]> git.pld-linux.org Git - packages/cross-gcc.git/blame - gcc49-libgo-p224.patch
projects / packages / cross-gcc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- unconditional noarch subpackages
[packages/cross-gcc.git] / gcc49-libgo-p224.patch
CommitLineData
b5b0b447
ER		 1--- libgo/Makefile.am.jj 2014-01-08 13:53:06.000000000 +0100
2+++ libgo/Makefile.am 2014-03-05 15:20:09.938466093 +0100
3@@ -1133,7 +1133,6 @@ go_crypto_ecdsa_files = \
4 go/crypto/ecdsa/ecdsa.go
5 go_crypto_elliptic_files = \
6 go/crypto/elliptic/elliptic.go \
7- go/crypto/elliptic/p224.go \
8 go/crypto/elliptic/p256.go
9 go_crypto_hmac_files = \
10 go/crypto/hmac/hmac.go
11--- libgo/Makefile.in.jj 2014-01-08 13:53:06.000000000 +0100
12+++ libgo/Makefile.in 2014-03-05 15:20:20.372465471 +0100
13@@ -1291,7 +1291,6 @@ go_crypto_ecdsa_files = \
14
15 go_crypto_elliptic_files = \
16 go/crypto/elliptic/elliptic.go \
17- go/crypto/elliptic/p224.go \
18 go/crypto/elliptic/p256.go
19
20 go_crypto_hmac_files = \
21--- libgo/go/crypto/elliptic/elliptic.go.jj 2013-11-07 11:59:09.000000000 +0100
22+++ libgo/go/crypto/elliptic/elliptic.go 2014-03-05 15:21:04.186462859 +0100
23@@ -326,7 +326,6 @@ var p384 *CurveParams
24 var p521 *CurveParams
25
26 func initAll() {
27- initP224()
28 initP256()
29 initP384()
30 initP521()
31--- libgo/go/crypto/elliptic/elliptic_test.go.jj 2013-11-07 11:59:09.000000000 +0100
32+++ libgo/go/crypto/elliptic/elliptic_test.go 2014-03-05 15:46:03.739373453 +0100
33@@ -5,26 +5,16 @@
34 package elliptic
35
36 import (
37- "crypto/rand"
38- "encoding/hex"
39- "fmt"
40 "math/big"
41 "testing"
42 )
43
44-func TestOnCurve(t *testing.T) {
45- p224 := P224()
46- if !p224.IsOnCurve(p224.Params().Gx, p224.Params().Gy) {
47- t.Errorf("FAIL")
48- }
49-}
50-
51 type baseMultTest struct {
52 k string
53 x, y string
54 }
55
56-var p224BaseMultTests = []baseMultTest{
57+var p256BaseMultTests = []baseMultTest{
58 {
59 "1",
60 "b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21",
61@@ -287,47 +277,12 @@ var p224BaseMultTests = []baseMultTest{
62 },
63 }
64
65-func TestBaseMult(t *testing.T) {
66- p224 := P224()
67- for i, e := range p224BaseMultTests {
68- k, ok := new(big.Int).SetString(e.k, 10)
69- if !ok {
70- t.Errorf("%d: bad value for k: %s", i, e.k)
71- }
72- x, y := p224.ScalarBaseMult(k.Bytes())
73- if fmt.Sprintf("%x", x) != e.x || fmt.Sprintf("%x", y) != e.y {
74- t.Errorf("%d: bad output for k=%s: got (%x, %x), want (%s, %s)", i, e.k, x, y, e.x, e.y)
75- }
76- if testing.Short() && i > 5 {
77- break
78- }
79- }
80-}
81-
82-func TestGenericBaseMult(t *testing.T) {
83- // We use the P224 CurveParams directly in order to test the generic implementation.
84- p224 := P224().Params()
85- for i, e := range p224BaseMultTests {
86- k, ok := new(big.Int).SetString(e.k, 10)
87- if !ok {
88- t.Errorf("%d: bad value for k: %s", i, e.k)
89- }
90- x, y := p224.ScalarBaseMult(k.Bytes())
91- if fmt.Sprintf("%x", x) != e.x || fmt.Sprintf("%x", y) != e.y {
92- t.Errorf("%d: bad output for k=%s: got (%x, %x), want (%s, %s)", i, e.k, x, y, e.x, e.y)
93- }
94- if testing.Short() && i > 5 {
95- break
96- }
97- }
98-}
99-
100 func TestP256BaseMult(t *testing.T) {
101 p256 := P256()
102 p256Generic := p256.Params()
103
104- scalars := make([]*big.Int, 0, len(p224BaseMultTests)+1)
105- for _, e := range p224BaseMultTests {
106+ scalars := make([]*big.Int, 0, len(p256BaseMultTests)+1)
107+ for _, e := range p256BaseMultTests {
108 k, _ := new(big.Int).SetString(e.k, 10)
109 scalars = append(scalars, k)
110 }
111@@ -352,7 +307,7 @@ func TestP256Mult(t *testing.T) {
112 p256 := P256()
113 p256Generic := p256.Params()
114
115- for i, e := range p224BaseMultTests {
116+ for i, e := range p256BaseMultTests {
117 x, _ := new(big.Int).SetString(e.x, 16)
118 y, _ := new(big.Int).SetString(e.y, 16)
119 k, _ := new(big.Int).SetString(e.k, 10)
120@@ -373,7 +328,6 @@ func TestInfinity(t *testing.T) {
121 name string
122 curve Curve
123 }{
124- {"p224", P224()},
125 {"p256", P256()},
126 }
127
128@@ -406,53 +360,13 @@ func TestInfinity(t *testing.T) {
129 }
130 }
131
132-func BenchmarkBaseMult(b *testing.B) {
133- b.ResetTimer()
134- p224 := P224()
135- e := p224BaseMultTests[25]
136- k, _ := new(big.Int).SetString(e.k, 10)
137- b.StartTimer()
138- for i := 0; i < b.N; i++ {
139- p224.ScalarBaseMult(k.Bytes())
140- }
141-}
142-
143 func BenchmarkBaseMultP256(b *testing.B) {
144 b.ResetTimer()
145 p256 := P256()
146- e := p224BaseMultTests[25]
147+ e := p256BaseMultTests[25]
148 k, _ := new(big.Int).SetString(e.k, 10)
149 b.StartTimer()
150 for i := 0; i < b.N; i++ {
151 p256.ScalarBaseMult(k.Bytes())
152 }
153 }
154-
155-func TestMarshal(t *testing.T) {
156- p224 := P224()
157- _, x, y, err := GenerateKey(p224, rand.Reader)
158- if err != nil {
159- t.Error(err)
160- return
161- }
162- serialized := Marshal(p224, x, y)
163- xx, yy := Unmarshal(p224, serialized)
164- if xx == nil {
165- t.Error("failed to unmarshal")
166- return
167- }
168- if xx.Cmp(x) != 0 || yy.Cmp(y) != 0 {
169- t.Error("unmarshal returned different values")
170- return
171- }
172-}
173-
174-func TestP224Overflow(t *testing.T) {
175- // This tests for a specific bug in the P224 implementation.
