diff --git a/include/EverCrypt_AEAD.h b/include/EverCrypt_AEAD.h index 5d52493b..865a0877 100644 --- a/include/EverCrypt_AEAD.h +++ b/include/EverCrypt_AEAD.h @@ -37,8 +37,6 @@ extern "C" { #include "Hacl_Spec.h" #include "EverCrypt_Error.h" -#include "EverCrypt_Chacha20Poly1305.h" -#include "EverCrypt_AutoConfig2.h" typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s; diff --git a/include/EverCrypt_Chacha20Poly1305.h b/include/EverCrypt_Chacha20Poly1305.h index bd59e48b..10d4f755 100644 --- a/include/EverCrypt_Chacha20Poly1305.h +++ b/include/EverCrypt_Chacha20Poly1305.h @@ -35,11 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" -#include "EverCrypt_AutoConfig2.h" - void EverCrypt_Chacha20Poly1305_aead_encrypt( uint8_t *k, diff --git a/include/EverCrypt_Curve25519.h b/include/EverCrypt_Curve25519.h index d295461c..85387d4c 100644 --- a/include/EverCrypt_Curve25519.h +++ b/include/EverCrypt_Curve25519.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_Curve25519_51.h" -#include "EverCrypt_AutoConfig2.h" - /** Calculate a public point from a secret/private key. diff --git a/include/EverCrypt_DRBG.h b/include/EverCrypt_DRBG.h index b3161bfe..7f2184d1 100644 --- a/include/EverCrypt_DRBG.h +++ b/include/EverCrypt_DRBG.h @@ -35,9 +35,7 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Lib_RandomBuffer_System.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_HMAC_DRBG.h" typedef Spec_Hash_Definitions_hash_alg EverCrypt_DRBG_supported_alg; @@ -53,6 +51,13 @@ extern uint32_t EverCrypt_DRBG_max_additional_input_length; uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a); +#define EverCrypt_DRBG_SHA1_s 0 +#define EverCrypt_DRBG_SHA2_256_s 1 +#define EverCrypt_DRBG_SHA2_384_s 2 +#define EverCrypt_DRBG_SHA2_512_s 3 + +typedef uint8_t EverCrypt_DRBG_state_s_tags; + typedef struct EverCrypt_DRBG_state_s_s EverCrypt_DRBG_state_s; bool diff --git a/include/EverCrypt_Ed25519.h b/include/EverCrypt_Ed25519.h index 8a3a192e..412e59e7 100644 --- a/include/EverCrypt_Ed25519.h +++ b/include/EverCrypt_Ed25519.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Ed25519.h" - void EverCrypt_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key); void EverCrypt_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key); diff --git a/include/EverCrypt_HMAC.h b/include/EverCrypt_HMAC.h index 7d1da14d..f8973928 100644 --- a/include/EverCrypt_HMAC.h +++ b/include/EverCrypt_HMAC.h @@ -36,17 +36,11 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" -#include "Hacl_Hash_Blake2s.h" -#include "Hacl_Hash_Blake2b.h" bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___); typedef Spec_Hash_Definitions_hash_alg EverCrypt_HMAC_supported_alg; -extern void (*EverCrypt_HMAC_hash_256)(uint8_t *x0, uint8_t *x1, uint32_t x2); - void EverCrypt_HMAC_compute( Spec_Hash_Definitions_hash_alg a, diff --git a/include/EverCrypt_Hash.h b/include/EverCrypt_Hash.h index b35dcf5f..38fb9e9f 100644 --- a/include/EverCrypt_Hash.h +++ b/include/EverCrypt_Hash.h @@ -36,27 +36,30 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA3.h" -#include "Hacl_Hash_SHA2.h" -#include "Hacl_Hash_Blake2s_Simd128.h" -#include "Hacl_Hash_Blake2s.h" -#include "Hacl_Hash_Blake2b_Simd256.h" -#include "Hacl_Hash_Blake2b.h" #include "EverCrypt_Error.h" -#include "EverCrypt_AutoConfig2.h" + +#define EverCrypt_Hash_MD5_s 0 +#define EverCrypt_Hash_SHA1_s 1 +#define EverCrypt_Hash_SHA2_224_s 2 +#define EverCrypt_Hash_SHA2_256_s 3 +#define EverCrypt_Hash_SHA2_384_s 4 +#define EverCrypt_Hash_SHA2_512_s 5 +#define EverCrypt_Hash_SHA3_224_s 6 +#define EverCrypt_Hash_SHA3_256_s 7 +#define EverCrypt_Hash_SHA3_384_s 8 +#define EverCrypt_Hash_SHA3_512_s 9 +#define EverCrypt_Hash_Blake2S_s 10 +#define EverCrypt_Hash_Blake2S_128_s 11 +#define EverCrypt_Hash_Blake2B_s 12 +#define EverCrypt_Hash_Blake2B_256_s 13 + +typedef uint8_t EverCrypt_Hash_state_s_tags; typedef struct EverCrypt_Hash_state_s_s EverCrypt_Hash_state_s; uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_alg a); -typedef struct EverCrypt_Hash_Incremental_state_t_s -{ - EverCrypt_Hash_state_s *block_state; - uint8_t *buf; - uint64_t total_len; -} -EverCrypt_Hash_Incremental_state_t; +typedef struct EverCrypt_Hash_Incremental_state_t_s EverCrypt_Hash_Incremental_state_t; /** Allocate initial state for the agile hash. The argument `a` stands for the diff --git a/include/EverCrypt_Poly1305.h b/include/EverCrypt_Poly1305.h index fba04059..d8ca2f6b 100644 --- a/include/EverCrypt_Poly1305.h +++ b/include/EverCrypt_Poly1305.h @@ -35,11 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_MAC_Poly1305_Simd256.h" -#include "Hacl_MAC_Poly1305_Simd128.h" -#include "Hacl_MAC_Poly1305.h" -#include "EverCrypt_AutoConfig2.h" - void EverCrypt_Poly1305_mac(uint8_t *output, uint8_t *input, uint32_t input_len, uint8_t *key); #if defined(__cplusplus) diff --git a/include/Hacl_AEAD_Chacha20Poly1305.h b/include/Hacl_AEAD_Chacha20Poly1305.h index 2a8daa75..9c926cea 100644 --- a/include/Hacl_AEAD_Chacha20Poly1305.h +++ b/include/Hacl_AEAD_Chacha20Poly1305.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Chacha20.h" - /** Encrypt a message `input` with key `key`. diff --git a/include/Hacl_AEAD_Chacha20Poly1305_Simd128.h b/include/Hacl_AEAD_Chacha20Poly1305_Simd128.h index de26c907..a452dcab 100644 --- a/include/Hacl_AEAD_Chacha20Poly1305_Simd128.h +++ b/include/Hacl_AEAD_Chacha20Poly1305_Simd128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Chacha20_Vec128.h" - /** Encrypt a message `input` with key `key`. diff --git a/include/Hacl_AEAD_Chacha20Poly1305_Simd256.h b/include/Hacl_AEAD_Chacha20Poly1305_Simd256.h index 0abcdc59..81968f05 100644 --- a/include/Hacl_AEAD_Chacha20Poly1305_Simd256.h +++ b/include/Hacl_AEAD_Chacha20Poly1305_Simd256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Chacha20_Vec256.h" - /** Encrypt a message `input` with key `key`. diff --git a/include/Hacl_Bignum.h b/include/Hacl_Bignum.h index 82b96225..f66f1561 100644 --- a/include/Hacl_Bignum.h +++ b/include/Hacl_Bignum.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "lib_intrinsics.h" typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s diff --git a/include/Hacl_Bignum256.h b/include/Hacl_Bignum256.h index 72eea53e..1fbeca93 100644 --- a/include/Hacl_Bignum256.h +++ b/include/Hacl_Bignum256.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" /******************************************************************************* diff --git a/include/Hacl_Bignum32.h b/include/Hacl_Bignum32.h index 84a839a9..709f22d9 100644 --- a/include/Hacl_Bignum32.h +++ b/include/Hacl_Bignum32.h @@ -56,9 +56,18 @@ of `len` unsigned 32-bit integers, i.e. uint32_t[len]. /** Write `a + b mod 2 ^ (32 * len)` in `res`. - This functions returns the carry. - - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + This function returns the carry. + + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly equal memory + location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); @@ -67,82 +76,134 @@ Write `a - b mod 2 ^ (32 * len)` in `res`. This functions returns the carry. - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `(a + b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `(a - b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `a * b` in `res`. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `b` and `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory locations of `a` and `b`. */ void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `a * a` in `res`. - The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory location of `a`. */ void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res); /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • 1 < n - • n % 2 = 1 + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `n`. + + @return `false` if any precondition is violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `1 < n` + - `n % 2 = 1` */ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_vartime( @@ -157,22 +218,30 @@ Hacl_Bignum32_mod_exp_vartime( /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is constant-time over its argument `b`, at the cost of a slower + execution time than `mod_exp_vartime_*`. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_consttime( @@ -187,18 +256,23 @@ Hacl_Bignum32_mod_exp_consttime( /** Write `a ^ (-1) mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • 0 < a - • a < n + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `n`. + + @return `false` if any preconditions (except the precondition: `n` is a prime) + are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `n % 2 = 1` + - `1 < n` + - `0 < a` + - `a < n` */ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); @@ -212,15 +286,16 @@ Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint /** Heap-allocate and initialize a montgomery context. - The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n % 2 = 1 - • 1 < n + @param n Points to `len` number of limbs, i.e. `uint32_t[len]`. - The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value - to avoid memory leaks. + @return A pointer to an allocated and initialized Montgomery context is returned. + Clients will need to call `Hacl_Bignum32_mont_ctx_free` on the return value to + avoid memory leaks. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` */ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n); @@ -228,16 +303,18 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 /** Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. */ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. */ void Hacl_Bignum32_mod_precomp( @@ -249,21 +326,25 @@ Hacl_Bignum32_mod_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_vartime_precomp( @@ -277,21 +358,25 @@ Hacl_Bignum32_mod_exp_vartime_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime_*. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + execution time than `mod_exp_vartime_*`. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_consttime_precomp( @@ -305,14 +390,17 @@ Hacl_Bignum32_mod_exp_consttime_precomp( /** Write `a ^ (-1) mod n` in `res`. - The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - • 0 < a - • a < n + @param[in] k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `0 < a` + - `a < n` */ void Hacl_Bignum32_mod_inv_prime_vartime_precomp( @@ -330,42 +418,48 @@ Hacl_Bignum32_mod_inv_prime_vartime_precomp( /** Load a bid-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); /** Load a little-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); /** Serialize a bignum into big-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res); /** Serialize a bignum into little-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); @@ -378,14 +472,22 @@ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); /** Returns 2^32 - 1 if a < b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if `a < b`, otherwise, `0`. */ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b); /** Returns 2^32 - 1 if a = b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if a = b, otherwise, `0`. */ uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b); diff --git a/include/Hacl_Bignum4096.h b/include/Hacl_Bignum4096.h index 8f7ffb7c..cf785250 100644 --- a/include/Hacl_Bignum4096.h +++ b/include/Hacl_Bignum4096.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" /******************************************************************************* diff --git a/include/Hacl_Bignum64.h b/include/Hacl_Bignum64.h index 6261d82a..63e450af 100644 --- a/include/Hacl_Bignum64.h +++ b/include/Hacl_Bignum64.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum64_pbn_mont_ctx_u64; diff --git a/include/Hacl_Curve25519_51.h b/include/Hacl_Curve25519_51.h index a5a08720..c0299bbb 100644 --- a/include/Hacl_Curve25519_51.h +++ b/include/Hacl_Curve25519_51.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" - /** Compute the scalar multiple of a point. diff --git a/include/Hacl_Curve25519_64.h b/include/Hacl_Curve25519_64.h index 5152fbb8..23ca4bd2 100644 --- a/include/Hacl_Curve25519_64.h +++ b/include/Hacl_Curve25519_64.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" - /** Compute the scalar multiple of a point. diff --git a/include/Hacl_EC_Ed25519.h b/include/Hacl_EC_Ed25519.h index 27999fa2..875384be 100644 --- a/include/Hacl_EC_Ed25519.h +++ b/include/Hacl_EC_Ed25519.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" - /******************************************************************************* Verified field arithmetic modulo p = 2^255 - 19. diff --git a/include/Hacl_Ed25519.h b/include/Hacl_Ed25519.h index f0dc31e2..804fed01 100644 --- a/include/Hacl_Ed25519.h +++ b/include/Hacl_Ed25519.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" - /******************************************************************************** Verified C library for EdDSA signing and verification on the edwards25519 curve. ********************************************************************************/ diff --git a/include/Hacl_FFDHE.h b/include/Hacl_FFDHE.h index f195142e..5a798539 100644 --- a/include/Hacl_FFDHE.h +++ b/include/Hacl_FFDHE.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Spec.h" -#include "Hacl_Krmllib.h" uint32_t Hacl_FFDHE_ffdhe_len(Spec_FFDHE_ffdhe_alg a); diff --git a/include/Hacl_Frodo1344.h b/include/Hacl_Frodo1344.h index 9fca4c82..cc3c2bf1 100644 --- a/include/Hacl_Frodo1344.h +++ b/include/Hacl_Frodo1344.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - extern uint32_t Hacl_Frodo1344_crypto_bytes; extern uint32_t Hacl_Frodo1344_crypto_publickeybytes; diff --git a/include/Hacl_Frodo64.h b/include/Hacl_Frodo64.h index 05aecb59..02ea2e08 100644 --- a/include/Hacl_Frodo64.h +++ b/include/Hacl_Frodo64.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - /* this variant is used only for testing purposes! */ diff --git a/include/Hacl_Frodo640.h b/include/Hacl_Frodo640.h index 10c9bd47..a6d58075 100644 --- a/include/Hacl_Frodo640.h +++ b/include/Hacl_Frodo640.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - extern uint32_t Hacl_Frodo640_crypto_bytes; extern uint32_t Hacl_Frodo640_crypto_publickeybytes; diff --git a/include/Hacl_Frodo976.h b/include/Hacl_Frodo976.h index c2d5f84f..c361e81b 100644 --- a/include/Hacl_Frodo976.h +++ b/include/Hacl_Frodo976.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - extern uint32_t Hacl_Frodo976_crypto_bytes; extern uint32_t Hacl_Frodo976_crypto_publickeybytes; diff --git a/include/Hacl_GenericField64.h b/include/Hacl_GenericField64.h index 90a56a64..fc96a148 100644 --- a/include/Hacl_GenericField64.h +++ b/include/Hacl_GenericField64.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_GenericField64_pbn_mont_ctx_u64; diff --git a/include/Hacl_HKDF.h b/include/Hacl_HKDF.h index c13c648f..67b71a5a 100644 --- a/include/Hacl_HKDF.h +++ b/include/Hacl_HKDF.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_HMAC.h" - /** Expand pseudorandom key to desired length. diff --git a/include/Hacl_HKDF_Blake2b_256.h b/include/Hacl_HKDF_Blake2b_256.h index 202fd236..b7950f14 100644 --- a/include/Hacl_HKDF_Blake2b_256.h +++ b/include/Hacl_HKDF_Blake2b_256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_HMAC_Blake2b_256.h" - /** Expand pseudorandom key to desired length. diff --git a/include/Hacl_HKDF_Blake2s_128.h b/include/Hacl_HKDF_Blake2s_128.h index df4cfcf6..df8c1e5f 100644 --- a/include/Hacl_HKDF_Blake2s_128.h +++ b/include/Hacl_HKDF_Blake2s_128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_HMAC_Blake2s_128.h" - /** Expand pseudorandom key to desired length. diff --git a/include/Hacl_HMAC.h b/include/Hacl_HMAC.h index e1dc04f2..fe966525 100644 --- a/include/Hacl_HMAC.h +++ b/include/Hacl_HMAC.h @@ -35,10 +35,20 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" -#include "Hacl_Hash_Blake2s.h" -#include "Hacl_Hash_Blake2b.h" +/** +Write the HMAC-MD5 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 byte. +`dst` must point to 16 bytes of memory. +*/ +void +Hacl_HMAC_compute_md5( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); /** Write the HMAC-SHA-1 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -55,6 +65,21 @@ Hacl_HMAC_compute_sha1( uint32_t data_len ); +/** +Write the HMAC-SHA-2-224 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. +`dst` must point to 28 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha2_224( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + /** Write the HMAC-SHA-2-256 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -100,6 +125,66 @@ Hacl_HMAC_compute_sha2_512( uint32_t data_len ); +/** +Write the HMAC-SHA-3-224 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 144 bytes. +`dst` must point to 28 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_224( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +/** +Write the HMAC-SHA-3-256 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 136 bytes. +`dst` must point to 32 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +/** +Write the HMAC-SHA-3-384 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 104 bytes. +`dst` must point to 48 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +/** +Write the HMAC-SHA-3-512 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 72 bytes. +`dst` must point to 64 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + /** Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. diff --git a/include/Hacl_HMAC_Blake2b_256.h b/include/Hacl_HMAC_Blake2b_256.h index d8f3e9e1..3528c2c7 100644 --- a/include/Hacl_HMAC_Blake2b_256.h +++ b/include/Hacl_HMAC_Blake2b_256.h @@ -35,9 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_Blake2b_Simd256.h" - /** Write the HMAC-BLAKE2b MAC of a message (`data`) by using a key (`key`) into `dst`. diff --git a/include/Hacl_HMAC_Blake2s_128.h b/include/Hacl_HMAC_Blake2s_128.h index 5ff79038..67aec1af 100644 --- a/include/Hacl_HMAC_Blake2s_128.h +++ b/include/Hacl_HMAC_Blake2s_128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_Blake2s_Simd128.h" - /** Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. diff --git a/include/Hacl_HMAC_DRBG.h b/include/Hacl_HMAC_DRBG.h index 2d86b02f..0f78d67e 100644 --- a/include/Hacl_HMAC_DRBG.h +++ b/include/Hacl_HMAC_DRBG.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_HMAC.h" typedef Spec_Hash_Definitions_hash_alg Hacl_HMAC_DRBG_supported_alg; diff --git a/include/Hacl_HPKE_Curve51_CP128_SHA256.h b/include/Hacl_HPKE_Curve51_CP128_SHA256.h index a46db470..1f19f45c 100644 --- a/include/Hacl_HPKE_Curve51_CP128_SHA256.h +++ b/include/Hacl_HPKE_Curve51_CP128_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve51_CP128_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_Curve51_CP128_SHA512.h b/include/Hacl_HPKE_Curve51_CP128_SHA512.h index 89091754..4b4f205c 100644 --- a/include/Hacl_HPKE_Curve51_CP128_SHA512.h +++ b/include/Hacl_HPKE_Curve51_CP128_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve51_CP128_SHA512_setupBaseS( diff --git a/include/Hacl_HPKE_Curve51_CP256_SHA256.h b/include/Hacl_HPKE_Curve51_CP256_SHA256.h index 83ba2adb..b5ee166a 100644 --- a/include/Hacl_HPKE_Curve51_CP256_SHA256.h +++ b/include/Hacl_HPKE_Curve51_CP256_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve51_CP256_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_Curve51_CP256_SHA512.h b/include/Hacl_HPKE_Curve51_CP256_SHA512.h index 1a796ab7..2ec66992 100644 --- a/include/Hacl_HPKE_Curve51_CP256_SHA512.h +++ b/include/Hacl_HPKE_Curve51_CP256_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve51_CP256_SHA512_setupBaseS( diff --git a/include/Hacl_HPKE_Curve51_CP32_SHA256.h b/include/Hacl_HPKE_Curve51_CP32_SHA256.h index d249ba05..c02d614f 100644 --- a/include/Hacl_HPKE_Curve51_CP32_SHA256.h +++ b/include/Hacl_HPKE_Curve51_CP32_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve51_CP32_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_Curve51_CP32_SHA512.h b/include/Hacl_HPKE_Curve51_CP32_SHA512.h index ddc00da3..1225f895 100644 --- a/include/Hacl_HPKE_Curve51_CP32_SHA512.h +++ b/include/Hacl_HPKE_Curve51_CP32_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve51_CP32_SHA512_setupBaseS( diff --git a/include/Hacl_HPKE_Curve64_CP128_SHA256.h b/include/Hacl_HPKE_Curve64_CP128_SHA256.h index fda63e52..e1cc95d8 100644 --- a/include/Hacl_HPKE_Curve64_CP128_SHA256.h +++ b/include/Hacl_HPKE_Curve64_CP128_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve64_CP128_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_Curve64_CP128_SHA512.h b/include/Hacl_HPKE_Curve64_CP128_SHA512.h index c8b06ca8..e67c439d 100644 --- a/include/Hacl_HPKE_Curve64_CP128_SHA512.h +++ b/include/Hacl_HPKE_Curve64_CP128_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve64_CP128_SHA512_setupBaseS( diff --git a/include/Hacl_HPKE_Curve64_CP256_SHA256.h b/include/Hacl_HPKE_Curve64_CP256_SHA256.h index 2da8dbcf..9302eed0 100644 --- a/include/Hacl_HPKE_Curve64_CP256_SHA256.h +++ b/include/Hacl_HPKE_Curve64_CP256_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve64_CP256_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_Curve64_CP256_SHA512.h b/include/Hacl_HPKE_Curve64_CP256_SHA512.h index 87d919e1..40dcb5b3 100644 --- a/include/Hacl_HPKE_Curve64_CP256_SHA512.h +++ b/include/Hacl_HPKE_Curve64_CP256_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve64_CP256_SHA512_setupBaseS( diff --git a/include/Hacl_HPKE_Curve64_CP32_SHA256.h b/include/Hacl_HPKE_Curve64_CP32_SHA256.h index bd4b9b59..f63f16d9 100644 --- a/include/Hacl_HPKE_Curve64_CP32_SHA256.h +++ b/include/Hacl_HPKE_Curve64_CP32_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve64_CP32_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_Curve64_CP32_SHA512.h b/include/Hacl_HPKE_Curve64_CP32_SHA512.h index 0d2bb8f0..54e0ea9e 100644 --- a/include/Hacl_HPKE_Curve64_CP32_SHA512.h +++ b/include/Hacl_HPKE_Curve64_CP32_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve64_CP32_SHA512_setupBaseS( diff --git a/include/Hacl_HPKE_P256_CP128_SHA256.h b/include/Hacl_HPKE_P256_CP128_SHA256.h index c76a100d..d87c3b00 100644 --- a/include/Hacl_HPKE_P256_CP128_SHA256.h +++ b/include/Hacl_HPKE_P256_CP128_SHA256.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_P256_CP128_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_P256_CP256_SHA256.h b/include/Hacl_HPKE_P256_CP256_SHA256.h index 4a33eb8a..cf2f3a7a 100644 --- a/include/Hacl_HPKE_P256_CP256_SHA256.h +++ b/include/Hacl_HPKE_P256_CP256_SHA256.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_P256_CP256_SHA256_setupBaseS( diff --git a/include/Hacl_HPKE_P256_CP32_SHA256.h b/include/Hacl_HPKE_P256_CP32_SHA256.h index 2818abed..d23743ad 100644 --- a/include/Hacl_HPKE_P256_CP32_SHA256.h +++ b/include/Hacl_HPKE_P256_CP32_SHA256.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_P256_CP32_SHA256_setupBaseS( diff --git a/include/Hacl_Hash_Blake2b.h b/include/Hacl_Hash_Blake2b.h index 3403fc83..a1c03f75 100644 --- a/include/Hacl_Hash_Blake2b.h +++ b/include/Hacl_Hash_Blake2b.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" typedef struct Hacl_Hash_Blake2b_blake2_params_s { @@ -53,28 +52,30 @@ typedef struct Hacl_Hash_Blake2b_blake2_params_s } Hacl_Hash_Blake2b_blake2_params; -typedef struct K____uint64_t___uint64_t__s +typedef struct Hacl_Hash_Blake2b_index_s { - uint64_t *fst; - uint64_t *snd; + uint8_t key_length; + uint8_t digest_length; + bool last_node; } -K____uint64_t___uint64_t_; +Hacl_Hash_Blake2b_index; -typedef struct Hacl_Hash_Blake2b_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____uint64_t___uint64_t_ thd; -} -Hacl_Hash_Blake2b_block_state_t; +#define HACL_HASH_BLAKE2B_BLOCK_BYTES (128U) -typedef struct Hacl_Hash_Blake2b_state_t_s -{ - Hacl_Hash_Blake2b_block_state_t block_state; - uint8_t *buf; - uint64_t total_len; -} -Hacl_Hash_Blake2b_state_t; +#define HACL_HASH_BLAKE2B_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_PERSONAL_BYTES (16U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2b_32 Hacl_Hash_Blake2b_block_state_t; + +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 +Hacl_Hash_Blake2b_optional_block_state_t; + +typedef struct Hacl_Hash_Blake2b_state_t_s Hacl_Hash_Blake2b_state_t; /** General-purpose allocation function that gives control over all @@ -92,7 +93,11 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** Specialized allocation function that picks default values for all @@ -116,7 +121,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void); /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -159,10 +164,14 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s); /** Free state function when there is no key @@ -198,10 +207,10 @@ Hacl_Hash_Blake2b_hash_with_key( Write the BLAKE2b digest of message `input` using key `key` and parameters `params` into `output`. The `key` array must be of length `params.key_length`. The `output` array must be of length -`params.digest_length`. +`params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_Blake2b_Simd256.h b/include/Hacl_Hash_Blake2b_Simd256.h index af309dc8..cce86c81 100644 --- a/include/Hacl_Hash_Blake2b_Simd256.h +++ b/include/Hacl_Hash_Blake2b_Simd256.h @@ -36,62 +36,76 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" -typedef struct K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256__s -{ - Lib_IntVector_Intrinsics_vec256 *fst; - Lib_IntVector_Intrinsics_vec256 *snd; -} -K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_; +#define HACL_HASH_BLAKE2B_SIMD256_BLOCK_BYTES (128U) -typedef struct Hacl_Hash_Blake2b_Simd256_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ thd; -} +#define HACL_HASH_BLAKE2B_SIMD256_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_SIMD256_PERSONAL_BYTES (16U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2b_256 Hacl_Hash_Blake2b_Simd256_block_state_t; -typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s -{ - Hacl_Hash_Blake2b_Simd256_block_state_t block_state; - uint8_t *buf; - uint64_t total_len; -} -Hacl_Hash_Blake2b_Simd256_state_t; +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256 +Hacl_Hash_Blake2b_Simd256_optional_block_state_t; + +typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s Hacl_Hash_Blake2b_Simd256_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -101,21 +115,27 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -125,10 +145,19 @@ Hacl_Hash_Blake2b_Simd256_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s); /** Free state function when there is no key @@ -136,7 +165,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state); @@ -161,8 +190,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_Blake2s.h b/include/Hacl_Hash_Blake2s.h index ac783473..e78f30ff 100644 --- a/include/Hacl_Hash_Blake2s.h +++ b/include/Hacl_Hash_Blake2s.h @@ -38,54 +38,71 @@ extern "C" { #include "Hacl_Streaming_Types.h" #include "Hacl_Hash_Blake2b.h" -typedef struct K____uint32_t___uint32_t__s -{ - uint32_t *fst; - uint32_t *snd; -} -K____uint32_t___uint32_t_; +#define HACL_HASH_BLAKE2S_BLOCK_BYTES (64U) -typedef struct Hacl_Hash_Blake2s_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____uint32_t___uint32_t_ thd; -} -Hacl_Hash_Blake2s_block_state_t; +#define HACL_HASH_BLAKE2S_OUT_BYTES (32U) -typedef struct Hacl_Hash_Blake2s_state_t_s -{ - Hacl_Hash_Blake2s_block_state_t block_state; - uint8_t *buf; - uint64_t total_len; -} -Hacl_Hash_Blake2s_state_t; +#define HACL_HASH_BLAKE2S_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_PERSONAL_BYTES (8U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2s_32 Hacl_Hash_Blake2s_block_state_t; + +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 +Hacl_Hash_Blake2s_optional_block_state_t; + +typedef struct Hacl_Hash_Blake2s_state_t_s Hacl_Hash_Blake2s_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -95,28 +112,44 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s); /** Free state function when there is no key @@ -124,7 +157,7 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state); @@ -148,8 +181,14 @@ Hacl_Hash_Blake2s_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_Blake2s_Simd128.h b/include/Hacl_Hash_Blake2s_Simd128.h index d725ee86..53769719 100644 --- a/include/Hacl_Hash_Blake2s_Simd128.h +++ b/include/Hacl_Hash_Blake2s_Simd128.h @@ -39,58 +39,73 @@ extern "C" { #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" -typedef struct K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128__s -{ - Lib_IntVector_Intrinsics_vec128 *fst; - Lib_IntVector_Intrinsics_vec128 *snd; -} -K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_; +#define HACL_HASH_BLAKE2S_SIMD128_BLOCK_BYTES (64U) -typedef struct Hacl_Hash_Blake2s_Simd128_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ thd; -} +#define HACL_HASH_BLAKE2S_SIMD128_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_SIMD128_PERSONAL_BYTES (8U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2s_128 Hacl_Hash_Blake2s_Simd128_block_state_t; -typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s -{ - Hacl_Hash_Blake2s_Simd128_block_state_t block_state; - uint8_t *buf; - uint64_t total_len; -} -Hacl_Hash_Blake2s_Simd128_state_t; +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128 +Hacl_Hash_Blake2s_Simd128_optional_block_state_t; + +typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s Hacl_Hash_Blake2s_Simd128_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -100,21 +115,27 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -124,10 +145,19 @@ Hacl_Hash_Blake2s_Simd128_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s); /** Free state function when there is no key @@ -135,7 +165,7 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state); @@ -160,8 +190,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_SHA2.h b/include/Hacl_Hash_SHA2.h index d17eab94..3bede75b 100644 --- a/include/Hacl_Hash_SHA2.h +++ b/include/Hacl_Hash_SHA2.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA2_state_t_224; diff --git a/include/Hacl_Hash_SHA3.h b/include/Hacl_Hash_SHA3.h index 8fb78fcd..9a1ffd19 100644 --- a/include/Hacl_Hash_SHA3.h +++ b/include/Hacl_Hash_SHA3.h @@ -44,13 +44,7 @@ typedef struct Hacl_Hash_SHA3_hash_buf_s } Hacl_Hash_SHA3_hash_buf; -typedef struct Hacl_Hash_SHA3_state_t_s -{ - Hacl_Hash_SHA3_hash_buf block_state; - uint8_t *buf; - uint64_t total_len; -} -Hacl_Hash_SHA3_state_t; +typedef struct Hacl_Hash_SHA3_state_t_s Hacl_Hash_SHA3_state_t; Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_state_t *s); @@ -117,7 +111,7 @@ void Hacl_Hash_SHA3_state_free(uint64_t *s); Absorb number of input blocks and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses an input of multiple of 168-bytes (SHAKE128 block size), + It processes an input of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] @@ -131,14 +125,14 @@ Hacl_Hash_SHA3_shake128_absorb_nblocks(uint64_t *state, uint8_t *input, uint32_t Absorb a final partial block of input and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses a sequence of bytes at end of input buffer that is less + It processes a sequence of bytes at end of input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffer are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] The argument `input` (IN) points to `inputByteLen` bytes of valid memory, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffer must be passed to `inputByteLen` including the number of full-block bytes at start of input buffer that are ignored */ diff --git a/include/Hacl_Hash_SHA3_Simd256.h b/include/Hacl_Hash_SHA3_Simd256.h index 617e8e34..72162d43 100644 --- a/include/Hacl_Hash_SHA3_Simd256.h +++ b/include/Hacl_Hash_SHA3_Simd256.h @@ -139,12 +139,12 @@ void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s); Absorb number of blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses an inputs of multiple of 168-bytes (SHAKE128 block size), + It processes an inputs of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block for each buffer are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void @@ -161,15 +161,15 @@ Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( Absorb a final partial blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses a sequence of bytes at end of each input buffer that is less + It processes a sequence of bytes at end of each input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffers are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffers must be passed to `inputByteLen` including the number of full-block bytes at start of each input buffer that are ignored */ @@ -192,7 +192,7 @@ Squeeze a quadruple hash state to 4 output buffers The argument `state` (IN) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes + The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void diff --git a/include/Hacl_K256_ECDSA.h b/include/Hacl_K256_ECDSA.h index efc99f9c..baae0d7b 100644 --- a/include/Hacl_K256_ECDSA.h +++ b/include/Hacl_K256_ECDSA.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" #include "lib_intrinsics.h" /******************************************************************************* diff --git a/include/Hacl_MAC_Poly1305.h b/include/Hacl_MAC_Poly1305.h index 95ac4be2..3c59e265 100644 --- a/include/Hacl_MAC_Poly1305.h +++ b/include/Hacl_MAC_Poly1305.h @@ -36,16 +36,8 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -typedef struct Hacl_MAC_Poly1305_state_t_s -{ - uint64_t *block_state; - uint8_t *buf; - uint64_t total_len; - uint8_t *p_key; -} -Hacl_MAC_Poly1305_state_t; +typedef struct Hacl_MAC_Poly1305_state_t_s Hacl_MAC_Poly1305_state_t; Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key); diff --git a/include/Hacl_MAC_Poly1305_Simd128.h b/include/Hacl_MAC_Poly1305_Simd128.h index 9b69ebd4..bb50b8ad 100644 --- a/include/Hacl_MAC_Poly1305_Simd128.h +++ b/include/Hacl_MAC_Poly1305_Simd128.h @@ -38,14 +38,7 @@ extern "C" { #include "Hacl_Streaming_Types.h" #include "libintvector.h" -typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s -{ - Lib_IntVector_Intrinsics_vec128 *block_state; - uint8_t *buf; - uint64_t total_len; - uint8_t *p_key; -} -Hacl_MAC_Poly1305_Simd128_state_t; +typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s Hacl_MAC_Poly1305_Simd128_state_t; Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint8_t *key); diff --git a/include/Hacl_MAC_Poly1305_Simd256.h b/include/Hacl_MAC_Poly1305_Simd256.h index 89f4a104..f0e4d43d 100644 --- a/include/Hacl_MAC_Poly1305_Simd256.h +++ b/include/Hacl_MAC_Poly1305_Simd256.h @@ -38,14 +38,7 @@ extern "C" { #include "Hacl_Streaming_Types.h" #include "libintvector.h" -typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s -{ - Lib_IntVector_Intrinsics_vec256 *block_state; - uint8_t *buf; - uint64_t total_len; - uint8_t *p_key; -} -Hacl_MAC_Poly1305_Simd256_state_t; +typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s Hacl_MAC_Poly1305_Simd256_state_t; Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint8_t *key); diff --git a/include/Hacl_NaCl.h b/include/Hacl_NaCl.h index a3ca6804..fce69753 100644 --- a/include/Hacl_NaCl.h +++ b/include/Hacl_NaCl.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Salsa20.h" -#include "Hacl_MAC_Poly1305.h" -#include "Hacl_Curve25519_51.h" - /** Encrypt a message with a key and nonce. diff --git a/include/Hacl_P256.h b/include/Hacl_P256.h index 5b2a43ec..c9ef7b40 100644 --- a/include/Hacl_P256.h +++ b/include/Hacl_P256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" #include "lib_intrinsics.h" diff --git a/include/Hacl_RSAPSS.h b/include/Hacl_RSAPSS.h index 90bd69ce..9853af68 100644 --- a/include/Hacl_RSAPSS.h +++ b/include/Hacl_RSAPSS.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" /** Sign a message `msg` and write the signature to `sgnt`. diff --git a/include/Hacl_SHA2_Vec128.h b/include/Hacl_SHA2_Vec128.h index c5df2075..5118cd36 100644 --- a/include/Hacl_SHA2_Vec128.h +++ b/include/Hacl_SHA2_Vec128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_SHA2_Types.h" - void Hacl_SHA2_Vec128_sha224_4( uint8_t *dst0, diff --git a/include/Hacl_SHA2_Vec256.h b/include/Hacl_SHA2_Vec256.h index 7e41314a..dba3600a 100644 --- a/include/Hacl_SHA2_Vec256.h +++ b/include/Hacl_SHA2_Vec256.h @@ -35,9 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_SHA2_Types.h" -#include "Hacl_Krmllib.h" - void Hacl_SHA2_Vec256_sha224_8( uint8_t *dst0, diff --git a/include/Hacl_Spec.h b/include/Hacl_Spec.h index 0b45a29e..5e753cda 100644 --- a/include/Hacl_Spec.h +++ b/include/Hacl_Spec.h @@ -43,6 +43,12 @@ extern "C" { typedef uint8_t Spec_FFDHE_ffdhe_alg; +#define Spec_Cipher_Expansion_Hacl_CHACHA20 0 +#define Spec_Cipher_Expansion_Vale_AES128 1 +#define Spec_Cipher_Expansion_Vale_AES256 2 + +typedef uint8_t Spec_Cipher_Expansion_impl; + #define Spec_Agile_AEAD_AES128_GCM 0 #define Spec_Agile_AEAD_AES256_GCM 1 #define Spec_Agile_AEAD_CHACHA20_POLY1305 2 diff --git a/include/Hacl_Streaming_HMAC.h b/include/Hacl_Streaming_HMAC.h new file mode 100644 index 00000000..25806b9c --- /dev/null +++ b/include/Hacl_Streaming_HMAC.h @@ -0,0 +1,150 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Streaming_HMAC_H +#define __Hacl_Streaming_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + +#include "Hacl_Streaming_Types.h" + +#define Hacl_Agile_Hash_MD5 0 +#define Hacl_Agile_Hash_SHA1 1 +#define Hacl_Agile_Hash_SHA2_224 2 +#define Hacl_Agile_Hash_SHA2_256 3 +#define Hacl_Agile_Hash_SHA2_384 4 +#define Hacl_Agile_Hash_SHA2_512 5 +#define Hacl_Agile_Hash_SHA3_224 6 +#define Hacl_Agile_Hash_SHA3_256 7 +#define Hacl_Agile_Hash_SHA3_384 8 +#define Hacl_Agile_Hash_SHA3_512 9 +#define Hacl_Agile_Hash_Blake2S_32 10 +#define Hacl_Agile_Hash_Blake2S_128 11 +#define Hacl_Agile_Hash_Blake2B_32 12 +#define Hacl_Agile_Hash_Blake2B_256 13 + +typedef uint8_t Hacl_Agile_Hash_impl; + +#define Hacl_Agile_Hash_MD5_s 0 +#define Hacl_Agile_Hash_SHA1_s 1 +#define Hacl_Agile_Hash_SHA2_224_s 2 +#define Hacl_Agile_Hash_SHA2_256_s 3 +#define Hacl_Agile_Hash_SHA2_384_s 4 +#define Hacl_Agile_Hash_SHA2_512_s 5 +#define Hacl_Agile_Hash_SHA3_224_s 6 +#define Hacl_Agile_Hash_SHA3_256_s 7 +#define Hacl_Agile_Hash_SHA3_384_s 8 +#define Hacl_Agile_Hash_SHA3_512_s 9 +#define Hacl_Agile_Hash_Blake2S_s 10 +#define Hacl_Agile_Hash_Blake2S_128_s 11 +#define Hacl_Agile_Hash_Blake2B_s 12 +#define Hacl_Agile_Hash_Blake2B_256_s 13 + +typedef uint8_t Hacl_Agile_Hash_state_s_tags; + +typedef struct Hacl_Agile_Hash_state_s_s Hacl_Agile_Hash_state_s; + +typedef struct Hacl_Streaming_HMAC_Definitions_index_s +{ + Hacl_Agile_Hash_impl fst; + uint32_t snd; +} +Hacl_Streaming_HMAC_Definitions_index; + +typedef struct Hacl_Streaming_HMAC_Definitions_two_state_s +{ + uint32_t fst; + Hacl_Agile_Hash_state_s *snd; + Hacl_Agile_Hash_state_s *thd; +} +Hacl_Streaming_HMAC_Definitions_two_state; + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s1( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +); + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s2( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +); + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_index_of_state(Hacl_Streaming_HMAC_Definitions_two_state s); + +typedef struct Hacl_Streaming_HMAC_agile_state_s Hacl_Streaming_HMAC_agile_state; + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_malloc_( + Hacl_Agile_Hash_impl impl, + uint8_t *key, + uint32_t key_length, + Hacl_Streaming_HMAC_agile_state **dst +); + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_get_impl(Hacl_Streaming_HMAC_agile_state *s); + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_reset( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *key, + uint32_t key_length +); + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_update( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *chunk, + uint32_t chunk_len +); + +void +Hacl_Streaming_HMAC_digest( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *output, + uint32_t digest_length +); + +void Hacl_Streaming_HMAC_free(Hacl_Streaming_HMAC_agile_state *state); + +Hacl_Streaming_HMAC_agile_state +*Hacl_Streaming_HMAC_copy(Hacl_Streaming_HMAC_agile_state *state); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_HMAC_H_DEFINED +#endif diff --git a/include/Hacl_Streaming_Types.h b/include/Hacl_Streaming_Types.h index 513f7464..f98bc9d2 100644 --- a/include/Hacl_Streaming_Types.h +++ b/include/Hacl_Streaming_Types.h @@ -35,6 +35,8 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "libintvector.h" + #define Spec_Hash_Definitions_SHA2_224 0 #define Spec_Hash_Definitions_SHA2_256 1 #define Spec_Hash_Definitions_SHA2_384 2 @@ -52,28 +54,116 @@ extern "C" { typedef uint8_t Spec_Hash_Definitions_hash_alg; -#define Hacl_Streaming_Types_Success 0 -#define Hacl_Streaming_Types_InvalidAlgorithm 1 -#define Hacl_Streaming_Types_InvalidLength 2 -#define Hacl_Streaming_Types_MaximumLengthExceeded 3 +typedef struct Hacl_Streaming_MD_state_32_s Hacl_Streaming_MD_state_32; -typedef uint8_t Hacl_Streaming_Types_error_code; +typedef struct Hacl_Streaming_MD_state_64_s Hacl_Streaming_MD_state_64; + +typedef struct K____uint64_t___uint64_t__s +{ + uint64_t *fst; + uint64_t *snd; +} +K____uint64_t___uint64_t_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2b_32_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____uint64_t___uint64_t_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2b_32; + +#define Hacl_Streaming_Blake2_Types_None 0 +#define Hacl_Streaming_Blake2_Types_Some 1 + +typedef uint8_t Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32; + +typedef struct K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256__s +{ + Lib_IntVector_Intrinsics_vec256 *fst; + Lib_IntVector_Intrinsics_vec256 *snd; +} +K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2b_256_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2b_256; -typedef struct Hacl_Streaming_MD_state_32_s +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256_s { - uint32_t *block_state; - uint8_t *buf; - uint64_t total_len; + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 v; } -Hacl_Streaming_MD_state_32; +Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256; -typedef struct Hacl_Streaming_MD_state_64_s +typedef struct K____uint32_t___uint32_t__s { - uint64_t *block_state; - uint8_t *buf; - uint64_t total_len; + uint32_t *fst; + uint32_t *snd; } -Hacl_Streaming_MD_state_64; +K____uint32_t___uint32_t_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2s_32_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____uint32_t___uint32_t_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2s_32; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32; + +typedef struct K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128__s +{ + Lib_IntVector_Intrinsics_vec128 *fst; + Lib_IntVector_Intrinsics_vec128 *snd; +} +K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2s_128_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2s_128; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128; + +#define Hacl_Streaming_Types_Success 0 +#define Hacl_Streaming_Types_InvalidAlgorithm 1 +#define Hacl_Streaming_Types_InvalidLength 2 +#define Hacl_Streaming_Types_MaximumLengthExceeded 3 +#define Hacl_Streaming_Types_OutOfMemory 4 + +typedef uint8_t Hacl_Streaming_Types_error_code; + +typedef K____uint64_t___uint64_t_ Hacl_Streaming_Types_two_pointers; #if defined(__cplusplus) } diff --git a/include/internal/EverCrypt_AEAD.h b/include/internal/EverCrypt_AEAD.h new file mode 100644 index 00000000..7a17f42d --- /dev/null +++ b/include/internal/EverCrypt_AEAD.h @@ -0,0 +1,58 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_EverCrypt_AEAD_H +#define __internal_EverCrypt_AEAD_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "Hacl_Spec.h" +#include "../EverCrypt_AEAD.h" + +/** +Both encryption and decryption require a state that holds the key. +The state may be reused as many times as desired. +*/ +typedef struct EverCrypt_AEAD_state_s_s +{ + Spec_Cipher_Expansion_impl impl; + uint8_t *ek; +} +EverCrypt_AEAD_state_s; + +/** +Both encryption and decryption require a state that holds the key. +The state may be reused as many times as desired. +*/ +bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee); + +#if defined(__cplusplus) +} +#endif + +#define __internal_EverCrypt_AEAD_H_DEFINED +#endif diff --git a/include/internal/EverCrypt_DRBG.h b/include/internal/EverCrypt_DRBG.h new file mode 100644 index 00000000..1863a8ee --- /dev/null +++ b/include/internal/EverCrypt_DRBG.h @@ -0,0 +1,78 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_EverCrypt_DRBG_H +#define __internal_EverCrypt_DRBG_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "Hacl_HMAC_DRBG.h" +#include "../EverCrypt_DRBG.h" + +typedef struct EverCrypt_DRBG_state_s_s +{ + EverCrypt_DRBG_state_s_tags tag; + union { + Hacl_HMAC_DRBG_state case_SHA1_s; + Hacl_HMAC_DRBG_state case_SHA2_256_s; + Hacl_HMAC_DRBG_state case_SHA2_384_s; + Hacl_HMAC_DRBG_state case_SHA2_512_s; + } + ; +} +EverCrypt_DRBG_state_s; + +bool +EverCrypt_DRBG_uu___is_SHA1_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_256_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_384_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +bool +EverCrypt_DRBG_uu___is_SHA2_512_s( + Spec_Hash_Definitions_hash_alg uu___, + EverCrypt_DRBG_state_s projectee +); + +#if defined(__cplusplus) +} +#endif + +#define __internal_EverCrypt_DRBG_H_DEFINED +#endif diff --git a/include/internal/EverCrypt_HMAC.h b/include/internal/EverCrypt_HMAC.h index debea462..3020f50c 100644 --- a/include/internal/EverCrypt_HMAC.h +++ b/include/internal/EverCrypt_HMAC.h @@ -30,18 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Hash_SHA1.h" -#include "internal/Hacl_Hash_Blake2s.h" -#include "internal/Hacl_Hash_Blake2b.h" -#include "internal/Hacl_HMAC.h" -#include "internal/EverCrypt_Hash.h" #include "../EverCrypt_HMAC.h" void diff --git a/include/internal/EverCrypt_Hash.h b/include/internal/EverCrypt_Hash.h index cd706161..cc06729d 100644 --- a/include/internal/EverCrypt_Hash.h +++ b/include/internal/EverCrypt_Hash.h @@ -30,25 +30,41 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Vale.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA3.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Hash_SHA1.h" -#include "internal/Hacl_Hash_MD5.h" -#include "internal/Hacl_Hash_Blake2s_Simd128.h" -#include "internal/Hacl_Hash_Blake2s.h" -#include "internal/Hacl_Hash_Blake2b_Simd256.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../EverCrypt_Hash.h" +typedef struct EverCrypt_Hash_state_s_s +{ + EverCrypt_Hash_state_s_tags tag; + union { + uint32_t *case_MD5_s; + uint32_t *case_SHA1_s; + uint32_t *case_SHA2_224_s; + uint32_t *case_SHA2_256_s; + uint64_t *case_SHA2_384_s; + uint64_t *case_SHA2_512_s; + uint64_t *case_SHA3_224_s; + uint64_t *case_SHA3_256_s; + uint64_t *case_SHA3_384_s; + uint64_t *case_SHA3_512_s; + uint32_t *case_Blake2S_s; + Lib_IntVector_Intrinsics_vec128 *case_Blake2S_128_s; + uint64_t *case_Blake2B_s; + Lib_IntVector_Intrinsics_vec256 *case_Blake2B_256_s; + } + ; +} +EverCrypt_Hash_state_s; + void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n); +typedef struct EverCrypt_Hash_Incremental_state_t_s +{ + EverCrypt_Hash_state_s *block_state; + uint8_t *buf; + uint64_t total_len; +} +EverCrypt_Hash_Incremental_state_t; + void EverCrypt_Hash_Incremental_hash_256(uint8_t *output, uint8_t *input, uint32_t input_len); #if defined(__cplusplus) diff --git a/include/internal/Hacl_Bignum.h b/include/internal/Hacl_Bignum.h index 4b31236d..b2f7fc24 100644 --- a/include/internal/Hacl_Bignum.h +++ b/include/internal/Hacl_Bignum.h @@ -30,15 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Bignum_Base.h" #include "../Hacl_Bignum.h" -#include "lib_intrinsics.h" void Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( diff --git a/include/internal/Hacl_Bignum25519_51.h b/include/internal/Hacl_Bignum25519_51.h index 4678f8a0..d81cff48 100644 --- a/include/internal/Hacl_Bignum25519_51.h +++ b/include/internal/Hacl_Bignum25519_51.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "internal/Hacl_Krmllib.h" #include "Hacl_Krmllib.h" diff --git a/include/internal/Hacl_Bignum_Base.h b/include/internal/Hacl_Bignum_Base.h index f2e282f4..630b7a30 100644 --- a/include/internal/Hacl_Bignum_Base.h +++ b/include/internal/Hacl_Bignum_Base.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "internal/Hacl_Krmllib.h" #include "Hacl_Krmllib.h" #include "lib_intrinsics.h" diff --git a/include/internal/Hacl_Bignum_K256.h b/include/internal/Hacl_Bignum_K256.h index fe72fffe..e0b89e96 100644 --- a/include/internal/Hacl_Bignum_K256.h +++ b/include/internal/Hacl_Bignum_K256.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "internal/Hacl_Krmllib.h" #include "Hacl_Krmllib.h" @@ -70,11 +65,7 @@ static inline bool Hacl_K256_Field_is_felem_lt_prime_minus_order_vartime(uint64_ uint64_t f2 = f[2U]; uint64_t f3 = f[3U]; uint64_t f4 = f[4U]; - if (f4 > 0ULL) - { - return false; - } - if (f3 > 0ULL) + if (f4 > 0ULL || f3 > 0ULL) { return false; } diff --git a/include/internal/Hacl_Chacha20.h b/include/internal/Hacl_Chacha20.h index 3722a30d..a37c4d82 100644 --- a/include/internal/Hacl_Chacha20.h +++ b/include/internal/Hacl_Chacha20.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_Chacha20.h" extern const uint32_t Hacl_Impl_Chacha20_Vec_chacha20_constants[4U]; diff --git a/include/internal/Hacl_Curve25519_51.h b/include/internal/Hacl_Curve25519_51.h index 975793d8..385fb9bf 100644 --- a/include/internal/Hacl_Curve25519_51.h +++ b/include/internal/Hacl_Curve25519_51.h @@ -30,13 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Bignum25519_51.h" #include "../Hacl_Curve25519_51.h" void diff --git a/include/internal/Hacl_Ed25519.h b/include/internal/Hacl_Ed25519.h index 1f4c90a6..ea2f3183 100644 --- a/include/internal/Hacl_Ed25519.h +++ b/include/internal/Hacl_Ed25519.h @@ -30,17 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Ed25519_PrecompTable.h" -#include "internal/Hacl_Curve25519_51.h" -#include "internal/Hacl_Bignum_Base.h" -#include "internal/Hacl_Bignum25519_51.h" #include "../Hacl_Ed25519.h" void Hacl_Bignum25519_reduce_513(uint64_t *a); diff --git a/include/internal/Hacl_Ed25519_PrecompTable.h b/include/internal/Hacl_Ed25519_PrecompTable.h index a20cd912..0eb746cc 100644 --- a/include/internal/Hacl_Ed25519_PrecompTable.h +++ b/include/internal/Hacl_Ed25519_PrecompTable.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - static const uint64_t Hacl_Ed25519_PrecompTable_precomp_basepoint_table_w4[320U] = diff --git a/include/internal/Hacl_Frodo_KEM.h b/include/internal/Hacl_Frodo_KEM.h index 34b1816a..16b02a49 100644 --- a/include/internal/Hacl_Frodo_KEM.h +++ b/include/internal/Hacl_Frodo_KEM.h @@ -30,14 +30,8 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "internal/Hacl_Spec.h" #include "internal/Hacl_Krmllib.h" -#include "Lib_RandomBuffer_System.h" #include "Hacl_Krmllib.h" #include "Hacl_Hash_SHA3.h" diff --git a/include/internal/Hacl_HMAC.h b/include/internal/Hacl_HMAC.h index ad344c4c..7de09dde 100644 --- a/include/internal/Hacl_HMAC.h +++ b/include/internal/Hacl_HMAC.h @@ -30,16 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Hash_SHA1.h" -#include "internal/Hacl_Hash_Blake2s.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_HMAC.h" typedef struct K___uint32_t_uint32_t_s diff --git a/include/internal/Hacl_Hash_Blake2b.h b/include/internal/Hacl_Hash_Blake2b.h index 6928d205..100df350 100644 --- a/include/internal/Hacl_Hash_Blake2b.h +++ b/include/internal/Hacl_Hash_Blake2b.h @@ -30,20 +30,15 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Impl_Blake2_Constants.h" +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_Blake2b.h" -typedef struct Hacl_Hash_Blake2b_index_s +typedef struct Hacl_Hash_Blake2b_params_and_key_s { - uint8_t key_length; - uint8_t digest_length; + Hacl_Hash_Blake2b_blake2_params *fst; + uint8_t *snd; } -Hacl_Hash_Blake2b_index; +Hacl_Hash_Blake2b_params_and_key; void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); @@ -62,6 +57,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -69,12 +65,13 @@ Hacl_Hash_Blake2b_update_last( void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash); -typedef struct K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t__s +typedef struct Hacl_Hash_Blake2b_state_t_s { - Hacl_Hash_Blake2b_blake2_params *fst; - uint8_t *snd; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state; + uint8_t *buf; + uint64_t total_len; } -K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_; +Hacl_Hash_Blake2b_state_t; #if defined(__cplusplus) } diff --git a/include/internal/Hacl_Hash_Blake2b_Simd256.h b/include/internal/Hacl_Hash_Blake2b_Simd256.h index 4dd986b2..b830ee2c 100644 --- a/include/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/include/internal/Hacl_Hash_Blake2b_Simd256.h @@ -30,15 +30,8 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Impl_Blake2_Constants.h" -#include "internal/Hacl_Hash_Blake2b.h" +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_Blake2b_Simd256.h" -#include "libintvector.h" void Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn); @@ -58,6 +51,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -84,6 +78,14 @@ Hacl_Hash_Blake2b_Simd256_store_state256b_to_state32( Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_Blake2b_Simd256_malloc_with_key(void); +typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s +{ + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Hash_Blake2b_Simd256_state_t; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_Hash_Blake2s.h b/include/internal/Hacl_Hash_Blake2s.h index eccd92de..5e2b035c 100644 --- a/include/internal/Hacl_Hash_Blake2s.h +++ b/include/internal/Hacl_Hash_Blake2s.h @@ -30,13 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Impl_Blake2_Constants.h" -#include "internal/Hacl_Hash_Blake2b.h" +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_Blake2s.h" void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); @@ -56,6 +50,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -63,6 +58,14 @@ Hacl_Hash_Blake2s_update_last( void Hacl_Hash_Blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash); +typedef struct Hacl_Hash_Blake2s_state_t_s +{ + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Hash_Blake2s_state_t; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_Hash_Blake2s_Simd128.h b/include/internal/Hacl_Hash_Blake2s_Simd128.h index 2c422949..78e8e9bc 100644 --- a/include/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/include/internal/Hacl_Hash_Blake2s_Simd128.h @@ -30,15 +30,8 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Impl_Blake2_Constants.h" -#include "internal/Hacl_Hash_Blake2b.h" +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_Blake2s_Simd128.h" -#include "libintvector.h" void Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn); @@ -58,6 +51,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -84,6 +78,14 @@ Hacl_Hash_Blake2s_Simd128_load_state128s_from_state32( Lib_IntVector_Intrinsics_vec128 *Hacl_Hash_Blake2s_Simd128_malloc_with_key(void); +typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s +{ + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Hash_Blake2s_Simd128_state_t; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_Hash_MD5.h b/include/internal/Hacl_Hash_MD5.h index dd77aaf1..3e8c3775 100644 --- a/include/internal/Hacl_Hash_MD5.h +++ b/include/internal/Hacl_Hash_MD5.h @@ -30,11 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_MD5.h" void Hacl_Hash_MD5_init(uint32_t *s); diff --git a/include/internal/Hacl_Hash_SHA1.h b/include/internal/Hacl_Hash_SHA1.h index ed53be55..e67c3319 100644 --- a/include/internal/Hacl_Hash_SHA1.h +++ b/include/internal/Hacl_Hash_SHA1.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_Hash_SHA1.h" void Hacl_Hash_SHA1_init(uint32_t *s); diff --git a/include/internal/Hacl_Hash_SHA2.h b/include/internal/Hacl_Hash_SHA2.h index 7dade3f3..004156f8 100644 --- a/include/internal/Hacl_Hash_SHA2.h +++ b/include/internal/Hacl_Hash_SHA2.h @@ -30,12 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" #include "../Hacl_Hash_SHA2.h" static const @@ -123,6 +117,8 @@ void Hacl_Hash_SHA2_sha256_finish(uint32_t *st, uint8_t *h); void Hacl_Hash_SHA2_sha224_init(uint32_t *hash); +void Hacl_Hash_SHA2_sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st); + void Hacl_Hash_SHA2_sha224_update_last(uint64_t totlen, uint32_t len, uint8_t *b, uint32_t *st); diff --git a/include/internal/Hacl_Hash_SHA3.h b/include/internal/Hacl_Hash_SHA3.h index a82af4bd..4e2a5f8f 100644 --- a/include/internal/Hacl_Hash_SHA3.h +++ b/include/internal/Hacl_Hash_SHA3.h @@ -30,11 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_SHA3.h" extern const uint32_t Hacl_Hash_SHA3_keccak_rotc[24U]; @@ -43,6 +39,8 @@ extern const uint32_t Hacl_Hash_SHA3_keccak_piln[24U]; extern const uint64_t Hacl_Hash_SHA3_keccak_rndc[24U]; +void Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_hash_alg a, uint64_t *s); + void Hacl_Hash_SHA3_update_multi_sha3( Spec_Hash_Definitions_hash_alg a, @@ -59,6 +57,20 @@ Hacl_Hash_SHA3_update_last_sha3( uint32_t input_len ); +typedef struct Hacl_Hash_SHA3_state_t_s +{ + Hacl_Hash_SHA3_hash_buf block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Hash_SHA3_state_t; + +#define FStar_Pervasives_Native_None 0 +#define FStar_Pervasives_Native_Some 1 + +typedef uint8_t +FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_Impl_Blake2_Constants.h b/include/internal/Hacl_Impl_Blake2_Constants.h index fb3a045c..f9780c9b 100644 --- a/include/internal/Hacl_Impl_Blake2_Constants.h +++ b/include/internal/Hacl_Impl_Blake2_Constants.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - static const uint32_t Hacl_Hash_Blake2b_sigmaTable[160U] = diff --git a/include/internal/Hacl_Impl_FFDHE_Constants.h b/include/internal/Hacl_Impl_FFDHE_Constants.h index 80cbdd52..00963a01 100644 --- a/include/internal/Hacl_Impl_FFDHE_Constants.h +++ b/include/internal/Hacl_Impl_FFDHE_Constants.