Hi Jason, I love your patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v4.19-rc1 next-20180827] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Jason-A-Donenfeld/WireGuard-Secure-Network-Tunnel/20180827-073051 config: um-allmodconfig (attached as .config) compiler: gcc-7 (Debian 7.3.0-16) 7.3.0 reproduce: # save the attached .config to linux build tree make ARCH=um All error/warnings (new ones prefixed by >>): In file included from lib/zinc/chacha20/chacha20-x86_64-glue.h:8:0, from :0: >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ In file included from :0:0: At top level: lib/zinc/chacha20/chacha20-x86_64-glue.h:27:13: warning: 'chacha20_use_avx512vl' defined but not used [-Wunused-variable] static bool chacha20_use_avx512vl __ro_after_init; ^~~~~~~~~~~~~~~~~~~~~ lib/zinc/chacha20/chacha20-x86_64-glue.h:26:13: warning: 'chacha20_use_avx512' defined but not used [-Wunused-variable] static bool chacha20_use_avx512 __ro_after_init; ^~~~~~~~~~~~~~~~~~~ lib/zinc/chacha20/chacha20-x86_64-glue.h:25:13: warning: 'chacha20_use_avx2' defined but not used [-Wunused-variable] static bool chacha20_use_avx2 __ro_after_init; ^~~~~~~~~~~~~~~~~ lib/zinc/chacha20/chacha20-x86_64-glue.h:24:13: warning: 'chacha20_use_ssse3' defined but not used [-Wunused-variable] static bool chacha20_use_ssse3 __ro_after_init; ^~~~~~~~~~~~~~~~~~ -- In file included from lib/zinc/poly1305/poly1305-x86_64-glue.h:8:0, from :0: >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ In file included from :0:0: At top level: lib/zinc/poly1305/poly1305-x86_64-glue.h:28:13: warning: 'poly1305_use_avx512' defined but not used [-Wunused-variable] static bool poly1305_use_avx512 __ro_after_init; ^~~~~~~~~~~~~~~~~~~ lib/zinc/poly1305/poly1305-x86_64-glue.h:27:13: warning: 'poly1305_use_avx2' defined but not used [-Wunused-variable] static bool poly1305_use_avx2 __ro_after_init; ^~~~~~~~~~~~~~~~~ lib/zinc/poly1305/poly1305-x86_64-glue.h:26:13: warning: 'poly1305_use_avx' defined but not used [-Wunused-variable] static bool poly1305_use_avx __ro_after_init; ^~~~~~~~~~~~~~~~ -- In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:7:0, from :0: >> arch/x86/include/asm/cpufeature.h:49:41: error: 'NBUGINTS' undeclared here (not in a function) extern const char * const x86_bug_flags[NBUGINTS*32]; ^~~~~~~~ >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:196:24: error: 'X86_FEATURE_ALWAYS' undeclared (first use in this function) [always] "i" (X86_FEATURE_ALWAYS), ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ^ arch/x86/include/asm/cpufeature.h:196:24: note: each undeclared identifier is reported only once for each function it appears in [always] "i" (X86_FEATURE_ALWAYS), ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ^ In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib/zinc/curve25519/curve25519-x86_64.h: In function 'inv_eltfp25519_1w_adx': >> lib/zinc/curve25519/curve25519-x86_64.h:1543:2: error: implicit declaration of function 'memzero_explicit' [-Werror=implicit-function-declaration] memzero_explicit(&m, sizeof(m)); ^~~~~~~~~~~~~~~~ In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib/zinc/curve25519/curve25519-x86_64.h: In function 'curve25519_adx': >> lib/zinc/curve25519/curve25519-x86_64.h:1706:2: error: implicit declaration of function 'memcpy'; did you mean 'pte_copy'? 
[-Werror=implicit-function-declaration] memcpy(m.private, private_key, sizeof(m.private)); ^~~~~~ pte_copy In file included from :0:0: lib/zinc/curve25519/curve25519-x86_64-glue.h: At top level: >> lib/zinc/curve25519/curve25519-x86_64-glue.h:12:33: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init' static bool curve25519_use_bmi2 __ro_after_init; ^~~~~~~~~~~~~~~ lib/zinc/curve25519/curve25519-x86_64-glue.h:13:32: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init' static bool curve25519_use_adx __ro_after_init; ^~~~~~~~~~~~~~~ >> lib/zinc/curve25519/curve25519-x86_64-glue.h:15:13: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'curve25519_fpu_init' void __init curve25519_fpu_init(void) ^~~~~~~~~~~~~~~~~~~ In file included from :0:0: lib/zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_arch': >> lib/zinc/curve25519/curve25519-x86_64-glue.h:23:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'? if (curve25519_use_adx) { ^~~~~~~~~~~~~~~~~~ curve25519_adx >> lib/zinc/curve25519/curve25519-x86_64-glue.h:26:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'? } else if (curve25519_use_bmi2) { ^~~~~~~~~~~~~~~~~~~ curve25519_use_adx lib/zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_base_arch': lib/zinc/curve25519/curve25519-x86_64-glue.h:35:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'? if (curve25519_use_adx) { ^~~~~~~~~~~~~~~~~~ curve25519_adx lib/zinc/curve25519/curve25519-x86_64-glue.h:38:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'? 
} else if (curve25519_use_bmi2) { ^~~~~~~~~~~~~~~~~~~ curve25519_use_adx In file included from arch/x86/include/asm/string.h:5:0, from include/linux/string.h:20, from lib/zinc/curve25519/curve25519.c:9: arch/x86/include/asm/string_64.h: At top level: >> arch/x86/include/asm/string_64.h:32:14: error: conflicting types for 'memcpy' extern void *memcpy(void *to, const void *from, size_t len); ^~~~~~ In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib/zinc/curve25519/curve25519-x86_64.h:1706:2: note: previous implicit declaration of 'memcpy' was here memcpy(m.private, private_key, sizeof(m.private)); ^~~~~~ In file included from lib/zinc/curve25519/curve25519.c:9:0: >> include/linux/string.h:216:6: warning: conflicting types for 'memzero_explicit' void memzero_explicit(void *s, size_t count); ^~~~~~~~~~~~~~~~ In file included from lib/zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib/zinc/curve25519/curve25519-x86_64.h:1543:2: note: previous implicit declaration of 'memzero_explicit' was here memzero_explicit(&m, sizeof(m)); ^~~~~~~~~~~~~~~~ cc1: some warnings being treated as errors -- In file included from lib/zinc/blake2s/blake2s-x86_64-glue.h:7:0, from :0: >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ In file included from :0:0: At top level: lib/zinc/blake2s/blake2s-x86_64-glue.h:20:13: warning: 'blake2s_use_avx512' defined but not used [-Wunused-variable] static bool blake2s_use_avx512 __ro_after_init; ^~~~~~~~~~~~~~~~~~ lib/zinc/blake2s/blake2s-x86_64-glue.h:19:13: warning: 'blake2s_use_avx' defined but not used [-Wunused-variable] static bool blake2s_use_avx __ro_after_init; ^~~~~~~~~~~~~~~ -- In file included from lib//zinc/chacha20/chacha20-x86_64-glue.h:8:0, from :0: >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ In file included from :0:0: At top level: lib//zinc/chacha20/chacha20-x86_64-glue.h:27:13: warning: 'chacha20_use_avx512vl' defined but not used [-Wunused-variable] static bool chacha20_use_avx512vl __ro_after_init; ^~~~~~~~~~~~~~~~~~~~~ lib//zinc/chacha20/chacha20-x86_64-glue.h:26:13: warning: 'chacha20_use_avx512' defined but not used [-Wunused-variable] static bool chacha20_use_avx512 __ro_after_init; ^~~~~~~~~~~~~~~~~~~ lib//zinc/chacha20/chacha20-x86_64-glue.h:25:13: warning: 'chacha20_use_avx2' defined but not used [-Wunused-variable] static bool chacha20_use_avx2 __ro_after_init; ^~~~~~~~~~~~~~~~~ lib//zinc/chacha20/chacha20-x86_64-glue.h:24:13: warning: 'chacha20_use_ssse3' defined but not used [-Wunused-variable] static bool chacha20_use_ssse3 __ro_after_init; ^~~~~~~~~~~~~~~~~~ -- In file included from lib//zinc/poly1305/poly1305-x86_64-glue.h:8:0, from :0: >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ In file included from :0:0: At top level: lib//zinc/poly1305/poly1305-x86_64-glue.h:28:13: warning: 'poly1305_use_avx512' defined but not used [-Wunused-variable] static bool poly1305_use_avx512 __ro_after_init; ^~~~~~~~~~~~~~~~~~~ lib//zinc/poly1305/poly1305-x86_64-glue.h:27:13: warning: 'poly1305_use_avx2' defined but not used [-Wunused-variable] static bool poly1305_use_avx2 __ro_after_init; ^~~~~~~~~~~~~~~~~ lib//zinc/poly1305/poly1305-x86_64-glue.h:26:13: warning: 'poly1305_use_avx' defined but not used [-Wunused-variable] static bool poly1305_use_avx __ro_after_init; ^~~~~~~~~~~~~~~~ -- In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:7:0, from :0: >> arch/x86/include/asm/cpufeature.h:49:41: error: 'NBUGINTS' undeclared here (not in a function) extern const char * const x86_bug_flags[NBUGINTS*32]; ^~~~~~~~ >> arch/x86/include/asm/cpufeature.h:134:34: warning: 'struct cpuinfo_x86' declared inside parameter list will not be visible outside of this definition or declaration extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit); ^~~~~~~~~~~ In file included from include/linux/compiler_types.h:64:0, from :0: arch/x86/include/asm/cpufeature.h: In function '_static_cpu_has': >> arch/x86/include/asm/cpufeature.h:196:24: error: 'X86_FEATURE_ALWAYS' undeclared (first use in this function) [always] "i" (X86_FEATURE_ALWAYS), ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ^ arch/x86/include/asm/cpufeature.h:196:24: note: each undeclared identifier is reported only once for each function it appears in [always] "i" (X86_FEATURE_ALWAYS), ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) 
do { asm goto(x); asm (""); } while (0) ^ >> arch/x86/include/asm/cpufeature.h:198:52: error: 'struct cpuinfo_um' has no member named 'x86_capability' [cap_byte] "m" (((const char *)boot_cpu_data.x86_capability)[bit >> 3]) ^ include/linux/compiler-gcc.h:182:47: note: in definition of macro 'asm_volatile_goto' #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0) ^ In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib//zinc/curve25519/curve25519-x86_64.h: In function 'inv_eltfp25519_1w_adx': lib//zinc/curve25519/curve25519-x86_64.h:1543:2: error: implicit declaration of function 'memzero_explicit' [-Werror=implicit-function-declaration] memzero_explicit(&m, sizeof(m)); ^~~~~~~~~~~~~~~~ In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib//zinc/curve25519/curve25519-x86_64.h: In function 'curve25519_adx': lib//zinc/curve25519/curve25519-x86_64.h:1706:2: error: implicit declaration of function 'memcpy'; did you mean 'pte_copy'? 
[-Werror=implicit-function-declaration] memcpy(m.private, private_key, sizeof(m.private)); ^~~~~~ pte_copy In file included from :0:0: lib//zinc/curve25519/curve25519-x86_64-glue.h: At top level: lib//zinc/curve25519/curve25519-x86_64-glue.h:12:33: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init' static bool curve25519_use_bmi2 __ro_after_init; ^~~~~~~~~~~~~~~ lib//zinc/curve25519/curve25519-x86_64-glue.h:13:32: error: expected '=', ',', ';', 'asm' or '__attribute__' before '__ro_after_init' static bool curve25519_use_adx __ro_after_init; ^~~~~~~~~~~~~~~ lib//zinc/curve25519/curve25519-x86_64-glue.h:15:13: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'curve25519_fpu_init' void __init curve25519_fpu_init(void) ^~~~~~~~~~~~~~~~~~~ In file included from :0:0: lib//zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_arch': lib//zinc/curve25519/curve25519-x86_64-glue.h:23:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'? if (curve25519_use_adx) { ^~~~~~~~~~~~~~~~~~ curve25519_adx lib//zinc/curve25519/curve25519-x86_64-glue.h:26:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'? } else if (curve25519_use_bmi2) { ^~~~~~~~~~~~~~~~~~~ curve25519_use_adx lib//zinc/curve25519/curve25519-x86_64-glue.h: In function 'curve25519_base_arch': lib//zinc/curve25519/curve25519-x86_64-glue.h:35:6: error: 'curve25519_use_adx' undeclared (first use in this function); did you mean 'curve25519_adx'? if (curve25519_use_adx) { ^~~~~~~~~~~~~~~~~~ curve25519_adx lib//zinc/curve25519/curve25519-x86_64-glue.h:38:13: error: 'curve25519_use_bmi2' undeclared (first use in this function); did you mean 'curve25519_use_adx'? 
