Lines Matching refs:ret

49 	int ret;  in _bip0340_hash()  local
52 MUST_HAVE((h_ctx != NULL), ret, err); in _bip0340_hash()
54 ret = hash_mapping_callbacks_sanity_check(hm); EG(ret, err); in _bip0340_hash()
56 ret = hm->hfunc_init(h_ctx); EG(ret, err); in _bip0340_hash()
57 ret = hm->hfunc_update(h_ctx, tag, tag_len); EG(ret, err); in _bip0340_hash()
58 ret = hm->hfunc_finalize(h_ctx, hash); EG(ret, err); in _bip0340_hash()
61 ret = hm->hfunc_init(h_ctx); EG(ret, err); in _bip0340_hash()
62 ret = hm->hfunc_update(h_ctx, hash, hm->digest_size); EG(ret, err); in _bip0340_hash()
63 ret = hm->hfunc_update(h_ctx, hash, hm->digest_size); EG(ret, err); in _bip0340_hash()
64 ret = hm->hfunc_update(h_ctx, m, m_len); EG(ret, err); in _bip0340_hash()
66 ret = 0; in _bip0340_hash()
68 return ret; in _bip0340_hash()
78 int ret, isodd, isone; in _bip0340_set_scalar() local
81 ret = prj_pt_check_initialized(P); EG(ret, err); in _bip0340_set_scalar()
86 ret = nn_isone(&(P->Z.fp_val), &isone); EG(ret, err); in _bip0340_set_scalar()
87 MUST_HAVE((isone), ret, err); in _bip0340_set_scalar()
90 ret = nn_isodd(&(P->Y.fp_val), &isodd); EG(ret, err); in _bip0340_set_scalar()
96 ret = nn_mod_neg(scalar, scalar, q); EG(ret, err); in _bip0340_set_scalar()
100 return ret; in _bip0340_set_scalar()
110 int ret; in bip0340_init_pub_key() local
112 MUST_HAVE((out_pub != NULL), ret, err); in bip0340_init_pub_key()
115 ret = local_memset(out_pub, 0, sizeof(ec_pub_key)); EG(ret, err); in bip0340_init_pub_key()
117 ret = priv_key_check_initialized_and_type(in_priv, BIP0340); EG(ret, err); in bip0340_init_pub_key()
122 ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err); in bip0340_init_pub_key()
129 return ret; in bip0340_init_pub_key()
138 int ret; in bip0340_siglen() local
140 MUST_HAVE((siglen != NULL), ret, err); in bip0340_siglen()
144 ret, err); in bip0340_siglen()
147 ret = 0; in bip0340_siglen()
150 return ret; in bip0340_siglen()
175 int ret, cmp, iszero; in _bip0340_sign() local
190 MUST_HAVE((key_pair != NULL) && (sig != NULL) && (adata == NULL), ret, err); in _bip0340_sign()
193 MUST_HAVE((sig_type == BIP0340), ret, err); in _bip0340_sign()
196 ret = key_pair_check_initialized_and_type(key_pair, BIP0340); EG(ret, err); in _bip0340_sign()
199 ret = get_hash_by_type(hash_type, &hm); EG(ret, err); in _bip0340_sign()
200 MUST_HAVE((hm != NULL), ret, err); in _bip0340_sign()
201 ret = hash_mapping_callbacks_sanity_check(hm); EG(ret, err); in _bip0340_sign()
216 ret = prj_pt_copy(&Y, &(pub_key->y)); EG(ret, err); in _bip0340_sign()
217 ret = prj_pt_unique(&Y, &Y); EG(ret, err); in _bip0340_sign()
219 ret = nn_init(&d, 0); EG(ret, err); in _bip0340_sign()
220 ret = nn_copy(&d, &(priv_key->x)); EG(ret, err); in _bip0340_sign()
225 MUST_HAVE((siglen == BIP0340_SIGLEN(p_bit_len, q_bit_len)), ret, err); in _bip0340_sign()
226 MUST_HAVE((p_len == BIP0340_R_LEN(p_bit_len)), ret, err); in _bip0340_sign()
227 MUST_HAVE((q_len == BIP0340_S_LEN(q_bit_len)), ret, err); in _bip0340_sign()
230 ret = nn_iszero(&d, &iszero); EG(ret, err); in _bip0340_sign()
231 ret = nn_cmp(&d, q, &cmp); EG(ret, err); in _bip0340_sign()
232 MUST_HAVE((!iszero) && (cmp < 0), ret, err); in _bip0340_sign()
235 ret = _bip0340_set_scalar(&d, q, &Y); EG(ret, err); in _bip0340_sign()
246 MUST_HAVE((rand == nn_get_random_mod), ret, err); in _bip0340_sign()