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - static const uint8_t Hacl_Impl_FFDHE_Constants_ffdhe_g2[1U] = { 0x02U }; static const diff --git a/include/internal/Hacl_K256_ECDSA.h b/include/internal/Hacl_K256_ECDSA.h index 5acd511c..b506f335 100644 --- a/include/internal/Hacl_K256_ECDSA.h +++ b/include/internal/Hacl_K256_ECDSA.h @@ -30,17 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_K256_PrecompTable.h" -#include "internal/Hacl_Bignum_K256.h" -#include "internal/Hacl_Bignum_Base.h" #include "../Hacl_K256_ECDSA.h" -#include "lib_intrinsics.h" void Hacl_Impl_K256_Point_make_point_at_inf(uint64_t *p); diff --git a/include/internal/Hacl_K256_PrecompTable.h b/include/internal/Hacl_K256_PrecompTable.h index ff15f1c9..7415d20f 100644 --- a/include/internal/Hacl_K256_PrecompTable.h +++ b/include/internal/Hacl_K256_PrecompTable.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - static const uint64_t Hacl_K256_PrecompTable_precomp_basepoint_table_w4[240U] = diff --git a/include/internal/Hacl_Krmllib.h b/include/internal/Hacl_Krmllib.h index 70c84916..00770ff2 100644 --- a/include/internal/Hacl_Krmllib.h +++ b/include/internal/Hacl_Krmllib.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_Krmllib.h" static KRML_NOINLINE uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b); diff --git a/include/internal/Hacl_MAC_Poly1305.h b/include/internal/Hacl_MAC_Poly1305.h index 29e1734a..1d4c072d 100644 --- a/include/internal/Hacl_MAC_Poly1305.h +++ b/include/internal/Hacl_MAC_Poly1305.h @@ -30,17 +30,29 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - +#include "internal/Hacl_Hash_SHA3.h" #include "../Hacl_MAC_Poly1305.h" void Hacl_MAC_Poly1305_poly1305_init(uint64_t *ctx, uint8_t *key); void Hacl_MAC_Poly1305_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx); +typedef struct Hacl_MAC_Poly1305_state_t_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_MAC_Poly1305_state_t; + +typedef struct FStar_Pervasives_Native_option___uint8_t__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + uint8_t *v; +} +FStar_Pervasives_Native_option___uint8_t_; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_MAC_Poly1305_Simd128.h b/include/internal/Hacl_MAC_Poly1305_Simd128.h index fe120e43..56e9c014 100644 --- a/include/internal/Hacl_MAC_Poly1305_Simd128.h +++ b/include/internal/Hacl_MAC_Poly1305_Simd128.h @@ -30,13 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_MAC_Poly1305_Simd128.h" -#include "libintvector.h" void Hacl_MAC_Poly1305_Simd128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b); @@ -56,6 +50,15 @@ Hacl_MAC_Poly1305_Simd128_poly1305_finish( Lib_IntVector_Intrinsics_vec128 *ctx ); +typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s +{ + Lib_IntVector_Intrinsics_vec128 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_MAC_Poly1305_Simd128_state_t; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_MAC_Poly1305_Simd256.h b/include/internal/Hacl_MAC_Poly1305_Simd256.h index 7bf106c1..5bb30f21 100644 --- a/include/internal/Hacl_MAC_Poly1305_Simd256.h +++ b/include/internal/Hacl_MAC_Poly1305_Simd256.h @@ -30,13 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_MAC_Poly1305_Simd256.h" -#include "libintvector.h" void Hacl_MAC_Poly1305_Simd256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b); @@ -56,6 +50,15 @@ Hacl_MAC_Poly1305_Simd256_poly1305_finish( Lib_IntVector_Intrinsics_vec256 *ctx ); +typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s +{ + Lib_IntVector_Intrinsics_vec256 *block_state; + uint8_t *buf; + uint64_t total_len; + uint8_t *p_key; +} +Hacl_MAC_Poly1305_Simd256_state_t; + #if defined(__cplusplus) } #endif diff --git a/include/internal/Hacl_P256.h b/include/internal/Hacl_P256.h index 7c606ab6..01d90ebb 100644 --- a/include/internal/Hacl_P256.h +++ b/include/internal/Hacl_P256.h @@ -30,16 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -#include "internal/Hacl_P256_PrecompTable.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Bignum_Base.h" #include "../Hacl_P256.h" -#include "lib_intrinsics.h" bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key); diff --git a/include/internal/Hacl_P256_PrecompTable.h b/include/internal/Hacl_P256_PrecompTable.h index c852ef8c..06408c38 100644 --- a/include/internal/Hacl_P256_PrecompTable.h +++ b/include/internal/Hacl_P256_PrecompTable.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - static const uint64_t Hacl_P256_PrecompTable_precomp_basepoint_table_w4[192U] = diff --git a/include/internal/Hacl_SHA2_Types.h b/include/internal/Hacl_SHA2_Types.h index dcb276aa..85137fcf 100644 --- a/include/internal/Hacl_SHA2_Types.h +++ b/include/internal/Hacl_SHA2_Types.h @@ -30,11 +30,6 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_SHA2_Types.h" typedef struct Hacl_Hash_SHA2_uint8_5p_s diff --git a/include/internal/Hacl_Spec.h b/include/internal/Hacl_Spec.h index fee56d84..9b2e829b 100644 --- a/include/internal/Hacl_Spec.h +++ b/include/internal/Hacl_Spec.h @@ -30,19 +30,8 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - #include "../Hacl_Spec.h" -#define Spec_Cipher_Expansion_Hacl_CHACHA20 0 -#define Spec_Cipher_Expansion_Vale_AES128 1 -#define Spec_Cipher_Expansion_Vale_AES256 2 - -typedef uint8_t Spec_Cipher_Expansion_impl; - #define Spec_Frodo_Params_SHAKE128 0 #define Spec_Frodo_Params_AES128 1 diff --git a/include/internal/Hacl_Streaming_HMAC.h b/include/internal/Hacl_Streaming_HMAC.h new file mode 100644 index 00000000..5e11cabd --- /dev/null +++ b/include/internal/Hacl_Streaming_HMAC.h @@ -0,0 +1,71 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Streaming_HMAC_H +#define __internal_Hacl_Streaming_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "../Hacl_Streaming_HMAC.h" + +typedef struct Hacl_Agile_Hash_state_s_s +{ + Hacl_Agile_Hash_state_s_tags tag; + union { + uint32_t *case_MD5_s; + uint32_t *case_SHA1_s; + uint32_t *case_SHA2_224_s; + uint32_t *case_SHA2_256_s; + uint64_t *case_SHA2_384_s; + uint64_t *case_SHA2_512_s; + uint64_t *case_SHA3_224_s; + uint64_t *case_SHA3_256_s; + uint64_t *case_SHA3_384_s; + uint64_t *case_SHA3_512_s; + uint32_t *case_Blake2S_s; + Lib_IntVector_Intrinsics_vec128 *case_Blake2S_128_s; + uint64_t *case_Blake2B_s; + Lib_IntVector_Intrinsics_vec256 *case_Blake2B_256_s; + } + ; +} +Hacl_Agile_Hash_state_s; + +typedef struct Hacl_Streaming_HMAC_agile_state_s +{ + Hacl_Streaming_HMAC_Definitions_two_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_HMAC_agile_state; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Streaming_HMAC_H_DEFINED +#endif diff --git a/include/internal/Hacl_Streaming_Types.h b/include/internal/Hacl_Streaming_Types.h new file mode 100644 index 00000000..767c574c --- /dev/null +++ b/include/internal/Hacl_Streaming_Types.h @@ -0,0 +1,77 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Streaming_Types_H +#define __internal_Hacl_Streaming_Types_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "../Hacl_Streaming_Types.h" + +typedef struct Hacl_Streaming_MD_state_32_s +{ + uint32_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_MD_state_32; + +typedef struct Hacl_Streaming_MD_state_64_s +{ + uint64_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_MD_state_64; + +#define Hacl_Streaming_Types_None 0 +#define Hacl_Streaming_Types_Some 1 + +typedef uint8_t Hacl_Streaming_Types_optional_32_tags; + +typedef struct Hacl_Streaming_Types_optional_32_s +{ + Hacl_Streaming_Types_optional_32_tags tag; + uint32_t *v; +} +Hacl_Streaming_Types_optional_32; + +typedef struct Hacl_Streaming_Types_optional_64_s +{ + Hacl_Streaming_Types_optional_32_tags tag; + uint64_t *v; +} +Hacl_Streaming_Types_optional_64; + +typedef Hacl_Streaming_Types_optional_32_tags Hacl_Streaming_Types_optional_unit; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Streaming_Types_H_DEFINED +#endif diff --git a/include/internal/Vale.h b/include/internal/Vale.h index bc5b8d4a..7b24f3db 100644 --- a/include/internal/Vale.h +++ b/include/internal/Vale.h @@ -30,10 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" +#include "libintvector.h" extern uint64_t add_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); @@ -41,8 +38,6 @@ extern uint64_t fadd_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); extern uint64_t sha256_update(uint32_t *x0, uint8_t *x1, uint64_t x2, uint32_t *x3); -extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3); - extern uint64_t check_aesni(void); extern uint64_t check_sha(void); @@ -183,6 +178,8 @@ extern uint64_t fmul_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); extern uint64_t fsub_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); +extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3); + #if defined(__cplusplus) } #endif diff --git a/include/libintvector.h b/include/libintvector.h index 99d11336..11e914f7 100644 --- a/include/libintvector.h +++ b/include/libintvector.h @@ -19,7 +19,7 @@ #define Lib_IntVector_Intrinsics_bit_mask64(x) -((x) & 1) -#if defined(__x86_64__) || defined(_M_X64) +#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86) #if defined(HACL_CAN_COMPILE_VEC128) diff --git a/include/msvc/EverCrypt_AEAD.h b/include/msvc/EverCrypt_AEAD.h index 5d52493b..865a0877 100644 --- a/include/msvc/EverCrypt_AEAD.h +++ b/include/msvc/EverCrypt_AEAD.h @@ -37,8 +37,6 @@ extern "C" { #include "Hacl_Spec.h" #include "EverCrypt_Error.h" -#include "EverCrypt_Chacha20Poly1305.h" -#include "EverCrypt_AutoConfig2.h" typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s; diff --git a/include/msvc/EverCrypt_Chacha20Poly1305.h b/include/msvc/EverCrypt_Chacha20Poly1305.h index bd59e48b..10d4f755 100644 --- a/include/msvc/EverCrypt_Chacha20Poly1305.h +++ b/include/msvc/EverCrypt_Chacha20Poly1305.h @@ -35,11 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" -#include "EverCrypt_AutoConfig2.h" - void EverCrypt_Chacha20Poly1305_aead_encrypt( uint8_t *k, diff --git a/include/msvc/EverCrypt_Curve25519.h b/include/msvc/EverCrypt_Curve25519.h index d295461c..85387d4c 100644 --- a/include/msvc/EverCrypt_Curve25519.h +++ b/include/msvc/EverCrypt_Curve25519.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_Curve25519_51.h" -#include "EverCrypt_AutoConfig2.h" - /** Calculate a public point from a secret/private key. diff --git a/include/msvc/EverCrypt_DRBG.h b/include/msvc/EverCrypt_DRBG.h index b3161bfe..c45b542b 100644 --- a/include/msvc/EverCrypt_DRBG.h +++ b/include/msvc/EverCrypt_DRBG.h @@ -35,9 +35,7 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Lib_RandomBuffer_System.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_HMAC_DRBG.h" typedef Spec_Hash_Definitions_hash_alg EverCrypt_DRBG_supported_alg; diff --git a/include/msvc/EverCrypt_Ed25519.h b/include/msvc/EverCrypt_Ed25519.h index 8a3a192e..412e59e7 100644 --- a/include/msvc/EverCrypt_Ed25519.h +++ b/include/msvc/EverCrypt_Ed25519.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Ed25519.h" - void EverCrypt_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key); void EverCrypt_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key); diff --git a/include/msvc/EverCrypt_HMAC.h b/include/msvc/EverCrypt_HMAC.h index 7d1da14d..f8973928 100644 --- a/include/msvc/EverCrypt_HMAC.h +++ b/include/msvc/EverCrypt_HMAC.h @@ -36,17 +36,11 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" -#include "Hacl_Hash_Blake2s.h" -#include "Hacl_Hash_Blake2b.h" bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___); typedef Spec_Hash_Definitions_hash_alg EverCrypt_HMAC_supported_alg; -extern void (*EverCrypt_HMAC_hash_256)(uint8_t *x0, uint8_t *x1, uint32_t x2); - void EverCrypt_HMAC_compute( Spec_Hash_Definitions_hash_alg a, diff --git a/include/msvc/EverCrypt_Hash.h b/include/msvc/EverCrypt_Hash.h index b35dcf5f..0d7d6c69 100644 --- a/include/msvc/EverCrypt_Hash.h +++ b/include/msvc/EverCrypt_Hash.h @@ -36,15 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA3.h" -#include "Hacl_Hash_SHA2.h" -#include "Hacl_Hash_Blake2s_Simd128.h" -#include "Hacl_Hash_Blake2s.h" -#include "Hacl_Hash_Blake2b_Simd256.h" -#include "Hacl_Hash_Blake2b.h" #include "EverCrypt_Error.h" -#include "EverCrypt_AutoConfig2.h" typedef struct EverCrypt_Hash_state_s_s EverCrypt_Hash_state_s; diff --git a/include/msvc/EverCrypt_Poly1305.h b/include/msvc/EverCrypt_Poly1305.h index fba04059..d8ca2f6b 100644 --- a/include/msvc/EverCrypt_Poly1305.h +++ b/include/msvc/EverCrypt_Poly1305.h @@ -35,11 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_MAC_Poly1305_Simd256.h" -#include "Hacl_MAC_Poly1305_Simd128.h" -#include "Hacl_MAC_Poly1305.h" -#include "EverCrypt_AutoConfig2.h" - void EverCrypt_Poly1305_mac(uint8_t *output, uint8_t *input, uint32_t input_len, uint8_t *key); #if defined(__cplusplus) diff --git a/include/msvc/Hacl_AEAD_Chacha20Poly1305.h b/include/msvc/Hacl_AEAD_Chacha20Poly1305.h index 2a8daa75..9c926cea 100644 --- a/include/msvc/Hacl_AEAD_Chacha20Poly1305.h +++ b/include/msvc/Hacl_AEAD_Chacha20Poly1305.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Chacha20.h" - /** Encrypt a message `input` with key `key`. diff --git a/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.h b/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.h index de26c907..a452dcab 100644 --- a/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.h +++ b/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Chacha20_Vec128.h" - /** Encrypt a message `input` with key `key`. diff --git a/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.h b/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.h index 0abcdc59..81968f05 100644 --- a/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.h +++ b/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Chacha20_Vec256.h" - /** Encrypt a message `input` with key `key`. diff --git a/include/msvc/Hacl_Bignum.h b/include/msvc/Hacl_Bignum.h index 82b96225..f66f1561 100644 --- a/include/msvc/Hacl_Bignum.h +++ b/include/msvc/Hacl_Bignum.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "lib_intrinsics.h" typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s diff --git a/include/msvc/Hacl_Bignum256.h b/include/msvc/Hacl_Bignum256.h index 72eea53e..1fbeca93 100644 --- a/include/msvc/Hacl_Bignum256.h +++ b/include/msvc/Hacl_Bignum256.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" /******************************************************************************* diff --git a/include/msvc/Hacl_Bignum32.h b/include/msvc/Hacl_Bignum32.h index 84a839a9..709f22d9 100644 --- a/include/msvc/Hacl_Bignum32.h +++ b/include/msvc/Hacl_Bignum32.h @@ -56,9 +56,18 @@ of `len` unsigned 32-bit integers, i.e. uint32_t[len]. /** Write `a + b mod 2 ^ (32 * len)` in `res`. - This functions returns the carry. - - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + This function returns the carry. + + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly equal memory + location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); @@ -67,82 +76,134 @@ Write `a - b mod 2 ^ (32 * len)` in `res`. This functions returns the carry. - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `(a + b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `(a - b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `a * b` in `res`. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `b` and `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory locations of `a` and `b`. */ void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res); /** Write `a * a` in `res`. - The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory location of `a`. */ void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res); /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • 1 < n - • n % 2 = 1 + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `n`. + + @return `false` if any precondition is violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `1 < n` + - `n % 2 = 1` */ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_vartime( @@ -157,22 +218,30 @@ Hacl_Bignum32_mod_exp_vartime( /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is constant-time over its argument `b`, at the cost of a slower + execution time than `mod_exp_vartime_*`. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_consttime( @@ -187,18 +256,23 @@ Hacl_Bignum32_mod_exp_consttime( /** Write `a ^ (-1) mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • 0 < a - • a < n + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `n`. + + @return `false` if any preconditions (except the precondition: `n` is a prime) + are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `n % 2 = 1` + - `1 < n` + - `0 < a` + - `a < n` */ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); @@ -212,15 +286,16 @@ Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint /** Heap-allocate and initialize a montgomery context. - The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n % 2 = 1 - • 1 < n + @param n Points to `len` number of limbs, i.e. `uint32_t[len]`. - The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value - to avoid memory leaks. + @return A pointer to an allocated and initialized Montgomery context is returned. + Clients will need to call `Hacl_Bignum32_mont_ctx_free` on the return value to + avoid memory leaks. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` */ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n); @@ -228,16 +303,18 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 /** Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. */ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k); /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. */ void Hacl_Bignum32_mod_precomp( @@ -249,21 +326,25 @@ Hacl_Bignum32_mod_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_vartime_precomp( @@ -277,21 +358,25 @@ Hacl_Bignum32_mod_exp_vartime_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime_*. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + execution time than `mod_exp_vartime_*`. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_consttime_precomp( @@ -305,14 +390,17 @@ Hacl_Bignum32_mod_exp_consttime_precomp( /** Write `a ^ (-1) mod n` in `res`. - The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - • 0 < a - • a < n + @param[in] k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `0 < a` + - `a < n` */ void Hacl_Bignum32_mod_inv_prime_vartime_precomp( @@ -330,42 +418,48 @@ Hacl_Bignum32_mod_inv_prime_vartime_precomp( /** Load a bid-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b); /** Load a little-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b); /** Serialize a bignum into big-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res); /** Serialize a bignum into little-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); @@ -378,14 +472,22 @@ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res); /** Returns 2^32 - 1 if a < b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if `a < b`, otherwise, `0`. */ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b); /** Returns 2^32 - 1 if a = b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if a = b, otherwise, `0`. */ uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b); diff --git a/include/msvc/Hacl_Bignum4096.h b/include/msvc/Hacl_Bignum4096.h index 8f7ffb7c..cf785250 100644 --- a/include/msvc/Hacl_Bignum4096.h +++ b/include/msvc/Hacl_Bignum4096.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" /******************************************************************************* diff --git a/include/msvc/Hacl_Bignum64.h b/include/msvc/Hacl_Bignum64.h index 6261d82a..63e450af 100644 --- a/include/msvc/Hacl_Bignum64.h +++ b/include/msvc/Hacl_Bignum64.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum64_pbn_mont_ctx_u64; diff --git a/include/msvc/Hacl_Curve25519_51.h b/include/msvc/Hacl_Curve25519_51.h index a5a08720..c0299bbb 100644 --- a/include/msvc/Hacl_Curve25519_51.h +++ b/include/msvc/Hacl_Curve25519_51.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" - /** Compute the scalar multiple of a point. diff --git a/include/msvc/Hacl_Curve25519_64.h b/include/msvc/Hacl_Curve25519_64.h index 5152fbb8..23ca4bd2 100644 --- a/include/msvc/Hacl_Curve25519_64.h +++ b/include/msvc/Hacl_Curve25519_64.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" - /** Compute the scalar multiple of a point. diff --git a/include/msvc/Hacl_EC_Ed25519.h b/include/msvc/Hacl_EC_Ed25519.h index 27999fa2..875384be 100644 --- a/include/msvc/Hacl_EC_Ed25519.h +++ b/include/msvc/Hacl_EC_Ed25519.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" - /******************************************************************************* Verified field arithmetic modulo p = 2^255 - 19. diff --git a/include/msvc/Hacl_Ed25519.h b/include/msvc/Hacl_Ed25519.h index f0dc31e2..804fed01 100644 --- a/include/msvc/Hacl_Ed25519.h +++ b/include/msvc/Hacl_Ed25519.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" - /******************************************************************************** Verified C library for EdDSA signing and verification on the edwards25519 curve. ********************************************************************************/ diff --git a/include/msvc/Hacl_FFDHE.h b/include/msvc/Hacl_FFDHE.h index f195142e..5a798539 100644 --- a/include/msvc/Hacl_FFDHE.h +++ b/include/msvc/Hacl_FFDHE.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Spec.h" -#include "Hacl_Krmllib.h" uint32_t Hacl_FFDHE_ffdhe_len(Spec_FFDHE_ffdhe_alg a); diff --git a/include/msvc/Hacl_Frodo1344.h b/include/msvc/Hacl_Frodo1344.h index 9fca4c82..cc3c2bf1 100644 --- a/include/msvc/Hacl_Frodo1344.h +++ b/include/msvc/Hacl_Frodo1344.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - extern uint32_t Hacl_Frodo1344_crypto_bytes; extern uint32_t Hacl_Frodo1344_crypto_publickeybytes; diff --git a/include/msvc/Hacl_Frodo64.h b/include/msvc/Hacl_Frodo64.h index 05aecb59..02ea2e08 100644 --- a/include/msvc/Hacl_Frodo64.h +++ b/include/msvc/Hacl_Frodo64.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - /* this variant is used only for testing purposes! */ diff --git a/include/msvc/Hacl_Frodo640.h b/include/msvc/Hacl_Frodo640.h index 10c9bd47..a6d58075 100644 --- a/include/msvc/Hacl_Frodo640.h +++ b/include/msvc/Hacl_Frodo640.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - extern uint32_t Hacl_Frodo640_crypto_bytes; extern uint32_t Hacl_Frodo640_crypto_publickeybytes; diff --git a/include/msvc/Hacl_Frodo976.h b/include/msvc/Hacl_Frodo976.h index c2d5f84f..c361e81b 100644 --- a/include/msvc/Hacl_Frodo976.h +++ b/include/msvc/Hacl_Frodo976.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_SHA3.h" - extern uint32_t Hacl_Frodo976_crypto_bytes; extern uint32_t Hacl_Frodo976_crypto_publickeybytes; diff --git a/include/msvc/Hacl_GenericField64.h b/include/msvc/Hacl_GenericField64.h index 90a56a64..fc96a148 100644 --- a/include/msvc/Hacl_GenericField64.h +++ b/include/msvc/Hacl_GenericField64.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" #include "Hacl_Bignum.h" typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_GenericField64_pbn_mont_ctx_u64; diff --git a/include/msvc/Hacl_HKDF.h b/include/msvc/Hacl_HKDF.h index c13c648f..67b71a5a 100644 --- a/include/msvc/Hacl_HKDF.h +++ b/include/msvc/Hacl_HKDF.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_HMAC.h" - /** Expand pseudorandom key to desired length. diff --git a/include/msvc/Hacl_HKDF_Blake2b_256.h b/include/msvc/Hacl_HKDF_Blake2b_256.h index 202fd236..b7950f14 100644 --- a/include/msvc/Hacl_HKDF_Blake2b_256.h +++ b/include/msvc/Hacl_HKDF_Blake2b_256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_HMAC_Blake2b_256.h" - /** Expand pseudorandom key to desired length. diff --git a/include/msvc/Hacl_HKDF_Blake2s_128.h b/include/msvc/Hacl_HKDF_Blake2s_128.h index df4cfcf6..df8c1e5f 100644 --- a/include/msvc/Hacl_HKDF_Blake2s_128.h +++ b/include/msvc/Hacl_HKDF_Blake2s_128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_HMAC_Blake2s_128.h" - /** Expand pseudorandom key to desired length. diff --git a/include/msvc/Hacl_HMAC.h b/include/msvc/Hacl_HMAC.h index e1dc04f2..fe966525 100644 --- a/include/msvc/Hacl_HMAC.h +++ b/include/msvc/Hacl_HMAC.h @@ -35,10 +35,20 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" -#include "Hacl_Hash_Blake2s.h" -#include "Hacl_Hash_Blake2b.h" +/** +Write the HMAC-MD5 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 byte. +`dst` must point to 16 bytes of memory. +*/ +void +Hacl_HMAC_compute_md5( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); /** Write the HMAC-SHA-1 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -55,6 +65,21 @@ Hacl_HMAC_compute_sha1( uint32_t data_len ); +/** +Write the HMAC-SHA-2-224 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. +`dst` must point to 28 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha2_224( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + /** Write the HMAC-SHA-2-256 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -100,6 +125,66 @@ Hacl_HMAC_compute_sha2_512( uint32_t data_len ); +/** +Write the HMAC-SHA-3-224 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 144 bytes. +`dst` must point to 28 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_224( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +/** +Write the HMAC-SHA-3-256 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 136 bytes. +`dst` must point to 32 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_256( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +/** +Write the HMAC-SHA-3-384 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 104 bytes. +`dst` must point to 48 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + +/** +Write the HMAC-SHA-3-512 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 72 bytes. +`dst` must point to 64 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +); + /** Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. diff --git a/include/msvc/Hacl_HMAC_Blake2b_256.h b/include/msvc/Hacl_HMAC_Blake2b_256.h index d8f3e9e1..3528c2c7 100644 --- a/include/msvc/Hacl_HMAC_Blake2b_256.h +++ b/include/msvc/Hacl_HMAC_Blake2b_256.h @@ -35,9 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_Blake2b_Simd256.h" - /** Write the HMAC-BLAKE2b MAC of a message (`data`) by using a key (`key`) into `dst`. diff --git a/include/msvc/Hacl_HMAC_Blake2s_128.h b/include/msvc/Hacl_HMAC_Blake2s_128.h index 5ff79038..67aec1af 100644 --- a/include/msvc/Hacl_HMAC_Blake2s_128.h +++ b/include/msvc/Hacl_HMAC_Blake2s_128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Hash_Blake2s_Simd128.h" - /** Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. diff --git a/include/msvc/Hacl_HMAC_DRBG.h b/include/msvc/Hacl_HMAC_DRBG.h index 2d86b02f..0f78d67e 100644 --- a/include/msvc/Hacl_HMAC_DRBG.h +++ b/include/msvc/Hacl_HMAC_DRBG.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_HMAC.h" typedef Spec_Hash_Definitions_hash_alg Hacl_HMAC_DRBG_supported_alg; diff --git a/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h index a46db470..1f19f45c 100644 --- a/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h +++ b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve51_CP128_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h index 89091754..4b4f205c 100644 --- a/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h +++ b/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve51_CP128_SHA512_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h index 83ba2adb..b5ee166a 100644 --- a/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h +++ b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve51_CP256_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h index 1a796ab7..2ec66992 100644 --- a/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h +++ b/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve51_CP256_SHA512_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h index d249ba05..c02d614f 100644 --- a/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h +++ b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve51_CP32_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h index ddc00da3..1225f895 100644 --- a/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h +++ b/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_51.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve51_CP32_SHA512_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h index fda63e52..e1cc95d8 100644 --- a/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h +++ b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve64_CP128_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h index c8b06ca8..e67c439d 100644 --- a/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h +++ b/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_Curve64_CP128_SHA512_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h index 2da8dbcf..9302eed0 100644 --- a/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h +++ b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve64_CP256_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h index 87d919e1..40dcb5b3 100644 --- a/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h +++ b/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_Curve64_CP256_SHA512_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h index bd4b9b59..f63f16d9 100644 --- a/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h +++ b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve64_CP32_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h index 0d2bb8f0..54e0ea9e 100644 --- a/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h +++ b/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h @@ -36,9 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_Curve25519_64.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_Curve64_CP32_SHA512_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h b/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h index c76a100d..d87c3b00 100644 --- a/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h +++ b/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" uint32_t Hacl_HPKE_P256_CP128_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h b/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h index 4a33eb8a..cf2f3a7a 100644 --- a/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h +++ b/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" uint32_t Hacl_HPKE_P256_CP256_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h b/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h index 2818abed..d23743ad 100644 --- a/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h +++ b/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" -#include "Hacl_HKDF.h" -#include "Hacl_AEAD_Chacha20Poly1305.h" uint32_t Hacl_HPKE_P256_CP32_SHA256_setupBaseS( diff --git a/include/msvc/Hacl_Hash_Blake2b.h b/include/msvc/Hacl_Hash_Blake2b.h index 3403fc83..4a7d91a5 100644 --- a/include/msvc/Hacl_Hash_Blake2b.h +++ b/include/msvc/Hacl_Hash_Blake2b.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" typedef struct Hacl_Hash_Blake2b_blake2_params_s { @@ -53,24 +52,32 @@ typedef struct Hacl_Hash_Blake2b_blake2_params_s } Hacl_Hash_Blake2b_blake2_params; -typedef struct K____uint64_t___uint64_t__s +typedef struct Hacl_Hash_Blake2b_index_s { - uint64_t *fst; - uint64_t *snd; + uint8_t key_length; + uint8_t digest_length; + bool last_node; } -K____uint64_t___uint64_t_; +Hacl_Hash_Blake2b_index; -typedef struct Hacl_Hash_Blake2b_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____uint64_t___uint64_t_ thd; -} -Hacl_Hash_Blake2b_block_state_t; +#define HACL_HASH_BLAKE2B_BLOCK_BYTES (128U) + +#define HACL_HASH_BLAKE2B_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_PERSONAL_BYTES (16U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2b_32 Hacl_Hash_Blake2b_block_state_t; + +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 +Hacl_Hash_Blake2b_optional_block_state_t; typedef struct Hacl_Hash_Blake2b_state_t_s { - Hacl_Hash_Blake2b_block_state_t block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state; uint8_t *buf; uint64_t total_len; } @@ -92,7 +99,11 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** Specialized allocation function that picks default values for all @@ -116,7 +127,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void); /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -159,10 +170,14 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s); /** Free state function when there is no key @@ -198,10 +213,10 @@ Hacl_Hash_Blake2b_hash_with_key( Write the BLAKE2b digest of message `input` using key `key` and parameters `params` into `output`. The `key` array must be of length `params.key_length`. The `output` array must be of length -`params.digest_length`. +`params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_Blake2b_Simd256.h b/include/msvc/Hacl_Hash_Blake2b_Simd256.h index af309dc8..cf944ccf 100644 --- a/include/msvc/Hacl_Hash_Blake2b_Simd256.h +++ b/include/msvc/Hacl_Hash_Blake2b_Simd256.h @@ -36,62 +36,82 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" -typedef struct K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256__s -{ - Lib_IntVector_Intrinsics_vec256 *fst; - Lib_IntVector_Intrinsics_vec256 *snd; -} -K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_; +#define HACL_HASH_BLAKE2B_SIMD256_BLOCK_BYTES (128U) -typedef struct Hacl_Hash_Blake2b_Simd256_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ thd; -} +#define HACL_HASH_BLAKE2B_SIMD256_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_SIMD256_PERSONAL_BYTES (16U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2b_256 Hacl_Hash_Blake2b_Simd256_block_state_t; +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256 +Hacl_Hash_Blake2b_Simd256_optional_block_state_t; + typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state; uint8_t *buf; uint64_t total_len; } Hacl_Hash_Blake2b_Simd256_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -101,21 +121,27 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -125,10 +151,19 @@ Hacl_Hash_Blake2b_Simd256_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s); /** Free state function when there is no key @@ -136,7 +171,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state); @@ -161,8 +196,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_Blake2s.h b/include/msvc/Hacl_Hash_Blake2s.h index ac783473..42482487 100644 --- a/include/msvc/Hacl_Hash_Blake2s.h +++ b/include/msvc/Hacl_Hash_Blake2s.h @@ -38,54 +38,77 @@ extern "C" { #include "Hacl_Streaming_Types.h" #include "Hacl_Hash_Blake2b.h" -typedef struct K____uint32_t___uint32_t__s -{ - uint32_t *fst; - uint32_t *snd; -} -K____uint32_t___uint32_t_; +#define HACL_HASH_BLAKE2S_BLOCK_BYTES (64U) -typedef struct Hacl_Hash_Blake2s_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____uint32_t___uint32_t_ thd; -} -Hacl_Hash_Blake2s_block_state_t; +#define HACL_HASH_BLAKE2S_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_PERSONAL_BYTES (8U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2s_32 Hacl_Hash_Blake2s_block_state_t; + +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 +Hacl_Hash_Blake2s_optional_block_state_t; typedef struct Hacl_Hash_Blake2s_state_t_s { - Hacl_Hash_Blake2s_block_state_t block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state; uint8_t *buf; uint64_t total_len; } Hacl_Hash_Blake2s_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -95,28 +118,44 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s); /** Free state function when there is no key @@ -124,7 +163,7 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state); @@ -148,8 +187,14 @@ Hacl_Hash_Blake2s_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_Blake2s_Simd128.h b/include/msvc/Hacl_Hash_Blake2s_Simd128.h index d725ee86..b2b9f0ff 100644 --- a/include/msvc/Hacl_Hash_Blake2s_Simd128.h +++ b/include/msvc/Hacl_Hash_Blake2s_Simd128.h @@ -39,58 +39,79 @@ extern "C" { #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" -typedef struct K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128__s -{ - Lib_IntVector_Intrinsics_vec128 *fst; - Lib_IntVector_Intrinsics_vec128 *snd; -} -K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_; +#define HACL_HASH_BLAKE2S_SIMD128_BLOCK_BYTES (64U) -typedef struct Hacl_Hash_Blake2s_Simd128_block_state_t_s -{ - uint8_t fst; - uint8_t snd; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ thd; -} +#define HACL_HASH_BLAKE2S_SIMD128_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_SIMD128_PERSONAL_BYTES (8U) + +typedef Hacl_Streaming_Blake2_Types_block_state_blake2s_128 Hacl_Hash_Blake2s_Simd128_block_state_t; +typedef Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128 +Hacl_Hash_Blake2s_Simd128_optional_block_state_t; + typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state; uint8_t *buf; uint64_t total_len; } Hacl_Hash_Blake2s_Simd128_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -100,21 +121,27 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -124,10 +151,19 @@ Hacl_Hash_Blake2s_Simd128_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s); /** Free state function when there is no key @@ -135,7 +171,7 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state); @@ -160,8 +196,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_SHA2.h b/include/msvc/Hacl_Hash_SHA2.h index d17eab94..3bede75b 100644 --- a/include/msvc/Hacl_Hash_SHA2.h +++ b/include/msvc/Hacl_Hash_SHA2.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA2_state_t_224; diff --git a/include/msvc/Hacl_Hash_SHA3.h b/include/msvc/Hacl_Hash_SHA3.h index 8fb78fcd..18f23d8d 100644 --- a/include/msvc/Hacl_Hash_SHA3.h +++ b/include/msvc/Hacl_Hash_SHA3.h @@ -117,7 +117,7 @@ void Hacl_Hash_SHA3_state_free(uint64_t *s); Absorb number of input blocks and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses an input of multiple of 168-bytes (SHAKE128 block size), + It processes an input of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] @@ -131,14 +131,14 @@ Hacl_Hash_SHA3_shake128_absorb_nblocks(uint64_t *state, uint8_t *input, uint32_t Absorb a final partial block of input and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses a sequence of bytes at end of input buffer that is less + It processes a sequence of bytes at end of input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffer are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] The argument `input` (IN) points to `inputByteLen` bytes of valid memory, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffer must be passed to `inputByteLen` including the number of full-block bytes at start of input buffer that are ignored */ diff --git a/include/msvc/Hacl_Hash_SHA3_Simd256.h b/include/msvc/Hacl_Hash_SHA3_Simd256.h index 617e8e34..72162d43 100644 --- a/include/msvc/Hacl_Hash_SHA3_Simd256.h +++ b/include/msvc/Hacl_Hash_SHA3_Simd256.h @@ -139,12 +139,12 @@ void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s); Absorb number of blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses an inputs of multiple of 168-bytes (SHAKE128 block size), + It processes an inputs of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block for each buffer are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void @@ -161,15 +161,15 @@ Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( Absorb a final partial blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses a sequence of bytes at end of each input buffer that is less + It processes a sequence of bytes at end of each input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffers are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffers must be passed to `inputByteLen` including the number of full-block bytes at start of each input buffer that are ignored */ @@ -192,7 +192,7 @@ Squeeze a quadruple hash state to 4 output buffers The argument `state` (IN) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes + The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void diff --git a/include/msvc/Hacl_K256_ECDSA.h b/include/msvc/Hacl_K256_ECDSA.h index efc99f9c..baae0d7b 100644 --- a/include/msvc/Hacl_K256_ECDSA.h +++ b/include/msvc/Hacl_K256_ECDSA.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" #include "lib_intrinsics.h" /******************************************************************************* diff --git a/include/msvc/Hacl_MAC_Poly1305.h b/include/msvc/Hacl_MAC_Poly1305.h index 95ac4be2..c737848c 100644 --- a/include/msvc/Hacl_MAC_Poly1305.h +++ b/include/msvc/Hacl_MAC_Poly1305.h @@ -36,7 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" typedef struct Hacl_MAC_Poly1305_state_t_s { diff --git a/include/msvc/Hacl_NaCl.h b/include/msvc/Hacl_NaCl.h index a3ca6804..fce69753 100644 --- a/include/msvc/Hacl_NaCl.h +++ b/include/msvc/Hacl_NaCl.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Salsa20.h" -#include "Hacl_MAC_Poly1305.h" -#include "Hacl_Curve25519_51.h" - /** Encrypt a message with a key and nonce. diff --git a/include/msvc/Hacl_P256.h b/include/msvc/Hacl_P256.h index 5b2a43ec..c9ef7b40 100644 --- a/include/msvc/Hacl_P256.h +++ b/include/msvc/Hacl_P256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" #include "lib_intrinsics.h" diff --git a/include/msvc/Hacl_RSAPSS.h b/include/msvc/Hacl_RSAPSS.h index 90bd69ce..9853af68 100644 --- a/include/msvc/Hacl_RSAPSS.h +++ b/include/msvc/Hacl_RSAPSS.h @@ -36,8 +36,6 @@ extern "C" { #include "krml/internal/target.h" #include "Hacl_Streaming_Types.h" -#include "Hacl_Krmllib.h" -#include "Hacl_Hash_SHA2.h" /** Sign a message `msg` and write the signature to `sgnt`. diff --git a/include/msvc/Hacl_SHA2_Vec128.h b/include/msvc/Hacl_SHA2_Vec128.h index c5df2075..5118cd36 100644 --- a/include/msvc/Hacl_SHA2_Vec128.h +++ b/include/msvc/Hacl_SHA2_Vec128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_SHA2_Types.h" - void Hacl_SHA2_Vec128_sha224_4( uint8_t *dst0, diff --git a/include/msvc/Hacl_SHA2_Vec256.h b/include/msvc/Hacl_SHA2_Vec256.h index 7e41314a..dba3600a 100644 --- a/include/msvc/Hacl_SHA2_Vec256.h +++ b/include/msvc/Hacl_SHA2_Vec256.h @@ -35,9 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "Hacl_SHA2_Types.h" -#include "Hacl_Krmllib.h" - void Hacl_SHA2_Vec256_sha224_8( uint8_t *dst0, diff --git a/include/msvc/Hacl_Streaming_HMAC.h b/include/msvc/Hacl_Streaming_HMAC.h new file mode 100644 index 00000000..9158c32b --- /dev/null +++ b/include/msvc/Hacl_Streaming_HMAC.h @@ -0,0 +1,139 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Streaming_HMAC_H +#define __Hacl_Streaming_HMAC_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + +#include "Hacl_Streaming_Types.h" + +#define Hacl_Agile_Hash_MD5 0 +#define Hacl_Agile_Hash_SHA1 1 +#define Hacl_Agile_Hash_SHA2_224 2 +#define Hacl_Agile_Hash_SHA2_256 3 +#define Hacl_Agile_Hash_SHA2_384 4 +#define Hacl_Agile_Hash_SHA2_512 5 +#define Hacl_Agile_Hash_SHA3_224 6 +#define Hacl_Agile_Hash_SHA3_256 7 +#define Hacl_Agile_Hash_SHA3_384 8 +#define Hacl_Agile_Hash_SHA3_512 9 +#define Hacl_Agile_Hash_Blake2S_32 10 +#define Hacl_Agile_Hash_Blake2S_128 11 +#define Hacl_Agile_Hash_Blake2B_32 12 +#define Hacl_Agile_Hash_Blake2B_256 13 + +typedef uint8_t Hacl_Agile_Hash_impl; + +typedef struct Hacl_Agile_Hash_state_s_s Hacl_Agile_Hash_state_s; + +typedef struct Hacl_Streaming_HMAC_Definitions_index_s +{ + Hacl_Agile_Hash_impl fst; + uint32_t snd; +} +Hacl_Streaming_HMAC_Definitions_index; + +typedef struct Hacl_Streaming_HMAC_Definitions_two_state_s +{ + uint32_t fst; + Hacl_Agile_Hash_state_s *snd; + Hacl_Agile_Hash_state_s *thd; +} +Hacl_Streaming_HMAC_Definitions_two_state; + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s1( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +); + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s2( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +); + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_index_of_state(Hacl_Streaming_HMAC_Definitions_two_state s); + +typedef struct Hacl_Streaming_HMAC_agile_state_s +{ + Hacl_Streaming_HMAC_Definitions_two_state block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_HMAC_agile_state; + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_malloc_( + Hacl_Agile_Hash_impl impl, + uint8_t *key, + uint32_t key_length, + Hacl_Streaming_HMAC_agile_state **dst +); + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_get_impl(Hacl_Streaming_HMAC_agile_state *s); + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_reset( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *key, + uint32_t key_length +); + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_update( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *chunk, + uint32_t chunk_len +); + +void +Hacl_Streaming_HMAC_digest( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *output, + uint32_t digest_length +); + +void Hacl_Streaming_HMAC_free(Hacl_Streaming_HMAC_agile_state *state); + +Hacl_Streaming_HMAC_agile_state +*Hacl_Streaming_HMAC_copy(Hacl_Streaming_HMAC_agile_state *state); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_HMAC_H_DEFINED +#endif diff --git a/include/msvc/Hacl_Streaming_Types.h b/include/msvc/Hacl_Streaming_Types.h index 513f7464..19e3d228 100644 --- a/include/msvc/Hacl_Streaming_Types.h +++ b/include/msvc/Hacl_Streaming_Types.h @@ -35,6 +35,8 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "libintvector.h" + #define Spec_Hash_Definitions_SHA2_224 0 #define Spec_Hash_Definitions_SHA2_256 1 #define Spec_Hash_Definitions_SHA2_384 2 @@ -52,13 +54,6 @@ extern "C" { typedef uint8_t Spec_Hash_Definitions_hash_alg; -#define Hacl_Streaming_Types_Success 0 -#define Hacl_Streaming_Types_InvalidAlgorithm 1 -#define Hacl_Streaming_Types_InvalidLength 2 -#define Hacl_Streaming_Types_MaximumLengthExceeded 3 - -typedef uint8_t Hacl_Streaming_Types_error_code; - typedef struct Hacl_Streaming_MD_state_32_s { uint32_t *block_state; @@ -75,6 +70,113 @@ typedef struct Hacl_Streaming_MD_state_64_s } Hacl_Streaming_MD_state_64; +typedef struct K____uint64_t___uint64_t__s +{ + uint64_t *fst; + uint64_t *snd; +} +K____uint64_t___uint64_t_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2b_32_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____uint64_t___uint64_t_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2b_32; + +#define Hacl_Streaming_Blake2_Types_None 0 +#define Hacl_Streaming_Blake2_Types_Some 1 + +typedef uint8_t Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32; + +typedef struct K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256__s +{ + Lib_IntVector_Intrinsics_vec256 *fst; + Lib_IntVector_Intrinsics_vec256 *snd; +} +K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2b_256_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2b_256; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256; + +typedef struct K____uint32_t___uint32_t__s +{ + uint32_t *fst; + uint32_t *snd; +} +K____uint32_t___uint32_t_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2s_32_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____uint32_t___uint32_t_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2s_32; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32; + +typedef struct K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128__s +{ + Lib_IntVector_Intrinsics_vec128 *fst; + Lib_IntVector_Intrinsics_vec128 *snd; +} +K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_; + +typedef struct Hacl_Streaming_Blake2_Types_block_state_blake2s_128_s +{ + uint8_t fst; + uint8_t snd; + bool thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ f3; +} +Hacl_Streaming_Blake2_Types_block_state_blake2s_128; + +typedef struct Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128_s +{ + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags tag; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 v; +} +Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128; + +#define Hacl_Streaming_Types_Success 0 +#define Hacl_Streaming_Types_InvalidAlgorithm 1 +#define Hacl_Streaming_Types_InvalidLength 2 +#define Hacl_Streaming_Types_MaximumLengthExceeded 3 +#define Hacl_Streaming_Types_OutOfMemory 4 + +typedef uint8_t Hacl_Streaming_Types_error_code; + +typedef K____uint64_t___uint64_t_ Hacl_Streaming_Types_two_pointers; + #if defined(__cplusplus) } #endif diff --git a/include/msvc/internal/EverCrypt_HMAC.h b/include/msvc/internal/EverCrypt_HMAC.h index debea462..7290f61a 100644 --- a/include/msvc/internal/EverCrypt_HMAC.h +++ b/include/msvc/internal/EverCrypt_HMAC.h @@ -35,13 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Hash_SHA1.h" -#include "internal/Hacl_Hash_Blake2s.h" -#include "internal/Hacl_Hash_Blake2b.h" -#include "internal/Hacl_HMAC.h" -#include "internal/EverCrypt_Hash.h" #include "../EverCrypt_HMAC.h" void diff --git a/include/msvc/internal/EverCrypt_Hash.h b/include/msvc/internal/EverCrypt_Hash.h index cd706161..2f316292 100644 --- a/include/msvc/internal/EverCrypt_Hash.h +++ b/include/msvc/internal/EverCrypt_Hash.h @@ -35,16 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Vale.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA3.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Hash_SHA1.h" -#include "internal/Hacl_Hash_MD5.h" -#include "internal/Hacl_Hash_Blake2s_Simd128.h" -#include "internal/Hacl_Hash_Blake2s.h" -#include "internal/Hacl_Hash_Blake2b_Simd256.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../EverCrypt_Hash.h" void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n); diff --git a/include/msvc/internal/Hacl_Bignum.h b/include/msvc/internal/Hacl_Bignum.h index 4b31236d..6454c881 100644 --- a/include/msvc/internal/Hacl_Bignum.h +++ b/include/msvc/internal/Hacl_Bignum.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Bignum_Base.h" #include "../Hacl_Bignum.h" #include "lib_intrinsics.h" diff --git a/include/msvc/internal/Hacl_Bignum_K256.h b/include/msvc/internal/Hacl_Bignum_K256.h index fe72fffe..d8212bab 100644 --- a/include/msvc/internal/Hacl_Bignum_K256.h +++ b/include/msvc/internal/Hacl_Bignum_K256.h @@ -70,11 +70,7 @@ static inline bool Hacl_K256_Field_is_felem_lt_prime_minus_order_vartime(uint64_ uint64_t f2 = f[2U]; uint64_t f3 = f[3U]; uint64_t f4 = f[4U]; - if (f4 > 0ULL) - { - return false; - } - if (f3 > 0ULL) + if (f4 > 0ULL || f3 > 0ULL) { return false; } diff --git a/include/msvc/internal/Hacl_Curve25519_51.h b/include/msvc/internal/Hacl_Curve25519_51.h index 975793d8..76e58a98 100644 --- a/include/msvc/internal/Hacl_Curve25519_51.h +++ b/include/msvc/internal/Hacl_Curve25519_51.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Bignum25519_51.h" #include "../Hacl_Curve25519_51.h" void diff --git a/include/msvc/internal/Hacl_Ed25519.h b/include/msvc/internal/Hacl_Ed25519.h index 1f4c90a6..de57c5bc 100644 --- a/include/msvc/internal/Hacl_Ed25519.h +++ b/include/msvc/internal/Hacl_Ed25519.h @@ -35,12 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Ed25519_PrecompTable.h" -#include "internal/Hacl_Curve25519_51.h" -#include "internal/Hacl_Bignum_Base.h" -#include "internal/Hacl_Bignum25519_51.h" #include "../Hacl_Ed25519.h" void Hacl_Bignum25519_reduce_513(uint64_t *a); diff --git a/include/msvc/internal/Hacl_Frodo_KEM.h b/include/msvc/internal/Hacl_Frodo_KEM.h index c03a1b03..c31c777b 100644 --- a/include/msvc/internal/Hacl_Frodo_KEM.h +++ b/include/msvc/internal/Hacl_Frodo_KEM.h @@ -37,7 +37,6 @@ extern "C" { #include "internal/Hacl_Spec.h" #include "internal/Hacl_Krmllib.h" -#include "Lib_RandomBuffer_System.h" #include "Hacl_Krmllib.h" #include "Hacl_Hash_SHA3.h" diff --git a/include/msvc/internal/Hacl_HMAC.h b/include/msvc/internal/Hacl_HMAC.h index ad344c4c..ad29d507 100644 --- a/include/msvc/internal/Hacl_HMAC.h +++ b/include/msvc/internal/Hacl_HMAC.h @@ -35,11 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Hash_SHA2.h" -#include "internal/Hacl_Hash_SHA1.h" -#include "internal/Hacl_Hash_Blake2s.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_HMAC.h" typedef struct K___uint32_t_uint32_t_s diff --git a/include/msvc/internal/Hacl_Hash_Blake2b.h b/include/msvc/internal/Hacl_Hash_Blake2b.h index 6928d205..25448339 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2b.h +++ b/include/msvc/internal/Hacl_Hash_Blake2b.h @@ -35,15 +35,14 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" -typedef struct Hacl_Hash_Blake2b_index_s +typedef struct Hacl_Hash_Blake2b_params_and_key_s { - uint8_t key_length; - uint8_t digest_length; + Hacl_Hash_Blake2b_blake2_params *fst; + uint8_t *snd; } -Hacl_Hash_Blake2b_index; +Hacl_Hash_Blake2b_params_and_key; void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); @@ -62,6 +61,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -69,13 +69,6 @@ Hacl_Hash_Blake2b_update_last( void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash); -typedef struct K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t__s -{ - Hacl_Hash_Blake2b_blake2_params *fst; - uint8_t *snd; -} -K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_; - #if defined(__cplusplus) } #endif diff --git a/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h b/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h index 4dd986b2..90217118 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Impl_Blake2_Constants.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2b_Simd256.h" #include "libintvector.h" @@ -58,6 +56,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/internal/Hacl_Hash_Blake2s.h b/include/msvc/internal/Hacl_Hash_Blake2s.h index eccd92de..00a71f63 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2s.h +++ b/include/msvc/internal/Hacl_Hash_Blake2s.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Impl_Blake2_Constants.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s.h" void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); @@ -56,6 +54,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h b/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h index 2c422949..38060392 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h @@ -35,8 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Impl_Blake2_Constants.h" -#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s_Simd128.h" #include "libintvector.h" @@ -58,6 +56,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/internal/Hacl_Hash_MD5.h b/include/msvc/internal/Hacl_Hash_MD5.h index dd77aaf1..7fe71a49 100644 --- a/include/msvc/internal/Hacl_Hash_MD5.h +++ b/include/msvc/internal/Hacl_Hash_MD5.h @@ -35,6 +35,7 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_MD5.h" void Hacl_Hash_MD5_init(uint32_t *s); diff --git a/include/msvc/internal/Hacl_Hash_SHA2.h b/include/msvc/internal/Hacl_Hash_SHA2.h index 7dade3f3..98498ee9 100644 --- a/include/msvc/internal/Hacl_Hash_SHA2.h +++ b/include/msvc/internal/Hacl_Hash_SHA2.h @@ -35,7 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" #include "../Hacl_Hash_SHA2.h" static const @@ -123,6 +122,8 @@ void Hacl_Hash_SHA2_sha256_finish(uint32_t *st, uint8_t *h); void Hacl_Hash_SHA2_sha224_init(uint32_t *hash); +void Hacl_Hash_SHA2_sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st); + void Hacl_Hash_SHA2_sha224_update_last(uint64_t totlen, uint32_t len, uint8_t *b, uint32_t *st); diff --git a/include/msvc/internal/Hacl_Hash_SHA3.h b/include/msvc/internal/Hacl_Hash_SHA3.h index a82af4bd..3f596412 100644 --- a/include/msvc/internal/Hacl_Hash_SHA3.h +++ b/include/msvc/internal/Hacl_Hash_SHA3.h @@ -35,6 +35,7 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "Hacl_Streaming_Types.h" #include "../Hacl_Hash_SHA3.h" extern const uint32_t Hacl_Hash_SHA3_keccak_rotc[24U]; @@ -43,6 +44,8 @@ extern const uint32_t Hacl_Hash_SHA3_keccak_piln[24U]; extern const uint64_t Hacl_Hash_SHA3_keccak_rndc[24U]; +void Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_hash_alg a, uint64_t *s); + void Hacl_Hash_SHA3_update_multi_sha3( Spec_Hash_Definitions_hash_alg a, @@ -59,6 +62,12 @@ Hacl_Hash_SHA3_update_last_sha3( uint32_t input_len ); +#define FStar_Pervasives_Native_None 0 +#define FStar_Pervasives_Native_Some 1 + +typedef uint8_t +FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags; + #if defined(__cplusplus) } #endif diff --git a/include/msvc/internal/Hacl_K256_ECDSA.h b/include/msvc/internal/Hacl_K256_ECDSA.h index 5acd511c..77638019 100644 --- a/include/msvc/internal/Hacl_K256_ECDSA.h +++ b/include/msvc/internal/Hacl_K256_ECDSA.h @@ -35,10 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_K256_PrecompTable.h" -#include "internal/Hacl_Bignum_K256.h" -#include "internal/Hacl_Bignum_Base.h" #include "../Hacl_K256_ECDSA.h" #include "lib_intrinsics.h" diff --git a/include/msvc/internal/Hacl_MAC_Poly1305.h b/include/msvc/internal/Hacl_MAC_Poly1305.h index 29e1734a..86cdc4fc 100644 --- a/include/msvc/internal/Hacl_MAC_Poly1305.h +++ b/include/msvc/internal/Hacl_MAC_Poly1305.h @@ -35,12 +35,20 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "internal/Hacl_Hash_SHA3.h" #include "../Hacl_MAC_Poly1305.h" void Hacl_MAC_Poly1305_poly1305_init(uint64_t *ctx, uint8_t *key); void Hacl_MAC_Poly1305_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx); +typedef struct FStar_Pervasives_Native_option___uint8_t__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + uint8_t *v; +} +FStar_Pervasives_Native_option___uint8_t_; + #if defined(__cplusplus) } #endif diff --git a/include/msvc/internal/Hacl_P256.h b/include/msvc/internal/Hacl_P256.h index 7c606ab6..9d5b3562 100644 --- a/include/msvc/internal/Hacl_P256.h +++ b/include/msvc/internal/Hacl_P256.h @@ -35,9 +35,6 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" -#include "internal/Hacl_P256_PrecompTable.h" -#include "internal/Hacl_Krmllib.h" -#include "internal/Hacl_Bignum_Base.h" #include "../Hacl_P256.h" #include "lib_intrinsics.h" diff --git a/include/msvc/internal/Hacl_Streaming_Types.h b/include/msvc/internal/Hacl_Streaming_Types.h new file mode 100644 index 00000000..9fe43000 --- /dev/null +++ b/include/msvc/internal/Hacl_Streaming_Types.h @@ -0,0 +1,67 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Streaming_Types_H +#define __internal_Hacl_Streaming_Types_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + +#include "../Hacl_Streaming_Types.h" +#include "libintvector.h" + +#define Hacl_Streaming_Types_None 0 +#define Hacl_Streaming_Types_Some 1 + +typedef uint8_t Hacl_Streaming_Types_optional_32_tags; + +typedef struct Hacl_Streaming_Types_optional_32_s +{ + Hacl_Streaming_Types_optional_32_tags tag; + uint32_t *v; +} +Hacl_Streaming_Types_optional_32; + +typedef struct Hacl_Streaming_Types_optional_64_s +{ + Hacl_Streaming_Types_optional_32_tags tag; + uint64_t *v; +} +Hacl_Streaming_Types_optional_64; + +typedef Hacl_Streaming_Types_optional_32_tags Hacl_Streaming_Types_optional_unit; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Streaming_Types_H_DEFINED +#endif diff --git a/include/msvc/libintvector.h b/include/msvc/libintvector.h index 99d11336..11e914f7 100644 --- a/include/msvc/libintvector.h +++ b/include/msvc/libintvector.h @@ -19,7 +19,7 @@ #define Lib_IntVector_Intrinsics_bit_mask64(x) -((x) & 1) -#if defined(__x86_64__) || defined(_M_X64) +#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86) #if defined(HACL_CAN_COMPILE_VEC128) diff --git a/karamel/include/krml/c_endianness.h b/karamel/include/krml/c_endianness.h index 21d7e1b4..937d8d10 100644 --- a/karamel/include/krml/c_endianness.h +++ b/karamel/include/krml/c_endianness.