} else if (curve25519_use_bmi2) { ^~~~~~~~~~~~~~~~~~~ curve25519_use_adx In file included from arch/x86/include/asm/string.h:5:0, from include/linux/string.h:20, from lib//zinc/curve25519/curve25519.c:9: arch/x86/include/asm/string_64.h: At top level: >> arch/x86/include/asm/string_64.h:32:14: error: conflicting types for 'memcpy' extern void *memcpy(void *to, const void *from, size_t len); ^~~~~~ In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib//zinc/curve25519/curve25519-x86_64.h:1706:2: note: previous implicit declaration of 'memcpy' was here memcpy(m.private, private_key, sizeof(m.private)); ^~~~~~ In file included from lib//zinc/curve25519/curve25519.c:9:0: >> include/linux/string.h:216:6: warning: conflicting types for 'memzero_explicit' void memzero_explicit(void *s, size_t count); ^~~~~~~~~~~~~~~~ In file included from lib//zinc/curve25519/curve25519-x86_64-glue.h:10:0, from :0: lib//zinc/curve25519/curve25519-x86_64.h:1543:2: note: previous implicit declaration of 'memzero_explicit' was here memzero_explicit(&m, sizeof(m)); ^~~~~~~~~~~~~~~~ cc1: some warnings being treated as errors .. vim +/memzero_explicit +1543 lib/zinc/curve25519/curve25519-x86_64.h 468c57c7 Jason A. Donenfeld 2018-08-24 1498 468c57c7 Jason A. Donenfeld 2018-08-24 1499 static void inv_eltfp25519_1w_adx(u64 *const c, const u64 *const a) 468c57c7 Jason A. Donenfeld 2018-08-24 1500 { 468c57c7 Jason A. Donenfeld 2018-08-24 1501 struct { 468c57c7 Jason A. Donenfeld 2018-08-24 1502 eltfp25519_1w_buffer buffer; 468c57c7 Jason A. Donenfeld 2018-08-24 1503 eltfp25519_1w x0, x1, x2; 468c57c7 Jason A. Donenfeld 2018-08-24 1504 } __aligned(32) m; 468c57c7 Jason A. Donenfeld 2018-08-24 1505 u64 *T[4]; 468c57c7 Jason A. Donenfeld 2018-08-24 1506 468c57c7 Jason A. Donenfeld 2018-08-24 1507 T[0] = m.x0; 468c57c7 Jason A. Donenfeld 2018-08-24 1508 T[1] = c; /* x^(-1) */ 468c57c7 Jason A. Donenfeld 2018-08-24 1509 T[2] = m.x1; 468c57c7 Jason A. 
Donenfeld 2018-08-24 1510 T[3] = m.x2; 468c57c7 Jason A. Donenfeld 2018-08-24 1511 468c57c7 Jason A. Donenfeld 2018-08-24 1512 copy_eltfp25519_1w(T[1], a); 468c57c7 Jason A. Donenfeld 2018-08-24 1513 sqrn_eltfp25519_1w_adx(T[1], 1); 468c57c7 Jason A. Donenfeld 2018-08-24 1514 copy_eltfp25519_1w(T[2], T[1]); 468c57c7 Jason A. Donenfeld 2018-08-24 1515 sqrn_eltfp25519_1w_adx(T[2], 2); 468c57c7 Jason A. Donenfeld 2018-08-24 1516 mul_eltfp25519_1w_adx(T[0], a, T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1517 mul_eltfp25519_1w_adx(T[1], T[1], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1518 copy_eltfp25519_1w(T[2], T[1]); 468c57c7 Jason A. Donenfeld 2018-08-24 1519 sqrn_eltfp25519_1w_adx(T[2], 1); 468c57c7 Jason A. Donenfeld 2018-08-24 1520 mul_eltfp25519_1w_adx(T[0], T[0], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1521 copy_eltfp25519_1w(T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1522 sqrn_eltfp25519_1w_adx(T[2], 5); 468c57c7 Jason A. Donenfeld 2018-08-24 1523 mul_eltfp25519_1w_adx(T[0], T[0], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1524 copy_eltfp25519_1w(T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1525 sqrn_eltfp25519_1w_adx(T[2], 10); 468c57c7 Jason A. Donenfeld 2018-08-24 1526 mul_eltfp25519_1w_adx(T[2], T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1527 copy_eltfp25519_1w(T[3], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1528 sqrn_eltfp25519_1w_adx(T[3], 20); 468c57c7 Jason A. Donenfeld 2018-08-24 1529 mul_eltfp25519_1w_adx(T[3], T[3], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1530 sqrn_eltfp25519_1w_adx(T[3], 10); 468c57c7 Jason A. Donenfeld 2018-08-24 1531 mul_eltfp25519_1w_adx(T[3], T[3], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1532 copy_eltfp25519_1w(T[0], T[3]); 468c57c7 Jason A. Donenfeld 2018-08-24 1533 sqrn_eltfp25519_1w_adx(T[0], 50); 468c57c7 Jason A. Donenfeld 2018-08-24 1534 mul_eltfp25519_1w_adx(T[0], T[0], T[3]); 468c57c7 Jason A. 
Donenfeld 2018-08-24 1535 copy_eltfp25519_1w(T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1536 sqrn_eltfp25519_1w_adx(T[2], 100); 468c57c7 Jason A. Donenfeld 2018-08-24 1537 mul_eltfp25519_1w_adx(T[2], T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1538 sqrn_eltfp25519_1w_adx(T[2], 50); 468c57c7 Jason A. Donenfeld 2018-08-24 1539 mul_eltfp25519_1w_adx(T[2], T[2], T[3]); 468c57c7 Jason A. Donenfeld 2018-08-24 1540 sqrn_eltfp25519_1w_adx(T[2], 5); 468c57c7 Jason A. Donenfeld 2018-08-24 1541 mul_eltfp25519_1w_adx(T[1], T[1], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1542 468c57c7 Jason A. Donenfeld 2018-08-24 @1543 memzero_explicit(&m, sizeof(m)); 468c57c7 Jason A. Donenfeld 2018-08-24 1544 } 468c57c7 Jason A. Donenfeld 2018-08-24 1545 468c57c7 Jason A. Donenfeld 2018-08-24 1546 static void inv_eltfp25519_1w_bmi2(u64 *const c, const u64 *const a) 468c57c7 Jason A. Donenfeld 2018-08-24 1547 { 468c57c7 Jason A. Donenfeld 2018-08-24 1548 struct { 468c57c7 Jason A. Donenfeld 2018-08-24 1549 eltfp25519_1w_buffer buffer; 468c57c7 Jason A. Donenfeld 2018-08-24 1550 eltfp25519_1w x0, x1, x2; 468c57c7 Jason A. Donenfeld 2018-08-24 1551 } __aligned(32) m; 468c57c7 Jason A. Donenfeld 2018-08-24 1552 u64 *T[5]; 468c57c7 Jason A. Donenfeld 2018-08-24 1553 468c57c7 Jason A. Donenfeld 2018-08-24 1554 T[0] = m.x0; 468c57c7 Jason A. Donenfeld 2018-08-24 1555 T[1] = c; /* x^(-1) */ 468c57c7 Jason A. Donenfeld 2018-08-24 1556 T[2] = m.x1; 468c57c7 Jason A. Donenfeld 2018-08-24 1557 T[3] = m.x2; 468c57c7 Jason A. Donenfeld 2018-08-24 1558 468c57c7 Jason A. Donenfeld 2018-08-24 1559 copy_eltfp25519_1w(T[1], a); 468c57c7 Jason A. Donenfeld 2018-08-24 1560 sqrn_eltfp25519_1w_bmi2(T[1], 1); 468c57c7 Jason A. Donenfeld 2018-08-24 1561 copy_eltfp25519_1w(T[2], T[1]); 468c57c7 Jason A. Donenfeld 2018-08-24 1562 sqrn_eltfp25519_1w_bmi2(T[2], 2); 468c57c7 Jason A. Donenfeld 2018-08-24 1563 mul_eltfp25519_1w_bmi2(T[0], a, T[2]); 468c57c7 Jason A. 
