diff --git a/build.rs b/build.rs index f7b94108b7..2f4aec058b 100644 --- a/build.rs +++ b/build.rs @@ -39,7 +39,6 @@ const RING_SRCS: &[(&[&str], &str)] = &[ (&[], "crypto/fipsmodule/bn/montgomery.c"), (&[], "crypto/fipsmodule/bn/montgomery_inv.c"), (&[], "crypto/fipsmodule/ec/ecp_nistz.c"), - (&[], "crypto/fipsmodule/ec/gfp_p256.c"), (&[], "crypto/fipsmodule/ec/gfp_p384.c"), (&[], "crypto/fipsmodule/ec/p256.c"), (&[], "crypto/limbs/limbs.c"), @@ -966,7 +965,6 @@ fn prefix_all_symbols(pp: char, prefix_prefix: &str, prefix: &str) -> String { "p384_point_add", "p384_point_double", "p384_point_mul", - "p384_scalar_mul_mont", "openssl_poly1305_neon2_addmulmod", "openssl_poly1305_neon2_blocks", "sha256_block_data_order", diff --git a/crypto/fipsmodule/ec/gfp_p256.c b/crypto/fipsmodule/ec/gfp_p256.c deleted file mode 100644 index d82938ed52..0000000000 --- a/crypto/fipsmodule/ec/gfp_p256.c +++ /dev/null @@ -1,54 +0,0 @@ -/* Copyright 2016 Brian Smith. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include "./p256_shared.h" - -#include "../../limbs/limbs.h" - -#if !defined(OPENSSL_USE_NISTZ256) - -typedef Limb ScalarMont[P256_LIMBS]; -typedef Limb Scalar[P256_LIMBS]; - -#include "../bn/internal.h" - -static const BN_ULONG N[P256_LIMBS] = { -#if defined(OPENSSL_64_BIT) - 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000 -#else - 0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, 0xffffffff, 0xffffffff, 0, - 0xffffffff -#endif -}; - -static const BN_ULONG N_N0[] = { - BN_MONT_CTX_N0(0xccd1c8aa, 0xee00bc4f) -}; - -void p256_scalar_mul_mont(ScalarMont r, const ScalarMont a, - const ScalarMont b) { - /* XXX: Inefficient. TODO: optimize with dedicated multiplication routine. */ - bn_mul_mont(r, a, b, N, N_N0, P256_LIMBS); -} - -/* XXX: Inefficient. TODO: optimize with dedicated squaring routine. */ -void p256_scalar_sqr_rep_mont(ScalarMont r, const ScalarMont a, Limb rep) { - dev_assert_secret(rep >= 1); - p256_scalar_mul_mont(r, a, a); - for (Limb i = 1; i < rep; ++i) { - p256_scalar_mul_mont(r, r, r); - } -} - -#endif diff --git a/crypto/fipsmodule/ec/gfp_p384.c b/crypto/fipsmodule/ec/gfp_p384.c index 90065eaeb0..594b2138ec 100644 --- a/crypto/fipsmodule/ec/gfp_p384.c +++ b/crypto/fipsmodule/ec/gfp_p384.c @@ -39,16 +39,6 @@ static const BN_ULONG Q[P384_LIMBS] = { #endif }; -static const BN_ULONG N[P384_LIMBS] = { -#if defined(OPENSSL_64_BIT) - 0xecec196accc52973, 0x581a0db248b0a77a, 0xc7634d81f4372ddf, 0xffffffffffffffff, - 0xffffffffffffffff, 0xffffffffffffffff -#else - 0xccc52973, 0xecec196a, 0x48b0a77a, 0x581a0db2, 0xf4372ddf, 0xc7634d81, - 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff -#endif -}; - static const BN_ULONG ONE[P384_LIMBS] = { #if defined(OPENSSL_64_BIT) 0xffffffff00000001, 0xffffffff, 1, 0, 0 @@ -71,10 +61,6 @@ static const BN_ULONG Q_N0[] = { BN_MONT_CTX_N0(1, 1) }; -static const BN_ULONG N_N0[] = { - BN_MONT_CTX_N0(0x6ed46089, 0xe88fdc45) -}; - /* XXX: MSVC for x86 warns when it fails to inline these functions it should * probably inline. */ #if defined(_MSC_VER) && !defined(__clang__) && defined(OPENSSL_X86) @@ -212,13 +198,6 @@ void p384_elem_neg(Elem r, const Elem a) { } -void p384_scalar_mul_mont(ScalarMont r, const ScalarMont a, - const ScalarMont b) { - /* XXX: Inefficient. TODO: Add dedicated multiplication routine. */ - bn_mul_mont(r, a, b, N, N_N0, P384_LIMBS); -} - - /* TODO(perf): Optimize this. */ static void p384_point_select_w5(P384_POINT *out, diff --git a/mk/generate_curves.py b/mk/generate_curves.py index 