Message-ID: <201808272027.eXC6MLgJ%fengguang.wu@intel.com>
Date:   Mon, 27 Aug 2018 20:52:37 +0800
From:   kbuild test robot <lkp@...el.com>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     kbuild-all@...org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, davem@...emloft.net,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        Greg KH <gregkh@...uxfoundation.org>
Subject: Re: [PATCH v2 17/17] net: WireGuard secure network tunnel

Hi Jason,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v4.19-rc1 next-20180827]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Jason-A-Donenfeld/WireGuard-Secure-Network-Tunnel/20180827-073051
config: um-allmodconfig (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=um 

All error/warnings (new ones prefixed by >>):

   In file included from lib/zinc/chacha20/chacha20-x86_64-glue.h:8:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from <command-line>:0:0:
   At top level:
   lib/zinc/chacha20/chacha20-x86_64-glue.h:27:13: warning: 'chacha20_use_avx512vl' defined but not used [-Wunused-variable]
    static bool chacha20_use_avx512vl __ro_after_init;
                ^~~~~~~~~~~~~~~~~~~~~
   lib/zinc/chacha20/chacha20-x86_64-glue.h:26:13: warning: 'chacha20_use_avx512' defined but not used [-Wunused-variable]
    static bool chacha20_use_avx512 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~~
   lib/zinc/chacha20/chacha20-x86_64-glue.h:25:13: warning: 'chacha20_use_avx2' defined but not used [-Wunused-variable]
    static bool chacha20_use_avx2 __ro_after_init;
                ^~~~~~~~~~~~~~~~~
   lib/zinc/chacha20/chacha20-x86_64-glue.h:24:13: warning: 'chacha20_use_ssse3' defined but not used [-Wunused-variable]
    static bool chacha20_use_ssse3 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~
--
   In file included from lib/zinc/poly1305/poly1305-x86_64-glue.h:8:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from <command-line>:0:0:
   At top level:
   lib/zinc/poly1305/poly1305-x86_64-glue.h:28:13: warning: 'poly1305_use_avx512' defined but not used [-Wunused-variable]
    static bool poly1305_use_avx512 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~~
   lib/zinc/poly1305/poly1305-x86_64-glue.h:27:13: warning: 'poly1305_use_avx2' defined but not used [-Wunused-variable]
    static bool poly1305_use_avx2 __ro_after_init;
                ^~~~~~~~~~~~~~~~~
   lib/zinc/poly1305/poly1305-x86_64-glue.h:26:13: warning: 'poly1305_use_avx' defined but not used [-Wunused-variable]
    static bool poly1305_use_avx __ro_after_init;
                ^~~~~~~~~~~~~~~~
--
   In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:7:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:49:41: error: 'NBUGINTS' undeclared here (not in a function)
    extern const char * const x86_bug_flags[NBUGINTS*32];
                                            ^~~~~~~~
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:196:24: error: 'X86_FEATURE_ALWAYS' undeclared (first use in this function)
           [always]   "i" (X86_FEATURE_ALWAYS),
                           ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   arch/x86/include/asm/cpufeature.h:196:24: note: each undeclared identifier is reported only once for each function it appears in
           [always]   "i" (X86_FEATURE_ALWAYS),
                           ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib/zinc/curve25519/curve25519-x86_64.h: In function 'inv_eltfp25519_1w_adx':
>> lib/zinc/curve25519/curve25519-x86_64.h:1543:2: error: implicit declaration of function 'memzero_explicit' [-Werror=implicit-function-declaration]
     memzero_explicit(&m, sizeof(m));
     ^~~~~~~~~~~~~~~~
   In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib/zinc/curve25519/curve25519-x86_64.h: In function 'curve25519_adx':
>> lib/zinc/curve25519/curve25519-x86_64.h:1706:2: error: implicit declaration of function 'memcpy'; did you mean 'pte_copy'? [-Werror=implicit-function-declaration]
     memcpy(m.private, private_key, sizeof(m.private));
     ^~~~~~
     pte_copy
   In file included from <command-line>:0:0:
   lib/zinc/curve25519/curve25519-x86_64-glue.h: At top level:
>> lib/zinc/curve25519/curve25519-x86_64-glue.h:12:33: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init'
    static bool curve25519_use_bmi2 __ro_after_init;
                                    ^~~~~~~~~~~~~~~
   lib/zinc/curve25519/curve25519-x86_64-glue.h:13:32: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init'
    static bool curve25519_use_adx __ro_after_init;
                                   ^~~~~~~~~~~~~~~
>> lib/zinc/curve25519/curve25519-x86_64-glue.h:15:13: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'curve25519_fpu_init'
    void __init curve25519_fpu_init(void)
                ^~~~~~~~~~~~~~~~~~~
   In file included from <command-line>:0:0:
   lib/zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_arch':
>> lib/zinc/curve25519/curve25519-x86_64-glue.h:23:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'?
     if (curve25519_use_adx) {
         ^~~~~~~~~~~~~~~~~~
         curve25519_adx
>> lib/zinc/curve25519/curve25519-x86_64-glue.h:26:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'?
     } else if (curve25519_use_bmi2) {
                ^~~~~~~~~~~~~~~~~~~
                curve25519_use_adx
   lib/zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_base_arch':
   lib/zinc/curve25519/curve25519-x86_64-glue.h:35:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'?
     if (curve25519_use_adx) {
         ^~~~~~~~~~~~~~~~~~
         curve25519_adx
   lib/zinc/curve25519/curve25519-x86_64-glue.h:38:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'?
     } else if (curve25519_use_bmi2) {
                ^~~~~~~~~~~~~~~~~~~
                curve25519_use_adx
   In file included from arch/x86/include/asm/string.h:5:0,
                    from include/linux/string.h:20,
                    from lib/zinc/curve25519/curve25519.c:9:
   arch/x86/include/asm/string_64.h: At top level:
>> arch/x86/include/asm/string_64.h:32:14: error: conflicting types for 'memcpy'
    extern void *memcpy(void *to, const void *from, size_t len);
                 ^~~~~~
   In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib/zinc/curve25519/curve25519-x86_64.h:1706:2: note: previous implicit declaration of 'memcpy' was here
     memcpy(m.private, private_key, sizeof(m.private));
     ^~~~~~
   In file included from lib/zinc/curve25519/curve25519.c:9:0:
>> include/linux/string.h:216:6: warning: conflicting types for 'memzero_explicit'
    void memzero_explicit(void *s, size_t count);
         ^~~~~~~~~~~~~~~~
   In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib/zinc/curve25519/curve25519-x86_64.h:1543:2: note: previous implicit declaration of 'memzero_explicit' was here
     memzero_explicit(&m, sizeof(m));
     ^~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors
--
   In file included from lib/zinc/blake2s/blake2s-x86_64-glue.h:7:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from <command-line>:0:0:
   At top level:
   lib/zinc/blake2s/blake2s-x86_64-glue.h:20:13: warning: 'blake2s_use_avx512' defined but not used [-Wunused-variable]
    static bool blake2s_use_avx512 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~
   lib/zinc/blake2s/blake2s-x86_64-glue.h:19:13: warning: 'blake2s_use_avx' defined but not used [-Wunused-variable]
    static bool blake2s_use_avx __ro_after_init;
                ^~~~~~~~~~~~~~~
--
   In file included from lib//zinc/chacha20/chacha20-x86_64-glue.h:8:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from <command-line>:0:0:
   At top level:
   lib//zinc/chacha20/chacha20-x86_64-glue.h:27:13: warning: 'chacha20_use_avx512vl' defined but not used [-Wunused-variable]
    static bool chacha20_use_avx512vl __ro_after_init;
                ^~~~~~~~~~~~~~~~~~~~~
   lib//zinc/chacha20/chacha20-x86_64-glue.h:26:13: warning: 'chacha20_use_avx512' defined but not used [-Wunused-variable]
    static bool chacha20_use_avx512 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~~
   lib//zinc/chacha20/chacha20-x86_64-glue.h:25:13: warning: 'chacha20_use_avx2' defined but not used [-Wunused-variable]
    static bool chacha20_use_avx2 __ro_after_init;
                ^~~~~~~~~~~~~~~~~
   lib//zinc/chacha20/chacha20-x86_64-glue.h:24:13: warning: 'chacha20_use_ssse3' defined but not used [-Wunused-variable]
    static bool chacha20_use_ssse3 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~
--
   In file included from lib//zinc/poly1305/poly1305-x86_64-glue.h:8:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from <command-line>:0:0:
   At top level:
   lib//zinc/poly1305/poly1305-x86_64-glue.h:28:13: warning: 'poly1305_use_avx512' defined but not used [-Wunused-variable]
    static bool poly1305_use_avx512 __ro_after_init;
                ^~~~~~~~~~~~~~~~~~~
   lib//zinc/poly1305/poly1305-x86_64-glue.h:27:13: warning: 'poly1305_use_avx2' defined but not used [-Wunused-variable]
    static bool poly1305_use_avx2 __ro_after_init;
                ^~~~~~~~~~~~~~~~~
   lib//zinc/poly1305/poly1305-x86_64-glue.h:26:13: warning: 'poly1305_use_avx' defined but not used [-Wunused-variable]
    static bool poly1305_use_avx __ro_after_init;
                ^~~~~~~~~~~~~~~~
--
   In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:7:0,
                    from <command-line>:0:
>> arch/x86/include/asm/cpufeature.h:49:41: error: 'NBUGINTS' undeclared here (not in a function)
    extern const char * const x86_bug_flags[NBUGINTS*32];
                                            ^~~~~~~~
>> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration
    extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
                                     ^~~~~~~~~~~
   In file included from include/linux/compiler_types.h:64:0,
                    from <command-line>:0:
   arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has':
>> arch/x86/include/asm/cpufeature.h:196:24: error: 'X86_FEATURE_ALWAYS' undeclared (first use in this function)
           [always]   "i" (X86_FEATURE_ALWAYS),
                           ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   arch/x86/include/asm/cpufeature.h:196:24: note: each undeclared identifier is reported only once for each function it appears in
           [always]   "i" (X86_FEATURE_ALWAYS),
                           ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
>> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability'
           [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3])
                                                       ^
   include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto'
    #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                                  ^
   In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib//zinc/curve25519/curve25519-x86_64.h: In function 'inv_eltfp25519_1w_adx':
   lib//zinc/curve25519/curve25519-x86_64.h:1543:2: error: implicit declaration of function 'memzero_explicit' [-Werror=implicit-function-declaration]
     memzero_explicit(&m, sizeof(m));
     ^~~~~~~~~~~~~~~~
   In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib//zinc/curve25519/curve25519-x86_64.h: In function 'curve25519_adx':
   lib//zinc/curve25519/curve25519-x86_64.h:1706:2: error: implicit declaration of function 'memcpy'; did you mean 'pte_copy'? [-Werror=implicit-function-declaration]
     memcpy(m.private, private_key, sizeof(m.private));
     ^~~~~~
     pte_copy
   In file included from <command-line>:0:0:
   lib//zinc/curve25519/curve25519-x86_64-glue.h: At top level:
   lib//zinc/curve25519/curve25519-x86_64-glue.h:12:33: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init'
    static bool curve25519_use_bmi2 __ro_after_init;
                                    ^~~~~~~~~~~~~~~
   lib//zinc/curve25519/curve25519-x86_64-glue.h:13:32: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init'
    static bool curve25519_use_adx __ro_after_init;
                                   ^~~~~~~~~~~~~~~
   lib//zinc/curve25519/curve25519-x86_64-glue.h:15:13: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'curve25519_fpu_init'
    void __init curve25519_fpu_init(void)
                ^~~~~~~~~~~~~~~~~~~
   In file included from <command-line>:0:0:
   lib//zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_arch':
   lib//zinc/curve25519/curve25519-x86_64-glue.h:23:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'?
     if (curve25519_use_adx) {
         ^~~~~~~~~~~~~~~~~~
         curve25519_adx
   lib//zinc/curve25519/curve25519-x86_64-glue.h:26:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'?
     } else if (curve25519_use_bmi2) {
                ^~~~~~~~~~~~~~~~~~~
                curve25519_use_adx
   lib//zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_base_arch':
   lib//zinc/curve25519/curve25519-x86_64-glue.h:35:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'?
     if (curve25519_use_adx) {
         ^~~~~~~~~~~~~~~~~~
         curve25519_adx
   lib//zinc/curve25519/curve25519-x86_64-glue.h:38:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'?
     } else if (curve25519_use_bmi2) {
                ^~~~~~~~~~~~~~~~~~~
                curve25519_use_adx
   In file included from arch/x86/include/asm/string.h:5:0,
                    from include/linux/string.h:20,
                    from lib//zinc/curve25519/curve25519.c:9:
   arch/x86/include/asm/string_64.h: At top level:
>> arch/x86/include/asm/string_64.h:32:14: error: conflicting types for 'memcpy'
    extern void *memcpy(void *to, const void *from, size_t len);
                 ^~~~~~
   In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib//zinc/curve25519/curve25519-x86_64.h:1706:2: note: previous implicit declaration of 'memcpy' was here
     memcpy(m.private, private_key, sizeof(m.private));
     ^~~~~~
   In file included from lib//zinc/curve25519/curve25519.c:9:0:
>> include/linux/string.h:216:6: warning: conflicting types for 'memzero_explicit'
    void memzero_explicit(void *s, size_t count);
         ^~~~~~~~~~~~~~~~
   In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0,
                    from <command-line>:0:
   lib//zinc/curve25519/curve25519-x86_64.h:1543:2: note: previous implicit declaration of 'memzero_explicit' was here
     memzero_explicit(&m, sizeof(m));
     ^~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors
..

vim +/memzero_explicit +1543 lib/zinc/curve25519/curve25519-x86_64.h

468c57c7 Jason A. Donenfeld 2018-08-24  1498  
468c57c7 Jason A. Donenfeld 2018-08-24  1499  static void inv_eltfp25519_1w_adx(u64 *const c, const u64 *const a)
468c57c7 Jason A. Donenfeld 2018-08-24  1500  {
468c57c7 Jason A. Donenfeld 2018-08-24  1501  	struct {
468c57c7 Jason A. Donenfeld 2018-08-24  1502  		eltfp25519_1w_buffer buffer;
468c57c7 Jason A. Donenfeld 2018-08-24  1503  		eltfp25519_1w x0, x1, x2;
468c57c7 Jason A. Donenfeld 2018-08-24  1504  	} __aligned(32) m;
468c57c7 Jason A. Donenfeld 2018-08-24  1505  	u64 *T[4];
468c57c7 Jason A. Donenfeld 2018-08-24  1506  
468c57c7 Jason A. Donenfeld 2018-08-24  1507  	T[0] = m.x0;
468c57c7 Jason A. Donenfeld 2018-08-24  1508  	T[1] = c; /* x^(-1) */
468c57c7 Jason A. Donenfeld 2018-08-24  1509  	T[2] = m.x1;
468c57c7 Jason A. Donenfeld 2018-08-24  1510  	T[3] = m.x2;
468c57c7 Jason A. Donenfeld 2018-08-24  1511  
468c57c7 Jason A. Donenfeld 2018-08-24  1512  	copy_eltfp25519_1w(T[1], a);
468c57c7 Jason A. Donenfeld 2018-08-24  1513  	sqrn_eltfp25519_1w_adx(T[1], 1);
468c57c7 Jason A. Donenfeld 2018-08-24  1514  	copy_eltfp25519_1w(T[2], T[1]);
468c57c7 Jason A. Donenfeld 2018-08-24  1515  	sqrn_eltfp25519_1w_adx(T[2], 2);
468c57c7 Jason A. Donenfeld 2018-08-24  1516  	mul_eltfp25519_1w_adx(T[0], a, T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1517  	mul_eltfp25519_1w_adx(T[1], T[1], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1518  	copy_eltfp25519_1w(T[2], T[1]);
468c57c7 Jason A. Donenfeld 2018-08-24  1519  	sqrn_eltfp25519_1w_adx(T[2], 1);
468c57c7 Jason A. Donenfeld 2018-08-24  1520  	mul_eltfp25519_1w_adx(T[0], T[0], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1521  	copy_eltfp25519_1w(T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1522  	sqrn_eltfp25519_1w_adx(T[2], 5);
468c57c7 Jason A. Donenfeld 2018-08-24  1523  	mul_eltfp25519_1w_adx(T[0], T[0], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1524  	copy_eltfp25519_1w(T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1525  	sqrn_eltfp25519_1w_adx(T[2], 10);
468c57c7 Jason A. Donenfeld 2018-08-24  1526  	mul_eltfp25519_1w_adx(T[2], T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1527  	copy_eltfp25519_1w(T[3], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1528  	sqrn_eltfp25519_1w_adx(T[3], 20);
468c57c7 Jason A. Donenfeld 2018-08-24  1529  	mul_eltfp25519_1w_adx(T[3], T[3], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1530  	sqrn_eltfp25519_1w_adx(T[3], 10);
468c57c7 Jason A. Donenfeld 2018-08-24  1531  	mul_eltfp25519_1w_adx(T[3], T[3], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1532  	copy_eltfp25519_1w(T[0], T[3]);
468c57c7 Jason A. Donenfeld 2018-08-24  1533  	sqrn_eltfp25519_1w_adx(T[0], 50);
468c57c7 Jason A. Donenfeld 2018-08-24  1534  	mul_eltfp25519_1w_adx(T[0], T[0], T[3]);
468c57c7 Jason A. Donenfeld 2018-08-24  1535  	copy_eltfp25519_1w(T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1536  	sqrn_eltfp25519_1w_adx(T[2], 100);
468c57c7 Jason A. Donenfeld 2018-08-24  1537  	mul_eltfp25519_1w_adx(T[2], T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1538  	sqrn_eltfp25519_1w_adx(T[2], 50);
468c57c7 Jason A. Donenfeld 2018-08-24  1539  	mul_eltfp25519_1w_adx(T[2], T[2], T[3]);
468c57c7 Jason A. Donenfeld 2018-08-24  1540  	sqrn_eltfp25519_1w_adx(T[2], 5);
468c57c7 Jason A. Donenfeld 2018-08-24  1541  	mul_eltfp25519_1w_adx(T[1], T[1], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1542  
468c57c7 Jason A. Donenfeld 2018-08-24 @1543  	memzero_explicit(&m, sizeof(m));
468c57c7 Jason A. Donenfeld 2018-08-24  1544  }
468c57c7 Jason A. Donenfeld 2018-08-24  1545  
468c57c7 Jason A. Donenfeld 2018-08-24  1546  static void inv_eltfp25519_1w_bmi2(u64 *const c, const u64 *const a)
468c57c7 Jason A. Donenfeld 2018-08-24  1547  {
468c57c7 Jason A. Donenfeld 2018-08-24  1548  	struct {
468c57c7 Jason A. Donenfeld 2018-08-24  1549  		eltfp25519_1w_buffer buffer;
468c57c7 Jason A. Donenfeld 2018-08-24  1550  		eltfp25519_1w x0, x1, x2;
468c57c7 Jason A. Donenfeld 2018-08-24  1551  	} __aligned(32) m;
468c57c7 Jason A. Donenfeld 2018-08-24  1552  	u64 *T[5];
468c57c7 Jason A. Donenfeld 2018-08-24  1553  
468c57c7 Jason A. Donenfeld 2018-08-24  1554  	T[0] = m.x0;
468c57c7 Jason A. Donenfeld 2018-08-24  1555  	T[1] = c; /* x^(-1) */
468c57c7 Jason A. Donenfeld 2018-08-24  1556  	T[2] = m.x1;
468c57c7 Jason A. Donenfeld 2018-08-24  1557  	T[3] = m.x2;
468c57c7 Jason A. Donenfeld 2018-08-24  1558  
468c57c7 Jason A. Donenfeld 2018-08-24  1559  	copy_eltfp25519_1w(T[1], a);
468c57c7 Jason A. Donenfeld 2018-08-24  1560  	sqrn_eltfp25519_1w_bmi2(T[1], 1);
468c57c7 Jason A. Donenfeld 2018-08-24  1561  	copy_eltfp25519_1w(T[2], T[1]);
468c57c7 Jason A. Donenfeld 2018-08-24  1562  	sqrn_eltfp25519_1w_bmi2(T[2], 2);
468c57c7 Jason A. Donenfeld 2018-08-24  1563  	mul_eltfp25519_1w_bmi2(T[0], a, T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1564  	mul_eltfp25519_1w_bmi2(T[1], T[1], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1565  	copy_eltfp25519_1w(T[2], T[1]);
468c57c7 Jason A. Donenfeld 2018-08-24  1566  	sqrn_eltfp25519_1w_bmi2(T[2], 1);
468c57c7 Jason A. Donenfeld 2018-08-24  1567  	mul_eltfp25519_1w_bmi2(T[0], T[0], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1568  	copy_eltfp25519_1w(T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1569  	sqrn_eltfp25519_1w_bmi2(T[2], 5);
468c57c7 Jason A. Donenfeld 2018-08-24  1570  	mul_eltfp25519_1w_bmi2(T[0], T[0], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1571  	copy_eltfp25519_1w(T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1572  	sqrn_eltfp25519_1w_bmi2(T[2], 10);
468c57c7 Jason A. Donenfeld 2018-08-24  1573  	mul_eltfp25519_1w_bmi2(T[2], T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1574  	copy_eltfp25519_1w(T[3], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1575  	sqrn_eltfp25519_1w_bmi2(T[3], 20);
468c57c7 Jason A. Donenfeld 2018-08-24  1576  	mul_eltfp25519_1w_bmi2(T[3], T[3], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1577  	sqrn_eltfp25519_1w_bmi2(T[3], 10);
468c57c7 Jason A. Donenfeld 2018-08-24  1578  	mul_eltfp25519_1w_bmi2(T[3], T[3], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1579  	copy_eltfp25519_1w(T[0], T[3]);
468c57c7 Jason A. Donenfeld 2018-08-24  1580  	sqrn_eltfp25519_1w_bmi2(T[0], 50);
468c57c7 Jason A. Donenfeld 2018-08-24  1581  	mul_eltfp25519_1w_bmi2(T[0], T[0], T[3]);
468c57c7 Jason A. Donenfeld 2018-08-24  1582  	copy_eltfp25519_1w(T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1583  	sqrn_eltfp25519_1w_bmi2(T[2], 100);
468c57c7 Jason A. Donenfeld 2018-08-24  1584  	mul_eltfp25519_1w_bmi2(T[2], T[2], T[0]);
468c57c7 Jason A. Donenfeld 2018-08-24  1585  	sqrn_eltfp25519_1w_bmi2(T[2], 50);
468c57c7 Jason A. Donenfeld 2018-08-24  1586  	mul_eltfp25519_1w_bmi2(T[2], T[2], T[3]);
468c57c7 Jason A. Donenfeld 2018-08-24  1587  	sqrn_eltfp25519_1w_bmi2(T[2], 5);
468c57c7 Jason A. Donenfeld 2018-08-24  1588  	mul_eltfp25519_1w_bmi2(T[1], T[1], T[2]);
468c57c7 Jason A. Donenfeld 2018-08-24  1589  
468c57c7 Jason A. Donenfeld 2018-08-24  1590  	memzero_explicit(&m, sizeof(m));
468c57c7 Jason A. Donenfeld 2018-08-24  1591  }
468c57c7 Jason A. Donenfeld 2018-08-24  1592  
468c57c7 Jason A. Donenfeld 2018-08-24  1593  /* Given c, a 256-bit number, fred_eltfp25519_1w updates c
468c57c7 Jason A. Donenfeld 2018-08-24  1594   * with a number such that 0 <= C < 2**255-19.
468c57c7 Jason A. Donenfeld 2018-08-24  1595   */
468c57c7 Jason A. Donenfeld 2018-08-24  1596  static __always_inline void fred_eltfp25519_1w(u64 *const c)
468c57c7 Jason A. Donenfeld 2018-08-24  1597  {
468c57c7 Jason A. Donenfeld 2018-08-24  1598  	u64 tmp0 = 38, tmp1 = 19;
468c57c7 Jason A. Donenfeld 2018-08-24  1599  	asm volatile(
468c57c7 Jason A. Donenfeld 2018-08-24  1600  		"btrq   $63,    %3 ;" /* Put bit 255 in carry flag and clear */
468c57c7 Jason A. Donenfeld 2018-08-24  1601  		"cmovncl %k5,   %k4 ;" /* c[255] ? 38 : 19 */
468c57c7 Jason A. Donenfeld 2018-08-24  1602  
468c57c7 Jason A. Donenfeld 2018-08-24  1603  		/* Add either 19 or 38 to c */
468c57c7 Jason A. Donenfeld 2018-08-24  1604  		"addq    %4,   %0 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1605  		"adcq    $0,   %1 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1606  		"adcq    $0,   %2 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1607  		"adcq    $0,   %3 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1608  
468c57c7 Jason A. Donenfeld 2018-08-24  1609  		/* Test for bit 255 again; only triggered on overflow modulo 2^255-19 */
468c57c7 Jason A. Donenfeld 2018-08-24  1610  		"movl    $0,  %k4 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1611  		"cmovnsl %k5,  %k4 ;" /* c[255] ? 0 : 19 */
468c57c7 Jason A. Donenfeld 2018-08-24  1612  		"btrq   $63,   %3 ;" /* Clear bit 255 */
468c57c7 Jason A. Donenfeld 2018-08-24  1613  
468c57c7 Jason A. Donenfeld 2018-08-24  1614  		/* Subtract 19 if necessary */
468c57c7 Jason A. Donenfeld 2018-08-24  1615  		"subq    %4,   %0 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1616  		"sbbq    $0,   %1 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1617  		"sbbq    $0,   %2 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1618  		"sbbq    $0,   %3 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1619  
468c57c7 Jason A. Donenfeld 2018-08-24  1620  		: "+r"(c[0]), "+r"(c[1]), "+r"(c[2]), "+r"(c[3]), "+r"(tmp0), "+r"(tmp1)
468c57c7 Jason A. Donenfeld 2018-08-24  1621  		:
468c57c7 Jason A. Donenfeld 2018-08-24  1622  		: "memory", "cc");
468c57c7 Jason A. Donenfeld 2018-08-24  1623  }
468c57c7 Jason A. Donenfeld 2018-08-24  1624  
468c57c7 Jason A. Donenfeld 2018-08-24  1625  static __always_inline void cswap(u8 bit, u64 *const px, u64 *const py)
468c57c7 Jason A. Donenfeld 2018-08-24  1626  {
468c57c7 Jason A. Donenfeld 2018-08-24  1627  	u64 temp;
468c57c7 Jason A. Donenfeld 2018-08-24  1628  	asm volatile(
468c57c7 Jason A. Donenfeld 2018-08-24  1629  		"test %9, %9 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1630  		"movq %0, %8 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1631  		"cmovnzq %4, %0 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1632  		"cmovnzq %8, %4 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1633  		"movq %1, %8 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1634  		"cmovnzq %5, %1 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1635  		"cmovnzq %8, %5 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1636  		"movq %2, %8 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1637  		"cmovnzq %6, %2 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1638  		"cmovnzq %8, %6 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1639  		"movq %3, %8 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1640  		"cmovnzq %7, %3 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1641  		"cmovnzq %8, %7 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1642  		: "+r"(px[0]), "+r"(px[1]), "+r"(px[2]), "+r"(px[3]),
468c57c7 Jason A. Donenfeld 2018-08-24  1643  		  "+r"(py[0]), "+r"(py[1]), "+r"(py[2]), "+r"(py[3]),
468c57c7 Jason A. Donenfeld 2018-08-24  1644  		  "=r"(temp)
468c57c7 Jason A. Donenfeld 2018-08-24  1645  		: "r"(bit)
468c57c7 Jason A. Donenfeld 2018-08-24  1646  		: "cc"
468c57c7 Jason A. Donenfeld 2018-08-24  1647  	);
468c57c7 Jason A. Donenfeld 2018-08-24  1648  }
468c57c7 Jason A. Donenfeld 2018-08-24  1649  
468c57c7 Jason A. Donenfeld 2018-08-24  1650  static __always_inline void cselect(u8 bit, u64 *const px, const u64 *const py)
468c57c7 Jason A. Donenfeld 2018-08-24  1651  {
468c57c7 Jason A. Donenfeld 2018-08-24  1652  	asm volatile(
468c57c7 Jason A. Donenfeld 2018-08-24  1653  		"test %4, %4 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1654  		"cmovnzq %5, %0 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1655  		"cmovnzq %6, %1 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1656  		"cmovnzq %7, %2 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1657  		"cmovnzq %8, %3 ;"
468c57c7 Jason A. Donenfeld 2018-08-24  1658  		: "+r"(px[0]), "+r"(px[1]), "+r"(px[2]), "+r"(px[3])
468c57c7 Jason A. Donenfeld 2018-08-24  1659  		: "r"(bit), "rm"(py[0]), "rm"(py[1]), "rm"(py[2]), "rm"(py[3])
468c57c7 Jason A. Donenfeld 2018-08-24  1660  		: "cc"
468c57c7 Jason A. Donenfeld 2018-08-24  1661  	);
468c57c7 Jason A. Donenfeld 2018-08-24  1662  }
468c57c7 Jason A. Donenfeld 2018-08-24  1663  
468c57c7 Jason A. Donenfeld 2018-08-24  1664  static __always_inline void clamp_secret(u8 secret[CURVE25519_POINT_SIZE])
468c57c7 Jason A. Donenfeld 2018-08-24  1665  {
468c57c7 Jason A. Donenfeld 2018-08-24  1666  	secret[0] &= 248;
468c57c7 Jason A. Donenfeld 2018-08-24  1667  	secret[31] &= 127;
468c57c7 Jason A. Donenfeld 2018-08-24  1668  	secret[31] |= 64;
468c57c7 Jason A. Donenfeld 2018-08-24  1669  }
468c57c7 Jason A. Donenfeld 2018-08-24  1670  
468c57c7 Jason A. Donenfeld 2018-08-24  1671  static void curve25519_adx(u8 shared[CURVE25519_POINT_SIZE], const u8 private_key[CURVE25519_POINT_SIZE], const u8 session_key[CURVE25519_POINT_SIZE])
468c57c7 Jason A. Donenfeld 2018-08-24  1672  {
468c57c7 Jason A. Donenfeld 2018-08-24  1673  	struct {
468c57c7 Jason A. Donenfeld 2018-08-24  1674  		u64 buffer[4 * NUM_WORDS_ELTFP25519];
468c57c7 Jason A. Donenfeld 2018-08-24  1675  		u64 coordinates[4 * NUM_WORDS_ELTFP25519];
468c57c7 Jason A. Donenfeld 2018-08-24  1676  		u64 workspace[6 * NUM_WORDS_ELTFP25519];
468c57c7 Jason A. Donenfeld 2018-08-24  1677  		u8 session[CURVE25519_POINT_SIZE];
468c57c7 Jason A. Donenfeld 2018-08-24  1678  		u8 private[CURVE25519_POINT_SIZE];
468c57c7 Jason A. Donenfeld 2018-08-24  1679  	} __aligned(32) m;
468c57c7 Jason A. Donenfeld 2018-08-24  1680  
468c57c7 Jason A. Donenfeld 2018-08-24  1681  	int i = 0, j = 0;
468c57c7 Jason A. Donenfeld 2018-08-24  1682  	u64 prev = 0;
468c57c7 Jason A. Donenfeld 2018-08-24  1683  	u64 *const X1 = (u64 *)m.session;
468c57c7 Jason A. Donenfeld 2018-08-24  1684  	u64 *const key = (u64 *)m.private;
468c57c7 Jason A. Donenfeld 2018-08-24  1685  	u64 *const Px = m.coordinates + 0;
468c57c7 Jason A. Donenfeld 2018-08-24  1686  	u64 *const Pz = m.coordinates + 4;
468c57c7 Jason A. Donenfeld 2018-08-24  1687  	u64 *const Qx = m.coordinates + 8;
468c57c7 Jason A. Donenfeld 2018-08-24  1688  	u64 *const Qz = m.coordinates + 12;
468c57c7 Jason A. Donenfeld 2018-08-24  1689  	u64 *const X2 = Qx;
468c57c7 Jason A. Donenfeld 2018-08-24  1690  	u64 *const Z2 = Qz;
468c57c7 Jason A. Donenfeld 2018-08-24  1691  	u64 *const X3 = Px;
468c57c7 Jason A. Donenfeld 2018-08-24  1692  	u64 *const Z3 = Pz;
468c57c7 Jason A. Donenfeld 2018-08-24  1693  	u64 *const X2Z2 = Qx;
468c57c7 Jason A. Donenfeld 2018-08-24  1694  	u64 *const X3Z3 = Px;
468c57c7 Jason A. Donenfeld 2018-08-24  1695  
468c57c7 Jason A. Donenfeld 2018-08-24  1696  	u64 *const A = m.workspace + 0;
468c57c7 Jason A. Donenfeld 2018-08-24  1697  	u64 *const B = m.workspace + 4;
468c57c7 Jason A. Donenfeld 2018-08-24  1698  	u64 *const D = m.workspace + 8;
468c57c7 Jason A. Donenfeld 2018-08-24  1699  	u64 *const C = m.workspace + 12;
468c57c7 Jason A. Donenfeld 2018-08-24  1700  	u64 *const DA = m.workspace + 16;
468c57c7 Jason A. Donenfeld 2018-08-24  1701  	u64 *const CB = m.workspace + 20;
468c57c7 Jason A. Donenfeld 2018-08-24  1702  	u64 *const AB = A;
468c57c7 Jason A. Donenfeld 2018-08-24  1703  	u64 *const DC = D;
468c57c7 Jason A. Donenfeld 2018-08-24  1704  	u64 *const DACB = DA;
468c57c7 Jason A. Donenfeld 2018-08-24  1705  
468c57c7 Jason A. Donenfeld 2018-08-24 @1706  	memcpy(m.private, private_key, sizeof(m.private));
468c57c7 Jason A. Donenfeld 2018-08-24  1707  	memcpy(m.session, session_key, sizeof(m.session));
468c57c7 Jason A. Donenfeld 2018-08-24  1708  
468c57c7 Jason A. Donenfeld 2018-08-24  1709  	clamp_secret(m.private);
468c57c7 Jason A. Donenfeld 2018-08-24  1710  
468c57c7 Jason A. Donenfeld 2018-08-24  1711  	/* As in the draft:
468c57c7 Jason A. Donenfeld 2018-08-24  1712  	 * When receiving such an array, implementations of curve25519
468c57c7 Jason A. Donenfeld 2018-08-24  1713  	 * MUST mask the most-significant bit in the final byte. This
468c57c7 Jason A. Donenfeld 2018-08-24  1714  	 * is done to preserve compatibility with point formats which
468c57c7 Jason A. Donenfeld 2018-08-24  1715  	 * reserve the sign bit for use in other protocols and to
468c57c7 Jason A. Donenfeld 2018-08-24  1716  	 * increase resistance to implementation fingerprinting
468c57c7 Jason A. Donenfeld 2018-08-24  1717  	 */
468c57c7 Jason A. Donenfeld 2018-08-24  1718  	m.session[CURVE25519_POINT_SIZE - 1] &= (1 << (255 % 8)) - 1;
468c57c7 Jason A. Donenfeld 2018-08-24  1719  
468c57c7 Jason A. Donenfeld 2018-08-24  1720  	copy_eltfp25519_1w(Px, X1);
468c57c7 Jason A. Donenfeld 2018-08-24  1721  	setzero_eltfp25519_1w(Pz);
468c57c7 Jason A. Donenfeld 2018-08-24  1722  	setzero_eltfp25519_1w(Qx);
468c57c7 Jason A. Donenfeld 2018-08-24  1723  	setzero_eltfp25519_1w(Qz);
468c57c7 Jason A. Donenfeld 2018-08-24  1724  
468c57c7 Jason A. Donenfeld 2018-08-24  1725  	Pz[0] = 1;
468c57c7 Jason A. Donenfeld 2018-08-24  1726  	Qx[0] = 1;
468c57c7 Jason A. Donenfeld 2018-08-24  1727  
468c57c7 Jason A. Donenfeld 2018-08-24  1728  	/* main-loop */
468c57c7 Jason A. Donenfeld 2018-08-24  1729  	prev = 0;
468c57c7 Jason A. Donenfeld 2018-08-24  1730  	j = 62;
468c57c7 Jason A. Donenfeld 2018-08-24  1731  	for (i = 3; i >= 0; --i) {
468c57c7 Jason A. Donenfeld 2018-08-24  1732  		while (j >= 0) {
468c57c7 Jason A. Donenfeld 2018-08-24  1733  			u64 bit = (key[i] >> j) & 0x1;
468c57c7 Jason A. Donenfeld 2018-08-24  1734  			u64 swap = bit ^ prev;
468c57c7 Jason A. Donenfeld 2018-08-24  1735  			prev = bit;
468c57c7 Jason A. Donenfeld 2018-08-24  1736  
468c57c7 Jason A. Donenfeld 2018-08-24  1737  			add_eltfp25519_1w_adx(A, X2, Z2);	/* A = (X2+Z2) */
468c57c7 Jason A. Donenfeld 2018-08-24  1738  			sub_eltfp25519_1w(B, X2, Z2);		/* B = (X2-Z2) */
468c57c7 Jason A. Donenfeld 2018-08-24  1739  			add_eltfp25519_1w_adx(C, X3, Z3);	/* C = (X3+Z3) */
468c57c7 Jason A. Donenfeld 2018-08-24  1740  			sub_eltfp25519_1w(D, X3, Z3);		/* D = (X3-Z3) */
468c57c7 Jason A. Donenfeld 2018-08-24  1741  			mul_eltfp25519_2w_adx(DACB, AB, DC);	/* [DA|CB] = [A|B]*[D|C] */
468c57c7 Jason A. Donenfeld 2018-08-24  1742  
468c57c7 Jason A. Donenfeld 2018-08-24  1743  			cselect(swap, A, C);
468c57c7 Jason A. Donenfeld 2018-08-24  1744  			cselect(swap, B, D);
468c57c7 Jason A. Donenfeld 2018-08-24  1745  
468c57c7 Jason A. Donenfeld 2018-08-24  1746  			sqr_eltfp25519_2w_adx(AB);		/* [AA|BB] = [A^2|B^2] */
468c57c7 Jason A. Donenfeld 2018-08-24  1747  			add_eltfp25519_1w_adx(X3, DA, CB);	/* X3 = (DA+CB) */
468c57c7 Jason A. Donenfeld 2018-08-24  1748  			sub_eltfp25519_1w(Z3, DA, CB);		/* Z3 = (DA-CB) */
468c57c7 Jason A. Donenfeld 2018-08-24  1749  			sqr_eltfp25519_2w_adx(X3Z3);		/* [X3|Z3] = [(DA+CB)|(DA+CB)]^2 */
468c57c7 Jason A. Donenfeld 2018-08-24  1750  
468c57c7 Jason A. Donenfeld 2018-08-24  1751  			copy_eltfp25519_1w(X2, B);		/* X2 = B^2 */
468c57c7 Jason A. Donenfeld 2018-08-24  1752  			sub_eltfp25519_1w(Z2, A, B);		/* Z2 = E = AA-BB */
468c57c7 Jason A. Donenfeld 2018-08-24  1753  
468c57c7 Jason A. Donenfeld 2018-08-24  1754  			mul_a24_eltfp25519_1w(B, Z2);		/* B = a24*E */
468c57c7 Jason A. Donenfeld 2018-08-24  1755  			add_eltfp25519_1w_adx(B, B, X2);	/* B = a24*E+B */
468c57c7 Jason A. Donenfeld 2018-08-24  1756  			mul_eltfp25519_2w_adx(X2Z2, X2Z2, AB);	/* [X2|Z2] = [B|E]*[A|a24*E+B] */
468c57c7 Jason A. Donenfeld 2018-08-24  1757  			mul_eltfp25519_1w_adx(Z3, Z3, X1);	/* Z3 = Z3*X1 */
468c57c7 Jason A. Donenfeld 2018-08-24  1758  			--j;
468c57c7 Jason A. Donenfeld 2018-08-24  1759  		}
468c57c7 Jason A. Donenfeld 2018-08-24  1760  		j = 63;
468c57c7 Jason A. Donenfeld 2018-08-24  1761  	}
468c57c7 Jason A. Donenfeld 2018-08-24  1762  
468c57c7 Jason A. Donenfeld 2018-08-24  1763  	inv_eltfp25519_1w_adx(A, Qz);
468c57c7 Jason A. Donenfeld 2018-08-24  1764  	mul_eltfp25519_1w_adx((u64 *)shared, Qx, A);
468c57c7 Jason A. Donenfeld 2018-08-24  1765  	fred_eltfp25519_1w((u64 *)shared);
468c57c7 Jason A. Donenfeld 2018-08-24  1766  
468c57c7 Jason A. Donenfeld 2018-08-24  1767  	memzero_explicit(&m, sizeof(m));
468c57c7 Jason A. Donenfeld 2018-08-24  1768  }
468c57c7 Jason A. Donenfeld 2018-08-24  1769  
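Portable C rendition of the two-step final reduction shown in fred_eltfp25519_1w above, added here as an illustration and not part of Jason's patch or the zinc code; it keeps the same four-limb little-endian layout and replaces the adc/sbb chain with explicit carry and borrow propagation.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not the zinc code): c is a 256-bit little-endian number in
 * four 64-bit limbs; on return 0 <= c < p, where p = 2^255 - 19. */
static void fred_portable(uint64_t c[4])
{
	const uint64_t bit255 = 1ULL << 63;
	uint64_t carry, borrow;
	int i;

	/* Step 1: clear bit 255 and add 19 (bit was 0) or 38 (bit was 1). Dropping
	 * a set bit 255 subtracts 2^255 = p + 19, which the extra 19 repays, so
	 * either way the value is now c + 19 (mod p) and below 2^255 + 38. */
	carry = 19 + 19 * (c[3] >> 63);
	c[3] &= ~bit255;
	for (i = 0; i < 4; i++) {
		c[i] += carry;
		carry = (c[i] < carry);		/* limb wrapped: carry into next */
	}

	/* Step 2: bit 255 set here means the value is >= p + 19, so dropping the
	 * bit (minus p + 19) leaves the residue of c; otherwise take the 19 back
	 * out. The value is never below 19, so the subtraction cannot wrap. */
	borrow = 19 * (1 - (c[3] >> 63));
	c[3] &= ~bit255;
	for (i = 0; i < 4; i++) {
		uint64_t t = c[i] - borrow;
		borrow = (c[i] < borrow);	/* limb wrapped: borrow from next */
		c[i] = t;
	}
}

/* Reduce a copy of in and report whether the result equals want (both as
 * little-endian limbs); used to check constructed cases such as p, 2p and
 * 2^256 - 1, whose residues are 0, 0 and 37. */
static int fred_gives(const uint64_t in[4], const uint64_t want[4])
{
	uint64_t c[4];

	memcpy(c, in, sizeof(c));
	fred_portable(c);
	return memcmp(c, want, sizeof(c)) == 0;
}
```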

:::::: The code at line 1543 was first introduced by commit
:::::: 468c57c74ac7091c9c04ab2acccf68fe300cd9bc zinc: Curve25519 x86_64 implementation

:::::: TO: Jason A. Donenfeld <Jason@...c4.com>
:::::: CC: 0day robot <lkp@...el.com>

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