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef __KRML_ENDIAN_H #define __KRML_ENDIAN_H diff --git a/karamel/include/krml/internal/builtin.h b/karamel/include/krml/internal/builtin.h index 6098f30b..bb47d64d 100644 --- a/karamel/include/krml/internal/builtin.h +++ b/karamel/include/krml/internal/builtin.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef __KRML_BUILTIN_H #define __KRML_BUILTIN_H diff --git a/karamel/include/krml/internal/callconv.h b/karamel/include/krml/internal/callconv.h index aeca0ba7..4bc0f878 100644 --- a/karamel/include/krml/internal/callconv.h +++ b/karamel/include/krml/internal/callconv.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef __KRML_CALLCONV_H #define __KRML_CALLCONV_H diff --git a/karamel/include/krml/internal/compat.h b/karamel/include/krml/internal/compat.h index b557bbc1..f206520f 100644 --- a/karamel/include/krml/internal/compat.h +++ b/karamel/include/krml/internal/compat.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef KRML_COMPAT_H #define KRML_COMPAT_H diff --git a/karamel/include/krml/internal/debug.h b/karamel/include/krml/internal/debug.h index 786db147..97f06995 100644 --- a/karamel/include/krml/internal/debug.h +++ b/karamel/include/krml/internal/debug.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef __KRML_DEBUG_H #define __KRML_DEBUG_H diff --git a/karamel/include/krml/internal/target.h b/karamel/include/krml/internal/target.h index d4252a10..f385010d 100644 --- a/karamel/include/krml/internal/target.h +++ b/karamel/include/krml/internal/target.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef __KRML_TARGET_H #define __KRML_TARGET_H @@ -19,6 +19,20 @@ # define inline __inline__ #endif +/* There is no support for aligned_alloc() in macOS before Catalina, so + * let's make a macro to use _mm_malloc() and _mm_free() functions + * from mm_malloc.h. */ +#if defined(__APPLE__) && defined(__MACH__) +# include +# if defined(MAC_OS_X_VERSION_MIN_REQUIRED) && \ + (MAC_OS_X_VERSION_MIN_REQUIRED < 101500) +# include +# define LEGACY_MACOS +# else +# undef LEGACY_MACOS +#endif +#endif + /******************************************************************************/ /* Macros that KaRaMeL will generate. */ /******************************************************************************/ @@ -69,11 +83,21 @@ # endif #endif +#ifndef KRML_ATTRIBUTE_TARGET +# if defined(__GNUC__) +# define KRML_ATTRIBUTE_TARGET(x) __attribute__((target(x))) +# else +# define KRML_ATTRIBUTE_TARGET(x) +# endif +#endif + #ifndef KRML_NOINLINE # if defined(_MSC_VER) # define KRML_NOINLINE __declspec(noinline) # elif defined (__GNUC__) # define KRML_NOINLINE __attribute__((noinline,unused)) +# elif defined (__SUNPRO_C) +# define KRML_NOINLINE __attribute__((noinline)) # else # define KRML_NOINLINE # warning "The KRML_NOINLINE macro is not defined for this toolchain!" @@ -82,6 +106,20 @@ # endif #endif +#ifndef KRML_MUSTINLINE +# if defined(_MSC_VER) +# define KRML_MUSTINLINE inline __forceinline +# elif defined (__GNUC__) +# define KRML_MUSTINLINE inline __attribute__((always_inline)) +# elif defined (__SUNPRO_C) +# define KRML_MUSTINLINE inline __attribute__((always_inline)) +# else +# define KRML_MUSTINLINE inline +# warning "The KRML_MUSTINLINE macro defaults to plain inline for this toolchain!" +# warning "Please locate target.h and try to fill it out with a suitable definition for this compiler." +# endif +#endif + #ifndef KRML_PRE_ALIGN # ifdef _MSC_VER # define KRML_PRE_ALIGN(X) __declspec(align(X)) @@ -109,6 +147,8 @@ defined(_MSC_VER) || \ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) # define KRML_ALIGNED_MALLOC(X, Y) _aligned_malloc(Y, X) +# elif defined(LEGACY_MACOS) +# define KRML_ALIGNED_MALLOC(X, Y) _mm_malloc(Y, X) # else # define KRML_ALIGNED_MALLOC(X, Y) aligned_alloc(X, Y) # endif @@ -126,6 +166,8 @@ defined(_MSC_VER) || \ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) # define KRML_ALIGNED_FREE(X) _aligned_free(X) +# elif defined(LEGACY_MACOS) +# define KRML_ALIGNED_FREE(X) _mm_free(X) # else # define KRML_ALIGNED_FREE(X) free(X) # endif @@ -191,6 +233,8 @@ inline static int32_t krml_time(void) { #elif defined(__GNUC__) /* deprecated attribute is not defined in GCC < 4.5. */ # define KRML_DEPRECATED(x) +#elif defined(__SUNPRO_C) +# define KRML_DEPRECATED(x) __attribute__((deprecated(x))) #elif defined(_MSC_VER) # define KRML_DEPRECATED(x) __declspec(deprecated(x)) #endif diff --git a/karamel/include/krml/internal/types.h b/karamel/include/krml/internal/types.h index e41b39be..31476313 100644 --- a/karamel/include/krml/internal/types.h +++ b/karamel/include/krml/internal/types.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef KRML_TYPES_H #define KRML_TYPES_H diff --git a/karamel/include/krml/internal/wasmsupport.h b/karamel/include/krml/internal/wasmsupport.h index b44fa3f7..5aba9756 100644 --- a/karamel/include/krml/internal/wasmsupport.h +++ b/karamel/include/krml/internal/wasmsupport.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ /* This file is automatically included when compiling with -wasm -d force-c */ #define WasmSupport_check_buffer_size(X) diff --git a/karamel/include/krml/lowstar_endianness.h b/karamel/include/krml/lowstar_endianness.h index 1aa2ccd6..af6b882c 100644 --- a/karamel/include/krml/lowstar_endianness.h +++ b/karamel/include/krml/lowstar_endianness.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef __LOWSTAR_ENDIANNESS_H #define __LOWSTAR_ENDIANNESS_H diff --git a/karamel/krmllib/dist/minimal/FStar_UInt128.h b/karamel/krmllib/dist/minimal/FStar_UInt128.h index ecc90213..be32ad9b 100644 --- a/karamel/krmllib/dist/minimal/FStar_UInt128.h +++ b/karamel/krmllib/dist/minimal/FStar_UInt128.h @@ -1,6 +1,6 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. + Licensed under the Apache 2.0 and MIT Licenses. */ diff --git a/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h b/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h index 9e4e2290..d4a90220 100644 --- a/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h +++ b/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h @@ -1,6 +1,6 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. + Licensed under the Apache 2.0 and MIT Licenses. */ diff --git a/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h index 56a2454f..39ac471f 100644 --- a/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h +++ b/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h @@ -1,6 +1,6 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. + Licensed under the Apache 2.0 and MIT Licenses. */ diff --git a/karamel/krmllib/dist/minimal/LowStar_Endianness.h b/karamel/krmllib/dist/minimal/LowStar_Endianness.h index e851c15c..f95743d4 100644 --- a/karamel/krmllib/dist/minimal/LowStar_Endianness.h +++ b/karamel/krmllib/dist/minimal/LowStar_Endianness.h @@ -1,6 +1,6 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. + Licensed under the Apache 2.0 and MIT Licenses. */ diff --git a/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h b/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h index ae109004..10a4dc1a 100644 --- a/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ b/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ /******************************************************************************/ /* Machine integers (128-bit arithmetic) */ diff --git a/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h b/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h index 6ff658f5..89bbc159 100644 --- a/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h +++ b/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ /* This file was generated by KaRaMeL * then hand-edited to use MSVC intrinsics KaRaMeL invocation: diff --git a/karamel/krmllib/dist/minimal/fstar_uint128_struct_endianness.h b/karamel/krmllib/dist/minimal/fstar_uint128_struct_endianness.h index e2b6d628..bb736add 100644 --- a/karamel/krmllib/dist/minimal/fstar_uint128_struct_endianness.h +++ b/karamel/krmllib/dist/minimal/fstar_uint128_struct_endianness.h @@ -1,5 +1,5 @@ /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ + Licensed under the Apache 2.0 and MIT Licenses. */ #ifndef FSTAR_UINT128_STRUCT_ENDIANNESS_H #define FSTAR_UINT128_STRUCT_ENDIANNESS_H diff --git a/ocaml/ctypes.depend b/ocaml/ctypes.depend index d94fad90..b73b8058 100644 --- a/ocaml/ctypes.depend +++ b/ocaml/ctypes.depend @@ -1,4 +1,4 @@ -CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA3_Simd256_stubs.cmx lib/Hacl_Hash_SHA3_Simd256_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx +CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA3_Simd256_stubs.cmx lib/Hacl_Hash_SHA3_Simd256_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_Streaming_HMAC_stubs.cmx lib/Hacl_Streaming_HMAC_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Streaming_Types_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmo: lib_gen/Hacl_Streaming_Types_gen.cmx: lib/Hacl_Streaming_Types_bindings.cmx @@ -27,10 +27,18 @@ lib/Hacl_Hash_Base_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_ lib/Hacl_Hash_Base_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo lib_gen/Hacl_Hash_Base_gen.cmx: lib/Hacl_Hash_Base_bindings.cmx lib_gen/Hacl_Hash_Base_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Hash_Base_bindings.cmx lib_gen/Hacl_Hash_Base_gen.cmx +lib/Hacl_Hash_MD5_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx +lib/Hacl_Hash_MD5_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo +lib_gen/Hacl_Hash_MD5_gen.cmx: lib/Hacl_Hash_MD5_bindings.cmx +lib_gen/Hacl_Hash_MD5_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Hash_MD5_bindings.cmx lib_gen/Hacl_Hash_MD5_gen.cmx lib/Hacl_Hash_SHA1_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo lib_gen/Hacl_Hash_SHA1_gen.cmx: lib/Hacl_Hash_SHA1_bindings.cmx lib_gen/Hacl_Hash_SHA1_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Hash_SHA1_bindings.cmx lib_gen/Hacl_Hash_SHA1_gen.cmx +lib/Hacl_Hash_SHA3_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx +lib/Hacl_Hash_SHA3_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo +lib_gen/Hacl_Hash_SHA3_gen.cmx: lib/Hacl_Hash_SHA3_bindings.cmx +lib_gen/Hacl_Hash_SHA3_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Hash_SHA3_bindings.cmx lib_gen/Hacl_Hash_SHA3_gen.cmx lib/Hacl_Hash_SHA2_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo lib_gen/Hacl_Hash_SHA2_gen.cmx: lib/Hacl_Hash_SHA2_bindings.cmx @@ -47,10 +55,6 @@ lib/Hacl_HMAC_Blake2b_256_bindings.cmx: lib/Hacl_HMAC_Blake2b_256_bindings.cmo: lib_gen/Hacl_HMAC_Blake2b_256_gen.cmx: lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib_gen/Hacl_HMAC_Blake2b_256_gen.exe: lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib_gen/Hacl_HMAC_Blake2b_256_gen.cmx -lib/Hacl_Hash_SHA3_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx -lib/Hacl_Hash_SHA3_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo -lib_gen/Hacl_Hash_SHA3_gen.cmx: lib/Hacl_Hash_SHA3_bindings.cmx -lib_gen/Hacl_Hash_SHA3_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Hash_SHA3_bindings.cmx lib_gen/Hacl_Hash_SHA3_gen.cmx lib/Hacl_SHA2_Types_bindings.cmx: lib/Hacl_SHA2_Types_bindings.cmo: lib_gen/Hacl_SHA2_Types_gen.cmx: lib/Hacl_SHA2_Types_bindings.cmx @@ -59,10 +63,6 @@ lib/Hacl_Hash_SHA3_Simd256_bindings.cmx: lib/Hacl_Hash_SHA3_Simd256_bindings.cmo: lib_gen/Hacl_Hash_SHA3_Simd256_gen.cmx: lib/Hacl_Hash_SHA3_Simd256_bindings.cmx lib_gen/Hacl_Hash_SHA3_Simd256_gen.exe: lib/Hacl_Hash_SHA3_Simd256_bindings.cmx lib_gen/Hacl_Hash_SHA3_Simd256_gen.cmx -lib/Hacl_Hash_MD5_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx -lib/Hacl_Hash_MD5_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo -lib_gen/Hacl_Hash_MD5_gen.cmx: lib/Hacl_Hash_MD5_bindings.cmx -lib_gen/Hacl_Hash_MD5_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Hash_MD5_bindings.cmx lib_gen/Hacl_Hash_MD5_gen.cmx lib/EverCrypt_Error_bindings.cmx: lib/EverCrypt_Error_bindings.cmo: lib_gen/EverCrypt_Error_gen.cmx: lib/EverCrypt_Error_bindings.cmx @@ -111,10 +111,10 @@ lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx: lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmo: lib_gen/Hacl_AEAD_Chacha20Poly1305_gen.cmx: lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib_gen/Hacl_AEAD_Chacha20Poly1305_gen.exe: lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib_gen/Hacl_AEAD_Chacha20Poly1305_gen.cmx -lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx: -lib/Hacl_MAC_Poly1305_Simd128_bindings.cmo: +lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx +lib/Hacl_MAC_Poly1305_Simd128_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo lib_gen/Hacl_MAC_Poly1305_Simd128_gen.cmx: lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx -lib_gen/Hacl_MAC_Poly1305_Simd128_gen.exe: lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib_gen/Hacl_MAC_Poly1305_Simd128_gen.cmx +lib_gen/Hacl_MAC_Poly1305_Simd128_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib_gen/Hacl_MAC_Poly1305_Simd128_gen.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx: lib/Hacl_Chacha20_Vec128_bindings.cmo: lib_gen/Hacl_Chacha20_Vec128_gen.cmx: lib/Hacl_Chacha20_Vec128_bindings.cmx @@ -123,10 +123,10 @@ lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx: lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmo: lib_gen/Hacl_AEAD_Chacha20Poly1305_Simd128_gen.cmx: lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib_gen/Hacl_AEAD_Chacha20Poly1305_Simd128_gen.exe: lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib_gen/Hacl_AEAD_Chacha20Poly1305_Simd128_gen.cmx -lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx: -lib/Hacl_MAC_Poly1305_Simd256_bindings.cmo: +lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx +lib/Hacl_MAC_Poly1305_Simd256_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo lib_gen/Hacl_MAC_Poly1305_Simd256_gen.cmx: lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx -lib_gen/Hacl_MAC_Poly1305_Simd256_gen.exe: lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib_gen/Hacl_MAC_Poly1305_Simd256_gen.cmx +lib_gen/Hacl_MAC_Poly1305_Simd256_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib_gen/Hacl_MAC_Poly1305_Simd256_gen.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx: lib/Hacl_Chacha20_Vec256_bindings.cmo: lib_gen/Hacl_Chacha20_Vec256_gen.cmx: lib/Hacl_Chacha20_Vec256_bindings.cmx @@ -163,6 +163,10 @@ lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo: lib_gen/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_gen.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib_gen/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib_gen/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_gen.cmx +lib/Hacl_Streaming_HMAC_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx +lib/Hacl_Streaming_HMAC_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo +lib_gen/Hacl_Streaming_HMAC_gen.cmx: lib/Hacl_Streaming_HMAC_bindings.cmx +lib_gen/Hacl_Streaming_HMAC_gen.exe: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_c_stubs.o lib/Hacl_Streaming_HMAC_bindings.cmx lib_gen/Hacl_Streaming_HMAC_gen.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx: lib/Hacl_IntTypes_Intrinsics_bindings.cmo: lib_gen/Hacl_IntTypes_Intrinsics_gen.cmx: lib/Hacl_IntTypes_Intrinsics_bindings.cmx @@ -295,14 +299,14 @@ lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Imp lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx -lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx -lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo -lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx -lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx lib/EverCrypt_Poly1305_bindings.cmx: lib/EverCrypt_Poly1305_bindings.cmo: lib_gen/EverCrypt_Poly1305_gen.cmx: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.exe: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.cmx +lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx +lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo +lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx diff --git a/ocaml/lib/EverCrypt_DRBG_bindings.ml b/ocaml/lib/EverCrypt_DRBG_bindings.ml index 72d0736b..9f4543d7 100644 --- a/ocaml/lib/EverCrypt_DRBG_bindings.ml +++ b/ocaml/lib/EverCrypt_DRBG_bindings.ml @@ -22,12 +22,17 @@ module Bindings(F:Cstubs.FOREIGN) = let everCrypt_DRBG_min_length = foreign "EverCrypt_DRBG_min_length" (spec_Hash_Definitions_hash_alg @-> (returning uint32_t)) - type state_s_tags = Unsigned.UInt8.t - let state_s_tags = typedef uint8_t "state_s_tags" - let state_s_tags_SHA1_s = Unsigned.UInt8.of_int 0 - let state_s_tags_SHA2_256_s = Unsigned.UInt8.of_int 1 - let state_s_tags_SHA2_384_s = Unsigned.UInt8.of_int 2 - let state_s_tags_SHA2_512_s = Unsigned.UInt8.of_int 3 + type everCrypt_DRBG_state_s_tags = Unsigned.UInt8.t + let everCrypt_DRBG_state_s_tags = + typedef uint8_t "EverCrypt_DRBG_state_s_tags" + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA1_s = + Unsigned.UInt8.of_int 0 + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA2_256_s = + Unsigned.UInt8.of_int 1 + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA2_384_s = + Unsigned.UInt8.of_int 2 + let everCrypt_DRBG_state_s_tags_EverCrypt_DRBG_SHA2_512_s = + Unsigned.UInt8.of_int 3 type everCrypt_DRBG_state_s = [ `everCrypt_DRBG_state_s ] structure let (everCrypt_DRBG_state_s : [ `everCrypt_DRBG_state_s ] structure typ) = structure "EverCrypt_DRBG_state_s_s" diff --git a/ocaml/lib/EverCrypt_HMAC_bindings.ml b/ocaml/lib/EverCrypt_HMAC_bindings.ml index b96d1d0c..8394a13d 100644 --- a/ocaml/lib/EverCrypt_HMAC_bindings.ml +++ b/ocaml/lib/EverCrypt_HMAC_bindings.ml @@ -11,9 +11,6 @@ module Bindings(F:Cstubs.FOREIGN) = type everCrypt_HMAC_supported_alg = spec_Hash_Definitions_hash_alg let everCrypt_HMAC_supported_alg = typedef spec_Hash_Definitions_hash_alg "EverCrypt_HMAC_supported_alg" - let everCrypt_HMAC_hash_256 = - foreign "EverCrypt_HMAC_hash_256" - (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))) let everCrypt_HMAC_compute_sha1 = foreign "EverCrypt_HMAC_compute_sha1" (ocaml_bytes @-> diff --git a/ocaml/lib/EverCrypt_Hash_bindings.ml b/ocaml/lib/EverCrypt_Hash_bindings.ml index a22cfdab..defc078a 100644 --- a/ocaml/lib/EverCrypt_Hash_bindings.ml +++ b/ocaml/lib/EverCrypt_Hash_bindings.ml @@ -8,22 +8,37 @@ module Bindings(F:Cstubs.FOREIGN) = module EverCrypt_Error_applied = (EverCrypt_Error_bindings.Bindings)(EverCrypt_Error_stubs) open EverCrypt_Error_applied - type state_s_tags = Unsigned.UInt8.t - let state_s_tags = typedef uint8_t "state_s_tags" - let state_s_tags_MD5_s = Unsigned.UInt8.of_int 0 - let state_s_tags_SHA1_s = Unsigned.UInt8.of_int 1 - let state_s_tags_SHA2_224_s = Unsigned.UInt8.of_int 2 - let state_s_tags_SHA2_256_s = Unsigned.UInt8.of_int 3 - let state_s_tags_SHA2_384_s = Unsigned.UInt8.of_int 4 - let state_s_tags_SHA2_512_s = Unsigned.UInt8.of_int 5 - let state_s_tags_SHA3_224_s = Unsigned.UInt8.of_int 6 - let state_s_tags_SHA3_256_s = Unsigned.UInt8.of_int 7 - let state_s_tags_SHA3_384_s = Unsigned.UInt8.of_int 8 - let state_s_tags_SHA3_512_s = Unsigned.UInt8.of_int 9 - let state_s_tags_Blake2S_s = Unsigned.UInt8.of_int 10 - let state_s_tags_Blake2S_128_s = Unsigned.UInt8.of_int 11 - let state_s_tags_Blake2B_s = Unsigned.UInt8.of_int 12 - let state_s_tags_Blake2B_256_s = Unsigned.UInt8.of_int 13 + type everCrypt_Hash_state_s_tags = Unsigned.UInt8.t + let everCrypt_Hash_state_s_tags = + typedef uint8_t "EverCrypt_Hash_state_s_tags" + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_MD5_s = + Unsigned.UInt8.of_int 0 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA1_s = + Unsigned.UInt8.of_int 1 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_224_s = + Unsigned.UInt8.of_int 2 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_256_s = + Unsigned.UInt8.of_int 3 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_384_s = + Unsigned.UInt8.of_int 4 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA2_512_s = + Unsigned.UInt8.of_int 5 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA3_224_s = + Unsigned.UInt8.of_int 6 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA3_256_s = + Unsigned.UInt8.of_int 7 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA3_384_s = + Unsigned.UInt8.of_int 8 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_SHA3_512_s = + Unsigned.UInt8.of_int 9 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_Blake2S_s = + Unsigned.UInt8.of_int 10 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_Blake2S_128_s = + Unsigned.UInt8.of_int 11 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_Blake2B_s = + Unsigned.UInt8.of_int 12 + let everCrypt_Hash_state_s_tags_EverCrypt_Hash_Blake2B_256_s = + Unsigned.UInt8.of_int 13 type everCrypt_Hash_state_s = [ `everCrypt_Hash_state_s ] structure let (everCrypt_Hash_state_s : [ `everCrypt_Hash_state_s ] structure typ) = structure "EverCrypt_Hash_state_s_s" @@ -38,14 +53,6 @@ module Bindings(F:Cstubs.FOREIGN) = let (everCrypt_Hash_Incremental_state_t : [ `everCrypt_Hash_Incremental_state_t ] structure typ) = structure "EverCrypt_Hash_Incremental_state_t_s" - let everCrypt_Hash_Incremental_state_t_block_state = - field everCrypt_Hash_Incremental_state_t "block_state" - (ptr everCrypt_Hash_state_s) - let everCrypt_Hash_Incremental_state_t_buf = - field everCrypt_Hash_Incremental_state_t "buf" (ptr uint8_t) - let everCrypt_Hash_Incremental_state_t_total_len = - field everCrypt_Hash_Incremental_state_t "total_len" uint64_t - let _ = seal everCrypt_Hash_Incremental_state_t let everCrypt_Hash_Incremental_malloc = foreign "EverCrypt_Hash_Incremental_malloc" (spec_Hash_Definitions_hash_alg @-> diff --git a/ocaml/lib/Hacl_HMAC_bindings.ml b/ocaml/lib/Hacl_HMAC_bindings.ml index 725d49b5..869e5c19 100644 --- a/ocaml/lib/Hacl_HMAC_bindings.ml +++ b/ocaml/lib/Hacl_HMAC_bindings.ml @@ -2,11 +2,21 @@ open Ctypes module Bindings(F:Cstubs.FOREIGN) = struct open F + let hacl_HMAC_compute_md5 = + foreign "Hacl_HMAC_compute_md5" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) let hacl_HMAC_compute_sha1 = foreign "Hacl_HMAC_compute_sha1" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha2_224 = + foreign "Hacl_HMAC_compute_sha2_224" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) let hacl_HMAC_compute_sha2_256 = foreign "Hacl_HMAC_compute_sha2_256" (ocaml_bytes @-> @@ -22,6 +32,26 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha3_224 = + foreign "Hacl_HMAC_compute_sha3_224" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha3_256 = + foreign "Hacl_HMAC_compute_sha3_256" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha3_384 = + foreign "Hacl_HMAC_compute_sha3_384" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) + let hacl_HMAC_compute_sha3_512 = + foreign "Hacl_HMAC_compute_sha3_512" + (ocaml_bytes @-> + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void)))))) let hacl_HMAC_compute_blake2s_32 = foreign "Hacl_HMAC_compute_blake2s_32" (ocaml_bytes @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml index 1c132a7a..b6ea990b 100644 --- a/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml @@ -8,6 +8,56 @@ module Bindings(F:Cstubs.FOREIGN) = module Hacl_Hash_Blake2b_applied = (Hacl_Hash_Blake2b_bindings.Bindings)(Hacl_Hash_Blake2b_stubs) open Hacl_Hash_Blake2b_applied + type hacl_Hash_Blake2b_Simd256_state_t = + [ `hacl_Hash_Blake2b_Simd256_state_t ] structure + let (hacl_Hash_Blake2b_Simd256_state_t : + [ `hacl_Hash_Blake2b_Simd256_state_t ] structure typ) = + structure "Hacl_Hash_Blake2b_Simd256_state_t_s" + let hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key = + foreign "Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key" + ((ptr hacl_Hash_Blake2b_blake2_params) @-> + (bool @-> + (ocaml_bytes @-> + (returning (ptr hacl_Hash_Blake2b_Simd256_state_t))))) + let hacl_Hash_Blake2b_Simd256_malloc_with_key0 = + foreign "Hacl_Hash_Blake2b_Simd256_malloc_with_key0" + (ocaml_bytes @-> + (uint8_t @-> (returning (ptr hacl_Hash_Blake2b_Simd256_state_t)))) + let hacl_Hash_Blake2b_Simd256_malloc = + foreign "Hacl_Hash_Blake2b_Simd256_malloc" + (void @-> (returning (ptr hacl_Hash_Blake2b_Simd256_state_t))) + let hacl_Hash_Blake2b_Simd256_reset_with_key_and_params = + foreign "Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> + ((ptr hacl_Hash_Blake2b_blake2_params) @-> + (ocaml_bytes @-> (returning void)))) + let hacl_Hash_Blake2b_Simd256_reset_with_key = + foreign "Hacl_Hash_Blake2b_Simd256_reset_with_key" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Hash_Blake2b_Simd256_reset = + foreign "Hacl_Hash_Blake2b_Simd256_reset" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> (returning void)) + let hacl_Hash_Blake2b_Simd256_update = + foreign "Hacl_Hash_Blake2b_Simd256_update" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> + (ocaml_bytes @-> + (uint32_t @-> (returning hacl_Streaming_Types_error_code)))) + let hacl_Hash_Blake2b_Simd256_digest = + foreign "Hacl_Hash_Blake2b_Simd256_digest" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> + (ocaml_bytes @-> (returning uint8_t))) + let hacl_Hash_Blake2b_Simd256_info = + foreign "Hacl_Hash_Blake2b_Simd256_info" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> + (returning hacl_Hash_Blake2b_index)) + let hacl_Hash_Blake2b_Simd256_free = + foreign "Hacl_Hash_Blake2b_Simd256_free" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> (returning void)) + let hacl_Hash_Blake2b_Simd256_copy = + foreign "Hacl_Hash_Blake2b_Simd256_copy" + ((ptr hacl_Hash_Blake2b_Simd256_state_t) @-> + (returning (ptr hacl_Hash_Blake2b_Simd256_state_t))) let hacl_Hash_Blake2b_Simd256_hash_with_key = foreign "Hacl_Hash_Blake2b_Simd256_hash_with_key" (ocaml_bytes @-> @@ -15,8 +65,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas" + let hacl_Hash_Blake2b_Simd256_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml index 7ba4fcf6..3831f129 100644 --- a/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml @@ -39,50 +39,45 @@ module Bindings(F:Cstubs.FOREIGN) = field hacl_Hash_Blake2b_index "key_length" uint8_t let hacl_Hash_Blake2b_index_digest_length = field hacl_Hash_Blake2b_index "digest_length" uint8_t + let hacl_Hash_Blake2b_index_last_node = + field hacl_Hash_Blake2b_index "last_node" bool let _ = seal hacl_Hash_Blake2b_index + type hacl_Hash_Blake2b_params_and_key = + [ `hacl_Hash_Blake2b_params_and_key ] structure + let (hacl_Hash_Blake2b_params_and_key : + [ `hacl_Hash_Blake2b_params_and_key ] structure typ) = + structure "Hacl_Hash_Blake2b_params_and_key_s" + let hacl_Hash_Blake2b_params_and_key_fst = + field hacl_Hash_Blake2b_params_and_key "fst" + (ptr hacl_Hash_Blake2b_blake2_params) + let hacl_Hash_Blake2b_params_and_key_snd = + field hacl_Hash_Blake2b_params_and_key "snd" (ptr uint8_t) + let _ = seal hacl_Hash_Blake2b_params_and_key let hacl_Hash_Blake2b_init = foreign "Hacl_Hash_Blake2b_init" ((ptr uint64_t) @-> (uint32_t @-> (uint32_t @-> (returning void)))) let hacl_Hash_Blake2b_finish = foreign "Hacl_Hash_Blake2b_finish" (uint32_t @-> (ocaml_bytes @-> ((ptr uint64_t) @-> (returning void)))) - type k____uint64_t___uint64_t_ = [ `k____uint64_t___uint64_t_ ] structure - let (k____uint64_t___uint64_t_ : - [ `k____uint64_t___uint64_t_ ] structure typ) = - structure "K____uint64_t___uint64_t__s" - let k____uint64_t___uint64_t__fst = - field k____uint64_t___uint64_t_ "fst" (ptr uint64_t) - let k____uint64_t___uint64_t__snd = - field k____uint64_t___uint64_t_ "snd" (ptr uint64_t) - let _ = seal k____uint64_t___uint64_t_ type hacl_Hash_Blake2b_block_state_t = - [ `hacl_Hash_Blake2b_block_state_t ] structure - let (hacl_Hash_Blake2b_block_state_t : - [ `hacl_Hash_Blake2b_block_state_t ] structure typ) = - structure "Hacl_Hash_Blake2b_block_state_t_s" - let hacl_Hash_Blake2b_block_state_t_fst = - field hacl_Hash_Blake2b_block_state_t "fst" uint8_t - let hacl_Hash_Blake2b_block_state_t_snd = - field hacl_Hash_Blake2b_block_state_t "snd" uint8_t - let hacl_Hash_Blake2b_block_state_t_thd = - field hacl_Hash_Blake2b_block_state_t "thd" k____uint64_t___uint64_t_ - let _ = seal hacl_Hash_Blake2b_block_state_t + hacl_Streaming_Blake2_Types_block_state_blake2b_32 + let hacl_Hash_Blake2b_block_state_t = + typedef hacl_Streaming_Blake2_Types_block_state_blake2b_32 + "Hacl_Hash_Blake2b_block_state_t" + type hacl_Hash_Blake2b_optional_block_state_t = + hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 + let hacl_Hash_Blake2b_optional_block_state_t = + typedef hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 + "Hacl_Hash_Blake2b_optional_block_state_t" type hacl_Hash_Blake2b_state_t = [ `hacl_Hash_Blake2b_state_t ] structure let (hacl_Hash_Blake2b_state_t : [ `hacl_Hash_Blake2b_state_t ] structure typ) = structure "Hacl_Hash_Blake2b_state_t_s" - let hacl_Hash_Blake2b_state_t_block_state = - field hacl_Hash_Blake2b_state_t "block_state" - hacl_Hash_Blake2b_block_state_t - let hacl_Hash_Blake2b_state_t_buf = - field hacl_Hash_Blake2b_state_t "buf" (ptr uint8_t) - let hacl_Hash_Blake2b_state_t_total_len = - field hacl_Hash_Blake2b_state_t "total_len" uint64_t - let _ = seal hacl_Hash_Blake2b_state_t let hacl_Hash_Blake2b_malloc_with_params_and_key = foreign "Hacl_Hash_Blake2b_malloc_with_params_and_key" ((ptr hacl_Hash_Blake2b_blake2_params) @-> - (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2b_state_t)))) + (bool @-> + (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2b_state_t))))) let hacl_Hash_Blake2b_malloc_with_key = foreign "Hacl_Hash_Blake2b_malloc_with_key" (ocaml_bytes @-> @@ -110,7 +105,11 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2b_digest = foreign "Hacl_Hash_Blake2b_digest" ((ptr hacl_Hash_Blake2b_state_t) @-> - (ocaml_bytes @-> (returning void))) + (ocaml_bytes @-> (returning uint8_t))) + let hacl_Hash_Blake2b_info = + foreign "Hacl_Hash_Blake2b_info" + ((ptr hacl_Hash_Blake2b_state_t) @-> + (returning hacl_Hash_Blake2b_index)) let hacl_Hash_Blake2b_free = foreign "Hacl_Hash_Blake2b_free" ((ptr hacl_Hash_Blake2b_state_t) @-> (returning void)) @@ -125,8 +124,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2b_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2b_hash_with_key_and_paramas" + let hacl_Hash_Blake2b_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2b_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml index 6533ddbc..7ca26d4d 100644 --- a/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml @@ -8,6 +8,56 @@ module Bindings(F:Cstubs.FOREIGN) = module Hacl_Hash_Blake2b_applied = (Hacl_Hash_Blake2b_bindings.Bindings)(Hacl_Hash_Blake2b_stubs) open Hacl_Hash_Blake2b_applied + type hacl_Hash_Blake2s_Simd128_state_t = + [ `hacl_Hash_Blake2s_Simd128_state_t ] structure + let (hacl_Hash_Blake2s_Simd128_state_t : + [ `hacl_Hash_Blake2s_Simd128_state_t ] structure typ) = + structure "Hacl_Hash_Blake2s_Simd128_state_t_s" + let hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key = + foreign "Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key" + ((ptr hacl_Hash_Blake2b_blake2_params) @-> + (bool @-> + (ocaml_bytes @-> + (returning (ptr hacl_Hash_Blake2s_Simd128_state_t))))) + let hacl_Hash_Blake2s_Simd128_malloc_with_key0 = + foreign "Hacl_Hash_Blake2s_Simd128_malloc_with_key0" + (ocaml_bytes @-> + (uint8_t @-> (returning (ptr hacl_Hash_Blake2s_Simd128_state_t)))) + let hacl_Hash_Blake2s_Simd128_malloc = + foreign "Hacl_Hash_Blake2s_Simd128_malloc" + (void @-> (returning (ptr hacl_Hash_Blake2s_Simd128_state_t))) + let hacl_Hash_Blake2s_Simd128_reset_with_key_and_params = + foreign "Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> + ((ptr hacl_Hash_Blake2b_blake2_params) @-> + (ocaml_bytes @-> (returning void)))) + let hacl_Hash_Blake2s_Simd128_reset_with_key = + foreign "Hacl_Hash_Blake2s_Simd128_reset_with_key" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> + (ocaml_bytes @-> (returning void))) + let hacl_Hash_Blake2s_Simd128_reset = + foreign "Hacl_Hash_Blake2s_Simd128_reset" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> (returning void)) + let hacl_Hash_Blake2s_Simd128_update = + foreign "Hacl_Hash_Blake2s_Simd128_update" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> + (ocaml_bytes @-> + (uint32_t @-> (returning hacl_Streaming_Types_error_code)))) + let hacl_Hash_Blake2s_Simd128_digest = + foreign "Hacl_Hash_Blake2s_Simd128_digest" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> + (ocaml_bytes @-> (returning uint8_t))) + let hacl_Hash_Blake2s_Simd128_info = + foreign "Hacl_Hash_Blake2s_Simd128_info" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> + (returning hacl_Hash_Blake2b_index)) + let hacl_Hash_Blake2s_Simd128_free = + foreign "Hacl_Hash_Blake2s_Simd128_free" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> (returning void)) + let hacl_Hash_Blake2s_Simd128_copy = + foreign "Hacl_Hash_Blake2s_Simd128_copy" + ((ptr hacl_Hash_Blake2s_Simd128_state_t) @-> + (returning (ptr hacl_Hash_Blake2s_Simd128_state_t))) let hacl_Hash_Blake2s_Simd128_hash_with_key = foreign "Hacl_Hash_Blake2s_Simd128_hash_with_key" (ocaml_bytes @-> @@ -15,8 +65,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas" + let hacl_Hash_Blake2s_Simd128_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml index f6c93e89..d8d34ec7 100644 --- a/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml @@ -23,48 +23,31 @@ module Bindings(F:Cstubs.FOREIGN) = (uint32_t @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> - (uint64_t @-> - (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + (bool @-> + (uint64_t @-> + (uint32_t @-> (ocaml_bytes @-> (returning void)))))))) let hacl_Hash_Blake2s_finish = foreign "Hacl_Hash_Blake2s_finish" (uint32_t @-> (ocaml_bytes @-> ((ptr uint32_t) @-> (returning void)))) - type k____uint32_t___uint32_t_ = [ `k____uint32_t___uint32_t_ ] structure - let (k____uint32_t___uint32_t_ : - [ `k____uint32_t___uint32_t_ ] structure typ) = - structure "K____uint32_t___uint32_t__s" - let k____uint32_t___uint32_t__fst = - field k____uint32_t___uint32_t_ "fst" (ptr uint32_t) - let k____uint32_t___uint32_t__snd = - field k____uint32_t___uint32_t_ "snd" (ptr uint32_t) - let _ = seal k____uint32_t___uint32_t_ type hacl_Hash_Blake2s_block_state_t = - [ `hacl_Hash_Blake2s_block_state_t ] structure - let (hacl_Hash_Blake2s_block_state_t : - [ `hacl_Hash_Blake2s_block_state_t ] structure typ) = - structure "Hacl_Hash_Blake2s_block_state_t_s" - let hacl_Hash_Blake2s_block_state_t_fst = - field hacl_Hash_Blake2s_block_state_t "fst" uint8_t - let hacl_Hash_Blake2s_block_state_t_snd = - field hacl_Hash_Blake2s_block_state_t "snd" uint8_t - let hacl_Hash_Blake2s_block_state_t_thd = - field hacl_Hash_Blake2s_block_state_t "thd" k____uint32_t___uint32_t_ - let _ = seal hacl_Hash_Blake2s_block_state_t + hacl_Streaming_Blake2_Types_block_state_blake2s_32 + let hacl_Hash_Blake2s_block_state_t = + typedef hacl_Streaming_Blake2_Types_block_state_blake2s_32 + "Hacl_Hash_Blake2s_block_state_t" + type hacl_Hash_Blake2s_optional_block_state_t = + hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 + let hacl_Hash_Blake2s_optional_block_state_t = + typedef hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 + "Hacl_Hash_Blake2s_optional_block_state_t" type hacl_Hash_Blake2s_state_t = [ `hacl_Hash_Blake2s_state_t ] structure let (hacl_Hash_Blake2s_state_t : [ `hacl_Hash_Blake2s_state_t ] structure typ) = structure "Hacl_Hash_Blake2s_state_t_s" - let hacl_Hash_Blake2s_state_t_block_state = - field hacl_Hash_Blake2s_state_t "block_state" - hacl_Hash_Blake2s_block_state_t - let hacl_Hash_Blake2s_state_t_buf = - field hacl_Hash_Blake2s_state_t "buf" (ptr uint8_t) - let hacl_Hash_Blake2s_state_t_total_len = - field hacl_Hash_Blake2s_state_t "total_len" uint64_t - let _ = seal hacl_Hash_Blake2s_state_t let hacl_Hash_Blake2s_malloc_with_params_and_key = foreign "Hacl_Hash_Blake2s_malloc_with_params_and_key" ((ptr hacl_Hash_Blake2b_blake2_params) @-> - (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2s_state_t)))) + (bool @-> + (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2s_state_t))))) let hacl_Hash_Blake2s_malloc_with_key = foreign "Hacl_Hash_Blake2s_malloc_with_key" (ocaml_bytes @-> @@ -92,7 +75,11 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2s_digest = foreign "Hacl_Hash_Blake2s_digest" ((ptr hacl_Hash_Blake2s_state_t) @-> - (ocaml_bytes @-> (returning void))) + (ocaml_bytes @-> (returning uint8_t))) + let hacl_Hash_Blake2s_info = + foreign "Hacl_Hash_Blake2s_info" + ((ptr hacl_Hash_Blake2s_state_t) @-> + (returning hacl_Hash_Blake2b_index)) let hacl_Hash_Blake2s_free = foreign "Hacl_Hash_Blake2s_free" ((ptr hacl_Hash_Blake2s_state_t) @-> (returning void)) @@ -107,8 +94,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2s_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2s_hash_with_key_and_paramas" + let hacl_Hash_Blake2s_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2s_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_SHA2_bindings.ml b/ocaml/lib/Hacl_Hash_SHA2_bindings.ml index f0573724..7475a850 100644 --- a/ocaml/lib/Hacl_Hash_SHA2_bindings.ml +++ b/ocaml/lib/Hacl_Hash_SHA2_bindings.ml @@ -22,6 +22,9 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_SHA2_sha224_init = foreign "Hacl_Hash_SHA2_sha224_init" ((ptr uint32_t) @-> (returning void)) + let hacl_Hash_SHA2_sha224_update_nblocks = + foreign "Hacl_Hash_SHA2_sha224_update_nblocks" + (uint32_t @-> (ocaml_bytes @-> ((ptr uint32_t) @-> (returning void)))) let hacl_Hash_SHA2_sha224_update_last = foreign "Hacl_Hash_SHA2_sha224_update_last" (uint64_t @-> diff --git a/ocaml/lib/Hacl_Hash_SHA3_bindings.ml b/ocaml/lib/Hacl_Hash_SHA3_bindings.ml index dd900903..9f5ebd60 100644 --- a/ocaml/lib/Hacl_Hash_SHA3_bindings.ml +++ b/ocaml/lib/Hacl_Hash_SHA3_bindings.ml @@ -5,6 +5,10 @@ module Bindings(F:Cstubs.FOREIGN) = module Hacl_Streaming_Types_applied = (Hacl_Streaming_Types_bindings.Bindings)(Hacl_Streaming_Types_stubs) open Hacl_Streaming_Types_applied + let hacl_Hash_SHA3_init_ = + foreign "Hacl_Hash_SHA3_init_" + (spec_Hash_Definitions_hash_alg @-> + ((ptr uint64_t) @-> (returning void))) let hacl_Hash_SHA3_update_multi_sha3 = foreign "Hacl_Hash_SHA3_update_multi_sha3" (spec_Hash_Definitions_hash_alg @-> @@ -27,13 +31,6 @@ module Bindings(F:Cstubs.FOREIGN) = type hacl_Hash_SHA3_state_t = [ `hacl_Hash_SHA3_state_t ] structure let (hacl_Hash_SHA3_state_t : [ `hacl_Hash_SHA3_state_t ] structure typ) = structure "Hacl_Hash_SHA3_state_t_s" - let hacl_Hash_SHA3_state_t_block_state = - field hacl_Hash_SHA3_state_t "block_state" hacl_Hash_SHA3_hash_buf - let hacl_Hash_SHA3_state_t_buf = - field hacl_Hash_SHA3_state_t "buf" (ptr uint8_t) - let hacl_Hash_SHA3_state_t_total_len = - field hacl_Hash_SHA3_state_t "total_len" uint64_t - let _ = seal hacl_Hash_SHA3_state_t let hacl_Hash_SHA3_get_alg = foreign "Hacl_Hash_SHA3_get_alg" ((ptr hacl_Hash_SHA3_state_t) @-> diff --git a/ocaml/lib/Hacl_MAC_Poly1305_Simd128_bindings.ml b/ocaml/lib/Hacl_MAC_Poly1305_Simd128_bindings.ml index df327a3d..da0fc8ce 100644 --- a/ocaml/lib/Hacl_MAC_Poly1305_Simd128_bindings.ml +++ b/ocaml/lib/Hacl_MAC_Poly1305_Simd128_bindings.ml @@ -2,6 +2,33 @@ open Ctypes module Bindings(F:Cstubs.FOREIGN) = struct open F + module Hacl_Streaming_Types_applied = + (Hacl_Streaming_Types_bindings.Bindings)(Hacl_Streaming_Types_stubs) + open Hacl_Streaming_Types_applied + type hacl_MAC_Poly1305_Simd128_state_t = + [ `hacl_MAC_Poly1305_Simd128_state_t ] structure + let (hacl_MAC_Poly1305_Simd128_state_t : + [ `hacl_MAC_Poly1305_Simd128_state_t ] structure typ) = + structure "Hacl_MAC_Poly1305_Simd128_state_t_s" + let hacl_MAC_Poly1305_Simd128_malloc = + foreign "Hacl_MAC_Poly1305_Simd128_malloc" + (ocaml_bytes @-> (returning (ptr hacl_MAC_Poly1305_Simd128_state_t))) + let hacl_MAC_Poly1305_Simd128_reset = + foreign "Hacl_MAC_Poly1305_Simd128_reset" + ((ptr hacl_MAC_Poly1305_Simd128_state_t) @-> + (ocaml_bytes @-> (returning void))) + let hacl_MAC_Poly1305_Simd128_update = + foreign "Hacl_MAC_Poly1305_Simd128_update" + ((ptr hacl_MAC_Poly1305_Simd128_state_t) @-> + (ocaml_bytes @-> + (uint32_t @-> (returning hacl_Streaming_Types_error_code)))) + let hacl_MAC_Poly1305_Simd128_digest = + foreign "Hacl_MAC_Poly1305_Simd128_digest" + ((ptr hacl_MAC_Poly1305_Simd128_state_t) @-> + (ocaml_bytes @-> (returning void))) + let hacl_MAC_Poly1305_Simd128_free = + foreign "Hacl_MAC_Poly1305_Simd128_free" + ((ptr hacl_MAC_Poly1305_Simd128_state_t) @-> (returning void)) let hacl_MAC_Poly1305_Simd128_mac = foreign "Hacl_MAC_Poly1305_Simd128_mac" (ocaml_bytes @-> diff --git a/ocaml/lib/Hacl_MAC_Poly1305_Simd256_bindings.ml b/ocaml/lib/Hacl_MAC_Poly1305_Simd256_bindings.ml index 3f1cd147..29347484 100644 --- a/ocaml/lib/Hacl_MAC_Poly1305_Simd256_bindings.ml +++ b/ocaml/lib/Hacl_MAC_Poly1305_Simd256_bindings.ml @@ -2,6 +2,33 @@ open Ctypes module Bindings(F:Cstubs.FOREIGN) = struct open F + module Hacl_Streaming_Types_applied = + (Hacl_Streaming_Types_bindings.Bindings)(Hacl_Streaming_Types_stubs) + open Hacl_Streaming_Types_applied + type hacl_MAC_Poly1305_Simd256_state_t = + [ `hacl_MAC_Poly1305_Simd256_state_t ] structure + let (hacl_MAC_Poly1305_Simd256_state_t : + [ `hacl_MAC_Poly1305_Simd256_state_t ] structure typ) = + structure "Hacl_MAC_Poly1305_Simd256_state_t_s" + let hacl_MAC_Poly1305_Simd256_malloc = + foreign "Hacl_MAC_Poly1305_Simd256_malloc" + (ocaml_bytes @-> (returning (ptr hacl_MAC_Poly1305_Simd256_state_t))) + let hacl_MAC_Poly1305_Simd256_reset = + foreign "Hacl_MAC_Poly1305_Simd256_reset" + ((ptr hacl_MAC_Poly1305_Simd256_state_t) @-> + (ocaml_bytes @-> (returning void))) + let hacl_MAC_Poly1305_Simd256_update = + foreign "Hacl_MAC_Poly1305_Simd256_update" + ((ptr hacl_MAC_Poly1305_Simd256_state_t) @-> + (ocaml_bytes @-> + (uint32_t @-> (returning hacl_Streaming_Types_error_code)))) + let hacl_MAC_Poly1305_Simd256_digest = + foreign "Hacl_MAC_Poly1305_Simd256_digest" + ((ptr hacl_MAC_Poly1305_Simd256_state_t) @-> + (ocaml_bytes @-> (returning void))) + let hacl_MAC_Poly1305_Simd256_free = + foreign "Hacl_MAC_Poly1305_Simd256_free" + ((ptr hacl_MAC_Poly1305_Simd256_state_t) @-> (returning void)) let hacl_MAC_Poly1305_Simd256_mac = foreign "Hacl_MAC_Poly1305_Simd256_mac" (ocaml_bytes @-> diff --git a/ocaml/lib/Hacl_MAC_Poly1305_bindings.ml b/ocaml/lib/Hacl_MAC_Poly1305_bindings.ml index 57414abf..74d365c7 100644 --- a/ocaml/lib/Hacl_MAC_Poly1305_bindings.ml +++ b/ocaml/lib/Hacl_MAC_Poly1305_bindings.ml @@ -16,15 +16,6 @@ module Bindings(F:Cstubs.FOREIGN) = let (hacl_MAC_Poly1305_state_t : [ `hacl_MAC_Poly1305_state_t ] structure typ) = structure "Hacl_MAC_Poly1305_state_t_s" - let hacl_MAC_Poly1305_state_t_block_state = - field hacl_MAC_Poly1305_state_t "block_state" (ptr uint64_t) - let hacl_MAC_Poly1305_state_t_buf = - field hacl_MAC_Poly1305_state_t "buf" (ptr uint8_t) - let hacl_MAC_Poly1305_state_t_total_len = - field hacl_MAC_Poly1305_state_t "total_len" uint64_t - let hacl_MAC_Poly1305_state_t_p_key = - field hacl_MAC_Poly1305_state_t "p_key" (ptr uint8_t) - let _ = seal hacl_MAC_Poly1305_state_t let hacl_MAC_Poly1305_malloc = foreign "Hacl_MAC_Poly1305_malloc" (ocaml_bytes @-> (returning (ptr hacl_MAC_Poly1305_state_t))) diff --git a/ocaml/lib/Hacl_Streaming_HMAC_bindings.ml b/ocaml/lib/Hacl_Streaming_HMAC_bindings.ml new file mode 100644 index 00000000..25f4ca8b --- /dev/null +++ b/ocaml/lib/Hacl_Streaming_HMAC_bindings.ml @@ -0,0 +1,146 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + module Hacl_Streaming_Types_applied = + (Hacl_Streaming_Types_bindings.Bindings)(Hacl_Streaming_Types_stubs) + open Hacl_Streaming_Types_applied + type hacl_Agile_Hash_impl = Unsigned.UInt8.t + let hacl_Agile_Hash_impl = typedef uint8_t "Hacl_Agile_Hash_impl" + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_MD5 = Unsigned.UInt8.of_int 0 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA1 = Unsigned.UInt8.of_int 1 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA2_224 = + Unsigned.UInt8.of_int 2 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA2_256 = + Unsigned.UInt8.of_int 3 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA2_384 = + Unsigned.UInt8.of_int 4 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA2_512 = + Unsigned.UInt8.of_int 5 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA3_224 = + Unsigned.UInt8.of_int 6 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA3_256 = + Unsigned.UInt8.of_int 7 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA3_384 = + Unsigned.UInt8.of_int 8 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_SHA3_512 = + Unsigned.UInt8.of_int 9 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_Blake2S_32 = + Unsigned.UInt8.of_int 10 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_Blake2S_128 = + Unsigned.UInt8.of_int 11 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_Blake2B_32 = + Unsigned.UInt8.of_int 12 + let hacl_Agile_Hash_impl_Hacl_Agile_Hash_Blake2B_256 = + Unsigned.UInt8.of_int 13 + type hacl_Agile_Hash_state_s_tags = Unsigned.UInt8.t + let hacl_Agile_Hash_state_s_tags = + typedef uint8_t "Hacl_Agile_Hash_state_s_tags" + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_MD5_s = + Unsigned.UInt8.of_int 0 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA1_s = + Unsigned.UInt8.of_int 1 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA2_224_s = + Unsigned.UInt8.of_int 2 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA2_256_s = + Unsigned.UInt8.of_int 3 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA2_384_s = + Unsigned.UInt8.of_int 4 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA2_512_s = + Unsigned.UInt8.of_int 5 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA3_224_s = + Unsigned.UInt8.of_int 6 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA3_256_s = + Unsigned.UInt8.of_int 7 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA3_384_s = + Unsigned.UInt8.of_int 8 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_SHA3_512_s = + Unsigned.UInt8.of_int 9 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_Blake2S_s = + Unsigned.UInt8.of_int 10 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_Blake2S_128_s = + Unsigned.UInt8.of_int 11 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_Blake2B_s = + Unsigned.UInt8.of_int 12 + let hacl_Agile_Hash_state_s_tags_Hacl_Agile_Hash_Blake2B_256_s = + Unsigned.UInt8.of_int 13 + type hacl_Agile_Hash_state_s = [ `hacl_Agile_Hash_state_s ] structure + let (hacl_Agile_Hash_state_s : + [ `hacl_Agile_Hash_state_s ] structure typ) = + structure "Hacl_Agile_Hash_state_s_s" + type hacl_Streaming_HMAC_Definitions_index = + [ `hacl_Streaming_HMAC_Definitions_index ] structure + let (hacl_Streaming_HMAC_Definitions_index : + [ `hacl_Streaming_HMAC_Definitions_index ] structure typ) = + structure "Hacl_Streaming_HMAC_Definitions_index_s" + let hacl_Streaming_HMAC_Definitions_index_fst = + field hacl_Streaming_HMAC_Definitions_index "fst" hacl_Agile_Hash_impl + let hacl_Streaming_HMAC_Definitions_index_snd = + field hacl_Streaming_HMAC_Definitions_index "snd" uint32_t + let _ = seal hacl_Streaming_HMAC_Definitions_index + type hacl_Streaming_HMAC_Definitions_two_state = + [ `hacl_Streaming_HMAC_Definitions_two_state ] structure + let (hacl_Streaming_HMAC_Definitions_two_state : + [ `hacl_Streaming_HMAC_Definitions_two_state ] structure typ) = + structure "Hacl_Streaming_HMAC_Definitions_two_state_s" + let hacl_Streaming_HMAC_Definitions_two_state_fst = + field hacl_Streaming_HMAC_Definitions_two_state "fst" uint32_t + let hacl_Streaming_HMAC_Definitions_two_state_snd = + field hacl_Streaming_HMAC_Definitions_two_state "snd" + (ptr hacl_Agile_Hash_state_s) + let hacl_Streaming_HMAC_Definitions_two_state_thd = + field hacl_Streaming_HMAC_Definitions_two_state "thd" + (ptr hacl_Agile_Hash_state_s) + let _ = seal hacl_Streaming_HMAC_Definitions_two_state + let hacl_Streaming_HMAC_s1 = + foreign "Hacl_Streaming_HMAC_s1" + (hacl_Streaming_HMAC_Definitions_index @-> + (hacl_Streaming_HMAC_Definitions_two_state @-> + (returning (ptr hacl_Agile_Hash_state_s)))) + let hacl_Streaming_HMAC_s2 = + foreign "Hacl_Streaming_HMAC_s2" + (hacl_Streaming_HMAC_Definitions_index @-> + (hacl_Streaming_HMAC_Definitions_two_state @-> + (returning (ptr hacl_Agile_Hash_state_s)))) + let hacl_Streaming_HMAC_index_of_state = + foreign "Hacl_Streaming_HMAC_index_of_state" + (hacl_Streaming_HMAC_Definitions_two_state @-> + (returning hacl_Streaming_HMAC_Definitions_index)) + type hacl_Streaming_HMAC_agile_state = + [ `hacl_Streaming_HMAC_agile_state ] structure + let (hacl_Streaming_HMAC_agile_state : + [ `hacl_Streaming_HMAC_agile_state ] structure typ) = + structure "Hacl_Streaming_HMAC_agile_state_s" + let hacl_Streaming_HMAC_malloc_ = + foreign "Hacl_Streaming_HMAC_malloc_" + (hacl_Agile_Hash_impl @-> + (ocaml_bytes @-> + (uint32_t @-> + ((ptr (ptr hacl_Streaming_HMAC_agile_state)) @-> + (returning hacl_Streaming_Types_error_code))))) + let hacl_Streaming_HMAC_get_impl = + foreign "Hacl_Streaming_HMAC_get_impl" + ((ptr hacl_Streaming_HMAC_agile_state) @-> + (returning hacl_Streaming_HMAC_Definitions_index)) + let hacl_Streaming_HMAC_reset = + foreign "Hacl_Streaming_HMAC_reset" + ((ptr hacl_Streaming_HMAC_agile_state) @-> + (ocaml_bytes @-> + (uint32_t @-> (returning hacl_Streaming_Types_error_code)))) + let hacl_Streaming_HMAC_update = + foreign "Hacl_Streaming_HMAC_update" + ((ptr hacl_Streaming_HMAC_agile_state) @-> + (ocaml_bytes @-> + (uint32_t @-> (returning hacl_Streaming_Types_error_code)))) + let hacl_Streaming_HMAC_digest = + foreign "Hacl_Streaming_HMAC_digest" + ((ptr hacl_Streaming_HMAC_agile_state) @-> + (ocaml_bytes @-> (uint32_t @-> (returning void)))) + let hacl_Streaming_HMAC_free = + foreign "Hacl_Streaming_HMAC_free" + ((ptr hacl_Streaming_HMAC_agile_state) @-> (returning void)) + let hacl_Streaming_HMAC_copy = + foreign "Hacl_Streaming_HMAC_copy" + ((ptr hacl_Streaming_HMAC_agile_state) @-> + (returning (ptr hacl_Streaming_HMAC_agile_state))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Streaming_Types_bindings.ml b/ocaml/lib/Hacl_Streaming_Types_bindings.ml index c5ed0e7c..83a36c6a 100644 --- a/ocaml/lib/Hacl_Streaming_Types_bindings.ml +++ b/ocaml/lib/Hacl_Streaming_Types_bindings.ml @@ -2,6 +2,105 @@ open Ctypes module Bindings(F:Cstubs.FOREIGN) = struct open F + type hacl_Streaming_MD_state_32 = + [ `hacl_Streaming_MD_state_32 ] structure + let (hacl_Streaming_MD_state_32 : + [ `hacl_Streaming_MD_state_32 ] structure typ) = + structure "Hacl_Streaming_MD_state_32_s" + type hacl_Streaming_MD_state_64 = + [ `hacl_Streaming_MD_state_64 ] structure + let (hacl_Streaming_MD_state_64 : + [ `hacl_Streaming_MD_state_64 ] structure typ) = + structure "Hacl_Streaming_MD_state_64_s" + type k____uint64_t___uint64_t_ = [ `k____uint64_t___uint64_t_ ] structure + let (k____uint64_t___uint64_t_ : + [ `k____uint64_t___uint64_t_ ] structure typ) = + structure "K____uint64_t___uint64_t__s" + let k____uint64_t___uint64_t__fst = + field k____uint64_t___uint64_t_ "fst" (ptr uint64_t) + let k____uint64_t___uint64_t__snd = + field k____uint64_t___uint64_t_ "snd" (ptr uint64_t) + let _ = seal k____uint64_t___uint64_t_ + type hacl_Streaming_Blake2_Types_block_state_blake2b_32 = + [ `hacl_Streaming_Blake2_Types_block_state_blake2b_32 ] structure + let (hacl_Streaming_Blake2_Types_block_state_blake2b_32 : + [ `hacl_Streaming_Blake2_Types_block_state_blake2b_32 ] structure typ) + = structure "Hacl_Streaming_Blake2_Types_block_state_blake2b_32_s" + let hacl_Streaming_Blake2_Types_block_state_blake2b_32_fst = + field hacl_Streaming_Blake2_Types_block_state_blake2b_32 "fst" uint8_t + let hacl_Streaming_Blake2_Types_block_state_blake2b_32_snd = + field hacl_Streaming_Blake2_Types_block_state_blake2b_32 "snd" uint8_t + let hacl_Streaming_Blake2_Types_block_state_blake2b_32_thd = + field hacl_Streaming_Blake2_Types_block_state_blake2b_32 "thd" bool + let hacl_Streaming_Blake2_Types_block_state_blake2b_32_f3 = + field hacl_Streaming_Blake2_Types_block_state_blake2b_32 "f3" + k____uint64_t___uint64_t_ + let _ = seal hacl_Streaming_Blake2_Types_block_state_blake2b_32 + type hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags = + Unsigned.UInt8.t + let hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags = + typedef uint8_t + "Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags" + let hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags_Hacl_Streaming_Blake2_Types_None + = Unsigned.UInt8.of_int 0 + let hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags_Hacl_Streaming_Blake2_Types_Some + = Unsigned.UInt8.of_int 1 + type hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 = + [ `hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 ] + structure + let (hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 : + [ `hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 ] + structure typ) + = + structure + "Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_s" + let hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tag = + field hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 "tag" + hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags + let hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_v = + field hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 "v" + hacl_Streaming_Blake2_Types_block_state_blake2b_32 + let _ = seal hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 + type k____uint32_t___uint32_t_ = [ `k____uint32_t___uint32_t_ ] structure + let (k____uint32_t___uint32_t_ : + [ `k____uint32_t___uint32_t_ ] structure typ) = + structure "K____uint32_t___uint32_t__s" + let k____uint32_t___uint32_t__fst = + field k____uint32_t___uint32_t_ "fst" (ptr uint32_t) + let k____uint32_t___uint32_t__snd = + field k____uint32_t___uint32_t_ "snd" (ptr uint32_t) + let _ = seal k____uint32_t___uint32_t_ + type hacl_Streaming_Blake2_Types_block_state_blake2s_32 = + [ `hacl_Streaming_Blake2_Types_block_state_blake2s_32 ] structure + let (hacl_Streaming_Blake2_Types_block_state_blake2s_32 : + [ `hacl_Streaming_Blake2_Types_block_state_blake2s_32 ] structure typ) + = structure "Hacl_Streaming_Blake2_Types_block_state_blake2s_32_s" + let hacl_Streaming_Blake2_Types_block_state_blake2s_32_fst = + field hacl_Streaming_Blake2_Types_block_state_blake2s_32 "fst" uint8_t + let hacl_Streaming_Blake2_Types_block_state_blake2s_32_snd = + field hacl_Streaming_Blake2_Types_block_state_blake2s_32 "snd" uint8_t + let hacl_Streaming_Blake2_Types_block_state_blake2s_32_thd = + field hacl_Streaming_Blake2_Types_block_state_blake2s_32 "thd" bool + let hacl_Streaming_Blake2_Types_block_state_blake2s_32_f3 = + field hacl_Streaming_Blake2_Types_block_state_blake2s_32 "f3" + k____uint32_t___uint32_t_ + let _ = seal hacl_Streaming_Blake2_Types_block_state_blake2s_32 + type hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 = + [ `hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 ] + structure + let (hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 : + [ `hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 ] + structure typ) + = + structure + "Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32_s" + let hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32_tag = + field hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 "tag" + hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags + let hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32_v = + field hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 "v" + hacl_Streaming_Blake2_Types_block_state_blake2s_32 + let _ = seal hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 type hacl_Streaming_Types_error_code = Unsigned.UInt8.t let hacl_Streaming_Types_error_code = typedef uint8_t "Hacl_Streaming_Types_error_code" @@ -13,30 +112,45 @@ module Bindings(F:Cstubs.FOREIGN) = Unsigned.UInt8.of_int 2 let hacl_Streaming_Types_error_code_Hacl_Streaming_Types_MaximumLengthExceeded = Unsigned.UInt8.of_int 3 - type hacl_Streaming_MD_state_32 = - [ `hacl_Streaming_MD_state_32 ] structure - let (hacl_Streaming_MD_state_32 : - [ `hacl_Streaming_MD_state_32 ] structure typ) = - structure "Hacl_Streaming_MD_state_32_s" - let hacl_Streaming_MD_state_32_block_state = - field hacl_Streaming_MD_state_32 "block_state" (ptr uint32_t) - let hacl_Streaming_MD_state_32_buf = - field hacl_Streaming_MD_state_32 "buf" (ptr uint8_t) - let hacl_Streaming_MD_state_32_total_len = - field hacl_Streaming_MD_state_32 "total_len" uint64_t - let _ = seal hacl_Streaming_MD_state_32 - type hacl_Streaming_MD_state_64 = - [ `hacl_Streaming_MD_state_64 ] structure - let (hacl_Streaming_MD_state_64 : - [ `hacl_Streaming_MD_state_64 ] structure typ) = - structure "Hacl_Streaming_MD_state_64_s" - let hacl_Streaming_MD_state_64_block_state = - field hacl_Streaming_MD_state_64 "block_state" (ptr uint64_t) - let hacl_Streaming_MD_state_64_buf = - field hacl_Streaming_MD_state_64 "buf" (ptr uint8_t) - let hacl_Streaming_MD_state_64_total_len = - field hacl_Streaming_MD_state_64 "total_len" uint64_t - let _ = seal hacl_Streaming_MD_state_64 + let hacl_Streaming_Types_error_code_Hacl_Streaming_Types_OutOfMemory = + Unsigned.UInt8.of_int 4 + type hacl_Streaming_Types_optional_32_tags = Unsigned.UInt8.t + let hacl_Streaming_Types_optional_32_tags = + typedef uint8_t "Hacl_Streaming_Types_optional_32_tags" + let hacl_Streaming_Types_optional_32_tags_Hacl_Streaming_Types_None = + Unsigned.UInt8.of_int 0 + let hacl_Streaming_Types_optional_32_tags_Hacl_Streaming_Types_Some = + Unsigned.UInt8.of_int 1 + type hacl_Streaming_Types_optional_32 = + [ `hacl_Streaming_Types_optional_32 ] structure + let (hacl_Streaming_Types_optional_32 : + [ `hacl_Streaming_Types_optional_32 ] structure typ) = + structure "Hacl_Streaming_Types_optional_32_s" + let hacl_Streaming_Types_optional_32_tag = + field hacl_Streaming_Types_optional_32 "tag" + hacl_Streaming_Types_optional_32_tags + let hacl_Streaming_Types_optional_32_v = + field hacl_Streaming_Types_optional_32 "v" (ptr uint32_t) + let _ = seal hacl_Streaming_Types_optional_32 + type hacl_Streaming_Types_optional_64 = + [ `hacl_Streaming_Types_optional_64 ] structure + let (hacl_Streaming_Types_optional_64 : + [ `hacl_Streaming_Types_optional_64 ] structure typ) = + structure "Hacl_Streaming_Types_optional_64_s" + let hacl_Streaming_Types_optional_64_tag = + field hacl_Streaming_Types_optional_64 "tag" + hacl_Streaming_Types_optional_32_tags + let hacl_Streaming_Types_optional_64_v = + field hacl_Streaming_Types_optional_64 "v" (ptr uint64_t) + let _ = seal hacl_Streaming_Types_optional_64 + type hacl_Streaming_Types_optional_unit = + hacl_Streaming_Types_optional_32_tags + let hacl_Streaming_Types_optional_unit = + typedef hacl_Streaming_Types_optional_32_tags + "Hacl_Streaming_Types_optional_unit" + type hacl_Streaming_Types_two_pointers = k____uint64_t___uint64_t_ + let hacl_Streaming_Types_two_pointers = + typedef k____uint64_t___uint64_t_ "Hacl_Streaming_Types_two_pointers" type spec_Hash_Definitions_hash_alg = Unsigned.UInt8.t let spec_Hash_Definitions_hash_alg = typedef uint8_t "Spec_Hash_Definitions_hash_alg" diff --git a/ocaml/lib_gen/EverCrypt_AEAD_gen.ml b/ocaml/lib_gen/EverCrypt_AEAD_gen.ml index 714911c1..b6e302ae 100644 --- a/ocaml/lib_gen/EverCrypt_AEAD_gen.ml +++ b/ocaml/lib_gen/EverCrypt_AEAD_gen.ml @@ -5,6 +5,7 @@ let _ = (module EverCrypt_AEAD_bindings.Bindings)); Format.set_formatter_out_channel (open_out_bin "lib/EverCrypt_AEAD_c_stubs.c")); - Format.printf "#include \"EverCrypt_AEAD.h\"\n"); + Format.printf + "#include \"EverCrypt_AEAD.h\"\n#include \"internal/EverCrypt_AEAD.h\"\n"); Cstubs.write_c Format.std_formatter ~prefix:"" (module EverCrypt_AEAD_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/EverCrypt_DRBG_gen.ml b/ocaml/lib_gen/EverCrypt_DRBG_gen.ml index 8c38844e..bc0d3287 100644 --- a/ocaml/lib_gen/EverCrypt_DRBG_gen.ml +++ b/ocaml/lib_gen/EverCrypt_DRBG_gen.ml @@ -5,6 +5,7 @@ let _ = (module EverCrypt_DRBG_bindings.Bindings)); Format.set_formatter_out_channel (open_out_bin "lib/EverCrypt_DRBG_c_stubs.c")); - Format.printf "#include \"EverCrypt_DRBG.h\"\n"); + Format.printf + "#include \"EverCrypt_DRBG.h\"\n#include \"internal/EverCrypt_DRBG.h\"\n"); Cstubs.write_c Format.std_formatter ~prefix:"" (module EverCrypt_DRBG_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Streaming_HMAC_gen.ml b/ocaml/lib_gen/Hacl_Streaming_HMAC_gen.ml new file mode 100644 index 00000000..bd027594 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Streaming_HMAC_gen.ml @@ -0,0 +1,11 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_HMAC_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Streaming_HMAC_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Streaming_HMAC_c_stubs.c")); + Format.printf + "#include \"Hacl_Streaming_HMAC.h\"\n#include \"internal/Hacl_Streaming_HMAC.