176- p224 := P224()
177- pointData, _ := hex.DecodeString("049B535B45FB0A2072398A6831834624C7E32CCFD5A4B933BCEAF77F1DD945E08BBE5178F5EDF5E733388F196D2A631D2E075BB16CBFEEA15B")
178- x, y := Unmarshal(p224, pointData)
179- if !p224.IsOnCurve(x, y) {
180- t.Error("P224 failed to validate a correct point")
181- }
182-}
183--- libgo/go/crypto/ecdsa/ecdsa_test.go.jj 2012-11-15 18:26:56.000000000 +0100
184+++ libgo/go/crypto/ecdsa/ecdsa_test.go 2014-03-05 15:26:38.461442929 +0100
185@@ -33,7 +33,6 @@ func testKeyGeneration(t *testing.T, c e
186 }
187
188 func TestKeyGeneration(t *testing.T) {
189- testKeyGeneration(t, elliptic.P224(), "p224")
190 if testing.Short() {
191 return
192 }
193@@ -63,7 +62,6 @@ func testSignAndVerify(t *testing.T, c e
194 }
195
196 func TestSignAndVerify(t *testing.T) {
197- testSignAndVerify(t, elliptic.P224(), "p224")
198 if testing.Short() {
199 return
200 }
201@@ -129,8 +127,6 @@ func TestVectors(t *testing.T) {
202 parts := strings.SplitN(line, ",", 2)
203
204 switch parts[0] {
205- case "P-224":
206- pub.Curve = elliptic.P224()
207 case "P-256":
208 pub.Curve = elliptic.P256()
209 case "P-384":
210--- libgo/go/crypto/x509/x509.go.jj 2013-11-07 11:59:09.000000000 +0100
211+++ libgo/go/crypto/x509/x509.go 2014-03-05 15:27:37.022439437 +0100
212@@ -305,9 +305,6 @@ func getPublicKeyAlgorithmFromOID(oid as
213
214 // RFC 5480, 2.1.1.1. Named Curve
215 //
216-// secp224r1 OBJECT IDENTIFIER ::= {
217-// iso(1) identified-organization(3) certicom(132) curve(0) 33 }
218-//
219 // secp256r1 OBJECT IDENTIFIER ::= {
220 // iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
221 // prime(1) 7 }
222@@ -320,7 +317,6 @@ func getPublicKeyAlgorithmFromOID(oid as
223 //
224 // NB: secp256r1 is equivalent to prime256v1
225 var (
226- oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
227 oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
228 oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
229 oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
230@@ -328,8 +324,6 @@ var (
231
232 func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
233 switch {
234- case oid.Equal(oidNamedCurveP224):
235- return elliptic.P224()
236 case oid.Equal(oidNamedCurveP256):
237 return elliptic.P256()
238 case oid.Equal(oidNamedCurveP384):
239@@ -342,8 +336,6 @@ func namedCurveFromOID(oid asn1.ObjectId
240
241 func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
242 switch curve {
243- case elliptic.P224():
244- return oidNamedCurveP224, true
245 case elliptic.P256():
246 return oidNamedCurveP256, true
247 case elliptic.P384():
248@@ -1373,7 +1365,7 @@ func CreateCertificate(rand io.Reader, t
249 hashFunc = crypto.SHA1
250 case *ecdsa.PrivateKey:
251 switch priv.Curve {
252- case elliptic.P224(), elliptic.P256():
253+ case elliptic.P256():
254 hashFunc = crypto.SHA256
255 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA256
256 case elliptic.P384():
257--- libgo/go/crypto/elliptic/p224.go.jj 2012-11-15 18:26:57.000000000 +0100
258+++ libgo/go/crypto/elliptic/p224.go 2014-03-05 15:30:01.189430842 +0100
259@@ -1,765 +0,0 @@
260-// Copyright 2012 The Go Authors. All rights reserved.
261-// Use of this source code is governed by a BSD-style
262-// license that can be found in the LICENSE file.
263-
264-package elliptic
265-
266-// This is a constant-time, 32-bit implementation of P224. See FIPS 186-3,
267-// section D.2.2.
268-//
269-// See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background.
