffff; - - *((uint64_t *)(output)) = t[0] | (t[1] << 51); - *((uint64_t *)(output+8)) = (t[1] >> 13) | (t[2] << 38); - *((uint64_t *)(output+16)) = (t[2] >> 26) | (t[3] << 25); - *((uint64_t *)(output+24)) = (t[3] >> 39) | (t[4] << 12); -} - -/* Input: Q, Q', Q-Q' - * Output: 2Q, Q+Q' - * - * x2 z3: long form - * x3 z3: long form - * x z: short form, destroyed - * xprime zprime: short form, destroyed - * qmqp: short form, preserved - */ -static void -fmonty(felem *x2, felem *z2, /* output 2Q */ - felem *x3, felem *z3, /* output Q + Q' */ - felem *x, felem *z, /* input Q */ - felem *xprime, felem *zprime, /* input Q' */ - const felem *qmqp /* input Q - Q' */) { - felem origx[5], origxprime[5], zzz[5], xx[5], zz[5], xxprime[5], - zzprime[5], zzzprime[5]; - - memcpy(origx, x, 5 * sizeof(felem)); - fsum(x, z); - fdifference_backwards(z, origx); // does x - z - - memcpy(origxprime, xprime, sizeof(felem) * 5); - fsum(xprime, zprime); - fdifference_backwards(zprime, origxprime); - fmul(xxprime, xprime, z); - fmul(zzprime, x, zprime); - memcpy(origxprime, xxprime, sizeof(felem) * 5); - fsum(xxprime, zzprime); - fdifference_backwards(zzprime, origxprime); - fsquare(x3, xxprime); - fsquare(zzzprime, zzprime); - fmul(z3, zzzprime, qmqp); - - fsquare(xx, x); - fsquare(zz, z); - fmul(x2, xx, zz); - fdifference_backwards(zz, xx); // does zz = xx - zz - fscalar_product(zzz, zz, 121665); - fsum(zzz, xx); - fmul(z2, zz, zzz); -} - -// ----------------------------------------------------------------------------- -// Maybe swap the contents of two felem arrays (@a and @b), each @len elements -// long. Perform the swap iff @swap is non-zero. -// -// This function performs the swap without leaking any side-channel -// information. -// ----------------------------------------------------------------------------- -static void -swap_conditional(felem *a, felem *b, unsigned len, felem iswap) { - unsigned i; - const felem swap = -iswap; - - for (i = 0; i < len; ++i) { - const felem x = swap & (a[i] ^ b[i]); - a[i] ^= x; - b[i] ^= x; - } -} - -/* Calculates nQ where Q is the x-coordinate of a point on the curve - * - * resultx/resultz: the x coordinate of the resulting curve point (short form) - * n: a little endian, 32-byte number - * q: a point of the curve (short form) - */ -static void -cmult(felem *resultx, felem *resultz, const u8 *n, const felem *q) { - felem a[5] = {0}, b[5] = {1}, c[5] = {1}, d[5] = {0}; - felem *nqpqx = a, *nqpqz = b, *nqx = c, *nqz = d, *t; - felem e[5] = {0}, f[5] = {1}, g[5] = {0}, h[5] = {1}; - felem *nqpqx2 = e, *nqpqz2 = f, *nqx2 = g, *nqz2 = h; - - unsigned i, j; - - memcpy(nqpqx, q, sizeof(felem) * 5); - - for (i = 0; i < 32; ++i) { - u8 byte = n[31 - i]; - for (j = 0; j < 8; ++j) { - const felem bit = byte >> 7; - - swap_conditional(nqx, nqpqx, 5, bit); - swap_conditional(nqz, nqpqz, 5, bit); - fmonty(nqx2, nqz2, - nqpqx2, nqpqz2, - nqx, nqz, - nqpqx, nqpqz, - q); - swap_conditional(nqx2, nqpqx2, 