ec/ecp_nistp*.c: sanitize for undefined/implmentation-specific behaviour.

typedef uint8_t u8;

typedef uint64_t u64;

typedef int64_t s64;

/******************************************************************************/

/*-

typedef uint8_t u8;

typedef uint32_t u32;

typedef uint64_t u64;

typedef int64_t s64;

/*

 * The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We

{

    felem tmp;

    u64 a, b, mask;

    s64 high, low;

    u64 high, low;

    static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */

    /* Carry 2->3 */

     * In order to make space in tmp[3] for the carry from 2 -> 3, we

     * conditionally subtract kPrime if tmp[3] is large enough.

     */

    high = tmp[3] >> 64;

    high = (u64)(tmp[3] >> 64);

    /* As tmp[3] < 2^65, high is either 1 or 0 */

    high <<= 63;

    high >>= 63;

    high = 0 - high;

    /*-

     * high is:

     *   all ones   if the high word of tmp[3] is 1

     *   all zeros  if the high word of tmp[3] if 0 */

    low = tmp[3];

    mask = low >> 63;

     *   all zeros  if the high word of tmp[3] if 0

     */

    low = (u64)tmp[3];

    mask = 0 - (low >> 63);

    /*-

     * mask is:

     *   all ones   if the MSB of low is 1

     *   all zeros  if the MSB of low if 0 */

     *   all zeros  if the MSB of low if 0

     */

    low &= bottom63bits;

    low -= kPrime3Test;

    /* if low was greater than kPrime3Test then the MSB is zero */

    low = ~low;

    low >>= 63;

    low = 0 - (low >> 63);

    /*-

     * low is:

     *   all ones   if low was > kPrime3Test

     *   all zeros  if low was <= kPrime3Test */

     *   all zeros  if low was <= kPrime3Test

     */

    mask = (mask & low) | high;

    tmp[0] -= mask & kPrime[0];

    tmp[1] -= mask & kPrime[1];

        equal &= equal << 4;

        equal &= equal << 2;

        equal &= equal << 1;

        equal = ((s64) equal) >> 63;

        equal = 0 - (equal >> 63);

        all_equal_so_far &= equal;

    }

    is_zero &= is_zero << 4;

    is_zero &= is_zero << 2;

    is_zero &= is_zero << 1;

    is_zero = ((s64) is_zero) >> 63;

    is_zero = 0 - (is_zero >> 63);

    is_p = (small[0] ^ kPrime[0]) |

        (small[1] ^ kPrime[1]) |

    is_p &= is_p << 4;

    is_p &= is_p << 2;

    is_p &= is_p << 1;

    is_p = ((s64) is_p) >> 63;

    is_p = 0 - (is_p >> 63);

    is_zero |= is_p;

typedef uint8_t u8;

typedef uint64_t u64;

typedef int64_t s64;

/*

 * The underlying field. P521 operates over GF(2^521-1). We can serialise an

     * We know that ftmp[i] < 2^63, therefore the only way that the top bit

     * can be set is if is_zero was 0 before the decrement.

     */

    is_zero = ((s64) is_zero) >> 63;

    is_zero = 0 - (is_zero >> 63);

    is_p = ftmp[0] ^ kPrime[0];

    is_p |= ftmp[1] ^ kPrime[1];

    is_p |= ftmp[8] ^ kPrime[8];

    is_p--;

    is_p = ((s64) is_p) >> 63;

    is_p = 0 - (is_p >> 63);

    is_zero |= is_p;

    return is_zero;

    is_p &= is_p << 4;

    is_p &= is_p << 2;

    is_p &= is_p << 1;

    is_p = ((s64) is_p) >> 63;

    is_p = 0 - (is_p >> 63);

    is_p = ~is_p;

    /* is_p is 0 iff |out| == 2^521-1 and all ones otherwise */

    is_greater |= is_greater << 4;

    is_greater |= is_greater << 2;

    is_greater |= is_greater << 1;

    is_greater = ((s64) is_greater) >> 63;

    is_greater = 0 - (is_greater >> 63);

    out[0] -= kPrime[0] & is_greater;

    out[1] -= kPrime[1] & is_greater;