60c6884d20..c817fc90f0 100644 --- a/mk/generate_curves.py +++ b/mk/generate_curves.py @@ -209,6 +209,8 @@ p%(bits)d_elem_mul_mont(r, a, a); } +mul_mont! { p%(bits)s_scalar_mul_mont(n0: 0x_6ed46089_e88fdc45; modulus: &COMMON_OPS.n) } + prefixed_extern! { fn p%(bits)s_elem_mul_mont( r: *mut Limb, // [COMMON_OPS.num_limbs] @@ -227,12 +229,6 @@ p_x: *const Limb, // [COMMON_OPS.num_limbs] p_y: *const Limb, // [COMMON_OPS.num_limbs] ); - - fn p%(bits)s_scalar_mul_mont( - r: *mut Limb, // [COMMON_OPS.num_limbs] - a: *const Limb, // [COMMON_OPS.num_limbs] - b: *const Limb, // [COMMON_OPS.num_limbs] - ); }""" @@ -323,6 +319,7 @@ def generate_rs(g, out_dir): "q_minus_n" : q - n, "oneRR_mod_n": rr(n), "n_minus_2": n_minus_2, + "n_n0": format_n0_rs(n), } out_path = os.path.join(out_dir, "%s.rs" % name) @@ -359,10 +356,6 @@ def generate_rs(g, out_dir): %(q)s }; -static const BN_ULONG N[P%(bits)d_LIMBS] = { -%(n)s -}; - static const BN_ULONG ONE[P%(bits)d_LIMBS] = { %(q_one)s }; @@ -375,10 +368,6 @@ def generate_rs(g, out_dir): %(q_n0)s }; -static const BN_ULONG N_N0[] = { - %(n_n0)s -}; - """ # Given a number |x|, return a generator of a sequence |a| such that @@ -417,12 +406,18 @@ def format_big_int(x, limb_count): %s #endif""" % (big, small) -def format_n0(p): +def format_n0_c(p): value = modinv(-p, 2**64) hi = value // (2**32) lo = value % (2**32) return "BN_MONT_CTX_N0(%s, %s)" % (format_limb(hi), format_limb(lo)) +def format_n0_rs(p): + value = modinv(-p, 2**64) + hi = value // (2**32) + lo = value % (2**32) + return "0x_%08x_%08x" % (hi, lo) + def const(value): return lambda _limb_bits: value @@ -438,11 +433,9 @@ def generate_c(g, out_dir): output = c_template % { "bits": q.bit_length(), "q" : format_big_int(const(q), big_int_limbs(q)), - "q_n0": format_n0(q), + "q_n0": format_n0_c(q), "q_one" : format_big_int(lambda limb_bits: to_montgomery_value(1, q, limb_bits), big_int_limbs(q)), "q_plus_1_shr_1": format_big_int(const((q + 1) >> 1), big_int_limbs(q)), - "n" : format_big_int(const(n), big_int_limbs(q)), - "n_n0": format_n0(n), } out_path = os.path.join(out_dir, "gfp_%s.c" % name) diff --git a/src/arithmetic/montgomery.rs b/src/arithmetic/montgomery.rs index a155ec36bc..ff0ac787b8 100644 --- a/src/arithmetic/montgomery.rs +++ b/src/arithmetic/montgomery.rs @@ -120,7 +120,7 @@ use crate::{bssl, c, limb::Limb}; // TODO: Stop calling this from C and un-export it. #[allow(deprecated)] prefixed_export! { - pub(super) unsafe fn bn_mul_mont( + pub unsafe fn bn_mul_mont( r: *mut Limb, a: *const Limb, b: *const Limb, @@ -226,7 +226,7 @@ prefixed_extern! { ))] prefixed_extern! { // `r` and/or 'a' and/or 'b' may alias. - pub(super) fn bn_mul_mont( + pub fn bn_mul_mont( r: *mut Limb, a: *const Limb, b: *const Limb, diff --git a/src/ec/suite_b/ops.rs b/src/ec/suite_b/ops.rs index eeb15fe8da..b1ea5bbee9 100644 --- a/src/ec/suite_b/ops.rs +++ b/src/ec/suite_b/ops.rs @@ -687,22 +687,10 @@ mod tests { }) } - #[test] - fn p256_scalar_square_test() { - prefixed_extern! { - fn p256_scalar_sqr_rep_mont(r: *mut Limb, a: *const Limb, rep: Limb); - } - scalar_square_test( - &p256::SCALAR_OPS, - p256_scalar_sqr_rep_mont, - test_file!