248 ret = nn_init(&e, 0); EG(ret, err); in _bip0340_sign()
249 ret = nn_one(&e); EG(ret, err); in _bip0340_sign()
250 ret = nn_lshift(&e, &e, (bitcnt_t)(8 * q_len)); EG(ret, err); in _bip0340_sign()
254 ret = rand(&k, &e); EG(ret, err); in _bip0340_sign()
257 MUST_HAVE((siglen >= q_len), ret, err); in _bip0340_sign()
258 ret = nn_export_to_buf(&sig[0], q_len, &k); EG(ret, err); in _bip0340_sign()
261 ret = _bip0340_hash((const u8*)BIP0340_AUX, sizeof(BIP0340_AUX) - 1, in _bip0340_sign()
262 &sig[0], q_len, hm, &h_ctx); EG(ret, err); in _bip0340_sign()
263 ret = hm->hfunc_finalize(&h_ctx, buff); EG(ret, err); in _bip0340_sign()
265 ret = nn_export_to_buf(&sig[0], q_len, &d); EG(ret, err); in _bip0340_sign()
271 ret = _bip0340_hash((const u8*)BIP0340_NONCE, sizeof(BIP0340_NONCE) - 1, in _bip0340_sign()
272 &sig[0], q_len, hm, &h_ctx); EG(ret, err); in _bip0340_sign()
278 ret = _bip0340_hash((const u8*)BIP0340_NONCE, sizeof(BIP0340_NONCE) - 1, in _bip0340_sign()
279 &buff[0], hm->digest_size, hm, &h_ctx); EG(ret, err); in _bip0340_sign()
281 ret = fp_export_to_buf(&sig[0], p_len, &(Y.X)); EG(ret, err); in _bip0340_sign()
282 ret = hm->hfunc_update(&h_ctx, &sig[0], p_len); EG(ret, err); in _bip0340_sign()
283 ret = hm->hfunc_update(&h_ctx, m, mlen); EG(ret, err); in _bip0340_sign()
284 ret = hm->hfunc_finalize(&h_ctx, buff); EG(ret, err); in _bip0340_sign()
287 ret = nn_init_from_buf(&k, buff, hm->digest_size); EG(ret, err); in _bip0340_sign()
288 ret = nn_mod(&k, &k, q); EG(ret, err); in _bip0340_sign()
293 ret = nn_iszero(&k, &iszero); EG(ret, err); in _bip0340_sign()
294 MUST_HAVE((!iszero), ret, err); in _bip0340_sign()
299 ret = prj_pt_mul_blind(&kG, &k, G); EG(ret, err); in _bip0340_sign()
301 ret = prj_pt_mul(&kG, &k, G); EG(ret, err); in _bip0340_sign()
303 ret = prj_pt_unique(&kG, &kG); EG(ret, err); in _bip0340_sign()
308 ret = _bip0340_set_scalar(&k, q, &kG); EG(ret, err); in _bip0340_sign()
312 ret = fp_export_to_buf(&sig[0], p_len, &(kG.X)); EG(ret, err); in _bip0340_sign()
313 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_sign()
314 &sig[0], p_len, hm, &h_ctx); EG(ret, err); in _bip0340_sign()
316 ret = fp_export_to_buf(&sig[0], p_len, &(Y.X)); EG(ret, err); in _bip0340_sign()
317 ret = hm->hfunc_update(&h_ctx, &sig[0], p_len); EG(ret, err); in _bip0340_sign()
319 ret = hm->hfunc_update(&h_ctx, m, mlen); EG(ret, err); in _bip0340_sign()
320 ret = hm->hfunc_finalize(&h_ctx, buff); EG(ret, err); in _bip0340_sign()
321 ret = nn_init_from_buf(&e, buff, hm->digest_size); EG(ret, err); in _bip0340_sign()
322 ret = nn_mod(&e, &e, q); EG(ret, err); in _bip0340_sign()
327 ret = fp_export_to_buf(&sig[0], p_len, &(kG.X)); EG(ret, err); in _bip0340_sign()
331 ret = nn_get_random_mod(&b, q); EG(ret, err); in _bip0340_sign()
337 ret = nn_mod_mul(&e, &e, &b, q); EG(ret, err); in _bip0340_sign()
339 ret = nn_mod_mul(&k, &k, &b, q); EG(ret, err); in _bip0340_sign()
342 ret = nn_mod_mul(&e, &e, &d, q); EG(ret, err); in _bip0340_sign()
343 ret = nn_mod_add(&e, &k, &e, q); EG(ret, err); in _bip0340_sign()
350 ret = nn_modinv_fermat(&binv, &b, q); EG(ret, err); in _bip0340_sign()
351 ret = nn_mod_mul(&e, &e, &binv, q); EG(ret, err); in _bip0340_sign()
356 ret = nn_export_to_buf(&sig[p_len], q_len, &e); EG(ret, err); in _bip0340_sign()