270-
271-import (
272- "math/big"
273-)
274-
275-var p224 p224Curve
276-
277-type p224Curve struct {
278- *CurveParams
279- gx, gy, b p224FieldElement
280-}
281-
282-func initP224() {
283- // See FIPS 186-3, section D.2.2
284- p224.CurveParams = new(CurveParams)
285- p224.P, _ = new(big.Int).SetString("26959946667150639794667015087019630673557916260026308143510066298881", 10)
286- p224.N, _ = new(big.Int).SetString("26959946667150639794667015087019625940457807714424391721682722368061", 10)
287- p224.B, _ = new(big.Int).SetString("b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4", 16)
288- p224.Gx, _ = new(big.Int).SetString("b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", 16)
289- p224.Gy, _ = new(big.Int).SetString("bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34", 16)
290- p224.BitSize = 224
291-
292- p224FromBig(&p224.gx, p224.Gx)
293- p224FromBig(&p224.gy, p224.Gy)
294- p224FromBig(&p224.b, p224.B)
295-}
296-
297-// P224 returns a Curve which implements P-224 (see FIPS 186-3, section D.2.2)
298-func P224() Curve {
299- initonce.Do(initAll)
300- return p224
301-}
302-
303-func (curve p224Curve) Params() *CurveParams {
304- return curve.CurveParams
305-}
306-
307-func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
308- var x, y p224FieldElement
309- p224FromBig(&x, bigX)
310- p224FromBig(&y, bigY)
311-
312- // y² = x³ - 3x + b
313- var tmp p224LargeFieldElement
314- var x3 p224FieldElement
315- p224Square(&x3, &x, &tmp)
316- p224Mul(&x3, &x3, &x, &tmp)
317-
318- for i := 0; i < 8; i++ {
319- x[i] *= 3
320- }
321- p224Sub(&x3, &x3, &x)
322- p224Reduce(&x3)
323- p224Add(&x3, &x3, &curve.b)
324- p224Contract(&x3, &x3)
325-
326- p224Square(&y, &y, &tmp)
327- p224Contract(&y, &y)
328-
329- for i := 0; i < 8; i++ {
330- if y[i] != x3[i] {
331- return false
332- }
333- }
334- return true
335-}
336-
337-func (p224Curve) Add(bigX1, bigY1, bigX2, bigY2 *big.Int) (x, y *big.Int) {
338- var x1, y1, z1, x2, y2, z2, x3, y3, z3 p224FieldElement
339-
340- p224FromBig(&x1, bigX1)
341- p224FromBig(&y1, bigY1)
342- if bigX1.Sign() != 0 || bigY1.Sign() != 0 {
343- z1[0] = 1
344- }
345- p224FromBig(&x2, bigX2)
346- p224FromBig(&y2, bigY2)
347- if bigX2.Sign() != 0 || bigY2.Sign() != 0 {
348- z2[0] = 1
349- }
350-
351- p224AddJacobian(&x3, &y3, &z3, &x1, &y1, &z1, &x2, &y2, &z2)
352- return p224ToAffine(&x3, &y3, &z3)
353-}
354-
355-func (p224Curve) Double(bigX1, bigY1 *big.Int) (x, y *big.Int) {
356- var x1, y1, z1, x2, y2, z2 p224FieldElement
357-
358- p224FromBig(&x1, bigX1)
359- p224FromBig(&y1, bigY1)
360- z1[0] = 1
361-
362- p224DoubleJacobian(&x2, &y2, &z2, &x1, &y1, &z1)
363- return p224ToAffine(&x2, &y2, &z2)
364-}
365-
366-func (p224Curve) ScalarMult(bigX1, bigY1 *big.Int, scalar []byte) (x, y *big.Int) {
367- var x1, y1, z1, x2, y2, z2 p224FieldElement
368-
369- p224FromBig(&x1, bigX1)
370- p224FromBig(&y1, bigY1)
371- z1[0] = 1
372-
373- p224ScalarMult(&x2, &y2, &z2, &x1, &y1, &z1, scalar)
374- return p224ToAffine(&x2, &y2, &z2)
375-}
376-
377-func (curve p224Curve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
378- var z1, x2, y2, z2 p224FieldElement
379-
380- z1[0] = 1
381- p224ScalarMult(&x2, &y2, &z2, &curve.gx, &curve.gy, &z1, scalar)
382- return p224ToAffine(&x2, &y2, &z2)
383-}
384-
385-// Field element functions.
386-//
387-// The field that we're dealing with is ℤ/pℤ where p = 2**224 - 2**96 + 1.
388-//
389-// Field elements are represented by a FieldElement, which is a typedef to an
390-// array of 8 uint32's. The value of a FieldElement, a, is:
391-// a[0] + 2**28·a[1] + 2**56·a[1] + ... + 2**196·a[7]
392-//
393-// Using 28-bit limbs means that there's only 4 bits of headroom, which is less
394-// than we would really like. But it has the useful feature that we hit 2**224
395-// exactly, making the reflections during a reduce much nicer.
396-type p224FieldElement [8]uint32
397-
398-// p224P is the order of the field, represented as a p224FieldElement.
399-var p224P = [8]uint32{1, 0, 0, 0xffff000, 0xfffffff, 0xfffffff, 0xfffffff, 0xfffffff}
400-
401-// p224IsZero returns 1 if a == 0 mod p and 0 otherwise.
402-//
403-// a[i] < 2**29
404-func p224IsZero(a *p224FieldElement) uint32 {
405- // Since a p224FieldElement contains 224 bits there are two possible
406- // representations of 0: 0 and p.
407- var minimal p224FieldElement
408- p224Contract(&minimal, a)
409-
410- var isZero, isP uint32
411- for i, v := range minimal {
412- isZero |= v
413- isP |= v - p224P[i]
414- }
415-
416- // If either isZero or isP is 0, then we should return 1.
417- isZero |= isZero >> 16
418- isZero |= isZero >> 8
419- isZero |= isZero >> 4
420- isZero |= isZero >> 2
421- isZero |= isZero >> 1
422-
423- isP |= isP >> 16
424- isP |= isP >> 8
425- isP |= isP >> 4
426- isP |= isP >> 2
427- isP |= isP >> 1
428-
429- // For isZero and isP, the LSB is 0 iff all the bits are zero.
