Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/bearssl/src/ec/ec_prime_i31.c
39507 views
1
/*

2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>

3
 *

4
 * Permission is hereby granted, free of charge, to any person obtaining 

5
 * a copy of this software and associated documentation files (the

6
 * "Software"), to deal in the Software without restriction, including

7
 * without limitation the rights to use, copy, modify, merge, publish,

8
 * distribute, sublicense, and/or sell copies of the Software, and to

9
 * permit persons to whom the Software is furnished to do so, subject to

10
 * the following conditions:

11
 *

12
 * The above copyright notice and this permission notice shall be 

13
 * included in all copies or substantial portions of the Software.

14
 *

15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 

16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

22
 * SOFTWARE.

23
 */

24


25
#include "inner.h"

26


27
/*

28
 * Parameters for supported curves (field modulus, and 'b' equation

29
 * parameter; both values use the 'i31' format, and 'b' is in Montgomery

30
 * representation).

31
 */

32


33
static const uint32_t P256_P[] = {

34
	0x00000108,

35
	0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x00000007,

36
	0x00000000, 0x00000000, 0x00000040, 0x7FFFFF80,

37
	0x000000FF

38
};

39


40
static const uint32_t P256_R2[] = {

41
	0x00000108,

42
	0x00014000, 0x00018000, 0x00000000, 0x7FF40000,

43
	0x7FEFFFFF, 0x7FF7FFFF, 0x7FAFFFFF, 0x005FFFFF,

44
	0x00000000

45
};

46


47
static const uint32_t P256_B[] = {

48
	0x00000108,

49
	0x6FEE1803, 0x6229C4BD, 0x21B139BE, 0x327150AA,

50
	0x3567802E, 0x3F7212ED, 0x012E4355, 0x782DD38D,

51
	0x0000000E

52
};

53


54
static const uint32_t P384_P[] = {

55
	0x0000018C,

56
	0x7FFFFFFF, 0x00000001, 0x00000000, 0x7FFFFFF8,

57
	0x7FFFFFEF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,

58
	0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,

59
	0x00000FFF

60
};

61


62
static const uint32_t P384_R2[] = {

63
	0x0000018C,

64
	0x00000000, 0x00000080, 0x7FFFFE00, 0x000001FF,

65
	0x00000800, 0x00000000, 0x7FFFE000, 0x00001FFF,

66
	0x00008000, 0x00008000, 0x00000000, 0x00000000,

67
	0x00000000

68
};

69


70
static const uint32_t P384_B[] = {

71
	0x0000018C,

72
	0x6E666840, 0x070D0392, 0x5D810231, 0x7651D50C,

73
	0x17E218D6, 0x1B192002, 0x44EFE441, 0x3A524E2B,

74
	0x2719BA5F, 0x41F02209, 0x36C5643E, 0x5813EFFE,

75
	0x000008A5

76
};

77


78
static const uint32_t P521_P[] = {

79
	0x00000219,

80
	0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,

81
	0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,

82
	0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,

83
	0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF, 0x7FFFFFFF,

84
	0x01FFFFFF

85
};

86


87
static const uint32_t P521_R2[] = {

88
	0x00000219,

89
	0x00001000, 0x00000000, 0x00000000, 0x00000000,

90
	0x00000000, 0x00000000, 0x00000000, 0x00000000,

91
	0x00000000, 0x00000000, 0x00000000, 0x00000000,

92
	0x00000000, 0x00000000, 0x00000000, 0x00000000,

93
	0x00000000

94
};

95


96
static const uint32_t P521_B[] = {

97
	0x00000219,

98
	0x540FC00A, 0x228FEA35, 0x2C34F1EF, 0x67BF107A,

99
	0x46FC1CD5, 0x1605E9DD, 0x6937B165, 0x272A3D8F,

100
	0x42785586, 0x44C8C778, 0x15F3B8B4, 0x64B73366,

101
	0x03BA8B69, 0x0D05B42A, 0x21F929A2, 0x2C31C393,

102
	0x00654FAE

103
};

104


105
typedef struct {

106
	const uint32_t *p;

107
	const uint32_t *b;

108
	const uint32_t *R2;

109
	uint32_t p0i;

110
	size_t point_len;

111
} curve_params;

112


113
static inline const curve_params *

114
id_to_curve(int curve)