370 return ret; in _bip0340_sign()
375 #define BIP0340_VERIFY_CHECK_INITIALIZED(A, ret, err) \ argument
377 ((A)->magic == BIP0340_VERIFY_MAGIC), ret, err)
388 int ret, cmp; in _bip0340_verify_init() local
396 ret = sig_verify_check_initialized(ctx); EG(ret, err); in _bip0340_verify_init()
399 ret = pub_key_check_initialized_and_type(ctx->pub_key, BIP0340); EG(ret, err); in _bip0340_verify_init()
401 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _bip0340_verify_init()
402 MUST_HAVE((sig != NULL), ret, err); in _bip0340_verify_init()
405 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _bip0340_verify_init()
416 MUST_HAVE((siglen == BIP0340_SIGLEN(p_bit_len, q_bit_len)), ret, err); in _bip0340_verify_init()
417 MUST_HAVE((p_len == BIP0340_R_LEN(p_bit_len)), ret, err); in _bip0340_verify_init()
418 MUST_HAVE((q_len == BIP0340_S_LEN(q_bit_len)), ret, err); in _bip0340_verify_init()
423 ret = prj_pt_copy(&Y, &(ctx->pub_key->y)); EG(ret, err); in _bip0340_verify_init()
424 ret = prj_pt_unique(&Y, &Y); EG(ret, err); in _bip0340_verify_init()
427 ret = fp_init(rx, ctx->pub_key->params->ec_curve.a.ctx); EG(ret, err); in _bip0340_verify_init()
428 ret = fp_import_from_buf(rx, &sig[0], p_len); EG(ret, err); in _bip0340_verify_init()
429 ret = nn_init_from_buf(s, &sig[p_len], q_len); EG(ret, err); in _bip0340_verify_init()
430 ret = nn_cmp(s, q, &cmp); EG(ret, err); in _bip0340_verify_init()
431 MUST_HAVE((cmp < 0), ret, err); in _bip0340_verify_init()
437 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_verify_init()
439 &(ctx->verify_data.bip0340.h_ctx)); EG(ret, err); in _bip0340_verify_init()
440 ret = fp_export_to_buf(&Pubx[0], p_len, &(Y.X)); EG(ret, err); in _bip0340_verify_init()
441 ret = ctx->h->hfunc_update(&(ctx->verify_data.bip0340.h_ctx), &Pubx[0], p_len); EG(ret, err); in _bip0340_verify_init()
442 ret = local_memset(Pubx, 0, sizeof(Pubx)); EG(ret, err); in _bip0340_verify_init()
453 if (ret && (ctx != NULL)) { in _bip0340_verify_init()
463 return ret; in _bip0340_verify_init()
473 int ret; in _bip0340_verify_update() local
481 ret = sig_verify_check_initialized(ctx); EG(ret, err); in _bip0340_verify_update()
482 BIP0340_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.bip0340), ret, err); in _bip0340_verify_update()
485 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _bip0340_verify_update()
486 ret = ctx->h->hfunc_update(&(ctx->verify_data.bip0340.h_ctx), chunk, in _bip0340_verify_update()
490 return ret; in _bip0340_verify_update()
506 int ret, iszero, isodd, cmp; in _bip0340_verify_finalize() local
508 ret = sig_verify_check_initialized(ctx); EG(ret, err); in _bip0340_verify_finalize()
509 BIP0340_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.bip0340), ret, err); in _bip0340_verify_finalize()
512 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _bip0340_verify_finalize()
515 ret = local_memset(&sG, 0, sizeof(prj_pt)); EG(ret, err); in _bip0340_verify_finalize()
516 ret = local_memset(&eY, 0, sizeof(prj_pt)); EG(ret, err); in _bip0340_verify_finalize()
528 ret = prj_pt_copy(&Y, &(ctx->pub_key->y)); EG(ret, err); in _bip0340_verify_finalize()
529 ret = prj_pt_unique(&Y, &Y); EG(ret, err); in _bip0340_verify_finalize()
532 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.bip0340.h_ctx), in _bip0340_verify_finalize()