Donenfeld 2018-08-24 1564 mul_eltfp25519_1w_bmi2(T[1], T[1], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1565 copy_eltfp25519_1w(T[2], T[1]); 468c57c7 Jason A. Donenfeld 2018-08-24 1566 sqrn_eltfp25519_1w_bmi2(T[2], 1); 468c57c7 Jason A. Donenfeld 2018-08-24 1567 mul_eltfp25519_1w_bmi2(T[0], T[0], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1568 copy_eltfp25519_1w(T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1569 sqrn_eltfp25519_1w_bmi2(T[2], 5); 468c57c7 Jason A. Donenfeld 2018-08-24 1570 mul_eltfp25519_1w_bmi2(T[0], T[0], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1571 copy_eltfp25519_1w(T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1572 sqrn_eltfp25519_1w_bmi2(T[2], 10); 468c57c7 Jason A. Donenfeld 2018-08-24 1573 mul_eltfp25519_1w_bmi2(T[2], T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1574 copy_eltfp25519_1w(T[3], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1575 sqrn_eltfp25519_1w_bmi2(T[3], 20); 468c57c7 Jason A. Donenfeld 2018-08-24 1576 mul_eltfp25519_1w_bmi2(T[3], T[3], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1577 sqrn_eltfp25519_1w_bmi2(T[3], 10); 468c57c7 Jason A. Donenfeld 2018-08-24 1578 mul_eltfp25519_1w_bmi2(T[3], T[3], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1579 copy_eltfp25519_1w(T[0], T[3]); 468c57c7 Jason A. Donenfeld 2018-08-24 1580 sqrn_eltfp25519_1w_bmi2(T[0], 50); 468c57c7 Jason A. Donenfeld 2018-08-24 1581 mul_eltfp25519_1w_bmi2(T[0], T[0], T[3]); 468c57c7 Jason A. Donenfeld 2018-08-24 1582 copy_eltfp25519_1w(T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1583 sqrn_eltfp25519_1w_bmi2(T[2], 100); 468c57c7 Jason A. Donenfeld 2018-08-24 1584 mul_eltfp25519_1w_bmi2(T[2], T[2], T[0]); 468c57c7 Jason A. Donenfeld 2018-08-24 1585 sqrn_eltfp25519_1w_bmi2(T[2], 50); 468c57c7 Jason A. Donenfeld 2018-08-24 1586 mul_eltfp25519_1w_bmi2(T[2], T[2], T[3]); 468c57c7 Jason A. Donenfeld 2018-08-24 1587 sqrn_eltfp25519_1w_bmi2(T[2], 5); 468c57c7 Jason A. 
Donenfeld 2018-08-24 1588 mul_eltfp25519_1w_bmi2(T[1], T[1], T[2]); 468c57c7 Jason A. Donenfeld 2018-08-24 1589 468c57c7 Jason A. Donenfeld 2018-08-24 1590 memzero_explicit(&m, sizeof(m)); 468c57c7 Jason A. Donenfeld 2018-08-24 1591 } 468c57c7 Jason A. Donenfeld 2018-08-24 1592 468c57c7 Jason A. Donenfeld 2018-08-24 1593 /* Given c, a 256-bit number, fred_eltfp25519_1w updates c 468c57c7 Jason A. Donenfeld 2018-08-24 1594 * with a number such that 0 <= C < 2**255-19. 468c57c7 Jason A. Donenfeld 2018-08-24 1595 */ 468c57c7 Jason A. Donenfeld 2018-08-24 1596 static __always_inline void fred_eltfp25519_1w(u64 *const c) 468c57c7 Jason A. Donenfeld 2018-08-24 1597 { 468c57c7 Jason A. Donenfeld 2018-08-24 1598 u64 tmp0 = 38, tmp1 = 19; 468c57c7 Jason A. Donenfeld 2018-08-24 1599 asm volatile( 468c57c7 Jason A. Donenfeld 2018-08-24 1600 "btrq $63, %3 ;" /* Put bit 255 in carry flag and clear */ 468c57c7 Jason A. Donenfeld 2018-08-24 1601 "cmovncl %k5, %k4 ;" /* c[255] ? 38 : 19 */ 468c57c7 Jason A. Donenfeld 2018-08-24 1602 468c57c7 Jason A. Donenfeld 2018-08-24 1603 /* Add either 19 or 38 to c */ 468c57c7 Jason A. Donenfeld 2018-08-24 1604 "addq %4, %0 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1605 "adcq $0, %1 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1606 "adcq $0, %2 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1607 "adcq $0, %3 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1608 468c57c7 Jason A. Donenfeld 2018-08-24 1609 /* Test for bit 255 again; only triggered on overflow modulo 2^255-19 */ 468c57c7 Jason A. Donenfeld 2018-08-24 1610 "movl $0, %k4 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1611 "cmovnsl %k5, %k4 ;" /* c[255] ? 0 : 19 */ 468c57c7 Jason A. Donenfeld 2018-08-24 1612 "btrq $63, %3 ;" /* Clear bit 255 */ 468c57c7 Jason A. Donenfeld 2018-08-24 1613 468c57c7 Jason A. Donenfeld 2018-08-24 1614 /* Subtract 19 if necessary */ 468c57c7 Jason A. Donenfeld 2018-08-24 1615 "subq %4, %0 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1616 "sbbq $0, %1 ;" 468c57c7 Jason A. 
Donenfeld 2018-08-24 1617 "sbbq $0, %2 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1618 "sbbq $0, %3 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1619 468c57c7 Jason A. Donenfeld 2018-08-24 1620 : "+r"(c[0]), "+r"(c[1]), "+r"(c[2]), "+r"(c[3]), "+r"(tmp0), "+r"(tmp1) 468c57c7 Jason A. Donenfeld 2018-08-24 1621 : 468c57c7 Jason A. Donenfeld 2018-08-24 1622 : "memory", "cc"); 468c57c7 Jason A. Donenfeld 2018-08-24 1623 } 468c57c7 Jason A. Donenfeld 2018-08-24 1624 468c57c7 Jason A. Donenfeld 2018-08-24 1625 static __always_inline void cswap(u8 bit, u64 *const px, u64 *const py) 468c57c7 Jason A. Donenfeld 2018-08-24 1626 { 468c57c7 Jason A. Donenfeld 2018-08-24 1627 u64 temp; 468c57c7 Jason A. Donenfeld 2018-08-24 1628 asm volatile( 468c57c7 Jason A. Donenfeld 2018-08-24 1629 "test %9, %9 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1630 "movq %0, %8 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1631 "cmovnzq %4, %0 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1632 "cmovnzq %8, %4 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1633 "movq %1, %8 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1634 "cmovnzq %5, %1 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1635 "cmovnzq %8, %5 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1636 "movq %2, %8 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1637 "cmovnzq %6, %2 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1638 "cmovnzq %8, %6 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1639 "movq %3, %8 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1640 "cmovnzq %7, %3 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1641 "cmovnzq %8, %7 ;" 468c57c7 Jason A. Donenfeld 2018-08-24 1642 : "+r"(px[0]), "+r"(px[1]), "+r"(px[2]), "+r"(px[3]), 468c57c7 Jason A. Donenfeld 2018-08-24 1643 "+r"(py[0]), "+r"(py[1]), "+r"(py[2]), "+r"(py[3]), 468c57c7 Jason A. Donenfeld 2018-08-24 1644 "=r"(temp) 468c57c7 Jason A. Donenfeld 2018-08-24 1645 : "r"(bit) 468c57c7 Jason A. Donenfeld 2018-08-24 1646 : "cc" 468c57c7 Jason A. Donenfeld 2018-08-24 1647 ); 468c57c7 Jason A. 
}

