2  *  Copyright (C) 2017 - This file is part of libecc project
7  *      Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
37  * above wlen is made of zero words. The function does NOT check
44  * (error in -Werror) is triggered at compilation time.
52 	for (i = A->wlen; i < NN_MAX_WORD_LEN; i++) {  in __nn_is_wlen_consistent()
53 		val |= (A)->val[i];  in __nn_is_wlen_consistent()
60  * Verify that pointed nn has already been initialized. This function
61  * should be used as a safety net in all function before using a nn
62  * received as parameter. Returns 0 on success, -1 on error.
69 	MUST_HAVE((A->magic == NN_MAGIC), ret, err);  in nn_check_initialized()
70 	MUST_HAVE((A->wlen <= NN_MAX_WORD_LEN), ret, err);  in nn_check_initialized()
82  * on success, -1 on error.
91 	A->wlen = (u8)BYTE_LEN_WORDS(len);  in nn_init()
92 	A->magic = NN_MAGIC;  in nn_init()
95 		A->val[i] = WORD(0);  in nn_init()
107  * given pointer is NULL or does not point to an initialized nn, the function
112 	if ((A != NULL) && (A->magic == NN_MAGIC)) {  in nn_uninit()
116 			A->val[i] = WORD(0);  in nn_uninit()
119 		A->wlen = 0;  in nn_uninit()
120 		A->magic = WORD(0);  in nn_uninit()
127  * Set current value of pointed initialized nn to 0. Returns 0 on success, -1
143  * on success, -1 on error.
151 	A->val[0] = val;  in nn_set_word_value()
152 	A->wlen = 1;  in nn_set_word_value()
159  * Set current value of pointed initialized nn to 1. Returns 0 on success, -1
169  * if 'cnd' is not zero. Nothing is done otherwise. Returns 0 on success, -1
176 	word_t mask = WORD_MASK_IFNOTZERO(cnd);  in nn_cnd_swap()  local
185 	MUST_HAVE((in1->wlen <= NN_MAX_WORD_LEN), ret, err);  in nn_cnd_swap()
186 	MUST_HAVE((in2->wlen <= NN_MAX_WORD_LEN), ret, err);  in nn_cnd_swap()
188 	len = (in1->wlen >= in2->wlen) ? in1->wlen : in2->wlen;  in nn_cnd_swap()
191 	 * weight as proposed in Algorithm 4 of "Nonce@once: A Single-Trace  in nn_cnd_swap()
192 	 * EM Side Channel Attack on Several Constant-Time Elliptic  in nn_cnd_swap()
200 		t = ((in1->val[i] ^ in2->val[i]) & mask) ^ r_mask;  in nn_cnd_swap()
201 		in1->val[i] ^= ((t & local_mask) ^ (r_mask & local_mask));  in nn_cnd_swap()
202 		in2->val[i] ^= ((t & local_mask) ^ (r_mask & local_mask));  in nn_cnd_swap()
205 	t = (word_t)(((in1->wlen ^ in2->wlen) & mask) ^ r_mask);  in nn_cnd_swap()
206 	in1->wlen ^= (u8)(t ^ r_mask);  in nn_cnd_swap()
207 	in2->wlen ^= (u8)(t ^ r_mask);  in nn_cnd_swap()
219  * Returns 0 on success, -1 on error.
228 	MUST_HAVE((A->wlen <= NN_MAX_WORD_LEN), ret, err);  in nn_set_wlen()
232 		A->val[i] = (word_t)(A->val[i] & WORD_MASK_IFZERO((i >= new_wlen)));  in nn_set_wlen()
235 	A->wlen = new_wlen;  in nn_set_wlen()
242  * The function tests if given nn value is zero. The result of the test is given
243  * using 'iszero' out parameter (1 if nn is zero, 0 if it is not). The function
244  * returns 0 on success, -1 on error. 'iszero' is not meaningfull on error.
253 	MUST_HAVE((A->wlen <= NN_MAX_WORD_LEN), ret, err);  in nn_iszero()
258 		int mask = ((i < A->wlen) ? 1 : 0);  in nn_iszero()  local
259 		notzero |= ((A->val[i] != 0) & mask);  in nn_iszero()
269  * The function tests if given nn value is one. The result of the test is given
270  * using 'isone' out parameter (1 if nn is one, 0 if it is not). The function
271  * returns 0 on success, -1 on error. 'isone' is not meaningfull on error.
280 	MUST_HAVE(!(A->wlen > NN_MAX_WORD_LEN), ret, err);  in nn_isone()
284 	notone = (A->val[0] != 1);  in nn_isone()
286 		int mask = ((i < A->wlen) ? 1 : 0);  in nn_isone()  local
287 		notone |= ((A->val[i] != 0) & mask);  in nn_isone()
297  * The function tests if given nn value is odd. The result of the test is given
298  * using 'isodd' out parameter (1 if nn is odd, 0 if it is not). The function
299  * returns 0 on success, -1 on error. 'isodd' is not meaningfull on error.