533 &e_buf[0]); EG(ret, err); in _bip0340_verify_finalize()
534 ret = nn_init_from_buf(&e, e_buf, hsize); EG(ret, err); in _bip0340_verify_finalize()
535 ret = nn_mod(&e, &e, q); EG(ret, err); in _bip0340_verify_finalize()
540 ret = prj_pt_mul(&sG, s, G); EG(ret, err); in _bip0340_verify_finalize()
541 ret = nn_mod_neg(&e, &e, q); EG(ret, err); /* compute -e = (q - e) mod q */ in _bip0340_verify_finalize()
543 ret = nn_isodd(&(Y.Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_finalize()
546 ret = fp_neg(&(Y.Y), &(Y.Y)); EG(ret, err); in _bip0340_verify_finalize()
548 ret = prj_pt_mul(&eY, &e, &Y); EG(ret, err); in _bip0340_verify_finalize()
549 ret = prj_pt_add(&sG, &sG, &eY); EG(ret, err); in _bip0340_verify_finalize()
550 ret = prj_pt_unique(&sG, &sG); EG(ret, err); in _bip0340_verify_finalize()
555 ret = prj_pt_iszero(&sG, &iszero); EG(ret, err); in _bip0340_verify_finalize()
556 MUST_HAVE((!iszero), ret, err); in _bip0340_verify_finalize()
559 ret = nn_isodd(&(sG.Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_finalize()
560 MUST_HAVE((!isodd), ret, err); in _bip0340_verify_finalize()
563 ret = nn_cmp(&(r->fp_val), &(sG.X.fp_val), &cmp); EG(ret, err); in _bip0340_verify_finalize()
564 ret = (cmp == 0) ? 0 : -1; in _bip0340_verify_finalize()
586 return ret; in _bip0340_verify_finalize()
659 int ret; in _bip0340_chacha20_block() local
664 MUST_HAVE((stream != NULL), ret, err); in _bip0340_chacha20_block()
665 MUST_HAVE((stream_len <= CHACHA20_MAX_ASKED_LEN), ret, err); in _bip0340_chacha20_block()
682 ret = local_memcpy(initial_state, state, sizeof(state)); EG(ret, err); in _bip0340_chacha20_block()
691 ret = local_memcpy(stream, &state[0], stream_len); in _bip0340_chacha20_block()
694 return ret; in _bip0340_chacha20_block()
700 int ret; in _bip0340_compute_batch_csprng_one_scalar() local
704 MUST_HAVE((seedlen == SHA256_DIGEST_SIZE) && (scalar_len <= CHACHA20_MAX_ASKED_LEN), ret, err); in _bip0340_compute_batch_csprng_one_scalar()
708 ret = local_memset(nonce, 0, sizeof(nonce)); EG(ret, err); in _bip0340_compute_batch_csprng_one_scalar()
711 ret = _bip0340_chacha20_block(seed, nonce, num, scalar, scalar_len); in _bip0340_compute_batch_csprng_one_scalar()
714 return ret; in _bip0340_compute_batch_csprng_one_scalar()
723 int ret, iszero, cmp; in _bip0340_compute_batch_csprng_scalars() local
726 MUST_HAVE((seed != NULL) && (scalar != NULL) && (num != NULL) && (a != NULL), ret, err); in _bip0340_compute_batch_csprng_scalars()
727 MUST_HAVE((scalar_len >= q_len), ret, err); in _bip0340_compute_batch_csprng_scalars()
732 MUST_HAVE((*num) < 0xffffffff, ret, err); in _bip0340_compute_batch_csprng_scalars()
734 ret = _bip0340_compute_batch_csprng_one_scalar(seed, seedlen, in _bip0340_compute_batch_csprng_scalars()
736 (*num)); EG(ret, err); in _bip0340_compute_batch_csprng_scalars()
745 ret = nn_init_from_buf(a, scalar, q_len); EG(ret, err); in _bip0340_compute_batch_csprng_scalars()
747 ret = nn_iszero(a, &iszero); EG(ret, err); in _bip0340_compute_batch_csprng_scalars()
748 ret = nn_cmp(a, q, &cmp); EG(ret, err); in _bip0340_compute_batch_csprng_scalars()
753 ret = 0; in _bip0340_compute_batch_csprng_scalars()
755 return ret; in _bip0340_compute_batch_csprng_scalars()
763 int ret; in _bip0340_compute_batch_csprng_seed() local