/*
 * Constant-time conditional copy of one field element (four u64 limbs).
 *
 * If @bit is non-zero the limbs of @py are copied into @px; otherwise
 * @px is left unchanged.  @py is never written, so this is a select,
 * not a swap.  It is the only place in the ladder where secret data
 * (the scalar bit) steers execution, and it does so with cmovnzq rather
 * than a branch, so the control flow and the memory addresses touched
 * do not depend on @bit.  The asm is volatile so the compiler cannot
 * rewrite it into a conditional branch.
 *
 * @bit: 0 or 1 (operand 4 is a u8, so "test" is a byte test of the
 *       register holding it)
 * @px:  destination limbs, updated in place ("+r")
 * @py:  source limbs, read only
 */
static __always_inline void cselect(u8 bit, u64 *const px, const u64 *const py)
{
	asm volatile(
		"test %4, %4 ;"
		"cmovnzq %5, %0 ;"
		"cmovnzq %6, %1 ;"
		"cmovnzq %7, %2 ;"
		"cmovnzq %8, %3 ;"
		: "+r"(px[0]), "+r"(px[1]), "+r"(px[2]), "+r"(px[3])
		: "r"(bit), "rm"(py[0]), "rm"(py[1]), "rm"(py[2]), "rm"(py[3])
		: "cc"
	);
}