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Streaming_HMAC_bindings.Bindings) \ No newline at end of file diff --git a/ocaml/lib_gen/Hacl_Streaming_Types_gen.ml b/ocaml/lib_gen/Hacl_Streaming_Types_gen.ml index 2708c955..0b9aac32 100644 --- a/ocaml/lib_gen/Hacl_Streaming_Types_gen.ml +++ b/ocaml/lib_gen/Hacl_Streaming_Types_gen.ml @@ -5,6 +5,7 @@ let _ = (module Hacl_Streaming_Types_bindings.Bindings)); Format.set_formatter_out_channel (open_out_bin "lib/Hacl_Streaming_Types_c_stubs.c")); - Format.printf "#include \"Hacl_Streaming_Types.h\"\n"); + Format.printf + "#include \"Hacl_Streaming_Types.h\"\n#include \"internal/Hacl_Streaming_Types.h\"\n"); Cstubs.write_c Format.std_formatter ~prefix:"" (module Hacl_Streaming_Types_bindings.Bindings) \ No newline at end of file diff --git a/src/EverCrypt_AEAD.c b/src/EverCrypt_AEAD.c index b0fb4826..cdb3f404 100644 --- a/src/EverCrypt_AEAD.c +++ b/src/EverCrypt_AEAD.c @@ -23,23 +23,15 @@ */ -#include "EverCrypt_AEAD.h" +#include "internal/EverCrypt_AEAD.h" +#include "Hacl_Spec.h" +#include "EverCrypt_Error.h" +#include "EverCrypt_Chacha20Poly1305.h" +#include "EverCrypt_AutoConfig2.h" #include "internal/Vale.h" -#include "internal/Hacl_Spec.h" #include "config.h" -/** -Both encryption and decryption require a state that holds the key. -The state may be reused as many times as desired. -*/ -typedef struct EverCrypt_AEAD_state_s_s -{ - Spec_Cipher_Expansion_impl impl; - uint8_t *ek; -} -EverCrypt_AEAD_state_s; - /** Both encryption and decryption require a state that holds the key. The state may be reused as many times as desired. @@ -89,7 +81,10 @@ create_in_chacha20_poly1305(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); - p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }); + if (p != NULL) + { + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }); + } memcpy(ek, k, 32U * sizeof (uint8_t)); dst[0U] = p; return EverCrypt_Error_Success; @@ -115,7 +110,10 @@ create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) aes128_keyhash_init(keys_b, hkeys_b); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); - p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); + if (p != NULL) + { + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); + } *dst = p; return EverCrypt_Error_Success; } @@ -145,7 +143,10 @@ create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) aes256_keyhash_init(keys_b, hkeys_b); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); - p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); + if (p != NULL) + { + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); + } *dst = p; return EverCrypt_Error_Success; } @@ -538,26 +539,27 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( KRML_MAYBE_UNUSED_VAR(cipher); KRML_MAYBE_UNUSED_VAR(tag); #if HACL_CAN_COMPILE_VALE - uint8_t ek[480U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 176U; + uint8_t ek0[480U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 176U; aes128_key_expansion(k, keys_b0); aes128_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 304U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 304U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 176U; uint8_t tmp_iv[16U] = { 0U }; @@ -637,8 +639,9 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; #else KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", @@ -680,26 +683,27 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( KRML_MAYBE_UNUSED_VAR(cipher); KRML_MAYBE_UNUSED_VAR(tag); #if HACL_CAN_COMPILE_VALE - uint8_t ek[544U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 240U; + uint8_t ek0[544U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 240U; aes256_key_expansion(k, keys_b0); aes256_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 368U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 368U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 240U; uint8_t tmp_iv[16U] = { 0U }; @@ -779,8 +783,9 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; #else KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", @@ -821,26 +826,27 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) { - uint8_t ek[480U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 176U; + uint8_t ek0[480U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 176U; aes128_key_expansion(k, keys_b0); aes128_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 304U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 304U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 176U; uint8_t tmp_iv[16U] = { 0U }; @@ -920,8 +926,9 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; } return EverCrypt_Error_UnsupportedAlgorithm; @@ -960,26 +967,27 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) { - uint8_t ek[544U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 240U; + uint8_t ek0[544U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 240U; aes256_key_expansion(k, keys_b0); aes256_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 368U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 368U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 240U; uint8_t tmp_iv[16U] = { 0U }; @@ -1059,8 +1067,9 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; } return EverCrypt_Error_UnsupportedAlgorithm; diff --git a/src/EverCrypt_Chacha20Poly1305.c b/src/EverCrypt_Chacha20Poly1305.c index e762f031..ed855681 100644 --- a/src/EverCrypt_Chacha20Poly1305.c +++ b/src/EverCrypt_Chacha20Poly1305.c @@ -25,6 +25,10 @@ #include "EverCrypt_Chacha20Poly1305.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" +#include "EverCrypt_AutoConfig2.h" #include "config.h" void diff --git a/src/EverCrypt_Curve25519.c b/src/EverCrypt_Curve25519.c index 202f58c1..669cc5d8 100644 --- a/src/EverCrypt_Curve25519.c +++ b/src/EverCrypt_Curve25519.c @@ -25,6 +25,9 @@ #include "EverCrypt_Curve25519.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Curve25519_51.h" +#include "EverCrypt_AutoConfig2.h" #include "config.h" /** diff --git a/src/EverCrypt_DRBG.c b/src/EverCrypt_DRBG.c index a831a5b5..5e725c96 100644 --- a/src/EverCrypt_DRBG.c +++ b/src/EverCrypt_DRBG.c @@ -23,8 +23,11 @@ */ -#include "EverCrypt_DRBG.h" +#include "internal/EverCrypt_DRBG.h" +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_HMAC_DRBG.h" #include "internal/EverCrypt_HMAC.h" #include "lib_memzero0.h" @@ -66,26 +69,6 @@ uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) } } -#define SHA1_s 0 -#define SHA2_256_s 1 -#define SHA2_384_s 2 -#define SHA2_512_s 3 - -typedef uint8_t state_s_tags; - -typedef struct EverCrypt_DRBG_state_s_s -{ - state_s_tags tag; - union { - Hacl_HMAC_DRBG_state case_SHA1_s; - Hacl_HMAC_DRBG_state case_SHA2_256_s; - Hacl_HMAC_DRBG_state case_SHA2_384_s; - Hacl_HMAC_DRBG_state case_SHA2_512_s; - } - ; -} -EverCrypt_DRBG_state_s; - bool EverCrypt_DRBG_uu___is_SHA1_s( Spec_Hash_Definitions_hash_alg uu___, @@ -93,7 +76,7 @@ EverCrypt_DRBG_uu___is_SHA1_s( ) { KRML_MAYBE_UNUSED_VAR(uu___); - if (projectee.tag == SHA1_s) + if (projectee.tag == EverCrypt_DRBG_SHA1_s) { return true; } @@ -107,7 +90,7 @@ EverCrypt_DRBG_uu___is_SHA2_256_s( ) { KRML_MAYBE_UNUSED_VAR(uu___); - if (projectee.tag == SHA2_256_s) + if (projectee.tag == EverCrypt_DRBG_SHA2_256_s) { return true; } @@ -121,7 +104,7 @@ EverCrypt_DRBG_uu___is_SHA2_384_s( ) { KRML_MAYBE_UNUSED_VAR(uu___); - if (projectee.tag == SHA2_384_s) + if (projectee.tag == EverCrypt_DRBG_SHA2_384_s) { return true; } @@ -135,7 +118,7 @@ EverCrypt_DRBG_uu___is_SHA2_512_s( ) { KRML_MAYBE_UNUSED_VAR(uu___); - if (projectee.tag == SHA2_512_s) + if (projectee.tag == EverCrypt_DRBG_SHA2_512_s) { return true; } @@ -152,11 +135,14 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(20U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(20U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ - .tag = SHA1_s, + .tag = EverCrypt_DRBG_SHA1_s, { .case_SHA1_s = { .k = k, .v = v, .reseed_counter = ctr } } } ); @@ -167,11 +153,14 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ - .tag = SHA2_256_s, + .tag = EverCrypt_DRBG_SHA2_256_s, { .case_SHA2_256_s = { .k = k, .v = v, .reseed_counter = ctr } } } ); @@ -182,11 +171,14 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(48U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(48U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ - .tag = SHA2_384_s, + .tag = EverCrypt_DRBG_SHA2_384_s, { .case_SHA2_384_s = { .k = k, .v = v, .reseed_counter = ctr } } } ); @@ -197,11 +189,14 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ - .tag = SHA2_512_s, + .tag = EverCrypt_DRBG_SHA2_512_s, { .case_SHA2_512_s = { .k = k, .v = v, .reseed_counter = ctr } } } ); @@ -215,7 +210,10 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg } EverCrypt_DRBG_state_s *buf = (EverCrypt_DRBG_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_DRBG_state_s)); - buf[0U] = st; + if (buf != NULL) + { + buf[0U] = st; + } return buf; } @@ -271,7 +269,7 @@ instantiate_sha1( personalization_string, personalization_string_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA1_s) + if (st_s.tag == EverCrypt_DRBG_SHA1_s) { scrut = st_s.case_SHA1_s; } @@ -359,7 +357,7 @@ instantiate_sha2_256( personalization_string, personalization_string_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_256_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) { scrut = st_s.case_SHA2_256_s; } @@ -447,7 +445,7 @@ instantiate_sha2_384( personalization_string, personalization_string_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_384_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) { scrut = st_s.case_SHA2_384_s; } @@ -535,7 +533,7 @@ instantiate_sha2_512( personalization_string, personalization_string_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_512_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) { scrut = st_s.case_SHA2_512_s; } @@ -616,7 +614,7 @@ reseed_sha1( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA1_s) + if (st_s.tag == EverCrypt_DRBG_SHA1_s) { scrut = st_s.case_SHA1_s; } @@ -695,7 +693,7 @@ reseed_sha2_256( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_256_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) { scrut = st_s.case_SHA2_256_s; } @@ -774,7 +772,7 @@ reseed_sha2_384( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_384_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) { scrut = st_s.case_SHA2_384_s; } @@ -853,7 +851,7 @@ reseed_sha2_512( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_512_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) { scrut = st_s.case_SHA2_512_s; } @@ -949,7 +947,7 @@ generate_sha1( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA1_s) + if (st_s.tag == EverCrypt_DRBG_SHA1_s) { scrut = st_s.case_SHA1_s; } @@ -1008,7 +1006,7 @@ generate_sha1( } EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state ite; - if (st_s.tag == SHA1_s) + if (st_s.tag == EverCrypt_DRBG_SHA1_s) { ite = st_s.case_SHA1_s; } @@ -1021,7 +1019,7 @@ generate_sha1( return false; } Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA1_s) + if (st_s.tag == EverCrypt_DRBG_SHA1_s) { scrut = st_s.case_SHA1_s; } @@ -1162,7 +1160,7 @@ generate_sha2_256( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_256_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) { scrut = st_s.case_SHA2_256_s; } @@ -1221,7 +1219,7 @@ generate_sha2_256( } EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state ite; - if (st_s.tag == SHA2_256_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) { ite = st_s.case_SHA2_256_s; } @@ -1234,7 +1232,7 @@ generate_sha2_256( return false; } Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_256_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) { scrut = st_s.case_SHA2_256_s; } @@ -1375,7 +1373,7 @@ generate_sha2_384( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_384_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) { scrut = st_s.case_SHA2_384_s; } @@ -1434,7 +1432,7 @@ generate_sha2_384( } EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state ite; - if (st_s.tag == SHA2_384_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) { ite = st_s.case_SHA2_384_s; } @@ -1447,7 +1445,7 @@ generate_sha2_384( return false; } Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_384_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) { scrut = st_s.case_SHA2_384_s; } @@ -1588,7 +1586,7 @@ generate_sha2_512( additional_input, additional_input_len * sizeof (uint8_t)); Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_512_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) { scrut = st_s.case_SHA2_512_s; } @@ -1647,7 +1645,7 @@ generate_sha2_512( } EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state ite; - if (st_s.tag == SHA2_512_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) { ite = st_s.case_SHA2_512_s; } @@ -1660,7 +1658,7 @@ generate_sha2_512( return false; } Hacl_HMAC_DRBG_state scrut; - if (st_s.tag == SHA2_512_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) { scrut = st_s.case_SHA2_512_s; } @@ -1759,7 +1757,7 @@ static void uninstantiate_sha1(EverCrypt_DRBG_state_s *st) { EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state s; - if (st_s.tag == SHA1_s) + if (st_s.tag == EverCrypt_DRBG_SHA1_s) { s = st_s.case_SHA1_s; } @@ -1783,7 +1781,7 @@ static void uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st) { EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state s; - if (st_s.tag == SHA2_256_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_256_s) { s = st_s.case_SHA2_256_s; } @@ -1807,7 +1805,7 @@ static void uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st) { EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state s; - if (st_s.tag == SHA2_384_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_384_s) { s = st_s.case_SHA2_384_s; } @@ -1831,7 +1829,7 @@ static void uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st) { EverCrypt_DRBG_state_s st_s = *st; Hacl_HMAC_DRBG_state s; - if (st_s.tag == SHA2_512_s) + if (st_s.tag == EverCrypt_DRBG_SHA2_512_s) { s = st_s.case_SHA2_512_s; } @@ -1868,19 +1866,19 @@ EverCrypt_DRBG_instantiate( ) { EverCrypt_DRBG_state_s scrut = *st; - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_DRBG_SHA1_s) { return instantiate_sha1(st, personalization_string, personalization_string_len); } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) { return instantiate_sha2_256(st, personalization_string, personalization_string_len); } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) { return instantiate_sha2_384(st, personalization_string, personalization_string_len); } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) { return instantiate_sha2_512(st, personalization_string, personalization_string_len); } @@ -1908,19 +1906,19 @@ EverCrypt_DRBG_reseed( ) { EverCrypt_DRBG_state_s scrut = *st; - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_DRBG_SHA1_s) { return reseed_sha1(st, additional_input, additional_input_len); } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) { return reseed_sha2_256(st, additional_input, additional_input_len); } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) { return reseed_sha2_384(st, additional_input, additional_input_len); } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) { return reseed_sha2_512(st, additional_input, additional_input_len); } @@ -1952,19 +1950,19 @@ EverCrypt_DRBG_generate( ) { EverCrypt_DRBG_state_s scrut = *st; - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_DRBG_SHA1_s) { return generate_sha1(output, st, n, additional_input, additional_input_len); } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) { return generate_sha2_256(output, st, n, additional_input, additional_input_len); } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) { return generate_sha2_384(output, st, n, additional_input, additional_input_len); } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) { return generate_sha2_512(output, st, n, additional_input, additional_input_len); } @@ -1983,22 +1981,22 @@ Uninstantiate and free the DRBG. void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st) { EverCrypt_DRBG_state_s scrut = *st; - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_DRBG_SHA1_s) { uninstantiate_sha1(st); return; } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_256_s) { uninstantiate_sha2_256(st); return; } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_384_s) { uninstantiate_sha2_384(st); return; } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_DRBG_SHA2_512_s) { uninstantiate_sha2_512(st); return; diff --git a/src/EverCrypt_Ed25519.c b/src/EverCrypt_Ed25519.c index 8a5c88c0..42d73f82 100644 --- a/src/EverCrypt_Ed25519.c +++ b/src/EverCrypt_Ed25519.c @@ -25,6 +25,8 @@ #include "EverCrypt_Ed25519.h" +#include "Hacl_Ed25519.h" + void EverCrypt_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key) { Hacl_Ed25519_secret_to_public(public_key, private_key); diff --git a/src/EverCrypt_HKDF.c b/src/EverCrypt_HKDF.c index 773f86b8..96488db8 100644 --- a/src/EverCrypt_HKDF.c +++ b/src/EverCrypt_HKDF.c @@ -25,6 +25,7 @@ #include "EverCrypt_HKDF.h" +#include "Hacl_Streaming_Types.h" #include "internal/EverCrypt_HMAC.h" static void diff --git a/src/EverCrypt_HMAC.c b/src/EverCrypt_HMAC.c index 90bcaaac..52362a5c 100644 --- a/src/EverCrypt_HMAC.c +++ b/src/EverCrypt_HMAC.c @@ -25,6 +25,11 @@ #include "internal/EverCrypt_HMAC.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA2.h" #include "internal/Hacl_Hash_SHA1.h" @@ -68,10 +73,6 @@ bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___) } } -void -(*EverCrypt_HMAC_hash_256)(uint8_t *x0, uint8_t *x1, uint32_t x2) = - EverCrypt_Hash_Incremental_hash_256; - void EverCrypt_HMAC_compute_sha1( uint8_t *dst, @@ -81,10 +82,8 @@ EverCrypt_HMAC_compute_sha1( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -105,19 +104,17 @@ EverCrypt_HMAC_compute_sha1( { Hacl_Hash_SHA1_hash_oneshot(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -189,10 +186,8 @@ EverCrypt_HMAC_compute_sha2_256( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -211,21 +206,19 @@ EverCrypt_HMAC_compute_sha2_256( } else { - EverCrypt_HMAC_hash_256(nkey, key, key_len); + EverCrypt_Hash_Incremental_hash_256(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -311,10 +304,8 @@ EverCrypt_HMAC_compute_sha2_384( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -335,19 +326,17 @@ EverCrypt_HMAC_compute_sha2_384( { Hacl_Hash_SHA2_hash_384(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -441,10 +430,8 @@ EverCrypt_HMAC_compute_sha2_512( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -465,19 +452,17 @@ EverCrypt_HMAC_compute_sha2_512( { Hacl_Hash_SHA2_hash_512(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -571,10 +556,8 @@ EverCrypt_HMAC_compute_blake2s( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -595,19 +578,17 @@ EverCrypt_HMAC_compute_blake2s( { Hacl_Hash_Blake2s_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -620,7 +601,7 @@ EverCrypt_HMAC_compute_blake2s( if (data_len == 0U) { uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -655,6 +636,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -693,6 +675,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -708,10 +691,8 @@ EverCrypt_HMAC_compute_blake2b( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -732,19 +713,17 @@ EverCrypt_HMAC_compute_blake2b( { Hacl_Hash_Blake2b_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -757,7 +736,13 @@ EverCrypt_HMAC_compute_blake2b( if (data_len == 0U) { uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -792,6 +777,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -831,6 +817,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/EverCrypt_Hash.c b/src/EverCrypt_Hash.c index bfafa9be..38f3c129 100644 --- a/src/EverCrypt_Hash.c +++ b/src/EverCrypt_Hash.c @@ -25,7 +25,18 @@ #include "internal/EverCrypt_Hash.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s_Simd128.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b_Simd256.h" +#include "Hacl_Hash_Blake2b.h" +#include "EverCrypt_Error.h" +#include "EverCrypt_AutoConfig2.h" #include "internal/Vale.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA3.h" #include "internal/Hacl_Hash_SHA2.h" @@ -37,102 +48,62 @@ #include "internal/Hacl_Hash_Blake2b.h" #include "config.h" -#define MD5_s 0 -#define SHA1_s 1 -#define SHA2_224_s 2 -#define SHA2_256_s 3 -#define SHA2_384_s 4 -#define SHA2_512_s 5 -#define SHA3_224_s 6 -#define SHA3_256_s 7 -#define SHA3_384_s 8 -#define SHA3_512_s 9 -#define Blake2S_s 10 -#define Blake2S_128_s 11 -#define Blake2B_s 12 -#define Blake2B_256_s 13 - -typedef uint8_t state_s_tags; - -typedef struct EverCrypt_Hash_state_s_s -{ - state_s_tags tag; - union { - uint32_t *case_MD5_s; - uint32_t *case_SHA1_s; - uint32_t *case_SHA2_224_s; - uint32_t *case_SHA2_256_s; - uint64_t *case_SHA2_384_s; - uint64_t *case_SHA2_512_s; - uint64_t *case_SHA3_224_s; - uint64_t *case_SHA3_256_s; - uint64_t *case_SHA3_384_s; - uint64_t *case_SHA3_512_s; - uint32_t *case_Blake2S_s; - Lib_IntVector_Intrinsics_vec128 *case_Blake2S_128_s; - uint64_t *case_Blake2B_s; - Lib_IntVector_Intrinsics_vec256 *case_Blake2B_256_s; - } - ; -} -EverCrypt_Hash_state_s; - static Spec_Hash_Definitions_hash_alg alg_of_state(EverCrypt_Hash_state_s *s) { EverCrypt_Hash_state_s scrut = *s; - if (scrut.tag == MD5_s) + if (scrut.tag == EverCrypt_Hash_MD5_s) { return Spec_Hash_Definitions_MD5; } - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_Hash_SHA1_s) { return Spec_Hash_Definitions_SHA1; } - if (scrut.tag == SHA2_224_s) + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) { return Spec_Hash_Definitions_SHA2_224; } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) { return Spec_Hash_Definitions_SHA2_256; } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) { return Spec_Hash_Definitions_SHA2_384; } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) { return Spec_Hash_Definitions_SHA2_512; } - if (scrut.tag == SHA3_224_s) + if (scrut.tag == EverCrypt_Hash_SHA3_224_s) { return Spec_Hash_Definitions_SHA3_224; } - if (scrut.tag == SHA3_256_s) + if (scrut.tag == EverCrypt_Hash_SHA3_256_s) { return Spec_Hash_Definitions_SHA3_256; } - if (scrut.tag == SHA3_384_s) + if (scrut.tag == EverCrypt_Hash_SHA3_384_s) { return Spec_Hash_Definitions_SHA3_384; } - if (scrut.tag == SHA3_512_s) + if (scrut.tag == EverCrypt_Hash_SHA3_512_s) { return Spec_Hash_Definitions_SHA3_512; } - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { return Spec_Hash_Definitions_Blake2S; } - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { return Spec_Hash_Definitions_Blake2S; } - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { return Spec_Hash_Definitions_Blake2B; } - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { return Spec_Hash_Definitions_Blake2B; } @@ -143,70 +114,276 @@ static Spec_Hash_Definitions_hash_alg alg_of_state(EverCrypt_Hash_state_s *s) KRML_HOST_EXIT(255U); } -static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) +static EverCrypt_Hash_state_s *malloc_(Spec_Hash_Definitions_hash_alg a) { - EverCrypt_Hash_state_s s; switch (a) { case Spec_Hash_Definitions_MD5: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = MD5_s, { .case_MD5_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_MD5_s, { .case_MD5_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA1: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA1_s, { .case_SHA1_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_SHA1_s, { .case_SHA1_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_224: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_224_s, { .case_SHA2_224_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA2_224_s, + { .case_SHA2_224_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_256: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_256_s, { .case_SHA2_256_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA2_256_s, + { .case_SHA2_256_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_384: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_384_s, { .case_SHA2_384_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA2_384_s, + { .case_SHA2_384_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_512: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_512_s, { .case_SHA2_512_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA2_512_s, + { .case_SHA2_512_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_224: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_224_s, { .case_SHA3_224_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA3_224_s, + { .case_SHA3_224_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_256: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_256_s, { .case_SHA3_256_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA3_256_s, + { .case_SHA3_256_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_384: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_384_s, { .case_SHA3_384_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA3_384_s, + { .case_SHA3_384_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_512: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_512_s, { .case_SHA3_512_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_SHA3_512_s, + { .case_SHA3_512_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_Blake2S: { @@ -214,22 +391,70 @@ static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) bool vec128 = EverCrypt_AutoConfig2_has_vec128(); if (vec128) { - s = - ( - (EverCrypt_Hash_state_s){ - .tag = Blake2S_128_s, - { .case_Blake2S_128_s = Hacl_Hash_Blake2s_Simd128_malloc_with_key() } - } - ); + Lib_IntVector_Intrinsics_vec128 *s = Hacl_Hash_Blake2s_Simd128_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_Blake2S_128_s, + { .case_Blake2S_128_s = s } + } + ); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; } - else + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (s == NULL) { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf } }); + return NULL; } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #else - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf } }); + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #endif break; } @@ -239,22 +464,70 @@ static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) bool vec256 = EverCrypt_AutoConfig2_has_vec256(); if (vec256) { - s = - ( - (EverCrypt_Hash_state_s){ - .tag = Blake2B_256_s, - { .case_Blake2B_256_s = Hacl_Hash_Blake2b_Simd256_malloc_with_key() } - } - ); + Lib_IntVector_Intrinsics_vec256 *s = Hacl_Hash_Blake2b_Simd256_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_Blake2B_256_s, + { .case_Blake2B_256_s = s } + } + ); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + } + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; } - else + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf } }); + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = s1 } }); } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #else - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf } }); + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #endif break; } @@ -264,82 +537,95 @@ static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) KRML_HOST_EXIT(253U); } } - EverCrypt_Hash_state_s - *buf = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); - buf[0U] = s; - return buf; +} + +typedef struct option___EverCrypt_Hash_state_s__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + EverCrypt_Hash_state_s *v; +} +option___EverCrypt_Hash_state_s_; + +static option___EverCrypt_Hash_state_s_ create_in(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_Hash_state_s *s = malloc_(a); + if (s == NULL) + { + return ((option___EverCrypt_Hash_state_s_){ .tag = FStar_Pervasives_Native_None }); + } + return ((option___EverCrypt_Hash_state_s_){ .tag = FStar_Pervasives_Native_Some, .v = s }); } static void init(EverCrypt_Hash_state_s *s) { EverCrypt_Hash_state_s scrut = *s; - if (scrut.tag == MD5_s) + if (scrut.tag == EverCrypt_Hash_MD5_s) { uint32_t *p1 = scrut.case_MD5_s; Hacl_Hash_MD5_init(p1); return; } - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_Hash_SHA1_s) { uint32_t *p1 = scrut.case_SHA1_s; Hacl_Hash_SHA1_init(p1); return; } - if (scrut.tag == SHA2_224_s) + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) { uint32_t *p1 = scrut.case_SHA2_224_s; Hacl_Hash_SHA2_sha224_init(p1); return; } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) { uint32_t *p1 = scrut.case_SHA2_256_s; Hacl_Hash_SHA2_sha256_init(p1); return; } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) { uint64_t *p1 = scrut.case_SHA2_384_s; Hacl_Hash_SHA2_sha384_init(p1); return; } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) { uint64_t *p1 = scrut.case_SHA2_512_s; Hacl_Hash_SHA2_sha512_init(p1); return; } - if (scrut.tag == SHA3_224_s) + if (scrut.tag == EverCrypt_Hash_SHA3_224_s) { uint64_t *p1 = scrut.case_SHA3_224_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_224, p1); return; } - if (scrut.tag == SHA3_256_s) + if (scrut.tag == EverCrypt_Hash_SHA3_256_s) { uint64_t *p1 = scrut.case_SHA3_256_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_256, p1); return; } - if (scrut.tag == SHA3_384_s) + if (scrut.tag == EverCrypt_Hash_SHA3_384_s) { uint64_t *p1 = scrut.case_SHA3_384_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_384, p1); return; } - if (scrut.tag == SHA3_512_s) + if (scrut.tag == EverCrypt_Hash_SHA3_512_s) { uint64_t *p1 = scrut.case_SHA3_512_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_512, p1); return; } - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p1 = scrut.case_Blake2S_s; Hacl_Hash_Blake2s_init(p1, 0U, 32U); return; } - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 @@ -350,13 +636,13 @@ static void init(EverCrypt_Hash_state_s *s) return; #endif } - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p1 = scrut.case_Blake2B_s; Hacl_Hash_Blake2b_init(p1, 0U, 64U); return; } - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; #if HACL_CAN_COMPILE_VEC256 @@ -411,77 +697,77 @@ static void update_multi(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *blocks, uint32_t len) { EverCrypt_Hash_state_s scrut = *s; - if (scrut.tag == MD5_s) + if (scrut.tag == EverCrypt_Hash_MD5_s) { uint32_t *p1 = scrut.case_MD5_s; uint32_t n = len / 64U; Hacl_Hash_MD5_update_multi(p1, blocks, n); return; } - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_Hash_SHA1_s) { uint32_t *p1 = scrut.case_SHA1_s; uint32_t n = len / 64U; Hacl_Hash_SHA1_update_multi(p1, blocks, n); return; } - if (scrut.tag == SHA2_224_s) + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) { uint32_t *p1 = scrut.case_SHA2_224_s; uint32_t n = len / 64U; EverCrypt_Hash_update_multi_256(p1, blocks, n); return; } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) { uint32_t *p1 = scrut.case_SHA2_256_s; uint32_t n = len / 64U; EverCrypt_Hash_update_multi_256(p1, blocks, n); return; } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) { uint64_t *p1 = scrut.case_SHA2_384_s; uint32_t n = len / 128U; Hacl_Hash_SHA2_sha384_update_nblocks(n * 128U, blocks, p1); return; } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) { uint64_t *p1 = scrut.case_SHA2_512_s; uint32_t n = len / 128U; Hacl_Hash_SHA2_sha512_update_nblocks(n * 128U, blocks, p1); return; } - if (scrut.tag == SHA3_224_s) + if (scrut.tag == EverCrypt_Hash_SHA3_224_s) { uint64_t *p1 = scrut.case_SHA3_224_s; uint32_t n = len / 144U; Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, p1, blocks, n); return; } - if (scrut.tag == SHA3_256_s) + if (scrut.tag == EverCrypt_Hash_SHA3_256_s) { uint64_t *p1 = scrut.case_SHA3_256_s; uint32_t n = len / 136U; Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, p1, blocks, n); return; } - if (scrut.tag == SHA3_384_s) + if (scrut.tag == EverCrypt_Hash_SHA3_384_s) { uint64_t *p1 = scrut.case_SHA3_384_s; uint32_t n = len / 104U; Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, p1, blocks, n); return; } - if (scrut.tag == SHA3_512_s) + if (scrut.tag == EverCrypt_Hash_SHA3_512_s) { uint64_t *p1 = scrut.case_SHA3_512_s; uint32_t n = len / 72U; Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, p1, blocks, n); return; } - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p1 = scrut.case_Blake2S_s; uint32_t n = len / 64U; @@ -489,7 +775,7 @@ update_multi(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *blocks, uint3 Hacl_Hash_Blake2s_update_multi(n * 64U, wv, p1, prevlen, blocks, n); return; } - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 @@ -502,7 +788,7 @@ update_multi(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *blocks, uint3 return; #endif } - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p1 = scrut.case_Blake2B_s; uint32_t n = len / 128U; @@ -515,7 +801,7 @@ update_multi(EverCrypt_Hash_state_s *s, uint64_t prevlen, uint8_t *blocks, uint3 n); return; } - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; #if HACL_CAN_COMPILE_VEC256 @@ -544,31 +830,31 @@ static void update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_t last_len) { EverCrypt_Hash_state_s scrut = *s; - if (scrut.tag == MD5_s) + if (scrut.tag == EverCrypt_Hash_MD5_s) { uint32_t *p1 = scrut.case_MD5_s; Hacl_Hash_MD5_update_last(p1, prev_len, last, last_len); return; } - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_Hash_SHA1_s) { uint32_t *p1 = scrut.case_SHA1_s; Hacl_Hash_SHA1_update_last(p1, prev_len, last, last_len); return; } - if (scrut.tag == SHA2_224_s) + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) { uint32_t *p1 = scrut.case_SHA2_224_s; Hacl_Hash_SHA2_sha224_update_last(prev_len + (uint64_t)last_len, last_len, last, p1); return; } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) { uint32_t *p1 = scrut.case_SHA2_256_s; Hacl_Hash_SHA2_sha256_update_last(prev_len + (uint64_t)last_len, last_len, last, p1); return; } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) { uint64_t *p1 = scrut.case_SHA2_384_s; Hacl_Hash_SHA2_sha384_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len), @@ -578,7 +864,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ p1); return; } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) { uint64_t *p1 = scrut.case_SHA2_512_s; Hacl_Hash_SHA2_sha512_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len), @@ -588,62 +874,63 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ p1); return; } - if (scrut.tag == SHA3_224_s) + if (scrut.tag == EverCrypt_Hash_SHA3_224_s) { uint64_t *p1 = scrut.case_SHA3_224_s; Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, p1, last, last_len); return; } - if (scrut.tag == SHA3_256_s) + if (scrut.tag == EverCrypt_Hash_SHA3_256_s) { uint64_t *p1 = scrut.case_SHA3_256_s; Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, p1, last, last_len); return; } - if (scrut.tag == SHA3_384_s) + if (scrut.tag == EverCrypt_Hash_SHA3_384_s) { uint64_t *p1 = scrut.case_SHA3_384_s; Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, p1, last, last_len); return; } - if (scrut.tag == SHA3_512_s) + if (scrut.tag == EverCrypt_Hash_SHA3_512_s) { uint64_t *p1 = scrut.case_SHA3_512_s; Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, p1, last, last_len); return; } - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p1 = scrut.case_Blake2S_s; uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; } - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; #else KRML_MAYBE_UNUSED_VAR(p1); return; #endif } - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p1 = scrut.case_Blake2B_s; uint64_t wv[16U] = { 0U }; Hacl_Hash_Blake2b_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); return; } - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; #if HACL_CAN_COMPILE_VEC256 @@ -651,6 +938,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_Simd256_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); @@ -670,43 +958,43 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) { EverCrypt_Hash_state_s scrut = *s; - if (scrut.tag == MD5_s) + if (scrut.tag == EverCrypt_Hash_MD5_s) { uint32_t *p1 = scrut.case_MD5_s; Hacl_Hash_MD5_finish(p1, dst); return; } - if (scrut.tag == SHA1_s) + if (scrut.tag == EverCrypt_Hash_SHA1_s) { uint32_t *p1 = scrut.case_SHA1_s; Hacl_Hash_SHA1_finish(p1, dst); return; } - if (scrut.tag == SHA2_224_s) + if (scrut.tag == EverCrypt_Hash_SHA2_224_s) { uint32_t *p1 = scrut.case_SHA2_224_s; Hacl_Hash_SHA2_sha224_finish(p1, dst); return; } - if (scrut.tag == SHA2_256_s) + if (scrut.tag == EverCrypt_Hash_SHA2_256_s) { uint32_t *p1 = scrut.case_SHA2_256_s; Hacl_Hash_SHA2_sha256_finish(p1, dst); return; } - if (scrut.tag == SHA2_384_s) + if (scrut.tag == EverCrypt_Hash_SHA2_384_s) { uint64_t *p1 = scrut.case_SHA2_384_s; Hacl_Hash_SHA2_sha384_finish(p1, dst); return; } - if (scrut.tag == SHA2_512_s) + if (scrut.tag == EverCrypt_Hash_SHA2_512_s) { uint64_t *p1 = scrut.case_SHA2_512_s; Hacl_Hash_SHA2_sha512_finish(p1, dst); return; } - if (scrut.tag == SHA3_224_s) + if (scrut.tag == EverCrypt_Hash_SHA3_224_s) { uint64_t *p1 = scrut.case_SHA3_224_s; uint32_t remOut = 28U; @@ -720,7 +1008,7 @@ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) memcpy(dst + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); return; } - if (scrut.tag == SHA3_256_s) + if (scrut.tag == EverCrypt_Hash_SHA3_256_s) { uint64_t *p1 = scrut.case_SHA3_256_s; uint32_t remOut = 32U; @@ -734,7 +1022,7 @@ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) memcpy(dst + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); return; } - if (scrut.tag == SHA3_384_s) + if (scrut.tag == EverCrypt_Hash_SHA3_384_s) { uint64_t *p1 = scrut.case_SHA3_384_s; uint32_t remOut = 48U; @@ -748,7 +1036,7 @@ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) memcpy(dst + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); return; } - if (scrut.tag == SHA3_512_s) + if (scrut.tag == EverCrypt_Hash_SHA3_512_s) { uint64_t *p1 = scrut.case_SHA3_512_s; uint32_t remOut = 64U; @@ -762,13 +1050,13 @@ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) memcpy(dst + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); return; } - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p1 = scrut.case_Blake2S_s; Hacl_Hash_Blake2s_finish(32U, dst, p1); return; } - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 @@ -779,13 +1067,13 @@ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) return; #endif } - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p1 = scrut.case_Blake2B_s; Hacl_Hash_Blake2b_finish(64U, dst, p1); return; } - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; #if HACL_CAN_COMPILE_VEC256 @@ -806,72 +1094,72 @@ static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst) static void free_(EverCrypt_Hash_state_s *s) { EverCrypt_Hash_state_s scrut = *s; - if (scrut.tag == MD5_s) + if (scrut.tag == EverCrypt_Hash_MD5_s) { uint32_t *p1 = scrut.case_MD5_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA1_s) + else if (scrut.tag == EverCrypt_Hash_SHA1_s) { uint32_t *p1 = scrut.case_SHA1_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA2_224_s) + else if (scrut.tag == EverCrypt_Hash_SHA2_224_s) { uint32_t *p1 = scrut.case_SHA2_224_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA2_256_s) + else if (scrut.tag == EverCrypt_Hash_SHA2_256_s) { uint32_t *p1 = scrut.case_SHA2_256_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA2_384_s) + else if (scrut.tag == EverCrypt_Hash_SHA2_384_s) { uint64_t *p1 = scrut.case_SHA2_384_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA2_512_s) + else if (scrut.tag == EverCrypt_Hash_SHA2_512_s) { uint64_t *p1 = scrut.case_SHA2_512_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA3_224_s) + else if (scrut.tag == EverCrypt_Hash_SHA3_224_s) { uint64_t *p1 = scrut.case_SHA3_224_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA3_256_s) + else if (scrut.tag == EverCrypt_Hash_SHA3_256_s) { uint64_t *p1 = scrut.case_SHA3_256_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA3_384_s) + else if (scrut.tag == EverCrypt_Hash_SHA3_384_s) { uint64_t *p1 = scrut.case_SHA3_384_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == SHA3_512_s) + else if (scrut.tag == EverCrypt_Hash_SHA3_512_s) { uint64_t *p1 = scrut.case_SHA3_512_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == Blake2S_s) + else if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p1 = scrut.case_Blake2S_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == Blake2S_128_s) + else if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; KRML_ALIGNED_FREE(p1); } - else if (scrut.tag == Blake2B_s) + else if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p1 = scrut.case_Blake2B_s; KRML_HOST_FREE(p1); } - else if (scrut.tag == Blake2B_256_s) + else if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; KRML_ALIGNED_FREE(p1); @@ -890,12 +1178,12 @@ static void free_(EverCrypt_Hash_state_s *s) static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) { EverCrypt_Hash_state_s scrut0 = *s_src; - if (scrut0.tag == MD5_s) + if (scrut0.tag == EverCrypt_Hash_MD5_s) { uint32_t *p_src = scrut0.case_MD5_s; EverCrypt_Hash_state_s x1 = *s_dst; uint32_t *p_dst; - if (x1.tag == MD5_s) + if (x1.tag == EverCrypt_Hash_MD5_s) { p_dst = x1.case_MD5_s; } @@ -906,12 +1194,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 4U * sizeof (uint32_t)); return; } - if (scrut0.tag == SHA1_s) + if (scrut0.tag == EverCrypt_Hash_SHA1_s) { uint32_t *p_src = scrut0.case_SHA1_s; EverCrypt_Hash_state_s x1 = *s_dst; uint32_t *p_dst; - if (x1.tag == SHA1_s) + if (x1.tag == EverCrypt_Hash_SHA1_s) { p_dst = x1.case_SHA1_s; } @@ -922,12 +1210,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 5U * sizeof (uint32_t)); return; } - if (scrut0.tag == SHA2_224_s) + if (scrut0.tag == EverCrypt_Hash_SHA2_224_s) { uint32_t *p_src = scrut0.case_SHA2_224_s; EverCrypt_Hash_state_s x1 = *s_dst; uint32_t *p_dst; - if (x1.tag == SHA2_224_s) + if (x1.tag == EverCrypt_Hash_SHA2_224_s) { p_dst = x1.case_SHA2_224_s; } @@ -938,12 +1226,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 8U * sizeof (uint32_t)); return; } - if (scrut0.tag == SHA2_256_s) + if (scrut0.tag == EverCrypt_Hash_SHA2_256_s) { uint32_t *p_src = scrut0.case_SHA2_256_s; EverCrypt_Hash_state_s x1 = *s_dst; uint32_t *p_dst; - if (x1.tag == SHA2_256_s) + if (x1.tag == EverCrypt_Hash_SHA2_256_s) { p_dst = x1.case_SHA2_256_s; } @@ -954,12 +1242,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 8U * sizeof (uint32_t)); return; } - if (scrut0.tag == SHA2_384_s) + if (scrut0.tag == EverCrypt_Hash_SHA2_384_s) { uint64_t *p_src = scrut0.case_SHA2_384_s; EverCrypt_Hash_state_s x1 = *s_dst; uint64_t *p_dst; - if (x1.tag == SHA2_384_s) + if (x1.tag == EverCrypt_Hash_SHA2_384_s) { p_dst = x1.case_SHA2_384_s; } @@ -970,12 +1258,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 8U * sizeof (uint64_t)); return; } - if (scrut0.tag == SHA2_512_s) + if (scrut0.tag == EverCrypt_Hash_SHA2_512_s) { uint64_t *p_src = scrut0.case_SHA2_512_s; EverCrypt_Hash_state_s x1 = *s_dst; uint64_t *p_dst; - if (x1.tag == SHA2_512_s) + if (x1.tag == EverCrypt_Hash_SHA2_512_s) { p_dst = x1.case_SHA2_512_s; } @@ -986,12 +1274,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 8U * sizeof (uint64_t)); return; } - if (scrut0.tag == SHA3_224_s) + if (scrut0.tag == EverCrypt_Hash_SHA3_224_s) { uint64_t *p_src = scrut0.case_SHA3_224_s; EverCrypt_Hash_state_s x1 = *s_dst; uint64_t *p_dst; - if (x1.tag == SHA3_224_s) + if (x1.tag == EverCrypt_Hash_SHA3_224_s) { p_dst = x1.case_SHA3_224_s; } @@ -1002,12 +1290,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); return; } - if (scrut0.tag == SHA3_256_s) + if (scrut0.tag == EverCrypt_Hash_SHA3_256_s) { uint64_t *p_src = scrut0.case_SHA3_256_s; EverCrypt_Hash_state_s x1 = *s_dst; uint64_t *p_dst; - if (x1.tag == SHA3_256_s) + if (x1.tag == EverCrypt_Hash_SHA3_256_s) { p_dst = x1.case_SHA3_256_s; } @@ -1018,12 +1306,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); return; } - if (scrut0.tag == SHA3_384_s) + if (scrut0.tag == EverCrypt_Hash_SHA3_384_s) { uint64_t *p_src = scrut0.case_SHA3_384_s; EverCrypt_Hash_state_s x1 = *s_dst; uint64_t *p_dst; - if (x1.tag == SHA3_384_s) + if (x1.tag == EverCrypt_Hash_SHA3_384_s) { p_dst = x1.case_SHA3_384_s; } @@ -1034,12 +1322,12 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); return; } - if (scrut0.tag == SHA3_512_s) + if (scrut0.tag == EverCrypt_Hash_SHA3_512_s) { uint64_t *p_src = scrut0.case_SHA3_512_s; EverCrypt_Hash_state_s x1 = *s_dst; uint64_t *p_dst; - if (x1.tag == SHA3_512_s) + if (x1.tag == EverCrypt_Hash_SHA3_512_s) { p_dst = x1.case_SHA3_512_s; } @@ -1050,17 +1338,17 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); return; } - if (scrut0.tag == Blake2S_s) + if (scrut0.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p_src = scrut0.case_Blake2S_s; EverCrypt_Hash_state_s scrut = *s_dst; - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p_dst = scrut.case_Blake2S_s; memcpy(p_dst, p_src, 16U * sizeof (uint32_t)); return; } - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p_dst = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 @@ -1077,17 +1365,17 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) "unreachable (pattern matches are exhaustive in F*)"); KRML_HOST_EXIT(255U); } - if (scrut0.tag == Blake2B_s) + if (scrut0.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p_src = scrut0.case_Blake2B_s; EverCrypt_Hash_state_s scrut = *s_dst; - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p_dst = scrut.case_Blake2B_s; memcpy(p_dst, p_src, 16U * sizeof (uint64_t)); return; } - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p_dst = scrut.case_Blake2B_256_s; #if HACL_CAN_COMPILE_VEC256 @@ -1104,17 +1392,17 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) "unreachable (pattern matches are exhaustive in F*)"); KRML_HOST_EXIT(255U); } - if (scrut0.tag == Blake2S_128_s) + if (scrut0.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p_src = scrut0.case_Blake2S_128_s; EverCrypt_Hash_state_s scrut = *s_dst; - if (scrut.tag == Blake2S_128_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_128_s) { Lib_IntVector_Intrinsics_vec128 *p_dst = scrut.case_Blake2S_128_s; memcpy(p_dst, p_src, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); return; } - if (scrut.tag == Blake2S_s) + if (scrut.tag == EverCrypt_Hash_Blake2S_s) { uint32_t *p_dst = scrut.case_Blake2S_s; #if HACL_CAN_COMPILE_VEC128 @@ -1131,17 +1419,17 @@ static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *s_dst) "unreachable (pattern matches are exhaustive in F*)"); KRML_HOST_EXIT(255U); } - if (scrut0.tag == Blake2B_256_s) + if (scrut0.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p_src = scrut0.case_Blake2B_256_s; EverCrypt_Hash_state_s scrut = *s_dst; - if (scrut.tag == Blake2B_256_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_256_s) { Lib_IntVector_Intrinsics_vec256 *p_dst = scrut.case_Blake2B_256_s; memcpy(p_dst, p_src, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); return; } - if (scrut.tag == Blake2B_s) + if (scrut.tag == EverCrypt_Hash_Blake2B_s) { uint64_t *p_dst = scrut.case_Blake2B_s; #if HACL_CAN_COMPILE_VEC256 @@ -1304,17 +1592,61 @@ EverCrypt_Hash_Incremental_state_t { KRML_CHECK_SIZE(sizeof (uint8_t), block_len(a)); uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); - EverCrypt_Hash_state_s *block_state = create_in(a); - EverCrypt_Hash_Incremental_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - EverCrypt_Hash_Incremental_state_t - *p = - (EverCrypt_Hash_Incremental_state_t *)KRML_HOST_MALLOC(sizeof ( - EverCrypt_Hash_Incremental_state_t - )); - p[0U] = s; - init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + option___EverCrypt_Hash_state_s_ block_state = create_in(a); + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + EverCrypt_Hash_state_s *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + EverCrypt_Hash_Incremental_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + EverCrypt_Hash_Incremental_state_t + *p = + (EverCrypt_Hash_Incremental_state_t *)KRML_HOST_MALLOC(sizeof ( + EverCrypt_Hash_Incremental_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + free_(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1639,7 +1971,7 @@ static void digest_md5(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outpu } uint8_t *buf_1 = buf_; uint32_t buf[4U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = MD5_s, { .case_MD5_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_MD5_s, { .case_MD5_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1677,7 +2009,7 @@ static void digest_sha1(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outp } uint8_t *buf_1 = buf_; uint32_t buf[5U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA1_s, { .case_SHA1_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA1_s, { .case_SHA1_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1716,7 +2048,7 @@ static void digest_sha224(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou } uint8_t *buf_1 = buf_; uint32_t buf[8U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA2_224_s, { .case_SHA2_224_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_224_s, { .case_SHA2_224_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1755,7 +2087,7 @@ static void digest_sha256(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou } uint8_t *buf_1 = buf_; uint32_t buf[8U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA2_256_s, { .case_SHA2_256_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_256_s, { .case_SHA2_256_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1794,7 +2126,7 @@ static void digest_sha3_224(EverCrypt_Hash_Incremental_state_t *state, uint8_t * } uint8_t *buf_1 = buf_; uint64_t buf[25U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA3_224_s, { .case_SHA3_224_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA3_224_s, { .case_SHA3_224_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1833,7 +2165,7 @@ static void digest_sha3_256(EverCrypt_Hash_Incremental_state_t *state, uint8_t * } uint8_t *buf_1 = buf_; uint64_t buf[25U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA3_256_s, { .case_SHA3_256_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA3_256_s, { .case_SHA3_256_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1872,7 +2204,7 @@ static void digest_sha3_384(EverCrypt_Hash_Incremental_state_t *state, uint8_t * } uint8_t *buf_1 = buf_; uint64_t buf[25U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA3_384_s, { .case_SHA3_384_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA3_384_s, { .case_SHA3_384_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1911,7 +2243,7 @@ static void digest_sha3_512(EverCrypt_Hash_Incremental_state_t *state, uint8_t * } uint8_t *buf_1 = buf_; uint64_t buf[25U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA3_512_s, { .case_SHA3_512_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA3_512_s, { .case_SHA3_512_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1950,7 +2282,7 @@ static void digest_sha384(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou } uint8_t *buf_1 = buf_; uint64_t buf[8U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA2_384_s, { .case_SHA2_384_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_384_s, { .case_SHA2_384_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -1989,7 +2321,7 @@ static void digest_sha512(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou } uint8_t *buf_1 = buf_; uint64_t buf[8U] = { 0U }; - EverCrypt_Hash_state_s s = { .tag = SHA2_512_s, { .case_SHA2_512_s = buf } }; + EverCrypt_Hash_state_s s = { .tag = EverCrypt_Hash_SHA2_512_s, { .case_SHA2_512_s = buf } }; EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; @@ -2033,15 +2365,21 @@ static void digest_blake2s(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o uint32_t buf[16U] = { 0U }; if (vec128) { - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_128_s, { .case_Blake2S_128_s = buf0 } }); + s = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_Blake2S_128_s, + { .case_Blake2S_128_s = buf0 } + } + ); } else { - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf } }); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = buf } }); } #else uint32_t buf[16U] = { 0U }; - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf } }); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2S_s, { .case_Blake2S_s = buf } }); #endif EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); @@ -2086,15 +2424,21 @@ static void digest_blake2b(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o uint64_t buf[16U] = { 0U }; if (vec256) { - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_256_s, { .case_Blake2B_256_s = buf0 } }); + s = + ( + (EverCrypt_Hash_state_s){ + .tag = EverCrypt_Hash_Blake2B_256_s, + { .case_Blake2B_256_s = buf0 } + } + ); } else { - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf } }); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = buf } }); } #else uint64_t buf[16U] = { 0U }; - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf } }); + s = ((EverCrypt_Hash_state_s){ .tag = EverCrypt_Hash_Blake2B_s, { .case_Blake2B_s = buf } }); #endif EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); @@ -2213,6 +2557,9 @@ Free a state previously allocated with `create_in`. */ void EverCrypt_Hash_Incremental_free(EverCrypt_Hash_Incremental_state_t *state) { + EverCrypt_Hash_state_s *block_state0 = (*state).block_state; + Spec_Hash_Definitions_hash_alg i1 = alg_of_state(block_state0); + KRML_MAYBE_UNUSED_VAR(i1); EverCrypt_Hash_Incremental_state_t scrut = *state; uint8_t *buf = scrut.buf; EverCrypt_Hash_state_s *block_state = scrut.block_state; diff --git a/src/EverCrypt_Poly1305.c b/src/EverCrypt_Poly1305.c index 33ee20f3..d649e071 100644 --- a/src/EverCrypt_Poly1305.c +++ b/src/EverCrypt_Poly1305.c @@ -25,6 +25,10 @@ #include "EverCrypt_Poly1305.h" +#include "Hacl_MAC_Poly1305_Simd256.h" +#include "Hacl_MAC_Poly1305_Simd128.h" +#include "Hacl_MAC_Poly1305.h" +#include "EverCrypt_AutoConfig2.h" #include "internal/Vale.h" #include "config.h" diff --git a/src/Hacl_AEAD_Chacha20Poly1305.c b/src/Hacl_AEAD_Chacha20Poly1305.c index d5926093..d78add74 100644 --- a/src/Hacl_AEAD_Chacha20Poly1305.c +++ b/src/Hacl_AEAD_Chacha20Poly1305.c @@ -25,6 +25,7 @@ #include "Hacl_AEAD_Chacha20Poly1305.h" +#include "Hacl_Chacha20.h" #include "internal/Hacl_MAC_Poly1305.h" #include "internal/Hacl_Krmllib.h" diff --git a/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c b/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c index 0cfa41fd..796db85e 100644 --- a/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c +++ b/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c @@ -25,6 +25,7 @@ #include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" +#include "Hacl_Chacha20_Vec128.h" #include "internal/Hacl_MAC_Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" #include "libintvector.h" diff --git a/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c b/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c index 28414516..452e5b4c 100644 --- a/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c +++ b/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c @@ -25,6 +25,7 @@ #include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" +#include "Hacl_Chacha20_Vec256.h" #include "internal/Hacl_MAC_Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" #include "libintvector.h" diff --git a/src/Hacl_Bignum.c b/src/Hacl_Bignum.c index 568bcc26..0f1706bc 100644 --- a/src/Hacl_Bignum.c +++ b/src/Hacl_Bignum.c @@ -25,6 +25,7 @@ #include "internal/Hacl_Bignum.