771 ret = local_memset(Pubx, 0, sizeof(Pubx)); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
776 ret = get_hash_by_type(SHA256, &hm); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
777 MUST_HAVE((hm != NULL), ret, err); in _bip0340_compute_batch_csprng_seed()
779 MUST_HAVE((seedlen == hm->digest_size), ret, err); in _bip0340_compute_batch_csprng_seed()
783 ret = hm->hfunc_init(&h_ctx); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
785 ret = fp_export_to_buf(&Pubx[0], p_len, &(pub_keys[i]->y.X)); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
786 ret = hm->hfunc_update(&h_ctx, &Pubx[0], p_len); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
789 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
792 ret = hm->hfunc_update(&h_ctx, s[i], s_len[i]); EG(ret, err); in _bip0340_compute_batch_csprng_seed()
794 ret = hm->hfunc_finalize(&h_ctx, seed); in _bip0340_compute_batch_csprng_seed()
797 return ret; in _bip0340_compute_batch_csprng_seed()
821 int ret, iszero, isodd, cmp; in _bip0340_verify_batch_no_memory() local
843 MUST_HAVE((s != NULL) && (pub_keys != NULL) && (m != NULL), ret, err); in _bip0340_verify_batch_no_memory()
845 MUST_HAVE((num > 0), ret, err); in _bip0340_verify_batch_no_memory()
848 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err); in _bip0340_verify_batch_no_memory()
849 ret = local_memset(Pubx, 0, sizeof(Pubx)); EG(ret, err); in _bip0340_verify_batch_no_memory()
850 ret = local_memset(chacha20_seed, 0,sizeof(chacha20_seed)); EG(ret, err); in _bip0340_verify_batch_no_memory()
851 ret = local_memset(chacha20_scalar, 0,sizeof(chacha20_scalar)); EG(ret, err); in _bip0340_verify_batch_no_memory()
854 MUST_HAVE((pub_key0 != NULL), ret, err); in _bip0340_verify_batch_no_memory()
857 ret = get_hash_by_type(hash_type, &hm); EG(ret, err); in _bip0340_verify_batch_no_memory()
859 MUST_HAVE((hm != NULL), ret, err); in _bip0340_verify_batch_no_memory()
865 ret = pub_key_check_initialized_and_type(pub_keys[i], BIP0340); EG(ret, err); in _bip0340_verify_batch_no_memory()
871 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err); in _bip0340_verify_batch_no_memory()
886 MUST_HAVE((siglen == BIP0340_SIGLEN(p_bit_len, q_bit_len)), ret, err); in _bip0340_verify_batch_no_memory()
887 MUST_HAVE((siglen == (BIP0340_R_LEN(p_bit_len) + BIP0340_S_LEN(q_bit_len))), ret, err); in _bip0340_verify_batch_no_memory()
890 MUST_HAVE((key_type == sig_type), ret, err); in _bip0340_verify_batch_no_memory()
894 ret = nn_init(&S_sum, 0); EG(ret, err); in _bip0340_verify_batch_no_memory()
895 ret = prj_pt_init(&R_sum, shortw_curve); EG(ret, err); in _bip0340_verify_batch_no_memory()
896 ret = prj_pt_zero(&R_sum); EG(ret, err); in _bip0340_verify_batch_no_memory()
897 ret = prj_pt_init(&P_sum, shortw_curve); EG(ret, err); in _bip0340_verify_batch_no_memory()
898 ret = prj_pt_zero(&P_sum); EG(ret, err); in _bip0340_verify_batch_no_memory()
899 ret = prj_pt_init(&Tmp, shortw_curve); EG(ret, err); in _bip0340_verify_batch_no_memory()
900 ret = nn_init(&e, 0); EG(ret, err); in _bip0340_verify_batch_no_memory()
901 ret = nn_init(&a, 0); EG(ret, err); in _bip0340_verify_batch_no_memory()
903 ret = _bip0340_compute_batch_csprng_seed(s, s_len, pub_keys, m, m_len, num, in _bip0340_verify_batch_no_memory()
905 sizeof(chacha20_seed)); EG(ret, err); in _bip0340_verify_batch_no_memory()