/*
 * Clamp a 32-byte scalar in place as required for X25519 (RFC 7748, 5):
 * clear the low three bits (multiple of the cofactor 8), clear bit 255
 * and set bit 254.  The ladder in curve25519_adx() depends on both ends
 * of this: bit 254 being set fixes where the ladder starts, and bit 0
 * being clear is what lets it omit the final conditional swap.
 *
 * @secret: the scalar, modified in place
 */
static __always_inline void clamp_secret(u8 secret[CURVE25519_POINT_SIZE])
{
	secret[0] &= 248;
	secret[31] &= 127;
	secret[31] |= 64;
}

/*
 * X25519 scalar multiplication with the ADX field arithmetic:
 * @shared = @private_key * @session_key, as a 32-byte u-coordinate.
 *
 * This is the x86_64-only path (cmov-based cselect(), ADX helpers); it
 * also reads the scalar and the point as host-endian u64 limbs, which
 * is little-endian here.
 *
 * @shared:      output, 32 bytes.  Not wiped here (it is the result).
 * @private_key: 32-byte scalar.  Copied into @m and clamped there; the
 *               caller's buffer is left untouched.
 * @session_key: 32-byte peer u-coordinate.  Copied into @m with the top
 *               bit masked off, as the spec requires.
 *
 * Timing: the loop bounds are fixed (bits 254..0, always 255 steps) and
 * the sequence of field operations is the same on every step; the only
 * secret-dependent operation is cselect(), which is branch-free.  All
 * intermediate state, including the clamped scalar and the inverse of
 * Z, lives in @m and is wiped with memzero_explicit() before returning.
 *
 * NOTE(review): there is no check here for an all-zero result (the
 * low-order point case); presumably the caller handles that — confirm.
 */
static void curve25519_adx(u8 shared[CURVE25519_POINT_SIZE], const u8 private_key[CURVE25519_POINT_SIZE], const u8 session_key[CURVE25519_POINT_SIZE])
{
	/*
	 * All secrets and scratch in one aligned struct so that a single
	 * memzero_explicit() at the end wipes everything.  32-byte
	 * alignment also keeps the u64 views of session/private aligned.
	 * NOTE(review): `buffer` is not referenced directly in this
	 * function; presumably scratch for the *_adx helpers — confirm.
	 */
	struct {
		u64 buffer[4 * NUM_WORDS_ELTFP25519];
		u64 coordinates[4 * NUM_WORDS_ELTFP25519];
		u64 workspace[6 * NUM_WORDS_ELTFP25519];
		u8 session[CURVE25519_POINT_SIZE];
		u8 private[CURVE25519_POINT_SIZE];
	} __aligned(32) m;