115
{

116
	static const curve_params pp[] = {

117
		{ P256_P, P256_B, P256_R2, 0x00000001,  65 },

118
		{ P384_P, P384_B, P384_R2, 0x00000001,  97 },

119
		{ P521_P, P521_B, P521_R2, 0x00000001, 133 }

120
	};

121


122
	return &pp[curve - BR_EC_secp256r1];

123
}

124


125
#define I31_LEN   ((BR_MAX_EC_SIZE + 61) / 31)

126


127
/*

128
 * Type for a point in Jacobian coordinates:

129
 * -- three values, x, y and z, in Montgomery representation

130
 * -- affine coordinates are X = x / z^2 and Y = y / z^3

131
 * -- for the point at infinity, z = 0

132
 */

133
typedef struct {

134
	uint32_t c[3][I31_LEN];

135
} jacobian;

136


137
/*

138
 * We use a custom interpreter that uses a dozen registers, and

139
 * only six operations:

140
 *    MSET(d, a)       copy a into d

141
 *    MADD(d, a)       d = d+a (modular)

142
 *    MSUB(d, a)       d = d-a (modular)

143
 *    MMUL(d, a, b)    d = a*b (Montgomery multiplication)

144
 *    MINV(d, a, b)    invert d modulo p; a and b are used as scratch registers

145
 *    MTZ(d)           clear return value if d = 0

146
 * Destination of MMUL (d) must be distinct from operands (a and b).

147
 * There is no such constraint for MSUB and MADD.

148
 *

149
 * Registers include the operand coordinates, and temporaries.

150
 */

151
#define MSET(d, a)      (0x0000 + ((d) << 8) + ((a) << 4))

152
#define MADD(d, a)      (0x1000 + ((d) << 8) + ((a) << 4))

153
#define MSUB(d, a)      (0x2000 + ((d) << 8) + ((a) << 4))

154
#define MMUL(d, a, b)   (0x3000 + ((d) << 8) + ((a) << 4) + (b))

155
#define MINV(d, a, b)   (0x4000 + ((d) << 8) + ((a) << 4) + (b))

156
#define MTZ(d)          (0x5000 + ((d) << 8))

157
#define ENDCODE         0

158


159
/*

160
 * Registers for the input operands.

161
 */

162
#define P1x    0

163
#define P1y    1

164
#define P1z    2

165
#define P2x    3

166
#define P2y    4

167
#define P2z    5

168


169
/*

170
 * Alternate names for the first input operand.

171
 */

172
#define Px     0

173
#define Py     1

174
#define Pz     2

175


176
/*

177
 * Temporaries.

178
 */

179
#define t1     6

180
#define t2     7

181
#define t3     8

182
#define t4     9

183
#define t5    10

184
#define t6    11

185
#define t7    12

186


187
/*

188
 * Extra scratch registers available when there is no second operand (e.g.

189
 * for "double" and "affine").

190
 */

191
#define t8     3

192
#define t9     4

193
#define t10    5

194


195
/*

196
 * Doubling formulas are:

197
 *

198
 *   s = 4*x*y^2

199
 *   m = 3*(x + z^2)*(x - z^2)

200
 *   x' = m^2 - 2*s

201
 *   y' = m*(s - x') - 8*y^4

202
 *   z' = 2*y*z

203
 *

204
 * If y = 0 (P has order 2) then this yields infinity (z' = 0), as it

205
 * should. This case should not happen anyway, because our curves have

206
 * prime order, and thus do not contain any point of order 2.

207
 *

208
 * If P is infinity (z = 0), then again the formulas yield infinity,

209
 * which is correct. Thus, this code works for all points.

210
 *

211
 * Cost: 8 multiplications

212
 */

213
static const uint16_t code_double[] = {

214
	/*

215
	 * Compute z^2 (in t1).

216
	 */

217
	MMUL(t1, Pz, Pz),

218


219
	/*

220
	 * Compute x-z^2 (in t2) and then x+z^2 (in t1).

221
	 */

222
	MSET(t2, Px),

223
	MSUB(t2, t1),

224
	MADD(t1, Px),

225


226
	/*

227
	 * Compute m = 3*(x+z^2)*(x-z^2) (in t1).