909 ret = _bip0340_compute_batch_csprng_scalars(chacha20_seed, sizeof(chacha20_seed), in _bip0340_verify_batch_no_memory()
912 q_bit_len, q_len, &a); EG(ret, err); in _bip0340_verify_batch_no_memory()
917 ret = fp_init(&rx, pub_key->params->ec_curve.a.ctx); EG(ret, err); in _bip0340_verify_batch_no_memory()
918 ret = fp_import_from_buf(&rx, &sig[0], p_len); EG(ret, err); in _bip0340_verify_batch_no_memory()
919 ret = nn_init_from_buf(&S, &sig[p_len], q_len); EG(ret, err); in _bip0340_verify_batch_no_memory()
920 ret = nn_cmp(&S, q, &cmp); EG(ret, err); in _bip0340_verify_batch_no_memory()
921 MUST_HAVE((cmp < 0), ret, err); in _bip0340_verify_batch_no_memory()
930 ret = nn_mod_mul(&S, &a, &S, q); EG(ret, err); in _bip0340_verify_batch_no_memory()
932 ret = nn_mod_add(&S_sum, &S_sum, &S, q); EG(ret, err); in _bip0340_verify_batch_no_memory()
937 ret = fp_copy(&(R->X), &rx); EG(ret, err); in _bip0340_verify_batch_no_memory()
938 ret = aff_pt_y_from_x(&(R->Y), &(R->Z), &rx, shortw_curve); EG(ret, err); in _bip0340_verify_batch_no_memory()
940 ret = nn_isodd(&(R->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch_no_memory()
942 ret = fp_copy(&(R->Y), &(R->Z)); EG(ret, err); in _bip0340_verify_batch_no_memory()
944 ret = fp_one(&(R->Z)); EG(ret, err); in _bip0340_verify_batch_no_memory()
947 ret = _prj_pt_unprotected_mult(R, &a, R); EG(ret, err); in _bip0340_verify_batch_no_memory()
950 ret = prj_pt_add(&R_sum, &R_sum, R); EG(ret, err); in _bip0340_verify_batch_no_memory()
959 ret = prj_pt_copy(Y, pub_key_y); EG(ret, err); in _bip0340_verify_batch_no_memory()
960 ret = prj_pt_unique(Y, Y); EG(ret, err); in _bip0340_verify_batch_no_memory()
962 ret = nn_isodd(&(Y->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch_no_memory()
965 ret = fp_neg(&(Y->Y), &(Y->Y)); EG(ret, err); in _bip0340_verify_batch_no_memory()
969 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_verify_batch_no_memory()
971 &h_ctx); EG(ret, err); in _bip0340_verify_batch_no_memory()
972 ret = fp_export_to_buf(&Pubx[0], p_len, &(Y->X)); EG(ret, err); in _bip0340_verify_batch_no_memory()
973 ret = hm->hfunc_update(&h_ctx, &Pubx[0], p_len); EG(ret, err); in _bip0340_verify_batch_no_memory()
974 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _bip0340_verify_batch_no_memory()
975 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err); in _bip0340_verify_batch_no_memory()
977 ret = nn_init_from_buf(&e, hash, hsize); EG(ret, err); in _bip0340_verify_batch_no_memory()
978 ret = nn_mod(&e, &e, q); EG(ret, err); in _bip0340_verify_batch_no_memory()
984 ret = nn_mod_mul(&e, &e, &a, q); EG(ret, err); in _bip0340_verify_batch_no_memory()
986 ret = _prj_pt_unprotected_mult(Y, &e, Y); EG(ret, err); in _bip0340_verify_batch_no_memory()
989 ret = prj_pt_add(&P_sum, &P_sum, Y); EG(ret, err); in _bip0340_verify_batch_no_memory()
993 MUST_HAVE((q != NULL) && (G != NULL), ret, err); in _bip0340_verify_batch_no_memory()
996 ret = nn_mod_neg(&S_sum, &S_sum, q); EG(ret, err); /* -S_sum = q - S_sum*/ in _bip0340_verify_batch_no_memory()
997 ret = _prj_pt_unprotected_mult(&Tmp, &S_sum, G); EG(ret, err); in _bip0340_verify_batch_no_memory()
999 ret = prj_pt_add(&Tmp, &Tmp, &R_sum); EG(ret, err); in _bip0340_verify_batch_no_memory()
1000 ret = prj_pt_add(&Tmp, &Tmp, &P_sum); EG(ret, err); in _bip0340_verify_batch_no_memory()