430- result := isZero & isP
431- result = (^result) & 1
432-
433- return result
434-}
435-
436-// p224Add computes *out = a+b
437-//
438-// a[i] + b[i] < 2**32
439-func p224Add(out, a, b *p224FieldElement) {
440- for i := 0; i < 8; i++ {
441- out[i] = a[i] + b[i]
442- }
443-}
444-
445-const two31p3 = 1<<31 + 1<<3
446-const two31m3 = 1<<31 - 1<<3
447-const two31m15m3 = 1<<31 - 1<<15 - 1<<3
448-
449-// p224ZeroModP31 is 0 mod p where bit 31 is set in all limbs so that we can
450-// subtract smaller amounts without underflow. See the section "Subtraction" in
451-// [1] for reasoning.
452-var p224ZeroModP31 = []uint32{two31p3, two31m3, two31m3, two31m15m3, two31m3, two31m3, two31m3, two31m3}
453-
454-// p224Sub computes *out = a-b
455-//
456-// a[i], b[i] < 2**30
457-// out[i] < 2**32
458-func p224Sub(out, a, b *p224FieldElement) {
459- for i := 0; i < 8; i++ {
460- out[i] = a[i] + p224ZeroModP31[i] - b[i]
461- }
462-}
463-
464-// LargeFieldElement also represents an element of the field. The limbs are
465-// still spaced 28-bits apart and in little-endian order. So the limbs are at
466-// 0, 28, 56, ..., 392 bits, each 64-bits wide.
467-type p224LargeFieldElement [15]uint64
468-
469-const two63p35 = 1<<63 + 1<<35
470-const two63m35 = 1<<63 - 1<<35
471-const two63m35m19 = 1<<63 - 1<<35 - 1<<19
472-
473-// p224ZeroModP63 is 0 mod p where bit 63 is set in all limbs. See the section
474-// "Subtraction" in [1] for why.
475-var p224ZeroModP63 = [8]uint64{two63p35, two63m35, two63m35, two63m35, two63m35m19, two63m35, two63m35, two63m35}
476-
477-const bottom12Bits = 0xfff
478-const bottom28Bits = 0xfffffff
479-
480-// p224Mul computes *out = a*b
481-//
482-// a[i] < 2**29, b[i] < 2**30 (or vice versa)
483-// out[i] < 2**29
484-func p224Mul(out, a, b *p224FieldElement, tmp *p224LargeFieldElement) {
485- for i := 0; i < 15; i++ {
486- tmp[i] = 0
487- }
488-
489- for i := 0; i < 8; i++ {
490- for j := 0; j < 8; j++ {
491- tmp[i+j] += uint64(a[i]) * uint64(b[j])
492- }
493- }
494-
495- p224ReduceLarge(out, tmp)
496-}
497-
498-// Square computes *out = a*a
499-//
500-// a[i] < 2**29
501-// out[i] < 2**29
502-func p224Square(out, a *p224FieldElement, tmp *p224LargeFieldElement) {
503- for i := 0; i < 15; i++ {
504- tmp[i] = 0
505- }
506-
507- for i := 0; i < 8; i++ {
508- for j := 0; j <= i; j++ {
509- r := uint64(a[i]) * uint64(a[j])
510- if i == j {
511- tmp[i+j] += r
512- } else {
513- tmp[i+j] += r << 1
514- }
515- }
516- }
517-
518- p224ReduceLarge(out, tmp)
519-}
520-
521-// ReduceLarge converts a p224LargeFieldElement to a p224FieldElement.
522-//
523-// in[i] < 2**62
524-func p224ReduceLarge(out *p224FieldElement, in *p224LargeFieldElement) {
525- for i := 0; i < 8; i++ {
526- in[i] += p224ZeroModP63[i]
527- }
528-
529- // Eliminate the coefficients at 2**224 and greater.
530- for i := 14; i >= 8; i-- {
531- in[i-8] -= in[i]
532- in[i-5] += (in[i] & 0xffff) << 12
533- in[i-4] += in[i] >> 16
534- }
535- in[8] = 0
536- // in[0..8] < 2**64
537-
538- // As the values become small enough, we start to store them in |out|
539- // and use 32-bit operations.
540- for i := 1; i < 8; i++ {
541- in[i+1] += in[i] >> 28
542- out[i] = uint32(in[i] & bottom28Bits)
543- }
544- in[0] -= in[8]
545- out[3] += uint32(in[8]&0xffff) << 12
546- out[4] += uint32(in[8] >> 16)
547- // in[0] < 2**64
548- // out[3] < 2**29
549- // out[4] < 2**29
550- // out[1,2,5..7] < 2**28
551-
552- out[0] = uint32(in[0] & bottom28Bits)
553- out[1] += uint32((in[0] >> 28) & bottom28Bits)
554- out[2] += uint32(in[0] >> 56)
555- // out[0] < 2**28
556- // out[1..4] < 2**29
557- // out[5..7] < 2**28
558-}
559-
560-// Reduce reduces the coefficients of a to smaller bounds.
561-//
562-// On entry: a[i] < 2**31 + 2**30
563-// On exit: a[i] < 2**29
564-func p224Reduce(a *p224FieldElement) {
565- for i := 0; i < 7; i++ {
566- a[i+1] += a[i] >> 28
567- a[i] &= bottom28Bits
568- }
569- top := a[7] >> 28
570- a[7] &= bottom28Bits
571-
572- // top < 2**4
573- mask := top
574- mask |= mask >> 2
575- mask |= mask >> 1
576- mask <<= 31
577- mask = uint32(int32(mask) >> 31)
578- // Mask is all ones if top != 0, all zero otherwise
579-
580- a[0] -= top
581- a[3] += top << 12
582-
583- // We may have just made a[0] negative but, if we did, then we must
584- // have added something to a[3], this it's > 2**12. Therefore we can
585- // carry down to a[0].
