authorSamuel Neves <sneves@dei.uc.pt>2018-07-28 05:31:10 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2018-07-28 14:47:25 +0200
commita8f5432437ff1d176697a950d40ddb20eede13c0 (patch)
tree00e4ebdb13a249a0846bcd8190052f0651a2967c /src/crypto
parentqemu: update musl and kernel (diff)
curve25519-x86_64: tighten the x25519 assembly
The wide (128-bit) multiplication by 38 in mul_a24_eltfp25519_1w is redundant: the carry word it multiplies is bounded by (2^256-1) * 121666 / 2^256, i.e. at most 121665, so a plain 64-bit multiplication by 38 can never overflow. Change inspired by Andy Polyakov's OpenSSL implementation.
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/curve25519-x86_64.h6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/crypto/curve25519-x86_64.h b/src/crypto/curve25519-x86_64.h
index a4c958a..fba4f00 100644
--- a/src/crypto/curve25519-x86_64.h
+++ b/src/crypto/curve25519-x86_64.h
@@ -1493,9 +1493,9 @@ static __always_inline void mul_a24_eltfp25519_1w(u64 *const c, const u64 *const
/**************************/
"adcq $0, %%rcx ;"
"movl $38, %%edx ;" /* 2*c = 38 = 2^256 mod 2^255-19*/
- "mulx %%rcx, %%rax, %%rcx ;"
- "addq %%rax, %%r8 ;"
- "adcq %%rcx, %%r9 ;"
+ "imul %%rdx, %%rcx ;"
+ "addq %%rcx, %%r8 ;"
+ "adcq $0, %%r9 ;"
"movq %%r9, 8(%0) ;"
"adcq $0, %%r10 ;"
"movq %%r10, 16(%0) ;"
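Review bot: The safety of the new `imul %%rdx, %%rcx` on the replaced line depends on an invariant that is now stated only in the commit message: `%%rcx` is the carry-out word of a 256-bit value times 121666 and so is at most 121665, which is why the single-width product by 38 cannot overflow and why `adcq $0, %%r9` (rather than adding a high word) is sufficient. Nothing in the hunk records that bound, so a later change to the a24 constant or to the width of the preceding multiply could silently reintroduce an overflow that the old `mulx` form tolerated. I would carry the bound in the code itself, e.g. `"imul %%rdx, %%rcx ;" /* rcx <= 121665 (carry of x*121666, x < 2^256), so 38*rcx fits in 64 bits */`. Note that `imul` clobbers CF/OF, which is fine here only because the following `addq` sets CF afresh before `adcq $0, %%r9` consumes it; that ordering is worth a word in the same comment so it is not "optimised" away. The body of mul_a24_eltfp25519_1w begins and continues outside this hunk, so the earlier multiply that establishes the bound is not visible here.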