5, bit); - swap_conditional(nqz2, nqpqz2, 5, bit); - - t = nqx; - nqx = nqx2; - nqx2 = t; - t = nqz; - nqz = nqz2; - nqz2 = t; - t = nqpqx; - nqpqx = nqpqx2; - nqpqx2 = t; - t = nqpqz; - nqpqz = nqpqz2; - nqpqz2 = t; - - byte <<= 1; - } - } - - memcpy(resultx, nqx, sizeof(felem) * 5); - memcpy(resultz, nqz, sizeof(felem) * 5); -} - -// ----------------------------------------------------------------------------- -// Shamelessly copied from djb's code -// ----------------------------------------------------------------------------- -static void -crecip(felem *out, const felem *z) { - felem z2[5]; - felem z9[5]; - felem z11[5]; - felem z2_5_0[5]; - felem z2_10_0[5]; - felem z2_20_0[5]; - felem z2_50_0[5]; - felem z2_100_0[5]; - felem t0[5]; - felem t1[5]; - int i; - - /* 2 */ fsquare(z2,z); - /* 4 */ fsquare(t1,z2); - /* 8 */ fsquare(t0,t1); - /* 9 */ fmul(z9,t0,z); - /* 11 */ fmul(z11,z9,z2); - /* 22 */ fsquare(t0,z11); - /* 2^5 - 2^0 = 31 */ fmul(z2_5_0,t0,z9); - - /* 2^6 - 2^1 */ fsquare(t0,z2_5_0); - /* 2^7 - 2^2 */ fsquare(t1,t0); - /* 2^8 - 2^3 */ fsquare(t0,t1); - /* 2^9 - 2^4 */ fsquare(t1,t0); - /* 2^10 - 2^5 */ fsquare(t0,t1); - /* 2^10 - 2^0 */ fmul(z2_10_0,t0,z2_5_0); - - /* 2^11 - 2^1 */ fsquare(t0,z2_10_0); - /* 2^12 - 2^2 */ fsquare(t1,t0); - /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } - /* 2^20 - 2^0 */ fmul(z2_20_0,t1,z2_10_0); - - /* 2^21 - 2^1 */ fsquare(t0,z2_20_0); - /* 2^22 - 2^2 */ fsquare(t1,t0); - /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } - /* 2^40 - 2^0 */ fmul(t0,t1,z2_20_0); - - /* 2^41 - 2^1 */ fsquare(t1,t0); - /* 2^42 - 2^2 */ fsquare(t0,t1); - /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t1,t0); fsquare(t0,t1); } - /* 2^50 - 2^0 */ fmul(z2_50_0,t0,z2_10_0); - - /* 2^51 - 2^1 */ fsquare(t0,z2_50_0); - /* 2^52 - 2^2 */ fsquare(t1,t0); - /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } - /* 2^100 - 2^0 */ fmul(z2_100_0,t1,z2_50_0); - - /* 2^101 - 2^1 */ fsquare(t1,z2_100_0); - /* 2^102 - 2^2 */ fsquare(t0,t1); - /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fsquare(t1,t0); fsquare(t0,t1); } - /* 2^200 - 2^0 */ fmul(t1,t0,z2_100_0); - - /* 2^201 - 2^1 */ fsquare(t0,t1); - /* 2^202 - 2^2 */ fsquare(t1,t0); - /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } - /* 2^250 - 2^0 */ fmul(t0,t1,z2_50_0); - - /* 2^251 - 2^1 */ fsquare(t1,t0); - /* 2^252 - 2^2 */ fsquare(t0,t1); - /* 2^253 - 2^3 */ fsquare(t1,t0); - /* 2^254 - 2^4 */ fsquare(t0,t1); - /* 2^255 - 2^5 */ fsquare(t1,t0); - /* 2^255 - 21 */ fmul(out,t1,z11); -} - -int -crypto_scalarmult(u8 *mypublic, const u8 *secret, const u8 *basepoint) { - felem bp[5], x[5], z[5], zmone[5]; - unsigned char e[32]; - int i; - for (i = 0;i < 32;++i) e[i] = secret[i]; - e[0] &= 248; - e[31] &= 127; - e[31] |= 64; - fexpand(bp, basepoint); - cmult(x, z, e, bp); - crecip(zmone, z); - fmul(z, x, zmone); - fcontract(mypublic, z); - return 0; -}