Lines Matching +full:carry +full:- +full:less

1 // SPDX-License-Identifier: GPL-2.0 OR MIT
4 * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
25 return xnx - (u64)1U; in eq_mask()
33 u64 x_sub_y = x - y; in gte_mask()
38 return x_xor_q_ - (u64)1U; in gte_mask()
41 /* Computes the addition of four-element f1 with value in f2
42 * and returns the carry (if any) */
48 /* Clear registers to propagate the carry bit */ in add_scalar()
65 /* Return the carry bit in a register */ in add_scalar()
90 /* Step 1: Compute carry*38 */ in fadd()
95 /* Step 2: Add carry*38 to the original sum */ in fadd()
105 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fadd()
119 /* Compute the raw subtraction of f1-f2 */ in fsub()
131 /* Step 1: Compute carry*38 */ in fsub()
136 /* Step 2: Subtract carry*38 from the original difference */ in fsub()
142 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fsub()
157 /* Computes a field multiplication: out <- f1 * f2
158 * Uses the 8-element buffer tmp for intermediate results */
163 /* Compute the raw multiplication: tmp <- src1 * src2 */ in fmul()
252 /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ in fmul()
270 /* Step 2: Fold the carry back into dst */ in fmul()
279 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fmul()
291 * out[0] <- f1[0] * f2[0]
292 * out[1] <- f1[1] * f2[1]
293 * Uses the 16-element buffer tmp for intermediate results: */
298 /* Compute the raw multiplication tmp[0] <- f1[0] * f2[0] */ in fmul2()
381 /* Compute the raw multiplication tmp[1] <- f1[1] * f2[1] */ in fmul2()
470 /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ in fmul2()
488 /* Step 2: Fold the carry back into dst */ in fmul2()
497 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fmul2()
503 /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ in fmul2()
521 /* Step 2: Fold the carry back into dst */ in fmul2()
530 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fmul2()
541 /* Computes the field multiplication of four-element f1 with value in f2
561 /* Step 1: Compute carry*38 */ in fmul_scalar()
565 /* Step 2: Fold the carry back into dst */ in fmul_scalar()
574 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fmul_scalar()
585 /* Computes p1 <- bit ? p2 : p1 in constant time */
668 /* Computes the square of a field element: out <- f * f
669 * Uses the 8-element buffer tmp for intermediate results */
673 /* Compute the raw multiplication: tmp <- f * f */ in fsqr()
693 /* Step 2: Compute two parallel carry chains */ in fsqr()
739 /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ in fsqr()
757 /* Step 2: Fold the carry back into dst */ in fsqr()
766 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fsqr()
778 * out[0] <- f[0] * f[0]
779 * out[1] <- f[1] * f[1]
780 * Uses the 16-element buffer tmp for intermediate results */
802 /* Step 2: Compute two parallel carry chains */ in fsqr2()
860 /* Step 2: Compute two parallel carry chains */ in fsqr2()
904 /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ in fsqr2()
922 /* Step 2: Fold the carry back into dst */ in fsqr2()
931 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fsqr2()
937 /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ in fsqr2()
955 /* Step 2: Fold the carry back into dst */ in fsqr2()
964 /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ in fsqr2()
1095 u64 bit = (u64)(key[((u32)253U - i) / (u32)8U] >> ((u32)253U - i) % (u32)8U & (u8)1U); in montgomery_ladder()
1119 for (i = (u32)0U; i < n1 - (u32)1U; i = i + (u32)1U) in fsquare_times()
1197 f0_ = f0 - (mask & (u64)0xffffffffffffffedU); in store_felem()
1198 f1_ = f1 - (mask & (u64)0xffffffffffffffffU); in store_felem()
1199 f2_ = f2 - (mask & (u64)0xffffffffffffffffU); in store_felem()
1200 f3_ = f3 - (mask & (u64)0x7fffffffffffffffU); in store_felem()
1265 * ec = EllipticCurve(GF(2^255 - 19), [0, 486662, 0, 1, 0])
1266 * p_minus_s = (ec.lift_x(9) - ec.lift_x(1))[0]
1271 * l = (p[0] + p[2]) / (p[0] - p[2])
1568 k = (64 * i + j - 3); in curve25519_ever64_base()
1626 return -EINVAL; in curve25519_set_secret()
1637 if (req->src) in curve25519_generate_public_key()
1638 return -EINVAL; in curve25519_generate_public_key()
1642 /* caller might want less than we've got: cap the length at req->dst_len, never more than CURVE25519_KEY_SIZE */ in curve25519_generate_public_key()
1643 nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); in curve25519_generate_public_key()
1644 copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, in curve25519_generate_public_key()
1648 return -EINVAL; in curve25519_generate_public_key()
1660 if (!req->src) in curve25519_compute_shared_secret()
1661 return -EINVAL; in curve25519_compute_shared_secret()
1663 copied = sg_copy_to_buffer(req->src, in curve25519_compute_shared_secret()
1664 sg_nents_for_len(req->src, in curve25519_compute_shared_secret()
1668 return -EINVAL; in curve25519_compute_shared_secret()
1672 /* caller might want less than we've got: cap the length at req->dst_len, never more than CURVE25519_KEY_SIZE */ in curve25519_compute_shared_secret()
1673 nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); in curve25519_compute_shared_secret()
1674 copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, in curve25519_compute_shared_secret()
1678 return -EINVAL; in curve25519_compute_shared_secret()
1689 .base.cra_driver_name = "curve25519-x86",
1722 MODULE_ALIAS_CRYPTO("curve25519-x86");