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" @@ -832,7 +833,7 @@ uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m1 = acc; return m0 & m1; @@ -1023,7 +1024,7 @@ uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; return m0 & m1; @@ -1415,7 +1416,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m10 = acc0; uint32_t m00 = m0 & m10; @@ -1442,7 +1443,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( { uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t res = acc; m1 = res; @@ -1456,7 +1457,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t m = m1 & m2; @@ -1809,7 +1810,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m10 = acc0; uint64_t m00 = m0 & m10; @@ -1836,7 +1837,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; m1 = res; @@ -1850,7 +1851,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t m = m1 & m2; diff --git a/src/Hacl_Bignum256.c b/src/Hacl_Bignum256.c index 54bbc88a..332fb0cf 100644 --- a/src/Hacl_Bignum256.c +++ b/src/Hacl_Bignum256.c @@ -25,6 +25,8 @@ #include "Hacl_Bignum256.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -512,7 +514,7 @@ bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res) 1U, uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t m1 = acc; uint64_t is_valid_m = m0 & m1; uint32_t nBits = 64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(4U, n); @@ -544,7 +546,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc0 = (beq & acc0) | (~beq & blt);); uint64_t m10 = acc0; uint64_t m00 = m0 & m10; uint32_t bLen; @@ -570,7 +572,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; m1 = res; @@ -586,7 +588,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t m2 = acc; uint64_t m = m1 & m2; return m00 & m; @@ -990,7 +992,7 @@ bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *re 1U, uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc0 = (beq & acc0) | (~beq & blt);); uint64_t m1 = acc0; uint64_t m00 = m0 & m1; uint64_t bn_zero[4U] = { 0U }; @@ -1011,7 +1013,7 @@ bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *re 1U, uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t m2 = acc; uint64_t is_valid_m = (m00 & ~m10) & m2; uint32_t nBits = 64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(4U, n); @@ -1076,7 +1078,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_ (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1351,7 +1356,7 @@ uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); return acc; } diff --git a/src/Hacl_Bignum256_32.c b/src/Hacl_Bignum256_32.c index eed6c65c..ff311e00 100644 --- a/src/Hacl_Bignum256_32.c +++ b/src/Hacl_Bignum256_32.c @@ -25,6 +25,7 @@ #include "Hacl_Bignum256_32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -532,7 +533,7 @@ bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) 1U, uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); uint32_t m1 = acc; uint32_t is_valid_m = m0 & m1; uint32_t nBits = 32U * Hacl_Bignum_Lib_bn_get_top_index_u32(8U, n); @@ -564,7 +565,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) 1U, uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc0 = (beq & acc0) | (~beq & blt);); uint32_t m10 = acc0; uint32_t m00 = m0 & m10; uint32_t bLen; @@ -590,7 +591,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t res = acc; m1 = res; @@ -606,7 +607,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) 1U, uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); uint32_t m2 = acc; uint32_t m = m1 & m2; return m00 & m; @@ -1010,7 +1011,7 @@ bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t 1U, uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc0 = (beq & acc0) | (~beq & blt);); uint32_t m1 = acc0; uint32_t m00 = m0 & m1; uint32_t bn_zero[8U] = { 0U }; @@ -1031,7 +1032,7 @@ bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t 1U, uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); uint32_t m2 = acc; uint32_t is_valid_m = (m00 & ~m10) & m2; uint32_t nBits = 32U * Hacl_Bignum_Lib_bn_get_top_index_u32(8U, n); @@ -1110,7 +1111,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1399,7 +1403,7 @@ uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b) 1U, uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); return acc; } diff --git a/src/Hacl_Bignum32.c b/src/Hacl_Bignum32.c index 34b46324..8c895b43 100644 --- a/src/Hacl_Bignum32.c +++ b/src/Hacl_Bignum32.c @@ -25,6 +25,7 @@ #include "Hacl_Bignum32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -46,9 +47,18 @@ of `len` unsigned 32-bit integers, i.e. uint32_t[len]. /** Write `a + b mod 2 ^ (32 * len)` in `res`. - This functions returns the carry. - - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + This function returns the carry. + + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly equal memory + location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -60,7 +70,16 @@ Write `a - b mod 2 ^ (32 * len)` in `res`. This functions returns the carry. - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -70,12 +89,23 @@ uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res /** Write `(a + b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -85,12 +115,23 @@ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, /** Write `(a - b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -100,8 +141,13 @@ void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, /** Write `a * b` in `res`. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `b` and `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory locations of `a` and `b`. */ void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -114,8 +160,10 @@ void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) /** Write `a * a` in `res`. - The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory location of `a`. */ void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res) { @@ -149,13 +197,19 @@ bn_slow_precomp( /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • 1 < n - • n % 2 = 1 + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `n`. + + @return `false` if any precondition is violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `1 < n` + - `n % 2 = 1` */ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { @@ -171,7 +225,7 @@ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m1 = acc; uint32_t is_valid_m = m0 & m1; @@ -195,22 +249,30 @@ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_vartime( @@ -238,22 +300,30 @@ Hacl_Bignum32_mod_exp_vartime( /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is constant-time over its argument `b`, at the cost of a slower + execution time than `mod_exp_vartime_*`. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_consttime( @@ -281,18 +351,23 @@ Hacl_Bignum32_mod_exp_consttime( /** Write `a ^ (-1) mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • 0 < a - • a < n + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `n`. + + @return `false` if any preconditions (except the precondition: `n` is a prime) + are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `n % 2 = 1` + - `1 < n` + - `0 < a` + - `a < n` */ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { @@ -308,7 +383,7 @@ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m1 = acc0; uint32_t m00 = m0 & m1; @@ -329,7 +404,7 @@ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t is_valid_m = (m00 & ~m10) & m2; @@ -393,15 +468,16 @@ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, /** Heap-allocate and initialize a montgomery context. - The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + @param n Points to `len` number of limbs, i.e. `uint32_t[len]`. - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n % 2 = 1 - • 1 < n - - The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value - to avoid memory leaks. + @return A pointer to an allocated and initialized Montgomery context is returned. + Clients will need to call `Hacl_Bignum32_mont_ctx_free` on the return value to + avoid memory leaks. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` */ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n) @@ -422,14 +498,17 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } /** Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. */ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { @@ -444,9 +523,11 @@ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. */ void Hacl_Bignum32_mod_precomp( @@ -464,21 +545,25 @@ Hacl_Bignum32_mod_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_vartime_precomp( @@ -505,21 +590,25 @@ Hacl_Bignum32_mod_exp_vartime_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime_*. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + execution time than `mod_exp_vartime_*`. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_consttime_precomp( @@ -546,14 +635,17 @@ Hacl_Bignum32_mod_exp_consttime_precomp( /** Write `a ^ (-1) mod n` in `res`. - The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - • 0 < a - • a < n + @param[in] k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `0 < a` + - `a < n` */ void Hacl_Bignum32_mod_inv_prime_vartime_precomp( @@ -623,13 +715,13 @@ Hacl_Bignum32_mod_inv_prime_vartime_precomp( /** Load a bid-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) { @@ -664,13 +756,13 @@ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) /** Load a little-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) { @@ -707,8 +799,11 @@ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) /** Serialize a bignum into big-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) { @@ -727,8 +822,11 @@ void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) /** Serialize a bignum into little-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) { @@ -753,7 +851,11 @@ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) /** Returns 2^32 - 1 if a < b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if `a < b`, otherwise, `0`. */ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) { @@ -762,7 +864,7 @@ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } return acc; } @@ -770,7 +872,11 @@ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) /** Returns 2^32 - 1 if a = b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if a = b, otherwise, `0`. */ uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b) { diff --git a/src/Hacl_Bignum4096.c b/src/Hacl_Bignum4096.c index 3572db07..c86cfff0 100644 --- a/src/Hacl_Bignum4096.c +++ b/src/Hacl_Bignum4096.c @@ -25,6 +25,8 @@ #include "Hacl_Bignum4096.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -459,7 +461,7 @@ bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; uint64_t is_valid_m = m0 & m1; @@ -490,7 +492,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m10 = acc0; uint64_t m00 = m0 & m10; @@ -517,7 +519,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; m1 = res; @@ -531,7 +533,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t m = m1 & m2; @@ -930,7 +932,7 @@ bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *r { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m1 = acc0; uint64_t m00 = m0 & m1; @@ -949,7 +951,7 @@ bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *r { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t is_valid_m = (m00 & ~m10) & m2; @@ -1031,7 +1033,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1326,7 +1331,7 @@ uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } return acc; } diff --git a/src/Hacl_Bignum4096_32.c b/src/Hacl_Bignum4096_32.c index 1a8b361c..0d7e822e 100644 --- a/src/Hacl_Bignum4096_32.c +++ b/src/Hacl_Bignum4096_32.c @@ -25,6 +25,7 @@ #include "Hacl_Bignum4096_32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -451,7 +452,7 @@ bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m1 = acc; uint32_t is_valid_m = m0 & m1; @@ -482,7 +483,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m10 = acc0; uint32_t m00 = m0 & m10; @@ -509,7 +510,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t res = acc; m1 = res; @@ -523,7 +524,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t m = m1 & m2; @@ -922,7 +923,7 @@ bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m1 = acc0; uint32_t m00 = m0 & m1; @@ -941,7 +942,7 @@ bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t is_valid_m = (m00 & ~m10) & m2; @@ -1023,7 +1024,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uin (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1317,7 +1321,7 @@ uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } return acc; } diff --git a/src/Hacl_Bignum64.c b/src/Hacl_Bignum64.c index f8f5bb6f..56e46c11 100644 --- a/src/Hacl_Bignum64.c +++ b/src/Hacl_Bignum64.c @@ -25,6 +25,8 @@ #include "Hacl_Bignum64.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -170,7 +172,7 @@ bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; uint64_t is_valid_m = m0 & m1; @@ -307,7 +309,7 @@ bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m1 = acc0; uint64_t m00 = m0 & m1; @@ -328,7 +330,7 @@ bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t is_valid_m = (m00 & ~m10) & m2; @@ -421,7 +423,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -761,7 +766,7 @@ uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } return acc; } diff --git a/src/Hacl_Curve25519_51.c b/src/Hacl_Curve25519_51.c index ca561e89..6b07047b 100644 --- a/src/Hacl_Curve25519_51.c +++ b/src/Hacl_Curve25519_51.c @@ -25,6 +25,7 @@ #include "internal/Hacl_Curve25519_51.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum25519_51.h" diff --git a/src/Hacl_Curve25519_64.c b/src/Hacl_Curve25519_64.c index edcab306..6022609b 100644 --- a/src/Hacl_Curve25519_64.c +++ b/src/Hacl_Curve25519_64.c @@ -25,6 +25,7 @@ #include "Hacl_Curve25519_64.h" +#include "Hacl_Krmllib.h" #include "internal/Vale.h" #include "internal/Hacl_Krmllib.h" #include "config.h" diff --git a/src/Hacl_EC_Ed25519.c b/src/Hacl_EC_Ed25519.c index 6ab24a33..0ed3a8c0 100644 --- a/src/Hacl_EC_Ed25519.c +++ b/src/Hacl_EC_Ed25519.c @@ -25,6 +25,7 @@ #include "Hacl_EC_Ed25519.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Ed25519.h" #include "internal/Hacl_Bignum25519_51.h" diff --git a/src/Hacl_Ed25519.c b/src/Hacl_Ed25519.c index d1f8edf2..3da362f6 100644 --- a/src/Hacl_Ed25519.c +++ b/src/Hacl_Ed25519.c @@ -25,6 +25,10 @@ #include "internal/Hacl_Ed25519.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA2.h" #include "internal/Hacl_Ed25519_PrecompTable.h" @@ -509,11 +513,7 @@ static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) Hacl_Bignum25519_reduce_513(t01); reduce(t01); bool z1 = is_0(t01); - if (z1 == false) - { - res = false; - } - else + if (z1) { uint64_t *x32 = tmp + 5U; uint64_t *t0 = tmp + 10U; @@ -534,6 +534,10 @@ static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) memcpy(x, x32, 5U * sizeof (uint64_t)); res = true; } + else + { + res = false; + } } } bool res0 = res; @@ -551,11 +555,7 @@ bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t * Hacl_Bignum25519_load_51(y, s); bool z0 = recover_x(x, y, sign); bool res; - if (z0 == false) - { - res = false; - } - else + if (z0) { uint64_t *outx = out; uint64_t *outy = out + 5U; @@ -571,6 +571,10 @@ bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t * fmul0(outt, x, y); res = true; } + else + { + res = false; + } bool res0 = res; return res0; } @@ -1150,11 +1154,7 @@ static inline bool gte_q(uint64_t *s) { return false; } - if (s3 > 0x00000000000000ULL) - { - return true; - } - if (s2 > 0x000000000014deULL) + if (s3 > 0x00000000000000ULL || s2 > 0x000000000014deULL) { return true; } @@ -1170,11 +1170,7 @@ static inline bool gte_q(uint64_t *s) { return false; } - if (s0 >= 0x12631a5cf5d3edULL) - { - return true; - } - return false; + return s0 >= 0x12631a5cf5d3edULL; } static inline bool eq(uint64_t *a, uint64_t *b) diff --git a/src/Hacl_FFDHE.c b/src/Hacl_FFDHE.c index 098aa607..90f24496 100644 --- a/src/Hacl_FFDHE.c +++ b/src/Hacl_FFDHE.c @@ -25,6 +25,8 @@ #include "Hacl_FFDHE.h" +#include "Hacl_Spec.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Impl_FFDHE_Constants.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -158,6 +160,7 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t p_n1[nLen]; memset(p_n1, 0U, nLen * sizeof (uint64_t)); uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, p_n[0U], 1ULL, p_n1); + uint64_t c1; if (1U < nLen) { uint64_t *a1 = p_n + 1U; @@ -184,13 +187,14 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, 0ULL, res_i); } - uint64_t c1 = c; - KRML_MAYBE_UNUSED_VAR(c1); + uint64_t c10 = c; + c1 = c10; } else { - KRML_MAYBE_UNUSED_VAR(c0); + c1 = c0; } + KRML_MAYBE_UNUSED_VAR(c1); KRML_CHECK_SIZE(sizeof (uint64_t), nLen); uint64_t b2[nLen]; memset(b2, 0U, nLen * sizeof (uint64_t)); @@ -202,7 +206,7 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui { uint64_t beq = FStar_UInt64_eq_mask(b2[i], pk_n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b2[i], pk_n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t res = acc0; uint64_t m0 = res; @@ -211,7 +215,7 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui { uint64_t beq = FStar_UInt64_eq_mask(pk_n[i], p_n1[i]); uint64_t blt = ~FStar_UInt64_gte_mask(pk_n[i], p_n1[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; return m0 & m1; diff --git a/src/Hacl_Frodo1344.c b/src/Hacl_Frodo1344.c index 9fe78471..54fe3377 100644 --- a/src/Hacl_Frodo1344.c +++ b/src/Hacl_Frodo1344.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo1344.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/Hacl_Frodo64.c b/src/Hacl_Frodo64.c index 19f1562d..ae4b1379 100644 --- a/src/Hacl_Frodo64.c +++ b/src/Hacl_Frodo64.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo64.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/Hacl_Frodo640.c b/src/Hacl_Frodo640.c index 8cf0253e..4b1c5980 100644 --- a/src/Hacl_Frodo640.c +++ b/src/Hacl_Frodo640.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo640.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/Hacl_Frodo976.c b/src/Hacl_Frodo976.c index 9360e3af..921bbc96 100644 --- a/src/Hacl_Frodo976.c +++ b/src/Hacl_Frodo976.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo976.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/Hacl_Frodo_KEM.c b/src/Hacl_Frodo_KEM.c index e0a65a47..263bdbba 100644 --- a/src/Hacl_Frodo_KEM.c +++ b/src/Hacl_Frodo_KEM.c @@ -25,11 +25,15 @@ #include "internal/Hacl_Frodo_KEM.h" +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Krmllib.h" void randombytes_(uint32_t len, uint8_t *res) { - Lib_RandomBuffer_System_randombytes(res, len); + bool b = Lib_RandomBuffer_System_randombytes(res, len); + KRML_MAYBE_UNUSED_VAR(b); } diff --git a/src/Hacl_GenericField32.c b/src/Hacl_GenericField32.c index f509e6d4..75d6a538 100644 --- a/src/Hacl_GenericField32.c +++ b/src/Hacl_GenericField32.c @@ -25,6 +25,7 @@ #include "Hacl_GenericField32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -91,7 +92,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } diff --git a/src/Hacl_GenericField64.c b/src/Hacl_GenericField64.c index 3f291d36..f679d5c9 100644 --- a/src/Hacl_GenericField64.c +++ b/src/Hacl_GenericField64.c @@ -25,6 +25,8 @@ #include "Hacl_GenericField64.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -90,7 +92,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } diff --git a/src/Hacl_HKDF.c b/src/Hacl_HKDF.c index 027b719f..159eb9f1 100644 --- a/src/Hacl_HKDF.c +++ b/src/Hacl_HKDF.c @@ -25,6 +25,8 @@ #include "Hacl_HKDF.h" +#include "Hacl_HMAC.h" + /** Expand pseudorandom key to desired length. diff --git a/src/Hacl_HKDF_Blake2b_256.c b/src/Hacl_HKDF_Blake2b_256.c index fe89115d..c005b8b4 100644 --- a/src/Hacl_HKDF_Blake2b_256.c +++ b/src/Hacl_HKDF_Blake2b_256.c @@ -25,6 +25,8 @@ #include "Hacl_HKDF_Blake2b_256.h" +#include "Hacl_HMAC_Blake2b_256.h" + /** Expand pseudorandom key to desired length. diff --git a/src/Hacl_HKDF_Blake2s_128.c b/src/Hacl_HKDF_Blake2s_128.c index 4c9e9450..fc727d35 100644 --- a/src/Hacl_HKDF_Blake2s_128.c +++ b/src/Hacl_HKDF_Blake2s_128.c @@ -25,6 +25,8 @@ #include "Hacl_HKDF_Blake2s_128.h" +#include "Hacl_HMAC_Blake2s_128.h" + /** Expand pseudorandom key to desired length. diff --git a/src/Hacl_HMAC.c b/src/Hacl_HMAC.c index b03bc7ac..d5aab54a 100644 --- a/src/Hacl_HMAC.c +++ b/src/Hacl_HMAC.c @@ -25,12 +25,130 @@ #include "internal/Hacl_HMAC.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b.h" #include "internal/Hacl_Krmllib.h" +#include "internal/Hacl_Hash_SHA3.h" #include "internal/Hacl_Hash_SHA2.h" #include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Hash_Blake2b.h" +/** +Write the HMAC-MD5 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 byte. +`dst` must point to 16 bytes of memory. +*/ +void +Hacl_HMAC_compute_md5( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 64U) + { + ite = key_len; + } + else + { + ite = 16U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_MD5_hash_oneshot(nkey, key, key_len); + } + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint32_t s[4U] = { 0x67452301U, 0xefcdab89U, 0x98badcfeU, 0x10325476U }; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_MD5_update_last(s, 0ULL, ipad, 64U); + } + else + { + uint32_t block_len = 64U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_MD5_update_multi(s, ipad, 1U); + Hacl_Hash_MD5_update_multi(s, full_blocks, n_blocks); + Hacl_Hash_MD5_update_last(s, (uint64_t)64U + (uint64_t)full_blocks_len, rem, rem_len); + } + Hacl_Hash_MD5_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_MD5_init(s); + uint32_t block_len = 64U; + uint32_t n_blocks0 = 16U / block_len; + uint32_t rem0 = 16U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 16U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_MD5_update_multi(s, opad, 1U); + Hacl_Hash_MD5_update_multi(s, full_blocks, n_blocks); + Hacl_Hash_MD5_update_last(s, (uint64_t)64U + (uint64_t)full_blocks_len, rem, rem_len); + Hacl_Hash_MD5_finish(s, dst); +} + /** Write the HMAC-SHA-1 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -46,10 +164,8 @@ Hacl_HMAC_compute_sha1( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -70,19 +186,17 @@ Hacl_HMAC_compute_sha1( { Hacl_Hash_SHA1_hash_oneshot(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -145,6 +259,130 @@ Hacl_HMAC_compute_sha1( Hacl_Hash_SHA1_finish(s, dst); } +/** +Write the HMAC-SHA-2-224 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. +`dst` must point to 28 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha2_224( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 64U) + { + ite = key_len; + } + else + { + ite = 28U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_224(nkey, key, key_len); + } + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint32_t st[8U] = { 0U }; + KRML_MAYBE_FOR8(i, + 0U, + 8U, + 1U, + uint32_t *os = st; + uint32_t x = Hacl_Hash_SHA2_h224[i]; + os[i] = x;); + uint32_t *s = st; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_SHA2_sha224_update_last(0ULL + (uint64_t)64U, 64U, ipad, s); + } + else + { + uint32_t block_len = 64U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA2_sha224_update_nblocks(64U, ipad, s); + Hacl_Hash_SHA2_sha224_update_nblocks(n_blocks * 64U, full_blocks, s); + Hacl_Hash_SHA2_sha224_update_last((uint64_t)64U + (uint64_t)full_blocks_len + (uint64_t)rem_len, + rem_len, + rem, + s); + } + Hacl_Hash_SHA2_sha224_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA2_sha224_init(s); + uint32_t block_len = 64U; + uint32_t n_blocks0 = 28U / block_len; + uint32_t rem0 = 28U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 28U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA2_sha224_update_nblocks(64U, opad, s); + Hacl_Hash_SHA2_sha224_update_nblocks(n_blocks * 64U, full_blocks, s); + Hacl_Hash_SHA2_sha224_update_last((uint64_t)64U + (uint64_t)full_blocks_len + (uint64_t)rem_len, + rem_len, + rem, + s); + Hacl_Hash_SHA2_sha224_finish(s, dst); +} + /** Write the HMAC-SHA-2-256 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -160,10 +398,8 @@ Hacl_HMAC_compute_sha2_256( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -184,19 +420,17 @@ Hacl_HMAC_compute_sha2_256( { Hacl_Hash_SHA2_hash_256(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -288,10 +522,8 @@ Hacl_HMAC_compute_sha2_384( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -312,19 +544,17 @@ Hacl_HMAC_compute_sha2_384( { Hacl_Hash_SHA2_hash_384(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -424,10 +654,8 @@ Hacl_HMAC_compute_sha2_512( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -448,19 +676,17 @@ Hacl_HMAC_compute_sha2_512( { Hacl_Hash_SHA2_hash_512(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -546,13 +772,13 @@ Hacl_HMAC_compute_sha2_512( } /** -Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. +Write the HMAC-SHA-3-224 MAC of a message (`data`) by using a key (`key`) into `dst`. -The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. -`dst` must point to 32 bytes of memory. +The key can be any length and will be hashed if it is longer and padded if it is shorter than 144 bytes. +`dst` must point to 28 bytes of memory. */ void -Hacl_HMAC_compute_blake2s_32( +Hacl_HMAC_compute_sha3_224( uint8_t *dst, uint8_t *key, uint32_t key_len, @@ -560,60 +786,53 @@ Hacl_HMAC_compute_blake2s_32( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[144U]; + memset(key_block, 0U, 144U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; - if (key_len <= 64U) + if (key_len <= 144U) { ite = key_len; } else { - ite = 32U; + ite = 28U; } uint8_t *zeroes = key_block + ite; KRML_MAYBE_UNUSED_VAR(zeroes); - if (key_len <= 64U) + if (key_len <= 144U) { memcpy(nkey, key, key_len * sizeof (uint8_t)); } else { - Hacl_Hash_Blake2s_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); + Hacl_Hash_SHA3_sha3_224(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[144U]; + memset(ipad, 0x36U, 144U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 144U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[144U]; + memset(opad, 0x5cU, 144U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 144U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; opad[i] = (uint32_t)xi ^ (uint32_t)yi; } - uint32_t s[16U] = { 0U }; - Hacl_Hash_Blake2s_init(s, 0U, 32U); - uint32_t *s0 = s; + uint64_t s[25U] = { 0U }; uint8_t *dst1 = ipad; if (data_len == 0U) { - uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, s, ipad, 144U); } else { - uint32_t block_len = 64U; + uint32_t block_len = 144U; uint32_t n_blocks0 = data_len / block_len; uint32_t rem0 = data_len % block_len; K___uint32_t_uint32_t scrut; @@ -631,34 +850,29 @@ Hacl_HMAC_compute_blake2s_32( uint32_t full_blocks_len = n_blocks * block_len; uint8_t *full_blocks = data; uint8_t *rem = data + full_blocks_len; - uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, ipad, 1U); - uint32_t wv0[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, - wv0, - s0, - (uint64_t)block_len, - full_blocks, - n_blocks); - uint32_t wv1[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(rem_len, - wv1, - s0, - (uint64_t)64U + (uint64_t)full_blocks_len, - rem_len, - rem); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, s, rem, rem_len); } - Hacl_Hash_Blake2s_finish(32U, dst1, s0); + uint32_t remOut = 28U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 28U - remOut, hbuf0, remOut * sizeof (uint8_t)); uint8_t *hash1 = ipad; - Hacl_Hash_Blake2s_init(s0, 0U, 32U); - uint32_t block_len = 64U; - uint32_t n_blocks0 = 32U / block_len; - uint32_t rem0 = 32U % block_len; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_224, s); + uint32_t block_len = 144U; + uint32_t n_blocks0 = 28U / block_len; + uint32_t rem0 = 28U % block_len; K___uint32_t_uint32_t scrut; if (n_blocks0 > 0U && rem0 == 0U) { uint32_t n_blocks_ = n_blocks0 - 1U; - scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 32U - n_blocks_ * block_len }); + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 28U - n_blocks_ * block_len }); } else { @@ -669,33 +883,28 @@ Hacl_HMAC_compute_blake2s_32( uint32_t full_blocks_len = n_blocks * block_len; uint8_t *full_blocks = hash1; uint8_t *rem = hash1 + full_blocks_len; - uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, opad, 1U); - uint32_t wv0[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, - wv0, - s0, - (uint64_t)block_len, - full_blocks, - n_blocks); - uint32_t wv1[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(rem_len, - wv1, - s0, - (uint64_t)64U + (uint64_t)full_blocks_len, - rem_len, - rem); - Hacl_Hash_Blake2s_finish(32U, dst, s0); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, s, rem, rem_len); + uint32_t remOut0 = 28U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 28U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); } /** -Write the HMAC-BLAKE2b MAC of a message (`data`) by using a key (`key`) into `dst`. +Write the HMAC-SHA-3-256 MAC of a message (`data`) by using a key (`key`) into `dst`. -The key can be any length and will be hashed if it is longer and padded if it is shorter than 128 bytes. -`dst` must point to 64 bytes of memory. +The key can be any length and will be hashed if it is longer and padded if it is shorter than 136 bytes. +`dst` must point to 32 bytes of memory. */ void -Hacl_HMAC_compute_blake2b_32( +Hacl_HMAC_compute_sha3_256( uint8_t *dst, uint8_t *key, uint32_t key_len, @@ -703,56 +912,577 @@ Hacl_HMAC_compute_blake2b_32( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[136U]; + memset(key_block, 0U, 136U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; - if (key_len <= 128U) + if (key_len <= 136U) { ite = key_len; } else { - ite = 64U; + ite = 32U; } uint8_t *zeroes = key_block + ite; KRML_MAYBE_UNUSED_VAR(zeroes); - if (key_len <= 128U) + if (key_len <= 136U) { memcpy(nkey, key, key_len * sizeof (uint8_t)); } else { - Hacl_Hash_Blake2b_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); + Hacl_Hash_SHA3_sha3_256(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[136U]; + memset(ipad, 0x36U, 136U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 136U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[136U]; + memset(opad, 0x5cU, 136U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 136U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; opad[i] = (uint32_t)xi ^ (uint32_t)yi; } - uint64_t s[16U] = { 0U }; - Hacl_Hash_Blake2b_init(s, 0U, 64U); - uint64_t *s0 = s; + uint64_t s[25U] = { 0U }; uint8_t *dst1 = ipad; if (data_len == 0U) { - uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, s, ipad, 136U); + } + else + { + uint32_t block_len = 136U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, s, rem, rem_len); + } + uint32_t remOut = 32U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 32U - remOut, hbuf0, remOut * sizeof (uint8_t)); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_256, s); + uint32_t block_len = 136U; + uint32_t n_blocks0 = 32U / block_len; + uint32_t rem0 = 32U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 32U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, s, rem, rem_len); + uint32_t remOut0 = 32U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 32U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); +} + +/** +Write the HMAC-SHA-3-384 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 104 bytes. +`dst` must point to 48 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[104U]; + memset(key_block, 0U, 104U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 104U) + { + ite = key_len; + } + else + { + ite = 48U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 104U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA3_sha3_384(nkey, key, key_len); + } + uint8_t ipad[104U]; + memset(ipad, 0x36U, 104U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 104U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[104U]; + memset(opad, 0x5cU, 104U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 104U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint64_t s[25U] = { 0U }; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, s, ipad, 104U); + } + else + { + uint32_t block_len = 104U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, s, rem, rem_len); + } + uint32_t remOut = 48U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 48U - remOut, hbuf0, remOut * sizeof (uint8_t)); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_384, s); + uint32_t block_len = 104U; + uint32_t n_blocks0 = 48U / block_len; + uint32_t rem0 = 48U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 48U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, s, rem, rem_len); + uint32_t remOut0 = 48U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 48U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); +} + +/** +Write the HMAC-SHA-3-512 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 72 bytes. +`dst` must point to 64 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[72U]; + memset(key_block, 0U, 72U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 72U) + { + ite = key_len; + } + else + { + ite = 64U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 72U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA3_sha3_512(nkey, key, key_len); + } + uint8_t ipad[72U]; + memset(ipad, 0x36U, 72U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 72U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[72U]; + memset(opad, 0x5cU, 72U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 72U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint64_t s[25U] = { 0U }; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, s, ipad, 72U); + } + else + { + uint32_t block_len = 72U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, s, rem, rem_len); + } + uint32_t remOut = 64U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 64U - remOut, hbuf0, remOut * sizeof (uint8_t)); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_512, s); + uint32_t block_len = 72U; + uint32_t n_blocks0 = 64U / block_len; + uint32_t rem0 = 64U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 64U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, s, rem, rem_len); + uint32_t remOut0 = 64U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 64U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); +} + +/** +Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. +`dst` must point to 32 bytes of memory. +*/ +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 64U) + { + ite = key_len; + } + else + { + ite = 32U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2s_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); + } + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint32_t s[16U] = { 0U }; + Hacl_Hash_Blake2s_init(s, 0U, 32U); + uint32_t *s0 = s; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); + } + else + { + uint32_t block_len = 64U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, ipad, 1U); + uint32_t wv0[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, + wv0, + s0, + (uint64_t)block_len, + full_blocks, + n_blocks); + uint32_t wv1[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(rem_len, + wv1, + s0, + false, + (uint64_t)64U + (uint64_t)full_blocks_len, + rem_len, + rem); + } + Hacl_Hash_Blake2s_finish(32U, dst1, s0); + uint8_t *hash1 = ipad; + Hacl_Hash_Blake2s_init(s0, 0U, 32U); + uint32_t block_len = 64U; + uint32_t n_blocks0 = 32U / block_len; + uint32_t rem0 = 32U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 32U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, opad, 1U); + uint32_t wv0[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, + wv0, + s0, + (uint64_t)block_len, + full_blocks, + n_blocks); + uint32_t wv1[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(rem_len, + wv1, + s0, + false, + (uint64_t)64U + (uint64_t)full_blocks_len, + rem_len, + rem); + Hacl_Hash_Blake2s_finish(32U, dst, s0); +} + +/** +Write the HMAC-BLAKE2b MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 128 bytes. +`dst` must point to 64 bytes of memory. +*/ +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 128U) + { + ite = key_len; + } + else + { + ite = 64U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2b_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); + } + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint64_t s[16U] = { 0U }; + Hacl_Hash_Blake2b_init(s, 0U, 64U); + uint64_t *s0 = s; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + uint64_t wv[16U] = { 0U }; + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -787,6 +1517,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -826,6 +1557,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/Hacl_HMAC_Blake2b_256.c b/src/Hacl_HMAC_Blake2b_256.c index 6197490a..84476d8b 100644 --- a/src/Hacl_HMAC_Blake2b_256.c +++ b/src/Hacl_HMAC_Blake2b_256.c @@ -25,6 +25,8 @@ #include "Hacl_HMAC_Blake2b_256.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_HMAC.h" @@ -44,10 +46,8 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -68,19 +68,17 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( { Hacl_Hash_Blake2b_Simd256_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -96,6 +94,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(128U, wv, s0, + false, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); @@ -138,6 +137,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -182,6 +182,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/Hacl_HMAC_Blake2s_128.c b/src/Hacl_HMAC_Blake2s_128.c index 0741bffb..96248edc 100644 --- a/src/Hacl_HMAC_Blake2s_128.c +++ b/src/Hacl_HMAC_Blake2s_128.c @@ -25,6 +25,7 @@ #include "Hacl_HMAC_Blake2s_128.h" +#include "Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_HMAC.h" @@ -43,10 +44,8 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t key_block[l]; - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -67,19 +66,17 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( { Hacl_Hash_Blake2s_Simd128_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t ipad[l]; - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t opad[l]; - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -92,7 +89,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( if (data_len == 0U) { KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -127,6 +124,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -165,6 +163,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); diff --git a/src/Hacl_HMAC_DRBG.c b/src/Hacl_HMAC_DRBG.c index 13de88bc..0e89f352 100644 --- a/src/Hacl_HMAC_DRBG.c +++ b/src/Hacl_HMAC_DRBG.c @@ -25,6 +25,9 @@ #include "Hacl_HMAC_DRBG.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_HMAC.h" + uint32_t Hacl_HMAC_DRBG_reseed_interval = 1024U; uint32_t Hacl_HMAC_DRBG_max_output_length = 65536U; @@ -154,7 +157,10 @@ Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a) } } uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } return ((Hacl_HMAC_DRBG_state){ .k = k, .v = v, .reseed_counter = ctr }); } diff --git a/src/Hacl_HPKE_Curve51_CP128_SHA256.c b/src/Hacl_HPKE_Curve51_CP128_SHA256.c index e8df237e..f072d6e0 100644 --- a/src/Hacl_HPKE_Curve51_CP128_SHA256.c +++ b/src/Hacl_HPKE_Curve51_CP128_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP128_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve51_CP128_SHA512.c b/src/Hacl_HPKE_Curve51_CP128_SHA512.c index 62fce254..866cc944 100644 --- a/src/Hacl_HPKE_Curve51_CP128_SHA512.c +++ b/src/Hacl_HPKE_Curve51_CP128_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP128_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve51_CP256_SHA256.c b/src/Hacl_HPKE_Curve51_CP256_SHA256.c index 9862d19d..0ae21a20 100644 --- a/src/Hacl_HPKE_Curve51_CP256_SHA256.c +++ b/src/Hacl_HPKE_Curve51_CP256_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP256_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve51_CP256_SHA512.c b/src/Hacl_HPKE_Curve51_CP256_SHA512.c index cafcf2c7..cb73666f 100644 --- a/src/Hacl_HPKE_Curve51_CP256_SHA512.c +++ b/src/Hacl_HPKE_Curve51_CP256_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP256_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve51_CP32_SHA256.c b/src/Hacl_HPKE_Curve51_CP32_SHA256.c index 3db57fa8..480e3b0a 100644 --- a/src/Hacl_HPKE_Curve51_CP32_SHA256.c +++ b/src/Hacl_HPKE_Curve51_CP32_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP32_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve51_CP32_SHA512.c b/src/Hacl_HPKE_Curve51_CP32_SHA512.c index 84889570..a9d801a6 100644 --- a/src/Hacl_HPKE_Curve51_CP32_SHA512.c +++ b/src/Hacl_HPKE_Curve51_CP32_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP32_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve64_CP128_SHA256.c b/src/Hacl_HPKE_Curve64_CP128_SHA256.c index 742bc0da..49dc7db8 100644 --- a/src/Hacl_HPKE_Curve64_CP128_SHA256.c +++ b/src/Hacl_HPKE_Curve64_CP128_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP128_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve64_CP128_SHA512.c b/src/Hacl_HPKE_Curve64_CP128_SHA512.c index 915cc6ad..52523c10 100644 --- a/src/Hacl_HPKE_Curve64_CP128_SHA512.c +++ b/src/Hacl_HPKE_Curve64_CP128_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP128_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve64_CP256_SHA256.c b/src/Hacl_HPKE_Curve64_CP256_SHA256.c index c8f5148a..86a3e3f7 100644 --- a/src/Hacl_HPKE_Curve64_CP256_SHA256.c +++ b/src/Hacl_HPKE_Curve64_CP256_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP256_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve64_CP256_SHA512.c b/src/Hacl_HPKE_Curve64_CP256_SHA512.c index 2b581c0a..f22bd5c2 100644 --- a/src/Hacl_HPKE_Curve64_CP256_SHA512.c +++ b/src/Hacl_HPKE_Curve64_CP256_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP256_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve64_CP32_SHA256.c b/src/Hacl_HPKE_Curve64_CP32_SHA256.c index 7389f1f2..3a510c62 100644 --- a/src/Hacl_HPKE_Curve64_CP32_SHA256.c +++ b/src/Hacl_HPKE_Curve64_CP32_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP32_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_Curve64_CP32_SHA512.c b/src/Hacl_HPKE_Curve64_CP32_SHA512.c index 2ec61714..37a6fcc7 100644 --- a/src/Hacl_HPKE_Curve64_CP32_SHA512.c +++ b/src/Hacl_HPKE_Curve64_CP32_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP32_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/Hacl_HPKE_P256_CP128_SHA256.c b/src/Hacl_HPKE_P256_CP128_SHA256.c index 54a217fd..d2accdd0 100644 --- a/src/Hacl_HPKE_P256_CP128_SHA256.c +++ b/src/Hacl_HPKE_P256_CP128_SHA256.c @@ -25,6 +25,9 @@ #include "Hacl_HPKE_P256_CP128_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_P256.h" uint32_t diff --git a/src/Hacl_HPKE_P256_CP256_SHA256.c b/src/Hacl_HPKE_P256_CP256_SHA256.c index bccf781a..7473bb19 100644 --- a/src/Hacl_HPKE_P256_CP256_SHA256.c +++ b/src/Hacl_HPKE_P256_CP256_SHA256.c @@ -25,6 +25,9 @@ #include "Hacl_HPKE_P256_CP256_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_P256.h" uint32_t diff --git a/src/Hacl_HPKE_P256_CP32_SHA256.c b/src/Hacl_HPKE_P256_CP32_SHA256.c index fc132641..3b473710 100644 --- a/src/Hacl_HPKE_P256_CP32_SHA256.c +++ b/src/Hacl_HPKE_P256_CP32_SHA256.c @@ -25,6 +25,9 @@ #include "Hacl_HPKE_P256_CP32_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_P256.h" uint32_t diff --git a/src/Hacl_Hash_Base.c b/src/Hacl_Hash_Base.c index 02d893e3..78e6b915 100644 --- a/src/Hacl_Hash_Base.c +++ b/src/Hacl_Hash_Base.c @@ -25,6 +25,8 @@ #include "Hacl_Hash_Base.h" +#include "Hacl_Streaming_Types.h" + uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a) { switch (a) diff --git a/src/Hacl_Hash_Blake2b.c b/src/Hacl_Hash_Blake2b.c index d490a1a5..45c69de3 100644 --- a/src/Hacl_Hash_Blake2b.c +++ b/src/Hacl_Hash_Blake2b.c @@ -25,11 +25,21 @@ #include "internal/Hacl_Hash_Blake2b.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "lib_memzero0.h" static void -update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totlen, uint8_t *d) +update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + bool last_node, + FStar_UInt128_uint128 totlen, + uint8_t *d +) { uint64_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -52,7 +62,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)); mask[2U] = wv_14; @@ -560,86 +578,6 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r1[3U] = iv7_; } -static void init_with_params(uint64_t *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint64_t tmp[8U] = { 0U }; - uint64_t *r0 = hash; - uint64_t *r1 = hash + 4U; - uint64_t *r2 = hash + 8U; - uint64_t *r3 = hash + 12U; - uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; - uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; - uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; - uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; - uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; - uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; - uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; - uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; - r2[0U] = iv0; - r2[1U] = iv1; - r2[2U] = iv2; - r2[3U] = iv3; - r3[0U] = iv4; - r3[1U] = iv5; - r3[2U] = iv6; - r3[3U] = iv7; - uint8_t kk = p.key_length; - uint8_t nn = p.digest_length; - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - tmp[0U] = - (uint64_t)nn - ^ - ((uint64_t)kk - << 8U - ^ ((uint64_t)p.fanout << 16U ^ ((uint64_t)p.depth << 24U ^ (uint64_t)p.leaf_length << 32U))); - tmp[1U] = p.node_offset; - tmp[2U] = (uint64_t)p.node_depth ^ (uint64_t)p.inner_length << 8U; - tmp[3U] = 0ULL; - uint64_t tmp0 = tmp[0U]; - uint64_t tmp1 = tmp[1U]; - uint64_t tmp2 = tmp[2U]; - uint64_t tmp3 = tmp[3U]; - uint64_t tmp4 = tmp[4U]; - uint64_t tmp5 = tmp[5U]; - uint64_t tmp6 = tmp[6U]; - uint64_t tmp7 = tmp[7U]; - uint64_t iv0_ = iv0 ^ tmp0; - uint64_t iv1_ = iv1 ^ tmp1; - uint64_t iv2_ = iv2 ^ tmp2; - uint64_t iv3_ = iv3 ^ tmp3; - uint64_t iv4_ = iv4 ^ tmp4; - uint64_t iv5_ = iv5 ^ tmp5; - uint64_t iv6_ = iv6 ^ tmp6; - uint64_t iv7_ = iv7 ^ tmp7; - r0[0U] = iv0_; - r0[1U] = iv1_; - r0[2U] = iv2_; - r0[3U] = iv3_; - r1[0U] = iv4_; - r1[1U] = iv5_; - r1[2U] = iv6_; - r1[3U] = iv7_; -} - static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) { FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)128U); @@ -647,11 +585,11 @@ static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -674,7 +612,7 @@ Hacl_Hash_Blake2b_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -683,6 +621,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -693,7 +632,7 @@ Hacl_Hash_Blake2b_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -727,7 +666,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -762,46 +701,207 @@ void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) } static Hacl_Hash_Blake2b_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); - uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (buf == NULL) { - ite = 128U; + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *wv0 = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2b_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2b_state_t - *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 128U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2b_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2b_state_t + *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint64_t *b = block_state1.f3.snd; + uint64_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint64_t *h = block_state1.f3.snd; + uint32_t kk20 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk20 == 0U)) + { + uint8_t *sub_b = buf1 + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk20 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint64_t tmp[8U] = { 0U }; + uint64_t *r0 = h; + uint64_t *r1 = h + 4U; + uint64_t *r2 = h + 8U; + uint64_t *r3 = h + 12U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ + ((uint64_t)pv.fanout + << 16U + ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -820,14 +920,16 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** @@ -844,7 +946,7 @@ The caller must satisfy the following requirements. Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params @@ -855,7 +957,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, k); + Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, false, k); return s; } @@ -871,39 +973,117 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_state_t *s) { - Hacl_Hash_Blake2b_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } -static void -reset_raw( - Hacl_Hash_Blake2b_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +static void reset_raw(Hacl_Hash_Blake2b_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i1.key_length; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint64_t *h = block_state.f3.snd; + uint32_t kk20 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (!(kk20 == 0U)) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + uint8_t *sub_b = buf + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf, k_1, kk20 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint64_t tmp[8U] = { 0U }; + uint64_t *r0 = h; + uint64_t *r1 = h + 4U; + uint64_t *r2 = h + 8U; + uint64_t *r3 = h + 12U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ ((uint64_t)pv.fanout << 16U ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -915,13 +1095,13 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2b_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -933,8 +1113,9 @@ Hacl_Hash_Blake2b_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** @@ -957,7 +1138,7 @@ void Hacl_Hash_Blake2b_reset_with_key(Hacl_Hash_Blake2b_state_t *s, uint8_t *k) .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** @@ -997,7 +1178,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (chunk_len <= 128U - sz) { Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -1025,7 +1206,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 else if (sz == 0U) { Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -1040,7 +1221,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1065,7 +1246,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1093,7 +1274,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -1118,7 +1299,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 } ); Hacl_Hash_Blake2b_state_t s10 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -1133,7 +1314,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1159,7 +1340,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1190,17 +1371,21 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_state_t scrut = *state; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1215,11 +1400,16 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) uint8_t *buf_1 = buf_; uint64_t wv0[16U] = { 0U }; uint64_t b[16U] = { 0U }; - Hacl_Hash_Blake2b_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint64_t *src_b = block_state.thd.snd; - uint64_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint64_t *src_b = block_state.f3.snd; + uint64_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1233,7 +1423,7 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint64_t___uint64_t_ acc0 = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc0 = tmp_block_state.f3; uint64_t *wv1 = acc0.fst; uint64_t *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1244,17 +1434,35 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint64_t___uint64_t_ acc = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; Hacl_Hash_Blake2b_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1264,9 +1472,9 @@ void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state) { Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; - uint64_t *b = block_state.thd.snd; - uint64_t *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = scrut.block_state; + uint64_t *b = block_state.f3.snd; + uint64_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1279,27 +1487,110 @@ void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state) Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_copy(Hacl_Hash_Blake2b_state_t *state) { Hacl_Hash_Blake2b_state_t scrut = *state; - Hacl_Hash_Blake2b_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 128U * sizeof (uint8_t)); - uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint64_t *src_b = block_state0.thd.snd; - uint64_t *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); - Hacl_Hash_Blake2b_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2b_state_t - *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); - p[0U] = s; - return p; + uint64_t *wv0 = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = block_state.v; + uint64_t *src_b = block_state0.f3.snd; + uint64_t *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2b_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2b_state_t + *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint64_t *b = block_state1.f3.snd; + uint64_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1335,10 +1626,10 @@ Hacl_Hash_Blake2b_hash_with_key( Write the BLAKE2b digest of message `input` using key `key` and parameters `params` into `output`. The `key` array must be of length `params.key_length`. The `output` array must be of length -`params.digest_length`. +`params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_Blake2b_Simd256.c b/src/Hacl_Hash_Blake2b_Simd256.c index 0afd93bc..d74616e8 100644 --- a/src/Hacl_Hash_Blake2b_Simd256.c +++ b/src/Hacl_Hash_Blake2b_Simd256.c @@ -25,6 +25,10 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" @@ -34,6 +38,7 @@ update_block( Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, bool flag, + bool last_node, FStar_UInt128_uint128 totlen, uint8_t *d ) @@ -59,7 +64,15 @@ update_block( { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask = Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)), @@ -289,75 +302,6 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } -static void -init_with_params(Lib_IntVector_Intrinsics_vec256 *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint64_t tmp[8U] = { 0U }; - Lib_IntVector_Intrinsics_vec256 *r0 = hash; - Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; - Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; - Lib_IntVector_Intrinsics_vec256 *r3 = hash + 3U; - uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; - uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; - uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; - uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; - uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; - uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; - uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; - uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; - r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); - r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint8_t kk = p.key_length; - uint8_t nn = p.digest_length; - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - tmp[0U] = - (uint64_t)nn - ^ - ((uint64_t)kk - << 8U - ^ ((uint64_t)p.fanout << 16U ^ ((uint64_t)p.depth << 24U ^ (uint64_t)p.leaf_length << 32U))); - tmp[1U] = p.node_offset; - tmp[2U] = (uint64_t)p.node_depth ^ (uint64_t)p.inner_length << 8U; - tmp[3U] = 0ULL; - uint64_t tmp0 = tmp[0U]; - uint64_t tmp1 = tmp[1U]; - uint64_t tmp2 = tmp[2U]; - uint64_t tmp3 = tmp[3U]; - uint64_t tmp4 = tmp[4U]; - uint64_t tmp5 = tmp[5U]; - uint64_t tmp6 = tmp[6U]; - uint64_t tmp7 = tmp[7U]; - uint64_t iv0_ = iv0 ^ tmp0; - uint64_t iv1_ = iv1 ^ tmp1; - uint64_t iv2_ = iv2 ^ tmp2; - uint64_t iv3_ = iv3 ^ tmp3; - uint64_t iv4_ = iv4 ^ tmp4; - uint64_t iv5_ = iv5 ^ tmp5; - uint64_t iv6_ = iv6 ^ tmp6; - uint64_t iv7_ = iv7 ^ tmp7; - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); -} - static void update_key( Lib_IntVector_Intrinsics_vec256 *wv, @@ -372,11 +316,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -399,7 +343,7 @@ Hacl_Hash_Blake2b_Simd256_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -408,6 +352,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -418,7 +363,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -452,7 +397,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_Simd256_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -588,96 +533,268 @@ Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_Blake2b_Simd256_malloc_with_key(void) *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + if (buf != NULL) + { + memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } return buf; } static Hacl_Hash_Blake2b_Simd256_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec256 - *wv = - (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, - sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Lib_IntVector_Intrinsics_vec256 - *b = + *wv0 = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (wv0 != NULL) { - ite = 128U; + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + Lib_IntVector_Intrinsics_vec256 + *b = + (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, + sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2b_Simd256_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2b_Simd256_state_t - *p = - (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2b_Simd256_state_t - )); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 128U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2b_Simd256_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2b_Simd256_state_t + *p = + (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2b_Simd256_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec256 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec256 *h = block_state1.f3.snd; + uint32_t kk20 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk20 == 0U)) + { + uint8_t *sub_b = buf1 + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk20 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint64_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec256 *r0 = h; + Lib_IntVector_Intrinsics_vec256 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec256 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec256 *r3 = h + 3U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ + ((uint64_t)pv.fanout + << 16U + ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -685,21 +802,16 @@ Hacl_Hash_Blake2b_Simd256_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2b_Simd256_state_t - *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) { @@ -708,39 +820,106 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_Simd256_state_t *s) { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void -reset_raw( - Hacl_Hash_Blake2b_Simd256_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +reset_raw(Hacl_Hash_Blake2b_Simd256_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i1.key_length; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec256 *h = block_state.f3.snd; + uint32_t kk20 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (!(kk20 == 0U)) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + uint8_t *sub_b = buf + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf, k_1, kk20 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint64_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec256 *r0 = h; + Lib_IntVector_Intrinsics_vec256 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec256 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec256 *r3 = h + 3U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ ((uint64_t)pv.fanout << 16U ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -752,14 +931,16 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2b_Simd256_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -768,15 +949,17 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k) { @@ -791,11 +974,16 @@ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) { @@ -803,7 +991,7 @@ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -830,7 +1018,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (chunk_len <= 128U - sz) { Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -858,7 +1046,7 @@ Hacl_Hash_Blake2b_Simd256_update( else if (sz == 0U) { Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -873,8 +1061,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -899,7 +1086,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -927,7 +1114,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -952,7 +1139,7 @@ Hacl_Hash_Blake2b_Simd256_update( } ); Hacl_Hash_Blake2b_Simd256_state_t s10 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -967,8 +1154,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -994,7 +1180,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1020,17 +1206,26 @@ Hacl_Hash_Blake2b_Simd256_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_Simd256_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1045,11 +1240,16 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 uint8_t *buf_1 = buf_; KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 wv0[4U] KRML_POST_ALIGN(32) = { 0U }; KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 b[4U] KRML_POST_ALIGN(32) = { 0U }; - Hacl_Hash_Blake2b_Simd256_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1064,7 +1264,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec256 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec256 *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1076,17 +1276,35 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; Hacl_Hash_Blake2b_Simd256_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1096,9 +1314,9 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) { Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec256 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec256 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1106,44 +1324,133 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state) { Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 128U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec256 - *wv = + *wv0 = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Lib_IntVector_Intrinsics_vec256 - *b = - (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, - sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Hacl_Hash_Blake2b_Simd256_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2b_Simd256_state_t - *p = - (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2b_Simd256_state_t - )); - p[0U] = s; - return p; + if (wv0 != NULL) + { + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + Lib_IntVector_Intrinsics_vec256 + *b = + (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, + sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = block_state.v; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2b_Simd256_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2b_Simd256_state_t + *p = + (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2b_Simd256_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec256 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1175,8 +1482,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256, void *); } +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_Blake2s.c b/src/Hacl_Hash_Blake2s.c index 6e19d83d..23b312b6 100644 --- a/src/Hacl_Hash_Blake2s.c +++ b/src/Hacl_Hash_Blake2s.c @@ -25,12 +25,22 @@ #include "internal/Hacl_Hash_Blake2s.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void -update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +update_block( + uint32_t *wv, + uint32_t *hash, + bool flag, + bool last_node, + uint64_t totlen, + uint8_t *d +) { uint32_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -53,7 +63,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask[0U] = (uint32_t)totlen; mask[1U] = (uint32_t)(totlen >> 32U); mask[2U] = wv_14; @@ -558,83 +576,6 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r1[3U] = iv7_; } -static void init_with_params(uint32_t *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint32_t tmp[8U] = { 0U }; - uint32_t *r0 = hash; - uint32_t *r1 = hash + 4U; - uint32_t *r2 = hash + 8U; - uint32_t *r3 = hash + 12U; - uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; - uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; - uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; - uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; - uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; - uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; - uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; - uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; - r2[0U] = iv0; - r2[1U] = iv1; - r2[2U] = iv2; - r2[3U] = iv3; - r3[0U] = iv4; - r3[1U] = iv5; - r3[2U] = iv6; - r3[3U] = iv7; - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - tmp[0U] = - (uint32_t)p.digest_length - ^ ((uint32_t)p.key_length << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); - tmp[1U] = p.leaf_length; - tmp[2U] = (uint32_t)p.node_offset; - tmp[3U] = - (uint32_t)(p.node_offset >> 32U) - ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); - uint32_t tmp0 = tmp[0U]; - uint32_t tmp1 = tmp[1U]; - uint32_t tmp2 = tmp[2U]; - uint32_t tmp3 = tmp[3U]; - uint32_t tmp4 = tmp[4U]; - uint32_t tmp5 = tmp[5U]; - uint32_t tmp6 = tmp[6U]; - uint32_t tmp7 = tmp[7U]; - uint32_t iv0_ = iv0 ^ tmp0; - uint32_t iv1_ = iv1 ^ tmp1; - uint32_t iv2_ = iv2 ^ tmp2; - uint32_t iv3_ = iv3 ^ tmp3; - uint32_t iv4_ = iv4 ^ tmp4; - uint32_t iv5_ = iv5 ^ tmp5; - uint32_t iv6_ = iv6 ^ tmp6; - uint32_t iv7_ = iv7 ^ tmp7; - r0[0U] = iv0_; - r0[1U] = iv1_; - r0[2U] = iv2_; - r0[3U] = iv3_; - r1[0U] = iv4_; - r1[1U] = iv5_; - r1[2U] = iv6_; - r1[3U] = iv7_; -} - static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) { uint64_t lb = (uint64_t)64U; @@ -642,11 +583,11 @@ static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -666,7 +607,7 @@ Hacl_Hash_Blake2s_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -675,6 +616,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -684,7 +626,7 @@ Hacl_Hash_Blake2s_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -712,7 +654,7 @@ update_blocks(uint32_t len, uint32_t *wv, uint32_t *hash, uint64_t prev, uint8_t rem = rem0; } Hacl_Hash_Blake2s_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -747,76 +689,251 @@ void Hacl_Hash_Blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) } static Hacl_Hash_Blake2s_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (buf == NULL) { - ite = 64U; + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *wv0 = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2s_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2s_state_t - *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 64U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2s_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2s_state_t + *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint32_t *b = block_state1.f3.snd; + uint32_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint32_t *h = block_state1.f3.snd; + uint32_t kk2 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk2 == 0U)) + { + uint8_t *sub_b = buf1 + kk2; + memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk2 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint32_t tmp[8U] = { 0U }; + uint32_t *r0 = h; + uint32_t *r1 = h + 4U; + uint32_t *r2 = h + 8U; + uint32_t *r3 = h + 12U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ + ((uint32_t)pv.key_length + << 8U + ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -824,20 +941,15 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; - Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + Hacl_Hash_Blake2b_blake2_params p0 = p; + Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) { @@ -846,29 +958,32 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_state_t *s) { - Hacl_Hash_Blake2s_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } -static void -reset_raw( - Hacl_Hash_Blake2s_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +static void reset_raw(Hacl_Hash_Blake2s_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint32_t *h = block_state.f3.snd; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -878,7 +993,79 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint32_t tmp[8U] = { 0U }; + uint32_t *r0 = h; + uint32_t *r1 = h + 4U; + uint32_t *r2 = h + 8U; + uint32_t *r3 = h + 12U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ ((uint32_t)pv.key_length << 8U ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -890,14 +1077,16 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2s_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -906,15 +1095,17 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) { @@ -929,11 +1120,16 @@ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) { @@ -941,7 +1137,7 @@ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len) @@ -964,7 +1160,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (chunk_len <= 64U - sz) { Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -992,7 +1188,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 else if (sz == 0U) { Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -1007,7 +1203,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1027,7 +1223,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1050,7 +1246,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -1075,7 +1271,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } ); Hacl_Hash_Blake2s_state_t s10 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -1090,7 +1286,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1111,7 +1307,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1132,16 +1328,26 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_state_t scrut = *state; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1156,11 +1362,16 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) uint8_t *buf_1 = buf_; uint32_t wv0[16U] = { 0U }; uint32_t b[16U] = { 0U }; - Hacl_Hash_Blake2s_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint32_t *src_b = block_state.thd.snd; - uint32_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint32_t *src_b = block_state.f3.snd; + uint32_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1174,18 +1385,35 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint32_t___uint32_t_ acc0 = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc0 = tmp_block_state.f3; uint32_t *wv1 = acc0.fst; uint32_t *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint32_t___uint32_t_ acc = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; - Hacl_Hash_Blake2s_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1195,9 +1423,9 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) { Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; - uint32_t *b = block_state.thd.snd; - uint32_t *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = scrut.block_state; + uint32_t *b = block_state.f3.snd; + uint32_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1205,32 +1433,115 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state) { Hacl_Hash_Blake2s_state_t scrut = *state; - Hacl_Hash_Blake2s_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint32_t *src_b = block_state0.thd.snd; - uint32_t *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); - Hacl_Hash_Blake2s_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2s_state_t - *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); - p[0U] = s; - return p; + uint32_t *wv0 = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = block_state.v; + uint32_t *src_b = block_state0.f3.snd; + uint32_t *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2s_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2s_state_t + *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint32_t *b = block_state1.f3.snd; + uint32_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1262,8 +1573,14 @@ Hacl_Hash_Blake2s_hash_with_key( Lib_Memzero0_memzero(b, 16U, uint32_t, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_Blake2s_Simd128.c b/src/Hacl_Hash_Blake2s_Simd128.c index c02da8fa..f18cf412 100644 --- a/src/Hacl_Hash_Blake2s_Simd128.c +++ b/src/Hacl_Hash_Blake2s_Simd128.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" @@ -34,6 +37,7 @@ update_block( Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, bool flag, + bool last_node, uint64_t totlen, uint8_t *d ) @@ -59,7 +63,15 @@ update_block( { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask = Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, (uint32_t)(totlen >> 32U), @@ -286,72 +298,6 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } -static void -init_with_params(Lib_IntVector_Intrinsics_vec128 *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint32_t tmp[8U] = { 0U }; - Lib_IntVector_Intrinsics_vec128 *r0 = hash; - Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; - Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; - Lib_IntVector_Intrinsics_vec128 *r3 = hash + 3U; - uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; - uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; - uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; - uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; - uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; - uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; - uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; - uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; - r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); - r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - tmp[0U] = - (uint32_t)p.digest_length - ^ ((uint32_t)p.key_length << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); - tmp[1U] = p.leaf_length; - tmp[2U] = (uint32_t)p.node_offset; - tmp[3U] = - (uint32_t)(p.node_offset >> 32U) - ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); - uint32_t tmp0 = tmp[0U]; - uint32_t tmp1 = tmp[1U]; - uint32_t tmp2 = tmp[2U]; - uint32_t tmp3 = tmp[3U]; - uint32_t tmp4 = tmp[4U]; - uint32_t tmp5 = tmp[5U]; - uint32_t tmp6 = tmp[6U]; - uint32_t tmp7 = tmp[7U]; - uint32_t iv0_ = iv0 ^ tmp0; - uint32_t iv1_ = iv1 ^ tmp1; - uint32_t iv2_ = iv2 ^ tmp2; - uint32_t iv3_ = iv3 ^ tmp3; - uint32_t iv4_ = iv4 ^ tmp4; - uint32_t iv5_ = iv5 ^ tmp5; - uint32_t iv6_ = iv6 ^ tmp6; - uint32_t iv7_ = iv7 ^ tmp7; - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); -} - static void update_key( Lib_IntVector_Intrinsics_vec128 *wv, @@ -366,11 +312,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -390,7 +336,7 @@ Hacl_Hash_Blake2s_Simd128_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -399,6 +345,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -408,7 +355,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -442,7 +389,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2s_Simd128_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -578,96 +525,265 @@ Lib_IntVector_Intrinsics_vec128 *Hacl_Hash_Blake2s_Simd128_malloc_with_key(void) *buf = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + if (buf != NULL) + { + memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } return buf; } static Hacl_Hash_Blake2s_Simd128_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec128 - *wv = - (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, - sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Lib_IntVector_Intrinsics_vec128 - *b = + *wv0 = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (wv0 != NULL) { - ite = 64U; + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + Lib_IntVector_Intrinsics_vec128 + *b = + (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, + sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2s_Simd128_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2s_Simd128_state_t - *p = - (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2s_Simd128_state_t - )); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 64U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2s_Simd128_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2s_Simd128_state_t + *p = + (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2s_Simd128_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec128 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec128 *h = block_state1.f3.snd; + uint32_t kk2 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk2 == 0U)) + { + uint8_t *sub_b = buf1 + kk2; + memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk2 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint32_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec128 *r0 = h; + Lib_IntVector_Intrinsics_vec128 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec128 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec128 *r3 = h + 3U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ + ((uint32_t)pv.key_length + << 8U + ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -675,21 +791,16 @@ Hacl_Hash_Blake2s_Simd128_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2s_Simd128_state_t - *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) { @@ -698,29 +809,33 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_Simd128_state_t *s) { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void -reset_raw( - Hacl_Hash_Blake2s_Simd128_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +reset_raw(Hacl_Hash_Blake2s_Simd128_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec128 *h = block_state.f3.snd; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -730,7 +845,67 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint32_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec128 *r0 = h; + Lib_IntVector_Intrinsics_vec128 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec128 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec128 *r3 = h + 3U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ ((uint32_t)pv.key_length << 8U ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -742,14 +917,16 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2s_Simd128_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -758,15 +935,17 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k) { @@ -781,11 +960,16 @@ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) { @@ -793,7 +977,7 @@ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -820,7 +1004,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (chunk_len <= 64U - sz) { Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -848,7 +1032,7 @@ Hacl_Hash_Blake2s_Simd128_update( else if (sz == 0U) { Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -863,8 +1047,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -884,7 +1067,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -907,7 +1090,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -932,7 +1115,7 @@ Hacl_Hash_Blake2s_Simd128_update( } ); Hacl_Hash_Blake2s_Simd128_state_t s10 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -947,8 +1130,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -969,7 +1151,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -990,17 +1172,26 @@ Hacl_Hash_Blake2s_Simd128_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_Simd128_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1015,11 +1206,16 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 uint8_t *buf_1 = buf_; KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv0[4U] KRML_POST_ALIGN(16) = { 0U }; KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 b[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1034,19 +1230,36 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec128 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec128 *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_Simd128_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; - Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1056,9 +1269,9 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) { Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec128 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec128 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1066,44 +1279,133 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state) { Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec128 - *wv = - (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, - sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Lib_IntVector_Intrinsics_vec128 - *b = + *wv0 = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Hacl_Hash_Blake2s_Simd128_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2s_Simd128_state_t - *p = - (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2s_Simd128_state_t - )); - p[0U] = s; - return p; + if (wv0 != NULL) + { + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + Lib_IntVector_Intrinsics_vec128 + *b = + (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, + sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = block_state.v; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2s_Simd128_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2s_Simd128_state_t + *p = + (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2s_Simd128_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec128 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1135,8 +1437,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_MD5.c b/src/Hacl_Hash_MD5.c index ed294839..f0edd91b 100644 --- a/src/Hacl_Hash_MD5.c +++ b/src/Hacl_Hash_MD5.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_MD5.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_Streaming_Types.h" + static uint32_t _h0[4U] = { 0x67452301U, 0xefcdab89U, 0x98badcfeU, 0x10325476U }; static uint32_t @@ -1166,14 +1169,67 @@ void Hacl_Hash_MD5_hash_oneshot(uint8_t *output, uint8_t *input, uint32_t input_ Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_malloc(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_MD5_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_MD5_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_MD5_reset(Hacl_Streaming_MD_state_32 *state) @@ -1412,15 +1468,67 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_copy(Hacl_Streaming_MD_state_32 *state uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); - memcpy(block_state, block_state0, 4U * sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - return p; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 4U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_MD5_hash(uint8_t *output, uint8_t *input, uint32_t input_len) diff --git a/src/Hacl_Hash_SHA1.c b/src/Hacl_Hash_SHA1.c index 1a8b09b1..edb5f062 100644 --- a/src/Hacl_Hash_SHA1.c +++ b/src/Hacl_Hash_SHA1.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_SHA1.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_Streaming_Types.h" + static uint32_t _h0[5U] = { 0x67452301U, 0xefcdab89U, 0x98badcfeU, 0x10325476U, 0xc3d2e1f0U }; void Hacl_Hash_SHA1_init(uint32_t *s) @@ -199,14 +202,67 @@ void Hacl_Hash_SHA1_hash_oneshot(uint8_t *output, uint8_t *input, uint32_t input Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_malloc(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_SHA1_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA1_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA1_reset(Hacl_Streaming_MD_state_32 *state) @@ -445,15 +501,67 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_copy(Hacl_Streaming_MD_state_32 *stat uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); - memcpy(block_state, block_state0, 5U * sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - return p; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 5U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA1_hash(uint8_t *output, uint8_t *input, uint32_t input_len) diff --git a/src/Hacl_Hash_SHA2.c b/src/Hacl_Hash_SHA2.c index 995fe707..4d130968 100644 --- a/src/Hacl_Hash_SHA2.c +++ b/src/Hacl_Hash_SHA2.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_SHA2.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Krmllib.h" void Hacl_Hash_SHA2_sha256_init(uint32_t *hash) @@ -211,7 +214,7 @@ void Hacl_Hash_SHA2_sha224_init(uint32_t *hash) os[i] = x;); } -static inline void sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st) +void Hacl_Hash_SHA2_sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st) { Hacl_Hash_SHA2_sha256_update_nblocks(len, b, st); } @@ -447,14 +450,67 @@ calling `free_256`. Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_256(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_SHA2_sha256_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha256_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -470,15 +526,67 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_state_32 * uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - memcpy(block_state, block_state0, 8U * sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - return p; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 8U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -760,14 +868,67 @@ void Hacl_Hash_SHA2_hash_256(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_224(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_SHA2_sha224_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha224_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 *state) @@ -825,7 +986,7 @@ void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_t *outpu } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - sha224_update_nblocks(0U, buf_multi, tmp_block_state); + Hacl_Hash_SHA2_sha224_update_nblocks(0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA2_sha224_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state); Hacl_Hash_SHA2_sha224_finish(tmp_block_state, output); @@ -847,7 +1008,7 @@ void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Hash_SHA2_sha224_init(st); uint32_t rem = input_len % 64U; uint64_t len_ = (uint64_t)input_len; - sha224_update_nblocks(input_len, ib, st); + Hacl_Hash_SHA2_sha224_update_nblocks(input_len, ib, st); uint32_t rem1 = input_len % 64U; uint8_t *b0 = ib; uint8_t *lb = b0 + input_len - rem1; @@ -858,14 +1019,67 @@ void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_512(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); - uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - Hacl_Streaming_MD_state_64 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_64 - *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); - p[0U] = s; - Hacl_Hash_SHA2_sha512_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Streaming_Types_optional_64 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_64 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_64 + *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha512_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -881,15 +1095,67 @@ Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_state_64 * uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 128U * sizeof (uint8_t)); - uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - memcpy(block_state, block_state0, 8U * sizeof (uint64_t)); - Hacl_Streaming_MD_state_64 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_64 - *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); - p[0U] = s; - return p; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Streaming_Types_optional_64 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 8U * sizeof (uint64_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_64 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_64 + *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 *state) @@ -1172,14 +1438,67 @@ void Hacl_Hash_SHA2_hash_512(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_384(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); - uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - Hacl_Streaming_MD_state_64 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_64 - *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); - p[0U] = s; - Hacl_Hash_SHA2_sha384_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Streaming_Types_optional_64 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_64 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_64 + *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha384_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 *state) diff --git a/src/Hacl_Hash_SHA3.c b/src/Hacl_Hash_SHA3.c index 89bb0491..9903596d 100644 --- a/src/Hacl_Hash_SHA3.c +++ b/src/Hacl_Hash_SHA3.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_SHA3.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_Streaming_Types.h" + const uint32_t Hacl_Hash_SHA3_keccak_rotc[24U] = @@ -234,6 +237,12 @@ static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) } } +void Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_hash_alg a, uint64_t *s) +{ + KRML_MAYBE_UNUSED_VAR(a); + memset(s, 0U, 25U * sizeof (uint64_t)); +} + void Hacl_Hash_SHA3_update_multi_sha3( Spec_Hash_Definitions_hash_alg a, @@ -251,7 +260,8 @@ Hacl_Hash_SHA3_update_multi_sha3( uint8_t *bl0 = b_; uint8_t *uu____0 = b0 + i * block_len(a); memcpy(bl0, uu____0, block_len(a) * sizeof (uint8_t)); - block_len(a); + uint32_t unused = block_len(a); + KRML_MAYBE_UNUSED_VAR(unused); absorb_inner_32(b_, s); } } @@ -544,6 +554,74 @@ Hacl_Hash_SHA3_update_last_sha3( absorb_inner_32(b3, s); } +static void squeeze(uint64_t *s, uint32_t rateInBytes, uint32_t outputByteLen, uint8_t *b) +{ + for (uint32_t i0 = 0U; i0 < outputByteLen / rateInBytes; i0++) + { + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + uint8_t *b0 = b; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U])));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i2 + 1U) % 5U]; + uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i2 + 5U * i] = s[i2 + 5U * i] ^ _D;);); + uint64_t x = s[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Hash_SHA3_keccak_piln[i]; + uint32_t r = Hacl_Hash_SHA3_keccak_rotc[i]; + uint64_t temp = s[_Y]; + uint64_t uu____1 = current; + s[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]); + uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]); + uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]); + uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]); + uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]); + s[0U + 5U * i] = v0; + s[1U + 5U * i] = v1; + s[2U + 5U * i] = v2; + s[3U + 5U * i] = v3; + s[4U + 5U * i] = v4;); + uint64_t c = Hacl_Hash_SHA3_keccak_rndc[i1]; + s[0U] = s[0U] ^ c; + } + } + uint32_t remOut = outputByteLen % rateInBytes; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(b + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); +} + typedef struct hash_buf2_s { Hacl_Hash_SHA3_hash_buf fst; @@ -557,20 +635,92 @@ Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_state_t *s) return block_state.fst; } +typedef struct option___Spec_Hash_Definitions_hash_alg____uint64_t___s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Hacl_Hash_SHA3_hash_buf v; +} +option___Spec_Hash_Definitions_hash_alg____uint64_t__; + Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash_alg a) { KRML_CHECK_SIZE(sizeof (uint8_t), block_len(a)); - uint8_t *buf0 = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - Hacl_Hash_SHA3_hash_buf block_state = { .fst = a, .snd = buf }; - Hacl_Hash_SHA3_state_t - s = { .block_state = block_state, .buf = buf0, .total_len = (uint64_t)0U }; - Hacl_Hash_SHA3_state_t - *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); - p[0U] = s; - uint64_t *s1 = block_state.snd; - memset(s1, 0U, 25U * sizeof (uint64_t)); - return p; + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + option___Spec_Hash_Definitions_hash_alg____uint64_t__ block_state; + if (s == NULL) + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = a, .snd = s } + } + ); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Hash_SHA3_hash_buf block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_SHA3_state_t + s0 = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Hash_SHA3_state_t + *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); + if (p != NULL) + { + p[0U] = s0; + } + if (p == NULL) + { + uint64_t *s1 = block_state1.snd; + KRML_HOST_FREE(s1); + KRML_HOST_FREE(buf1); + return NULL; + } + Spec_Hash_Definitions_hash_alg a1 = block_state1.fst; + uint64_t *s1 = block_state1.snd; + Hacl_Hash_SHA3_init_(a1, s1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t *state) @@ -592,20 +742,83 @@ Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state) uint64_t total_len0 = scrut0.total_len; Spec_Hash_Definitions_hash_alg i = block_state0.fst; KRML_CHECK_SIZE(sizeof (uint8_t), block_len(i)); - uint8_t *buf1 = (uint8_t *)KRML_HOST_CALLOC(block_len(i), sizeof (uint8_t)); - memcpy(buf1, buf0, block_len(i) * sizeof (uint8_t)); - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - Hacl_Hash_SHA3_hash_buf block_state = { .fst = i, .snd = buf }; - hash_buf2 scrut = { .fst = block_state0, .snd = block_state }; - uint64_t *s_dst = scrut.snd.snd; - uint64_t *s_src = scrut.fst.snd; - memcpy(s_dst, s_src, 25U * sizeof (uint64_t)); - Hacl_Hash_SHA3_state_t - s = { .block_state = block_state, .buf = buf1, .total_len = total_len0 }; - Hacl_Hash_SHA3_state_t - *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); - p[0U] = s; - return p; + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(i), sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + memcpy(buf, buf0, block_len(i) * sizeof (uint8_t)); + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + option___Spec_Hash_Definitions_hash_alg____uint64_t__ block_state; + if (s == NULL) + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = i, .snd = s } + } + ); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Hash_SHA3_hash_buf block_state1 = block_state.v; + hash_buf2 scrut = { .fst = block_state0, .snd = block_state1 }; + uint64_t *s_dst = scrut.snd.snd; + uint64_t *s_src = scrut.fst.snd; + memcpy(s_dst, s_src, 25U * sizeof (uint64_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_SHA3_state_t + s0 = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_SHA3_state_t + *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); + if (p != NULL) + { + p[0U] = s0; + } + if (p == NULL) + { + uint64_t *s1 = block_state1.snd; + KRML_HOST_FREE(s1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state) @@ -615,8 +828,9 @@ void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state) Hacl_Hash_SHA3_hash_buf block_state = scrut.block_state; Spec_Hash_Definitions_hash_alg i = block_state.fst; KRML_MAYBE_UNUSED_VAR(i); + Spec_Hash_Definitions_hash_alg a1 = block_state.fst; uint64_t *s = block_state.snd; - memset(s, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(a1, s); Hacl_Hash_SHA3_state_t tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; state[0U] = tmp; @@ -848,141 +1062,30 @@ digest_( Hacl_Hash_SHA3_update_last_sha3(a10, s1, buf_last, r); Spec_Hash_Definitions_hash_alg a11 = tmp_block_state.fst; uint64_t *s = tmp_block_state.snd; - if (a11 == Spec_Hash_Definitions_Shake128 || a11 == Spec_Hash_Definitions_Shake256) + bool sw; + switch (a11) { - for (uint32_t i0 = 0U; i0 < l / block_len(a11); i0++) - { - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) + case Spec_Hash_Definitions_Shake128: { - store64_le(hbuf + i * 8U, ws[i]); + sw = true; + break; } - uint8_t *b0 = output; - uint8_t *uu____0 = hbuf; - memcpy(b0 + i0 * block_len(a11), uu____0, block_len(a11) * sizeof (uint8_t)); - for (uint32_t i1 = 0U; i1 < 24U; i1++) + case Spec_Hash_Definitions_Shake256: { - uint64_t _C[5U] = { 0U }; - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U])));); - KRML_MAYBE_FOR5(i2, - 0U, - 5U, - 1U, - uint64_t uu____1 = _C[(i2 + 1U) % 5U]; - uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____1 << 1U | uu____1 >> 63U); - KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i2 + 5U * i] = s[i2 + 5U * i] ^ _D;);); - uint64_t x = s[1U]; - uint64_t current = x; - for (uint32_t i = 0U; i < 24U; i++) - { - uint32_t _Y = Hacl_Hash_SHA3_keccak_piln[i]; - uint32_t r1 = Hacl_Hash_SHA3_keccak_rotc[i]; - uint64_t temp = s[_Y]; - uint64_t uu____2 = current; - s[_Y] = uu____2 << r1 | uu____2 >> (64U - r1); - current = temp; - } - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]); - uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]); - uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]); - uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]); - uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]); - s[0U + 5U * i] = v0; - s[1U + 5U * i] = v1; - s[2U + 5U * i] = v2; - s[3U + 5U * i] = v3; - s[4U + 5U * i] = v4;); - uint64_t c = Hacl_Hash_SHA3_keccak_rndc[i1]; - s[0U] = s[0U] ^ c; + sw = true; + break; } - } - uint32_t remOut = l % block_len(a11); - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) - { - store64_le(hbuf + i * 8U, ws[i]); - } - memcpy(output + l - remOut, hbuf, remOut * sizeof (uint8_t)); - return; - } - for (uint32_t i0 = 0U; i0 < hash_len(a11) / block_len(a11); i0++) - { - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) - { - store64_le(hbuf + i * 8U, ws[i]); - } - uint8_t *b0 = output; - uint8_t *uu____3 = hbuf; - memcpy(b0 + i0 * block_len(a11), uu____3, block_len(a11) * sizeof (uint8_t)); - for (uint32_t i1 = 0U; i1 < 24U; i1++) - { - uint64_t _C[5U] = { 0U }; - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U])));); - KRML_MAYBE_FOR5(i2, - 0U, - 5U, - 1U, - uint64_t uu____4 = _C[(i2 + 1U) % 5U]; - uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____4 << 1U | uu____4 >> 63U); - KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i2 + 5U * i] = s[i2 + 5U * i] ^ _D;);); - uint64_t x = s[1U]; - uint64_t current = x; - for (uint32_t i = 0U; i < 24U; i++) + default: { - uint32_t _Y = Hacl_Hash_SHA3_keccak_piln[i]; - uint32_t r1 = Hacl_Hash_SHA3_keccak_rotc[i]; - uint64_t temp = s[_Y]; - uint64_t uu____5 = current; - s[_Y] = uu____5 << r1 | uu____5 >> (64U - r1); - current = temp; + sw = false; } - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]); - uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]); - uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]); - uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]); - uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]); - s[0U + 5U * i] = v0; - s[1U + 5U * i] = v1; - s[2U + 5U * i] = v2; - s[3U + 5U * i] = v3; - s[4U + 5U * i] = v4;); - uint64_t c = Hacl_Hash_SHA3_keccak_rndc[i1]; - s[0U] = s[0U] ^ c; - } } - uint32_t remOut = hash_len(a11) % block_len(a11); - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) + if (sw) { - store64_le(hbuf + i * 8U, ws[i]); + squeeze(s, block_len(a11), l, output); + return; } - uint8_t *uu____6 = hbuf; - memcpy(output + hash_len(a11) - remOut, uu____6, remOut * sizeof (uint8_t)); + squeeze(s, block_len(a11), hash_len(a11), output); } Hacl_Streaming_Types_error_code @@ -2166,7 +2269,7 @@ void Hacl_Hash_SHA3_state_free(uint64_t *s) Absorb number of input blocks and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses an input of multiple of 168-bytes (SHAKE128 block size), + It processes an input of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] @@ -2191,14 +2294,14 @@ Hacl_Hash_SHA3_shake128_absorb_nblocks(uint64_t *state, uint8_t *input, uint32_t Absorb a final partial block of input and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses a sequence of bytes at end of input buffer that is less + It processes a sequence of bytes at end of input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffer are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] The argument `input` (IN) points to `inputByteLen` bytes of valid memory, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffer must be passed to `inputByteLen` including the number of full-block bytes at start of input buffer that are ignored */ diff --git a/src/Hacl_Hash_SHA3_Simd256.c b/src/Hacl_Hash_SHA3_Simd256.c index 131c34e6..55ef124d 100644 --- a/src/Hacl_Hash_SHA3_Simd256.c +++ b/src/Hacl_Hash_SHA3_Simd256.c @@ -25,6 +25,7 @@ #include "Hacl_Hash_SHA3_Simd256.h" +#include "Hacl_SHA2_Types.h" #include "internal/Hacl_Hash_SHA3.h" void @@ -5976,7 +5977,10 @@ Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void) *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 25U); - memset(buf, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + if (buf != NULL) + { + memset(buf, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } return buf; } @@ -5992,12 +5996,12 @@ void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s) Absorb number of blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses an inputs of multiple of 168-bytes (SHAKE128 block size), + It processes an inputs of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block for each buffer are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void @@ -6038,15 +6042,15 @@ Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( Absorb a final partial blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses a sequence of bytes at end of each input buffer that is less + It processes a sequence of bytes at end of each input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffers are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffers must be passed to `inputByteLen` including the number of full-block bytes at start of each input buffer that are ignored */ @@ -6378,7 +6382,7 @@ Squeeze a quadruple hash state to 4 output buffers The argument `state` (IN) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes + The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void diff --git a/src/Hacl_K256_ECDSA.c b/src/Hacl_K256_ECDSA.c index 0b72b166..55338ba9 100644 --- a/src/Hacl_K256_ECDSA.c +++ b/src/Hacl_K256_ECDSA.c @@ -25,6 +25,8 @@ #include "internal/Hacl_K256_ECDSA.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_K256_PrecompTable.h" #include "internal/Hacl_Bignum_K256.h" @@ -351,7 +353,7 @@ static inline uint64_t load_qelem_check(uint64_t *f, uint8_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(f[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(f[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t is_lt_q = acc; return ~is_zero & is_lt_q; } @@ -372,11 +374,7 @@ static inline bool load_qelem_vartime(uint64_t *f, uint8_t *b) uint64_t a2 = f[2U]; uint64_t a3 = f[3U]; bool is_lt_q_b; - if (a3 < 0xffffffffffffffffULL) - { - is_lt_q_b = true; - } - else if (a2 < 0xfffffffffffffffeULL) + if (a3 < 0xffffffffffffffffULL || a2 < 0xfffffffffffffffeULL) { is_lt_q_b = true; } @@ -510,12 +508,14 @@ static inline void modq(uint64_t *out, uint64_t *a) uint64_t *t01 = tmp; uint64_t m[7U] = { 0U }; uint64_t p[5U] = { 0U }; - mul_pow2_256_minus_q_add(4U, 7U, t01, a + 4U, a, m); - mul_pow2_256_minus_q_add(3U, 5U, t01, m + 4U, m, p); + uint64_t c0 = mul_pow2_256_minus_q_add(4U, 7U, t01, a + 4U, a, m); + KRML_MAYBE_UNUSED_VAR(c0); + uint64_t c10 = mul_pow2_256_minus_q_add(3U, 5U, t01, m + 4U, m, p); + KRML_MAYBE_UNUSED_VAR(c10); uint64_t c2 = mul_pow2_256_minus_q_add(1U, 4U, t01, p + 4U, p, r); - uint64_t c0 = c2; + uint64_t c00 = c2; uint64_t c1 = add4(r, tmp, out); - uint64_t mask = 0ULL - (c0 + c1); + uint64_t mask = 0ULL - (c00 + c1); KRML_MAYBE_FOR4(i, 0U, 4U, @@ -567,11 +567,7 @@ static inline bool is_qelem_le_q_halved_vartime(uint64_t *f) { return false; } - if (a2 < 0xffffffffffffffffULL) - { - return true; - } - if (a1 < 0x5d576e7357a4501dULL) + if (a2 < 0xffffffffffffffffULL || a1 < 0x5d576e7357a4501dULL) { return true; } diff --git a/src/Hacl_MAC_Poly1305.c b/src/Hacl_MAC_Poly1305.c index 28cbca5a..9c5005d7 100644 --- a/src/Hacl_MAC_Poly1305.c +++ b/src/Hacl_MAC_Poly1305.c @@ -25,6 +25,11 @@ #include "internal/Hacl_MAC_Poly1305.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "internal/Hacl_Streaming_Types.h" +#include "internal/Hacl_Hash_SHA3.h" + void Hacl_MAC_Poly1305_poly1305_init(uint64_t *ctx, uint8_t *key) { uint64_t *acc = ctx; @@ -443,18 +448,101 @@ void Hacl_MAC_Poly1305_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; uint64_t *r1 = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - uint64_t *block_state = r1; - uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); - memcpy(k_, key, 32U * sizeof (uint8_t)); - uint8_t *k_0 = k_; - Hacl_MAC_Poly1305_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_0 }; - Hacl_MAC_Poly1305_state_t - *p = (Hacl_MAC_Poly1305_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_MAC_Poly1305_state_t)); - p[0U] = s; - Hacl_MAC_Poly1305_poly1305_init(block_state, key); - return p; + Hacl_Streaming_Types_optional_64 block_state; + if (r1 == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = r1 }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + uint8_t *b = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + FStar_Pervasives_Native_option___uint8_t_ k_; + if (b == NULL) + { + k_ = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + k_ = + ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_Some, .v = b }); + } + FStar_Pervasives_Native_option___uint8_t_ k_0; + if (k_.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + k_0 = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else if (k_.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_.v; + memcpy(k_1, key, 32U * sizeof (uint8_t)); + k_0 = + ( + (FStar_Pervasives_Native_option___uint8_t_){ + .tag = FStar_Pervasives_Native_Some, + .v = k_1 + } + ); + } + else + { + k_0 = + KRML_EABORT(FStar_Pervasives_Native_option___uint8_t_, + "unreachable (pattern matches are exhaustive in F*)"); + } + if (k_0.tag == FStar_Pervasives_Native_None) + { + return NULL; + } + if (k_0.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_0.v; + Hacl_MAC_Poly1305_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U, .p_key = k_1 }; + Hacl_MAC_Poly1305_state_t + *p = (Hacl_MAC_Poly1305_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_MAC_Poly1305_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(k_1); + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_MAC_Poly1305_poly1305_init(block_state1, key); + return p; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_MAC_Poly1305_reset(Hacl_MAC_Poly1305_state_t *state, uint8_t *key) diff --git a/src/Hacl_MAC_Poly1305_Simd128.c b/src/Hacl_MAC_Poly1305_Simd128.c index 17e26978..a8e35d3f 100644 --- a/src/Hacl_MAC_Poly1305_Simd128.c +++ b/src/Hacl_MAC_Poly1305_Simd128.c @@ -25,6 +25,10 @@ #include "internal/Hacl_MAC_Poly1305_Simd128.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_MAC_Poly1305.h" +#include "internal/Hacl_Hash_SHA3.h" + void Hacl_MAC_Poly1305_Simd128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b) { KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 e[5U] KRML_POST_ALIGN(16) = { 0U }; @@ -1301,28 +1305,123 @@ Hacl_MAC_Poly1305_Simd128_poly1305_finish( store64_le(tag + 8U, f31); } +typedef struct option___Lib_IntVector_Intrinsics_vec128__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Lib_IntVector_Intrinsics_vec128 *v; +} +option___Lib_IntVector_Intrinsics_vec128_; + Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint8_t *key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec128 *r1 = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 25U); - memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Lib_IntVector_Intrinsics_vec128 *block_state = r1; - uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); - memcpy(k_, key, 32U * sizeof (uint8_t)); - uint8_t *k_0 = k_; - Hacl_MAC_Poly1305_Simd128_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_0 }; - Hacl_MAC_Poly1305_Simd128_state_t - *p = - (Hacl_MAC_Poly1305_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_MAC_Poly1305_Simd128_state_t - )); - p[0U] = s; - Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state, key); - return p; + if (r1 != NULL) + { + memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + option___Lib_IntVector_Intrinsics_vec128_ block_state; + if (r1 == NULL) + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec128_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec128_){ .tag = FStar_Pervasives_Native_Some, .v = r1 }); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Lib_IntVector_Intrinsics_vec128 *block_state1 = block_state.v; + uint8_t *b = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + FStar_Pervasives_Native_option___uint8_t_ k_; + if (b == NULL) + { + k_ = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + k_ = + ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_Some, .v = b }); + } + FStar_Pervasives_Native_option___uint8_t_ k_0; + if (k_.tag == FStar_Pervasives_Native_None) + { + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + k_0 = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else if (k_.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_.v; + memcpy(k_1, key, 32U * sizeof (uint8_t)); + k_0 = + ( + (FStar_Pervasives_Native_option___uint8_t_){ + .tag = FStar_Pervasives_Native_Some, + .v = k_1 + } + ); + } + else + { + k_0 = + KRML_EABORT(FStar_Pervasives_Native_option___uint8_t_, + "unreachable (pattern matches are exhaustive in F*)"); + } + if (k_0.tag == FStar_Pervasives_Native_None) + { + return NULL; + } + if (k_0.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_0.v; + Hacl_MAC_Poly1305_Simd128_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U, .p_key = k_1 }; + Hacl_MAC_Poly1305_Simd128_state_t + *p = + (Hacl_MAC_Poly1305_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_MAC_Poly1305_Simd128_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(k_1); + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state1, key); + return p; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_MAC_Poly1305_Simd128_reset(Hacl_MAC_Poly1305_Simd128_state_t *state, uint8_t *key) diff --git a/src/Hacl_MAC_Poly1305_Simd256.c b/src/Hacl_MAC_Poly1305_Simd256.c index f25e8fff..9d41b990 100644 --- a/src/Hacl_MAC_Poly1305_Simd256.c +++ b/src/Hacl_MAC_Poly1305_Simd256.c @@ -25,6 +25,10 @@ #include "internal/Hacl_MAC_Poly1305_Simd256.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_MAC_Poly1305.h" +#include "internal/Hacl_Hash_SHA3.h" + void Hacl_MAC_Poly1305_Simd256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 e[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -1752,28 +1756,123 @@ Hacl_MAC_Poly1305_Simd256_poly1305_finish( store64_le(tag + 8U, f31); } +typedef struct option___Lib_IntVector_Intrinsics_vec256__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Lib_IntVector_Intrinsics_vec256 *v; +} +option___Lib_IntVector_Intrinsics_vec256_; + Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint8_t *key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec256 *r1 = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 25U); - memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Lib_IntVector_Intrinsics_vec256 *block_state = r1; - uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); - memcpy(k_, key, 32U * sizeof (uint8_t)); - uint8_t *k_0 = k_; - Hacl_MAC_Poly1305_Simd256_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_0 }; - Hacl_MAC_Poly1305_Simd256_state_t - *p = - (Hacl_MAC_Poly1305_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_MAC_Poly1305_Simd256_state_t - )); - p[0U] = s; - Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state, key); - return p; + if (r1 != NULL) + { + memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + option___Lib_IntVector_Intrinsics_vec256_ block_state; + if (r1 == NULL) + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec256_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec256_){ .tag = FStar_Pervasives_Native_Some, .v = r1 }); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Lib_IntVector_Intrinsics_vec256 *block_state1 = block_state.v; + uint8_t *b = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + FStar_Pervasives_Native_option___uint8_t_ k_; + if (b == NULL) + { + k_ = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + k_ = + ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_Some, .v = b }); + } + FStar_Pervasives_Native_option___uint8_t_ k_0; + if (k_.tag == FStar_Pervasives_Native_None) + { + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + k_0 = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else if (k_.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_.v; + memcpy(k_1, key, 32U * sizeof (uint8_t)); + k_0 = + ( + (FStar_Pervasives_Native_option___uint8_t_){ + .tag = FStar_Pervasives_Native_Some, + .v = k_1 + } + ); + } + else + { + k_0 = + KRML_EABORT(FStar_Pervasives_Native_option___uint8_t_, + "unreachable (pattern matches are exhaustive in F*)"); + } + if (k_0.tag == FStar_Pervasives_Native_None) + { + return NULL; + } + if (k_0.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_0.v; + Hacl_MAC_Poly1305_Simd256_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U, .p_key = k_1 }; + Hacl_MAC_Poly1305_Simd256_state_t + *p = + (Hacl_MAC_Poly1305_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_MAC_Poly1305_Simd256_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(k_1); + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state1, key); + return p; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_MAC_Poly1305_Simd256_reset(Hacl_MAC_Poly1305_Simd256_state_t *state, uint8_t *key) diff --git a/src/Hacl_NaCl.c b/src/Hacl_NaCl.c index a1bbd25c..e51782b3 100644 --- a/src/Hacl_NaCl.c +++ b/src/Hacl_NaCl.c @@ -25,6 +25,9 @@ #include "Hacl_NaCl.h" +#include "Hacl_Salsa20.h" +#include "Hacl_MAC_Poly1305.h" +#include "Hacl_Curve25519_51.h" #include "internal/Hacl_Krmllib.h" static void secretbox_init(uint8_t *xkeys, uint8_t *k, uint8_t *n) diff --git a/src/Hacl_P256.c b/src/Hacl_P256.c index 609fed81..689e4e1f 100644 --- a/src/Hacl_P256.c +++ b/src/Hacl_P256.c @@ -25,6 +25,8 @@ #include "internal/Hacl_P256.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_P256_PrecompTable.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" diff --git a/src/Hacl_RSAPSS.c b/src/Hacl_RSAPSS.c index 71e141d0..b8215ea7 100644 --- a/src/Hacl_RSAPSS.c +++ b/src/Hacl_RSAPSS.c @@ -25,6 +25,9 @@ #include "Hacl_RSAPSS.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -167,7 +170,7 @@ static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; return res; @@ -189,7 +192,7 @@ static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n) { uint64_t beq = FStar_UInt64_eq_mask(b2[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b2[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; uint64_t m1 = res; @@ -288,11 +291,7 @@ pss_verify( em_0 = 0U; } uint8_t em_last = em[emLen - 1U]; - if (emLen < saltLen + hash_len(a) + 2U) - { - return false; - } - if (!(em_last == 0xbcU && em_0 == 0U)) + if (emLen < saltLen + hash_len(a) + 2U || !(em_last == 0xbcU && em_0 == 0U)) { return false; } @@ -553,7 +552,7 @@ Hacl_RSAPSS_rsapss_verify( { uint64_t beq = FStar_UInt64_eq_mask(s[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(s[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t mask = acc; bool res; @@ -568,10 +567,9 @@ Hacl_RSAPSS_rsapss_verify( eBits, e, m); - bool ite; if (!((modBits - 1U) % 8U == 0U)) { - ite = true; + res = true; } else { @@ -579,15 +577,7 @@ Hacl_RSAPSS_rsapss_verify( uint32_t j = (modBits - 1U) % 64U; uint64_t tmp = m[i]; uint64_t get_bit = tmp >> j & 1ULL; - ite = get_bit == 0ULL; - } - if (ite) - { - res = true; - } - else - { - res = false; + res = get_bit == 0ULL; } } else diff --git a/src/Hacl_SHA2_Vec128.c b/src/Hacl_SHA2_Vec128.c index 02af75b1..2dff212e 100644 --- a/src/Hacl_SHA2_Vec128.c +++ b/src/Hacl_SHA2_Vec128.c @@ -25,6 +25,7 @@ #include "Hacl_SHA2_Vec128.h" +#include "Hacl_SHA2_Types.h" #include "internal/Hacl_SHA2_Types.h" #include "internal/Hacl_Hash_SHA2.h" #include "libintvector.h" diff --git a/src/Hacl_SHA2_Vec256.c b/src/Hacl_SHA2_Vec256.c index c34767f5..60fa7457 100644 --- a/src/Hacl_SHA2_Vec256.c +++ b/src/Hacl_SHA2_Vec256.c @@ -25,6 +25,8 @@ #include "Hacl_SHA2_Vec256.h" +#include "Hacl_SHA2_Types.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_SHA2_Types.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA2.h" diff --git a/src/Hacl_Streaming_HMAC.c b/src/Hacl_Streaming_HMAC.c new file mode 100644 index 00000000..23ee68aa --- /dev/null +++ b/src/Hacl_Streaming_HMAC.c @@ -0,0 +1,2858 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "internal/Hacl_Streaming_HMAC.h" + +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s_Simd128.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b_Simd256.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" +#include "internal/Hacl_Krmllib.h" +#include "internal/Hacl_Hash_SHA3.