586- a[3] -= 1 & mask
587- a[2] += mask & (1<<28 - 1)
588- a[1] += mask & (1<<28 - 1)
589- a[0] += mask & (1 << 28)
590-}
591-
592-// p224Invert calculates *out = in**-1 by computing in**(2**224 - 2**96 - 1),
593-// i.e. Fermat's little theorem.
594-func p224Invert(out, in *p224FieldElement) {
595- var f1, f2, f3, f4 p224FieldElement
596- var c p224LargeFieldElement
597-
598- p224Square(&f1, in, &c) // 2
599- p224Mul(&f1, &f1, in, &c) // 2**2 - 1
600- p224Square(&f1, &f1, &c) // 2**3 - 2
601- p224Mul(&f1, &f1, in, &c) // 2**3 - 1
602- p224Square(&f2, &f1, &c) // 2**4 - 2
603- p224Square(&f2, &f2, &c) // 2**5 - 4
604- p224Square(&f2, &f2, &c) // 2**6 - 8
605- p224Mul(&f1, &f1, &f2, &c) // 2**6 - 1
606- p224Square(&f2, &f1, &c) // 2**7 - 2
607- for i := 0; i < 5; i++ { // 2**12 - 2**6
608- p224Square(&f2, &f2, &c)
609- }
610- p224Mul(&f2, &f2, &f1, &c) // 2**12 - 1
611- p224Square(&f3, &f2, &c) // 2**13 - 2
612- for i := 0; i < 11; i++ { // 2**24 - 2**12
613- p224Square(&f3, &f3, &c)
614- }
615- p224Mul(&f2, &f3, &f2, &c) // 2**24 - 1
616- p224Square(&f3, &f2, &c) // 2**25 - 2
617- for i := 0; i < 23; i++ { // 2**48 - 2**24
618- p224Square(&f3, &f3, &c)
619- }
620- p224Mul(&f3, &f3, &f2, &c) // 2**48 - 1
621- p224Square(&f4, &f3, &c) // 2**49 - 2
622- for i := 0; i < 47; i++ { // 2**96 - 2**48
623- p224Square(&f4, &f4, &c)
624- }
625- p224Mul(&f3, &f3, &f4, &c) // 2**96 - 1
626- p224Square(&f4, &f3, &c) // 2**97 - 2
627- for i := 0; i < 23; i++ { // 2**120 - 2**24
628- p224Square(&f4, &f4, &c)
629- }
630- p224Mul(&f2, &f4, &f2, &c) // 2**120 - 1
631- for i := 0; i < 6; i++ { // 2**126 - 2**6
632- p224Square(&f2, &f2, &c)
633- }
634- p224Mul(&f1, &f1, &f2, &c) // 2**126 - 1
635- p224Square(&f1, &f1, &c) // 2**127 - 2
636- p224Mul(&f1, &f1, in, &c) // 2**127 - 1
637- for i := 0; i < 97; i++ { // 2**224 - 2**97
638- p224Square(&f1, &f1, &c)
639- }
640- p224Mul(out, &f1, &f3, &c) // 2**224 - 2**96 - 1
641-}
642-
643-// p224Contract converts a FieldElement to its unique, minimal form.
644-//
645-// On entry, in[i] < 2**29
646-// On exit, in[i] < 2**28
647-func p224Contract(out, in *p224FieldElement) {
648- copy(out[:], in[:])
649-
650- for i := 0; i < 7; i++ {
651- out[i+1] += out[i] >> 28
652- out[i] &= bottom28Bits
653- }
654- top := out[7] >> 28
655- out[7] &= bottom28Bits
656-
657- out[0] -= top
658- out[3] += top << 12
659-
660- // We may just have made out[i] negative. So we carry down. If we made
661- // out[0] negative then we know that out[3] is sufficiently positive
662- // because we just added to it.
663- for i := 0; i < 3; i++ {
664- mask := uint32(int32(out[i]) >> 31)
665- out[i] += (1 << 28) & mask
666- out[i+1] -= 1 & mask
667- }
668-
669- // We might have pushed out[3] over 2**28 so we perform another, partial,
670- // carry chain.
671- for i := 3; i < 7; i++ {
672- out[i+1] += out[i] >> 28
673- out[i] &= bottom28Bits
674- }
675- top = out[7] >> 28
676- out[7] &= bottom28Bits
677-
678- // Eliminate top while maintaining the same value mod p.
679- out[0] -= top
680- out[3] += top << 12
681-
682- // There are two cases to consider for out[3]:
683- // 1) The first time that we eliminated top, we didn't push out[3] over
684- // 2**28. In this case, the partial carry chain didn't change any values
685- // and top is zero.
686- // 2) We did push out[3] over 2**28 the first time that we eliminated top.
687- // The first value of top was in [0..16), therefore, prior to eliminating
688- // the first top, 0xfff1000 <= out[3] <= 0xfffffff. Therefore, after
689- // overflowing and being reduced by the second carry chain, out[3] <=
690- // 0xf000. Thus it cannot have overflowed when we eliminated top for the
691- // second time.
692-
693- // Again, we may just have made out[0] negative, so do the same carry down.
694- // As before, if we made out[0] negative then we know that out[3] is
695- // sufficiently positive.
696- for i := 0; i < 3; i++ {
697- mask := uint32(int32(out[i]) >> 31)
698- out[i] += (1 << 28) & mask
699- out[i+1] -= 1 & mask
700- }
701-
702- // Now we see if the value is >= p and, if so, subtract p.
703-
704- // First we build a mask from the top four limbs, which must all be
705- // equal to bottom28Bits if the whole value is >= p. If top4AllOnes
706- // ends up with any zero bits in the bottom 28 bits, then this wasn't
707- // true.