("ops/p256_scalar_square_tests.txt"), - ); - } - // XXX: There's no `p384_scalar_square_test()` because there's no dedicated // `p384_scalar_sqr_rep_mont()`. - fn scalar_square_test( + pub(super) fn scalar_square_test( ops: &ScalarOps, sqr_rep: unsafe extern "C" fn(r: *mut Limb, a: *const Limb, rep: Limb), test_file: test::File, @@ -1154,5 +1142,7 @@ mod tests { } mod elem; +#[macro_use] +mod boilerplate; pub mod p256; pub mod p384; diff --git a/src/ec/suite_b/ops/boilerplate.rs b/src/ec/suite_b/ops/boilerplate.rs new file mode 100644 index 0000000000..b870795f80 --- /dev/null +++ b/src/ec/suite_b/ops/boilerplate.rs @@ -0,0 +1,20 @@ +macro_rules! mul_mont { + { $visibility:vis $name:ident(n0: $n0:expr; modulus: $modulus:expr) } => { + $visibility unsafe extern "C" fn $name( + r: *mut crate::limb::Limb, // [COMMON_OPS.num_limbs] + a: *const crate::limb::Limb, // [COMMON_OPS.num_limbs] + b: *const crate::limb::Limb, // [COMMON_OPS.num_limbs] + ) { + use crate::arithmetic::montgomery::{bn_mul_mont, N0}; + static N_N0: N0 = N0::precalculated($n0); + bn_mul_mont( + r, + a, + b, + $modulus.limbs.as_ptr(), + &N_N0, + COMMON_OPS.num_limbs, + ) + } + } +} diff --git a/src/ec/suite_b/ops/p256.rs b/src/ec/suite_b/ops/p256.rs index 92bd3c9612..2e8e4525ad 100644 --- a/src/ec/suite_b/ops/p256.rs +++ b/src/ec/suite_b/ops/p256.rs @@ -307,21 +307,52 @@ prefixed_extern! { p_x: *const Limb, // [COMMON_OPS.num_limbs] p_y: *const Limb, // [COMMON_OPS.num_limbs] ); +} - fn p256_scalar_mul_mont( - r: *mut Limb, // [COMMON_OPS.num_limbs] - a: *const Limb, // [COMMON_OPS.num_limbs] - b: *const Limb, // [COMMON_OPS.num_limbs] - ); - fn p256_scalar_sqr_rep_mont( - r: *mut Limb, // [COMMON_OPS.num_limbs] - a: *const Limb, // [COMMON_OPS.num_limbs] +#[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))] +mod scalar_ops { + use crate::limb::Limb; + + prefixed_extern! { + pub(super) fn p256_scalar_mul_mont( + r: *mut Limb, // [COMMON_OPS.num_limbs] + a: *const Limb, // [COMMON_OPS.num_limbs] + b: *const Limb, // [COMMON_OPS.num_limbs] + ); + pub(super) fn p256_scalar_sqr_rep_mont( + r: *mut Limb, // [COMMON_OPS.num_limbs] + a: *const Limb, // [COMMON_OPS.num_limbs] + rep: Limb, + ); + } +} + +#[cfg(not(any(target_arch = "aarch64", target_arch = "x86_64")))] +mod scalar_ops { + use super::COMMON_OPS; + use crate::limb::Limb; + + mul_mont! { pub(super) p256_scalar_mul_mont(n0: 0x_ccd1c8aa_ee00bc4f; modulus: &COMMON_OPS.n) } + + pub(super) unsafe extern "C" fn p256_scalar_sqr_rep_mont( + r: *mut Limb, + a: *const Limb, rep: Limb, - ); + ) { + debug_assert!(rep >= 1); + p256_scalar_mul_mont(r, a, a); + for _ in 1..rep { + p256_scalar_mul_mont(r, r, r); + } + } } +use scalar_ops::*; + #[cfg(test)] mod tests { + use super::{super::tests::scalar_square_test, *}; + #[cfg(any(target_arch = "aarch64", target_arch = "x86_64"))] #[test] fn p256_point_mul_base_vartime_test() { @@ -332,4 +363,13 @@ mod tests { test_file!("p256_point_mul_base_tests.txt"), ); } + + #[test] + fn p256_scalar_square_test() { + scalar_square_test( + &p256::SCALAR_OPS, + p256_scalar_sqr_rep_mont, + test_file!("p256_scalar_square_tests.txt"), + ); + } } diff --git a/src/ec/suite_b/ops/p384.rs b/src/ec/suite_b/ops/p384.rs index 369db2b289..d971ffb9c0 100644 --- a/src/ec/suite_b/ops/p384.rs +++ b/src/ec/suite_b/ops/p384.rs @@ -278,6 +278,8 @@ unsafe extern "C" fn p384_elem_sqr_mont( p384_elem_mul_mont(r, a, a); } +mul_mont! { p384_scalar_mul_mont(n0: 0x_6ed46089_e88fdc45; modulus: &COMMON_OPS.n) } + prefixed_extern! { fn p384_elem_mul_mont( r: *mut Limb, // [COMMON_OPS.num_limbs] @@ -296,10 +298,4 @@ prefixed_extern! { p_x: *const Limb, // [COMMON_OPS.num_limbs] p_y: *const Limb, // [COMMON_OPS.num_limbs] ); - - fn p384_scalar_mul_mont( - r: *mut Limb, // [COMMON_OPS.num_limbs] - a: *const Limb, // [COMMON_OPS.num_limbs] - b: *const Limb, // [COMMON_OPS.num_limbs] - ); }