1002 ret = prj_pt_iszero(&Tmp, &iszero); EG(ret, err); in _bip0340_verify_batch_no_memory()
1003 ret = (iszero == 1) ? 0 : -1; in _bip0340_verify_batch_no_memory()
1024 return ret; in _bip0340_verify_batch_no_memory()
1041 int ret, iszero, isodd, cmp; in _bip0340_verify_batch() local
1065 MUST_HAVE((s != NULL) && (pub_keys != NULL) && (m != NULL), ret, err); in _bip0340_verify_batch()
1067 MUST_HAVE((scratch_pad_area_len != NULL), ret, err); in _bip0340_verify_batch()
1068 MUST_HAVE(((2 * num) >= num), ret, err); in _bip0340_verify_batch()
1069 MUST_HAVE(((2 * num) + 1) >= num, ret, err); in _bip0340_verify_batch()
1072 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err); in _bip0340_verify_batch()
1073 ret = local_memset(Pubx, 0, sizeof(Pubx)); EG(ret, err); in _bip0340_verify_batch()
1074 ret = local_memset(chacha20_seed, 0,sizeof(chacha20_seed)); EG(ret, err); in _bip0340_verify_batch()
1075 ret = local_memset(chacha20_scalar, 0,sizeof(chacha20_scalar)); EG(ret, err); in _bip0340_verify_batch()
1085 ret = 0; in _bip0340_verify_batch()
1089 ret = _bip0340_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in _bip0340_verify_batch()
1090 … hash_type, adata, adata_len); EG(ret, err); in _bip0340_verify_batch()
1096 MUST_HAVE((expected_len < 0xffffffff), ret, err); in _bip0340_verify_batch()
1103 ret = 0; in _bip0340_verify_batch()
1107 MUST_HAVE((*scratch_pad_area_len) >= expected_len, ret, err); in _bip0340_verify_batch()
1111 MUST_HAVE((pub_key0 != NULL), ret, err); in _bip0340_verify_batch()
1114 ret = get_hash_by_type(hash_type, &hm); EG(ret, err); in _bip0340_verify_batch()
1116 MUST_HAVE((hm != NULL), ret, err); in _bip0340_verify_batch()
1122 ret = pub_key_check_initialized_and_type(pub_keys[i], BIP0340); EG(ret, err); in _bip0340_verify_batch()
1128 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err); in _bip0340_verify_batch()
1143 MUST_HAVE((siglen == BIP0340_SIGLEN(p_bit_len, q_bit_len)), ret, err); in _bip0340_verify_batch()
1144 MUST_HAVE((siglen == (BIP0340_R_LEN(p_bit_len) + BIP0340_S_LEN(q_bit_len))), ret, err); in _bip0340_verify_batch()
1147 MUST_HAVE((key_type == sig_type), ret, err); in _bip0340_verify_batch()
1151 ret = nn_init(&a, 0); EG(ret, err); in _bip0340_verify_batch()
1152 ret = nn_init(&elements[(2 * num)].number, 0); EG(ret, err); in _bip0340_verify_batch()
1153 ret = prj_pt_copy(&elements[(2 * num)].point, G); EG(ret, err); in _bip0340_verify_batch()
1155 ret = _bip0340_compute_batch_csprng_seed(s, s_len, pub_keys, m, m_len, num, in _bip0340_verify_batch()
1157 sizeof(chacha20_seed)); EG(ret, err); in _bip0340_verify_batch()
1161 ret = _bip0340_compute_batch_csprng_scalars(chacha20_seed, sizeof(chacha20_seed), in _bip0340_verify_batch()
1164 q_bit_len, q_len, &a); EG(ret, err); in _bip0340_verify_batch()
1169 ret = fp_init(&rx, pub_key->params->ec_curve.a.ctx); EG(ret, err); in _bip0340_verify_batch()
1170 ret = fp_import_from_buf(&rx, &sig[0], p_len); EG(ret, err); in _bip0340_verify_batch()
1171 ret = nn_init_from_buf(&S, &sig[p_len], q_len); EG(ret, err); in _bip0340_verify_batch()
1172 ret = nn_cmp(&S, q, &cmp); EG(ret, err); in _bip0340_verify_batch()
1173 MUST_HAVE((cmp < 0), ret, err); in _bip0340_verify_batch()
1182 ret = nn_mod_mul(&S, &a, &S, q); EG(ret, err); in _bip0340_verify_batch()