708- top4AllOnes := uint32(0xffffffff)
709- for i := 4; i < 8; i++ {
710- top4AllOnes &= out[i]
711- }
712- top4AllOnes |= 0xf0000000
713- // Now we replicate any zero bits to all the bits in top4AllOnes.
714- top4AllOnes &= top4AllOnes >> 16
715- top4AllOnes &= top4AllOnes >> 8
716- top4AllOnes &= top4AllOnes >> 4
717- top4AllOnes &= top4AllOnes >> 2
718- top4AllOnes &= top4AllOnes >> 1
719- top4AllOnes = uint32(int32(top4AllOnes<<31) >> 31)
720-
721- // Now we test whether the bottom three limbs are non-zero.
722- bottom3NonZero := out[0] | out[1] | out[2]
723- bottom3NonZero |= bottom3NonZero >> 16
724- bottom3NonZero |= bottom3NonZero >> 8
725- bottom3NonZero |= bottom3NonZero >> 4
726- bottom3NonZero |= bottom3NonZero >> 2
727- bottom3NonZero |= bottom3NonZero >> 1
728- bottom3NonZero = uint32(int32(bottom3NonZero<<31) >> 31)
729-
730- // Everything depends on the value of out[3].
731- // If it's > 0xffff000 and top4AllOnes != 0 then the whole value is >= p
732- // If it's = 0xffff000 and top4AllOnes != 0 and bottom3NonZero != 0,
733- // then the whole value is >= p
734- // If it's < 0xffff000, then the whole value is < p
735- n := out[3] - 0xffff000
736- out3Equal := n
737- out3Equal |= out3Equal >> 16
738- out3Equal |= out3Equal >> 8
739- out3Equal |= out3Equal >> 4
740- out3Equal |= out3Equal >> 2
741- out3Equal |= out3Equal >> 1
742- out3Equal = ^uint32(int32(out3Equal<<31) >> 31)
743-
744- // If out[3] > 0xffff000 then n's MSB will be zero.
745- out3GT := ^uint32(int32(n) >> 31)
746-
747- mask := top4AllOnes & ((out3Equal & bottom3NonZero) | out3GT)
748- out[0] -= 1 & mask
749- out[3] -= 0xffff000 & mask
750- out[4] -= 0xfffffff & mask
751- out[5] -= 0xfffffff & mask
752- out[6] -= 0xfffffff & mask
753- out[7] -= 0xfffffff & mask
754-}
755-
756-// Group element functions.
757-//
758-// These functions deal with group elements. The group is an elliptic curve
759-// group with a = -3 defined in FIPS 186-3, section D.2.2.
760-
761-// p224AddJacobian computes *out = a+b where a != b.
762-func p224AddJacobian(x3, y3, z3, x1, y1, z1, x2, y2, z2 *p224FieldElement) {
763- // See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-p224Add-2007-bl
764- var z1z1, z2z2, u1, u2, s1, s2, h, i, j, r, v p224FieldElement
765- var c p224LargeFieldElement
766-
767- z1IsZero := p224IsZero(z1)
768- z2IsZero := p224IsZero(z2)
769-
770- // Z1Z1 = Z1²
771- p224Square(&z1z1, z1, &c)
772- // Z2Z2 = Z2²
773- p224Square(&z2z2, z2, &c)
774- // U1 = X1*Z2Z2
775- p224Mul(&u1, x1, &z2z2, &c)
776- // U2 = X2*Z1Z1
777- p224Mul(&u2, x2, &z1z1, &c)
778- // S1 = Y1*Z2*Z2Z2
779- p224Mul(&s1, z2, &z2z2, &c)
780- p224Mul(&s1, y1, &s1, &c)
781- // S2 = Y2*Z1*Z1Z1
782- p224Mul(&s2, z1, &z1z1, &c)
783- p224Mul(&s2, y2, &s2, &c)
784- // H = U2-U1
785- p224Sub(&h, &u2, &u1)
786- p224Reduce(&h)
787- xEqual := p224IsZero(&h)
788- // I = (2*H)²
789- for j := 0; j < 8; j++ {
790- i[j] = h[j] << 1
791- }
792- p224Reduce(&i)
793- p224Square(&i, &i, &c)
794- // J = H*I
795- p224Mul(&j, &h, &i, &c)
796- // r = 2*(S2-S1)
797- p224Sub(&r, &s2, &s1)
798- p224Reduce(&r)
799- yEqual := p224IsZero(&r)
800- if xEqual == 1 && yEqual == 1 && z1IsZero == 0 && z2IsZero == 0 {
801- p224DoubleJacobian(x3, y3, z3, x1, y1, z1)
802- return
803- }
804- for i := 0; i < 8; i++ {
805- r[i] <<= 1
806- }
807- p224Reduce(&r)
808- // V = U1*I
809- p224Mul(&v, &u1, &i, &c)
810- // Z3 = ((Z1+Z2)²-Z1Z1-Z2Z2)*H
811- p224Add(&z1z1, &z1z1, &z2z2)
812- p224Add(&z2z2, z1, z2)
813- p224Reduce(&z2z2)
814- p224Square(&z2z2, &z2z2, &c)
815- p224Sub(z3, &z2z2, &z1z1)
816- p224Reduce(z3)
817- p224Mul(z3, z3, &h, &c)
818- // X3 = r²-J-2*V
819- for i := 0; i < 8; i++ {
820- z1z1[i] = v[i] << 1
821- }
822- p224Add(&z1z1, &j, &z1z1)
823- p224Reduce(&z1z1)
824- p224Square(x3, &r, &c)
825- p224Sub(x3, x3, &z1z1)
826- p224Reduce(x3)
827- // Y3 = r*(V-X3)-2*S1*J
828- for i := 0; i < 8; i++ {
829- s1[i] <<= 1
830- }
831- p224Mul(&s1, &s1, &j, &c)
832- p224Sub(&z1z1, &v, x3)
833- p224Reduce(&z1z1)
834- p224Mul(&z1z1, &z1z1, &r, &c)
835- p224Sub(y3, &z1z1, &s1)
836- p224Reduce(y3)
837-
838- p224CopyConditional(x3, x2, z1IsZero)
839- p224CopyConditional(x3, x1, z2IsZero)
840- p224CopyConditional(y3, y2, z1IsZero)
841- p224CopyConditional(y3, y1, z2IsZero)
842- p224CopyConditional(z3, z2, z1IsZero)
843- p224CopyConditional(z3, z1, z2IsZero)
844-}
845-
846-// p224DoubleJacobian computes *out = a+a.