	int i = 0, j = 0;	/* i: scalar limb index, j: bit within limb */
	u64 prev = 0;		/* previous scalar bit, for swap = bit ^ prev */
	/* Byte buffers viewed as four little-endian u64 limbs. */
	u64 *const X1 = (u64 *)m.session;
	u64 *const key = (u64 *)m.private;
	/*
	 * Ladder state, laid out as [Px|Pz|Qx|Qz] so that the 2-way
	 * routines can operate on an adjacent (x,z) pair through one
	 * pointer (X2Z2, X3Z3 below).  Q=(X2:Z2) is the point that gets
	 * doubled, P=(X3:Z3) the one that receives the differential sum.
	 */
	u64 *const Px = m.coordinates + 0;
	u64 *const Pz = m.coordinates + 4;
	u64 *const Qx = m.coordinates + 8;
	u64 *const Qz = m.coordinates + 12;
	u64 *const X2 = Qx;
	u64 *const Z2 = Qz;
	u64 *const X3 = Px;
	u64 *const Z3 = Pz;
	u64 *const X2Z2 = Qx;
	u64 *const X3Z3 = Px;

	/*
	 * Workspace order is A, B, D, C, DA, CB (D before C on purpose):
	 * AB=[A|B], DC=[D|C] and DACB=[DA|CB] are then contiguous pairs
	 * for the 2-way multiply/square routines.
	 */
	u64 *const A = m.workspace + 0;
	u64 *const B = m.workspace + 4;
	u64 *const D = m.workspace + 8;
	u64 *const C = m.workspace + 12;
	u64 *const DA = m.workspace + 16;
	u64 *const CB = m.workspace + 20;
	u64 *const AB = A;
	u64 *const DC = D;
	u64 *const DACB = DA;