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" +#include "internal/Hacl_Hash_Blake2s_Simd128.h" +#include "internal/Hacl_Hash_Blake2s.h" +#include "internal/Hacl_Hash_Blake2b_Simd256.h" +#include "internal/Hacl_Hash_Blake2b.h" + +static Spec_Hash_Definitions_hash_alg alg_of_impl(Hacl_Agile_Hash_impl i) +{ + switch (i) + { + case Hacl_Agile_Hash_MD5: + { + return Spec_Hash_Definitions_MD5; + } + case Hacl_Agile_Hash_SHA1: + { + return Spec_Hash_Definitions_SHA1; + } + case Hacl_Agile_Hash_SHA2_224: + { + return Spec_Hash_Definitions_SHA2_224; + } + case Hacl_Agile_Hash_SHA2_256: + { + return Spec_Hash_Definitions_SHA2_256; + } + case Hacl_Agile_Hash_SHA2_384: + { + return Spec_Hash_Definitions_SHA2_384; + } + case Hacl_Agile_Hash_SHA2_512: + { + return Spec_Hash_Definitions_SHA2_512; + } + case Hacl_Agile_Hash_SHA3_224: + { + return Spec_Hash_Definitions_SHA3_224; + } + case Hacl_Agile_Hash_SHA3_256: + { + return Spec_Hash_Definitions_SHA3_256; + } + case Hacl_Agile_Hash_SHA3_384: + { + return Spec_Hash_Definitions_SHA3_384; + } + case Hacl_Agile_Hash_SHA3_512: + { + return Spec_Hash_Definitions_SHA3_512; + } + case Hacl_Agile_Hash_Blake2S_32: + { + return Spec_Hash_Definitions_Blake2S; + } + case Hacl_Agile_Hash_Blake2S_128: + { + return Spec_Hash_Definitions_Blake2S; + } + case Hacl_Agile_Hash_Blake2B_32: + { + return Spec_Hash_Definitions_Blake2B; + } + case Hacl_Agile_Hash_Blake2B_256: + { + return Spec_Hash_Definitions_Blake2B; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static Hacl_Agile_Hash_impl impl_of_state_s(Hacl_Agile_Hash_state_s s) +{ + if (s.tag == Hacl_Agile_Hash_MD5_s) + { + return Hacl_Agile_Hash_MD5; + } + if (s.tag == Hacl_Agile_Hash_SHA1_s) + { + return Hacl_Agile_Hash_SHA1; + } + if (s.tag == Hacl_Agile_Hash_SHA2_224_s) + { + return Hacl_Agile_Hash_SHA2_224; + } + if (s.tag == Hacl_Agile_Hash_SHA2_256_s) + { + return Hacl_Agile_Hash_SHA2_256; + } + if (s.tag == Hacl_Agile_Hash_SHA2_384_s) + { + return Hacl_Agile_Hash_SHA2_384; + } + if (s.tag == Hacl_Agile_Hash_SHA2_512_s) + { + return Hacl_Agile_Hash_SHA2_512; + } + if (s.tag == Hacl_Agile_Hash_SHA3_224_s) + { + return Hacl_Agile_Hash_SHA3_224; + } + if (s.tag == Hacl_Agile_Hash_SHA3_256_s) + { + return Hacl_Agile_Hash_SHA3_256; + } + if (s.tag == Hacl_Agile_Hash_SHA3_384_s) + { + return Hacl_Agile_Hash_SHA3_384; + } + if (s.tag == Hacl_Agile_Hash_SHA3_512_s) + { + return Hacl_Agile_Hash_SHA3_512; + } + if (s.tag == Hacl_Agile_Hash_Blake2S_s) + { + return Hacl_Agile_Hash_Blake2S_32; + } + if (s.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + return Hacl_Agile_Hash_Blake2S_128; + } + if (s.tag == Hacl_Agile_Hash_Blake2B_s) + { + return Hacl_Agile_Hash_Blake2B_32; + } + if (s.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + return Hacl_Agile_Hash_Blake2B_256; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static Hacl_Agile_Hash_impl impl_of_state(Hacl_Agile_Hash_state_s *s) +{ + return impl_of_state_s(*s); +} + +static Hacl_Agile_Hash_state_s *malloc_(Hacl_Agile_Hash_impl a) +{ + switch (a) + { + case Hacl_Agile_Hash_MD5: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((Hacl_Agile_Hash_state_s){ .tag = Hacl_Agile_Hash_MD5_s, { .case_MD5_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA1: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((Hacl_Agile_Hash_state_s){ .tag = Hacl_Agile_Hash_SHA1_s, { .case_SHA1_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_224: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_224_s, + { .case_SHA2_224_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_256: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_256_s, + { .case_SHA2_256_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_384: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_384_s, + { .case_SHA2_384_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_512: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_512_s, + { .case_SHA2_512_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_224: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_224_s, + { .case_SHA3_224_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_256: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_256_s, + { .case_SHA3_256_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_384: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_384_s, + { .case_SHA3_384_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_512: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_512_s, + { .case_SHA3_512_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_Blake2S_32: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2S_s, + { .case_Blake2S_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + Lib_IntVector_Intrinsics_vec128 *s = Hacl_Hash_Blake2s_Simd128_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2S_128_s, + { .case_Blake2S_128_s = s } + } + ); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + #else + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "provably unreachable code: did an unverified caller violate a precondition\?"); + KRML_HOST_EXIT(255U); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2B_s, + { .case_Blake2B_s = s1 } + } + ); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + Lib_IntVector_Intrinsics_vec256 *s = Hacl_Hash_Blake2b_Simd256_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] + = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2B_256_s, + { .case_Blake2B_256_s = s } + } + ); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + #else + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "provably unreachable code: did an unverified caller violate a precondition\?"); + KRML_HOST_EXIT(255U); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static void init(Hacl_Agile_Hash_state_s *s) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == Hacl_Agile_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_init(p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_init(p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_SHA2_sha224_init(p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_SHA2_sha256_init(p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_sha384_init(p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_sha512_init(p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_224, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_256, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_384, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_512, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + Hacl_Hash_Blake2s_init(p1, 0U, 32U); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + Hacl_Hash_Blake2s_Simd128_init(p1, 0U, 32U); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + Hacl_Hash_Blake2b_init(p1, 0U, 64U); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + Hacl_Hash_Blake2b_Simd256_init(p1, 0U, 64U); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void +update_multi(Hacl_Agile_Hash_state_s *s, uint64_t prevlen, uint8_t *blocks, uint32_t len) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == Hacl_Agile_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + uint32_t n = len / 64U; + Hacl_Hash_MD5_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + uint32_t n = len / 64U; + Hacl_Hash_SHA1_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + uint32_t n = len / 64U; + Hacl_Hash_SHA2_sha224_update_nblocks(n * 64U, blocks, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + uint32_t n = len / 64U; + Hacl_Hash_SHA2_sha256_update_nblocks(n * 64U, blocks, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + uint32_t n = len / 128U; + Hacl_Hash_SHA2_sha384_update_nblocks(n * 128U, blocks, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + uint32_t n = len / 128U; + Hacl_Hash_SHA2_sha512_update_nblocks(n * 128U, blocks, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + uint32_t n = len / 144U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, p1, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + uint32_t n = len / 136U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, p1, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + uint32_t n = len / 104U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, p1, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + uint32_t n = len / 72U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, p1, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t n = len / 64U; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(n * 64U, wv, p1, prevlen, blocks, n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + uint32_t n = len / 64U; + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; + Hacl_Hash_Blake2s_Simd128_update_multi(n * 64U, wv, p1, prevlen, blocks, n); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint32_t n = len / 128U; + uint64_t wv[16U] = { 0U }; + Hacl_Hash_Blake2b_update_multi(n * 128U, + wv, + p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + uint32_t n = len / 128U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 wv[4U] KRML_POST_ALIGN(32) = { 0U }; + Hacl_Hash_Blake2b_Simd256_update_multi(n * 128U, + wv, + p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void +update_last(Hacl_Agile_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_t last_len) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == Hacl_Agile_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_SHA2_sha224_update_last(prev_len + (uint64_t)last_len, last_len, last, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_SHA2_sha256_update_last(prev_len + (uint64_t)last_len, last_len, last, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_sha384_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128((uint64_t)last_len)), + last_len, + last, + p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_sha512_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128((uint64_t)last_len)), + last_len, + last, + p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, p1, last, last_len); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, p1, last, last_len); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, p1, last, last_len); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, p1, last, last_len); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(last_len, wv, p1, false, prev_len, last_len, last); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; + Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, false, prev_len, last_len, last); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint64_t wv[16U] = { 0U }; + Hacl_Hash_Blake2b_update_last(last_len, + wv, + p1, + false, + FStar_UInt128_uint64_to_uint128(prev_len), + last_len, + last); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 wv[4U] KRML_POST_ALIGN(32) = { 0U }; + Hacl_Hash_Blake2b_Simd256_update_last(last_len, + wv, + p1, + false, + FStar_UInt128_uint64_to_uint128(prev_len), + last_len, + last); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void finish(Hacl_Agile_Hash_state_s *s, uint8_t *dst) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == Hacl_Agile_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_finish(p1, dst); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_finish(p1, dst); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_SHA2_sha224_finish(p1, dst); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_SHA2_sha256_finish(p1, dst); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_sha384_finish(p1, dst); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_sha512_finish(p1, dst); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + uint32_t remOut = 28U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + uint32_t remOut = 32U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + uint32_t remOut = 48U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + uint32_t remOut = 64U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + Hacl_Hash_Blake2s_finish(32U, dst, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + Hacl_Hash_Blake2s_Simd128_finish(32U, dst, p1); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + Hacl_Hash_Blake2b_finish(64U, dst, p1); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + Hacl_Hash_Blake2b_Simd256_finish(64U, dst, p1); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void free_(Hacl_Agile_Hash_state_s *s) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == Hacl_Agile_Hash_MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + KRML_ALIGNED_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + KRML_ALIGNED_FREE(p1); + } + else + { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_FREE(s); +} + +static void copy(Hacl_Agile_Hash_state_s *s_src, Hacl_Agile_Hash_state_s *s_dst) +{ + Hacl_Agile_Hash_state_s scrut = *s_src; + if (scrut.tag == Hacl_Agile_Hash_MD5_s) + { + uint32_t *p_src = scrut.case_MD5_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_MD5_s) + { + p_dst = x1.case_MD5_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 4U * sizeof (uint32_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA1_s) + { + uint32_t *p_src = scrut.case_SHA1_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA1_s) + { + p_dst = x1.case_SHA1_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 5U * sizeof (uint32_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_224_s) + { + uint32_t *p_src = scrut.case_SHA2_224_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA2_224_s) + { + p_dst = x1.case_SHA2_224_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_256_s) + { + uint32_t *p_src = scrut.case_SHA2_256_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA2_256_s) + { + p_dst = x1.case_SHA2_256_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_384_s) + { + uint64_t *p_src = scrut.case_SHA2_384_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA2_384_s) + { + p_dst = x1.case_SHA2_384_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA2_512_s) + { + uint64_t *p_src = scrut.case_SHA2_512_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA2_512_s) + { + p_dst = x1.case_SHA2_512_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_224_s) + { + uint64_t *p_src = scrut.case_SHA3_224_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA3_224_s) + { + p_dst = x1.case_SHA3_224_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_256_s) + { + uint64_t *p_src = scrut.case_SHA3_256_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA3_256_s) + { + p_dst = x1.case_SHA3_256_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_384_s) + { + uint64_t *p_src = scrut.case_SHA3_384_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA3_384_s) + { + p_dst = x1.case_SHA3_384_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_SHA3_512_s) + { + uint64_t *p_src = scrut.case_SHA3_512_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_SHA3_512_s) + { + p_dst = x1.case_SHA3_512_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_s) + { + uint32_t *p_src = scrut.case_Blake2S_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_Blake2S_s) + { + p_dst = x1.case_Blake2S_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 16U * sizeof (uint32_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p_src = scrut.case_Blake2S_128_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + Lib_IntVector_Intrinsics_vec128 *p_dst; + if (x1.tag == Hacl_Agile_Hash_Blake2S_128_s) + { + p_dst = x1.case_Blake2S_128_s; + } + else + { + p_dst = + KRML_EABORT(Lib_IntVector_Intrinsics_vec128 *, + "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_s) + { + uint64_t *p_src = scrut.case_Blake2B_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Hacl_Agile_Hash_Blake2B_s) + { + p_dst = x1.case_Blake2B_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 16U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p_src = scrut.case_Blake2B_256_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + Lib_IntVector_Intrinsics_vec256 *p_dst; + if (x1.tag == Hacl_Agile_Hash_Blake2B_256_s) + { + p_dst = x1.case_Blake2B_256_s; + } + else + { + p_dst = + KRML_EABORT(Lib_IntVector_Intrinsics_vec256 *, + "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + return; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void hash(Hacl_Agile_Hash_impl i, uint8_t *dst, uint8_t *input, uint32_t input_len) +{ + switch (i) + { + case Hacl_Agile_Hash_MD5: + { + Hacl_Hash_MD5_hash_oneshot(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA1: + { + Hacl_Hash_SHA1_hash_oneshot(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_224: + { + Hacl_Hash_SHA2_hash_224(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_224: + { + Hacl_Hash_SHA3_sha3_224(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_256: + { + Hacl_Hash_SHA3_sha3_256(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_384: + { + Hacl_Hash_SHA3_sha3_384(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_512: + { + Hacl_Hash_SHA3_sha3_512(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_Blake2S_32: + { + Hacl_Hash_Blake2s_hash_with_key(dst, 32U, input, input_len, NULL, 0U); + break; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + Hacl_Hash_Blake2s_Simd128_hash_with_key(dst, 32U, input, input_len, NULL, 0U); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + Hacl_Hash_Blake2b_hash_with_key(dst, 64U, input, input_len, NULL, 0U); + break; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + Hacl_Hash_Blake2b_Simd256_hash_with_key(dst, 64U, input, input_len, NULL, 0U); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return 16U; + } + case Spec_Hash_Definitions_SHA1: + { + return 20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return 28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return 32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return 48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return 64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return 32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return 64U; + } + case Spec_Hash_Definitions_SHA3_224: + { + return 28U; + } + case Spec_Hash_Definitions_SHA3_256: + { + return 32U; + } + case Spec_Hash_Definitions_SHA3_384: + { + return 48U; + } + case Spec_Hash_Definitions_SHA3_512: + { + return 64U; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static uint32_t block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return 64U; + } + case Spec_Hash_Definitions_SHA1: + { + return 64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return 64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return 64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return 128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return 128U; + } + case Spec_Hash_Definitions_SHA3_224: + { + return 144U; + } + case Spec_Hash_Definitions_SHA3_256: + { + return 136U; + } + case Spec_Hash_Definitions_SHA3_384: + { + return 104U; + } + case Spec_Hash_Definitions_SHA3_512: + { + return 72U; + } + case Spec_Hash_Definitions_Shake128: + { + return 168U; + } + case Spec_Hash_Definitions_Shake256: + { + return 136U; + } + case Spec_Hash_Definitions_Blake2S: + { + return 64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return 128U; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static uint64_t max_input_len64(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA1: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA2_224: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA2_256: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA2_384: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA2_512: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Blake2S: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Blake2B: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_224: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_256: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_384: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_512: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Shake128: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Shake256: + { + return 18446744073709551615ULL; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static void wrap_key(Hacl_Agile_Hash_impl impl, uint8_t *output, uint8_t *key, uint32_t len) +{ + uint8_t *nkey = output; + uint32_t ite; + if (len <= block_len(alg_of_impl(impl))) + { + ite = len; + } + else + { + ite = hash_len(alg_of_impl(impl)); + } + uint8_t *zeroes = output + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (len <= block_len(alg_of_impl(impl))) + { + if (len > 0U) + { + memcpy(nkey, key, len * sizeof (uint8_t)); + return; + } + return; + } + hash(impl, nkey, key, len); +} + +static void init0(uint8_t *k, uint8_t *buf, Hacl_Streaming_HMAC_Definitions_two_state s) +{ + uint32_t k_len = s.fst; + Hacl_Agile_Hash_state_s *s1 = s.snd; + Hacl_Agile_Hash_state_s *s2 = s.thd; + init(s1); + init(s2); + Hacl_Agile_Hash_impl i1 = impl_of_state(s1); + Spec_Hash_Definitions_hash_alg a = alg_of_impl(i1); + uint8_t b0[168U] = { 0U }; + uint8_t *block = b0; + wrap_key(i1, block, k, k_len); + uint8_t b1[168U]; + memset(b1, 0x36U, 168U * sizeof (uint8_t)); + uint8_t *ipad = b1; + uint8_t b[168U]; + memset(b, 0x5cU, 168U * sizeof (uint8_t)); + uint8_t *opad = b; + for (uint32_t i = 0U; i < block_len(a); i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = block[i]; + buf[i] = (uint32_t)xi ^ (uint32_t)yi; + } + for (uint32_t i = 0U; i < block_len(a); i++) + { + uint8_t xi = opad[i]; + uint8_t yi = block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + update_multi(s2, 0ULL, opad, block_len(a)); +} + +static void finish0(Hacl_Streaming_HMAC_Definitions_two_state s, uint8_t *dst) +{ + Hacl_Agile_Hash_state_s *s2 = s.thd; + Hacl_Agile_Hash_state_s *s1 = s.snd; + Hacl_Agile_Hash_impl i1 = impl_of_state(s1); + Spec_Hash_Definitions_hash_alg a = alg_of_impl(i1); + finish(s1, dst); + update_last(s2, (uint64_t)block_len(a), dst, hash_len(a)); + finish(s2, dst); +} + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s1( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +) +{ + KRML_MAYBE_UNUSED_VAR(i); + return s.snd; +} + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s2( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +) +{ + KRML_MAYBE_UNUSED_VAR(i); + return s.thd; +} + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_index_of_state(Hacl_Streaming_HMAC_Definitions_two_state s) +{ + Hacl_Agile_Hash_state_s *s11 = s.snd; + uint32_t kl = s.fst; + Hacl_Agile_Hash_impl i1 = impl_of_state(s11); + return ((Hacl_Streaming_HMAC_Definitions_index){ .fst = i1, .snd = kl }); +} + +static Hacl_Agile_Hash_impl +__proj__Mkdtuple2__item___1__Hacl_Agile_Hash_impl_uint32_t( + Hacl_Streaming_HMAC_Definitions_index pair +) +{ + return pair.fst; +} + +static Hacl_Agile_Hash_impl +dfst__Hacl_Agile_Hash_impl_uint32_t(Hacl_Streaming_HMAC_Definitions_index t) +{ + return __proj__Mkdtuple2__item___1__Hacl_Agile_Hash_impl_uint32_t(t); +} + +static uint32_t +__proj__Mkdtuple2__item___2__Hacl_Agile_Hash_impl_uint32_t( + Hacl_Streaming_HMAC_Definitions_index pair +) +{ + return pair.snd; +} + +static uint32_t dsnd__Hacl_Agile_Hash_impl_uint32_t(Hacl_Streaming_HMAC_Definitions_index t) +{ + return __proj__Mkdtuple2__item___2__Hacl_Agile_Hash_impl_uint32_t(t); +} + +typedef struct option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s___s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Hacl_Streaming_HMAC_Definitions_two_state v; +} +option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__; + +KRML_MAYBE_UNUSED static Hacl_Streaming_HMAC_agile_state +*malloc_internal(Hacl_Streaming_HMAC_Definitions_index i, uint8_t *key) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i)))); + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i))), + sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + Hacl_Agile_Hash_state_s *s110 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i)); + option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ block_state; + if (s110 == NULL) + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + Hacl_Agile_Hash_state_s *s21 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i)); + if (s21 == NULL) + { + KRML_HOST_FREE(s110); + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = dsnd__Hacl_Agile_Hash_impl_uint32_t(i), .snd = s110, .thd = s21 } + } + ); + } + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_HMAC_agile_state + s = + { + .block_state = block_state1, + .buf = buf1, + .total_len = (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i))) + }; + Hacl_Streaming_HMAC_agile_state + *p = + (Hacl_Streaming_HMAC_agile_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_HMAC_agile_state + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Hacl_Agile_Hash_state_s *s21 = block_state1.thd; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + free_(s11); + free_(s21); + KRML_HOST_FREE(buf1); + return NULL; + } + init0(key, buf1, block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_MAYBE_UNUSED static bool is_blake2b_256(Hacl_Agile_Hash_impl uu___) +{ + switch (uu___) + { + case Hacl_Agile_Hash_Blake2B_256: + { + return true; + } + default: + { + return false; + } + } +} + +KRML_MAYBE_UNUSED static bool is_blake2s_128(Hacl_Agile_Hash_impl uu___) +{ + switch (uu___) + { + case Hacl_Agile_Hash_Blake2S_128: + { + return true; + } + default: + { + return false; + } + } +} + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_malloc_( + Hacl_Agile_Hash_impl impl, + uint8_t *key, + uint32_t key_length, + Hacl_Streaming_HMAC_agile_state **dst +) +{ + KRML_MAYBE_UNUSED_VAR(key); + KRML_MAYBE_UNUSED_VAR(key_length); + KRML_MAYBE_UNUSED_VAR(dst); + #if !HACL_CAN_COMPILE_VEC256 + if (is_blake2b_256(impl)) + { + return Hacl_Streaming_Types_InvalidAlgorithm; + } + #endif + #if !HACL_CAN_COMPILE_VEC128 + if (is_blake2s_128(impl)) + { + return Hacl_Streaming_Types_InvalidAlgorithm; + } + #endif + Hacl_Streaming_HMAC_agile_state + *st = + malloc_internal(((Hacl_Streaming_HMAC_Definitions_index){ .fst = impl, .snd = key_length }), + key); + if (st == NULL) + { + return Hacl_Streaming_Types_OutOfMemory; + } + *dst = st; + return Hacl_Streaming_Types_Success; +} + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_get_impl(Hacl_Streaming_HMAC_agile_state *s) +{ + Hacl_Streaming_HMAC_Definitions_two_state block_state = (*s).block_state; + return Hacl_Streaming_HMAC_index_of_state(block_state); +} + +static void reset_internal(Hacl_Streaming_HMAC_agile_state *state, uint8_t *key) +{ + Hacl_Streaming_HMAC_agile_state scrut = *state; + uint8_t *buf = scrut.buf; + Hacl_Streaming_HMAC_Definitions_two_state block_state = scrut.block_state; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state); + KRML_MAYBE_UNUSED_VAR(i1); + init0(key, buf, block_state); + Hacl_Streaming_HMAC_agile_state + tmp = + { + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + }; + state[0U] = tmp; +} + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_reset( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *key, + uint32_t key_length +) +{ + uint32_t k_len = Hacl_Streaming_HMAC_get_impl(state).snd; + if (key_length != k_len) + { + return Hacl_Streaming_Types_InvalidLength; + } + reset_internal(state, key); + return Hacl_Streaming_Types_Success; +} + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_update( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *chunk, + uint32_t chunk_len +) +{ + Hacl_Streaming_HMAC_agile_state s = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state = s.block_state; + uint64_t total_len = s.total_len; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state); + if + ( + (uint64_t)chunk_len + > max_input_len64(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) - total_len + ) + { + return Hacl_Streaming_Types_MaximumLengthExceeded; + } + uint32_t sz; + if + ( + total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len > 0ULL + ) + { + sz = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz = + (uint32_t)(total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + if (chunk_len <= block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) - sz) + { + Hacl_Streaming_HMAC_agile_state s3 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = s3.block_state; + uint8_t *buf = s3.buf; + uint64_t total_len1 = s3.total_len; + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len1 > 0ULL + ) + { + sz1 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz1 = + (uint32_t)(total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + } + else if (sz == 0U) + { + Hacl_Streaming_HMAC_agile_state s3 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = s3.block_state; + uint8_t *buf = s3.buf; + uint64_t total_len1 = s3.total_len; + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len1 > 0ULL + ) + { + sz1 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz1 = + (uint32_t)(total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + if (!(sz1 == 0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, + prevlen, + buf, + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t ite; + if + ( + (uint64_t)chunk_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && (uint64_t)chunk_len > 0ULL + ) + { + ite = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + ite = + (uint32_t)((uint64_t)chunk_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t + n_blocks = (chunk_len - ite) / block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t + data1_len = n_blocks * block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t data2_len = chunk_len - data1_len; + uint8_t *data1 = chunk; + uint8_t *data2 = chunk + data1_len; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, total_len1, data1, data1_len); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)chunk_len + } + ); + } + else + { + uint32_t diff = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) - sz; + uint8_t *chunk1 = chunk; + uint8_t *chunk2 = chunk + diff; + Hacl_Streaming_HMAC_agile_state s3 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state10 = s3.block_state; + uint8_t *buf0 = s3.buf; + uint64_t total_len10 = s3.total_len; + uint32_t sz10; + if + ( + total_len10 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len10 > 0ULL + ) + { + sz10 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz10 = + (uint32_t)(total_len10 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, chunk1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_HMAC_agile_state s30 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = s30.block_state; + uint8_t *buf = s30.buf; + uint64_t total_len1 = s30.total_len; + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len1 > 0ULL + ) + { + sz1 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz1 = + (uint32_t)(total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + if (!(sz1 == 0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, + prevlen, + buf, + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t ite; + if + ( + (uint64_t)(chunk_len - diff) + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && (uint64_t)(chunk_len - diff) > 0ULL + ) + { + ite = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + ite = + (uint32_t)((uint64_t)(chunk_len - diff) + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t + n_blocks = + (chunk_len - diff - ite) + / block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t + data1_len = n_blocks * block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t data2_len = chunk_len - diff - data1_len; + uint8_t *data1 = chunk2; + uint8_t *data2 = chunk2 + data1_len; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, total_len1, data1, data1_len); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(chunk_len - diff) + } + ); + } + return Hacl_Streaming_Types_Success; +} + +typedef struct +___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s___s +{ + Hacl_Streaming_HMAC_Definitions_two_state fst; + Hacl_Streaming_HMAC_Definitions_two_state snd; +} +___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__; + +void +Hacl_Streaming_HMAC_digest( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *output, + uint32_t digest_length +) +{ + KRML_MAYBE_UNUSED_VAR(digest_length); + Hacl_Streaming_HMAC_Definitions_two_state block_state0 = (*state).block_state; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state0); + Hacl_Streaming_HMAC_agile_state scrut0 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state = scrut0.block_state; + uint8_t *buf_ = scrut0.buf; + uint64_t total_len = scrut0.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len > 0ULL + ) + { + r = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint8_t *buf_1 = buf_; + Hacl_Agile_Hash_state_s s0; + uint32_t buf0[4U] = { 0U }; + uint32_t buf1[5U] = { 0U }; + uint32_t buf2[8U] = { 0U }; + uint32_t buf3[8U] = { 0U }; + uint64_t buf4[8U] = { 0U }; + uint64_t buf5[8U] = { 0U }; + uint64_t buf6[25U] = { 0U }; + uint64_t buf7[25U] = { 0U }; + uint64_t buf8[25U] = { 0U }; + uint64_t buf9[25U] = { 0U }; + uint32_t buf10[16U] = { 0U }; + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 buf11[4U] KRML_POST_ALIGN(16) = { 0U }; + uint64_t buf12[16U] = { 0U }; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 buf13[4U] KRML_POST_ALIGN(32) = { 0U }; + switch (dfst__Hacl_Agile_Hash_impl_uint32_t(i1)) + { + case Hacl_Agile_Hash_MD5: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = Hacl_Agile_Hash_MD5_s, { .case_MD5_s = buf0 } }); + break; + } + case Hacl_Agile_Hash_SHA1: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = Hacl_Agile_Hash_SHA1_s, { .case_SHA1_s = buf1 } }); + break; + } + case Hacl_Agile_Hash_SHA2_224: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_224_s, + { .case_SHA2_224_s = buf2 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA2_256: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_256_s, + { .case_SHA2_256_s = buf3 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA2_384: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_384_s, + { .case_SHA2_384_s = buf4 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA2_512: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_512_s, + { .case_SHA2_512_s = buf5 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_224: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_224_s, + { .case_SHA3_224_s = buf6 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_256: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_256_s, + { .case_SHA3_256_s = buf7 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_384: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_384_s, + { .case_SHA3_384_s = buf8 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_512: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_512_s, + { .case_SHA3_512_s = buf9 } + } + ); + break; + } + case Hacl_Agile_Hash_Blake2S_32: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2S_s, + { .case_Blake2S_s = buf10 } + } + ); + break; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2S_128_s, + { .case_Blake2S_128_s = buf11 } + } + ); + #else + s0 = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2B_s, + { .case_Blake2B_s = buf12 } + } + ); + break; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + s0 = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2B_256_s, + { .case_Blake2B_256_s = buf13 } + } + ); + #else + s0 = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + Hacl_Agile_Hash_state_s s110 = s0; + Hacl_Agile_Hash_state_s s; + uint32_t buf14[4U] = { 0U }; + uint32_t buf15[5U] = { 0U }; + uint32_t buf16[8U] = { 0U }; + uint32_t buf17[8U] = { 0U }; + uint64_t buf18[8U] = { 0U }; + uint64_t buf19[8U] = { 0U }; + uint64_t buf20[25U] = { 0U }; + uint64_t buf21[25U] = { 0U }; + uint64_t buf22[25U] = { 0U }; + uint64_t buf23[25U] = { 0U }; + uint32_t buf24[16U] = { 0U }; + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 buf25[4U] KRML_POST_ALIGN(16) = { 0U }; + uint64_t buf26[16U] = { 0U }; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 buf[4U] KRML_POST_ALIGN(32) = { 0U }; + switch (dfst__Hacl_Agile_Hash_impl_uint32_t(i1)) + { + case Hacl_Agile_Hash_MD5: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = Hacl_Agile_Hash_MD5_s, { .case_MD5_s = buf14 } }); + break; + } + case Hacl_Agile_Hash_SHA1: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = Hacl_Agile_Hash_SHA1_s, { .case_SHA1_s = buf15 } }); + break; + } + case Hacl_Agile_Hash_SHA2_224: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_224_s, + { .case_SHA2_224_s = buf16 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA2_256: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_256_s, + { .case_SHA2_256_s = buf17 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA2_384: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_384_s, + { .case_SHA2_384_s = buf18 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA2_512: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA2_512_s, + { .case_SHA2_512_s = buf19 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_224: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_224_s, + { .case_SHA3_224_s = buf20 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_256: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_256_s, + { .case_SHA3_256_s = buf21 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_384: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_384_s, + { .case_SHA3_384_s = buf22 } + } + ); + break; + } + case Hacl_Agile_Hash_SHA3_512: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_SHA3_512_s, + { .case_SHA3_512_s = buf23 } + } + ); + break; + } + case Hacl_Agile_Hash_Blake2S_32: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2S_s, + { .case_Blake2S_s = buf24 } + } + ); + break; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2S_128_s, + { .case_Blake2S_128_s = buf25 } + } + ); + #else + s = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2B_s, + { .case_Blake2B_s = buf26 } + } + ); + break; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + s = + ( + (Hacl_Agile_Hash_state_s){ + .tag = Hacl_Agile_Hash_Blake2B_256_s, + { .case_Blake2B_256_s = buf } + } + ); + #else + s = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + Hacl_Agile_Hash_state_s s210 = s; + Hacl_Streaming_HMAC_Definitions_two_state + tmp_block_state = + { .fst = dsnd__Hacl_Agile_Hash_impl_uint32_t(i1), .snd = &s110, .thd = &s210 }; + ___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ + scrut = { .fst = block_state, .snd = tmp_block_state }; + Hacl_Agile_Hash_state_s *s2_ = scrut.snd.thd; + Hacl_Agile_Hash_state_s *s1_ = scrut.snd.snd; + Hacl_Agile_Hash_state_s *s21 = scrut.fst.thd; + Hacl_Agile_Hash_state_s *s111 = scrut.fst.snd; + copy(s111, s1_); + copy(s21, s2_); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if (r % block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) == 0U && r > 0U) + { + ite = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + ite = r % block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Agile_Hash_state_s *s112 = tmp_block_state.snd; + update_multi(s112, prev_len, buf_multi, 0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Agile_Hash_state_s *s11 = tmp_block_state.snd; + update_last(s11, prev_len_last, buf_last, r); + finish0(tmp_block_state, output); +} + +void Hacl_Streaming_HMAC_free(Hacl_Streaming_HMAC_agile_state *state) +{ + Hacl_Streaming_HMAC_Definitions_two_state block_state0 = (*state).block_state; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state0); + KRML_MAYBE_UNUSED_VAR(i1); + Hacl_Streaming_HMAC_agile_state scrut = *state; + uint8_t *buf = scrut.buf; + Hacl_Streaming_HMAC_Definitions_two_state block_state = scrut.block_state; + Hacl_Agile_Hash_state_s *s21 = block_state.thd; + Hacl_Agile_Hash_state_s *s11 = block_state.snd; + free_(s11); + free_(s21); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(state); +} + +Hacl_Streaming_HMAC_agile_state +*Hacl_Streaming_HMAC_copy(Hacl_Streaming_HMAC_agile_state *state) +{ + Hacl_Streaming_HMAC_agile_state scrut0 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state0 = scrut0.block_state; + uint8_t *buf0 = scrut0.buf; + uint64_t total_len0 = scrut0.total_len; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state0); + KRML_CHECK_SIZE(sizeof (uint8_t), + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))), + sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + memcpy(buf, + buf0, + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) * sizeof (uint8_t)); + Hacl_Agile_Hash_state_s *s110 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)); + option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ block_state; + if (s110 == NULL) + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + Hacl_Agile_Hash_state_s *s21 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)); + if (s21 == NULL) + { + KRML_HOST_FREE(s110); + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = dsnd__Hacl_Agile_Hash_impl_uint32_t(i1), .snd = s110, .thd = s21 } + } + ); + } + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = block_state.v; + ___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ + scrut = { .fst = block_state0, .snd = block_state1 }; + Hacl_Agile_Hash_state_s *s2_ = scrut.snd.thd; + Hacl_Agile_Hash_state_s *s1_ = scrut.snd.snd; + Hacl_Agile_Hash_state_s *s21 = scrut.fst.thd; + Hacl_Agile_Hash_state_s *s111 = scrut.fst.snd; + copy(s111, s1_); + copy(s21, s2_); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_HMAC_agile_state + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_HMAC_agile_state + *p = + (Hacl_Streaming_HMAC_agile_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_HMAC_agile_state + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Hacl_Agile_Hash_state_s *s210 = block_state1.thd; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + free_(s11); + free_(s210); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + diff --git a/src/Lib_Memzero0.c b/src/Lib_Memzero0.c index 3d8a1e5f..4dbf55ee 100644 --- a/src/Lib_Memzero0.c +++ b/src/Lib_Memzero0.c @@ -8,12 +8,16 @@ #include #endif -#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__) +#if defined(__APPLE__) && defined(__MACH__) +#include +#endif + +#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__) || defined(__OpenBSD__) #define __STDC_WANT_LIB_EXT1__ 1 #include #endif -#ifdef __FreeBSD__ +#if defined(__FreeBSD__) || defined(__NetBSD__) #include #endif @@ -36,10 +40,10 @@ void Lib_Memzero0_memzero0(void *dst, uint64_t len) { size_t len_ = (size_t) len; #ifdef _WIN32 - SecureZeroMemory(dst, len); - #elif defined(__APPLE__) && defined(__MACH__) + SecureZeroMemory(dst, len_); + #elif defined(__APPLE__) && defined(__MACH__) && defined(MAC_OS_X_VERSION_MIN_REQUIRED) && (MAC_OS_X_VERSION_MIN_REQUIRED >= 1090) memset_s(dst, len_, 0, len_); - #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__) + #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__) || defined(__OpenBSD__) explicit_bzero(dst, len_); #elif defined(__NetBSD__) explicit_memset(dst, 0, len_); diff --git a/src/msvc/EverCrypt_AEAD.c b/src/msvc/EverCrypt_AEAD.c index b0fb4826..dd1fb2e3 100644 --- a/src/msvc/EverCrypt_AEAD.c +++ b/src/msvc/EverCrypt_AEAD.c @@ -25,6 +25,10 @@ #include "EverCrypt_AEAD.h" +#include "Hacl_Spec.h" +#include "EverCrypt_Error.h" +#include "EverCrypt_Chacha20Poly1305.h" +#include "EverCrypt_AutoConfig2.h" #include "internal/Vale.h" #include "internal/Hacl_Spec.h" #include "config.h" @@ -89,7 +93,10 @@ create_in_chacha20_poly1305(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); - p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }); + if (p != NULL) + { + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }); + } memcpy(ek, k, 32U * sizeof (uint8_t)); dst[0U] = p; return EverCrypt_Error_Success; @@ -115,7 +122,10 @@ create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) aes128_keyhash_init(keys_b, hkeys_b); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); - p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); + if (p != NULL) + { + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); + } *dst = p; return EverCrypt_Error_Success; } @@ -145,7 +155,10 @@ create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) aes256_keyhash_init(keys_b, hkeys_b); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); - p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); + if (p != NULL) + { + p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); + } *dst = p; return EverCrypt_Error_Success; } @@ -538,26 +551,27 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( KRML_MAYBE_UNUSED_VAR(cipher); KRML_MAYBE_UNUSED_VAR(tag); #if HACL_CAN_COMPILE_VALE - uint8_t ek[480U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 176U; + uint8_t ek0[480U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 176U; aes128_key_expansion(k, keys_b0); aes128_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 304U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 304U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 176U; uint8_t tmp_iv[16U] = { 0U }; @@ -637,8 +651,9 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; #else KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", @@ -680,26 +695,27 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( KRML_MAYBE_UNUSED_VAR(cipher); KRML_MAYBE_UNUSED_VAR(tag); #if HACL_CAN_COMPILE_VALE - uint8_t ek[544U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 240U; + uint8_t ek0[544U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 240U; aes256_key_expansion(k, keys_b0); aes256_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 368U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 368U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 240U; uint8_t tmp_iv[16U] = { 0U }; @@ -779,8 +795,9 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; #else KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", @@ -821,26 +838,27 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) { - uint8_t ek[480U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 176U; + uint8_t ek0[480U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 176U; aes128_key_expansion(k, keys_b0); aes128_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 304U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 304U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 176U; uint8_t tmp_iv[16U] = { 0U }; @@ -920,8 +938,9 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; } return EverCrypt_Error_UnsupportedAlgorithm; @@ -960,26 +979,27 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( bool has_aesni = EverCrypt_AutoConfig2_has_aesni(); if (has_aesni && has_pclmulqdq && has_avx && has_sse && has_movbe) { - uint8_t ek[544U] = { 0U }; - uint8_t *keys_b0 = ek; - uint8_t *hkeys_b0 = ek + 240U; + uint8_t ek0[544U] = { 0U }; + uint8_t *keys_b0 = ek0; + uint8_t *hkeys_b0 = ek0 + 240U; aes256_key_expansion(k, keys_b0); aes256_keyhash_init(keys_b0, hkeys_b0); - EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; + EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek0 }; EverCrypt_AEAD_state_s *s = &p; + EverCrypt_Error_error_code r; if (s == NULL) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); + r = EverCrypt_Error_InvalidKey; } else if (iv_len == 0U) { - KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); + r = EverCrypt_Error_InvalidIVLength; } else { - uint8_t *ek0 = (*s).ek; - uint8_t *scratch_b = ek0 + 368U; - uint8_t *ek1 = ek0; + uint8_t *ek = (*s).ek; + uint8_t *scratch_b = ek + 368U; + uint8_t *ek1 = ek; uint8_t *keys_b = ek1; uint8_t *hkeys_b = ek1 + 240U; uint8_t tmp_iv[16U] = { 0U }; @@ -1059,8 +1079,9 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( memcpy(cipher + (uint32_t)(uint64_t)plain_len / 16U * 16U, inout_b, (uint32_t)(uint64_t)plain_len % 16U * sizeof (uint8_t)); - KRML_HOST_IGNORE(EverCrypt_Error_Success); + r = EverCrypt_Error_Success; } + KRML_MAYBE_UNUSED_VAR(r); return EverCrypt_Error_Success; } return EverCrypt_Error_UnsupportedAlgorithm; diff --git a/src/msvc/EverCrypt_Chacha20Poly1305.c b/src/msvc/EverCrypt_Chacha20Poly1305.c index e762f031..ed855681 100644 --- a/src/msvc/EverCrypt_Chacha20Poly1305.c +++ b/src/msvc/EverCrypt_Chacha20Poly1305.c @@ -25,6 +25,10 @@ #include "EverCrypt_Chacha20Poly1305.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" +#include "EverCrypt_AutoConfig2.h" #include "config.h" void diff --git a/src/msvc/EverCrypt_Curve25519.c b/src/msvc/EverCrypt_Curve25519.c index 202f58c1..669cc5d8 100644 --- a/src/msvc/EverCrypt_Curve25519.c +++ b/src/msvc/EverCrypt_Curve25519.c @@ -25,6 +25,9 @@ #include "EverCrypt_Curve25519.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_Curve25519_51.h" +#include "EverCrypt_AutoConfig2.h" #include "config.h" /** diff --git a/src/msvc/EverCrypt_DRBG.c b/src/msvc/EverCrypt_DRBG.c index c76a69cd..407d456f 100644 --- a/src/msvc/EverCrypt_DRBG.c +++ b/src/msvc/EverCrypt_DRBG.c @@ -25,6 +25,9 @@ #include "EverCrypt_DRBG.h" +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_HMAC_DRBG.h" #include "internal/EverCrypt_HMAC.h" #include "lib_memzero0.h" @@ -152,7 +155,10 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(20U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(20U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ @@ -167,7 +173,10 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ @@ -182,7 +191,10 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(48U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(48U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ @@ -197,7 +209,10 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg uint8_t *k = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint8_t *v = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } st = ( (EverCrypt_DRBG_state_s){ @@ -215,7 +230,10 @@ EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_hash_alg } EverCrypt_DRBG_state_s *buf = (EverCrypt_DRBG_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_DRBG_state_s)); - buf[0U] = st; + if (buf != NULL) + { + buf[0U] = st; + } return buf; } diff --git a/src/msvc/EverCrypt_Ed25519.c b/src/msvc/EverCrypt_Ed25519.c index 8a5c88c0..42d73f82 100644 --- a/src/msvc/EverCrypt_Ed25519.c +++ b/src/msvc/EverCrypt_Ed25519.c @@ -25,6 +25,8 @@ #include "EverCrypt_Ed25519.h" +#include "Hacl_Ed25519.h" + void EverCrypt_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key) { Hacl_Ed25519_secret_to_public(public_key, private_key); diff --git a/src/msvc/EverCrypt_HKDF.c b/src/msvc/EverCrypt_HKDF.c index cbccb94f..1f0733c2 100644 --- a/src/msvc/EverCrypt_HKDF.c +++ b/src/msvc/EverCrypt_HKDF.c @@ -25,6 +25,7 @@ #include "EverCrypt_HKDF.h" +#include "Hacl_Streaming_Types.h" #include "internal/EverCrypt_HMAC.h" static void diff --git a/src/msvc/EverCrypt_HMAC.c b/src/msvc/EverCrypt_HMAC.c index 386cb17f..52362a5c 100644 --- a/src/msvc/EverCrypt_HMAC.c +++ b/src/msvc/EverCrypt_HMAC.c @@ -25,6 +25,11 @@ #include "internal/EverCrypt_HMAC.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA2.h" #include "internal/Hacl_Hash_SHA1.h" @@ -68,10 +73,6 @@ bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___) } } -void -(*EverCrypt_HMAC_hash_256)(uint8_t *x0, uint8_t *x1, uint32_t x2) = - EverCrypt_Hash_Incremental_hash_256; - void EverCrypt_HMAC_compute_sha1( uint8_t *dst, @@ -81,10 +82,8 @@ EverCrypt_HMAC_compute_sha1( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -105,19 +104,17 @@ EverCrypt_HMAC_compute_sha1( { Hacl_Hash_SHA1_hash_oneshot(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -189,10 +186,8 @@ EverCrypt_HMAC_compute_sha2_256( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -211,21 +206,19 @@ EverCrypt_HMAC_compute_sha2_256( } else { - EverCrypt_HMAC_hash_256(nkey, key, key_len); + EverCrypt_Hash_Incremental_hash_256(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -311,10 +304,8 @@ EverCrypt_HMAC_compute_sha2_384( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -335,19 +326,17 @@ EverCrypt_HMAC_compute_sha2_384( { Hacl_Hash_SHA2_hash_384(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -441,10 +430,8 @@ EverCrypt_HMAC_compute_sha2_512( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -465,19 +452,17 @@ EverCrypt_HMAC_compute_sha2_512( { Hacl_Hash_SHA2_hash_512(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -571,10 +556,8 @@ EverCrypt_HMAC_compute_blake2s( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -595,19 +578,17 @@ EverCrypt_HMAC_compute_blake2s( { Hacl_Hash_Blake2s_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -620,7 +601,7 @@ EverCrypt_HMAC_compute_blake2s( if (data_len == 0U) { uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -655,6 +636,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -693,6 +675,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -708,10 +691,8 @@ EverCrypt_HMAC_compute_blake2b( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -732,19 +713,17 @@ EverCrypt_HMAC_compute_blake2b( { Hacl_Hash_Blake2b_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -757,7 +736,13 @@ EverCrypt_HMAC_compute_blake2b( if (data_len == 0U) { uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -792,6 +777,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -831,6 +817,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/msvc/EverCrypt_Hash.c b/src/msvc/EverCrypt_Hash.c index bfafa9be..386db439 100644 --- a/src/msvc/EverCrypt_Hash.c +++ b/src/msvc/EverCrypt_Hash.c @@ -25,7 +25,18 @@ #include "internal/EverCrypt_Hash.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s_Simd128.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b_Simd256.h" +#include "Hacl_Hash_Blake2b.h" +#include "EverCrypt_Error.h" +#include "EverCrypt_AutoConfig2.h" #include "internal/Vale.