847-func p224DoubleJacobian(x3, y3, z3, x1, y1, z1 *p224FieldElement) {
848- var delta, gamma, beta, alpha, t p224FieldElement
849- var c p224LargeFieldElement
850-
851- p224Square(&delta, z1, &c)
852- p224Square(&gamma, y1, &c)
853- p224Mul(&beta, x1, &gamma, &c)
854-
855- // alpha = 3*(X1-delta)*(X1+delta)
856- p224Add(&t, x1, &delta)
857- for i := 0; i < 8; i++ {
858- t[i] += t[i] << 1
859- }
860- p224Reduce(&t)
861- p224Sub(&alpha, x1, &delta)
862- p224Reduce(&alpha)
863- p224Mul(&alpha, &alpha, &t, &c)
864-
865- // Z3 = (Y1+Z1)²-gamma-delta
866- p224Add(z3, y1, z1)
867- p224Reduce(z3)
868- p224Square(z3, z3, &c)
869- p224Sub(z3, z3, &gamma)
870- p224Reduce(z3)
871- p224Sub(z3, z3, &delta)
872- p224Reduce(z3)
873-
874- // X3 = alpha²-8*beta
875- for i := 0; i < 8; i++ {
876- delta[i] = beta[i] << 3
877- }
878- p224Reduce(&delta)
879- p224Square(x3, &alpha, &c)
880- p224Sub(x3, x3, &delta)
881- p224Reduce(x3)
882-
883- // Y3 = alpha*(4*beta-X3)-8*gamma²
884- for i := 0; i < 8; i++ {
885- beta[i] <<= 2
886- }
887- p224Sub(&beta, &beta, x3)
888- p224Reduce(&beta)
889- p224Square(&gamma, &gamma, &c)
890- for i := 0; i < 8; i++ {
891- gamma[i] <<= 3
892- }
893- p224Reduce(&gamma)
894- p224Mul(y3, &alpha, &beta, &c)
895- p224Sub(y3, y3, &gamma)
896- p224Reduce(y3)
897-}
898-
899-// p224CopyConditional sets *out = *in iff the least-significant-bit of control
900-// is true, and it runs in constant time.
901-func p224CopyConditional(out, in *p224FieldElement, control uint32) {
902- control <<= 31
903- control = uint32(int32(control) >> 31)
904-
905- for i := 0; i < 8; i++ {
906- out[i] ^= (out[i] ^ in[i]) & control
907- }
908-}
909-
910-func p224ScalarMult(outX, outY, outZ, inX, inY, inZ *p224FieldElement, scalar []byte) {
911- var xx, yy, zz p224FieldElement
912- for i := 0; i < 8; i++ {
913- outX[i] = 0
914- outY[i] = 0
915- outZ[i] = 0
916- }
917-
918- for _, byte := range scalar {
919- for bitNum := uint(0); bitNum < 8; bitNum++ {
920- p224DoubleJacobian(outX, outY, outZ, outX, outY, outZ)
921- bit := uint32((byte >> (7 - bitNum)) & 1)
922- p224AddJacobian(&xx, &yy, &zz, inX, inY, inZ, outX, outY, outZ)
923- p224CopyConditional(outX, &xx, bit)
924- p224CopyConditional(outY, &yy, bit)
925- p224CopyConditional(outZ, &zz, bit)
926- }
927- }
928-}
929-
930-// p224ToAffine converts from Jacobian to affine form.
931-func p224ToAffine(x, y, z *p224FieldElement) (*big.Int, *big.Int) {
932- var zinv, zinvsq, outx, outy p224FieldElement
933- var tmp p224LargeFieldElement
934-
935- if isPointAtInfinity := p224IsZero(z); isPointAtInfinity == 1 {
936- return new(big.Int), new(big.Int)
937- }
938-
939- p224Invert(&zinv, z)
940- p224Square(&zinvsq, &zinv, &tmp)
941- p224Mul(x, x, &zinvsq, &tmp)
942- p224Mul(&zinvsq, &zinvsq, &zinv, &tmp)
943- p224Mul(y, y, &zinvsq, &tmp)
944-
945- p224Contract(&outx, x)
946- p224Contract(&outy, y)
947- return p224ToBig(&outx), p224ToBig(&outy)
948-}
949-
950-// get28BitsFromEnd returns the least-significant 28 bits from buf>>shift,
951-// where buf is interpreted as a big-endian number.
952-func get28BitsFromEnd(buf []byte, shift uint) (uint32, []byte) {
953- var ret uint32
954-
955- for i := uint(0); i < 4; i++ {
956- var b byte
957- if l := len(buf); l > 0 {
958- b = buf[l-1]
959- // We don't remove the byte if we're about to return and we're not
960- // reading all of it.
961- if i != 3 || shift == 4 {
962- buf = buf[:l-1]
963- }
964- }
965- ret |= uint32(b) << (8 * i) >> shift
966- }
967- ret &= bottom28Bits
968- return ret, buf
969-}
970-
971-// p224FromBig sets *out = *in.