228
	 */

229
	MMUL(t3, t1, t2),

230
	MSET(t1, t3),

231
	MADD(t1, t3),

232
	MADD(t1, t3),

233


234
	/*

235
	 * Compute s = 4*x*y^2 (in t2) and 2*y^2 (in t3).

236
	 */

237
	MMUL(t3, Py, Py),

238
	MADD(t3, t3),

239
	MMUL(t2, Px, t3),

240
	MADD(t2, t2),

241


242
	/*

243
	 * Compute x' = m^2 - 2*s.

244
	 */

245
	MMUL(Px, t1, t1),

246
	MSUB(Px, t2),

247
	MSUB(Px, t2),

248


249
	/*

250
	 * Compute z' = 2*y*z.

251
	 */

252
	MMUL(t4, Py, Pz),

253
	MSET(Pz, t4),

254
	MADD(Pz, t4),

255


256
	/*

257
	 * Compute y' = m*(s - x') - 8*y^4. Note that we already have

258
	 * 2*y^2 in t3.

259
	 */

260
	MSUB(t2, Px),

261
	MMUL(Py, t1, t2),

262
	MMUL(t4, t3, t3),

263
	MSUB(Py, t4),

264
	MSUB(Py, t4),

265


266
	ENDCODE

267
};

268


269
/*

270
 * Addtions formulas are:

271
 *

272
 *   u1 = x1 * z2^2

273
 *   u2 = x2 * z1^2

274
 *   s1 = y1 * z2^3

275
 *   s2 = y2 * z1^3

276
 *   h = u2 - u1

277
 *   r = s2 - s1

278
 *   x3 = r^2 - h^3 - 2 * u1 * h^2

279
 *   y3 = r * (u1 * h^2 - x3) - s1 * h^3

280
 *   z3 = h * z1 * z2

281
 *

282
 * If both P1 and P2 are infinity, then z1 == 0 and z2 == 0, implying that

283
 * z3 == 0, so the result is correct.

284
 * If either of P1 or P2 is infinity, but not both, then z3 == 0, which is

285
 * not correct.

286
 * h == 0 only if u1 == u2; this happens in two cases:

287
 * -- if s1 == s2 then P1 and/or P2 is infinity, or P1 == P2

288
 * -- if s1 != s2 then P1 + P2 == infinity (but neither P1 or P2 is infinity)

289
 *

290
 * Thus, the following situations are not handled correctly:

291
 * -- P1 = 0 and P2 != 0

292
 * -- P1 != 0 and P2 = 0

293
 * -- P1 = P2

294
 * All other cases are properly computed. However, even in "incorrect"

295
 * situations, the three coordinates still are properly formed field

296
 * elements.

297
 *

298
 * The returned flag is cleared if r == 0. This happens in the following

299
 * cases:

300
 * -- Both points are on the same horizontal line (same Y coordinate).

301
 * -- Both points are infinity.

302
 * -- One point is infinity and the other is on line Y = 0.

303
 * The third case cannot happen with our curves (there is no valid point

304
 * on line Y = 0 since that would be a point of order 2). If the two

305
 * source points are non-infinity, then remains only the case where the

306
 * two points are on the same horizontal line.

307
 *

308
 * This allows us to detect the "P1 == P2" case, assuming that P1 != 0 and

309
 * P2 != 0:

310
 * -- If the returned value is not the point at infinity, then it was properly

311
 * computed.

312
 * -- Otherwise, if the returned flag is 1, then P1+P2 = 0, and the result

313
 * is indeed the point at infinity.

314
 * -- Otherwise (result is infinity, flag is 0), then P1 = P2 and we should

315
 * use the 'double' code.

316
 *

317
 * Cost: 16 multiplications

318
 */

319
static const uint16_t code_add[] = {

320
	/*

321
	 * Compute u1 = x1*z2^2 (in t1) and s1 = y1*z2^3 (in t3).

322
	 */

323
	MMUL(t3, P2z, P2z),

324
	MMUL(t1, P1x, t3),

325
	MMUL(t4, P2z, t3),

326
	MMUL(t3, P1y, t4),

327


328
	/*

329
	 * Compute u2 = x2*z1^2 (in t2) and s2 = y2*z1^3 (in t4).

330
	 */

331
	MMUL(t4, P1z, P1z),

332
	MMUL(t2, P2x, t4),

333
	MMUL(t5, P1z, t4),

334
	MMUL(t4, P2y, t5),

335


336
	/*

337
	 * Compute h = u2 - u1 (in t2) and r = s2 - s1 (in t4).

