Initial adaptations for Curve25519 code.

 *

 * The field functions are shared by Ed25519 and X25519 where possible. */

#include <openssl/curve25519.h>

#include <string.h>

#include <openssl/cpu.h>

#include <openssl/mem.h>

#include <openssl/rand.h>

#include <openssl/sha.h>

#include "internal.h"

#include "ec_lcl.h"

/* fe means field element. Here the field is \Z/(2^255-19). An element t,

  fe_mul(out, t1, t0);

}

#if 0 /* Ed25519 code: not used yet */

/* h = -f

 *

 * Preconditions:

 *

 * Preconditions: b in {0,1}. */

static void fe_cmov(fe f, const fe g, unsigned b) {

  size_t i;

  b = 0-b;

  unsigned i;

  for (i = 0; i < 10; i++) {

    int32_t x = f[i] ^ g[i];

    x &= b;

 *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */

static int fe_isnonzero(const fe f) {

  uint8_t s[32];

  fe_tobytes(s, f);

  static const uint8_t zero[32] = {0};

  fe_tobytes(s, f);

  return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;

}

  return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;

}

#endif  /* Ed25519 */

#if defined(BORINGSSL_X25519_X86_64)

 *

 * Preconditions: b in {0,1}. */

static void fe_cswap(fe f, fe g, unsigned int b) {

  size_t i;

  b = 0-b;

  unsigned i;

  for (i = 0; i < 10; i++) {

    int32_t x = f[i] ^ g[i];

    x &= b;

                                       const uint8_t scalar[32],

                                       const uint8_t point[32]) {

  fe x1, x2, z2, x3, z3, tmp0, tmp1;

  uint8_t e[32];

  unsigned swap = 0;

  int pos;

  memcpy(e, scalar, 32);

  e[0] &= 248;

  e[31] &= 127;

  fe_copy(x3, x1);

  fe_1(z3);

  unsigned swap = 0;

  int pos;

  for (pos = 254; pos >= 0; --pos) {

    unsigned b = 1 & (e[pos / 8] >> (pos & 7));

    swap ^= b;

#endif  /* BORINGSSL_X25519_X86_64 */

#if 0

void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {

  RAND_bytes(out_private_key, 32);

  X25519_public_from_private(out_public_value, out_private_key);

}

#endif

int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],

           const uint8_t peer_public_value[32]) {

  static const uint8_t kZeros[32] = {0};

  return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;

}

#if 0

#if defined(BORINGSSL_X25519_X86_64)

/* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with

void X25519_public_from_private(uint8_t out_public_value[32],

                                const uint8_t private_key[32]) {

  uint8_t e[32];

  ge_p3 A;

  fe zplusy, zminusy, zminusy_inv;

#if defined(BORINGSSL_X25519_NEON)

  if (CRYPTO_is_NEON_capable()) {

    static const uint8_t kMongomeryBasePoint[32] = {9};

  }

#endif

  uint8_t e[32];

  memcpy(e, private_key, 32);

  e[0] &= 248;

  e[31] &= 127;

  e[31] |= 64;

  ge_p3 A;

  ge_scalarmult_base(&A, e);

  /* We only need the u-coordinate of the curve25519 point. The map is

   * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */

  fe zplusy, zminusy, zminusy_inv;

  fe_add(zplusy, A.Z, A.Y);

  fe_sub(zminusy, A.Z, A.Y);

  fe_invert(zminusy_inv, zminusy);

}

#endif  /* BORINGSSL_X25519_X86_64 */

#endif