972-func p224FromBig(out *p224FieldElement, in *big.Int) {
973- bytes := in.Bytes()
974- out[0], bytes = get28BitsFromEnd(bytes, 0)
975- out[1], bytes = get28BitsFromEnd(bytes, 4)
976- out[2], bytes = get28BitsFromEnd(bytes, 0)
977- out[3], bytes = get28BitsFromEnd(bytes, 4)
978- out[4], bytes = get28BitsFromEnd(bytes, 0)
979- out[5], bytes = get28BitsFromEnd(bytes, 4)
980- out[6], bytes = get28BitsFromEnd(bytes, 0)
981- out[7], bytes = get28BitsFromEnd(bytes, 4)
982-}
983-
984-// p224ToBig returns in as a big.Int.
985-func p224ToBig(in *p224FieldElement) *big.Int {
986- var buf [28]byte
987- buf[27] = byte(in[0])
988- buf[26] = byte(in[0] >> 8)
989- buf[25] = byte(in[0] >> 16)
990- buf[24] = byte(((in[0] >> 24) & 0x0f) | (in[1]<<4)&0xf0)
991-
992- buf[23] = byte(in[1] >> 4)
993- buf[22] = byte(in[1] >> 12)
994- buf[21] = byte(in[1] >> 20)
995-
996- buf[20] = byte(in[2])
997- buf[19] = byte(in[2] >> 8)
998- buf[18] = byte(in[2] >> 16)
999- buf[17] = byte(((in[2] >> 24) & 0x0f) | (in[3]<<4)&0xf0)
1000-
1001- buf[16] = byte(in[3] >> 4)
1002- buf[15] = byte(in[3] >> 12)
1003- buf[14] = byte(in[3] >> 20)
1004-
1005- buf[13] = byte(in[4])
1006- buf[12] = byte(in[4] >> 8)
1007- buf[11] = byte(in[4] >> 16)
1008- buf[10] = byte(((in[4] >> 24) & 0x0f) | (in[5]<<4)&0xf0)
1009-
1010- buf[9] = byte(in[5] >> 4)
1011- buf[8] = byte(in[5] >> 12)
1012- buf[7] = byte(in[5] >> 20)
1013-
1014- buf[6] = byte(in[6])
1015- buf[5] = byte(in[6] >> 8)
1016- buf[4] = byte(in[6] >> 16)
1017- buf[3] = byte(((in[6] >> 24) & 0x0f) | (in[7]<<4)&0xf0)
1018-
1019- buf[2] = byte(in[7] >> 4)
1020- buf[1] = byte(in[7] >> 12)
1021- buf[0] = byte(in[7] >> 20)
1022-
1023- return new(big.Int).SetBytes(buf[:])
1024-}
1025--- libgo/go/crypto/elliptic/p224_test.go.jj 2012-11-15 18:26:57.000000000 +0100
1026+++ libgo/go/crypto/elliptic/p224_test.go 2014-03-05 15:29:58.743430988 +0100
1027@@ -1,47 +0,0 @@
1028-// Copyright 2012 The Go Authors. All rights reserved.
1029-// Use of this source code is governed by a BSD-style
1030-// license that can be found in the LICENSE file.
1031-
1032-package elliptic
1033-
1034-import (
1035- "math/big"
1036- "testing"
1037-)
1038-
1039-var toFromBigTests = []string{
1040- "0",
1041- "1",
1042- "23",
1043- "b70e0cb46bb4bf7f321390b94a03c1d356c01122343280d6105c1d21",
1044- "706a46d476dcb76798e6046d89474788d164c18032d268fd10704fa6",
1045-}
1046-
1047-func p224AlternativeToBig(in *p224FieldElement) *big.Int {
1048- ret := new(big.Int)
1049- tmp := new(big.Int)
1050-
1051- for i := uint(0); i < 8; i++ {
1052- tmp.SetInt64(int64(in[i]))
1053- tmp.Lsh(tmp, 28*i)
1054- ret.Add(ret, tmp)
1055- }
1056- ret.Mod(ret, p224.P)
1057- return ret
1058-}
1059-
1060-func TestToFromBig(t *testing.T) {
1061- for i, test := range toFromBigTests {
1062- n, _ := new(big.Int).SetString(test, 16)
1063- var x p224FieldElement
1064- p224FromBig(&x, n)
1065- m := p224ToBig(&x)
1066- if n.Cmp(m) != 0 {
1067- t.Errorf("#%d: %x != %x", i, n, m)
1068- }
1069- q := p224AlternativeToBig(&x)
1070- if n.Cmp(q) != 0 {
1071- t.Errorf("#%d: %x != %x (alternative)", i, n, m)
1072- }
1073- }
1074-}
1075--- libgo/go/crypto/elliptic/p256.go.jj 2013-11-07 11:59:09.000000000 +0100
1076+++ libgo/go/crypto/elliptic/p256.go 2014-03-05 15:34:31.910414701 +0100
1077@@ -233,6 +233,8 @@ func p256ReduceCarry(inout *[p256Limbs]u
1078 inout[7] += carry << 25
1079 }
1080
1081+const bottom28Bits = 0xfffffff
1082+
1083 // p256Sum sets out = in+in2.
1084 //
1085 // On entry, in[i]+in2[i] must not overflow a 32-bit word.
1086@@ -265,6 +267,7 @@ const (
1087 two31m2 = 1<<31 - 1<<2
1088 two31p24m2 = 1<<31 + 1<<24 - 1<<2
1089 two30m27m2 = 1<<30 - 1<<27 - 1<<2
1090+ two31m3 = 1<<31 - 1<<3
1091 )
1092
1093 // p256Zero31 is 0 mod p.
Cross C compiler
This page took 1.534991 seconds and 4 git commands to generate.