338
	 */

339
	MSUB(t2, t1),

340
	MSUB(t4, t3),

341


342
	/*

343
	 * Report cases where r = 0 through the returned flag.

344
	 */

345
	MTZ(t4),

346


347
	/*

348
	 * Compute u1*h^2 (in t6) and h^3 (in t5).

349
	 */

350
	MMUL(t7, t2, t2),

351
	MMUL(t6, t1, t7),

352
	MMUL(t5, t7, t2),

353


354
	/*

355
	 * Compute x3 = r^2 - h^3 - 2*u1*h^2.

356
	 * t1 and t7 can be used as scratch registers.

357
	 */

358
	MMUL(P1x, t4, t4),

359
	MSUB(P1x, t5),

360
	MSUB(P1x, t6),

361
	MSUB(P1x, t6),

362


363
	/*

364
	 * Compute y3 = r*(u1*h^2 - x3) - s1*h^3.

365
	 */

366
	MSUB(t6, P1x),

367
	MMUL(P1y, t4, t6),

368
	MMUL(t1, t5, t3),

369
	MSUB(P1y, t1),

370


371
	/*

372
	 * Compute z3 = h*z1*z2.

373
	 */

374
	MMUL(t1, P1z, P2z),

375
	MMUL(P1z, t1, t2),

376


377
	ENDCODE

378
};

379


380
/*

381
 * Check that the point is on the curve. This code snippet assumes the

382
 * following conventions:

383
 * -- Coordinates x and y have been freshly decoded in P1 (but not

384
 * converted to Montgomery coordinates yet).

385
 * -- P2x, P2y and P2z are set to, respectively, R^2, b*R and 1.

386
 */

387
static const uint16_t code_check[] = {

388


389
	/* Convert x and y to Montgomery representation. */

390
	MMUL(t1, P1x, P2x),

391
	MMUL(t2, P1y, P2x),

392
	MSET(P1x, t1),

393
	MSET(P1y, t2),

394


395
	/* Compute x^3 in t1. */

396
	MMUL(t2, P1x, P1x),

397
	MMUL(t1, P1x, t2),

398


399
	/* Subtract 3*x from t1. */

400
	MSUB(t1, P1x),

401
	MSUB(t1, P1x),

402
	MSUB(t1, P1x),

403


404
	/* Add b. */

405
	MADD(t1, P2y),

406


407
	/* Compute y^2 in t2. */

408
	MMUL(t2, P1y, P1y),

409


410
	/* Compare y^2 with x^3 - 3*x + b; they must match. */

411
	MSUB(t1, t2),

412
	MTZ(t1),

413


414
	/* Set z to 1 (in Montgomery representation). */

415
	MMUL(P1z, P2x, P2z),

416


417
	ENDCODE

418
};

419


420
/*

421
 * Conversion back to affine coordinates. This code snippet assumes that

422
 * the z coordinate of P2 is set to 1 (not in Montgomery representation).

423
 */

424
static const uint16_t code_affine[] = {

425


426
	/* Save z*R in t1. */

427
	MSET(t1, P1z),

428


429
	/* Compute z^3 in t2. */

430
	MMUL(t2, P1z, P1z),

431
	MMUL(t3, P1z, t2),

432
	MMUL(t2, t3, P2z),

433


434
	/* Invert to (1/z^3) in t2. */

435
	MINV(t2, t3, t4),

436


437
	/* Compute y. */

438
	MSET(t3, P1y),

439
	MMUL(P1y, t2, t3),

440


441
	/* Compute (1/z^2) in t3. */

442
	MMUL(t3, t2, t1),

443


444
	/* Compute x. */

445
	MSET(t2, P1x),

446
	MMUL(P1x, t2, t3),

447


448
	ENDCODE

449
};

450


451
static uint32_t

452
run_code(jacobian *P1, const jacobian *P2,

453
	const curve_params *cc, const uint16_t *code)

454
{

455
	uint32_t r;

456
	uint32_t t[13][I31_LEN];

457
	size_t u;

458


459
	r = 1;

460


461
	/*

462
	 * Copy the two operands in the dedicated registers.