1184 ret = nn_mod_add(&elements[(2 * num)].number, &elements[(2 * num)].number, in _bip0340_verify_batch()
1185 &S, q); EG(ret, err); in _bip0340_verify_batch()
1190 ret = prj_pt_init(R, shortw_curve); EG(ret, err); in _bip0340_verify_batch()
1192 ret = fp_copy(&(R->X), &rx); EG(ret, err); in _bip0340_verify_batch()
1193 ret = aff_pt_y_from_x(&(R->Y), &(R->Z), &rx, shortw_curve); EG(ret, err); in _bip0340_verify_batch()
1195 ret = nn_isodd(&(R->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch()
1197 ret = fp_copy(&(R->Y), &(R->Z)); EG(ret, err); in _bip0340_verify_batch()
1199 ret = fp_one(&(R->Z)); EG(ret, err); in _bip0340_verify_batch()
1202 ret = nn_init(&elements[i].number, 0); EG(ret, err); in _bip0340_verify_batch()
1203 ret = nn_copy(&elements[i].number, &a); EG(ret, err); in _bip0340_verify_batch()
1206 ret = nn_init(&elements[i].number, 0); EG(ret, err); in _bip0340_verify_batch()
1207 ret = nn_one(&elements[i].number); EG(ret, err); in _bip0340_verify_batch()
1217 ret = prj_pt_copy(Y, pub_key_y); EG(ret, err); in _bip0340_verify_batch()
1218 ret = prj_pt_unique(Y, Y); EG(ret, err); in _bip0340_verify_batch()
1220 ret = nn_isodd(&(Y->Y.fp_val), &isodd); EG(ret, err); in _bip0340_verify_batch()
1223 ret = fp_neg(&(Y->Y), &(Y->Y)); EG(ret, err); in _bip0340_verify_batch()
1229 ret = nn_init(e, 0); EG(ret, err); in _bip0340_verify_batch()
1230 ret = _bip0340_hash((const u8*)BIP0340_CHALLENGE, sizeof(BIP0340_CHALLENGE) - 1, in _bip0340_verify_batch()
1232 &h_ctx); EG(ret, err); in _bip0340_verify_batch()
1233 ret = fp_export_to_buf(&Pubx[0], p_len, &(Y->X)); EG(ret, err); in _bip0340_verify_batch()
1234 ret = hm->hfunc_update(&h_ctx, &Pubx[0], p_len); EG(ret, err); in _bip0340_verify_batch()
1235 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _bip0340_verify_batch()
1236 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err); in _bip0340_verify_batch()
1238 ret = nn_init_from_buf(e, hash, hsize); EG(ret, err); in _bip0340_verify_batch()
1239 ret = nn_mod(e, e, q); EG(ret, err); in _bip0340_verify_batch()
1245 ret = nn_mod_mul(e, e, &a, q); EG(ret, err); in _bip0340_verify_batch()
1250 MUST_HAVE((q != NULL) && (G != NULL) && (q_bit_len != 0), ret, err); in _bip0340_verify_batch()
1254 ret = ec_verify_bos_coster(elements, (2 * num) + 1, q_bit_len); in _bip0340_verify_batch()
1255 if(ret){ in _bip0340_verify_batch()
1256 if(ret == -2){ in _bip0340_verify_batch()
1260 ret = _bip0340_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in _bip0340_verify_batch()
1261 … hash_type, adata, adata_len); EG(ret, err); in _bip0340_verify_batch()
1270 ret = prj_pt_iszero(&elements[elements[0].index].point, &iszero); EG(ret, err); in _bip0340_verify_batch()
1271 ret = iszero ? 0 : -1; in _bip0340_verify_batch()
1293 return ret; in _bip0340_verify_batch()
1301 int ret; in bip0340_verify_batch() local
1304 MUST_HAVE((scratch_pad_area_len != NULL), ret, err); in bip0340_verify_batch()
1305 ret = _bip0340_verify_batch(s, s_len, pub_keys, m, m_len, num, sig_type, in bip0340_verify_batch()
1307 scratch_pad_area, scratch_pad_area_len); EG(ret, err); in bip0340_verify_batch()
1311 ret = _bip0340_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in bip0340_verify_batch()
1312 hash_type, adata, adata_len); EG(ret, err); in bip0340_verify_batch()
1316 return ret; in bip0340_verify_batch()