308 	*isodd = (A->wlen != 0) && (A->val[0] & 1);  in nn_isodd()
317  * when provided nn is valid. The function returns 0 on success and provides
318  * the comparison value in 'cmp' parameter. -1 is returned on error, in which
324 	word_t mask;  in nn_cmp_word()  local
331 	if (in->wlen == 0) {  in nn_cmp_word()
332 		*cmp = -(w != 0);  in nn_cmp_word()
339 	 * of those is non-zero.  in nn_cmp_word()
341 	for (i = (u8)(in->wlen - 1); i > 0; i--) {  in nn_cmp_word()
342 		tmp |= (in->val[i] != 0);  in nn_cmp_word()
351 	mask = WORD_MASK_IFZERO(tmp);  in nn_cmp_word()
352 	tmp += (int)(((word_t)(in->val[i] > w)) & (mask));  in nn_cmp_word()
353 	tmp -= (int)(((word_t)(in->val[i] < w)) & (mask));  in nn_cmp_word()
363  * function returns 0 on success and provides the comparison value in
364  * 'cmp' parameter (0 if A == B, -1 if A < B, +1 if A > B). -1 is returned
371 	int tmp, mask, ret, i;  in nn_cmp()  local
378 	cmp_len = (A->wlen >= B->wlen) ? A->wlen : B->wlen;  in nn_cmp()
381 	for (i = (cmp_len - 1); i >= 0; i--) {	/* ok even if cmp_len is 0 */  in nn_cmp()
382 		mask = !(tmp & 0x1);  in nn_cmp()
383 		tmp += ((A->val[i] > B->val[i]) & mask);  in nn_cmp()
384 		tmp -= ((A->val[i] < B->val[i]) & mask);  in nn_cmp()
395  * be (manually) initialized by the function. 'src_nn' must have been
396  * initialized prior to the call. The function returns 0 on success, -1 on error.
409 		dst_nn->val[i] = src_nn->val[i];  in nn_copy()
412 	dst_nn->wlen = src_nn->wlen;  in nn_copy()
413 	dst_nn->magic = NN_MAGIC;  in nn_copy()
421  * The function is *not constant time*, i.e. it depends on the input value.
422  * The function returns 0 on sucess, -1 on error.
430 	while ((in1->wlen > 0) && (in1->val[in1->wlen - 1] == 0)) {  in nn_normalize()
431 		in1->wlen--;  in nn_normalize()
440  * endian) order to host order. 'val' needs not point to a word-aligned region.
441  * The function returns 0 on success, -1 on error. On success, the result is
462 			res_buf[i] = val[WORD_BYTES - i - 1];  in _ntohw()
463 			res_buf[WORD_BYTES - i - 1] = tmp;  in _ntohw()
476 /* Same as previous function but from host to network byte order. */
484  * which will be initialized by the function (i.e. given nn need not be
485  * initialized). The function then imports value (expected to be in big
486  * endian) from given buffer 'buf' of length 'buflen' into it. The function
488  * The function returns 0 on success, -1 on error.
499 	ret = local_memset(tmp, 0, (u32)(NN_MAX_BYTE_LEN - buflen)); EG(ret, err);  in nn_init_from_buf()
500 	ret = local_memcpy(tmp + NN_MAX_BYTE_LEN - buflen, buf, buflen); EG(ret, err);  in nn_init_from_buf()
505 		u16 buf_pos = (u16)((NN_MAX_WORD_LEN - wpos - 1) * WORD_BYTES);  in nn_init_from_buf()
506 		ret = _ntohw(tmp + buf_pos, &(out_nn->val[wpos])); EG(ret, err);  in nn_init_from_buf()
519  * MSB bytes are simply lost in exported buffer. The function returns 0
520  * on success, -1 on error.
544 	for (i = 0; remain && (i < in_nn->wlen); i++) {  in nn_export_to_buf()
548 		ret = _htonw((const u8 *)&in_nn->val[i], &val); EG(ret, err);  in nn_export_to_buf()
550 		dst_word_ptr = (buf + buflen - (i * wb) - copylen);  in nn_export_to_buf()
551 		src_word_ptr = (u8 *)(&val) + wb - copylen;  in nn_export_to_buf()
556 		remain = (u16)(remain - copylen);  in nn_export_to_buf()
565  * function copies the value of element at position idx (idx < tabsize)
573  * Returns 0 on success, -1 on error.
580 	word_t mask;  in nn_tabselect()  local
591 	out->wlen = 0;  in nn_tabselect()
597 		mask = WORD_MASK_IFNOTZERO(idx == k);  in nn_tabselect()
599 		out->wlen = (u8)(out->wlen | ((tab[k]->wlen) & mask));  in nn_tabselect()
602 			out->val[i] |= (tab[k]->val[i] & mask);  in nn_tabselect()