463
	 */

464
	memcpy(t[P1x], P1->c, 3 * I31_LEN * sizeof(uint32_t));

465
	memcpy(t[P2x], P2->c, 3 * I31_LEN * sizeof(uint32_t));

466


467
	/*

468
	 * Run formulas.

469
	 */

470
	for (u = 0;; u ++) {

471
		unsigned op, d, a, b;

472


473
		op = code[u];

474
		if (op == 0) {

475
			break;

476
		}

477
		d = (op >> 8) & 0x0F;

478
		a = (op >> 4) & 0x0F;

479
		b = op & 0x0F;

480
		op >>= 12;

481
		switch (op) {

482
			uint32_t ctl;

483
			size_t plen;

484
			unsigned char tp[(BR_MAX_EC_SIZE + 7) >> 3];

485


486
		case 0:

487
			memcpy(t[d], t[a], I31_LEN * sizeof(uint32_t));

488
			break;

489
		case 1:

490
			ctl = br_i31_add(t[d], t[a], 1);

491
			ctl |= NOT(br_i31_sub(t[d], cc->p, 0));

492
			br_i31_sub(t[d], cc->p, ctl);

493
			break;

494
		case 2:

495
			br_i31_add(t[d], cc->p, br_i31_sub(t[d], t[a], 1));

496
			break;

497
		case 3:

498
			br_i31_montymul(t[d], t[a], t[b], cc->p, cc->p0i);

499
			break;

500
		case 4:

501
			plen = (cc->p[0] - (cc->p[0] >> 5) + 7) >> 3;

502
			br_i31_encode(tp, plen, cc->p);

503
			tp[plen - 1] -= 2;

504
			br_i31_modpow(t[d], tp, plen,

505
				cc->p, cc->p0i, t[a], t[b]);

506
			break;

507
		default:

508
			r &= ~br_i31_iszero(t[d]);

509
			break;

510
		}

511
	}

512


513
	/*

514
	 * Copy back result.

515
	 */

516
	memcpy(P1->c, t[P1x], 3 * I31_LEN * sizeof(uint32_t));

517
	return r;

518
}

519


520
static void

521
set_one(uint32_t *x, const uint32_t *p)

522
{

523
	size_t plen;

524


525
	plen = (p[0] + 63) >> 5;

526
	memset(x, 0, plen * sizeof *x);

527
	x[0] = p[0];

528
	x[1] = 0x00000001;

529
}

530


531
static void

532
point_zero(jacobian *P, const curve_params *cc)

533
{

534
	memset(P, 0, sizeof *P);

535
	P->c[0][0] = P->c[1][0] = P->c[2][0] = cc->p[0];

536
}

537


538
static inline void

539
point_double(jacobian *P, const curve_params *cc)

540
{

541
	run_code(P, P, cc, code_double);

542
}

543


544
static inline uint32_t

545
point_add(jacobian *P1, const jacobian *P2, const curve_params *cc)

546
{

547
	return run_code(P1, P2, cc, code_add);

548
}

549


550
static void

551
point_mul(jacobian *P, const unsigned char *x, size_t xlen,

552
	const curve_params *cc)

553
{

554
	/*

555
	 * We do a simple double-and-add ladder with a 2-bit window

556
	 * to make only one add every two doublings. We thus first

557
	 * precompute 2P and 3P in some local buffers.

558
	 *

559
	 * We always perform two doublings and one addition; the

560
	 * addition is with P, 2P and 3P and is done in a temporary

561
	 * array.

562
	 *

563
	 * The addition code cannot handle cases where one of the

564
	 * operands is infinity, which is the case at the start of the

565
	 * ladder. We therefore need to maintain a flag that controls

566
	 * this situation.

567
	 */

568
	uint32_t qz;

569
	jacobian P2, P3, Q, T, U;

570


571
	memcpy(&P2, P, sizeof P2);

572
	point_double(&P2, cc);

573
	memcpy(&P3, P, sizeof P3);

574
	point_add(&P3, &P2, cc);

575


576
	point_zero(&Q, cc);

577
	qz = 1;

578
	while (xlen -- > 0) {

579
		int k;

580


581
		for (k = 6; k >= 0; k -= 2) {

582
			uint32_t bits;

583
			uint32_t bnz;

584


585
			point_double(&Q, cc);

586
			point_double(&Q, cc);

587
			memcpy(&T, P, sizeof T);