	/* Work on private copies: clamping must not modify the caller's key. */
	memcpy(m.private, private_key, sizeof(m.private));
	memcpy(m.session, session_key, sizeof(m.session));

	clamp_secret(m.private);

	/* As in the draft:
	 * When receiving such an array, implementations of curve25519
	 * MUST mask the most-significant bit in the final byte. This
	 * is done to preserve compatibility with point formats which
	 * reserve the sign bit for use in other protocols and to
	 * increase resistance to implementation fingerprinting
	 */
	/* 255 % 8 == 7, so the mask is 0x7f: clear bit 255 of the u-coordinate. */
	m.session[CURVE25519_POINT_SIZE - 1] &= (1 << (255 % 8)) - 1;

	/* Initial state: P = (X1:1), Q = (1:0) i.e. the point at infinity. */
	copy_eltfp25519_1w(Px, X1);
	setzero_eltfp25519_1w(Pz);
	setzero_eltfp25519_1w(Qx);
	setzero_eltfp25519_1w(Qz);

	Pz[0] = 1;
	Qx[0] = 1;

	/* main-loop */
	/*
	 * Montgomery ladder from bit 254 down to bit 0.  Bit 255 is always
	 * zero after clamp_secret(), so limb 3 starts at j = 62; the lower
	 * limbs run the full 63..0.  Total: 63 + 3*64 = 255 fixed steps.
	 */
	prev = 0;
	j = 62;
	for (i = 3; i >= 0; --i) {
		while (j >= 0) {
			u64 bit = (key[i] >> j) & 0x1;
			/*
			 * Standard ladder trick: instead of a swap before and
			 * after each step, act on the change between consecutive
			 * bits.  swap is 0 or 1, so narrowing it to u8 for
			 * cselect() is lossless.
			 */
			u64 swap = bit ^ prev;
			prev = bit;

			add_eltfp25519_1w_adx(A, X2, Z2); /* A = (X2+Z2) */
			sub_eltfp25519_1w(B, X2, Z2); /* B = (X2-Z2) */
			add_eltfp25519_1w_adx(C, X3, Z3); /* C = (X3+Z3) */
			sub_eltfp25519_1w(D, X3, Z3); /* D = (X3-Z3) */
			mul_eltfp25519_2w_adx(DACB, AB, DC); /* [DA|CB] = [A|B]*[D|C] */

			/*
			 * The differential addition below is symmetric in
			 * (A,B) <-> (C,D), so only the doubling needs to know
			 * which point to double: select (C,D) into (A,B) when
			 * swap is set.  This is a constant-time select, not a
			 * swap; C and D are not modified.
			 */
			cselect(swap, A, C);
			cselect(swap, B, D);

			sqr_eltfp25519_2w_adx(AB); /* [AA|BB] = [A^2|B^2] */
			add_eltfp25519_1w_adx(X3, DA, CB); /* X3 = (DA+CB) */
			sub_eltfp25519_1w(Z3, DA, CB); /* Z3 = (DA-CB) */
			sqr_eltfp25519_2w_adx(X3Z3); /* [X3|Z3] = [(DA+CB)|(DA-CB)]^2 */

			copy_eltfp25519_1w(X2, B); /* X2 = B^2 */
			sub_eltfp25519_1w(Z2, A, B); /* Z2 = E = AA-BB */

			mul_a24_eltfp25519_1w(B, Z2); /* B = a24*E */
			add_eltfp25519_1w_adx(B, B, X2); /* B = a24*E+B */
			mul_eltfp25519_2w_adx(X2Z2, X2Z2, AB); /* [X2|Z2] = [B|E]*[A|a24*E+B] */
			mul_eltfp25519_1w_adx(Z3, Z3, X1); /* Z3 = Z3*X1 */
			--j;
		}
		j = 63;
	}

	/*
	 * No final conditional swap: bit 0 of the scalar is cleared by
	 * clamp_secret(), so prev is 0 after the last step and the result
	 * is already in Q.  Output is Qx / Qz, computed as Qx * Qz^-1.
	 *
	 * NOTE(review): @shared is the caller's u8 buffer reinterpreted as
	 * u64 limbs; this relies on x86_64 tolerating unaligned access and
	 * on the kernel building without strict aliasing — confirm.
	 */
	inv_eltfp25519_1w_adx(A, Qz);
	mul_eltfp25519_1w_adx((u64 *)shared, Qx, A);
	/*
	 * Final reduction of the output limbs, presumably to the canonical
	 * representative mod 2^255-19 so the encoding is unique — confirm.
	 */
	fred_eltfp25519_1w((u64 *)shared);

	/* Wipe the clamped scalar, the point copy, coordinates and scratch. */
	memzero_explicit(&m, sizeof(m));
}

/*
 * :::::: The code at line 1543 was first introduced by commit
 * :::::: 468c57c74ac7091c9c04ab2acccf68fe300cd9bc zinc: Curve25519 x86_64 implementation
 * :::::: TO: Jason A. Donenfeld
 * :::::: CC: 0day robot
 */