588
			memcpy(&U, &Q, sizeof U);

589
			bits = (*x >> k) & (uint32_t)3;

590
			bnz = NEQ(bits, 0);

591
			CCOPY(EQ(bits, 2), &T, &P2, sizeof T);

592
			CCOPY(EQ(bits, 3), &T, &P3, sizeof T);

593
			point_add(&U, &T, cc);

594
			CCOPY(bnz & qz, &Q, &T, sizeof Q);

595
			CCOPY(bnz & ~qz, &Q, &U, sizeof Q);

596
			qz &= ~bnz;

597
		}

598
		x ++;

599
	}

600
	memcpy(P, &Q, sizeof Q);

601
}

602


603
/*

604
 * Decode point into Jacobian coordinates. This function does not support

605
 * the point at infinity. If the point is invalid then this returns 0, but

606
 * the coordinates are still set to properly formed field elements.

607
 */

608
static uint32_t

609
point_decode(jacobian *P, const void *src, size_t len, const curve_params *cc)

610
{

611
	/*

612
	 * Points must use uncompressed format:

613
	 * -- first byte is 0x04;

614
	 * -- coordinates X and Y use unsigned big-endian, with the same

615
	 *    length as the field modulus.

616
	 *

617
	 * We don't support hybrid format (uncompressed, but first byte

618
	 * has value 0x06 or 0x07, depending on the least significant bit

619
	 * of Y) because it is rather useless, and explicitly forbidden

620
	 * by PKIX (RFC 5480, section 2.2).

621
	 *

622
	 * We don't support compressed format either, because it is not

623
	 * much used in practice (there are or were patent-related

624
	 * concerns about point compression, which explains the lack of

625
	 * generalised support). Also, point compression support would

626
	 * need a bit more code.

627
	 */

628
	const unsigned char *buf;

629
	size_t plen, zlen;

630
	uint32_t r;

631
	jacobian Q;

632


633
	buf = src;

634
	point_zero(P, cc);

635
	plen = (cc->p[0] - (cc->p[0] >> 5) + 7) >> 3;

636
	if (len != 1 + (plen << 1)) {

637
		return 0;

638
	}

639
	r = br_i31_decode_mod(P->c[0], buf + 1, plen, cc->p);

640
	r &= br_i31_decode_mod(P->c[1], buf + 1 + plen, plen, cc->p);

641


642
	/*

643
	 * Check first byte.

644
	 */

645
	r &= EQ(buf[0], 0x04);

646
	/* obsolete

647
	r &= EQ(buf[0], 0x04) | (EQ(buf[0] & 0xFE, 0x06)

648
		& ~(uint32_t)(buf[0] ^ buf[plen << 1]));

649
	*/

650


651
	/*

652
	 * Convert coordinates and check that the point is valid.

653
	 */

654
	zlen = ((cc->p[0] + 63) >> 5) * sizeof(uint32_t);

655
	memcpy(Q.c[0], cc->R2, zlen);

656
	memcpy(Q.c[1], cc->b, zlen);

657
	set_one(Q.c[2], cc->p);

658
	r &= ~run_code(P, &Q, cc, code_check);

659
	return r;

660
}

661


662
/*

663
 * Encode a point. This method assumes that the point is correct and is

664
 * not the point at infinity. Encoded size is always 1+2*plen, where

665
 * plen is the field modulus length, in bytes.

666
 */

667
static void

668
point_encode(void *dst, const jacobian *P, const curve_params *cc)

669
{

670
	unsigned char *buf;

671
	uint32_t xbl;

672
	size_t plen;

673
	jacobian Q, T;

674


675
	buf = dst;

676
	xbl = cc->p[0];

677
	xbl -= (xbl >> 5);

678
	plen = (xbl + 7) >> 3;

679
	buf[0] = 0x04;

680
	memcpy(&Q, P, sizeof *P);

681
	set_one(T.c[2], cc->p);

682
	run_code(&Q, &T, cc, code_affine);

683
	br_i31_encode(buf + 1, plen, Q.c[0]);

684
	br_i31_encode(buf + 1 + plen, plen, Q.c[1]);

685
}

686


687
static const br_ec_curve_def *

688
id_to_curve_def(int curve)

689
{

690
	switch (curve) {

691
	case BR_EC_secp256r1:

692
		return &br_secp256r1;

693
	case BR_EC_secp384r1:

694
		return &br_secp384r1;

695
	case BR_EC_secp521r1:

696
		return &br_secp521r1;

697
	}

698
	return NULL;

699
}

700


701
static const unsigned char *

702
api_generator(int curve, size_t *len)

703
{

704
	const br_ec_curve_def *cd;

705


706
	cd = id_to_curve_def(curve);

707
	*len = cd->generator_len;

708
	return cd->generator;

709
}

710


711
static const unsigned char *

712
api_order(int curve, size_t *len)

713
{

714
	const br_ec_curve_def *cd;

715


716
	cd = id_to_curve_def(curve);

717
	*len = cd->order_len;

718
	return cd->order;

719
}

720


721
static size_t

722
api_xoff(int curve, size_t *len)

723
{

724
	api_generator(curve, len);

725
	*len >>= 1;

726
	return 1;

727
}

728


729
static uint32_t

730
api_mul(unsigned char *G, size_t Glen,

731
	const unsigned char *x, size_t xlen, int curve)

732
{

733
	uint32_t r;

734
	const curve_params *cc;

735
	jacobian P;

736


737
	cc = id_to_curve(curve);

738
	if (Glen != cc->point_len) {

739
		return 0;

740
	}

741
	r = point_decode(&P, G, Glen, cc);

742
	point_mul(&P, x, xlen, cc);

743
	point_encode(G, &P, cc);

744
	return r;

745
}

746


747
static size_t

748
api_mulgen(unsigned char *R,

749
	const unsigned char *x, size_t xlen, int curve)

750
{

751
	const unsigned char *G;

752
	size_t Glen;

753


754
	G = api_generator(curve, &Glen);

755
	memcpy(R, G, Glen);

756
	api_mul(R, Glen, x, xlen, curve);

757
	return Glen;

758
}

759


760
static uint32_t

761
api_muladd(unsigned char *A, const unsigned char *B, size_t len,

762
	const unsigned char *x, size_t xlen,

763
	const unsigned char *y, size_t ylen, int curve)

764
{

765
	uint32_t r, t, z;

766
	const curve_params *cc;

767
	jacobian P, Q;

768


769
	/*

770
	 * TODO: see about merging the two ladders. Right now, we do

771
	 * two independent point multiplications, which is a bit

772
	 * wasteful of CPU resources (but yields short code).

773
	 */

774


775
	cc = id_to_curve(curve);

776
	if (len != cc->point_len) {

777
		return 0;

778
	}

779
	r = point_decode(&P, A, len, cc);

780
	if (B == NULL) {

781
		size_t Glen;

782


783
		B = api_generator(curve, &Glen);

784
	}

785
	r &= point_decode(&Q, B, len, cc);

786
	point_mul(&P, x, xlen, cc);

787
	point_mul(&Q, y, ylen, cc);

788


789
	/*

790
	 * We want to compute P+Q. Since the base points A and B are distinct

791
	 * from infinity, and the multipliers are non-zero and lower than the

792
	 * curve order, then we know that P and Q are non-infinity. This

793
	 * leaves two special situations to test for:

794
	 * -- If P = Q then we must use point_double().

795
	 * -- If P+Q = 0 then we must report an error.

796
	 */

797
	t = point_add(&P, &Q, cc);

798
	point_double(&Q, cc);

799
	z = br_i31_iszero(P.c[2]);

800


801
	/*

802
	 * If z is 1 then either P+Q = 0 (t = 1) or P = Q (t = 0). So we

803
	 * have the following:

804
	 *

805
	 *   z = 0, t = 0   return P (normal addition)

806
	 *   z = 0, t = 1   return P (normal addition)

807
	 *   z = 1, t = 0   return Q (a 'double' case)

808
	 *   z = 1, t = 1   report an error (P+Q = 0)

809
	 */

810
	CCOPY(z & ~t, &P, &Q, sizeof Q);

811
	point_encode(A, &P, cc);

812
	r &= ~(z & t);

813


814
	return r;

815
}

816


817
/* see bearssl_ec.h */

818
const br_ec_impl br_ec_prime_i31 = {

819
	(uint32_t)0x03800000,

820
	&api_generator,

821
	&api_order,

822
	&api_xoff,

823
	&api_mul,

824
	&api_mulgen,

825
	&api_muladd

826
};

827


828