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA3.h" #include "internal/Hacl_Hash_SHA2.h" @@ -143,70 +154,219 @@ static Spec_Hash_Definitions_hash_alg alg_of_state(EverCrypt_Hash_state_s *s) KRML_HOST_EXIT(255U); } -static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) +static EverCrypt_Hash_state_s *malloc_(Spec_Hash_Definitions_hash_alg a) { - EverCrypt_Hash_state_s s; switch (a) { case Spec_Hash_Definitions_MD5: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = MD5_s, { .case_MD5_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = MD5_s, { .case_MD5_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA1: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA1_s, { .case_SHA1_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA1_s, { .case_SHA1_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_224: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_224_s, { .case_SHA2_224_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA2_224_s, { .case_SHA2_224_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_256: { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_256_s, { .case_SHA2_256_s = buf } }); - break; + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA2_256_s, { .case_SHA2_256_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_384: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_384_s, { .case_SHA2_384_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA2_384_s, { .case_SHA2_384_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA2_512: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA2_512_s, { .case_SHA2_512_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA2_512_s, { .case_SHA2_512_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_224: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_224_s, { .case_SHA3_224_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA3_224_s, { .case_SHA3_224_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_256: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_256_s, { .case_SHA3_256_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA3_256_s, { .case_SHA3_256_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_384: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_384_s, { .case_SHA3_384_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA3_384_s, { .case_SHA3_384_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_SHA3_512: { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = SHA3_512_s, { .case_SHA3_512_s = buf } }); - break; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = SHA3_512_s, { .case_SHA3_512_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; } case Spec_Hash_Definitions_Blake2S: { @@ -214,22 +374,62 @@ static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) bool vec128 = EverCrypt_AutoConfig2_has_vec128(); if (vec128) { - s = - ( - (EverCrypt_Hash_state_s){ - .tag = Blake2S_128_s, - { .case_Blake2S_128_s = Hacl_Hash_Blake2s_Simd128_malloc_with_key() } - } - ); + Lib_IntVector_Intrinsics_vec128 *s = Hacl_Hash_Blake2s_Simd128_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = Blake2S_128_s, { .case_Blake2S_128_s = s } }); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + } + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = s1 } }); } - else + if (st == NULL) { - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf } }); + KRML_HOST_FREE(s1); + return NULL; } + return st; #else - uint32_t *buf = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf } }); + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #endif break; } @@ -239,22 +439,62 @@ static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) bool vec256 = EverCrypt_AutoConfig2_has_vec256(); if (vec256) { - s = - ( - (EverCrypt_Hash_state_s){ - .tag = Blake2B_256_s, - { .case_Blake2B_256_s = Hacl_Hash_Blake2b_Simd256_malloc_with_key() } - } - ); + Lib_IntVector_Intrinsics_vec256 *s = Hacl_Hash_Blake2b_Simd256_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] + = ((EverCrypt_Hash_state_s){ .tag = Blake2B_256_s, { .case_Blake2B_256_s = s } }); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + } + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; } - else + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf } }); + st[0U] = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = s1 } }); } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #else - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - s = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf } }); + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + EverCrypt_Hash_state_s + *st = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((EverCrypt_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; #endif break; } @@ -264,10 +504,23 @@ static EverCrypt_Hash_state_s *create_in(Spec_Hash_Definitions_hash_alg a) KRML_HOST_EXIT(253U); } } - EverCrypt_Hash_state_s - *buf = (EverCrypt_Hash_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_Hash_state_s)); - buf[0U] = s; - return buf; +} + +typedef struct option___EverCrypt_Hash_state_s__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + EverCrypt_Hash_state_s *v; +} +option___EverCrypt_Hash_state_s_; + +static option___EverCrypt_Hash_state_s_ create_in(Spec_Hash_Definitions_hash_alg a) +{ + EverCrypt_Hash_state_s *s = malloc_(a); + if (s == NULL) + { + return ((option___EverCrypt_Hash_state_s_){ .tag = FStar_Pervasives_Native_None }); + } + return ((option___EverCrypt_Hash_state_s_){ .tag = FStar_Pervasives_Native_Some, .v = s }); } static void init(EverCrypt_Hash_state_s *s) @@ -312,25 +565,25 @@ static void init(EverCrypt_Hash_state_s *s) if (scrut.tag == SHA3_224_s) { uint64_t *p1 = scrut.case_SHA3_224_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_224, p1); return; } if (scrut.tag == SHA3_256_s) { uint64_t *p1 = scrut.case_SHA3_256_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_256, p1); return; } if (scrut.tag == SHA3_384_s) { uint64_t *p1 = scrut.case_SHA3_384_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_384, p1); return; } if (scrut.tag == SHA3_512_s) { uint64_t *p1 = scrut.case_SHA3_512_s; - memset(p1, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_512, p1); return; } if (scrut.tag == Blake2S_s) @@ -616,7 +869,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ { uint32_t *p1 = scrut.case_Blake2S_s; uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; } if (scrut.tag == Blake2S_128_s) @@ -624,7 +877,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; #else KRML_MAYBE_UNUSED_VAR(p1); @@ -638,6 +891,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); @@ -651,6 +905,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_Simd256_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); @@ -1304,17 +1559,61 @@ EverCrypt_Hash_Incremental_state_t { KRML_CHECK_SIZE(sizeof (uint8_t), block_len(a)); uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); - EverCrypt_Hash_state_s *block_state = create_in(a); - EverCrypt_Hash_Incremental_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - EverCrypt_Hash_Incremental_state_t - *p = - (EverCrypt_Hash_Incremental_state_t *)KRML_HOST_MALLOC(sizeof ( - EverCrypt_Hash_Incremental_state_t - )); - p[0U] = s; - init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + option___EverCrypt_Hash_state_s_ block_state = create_in(a); + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + EverCrypt_Hash_state_s *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + EverCrypt_Hash_Incremental_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + EverCrypt_Hash_Incremental_state_t + *p = + (EverCrypt_Hash_Incremental_state_t *)KRML_HOST_MALLOC(sizeof ( + EverCrypt_Hash_Incremental_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + free_(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -2213,6 +2512,9 @@ Free a state previously allocated with `create_in`. */ void EverCrypt_Hash_Incremental_free(EverCrypt_Hash_Incremental_state_t *state) { + EverCrypt_Hash_state_s *block_state0 = (*state).block_state; + Spec_Hash_Definitions_hash_alg i1 = alg_of_state(block_state0); + KRML_MAYBE_UNUSED_VAR(i1); EverCrypt_Hash_Incremental_state_t scrut = *state; uint8_t *buf = scrut.buf; EverCrypt_Hash_state_s *block_state = scrut.block_state; diff --git a/src/msvc/EverCrypt_Poly1305.c b/src/msvc/EverCrypt_Poly1305.c index 33ee20f3..d649e071 100644 --- a/src/msvc/EverCrypt_Poly1305.c +++ b/src/msvc/EverCrypt_Poly1305.c @@ -25,6 +25,10 @@ #include "EverCrypt_Poly1305.h" +#include "Hacl_MAC_Poly1305_Simd256.h" +#include "Hacl_MAC_Poly1305_Simd128.h" +#include "Hacl_MAC_Poly1305.h" +#include "EverCrypt_AutoConfig2.h" #include "internal/Vale.h" #include "config.h" diff --git a/src/msvc/Hacl_AEAD_Chacha20Poly1305.c b/src/msvc/Hacl_AEAD_Chacha20Poly1305.c index d5926093..d78add74 100644 --- a/src/msvc/Hacl_AEAD_Chacha20Poly1305.c +++ b/src/msvc/Hacl_AEAD_Chacha20Poly1305.c @@ -25,6 +25,7 @@ #include "Hacl_AEAD_Chacha20Poly1305.h" +#include "Hacl_Chacha20.h" #include "internal/Hacl_MAC_Poly1305.h" #include "internal/Hacl_Krmllib.h" diff --git a/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.c b/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.c index 0cfa41fd..796db85e 100644 --- a/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.c +++ b/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.c @@ -25,6 +25,7 @@ #include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" +#include "Hacl_Chacha20_Vec128.h" #include "internal/Hacl_MAC_Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" #include "libintvector.h" diff --git a/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.c b/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.c index 28414516..452e5b4c 100644 --- a/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.c +++ b/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.c @@ -25,6 +25,7 @@ #include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" +#include "Hacl_Chacha20_Vec256.h" #include "internal/Hacl_MAC_Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" #include "libintvector.h" diff --git a/src/msvc/Hacl_Bignum.c b/src/msvc/Hacl_Bignum.c index b99423f3..08b896e4 100644 --- a/src/msvc/Hacl_Bignum.c +++ b/src/msvc/Hacl_Bignum.c @@ -25,6 +25,7 @@ #include "internal/Hacl_Bignum.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" @@ -832,7 +833,7 @@ uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint32_t *n) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m1 = acc; return m0 & m1; @@ -1023,7 +1024,7 @@ uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint64_t *n) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; return m0 & m1; @@ -1415,7 +1416,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m10 = acc0; uint32_t m00 = m0 & m10; @@ -1442,7 +1443,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( { uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t res = acc; m1 = res; @@ -1456,7 +1457,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32( { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t m = m1 & m2; @@ -1809,7 +1810,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m10 = acc0; uint64_t m00 = m0 & m10; @@ -1836,7 +1837,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; m1 = res; @@ -1850,7 +1851,7 @@ Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64( { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t m = m1 & m2; diff --git a/src/msvc/Hacl_Bignum256.c b/src/msvc/Hacl_Bignum256.c index a4f00b83..5b16a102 100644 --- a/src/msvc/Hacl_Bignum256.c +++ b/src/msvc/Hacl_Bignum256.c @@ -25,6 +25,8 @@ #include "Hacl_Bignum256.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -512,7 +514,7 @@ bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res) 1U, uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t m1 = acc; uint64_t is_valid_m = m0 & m1; uint32_t nBits = 64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(4U, n); @@ -544,7 +546,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc0 = (beq & acc0) | (~beq & blt);); uint64_t m10 = acc0; uint64_t m00 = m0 & m10; uint32_t bLen; @@ -570,7 +572,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; m1 = res; @@ -586,7 +588,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t m2 = acc; uint64_t m = m1 & m2; return m00 & m; @@ -990,7 +992,7 @@ bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *re 1U, uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc0 = (beq & acc0) | (~beq & blt);); uint64_t m1 = acc0; uint64_t m00 = m0 & m1; uint64_t bn_zero[4U] = { 0U }; @@ -1011,7 +1013,7 @@ bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *re 1U, uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t m2 = acc; uint64_t is_valid_m = (m00 & ~m10) & m2; uint32_t nBits = 64U * (uint32_t)Hacl_Bignum_Lib_bn_get_top_index_u64(4U, n); @@ -1076,7 +1078,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init(uint64_ (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1351,7 +1356,7 @@ uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); return acc; } diff --git a/src/msvc/Hacl_Bignum256_32.c b/src/msvc/Hacl_Bignum256_32.c index 29a5a52e..fe848950 100644 --- a/src/msvc/Hacl_Bignum256_32.c +++ b/src/msvc/Hacl_Bignum256_32.c @@ -25,6 +25,7 @@ #include "Hacl_Bignum256_32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -532,7 +533,7 @@ bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) 1U, uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); uint32_t m1 = acc; uint32_t is_valid_m = m0 & m1; uint32_t nBits = 32U * Hacl_Bignum_Lib_bn_get_top_index_u32(8U, n); @@ -564,7 +565,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) 1U, uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc0 = (beq & acc0) | (~beq & blt);); uint32_t m10 = acc0; uint32_t m00 = m0 & m10; uint32_t bLen; @@ -590,7 +591,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t res = acc; m1 = res; @@ -606,7 +607,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) 1U, uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); uint32_t m2 = acc; uint32_t m = m1 & m2; return m00 & m; @@ -1010,7 +1011,7 @@ bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t 1U, uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc0 = (beq & acc0) | (~beq & blt);); uint32_t m1 = acc0; uint32_t m00 = m0 & m1; uint32_t bn_zero[8U] = { 0U }; @@ -1031,7 +1032,7 @@ bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t 1U, uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); uint32_t m2 = acc; uint32_t is_valid_m = (m00 & ~m10) & m2; uint32_t nBits = 32U * Hacl_Bignum_Lib_bn_get_top_index_u32(8U, n); @@ -1110,7 +1111,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_init(uint (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1399,7 +1403,7 @@ uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b) 1U, uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U)));); + acc = (beq & acc) | (~beq & blt);); return acc; } diff --git a/src/msvc/Hacl_Bignum32.c b/src/msvc/Hacl_Bignum32.c index 55c3f90c..eca9e771 100644 --- a/src/msvc/Hacl_Bignum32.c +++ b/src/msvc/Hacl_Bignum32.c @@ -25,6 +25,7 @@ #include "Hacl_Bignum32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -46,9 +47,18 @@ of `len` unsigned 32-bit integers, i.e. uint32_t[len]. /** Write `a + b mod 2 ^ (32 * len)` in `res`. - This functions returns the carry. - - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + This function returns the carry. + + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly equal memory + location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -60,7 +70,16 @@ Write `a - b mod 2 ^ (32 * len)` in `res`. This functions returns the carry. - The arguments a, b and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len] + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[out] res Points to `len` number of limbs where the carry is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. */ uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -70,12 +89,23 @@ uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res /** Write `(a + b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -85,12 +115,23 @@ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, /** Write `(a - b) mod n` in `res`. - The arguments a, b, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • a < n - • b < n + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `b` or `res`. May have exactly + equal memory location to `b` or `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must not + partially overlap the memory locations of `a` or `res`. May have exactly + equal memory location to `a` or `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `res`. + @param[out] res Points to `len` number of limbs where the result is written, i.e. `uint32_t[len]`. + Must not partially overlap the memory locations of `a` or `b`. May have + exactly equal memory location to `a` or `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `a < n` + - `b < n` */ void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -100,8 +141,13 @@ void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, /** Write `a * b` in `res`. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] len Number of limbs. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `b` and `res`. + @param[in] b Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory locations of `a` and `b`. */ void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) { @@ -114,8 +160,10 @@ void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t *res) /** Write `a * a` in `res`. - The argument a is meant to be `len` limbs in size, i.e. uint32_t[len]. - The outparam res is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `2*len` number of limbs where the result is written, i.e. `uint32_t[2*len]`. + Must be disjoint from the memory location of `a`. */ void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res) { @@ -149,13 +197,19 @@ bn_slow_precomp( /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The argument n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • 1 < n - • n % 2 = 1 + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `n`. + + @return `false` if any precondition is violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `1 < n` + - `n % 2 = 1` */ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { @@ -171,7 +225,7 @@ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m1 = acc; uint32_t is_valid_m = m0 & m1; @@ -195,22 +249,30 @@ bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_vartime( @@ -238,22 +300,30 @@ Hacl_Bignum32_mod_exp_vartime( /** Write `a ^ b mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime. - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • b < pow2 bBits - • a < n + This function is constant-time over its argument `b`, at the cost of a slower + execution time than `mod_exp_vartime_*`. + + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a`, `b`, and `n`. + + @return `false` if any preconditions are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` + - `b < pow2 bBits` + - `a < n` */ bool Hacl_Bignum32_mod_exp_consttime( @@ -281,18 +351,23 @@ Hacl_Bignum32_mod_exp_consttime( /** Write `a ^ (-1) mod n` in `res`. - The arguments a, n and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - - The function returns false if any of the following preconditions are violated, - true otherwise. - • n % 2 = 1 - • 1 < n - • 0 < a - • a < n + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `n` and `res`. + @param[in] n Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a` and `n`. + + @return `false` if any preconditions (except the precondition: `n` is a prime) + are violated, `true` otherwise. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `n % 2 = 1` + - `1 < n` + - `0 < a` + - `a < n` */ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { @@ -308,7 +383,7 @@ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m1 = acc0; uint32_t m00 = m0 & m1; @@ -329,7 +404,7 @@ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t is_valid_m = (m00 & ~m10) & m2; @@ -393,15 +468,16 @@ bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint32_t *a, /** Heap-allocate and initialize a montgomery context. - The argument n is meant to be `len` limbs in size, i.e. uint32_t[len]. + @param n Points to `len` number of limbs, i.e. `uint32_t[len]`. - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n % 2 = 1 - • 1 < n - - The caller will need to call Hacl_Bignum32_mont_ctx_free on the return value - to avoid memory leaks. + @return A pointer to an allocated and initialized Montgomery context is returned. + Clients will need to call `Hacl_Bignum32_mont_ctx_free` on the return value to + avoid memory leaks. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n % 2 = 1` + - `1 < n` */ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_mont_ctx_init(uint32_t len, uint32_t *n) @@ -422,14 +498,17 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } /** Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. */ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { @@ -444,9 +523,11 @@ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) /** Write `a mod n` in `res`. - The argument a is meant to be `2*len` limbs in size, i.e. uint32_t[2*len]. - The outparam res is meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `2*len` number of limbs, i.e. `uint32_t[2*len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. */ void Hacl_Bignum32_mod_precomp( @@ -464,21 +545,25 @@ Hacl_Bignum32_mod_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - - The function is *NOT* constant-time on the argument b. See the - mod_exp_consttime_* functions for constant-time variants. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + This function is *NOT* constant-time on the argument `b`. See the + `mod_exp_consttime_*` functions for constant-time variants. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_vartime_precomp( @@ -505,21 +590,25 @@ Hacl_Bignum32_mod_exp_vartime_precomp( /** Write `a ^ b mod n` in `res`. - The arguments a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - The argument b is a bignum of any size, and bBits is an upper bound on the - number of significant bits of b. A tighter bound results in faster execution - time. When in doubt, the number of bits for the bignum size is always a safe - default, e.g. if b is a 4096-bit bignum, bBits should be 4096. - This function is constant-time over its argument b, at the cost of a slower - execution time than mod_exp_vartime_*. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • b < pow2 bBits - • a < n + execution time than `mod_exp_vartime_*`. + + @param[in] k Points to a Montgomery context obtained from `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[in] b Points to a bignum of any size, with an upper bound of `bBits` number of + significant bits. Must be disjoint from the memory location of `res`. + @param[in] bBits An upper bound on the number of significant bits of `b`. + A tighter bound results in faster execution time. When in doubt, the number + of bits for the bignum size is always a safe default, e.g. if `b` is a 4096-bit + bignum, `bBits` should be `4096`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory locations of `a` and `b`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `b < pow2 bBits` + - `a < n` */ void Hacl_Bignum32_mod_exp_consttime_precomp( @@ -546,14 +635,17 @@ Hacl_Bignum32_mod_exp_consttime_precomp( /** Write `a ^ (-1) mod n` in `res`. - The argument a and the outparam res are meant to be `len` limbs in size, i.e. uint32_t[len]. - The argument k is a montgomery context obtained through Hacl_Bignum32_mont_ctx_init. - - Before calling this function, the caller will need to ensure that the following - preconditions are observed. - • n is a prime - • 0 < a - • a < n + @param[in] k Points to a Montgomery context obtained through `Hacl_Bignum32_mont_ctx_init`. + @param[in] a Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `res`. + @param[out] res Points to `len` number of limbs, i.e. `uint32_t[len]`. Must be + disjoint from the memory location of `a`. + + @pre Before calling this function, the caller will need to ensure that the following + preconditions are observed: + - `n` is a prime + - `0 < a` + - `a < n` */ void Hacl_Bignum32_mod_inv_prime_vartime_precomp( @@ -623,13 +715,13 @@ Hacl_Bignum32_mod_inv_prime_vartime_precomp( /** Load a bid-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) { @@ -664,13 +756,13 @@ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) /** Load a little-endian bignum from memory. - The argument b points to `len` bytes of valid memory. - The function returns a heap-allocated bignum of size sufficient to hold the - result of loading b, or NULL if either the allocation failed, or the amount of - required memory would exceed 4GB. - - If the return value is non-null, clients must eventually call free(3) on it to - avoid memory leaks. + @param len Size of `b` as number of bytes. + @param b Points to `len` number of bytes, i.e. `uint8_t[len]`. + + @return A heap-allocated bignum of size sufficient to hold the result of + loading `b`. Otherwise, `NULL`, if either the allocation failed, or the amount + of required memory would exceed 4GB. Clients must `free(3)` any non-null return + value to avoid memory leaks. */ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) { @@ -707,8 +799,11 @@ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) /** Serialize a bignum into big-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) { @@ -727,8 +822,11 @@ void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res) /** Serialize a bignum into little-endian memory. - The argument b points to a bignum of ⌈len / 4⌉ size. - The outparam res points to `len` bytes of valid memory. + @param[in] len Size of `b` as number of bytes. + @param[in] b Points to a bignum of `ceil(len/4)` size. Must be disjoint from + the memory location of `res`. + @param[out] res Points to `len` number of bytes, i.e. `uint8_t[len]`. Must be + disjoint from the memory location of `b`. */ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) { @@ -753,7 +851,11 @@ void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res) /** Returns 2^32 - 1 if a < b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if `a < b`, otherwise, `0`. */ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) { @@ -762,7 +864,7 @@ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } return acc; } @@ -770,7 +872,11 @@ uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b) /** Returns 2^32 - 1 if a = b, otherwise returns 0. - The arguments a and b are meant to be `len` limbs in size, i.e. uint32_t[len]. + @param len Number of limbs. + @param a Points to `len` number of limbs, i.e. `uint32_t[len]`. + @param b Points to `len` number of limbs, i.e. `uint32_t[len]`. + + @return `2^32 - 1` if a = b, otherwise, `0`. */ uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b) { diff --git a/src/msvc/Hacl_Bignum4096.c b/src/msvc/Hacl_Bignum4096.c index 920ae2fb..7c4dee39 100644 --- a/src/msvc/Hacl_Bignum4096.c +++ b/src/msvc/Hacl_Bignum4096.c @@ -25,6 +25,8 @@ #include "Hacl_Bignum4096.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -459,7 +461,7 @@ bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; uint64_t is_valid_m = m0 & m1; @@ -490,7 +492,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m10 = acc0; uint64_t m00 = m0 & m10; @@ -517,7 +519,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; m1 = res; @@ -531,7 +533,7 @@ static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t m = m1 & m2; @@ -930,7 +932,7 @@ bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *r { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m1 = acc0; uint64_t m00 = m0 & m1; @@ -949,7 +951,7 @@ bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint64_t *r { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t is_valid_m = (m00 & ~m10) & m2; @@ -1031,7 +1033,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_init(uint64 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1326,7 +1331,7 @@ uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } return acc; } diff --git a/src/msvc/Hacl_Bignum4096_32.c b/src/msvc/Hacl_Bignum4096_32.c index f3330918..1bdbe6ed 100644 --- a/src/msvc/Hacl_Bignum4096_32.c +++ b/src/msvc/Hacl_Bignum4096_32.c @@ -25,6 +25,7 @@ #include "Hacl_Bignum4096_32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -451,7 +452,7 @@ bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m1 = acc; uint32_t is_valid_m = m0 & m1; @@ -482,7 +483,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m10 = acc0; uint32_t m00 = m0 & m10; @@ -509,7 +510,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(b[i], b2[i]); uint32_t blt = ~FStar_UInt32_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t res = acc; m1 = res; @@ -523,7 +524,7 @@ static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t m = m1 & m2; @@ -922,7 +923,7 @@ bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t { uint32_t beq = FStar_UInt32_eq_mask(one[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc0 = (beq & acc0) | (~beq & blt); } uint32_t m1 = acc0; uint32_t m00 = m0 & m1; @@ -941,7 +942,7 @@ bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, uint32_t { uint32_t beq = FStar_UInt32_eq_mask(a[i], n[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } uint32_t m2 = acc; uint32_t is_valid_m = (m00 & ~m10) & m2; @@ -1023,7 +1024,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_init(uin (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -1317,7 +1321,7 @@ uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b) { uint32_t beq = FStar_UInt32_eq_mask(a[i], b[i]); uint32_t blt = ~FStar_UInt32_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFU) | (~blt & 0U))); + acc = (beq & acc) | (~beq & blt); } return acc; } diff --git a/src/msvc/Hacl_Bignum64.c b/src/msvc/Hacl_Bignum64.c index e64b1a54..2ce2389d 100644 --- a/src/msvc/Hacl_Bignum64.c +++ b/src/msvc/Hacl_Bignum64.c @@ -25,6 +25,8 @@ #include "Hacl_Bignum64.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -170,7 +172,7 @@ bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; uint64_t is_valid_m = m0 & m1; @@ -307,7 +309,7 @@ bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, { uint64_t beq = FStar_UInt64_eq_mask(one[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(one[i], n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t m1 = acc0; uint64_t m00 = m0 & m1; @@ -328,7 +330,7 @@ bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint64_t *a, { uint64_t beq = FStar_UInt64_eq_mask(a[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m2 = acc; uint64_t is_valid_m = (m00 & ~m10) & m2; @@ -421,7 +423,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } @@ -761,7 +766,7 @@ uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(a[i], b[i]); uint64_t blt = ~FStar_UInt64_gte_mask(a[i], b[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } return acc; } diff --git a/src/msvc/Hacl_Curve25519_51.c b/src/msvc/Hacl_Curve25519_51.c index ca561e89..6b07047b 100644 --- a/src/msvc/Hacl_Curve25519_51.c +++ b/src/msvc/Hacl_Curve25519_51.c @@ -25,6 +25,7 @@ #include "internal/Hacl_Curve25519_51.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum25519_51.h" diff --git a/src/msvc/Hacl_Curve25519_64.c b/src/msvc/Hacl_Curve25519_64.c index edcab306..6022609b 100644 --- a/src/msvc/Hacl_Curve25519_64.c +++ b/src/msvc/Hacl_Curve25519_64.c @@ -25,6 +25,7 @@ #include "Hacl_Curve25519_64.h" +#include "Hacl_Krmllib.h" #include "internal/Vale.h" #include "internal/Hacl_Krmllib.h" #include "config.h" diff --git a/src/msvc/Hacl_EC_Ed25519.c b/src/msvc/Hacl_EC_Ed25519.c index 6ab24a33..0ed3a8c0 100644 --- a/src/msvc/Hacl_EC_Ed25519.c +++ b/src/msvc/Hacl_EC_Ed25519.c @@ -25,6 +25,7 @@ #include "Hacl_EC_Ed25519.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Ed25519.h" #include "internal/Hacl_Bignum25519_51.h" diff --git a/src/msvc/Hacl_Ed25519.c b/src/msvc/Hacl_Ed25519.c index d1f8edf2..c23ab85e 100644 --- a/src/msvc/Hacl_Ed25519.c +++ b/src/msvc/Hacl_Ed25519.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Ed25519.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA2.h" #include "internal/Hacl_Ed25519_PrecompTable.h" @@ -509,11 +512,7 @@ static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) Hacl_Bignum25519_reduce_513(t01); reduce(t01); bool z1 = is_0(t01); - if (z1 == false) - { - res = false; - } - else + if (z1) { uint64_t *x32 = tmp + 5U; uint64_t *t0 = tmp + 10U; @@ -534,6 +533,10 @@ static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign) memcpy(x, x32, 5U * sizeof (uint64_t)); res = true; } + else + { + res = false; + } } } bool res0 = res; @@ -551,11 +554,7 @@ bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t * Hacl_Bignum25519_load_51(y, s); bool z0 = recover_x(x, y, sign); bool res; - if (z0 == false) - { - res = false; - } - else + if (z0) { uint64_t *outx = out; uint64_t *outy = out + 5U; @@ -571,6 +570,10 @@ bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t * fmul0(outt, x, y); res = true; } + else + { + res = false; + } bool res0 = res; return res0; } @@ -1150,11 +1153,7 @@ static inline bool gte_q(uint64_t *s) { return false; } - if (s3 > 0x00000000000000ULL) - { - return true; - } - if (s2 > 0x000000000014deULL) + if (s3 > 0x00000000000000ULL || s2 > 0x000000000014deULL) { return true; } @@ -1170,11 +1169,7 @@ static inline bool gte_q(uint64_t *s) { return false; } - if (s0 >= 0x12631a5cf5d3edULL) - { - return true; - } - return false; + return s0 >= 0x12631a5cf5d3edULL; } static inline bool eq(uint64_t *a, uint64_t *b) diff --git a/src/msvc/Hacl_FFDHE.c b/src/msvc/Hacl_FFDHE.c index a2cdfa52..fa813ce4 100644 --- a/src/msvc/Hacl_FFDHE.c +++ b/src/msvc/Hacl_FFDHE.c @@ -25,6 +25,8 @@ #include "Hacl_FFDHE.h" +#include "Hacl_Spec.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_Impl_FFDHE_Constants.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -158,6 +160,7 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t *p_n1 = (uint64_t *)alloca(nLen * sizeof (uint64_t)); memset(p_n1, 0U, nLen * sizeof (uint64_t)); uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, p_n[0U], 1ULL, p_n1); + uint64_t c1; if (1U < nLen) { uint64_t *a1 = p_n + 1U; @@ -184,13 +187,14 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, 0ULL, res_i); } - uint64_t c1 = c; - KRML_MAYBE_UNUSED_VAR(c1); + uint64_t c10 = c; + c1 = c10; } else { - KRML_MAYBE_UNUSED_VAR(c0); + c1 = c0; } + KRML_MAYBE_UNUSED_VAR(c1); KRML_CHECK_SIZE(sizeof (uint64_t), nLen); uint64_t *b2 = (uint64_t *)alloca(nLen * sizeof (uint64_t)); memset(b2, 0U, nLen * sizeof (uint64_t)); @@ -202,7 +206,7 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui { uint64_t beq = FStar_UInt64_eq_mask(b2[i], pk_n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b2[i], pk_n[i]); - acc0 = (beq & acc0) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc0 = (beq & acc0) | (~beq & blt); } uint64_t res = acc0; uint64_t m0 = res; @@ -211,7 +215,7 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui { uint64_t beq = FStar_UInt64_eq_mask(pk_n[i], p_n1[i]); uint64_t blt = ~FStar_UInt64_gte_mask(pk_n[i], p_n1[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t m1 = acc; return m0 & m1; diff --git a/src/msvc/Hacl_Frodo1344.c b/src/msvc/Hacl_Frodo1344.c index ea380d8c..db93b7cf 100644 --- a/src/msvc/Hacl_Frodo1344.c +++ b/src/msvc/Hacl_Frodo1344.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo1344.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/msvc/Hacl_Frodo64.c b/src/msvc/Hacl_Frodo64.c index f4a025ce..53e39ff8 100644 --- a/src/msvc/Hacl_Frodo64.c +++ b/src/msvc/Hacl_Frodo64.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo64.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/msvc/Hacl_Frodo640.c b/src/msvc/Hacl_Frodo640.c index e3d10300..1f9b762d 100644 --- a/src/msvc/Hacl_Frodo640.c +++ b/src/msvc/Hacl_Frodo640.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo640.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/msvc/Hacl_Frodo976.c b/src/msvc/Hacl_Frodo976.c index 982192c1..f990088b 100644 --- a/src/msvc/Hacl_Frodo976.c +++ b/src/msvc/Hacl_Frodo976.c @@ -25,6 +25,7 @@ #include "Hacl_Frodo976.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Frodo_KEM.h" #include "lib_memzero0.h" diff --git a/src/msvc/Hacl_Frodo_KEM.c b/src/msvc/Hacl_Frodo_KEM.c index e0a65a47..263bdbba 100644 --- a/src/msvc/Hacl_Frodo_KEM.c +++ b/src/msvc/Hacl_Frodo_KEM.c @@ -25,11 +25,15 @@ #include "internal/Hacl_Frodo_KEM.h" +#include "Lib_RandomBuffer_System.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" #include "internal/Hacl_Spec.h" #include "internal/Hacl_Krmllib.h" void randombytes_(uint32_t len, uint8_t *res) { - Lib_RandomBuffer_System_randombytes(res, len); + bool b = Lib_RandomBuffer_System_randombytes(res, len); + KRML_MAYBE_UNUSED_VAR(b); } diff --git a/src/msvc/Hacl_GenericField32.c b/src/msvc/Hacl_GenericField32.c index 750d56fc..dd041781 100644 --- a/src/msvc/Hacl_GenericField32.c +++ b/src/msvc/Hacl_GenericField32.c @@ -25,6 +25,7 @@ #include "Hacl_GenericField32.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -91,7 +92,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } diff --git a/src/msvc/Hacl_GenericField64.c b/src/msvc/Hacl_GenericField64.c index 04f54288..3e21b6b1 100644 --- a/src/msvc/Hacl_GenericField64.c +++ b/src/msvc/Hacl_GenericField64.c @@ -25,6 +25,8 @@ #include "Hacl_GenericField64.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Bignum.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -90,7 +92,10 @@ Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *)KRML_HOST_MALLOC(sizeof ( Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 )); - buf[0U] = res; + if (buf != NULL) + { + buf[0U] = res; + } return buf; } diff --git a/src/msvc/Hacl_HKDF.c b/src/msvc/Hacl_HKDF.c index f3b4d90f..d9c9a15f 100644 --- a/src/msvc/Hacl_HKDF.c +++ b/src/msvc/Hacl_HKDF.c @@ -25,6 +25,8 @@ #include "Hacl_HKDF.h" +#include "Hacl_HMAC.h" + /** Expand pseudorandom key to desired length. diff --git a/src/msvc/Hacl_HKDF_Blake2b_256.c b/src/msvc/Hacl_HKDF_Blake2b_256.c index 3280cb8f..bd59b29d 100644 --- a/src/msvc/Hacl_HKDF_Blake2b_256.c +++ b/src/msvc/Hacl_HKDF_Blake2b_256.c @@ -25,6 +25,8 @@ #include "Hacl_HKDF_Blake2b_256.h" +#include "Hacl_HMAC_Blake2b_256.h" + /** Expand pseudorandom key to desired length. diff --git a/src/msvc/Hacl_HKDF_Blake2s_128.c b/src/msvc/Hacl_HKDF_Blake2s_128.c index 7007a4eb..a439b25e 100644 --- a/src/msvc/Hacl_HKDF_Blake2s_128.c +++ b/src/msvc/Hacl_HKDF_Blake2s_128.c @@ -25,6 +25,8 @@ #include "Hacl_HKDF_Blake2s_128.h" +#include "Hacl_HMAC_Blake2s_128.h" + /** Expand pseudorandom key to desired length. diff --git a/src/msvc/Hacl_HMAC.c b/src/msvc/Hacl_HMAC.c index 63ab2032..d5aab54a 100644 --- a/src/msvc/Hacl_HMAC.c +++ b/src/msvc/Hacl_HMAC.c @@ -25,12 +25,130 @@ #include "internal/Hacl_HMAC.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b.h" #include "internal/Hacl_Krmllib.h" +#include "internal/Hacl_Hash_SHA3.h" #include "internal/Hacl_Hash_SHA2.h" #include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Hash_Blake2b.h" +/** +Write the HMAC-MD5 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 byte. +`dst` must point to 16 bytes of memory. +*/ +void +Hacl_HMAC_compute_md5( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 64U) + { + ite = key_len; + } + else + { + ite = 16U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_MD5_hash_oneshot(nkey, key, key_len); + } + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint32_t s[4U] = { 0x67452301U, 0xefcdab89U, 0x98badcfeU, 0x10325476U }; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_MD5_update_last(s, 0ULL, ipad, 64U); + } + else + { + uint32_t block_len = 64U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_MD5_update_multi(s, ipad, 1U); + Hacl_Hash_MD5_update_multi(s, full_blocks, n_blocks); + Hacl_Hash_MD5_update_last(s, (uint64_t)64U + (uint64_t)full_blocks_len, rem, rem_len); + } + Hacl_Hash_MD5_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_MD5_init(s); + uint32_t block_len = 64U; + uint32_t n_blocks0 = 16U / block_len; + uint32_t rem0 = 16U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 16U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_MD5_update_multi(s, opad, 1U); + Hacl_Hash_MD5_update_multi(s, full_blocks, n_blocks); + Hacl_Hash_MD5_update_last(s, (uint64_t)64U + (uint64_t)full_blocks_len, rem, rem_len); + Hacl_Hash_MD5_finish(s, dst); +} + /** Write the HMAC-SHA-1 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -46,10 +164,8 @@ Hacl_HMAC_compute_sha1( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -70,19 +186,17 @@ Hacl_HMAC_compute_sha1( { Hacl_Hash_SHA1_hash_oneshot(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -145,6 +259,130 @@ Hacl_HMAC_compute_sha1( Hacl_Hash_SHA1_finish(s, dst); } +/** +Write the HMAC-SHA-2-224 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. +`dst` must point to 28 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha2_224( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 64U) + { + ite = key_len; + } + else + { + ite = 28U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA2_hash_224(nkey, key, key_len); + } + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint32_t st[8U] = { 0U }; + KRML_MAYBE_FOR8(i, + 0U, + 8U, + 1U, + uint32_t *os = st; + uint32_t x = Hacl_Hash_SHA2_h224[i]; + os[i] = x;); + uint32_t *s = st; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_SHA2_sha224_update_last(0ULL + (uint64_t)64U, 64U, ipad, s); + } + else + { + uint32_t block_len = 64U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA2_sha224_update_nblocks(64U, ipad, s); + Hacl_Hash_SHA2_sha224_update_nblocks(n_blocks * 64U, full_blocks, s); + Hacl_Hash_SHA2_sha224_update_last((uint64_t)64U + (uint64_t)full_blocks_len + (uint64_t)rem_len, + rem_len, + rem, + s); + } + Hacl_Hash_SHA2_sha224_finish(s, dst1); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA2_sha224_init(s); + uint32_t block_len = 64U; + uint32_t n_blocks0 = 28U / block_len; + uint32_t rem0 = 28U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 28U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA2_sha224_update_nblocks(64U, opad, s); + Hacl_Hash_SHA2_sha224_update_nblocks(n_blocks * 64U, full_blocks, s); + Hacl_Hash_SHA2_sha224_update_last((uint64_t)64U + (uint64_t)full_blocks_len + (uint64_t)rem_len, + rem_len, + rem, + s); + Hacl_Hash_SHA2_sha224_finish(s, dst); +} + /** Write the HMAC-SHA-2-256 MAC of a message (`data`) by using a key (`key`) into `dst`. @@ -160,10 +398,8 @@ Hacl_HMAC_compute_sha2_256( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -184,19 +420,17 @@ Hacl_HMAC_compute_sha2_256( { Hacl_Hash_SHA2_hash_256(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -288,10 +522,8 @@ Hacl_HMAC_compute_sha2_384( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -312,19 +544,17 @@ Hacl_HMAC_compute_sha2_384( { Hacl_Hash_SHA2_hash_384(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -424,10 +654,8 @@ Hacl_HMAC_compute_sha2_512( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -448,19 +676,17 @@ Hacl_HMAC_compute_sha2_512( { Hacl_Hash_SHA2_hash_512(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -546,13 +772,13 @@ Hacl_HMAC_compute_sha2_512( } /** -Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. +Write the HMAC-SHA-3-224 MAC of a message (`data`) by using a key (`key`) into `dst`. -The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. -`dst` must point to 32 bytes of memory. +The key can be any length and will be hashed if it is longer and padded if it is shorter than 144 bytes. +`dst` must point to 28 bytes of memory. */ void -Hacl_HMAC_compute_blake2s_32( +Hacl_HMAC_compute_sha3_224( uint8_t *dst, uint8_t *key, uint32_t key_len, @@ -560,60 +786,53 @@ Hacl_HMAC_compute_blake2s_32( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[144U]; + memset(key_block, 0U, 144U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; - if (key_len <= 64U) + if (key_len <= 144U) { ite = key_len; } else { - ite = 32U; + ite = 28U; } uint8_t *zeroes = key_block + ite; KRML_MAYBE_UNUSED_VAR(zeroes); - if (key_len <= 64U) + if (key_len <= 144U) { memcpy(nkey, key, key_len * sizeof (uint8_t)); } else { - Hacl_Hash_Blake2s_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); + Hacl_Hash_SHA3_sha3_224(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[144U]; + memset(ipad, 0x36U, 144U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 144U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[144U]; + memset(opad, 0x5cU, 144U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 144U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; opad[i] = (uint32_t)xi ^ (uint32_t)yi; } - uint32_t s[16U] = { 0U }; - Hacl_Hash_Blake2s_init(s, 0U, 32U); - uint32_t *s0 = s; + uint64_t s[25U] = { 0U }; uint8_t *dst1 = ipad; if (data_len == 0U) { - uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, s, ipad, 144U); } else { - uint32_t block_len = 64U; + uint32_t block_len = 144U; uint32_t n_blocks0 = data_len / block_len; uint32_t rem0 = data_len % block_len; K___uint32_t_uint32_t scrut; @@ -631,34 +850,29 @@ Hacl_HMAC_compute_blake2s_32( uint32_t full_blocks_len = n_blocks * block_len; uint8_t *full_blocks = data; uint8_t *rem = data + full_blocks_len; - uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, ipad, 1U); - uint32_t wv0[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, - wv0, - s0, - (uint64_t)block_len, - full_blocks, - n_blocks); - uint32_t wv1[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(rem_len, - wv1, - s0, - (uint64_t)64U + (uint64_t)full_blocks_len, - rem_len, - rem); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, s, rem, rem_len); } - Hacl_Hash_Blake2s_finish(32U, dst1, s0); + uint32_t remOut = 28U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 28U - remOut, hbuf0, remOut * sizeof (uint8_t)); uint8_t *hash1 = ipad; - Hacl_Hash_Blake2s_init(s0, 0U, 32U); - uint32_t block_len = 64U; - uint32_t n_blocks0 = 32U / block_len; - uint32_t rem0 = 32U % block_len; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_224, s); + uint32_t block_len = 144U; + uint32_t n_blocks0 = 28U / block_len; + uint32_t rem0 = 28U % block_len; K___uint32_t_uint32_t scrut; if (n_blocks0 > 0U && rem0 == 0U) { uint32_t n_blocks_ = n_blocks0 - 1U; - scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 32U - n_blocks_ * block_len }); + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 28U - n_blocks_ * block_len }); } else { @@ -669,33 +883,28 @@ Hacl_HMAC_compute_blake2s_32( uint32_t full_blocks_len = n_blocks * block_len; uint8_t *full_blocks = hash1; uint8_t *rem = hash1 + full_blocks_len; - uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, opad, 1U); - uint32_t wv0[16U] = { 0U }; - Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, - wv0, - s0, - (uint64_t)block_len, - full_blocks, - n_blocks); - uint32_t wv1[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(rem_len, - wv1, - s0, - (uint64_t)64U + (uint64_t)full_blocks_len, - rem_len, - rem); - Hacl_Hash_Blake2s_finish(32U, dst, s0); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, s, rem, rem_len); + uint32_t remOut0 = 28U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 28U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); } /** -Write the HMAC-BLAKE2b MAC of a message (`data`) by using a key (`key`) into `dst`. +Write the HMAC-SHA-3-256 MAC of a message (`data`) by using a key (`key`) into `dst`. -The key can be any length and will be hashed if it is longer and padded if it is shorter than 128 bytes. -`dst` must point to 64 bytes of memory. +The key can be any length and will be hashed if it is longer and padded if it is shorter than 136 bytes. +`dst` must point to 32 bytes of memory. */ void -Hacl_HMAC_compute_blake2b_32( +Hacl_HMAC_compute_sha3_256( uint8_t *dst, uint8_t *key, uint32_t key_len, @@ -703,56 +912,577 @@ Hacl_HMAC_compute_blake2b_32( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[136U]; + memset(key_block, 0U, 136U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; - if (key_len <= 128U) + if (key_len <= 136U) { ite = key_len; } else { - ite = 64U; + ite = 32U; } uint8_t *zeroes = key_block + ite; KRML_MAYBE_UNUSED_VAR(zeroes); - if (key_len <= 128U) + if (key_len <= 136U) { memcpy(nkey, key, key_len * sizeof (uint8_t)); } else { - Hacl_Hash_Blake2b_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); + Hacl_Hash_SHA3_sha3_256(nkey, key, key_len); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[136U]; + memset(ipad, 0x36U, 136U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 136U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[136U]; + memset(opad, 0x5cU, 136U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 136U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; opad[i] = (uint32_t)xi ^ (uint32_t)yi; } - uint64_t s[16U] = { 0U }; - Hacl_Hash_Blake2b_init(s, 0U, 64U); - uint64_t *s0 = s; + uint64_t s[25U] = { 0U }; uint8_t *dst1 = ipad; if (data_len == 0U) { - uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, s, ipad, 136U); + } + else + { + uint32_t block_len = 136U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, s, rem, rem_len); + } + uint32_t remOut = 32U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 32U - remOut, hbuf0, remOut * sizeof (uint8_t)); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_256, s); + uint32_t block_len = 136U; + uint32_t n_blocks0 = 32U / block_len; + uint32_t rem0 = 32U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 32U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, s, rem, rem_len); + uint32_t remOut0 = 32U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 32U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); +} + +/** +Write the HMAC-SHA-3-384 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 104 bytes. +`dst` must point to 48 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_384( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[104U]; + memset(key_block, 0U, 104U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 104U) + { + ite = key_len; + } + else + { + ite = 48U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 104U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA3_sha3_384(nkey, key, key_len); + } + uint8_t ipad[104U]; + memset(ipad, 0x36U, 104U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 104U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[104U]; + memset(opad, 0x5cU, 104U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 104U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint64_t s[25U] = { 0U }; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, s, ipad, 104U); + } + else + { + uint32_t block_len = 104U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, s, rem, rem_len); + } + uint32_t remOut = 48U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 48U - remOut, hbuf0, remOut * sizeof (uint8_t)); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_384, s); + uint32_t block_len = 104U; + uint32_t n_blocks0 = 48U / block_len; + uint32_t rem0 = 48U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 48U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, s, rem, rem_len); + uint32_t remOut0 = 48U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 48U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); +} + +/** +Write the HMAC-SHA-3-512 MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 72 bytes. +`dst` must point to 64 bytes of memory. +*/ +void +Hacl_HMAC_compute_sha3_512( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[72U]; + memset(key_block, 0U, 72U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 72U) + { + ite = key_len; + } + else + { + ite = 64U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 72U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_SHA3_sha3_512(nkey, key, key_len); + } + uint8_t ipad[72U]; + memset(ipad, 0x36U, 72U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 72U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[72U]; + memset(opad, 0x5cU, 72U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 72U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint64_t s[25U] = { 0U }; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, s, ipad, 72U); + } + else + { + uint32_t block_len = 72U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, ipad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, s, rem, rem_len); + } + uint32_t remOut = 64U; + uint8_t hbuf0[256U] = { 0U }; + uint64_t ws0[32U] = { 0U }; + memcpy(ws0, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf0 + i * 8U, ws0[i]); + } + memcpy(dst1 + 64U - remOut, hbuf0, remOut * sizeof (uint8_t)); + uint8_t *hash1 = ipad; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_512, s); + uint32_t block_len = 72U; + uint32_t n_blocks0 = 64U / block_len; + uint32_t rem0 = 64U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 64U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, opad, 1U); + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, s, full_blocks, n_blocks); + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, s, rem, rem_len); + uint32_t remOut0 = 64U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 64U - remOut0, hbuf, remOut0 * sizeof (uint8_t)); +} + +/** +Write the HMAC-BLAKE2s MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 64 bytes. +`dst` must point to 32 bytes of memory. +*/ +void +Hacl_HMAC_compute_blake2s_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 64U) + { + ite = key_len; + } + else + { + ite = 32U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 64U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2s_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); + } + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint32_t s[16U] = { 0U }; + Hacl_Hash_Blake2s_init(s, 0U, 32U); + uint32_t *s0 = s; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); + } + else + { + uint32_t block_len = 64U; + uint32_t n_blocks0 = data_len / block_len; + uint32_t rem0 = data_len % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = data_len - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = data; + uint8_t *rem = data + full_blocks_len; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, ipad, 1U); + uint32_t wv0[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, + wv0, + s0, + (uint64_t)block_len, + full_blocks, + n_blocks); + uint32_t wv1[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(rem_len, + wv1, + s0, + false, + (uint64_t)64U + (uint64_t)full_blocks_len, + rem_len, + rem); + } + Hacl_Hash_Blake2s_finish(32U, dst1, s0); + uint8_t *hash1 = ipad; + Hacl_Hash_Blake2s_init(s0, 0U, 32U); + uint32_t block_len = 64U; + uint32_t n_blocks0 = 32U / block_len; + uint32_t rem0 = 32U % block_len; + K___uint32_t_uint32_t scrut; + if (n_blocks0 > 0U && rem0 == 0U) + { + uint32_t n_blocks_ = n_blocks0 - 1U; + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks_, .snd = 32U - n_blocks_ * block_len }); + } + else + { + scrut = ((K___uint32_t_uint32_t){ .fst = n_blocks0, .snd = rem0 }); + } + uint32_t n_blocks = scrut.fst; + uint32_t rem_len = scrut.snd; + uint32_t full_blocks_len = n_blocks * block_len; + uint8_t *full_blocks = hash1; + uint8_t *rem = hash1 + full_blocks_len; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(64U, wv, s0, 0ULL, opad, 1U); + uint32_t wv0[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(n_blocks * 64U, + wv0, + s0, + (uint64_t)block_len, + full_blocks, + n_blocks); + uint32_t wv1[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(rem_len, + wv1, + s0, + false, + (uint64_t)64U + (uint64_t)full_blocks_len, + rem_len, + rem); + Hacl_Hash_Blake2s_finish(32U, dst, s0); +} + +/** +Write the HMAC-BLAKE2b MAC of a message (`data`) by using a key (`key`) into `dst`. + +The key can be any length and will be hashed if it is longer and padded if it is shorter than 128 bytes. +`dst` must point to 64 bytes of memory. +*/ +void +Hacl_HMAC_compute_blake2b_32( + uint8_t *dst, + uint8_t *key, + uint32_t key_len, + uint8_t *data, + uint32_t data_len +) +{ + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); + uint8_t *nkey = key_block; + uint32_t ite; + if (key_len <= 128U) + { + ite = key_len; + } + else + { + ite = 64U; + } + uint8_t *zeroes = key_block + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (key_len <= 128U) + { + memcpy(nkey, key, key_len * sizeof (uint8_t)); + } + else + { + Hacl_Hash_Blake2b_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); + } + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = key_block[i]; + ipad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) + { + uint8_t xi = opad[i]; + uint8_t yi = key_block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + uint64_t s[16U] = { 0U }; + Hacl_Hash_Blake2b_init(s, 0U, 64U); + uint64_t *s0 = s; + uint8_t *dst1 = ipad; + if (data_len == 0U) + { + uint64_t wv[16U] = { 0U }; + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -787,6 +1517,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -826,6 +1557,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/msvc/Hacl_HMAC_Blake2b_256.c b/src/msvc/Hacl_HMAC_Blake2b_256.c index cd16e65e..84476d8b 100644 --- a/src/msvc/Hacl_HMAC_Blake2b_256.c +++ b/src/msvc/Hacl_HMAC_Blake2b_256.c @@ -25,6 +25,8 @@ #include "Hacl_HMAC_Blake2b_256.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_HMAC.h" @@ -44,10 +46,8 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( uint32_t data_len ) { - uint32_t l = 128U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[128U]; + memset(key_block, 0U, 128U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 128U) @@ -68,19 +68,17 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( { Hacl_Hash_Blake2b_Simd256_hash_with_key(nkey, 64U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[128U]; + memset(ipad, 0x36U, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[128U]; + memset(opad, 0x5cU, 128U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 128U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -96,6 +94,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(128U, wv, s0, + false, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); @@ -138,6 +137,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -182,6 +182,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/msvc/Hacl_HMAC_Blake2s_128.c b/src/msvc/Hacl_HMAC_Blake2s_128.c index bf2033a8..96248edc 100644 --- a/src/msvc/Hacl_HMAC_Blake2s_128.c +++ b/src/msvc/Hacl_HMAC_Blake2s_128.c @@ -25,6 +25,7 @@ #include "Hacl_HMAC_Blake2s_128.h" +#include "Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_HMAC.h" @@ -43,10 +44,8 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( uint32_t data_len ) { - uint32_t l = 64U; - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *key_block = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(key_block, 0U, l * sizeof (uint8_t)); + uint8_t key_block[64U]; + memset(key_block, 0U, 64U * sizeof (uint8_t)); uint8_t *nkey = key_block; uint32_t ite; if (key_len <= 64U) @@ -67,19 +66,17 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( { Hacl_Hash_Blake2s_Simd128_hash_with_key(nkey, 32U, key, key_len, NULL, 0U); } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *ipad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(ipad, 0x36U, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t ipad[64U]; + memset(ipad, 0x36U, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = ipad[i]; uint8_t yi = key_block[i]; ipad[i] = (uint32_t)xi ^ (uint32_t)yi; } - KRML_CHECK_SIZE(sizeof (uint8_t), l); - uint8_t *opad = (uint8_t *)alloca(l * sizeof (uint8_t)); - memset(opad, 0x5cU, l * sizeof (uint8_t)); - for (uint32_t i = 0U; i < l; i++) + uint8_t opad[64U]; + memset(opad, 0x5cU, 64U * sizeof (uint8_t)); + for (uint32_t i = 0U; i < 64U; i++) { uint8_t xi = opad[i]; uint8_t yi = key_block[i]; @@ -92,7 +89,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( if (data_len == 0U) { KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -127,6 +124,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -165,6 +163,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); diff --git a/src/msvc/Hacl_HMAC_DRBG.c b/src/msvc/Hacl_HMAC_DRBG.c index 8f754afb..83abc102 100644 --- a/src/msvc/Hacl_HMAC_DRBG.c +++ b/src/msvc/Hacl_HMAC_DRBG.c @@ -25,6 +25,9 @@ #include "Hacl_HMAC_DRBG.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_HMAC.h" + uint32_t Hacl_HMAC_DRBG_reseed_interval = 1024U; uint32_t Hacl_HMAC_DRBG_max_output_length = 65536U; @@ -154,7 +157,10 @@ Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash_alg a) } } uint32_t *ctr = (uint32_t *)KRML_HOST_MALLOC(sizeof (uint32_t)); - ctr[0U] = 1U; + if (ctr != NULL) + { + ctr[0U] = 1U; + } return ((Hacl_HMAC_DRBG_state){ .k = k, .v = v, .reseed_counter = ctr }); } diff --git a/src/msvc/Hacl_HPKE_Curve51_CP128_SHA256.c b/src/msvc/Hacl_HPKE_Curve51_CP128_SHA256.c index ccb6c4f6..b1a19ead 100644 --- a/src/msvc/Hacl_HPKE_Curve51_CP128_SHA256.c +++ b/src/msvc/Hacl_HPKE_Curve51_CP128_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP128_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve51_CP128_SHA512.c b/src/msvc/Hacl_HPKE_Curve51_CP128_SHA512.c index 3691181f..596c98b4 100644 --- a/src/msvc/Hacl_HPKE_Curve51_CP128_SHA512.c +++ b/src/msvc/Hacl_HPKE_Curve51_CP128_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP128_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve51_CP256_SHA256.c b/src/msvc/Hacl_HPKE_Curve51_CP256_SHA256.c index 7c9cfcc6..6695dd92 100644 --- a/src/msvc/Hacl_HPKE_Curve51_CP256_SHA256.c +++ b/src/msvc/Hacl_HPKE_Curve51_CP256_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP256_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve51_CP256_SHA512.c b/src/msvc/Hacl_HPKE_Curve51_CP256_SHA512.c index ff5bccc0..0c71225d 100644 --- a/src/msvc/Hacl_HPKE_Curve51_CP256_SHA512.c +++ b/src/msvc/Hacl_HPKE_Curve51_CP256_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP256_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve51_CP32_SHA256.c b/src/msvc/Hacl_HPKE_Curve51_CP32_SHA256.c index c91ed755..48670770 100644 --- a/src/msvc/Hacl_HPKE_Curve51_CP32_SHA256.c +++ b/src/msvc/Hacl_HPKE_Curve51_CP32_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP32_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve51_CP32_SHA512.c b/src/msvc/Hacl_HPKE_Curve51_CP32_SHA512.c index e97ee4cd..57cd3083 100644 --- a/src/msvc/Hacl_HPKE_Curve51_CP32_SHA512.c +++ b/src/msvc/Hacl_HPKE_Curve51_CP32_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve51_CP32_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_51.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve64_CP128_SHA256.c b/src/msvc/Hacl_HPKE_Curve64_CP128_SHA256.c index 24414b4b..d7d93f15 100644 --- a/src/msvc/Hacl_HPKE_Curve64_CP128_SHA256.c +++ b/src/msvc/Hacl_HPKE_Curve64_CP128_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP128_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve64_CP128_SHA512.c b/src/msvc/Hacl_HPKE_Curve64_CP128_SHA512.c index 81131914..aecd70bd 100644 --- a/src/msvc/Hacl_HPKE_Curve64_CP128_SHA512.c +++ b/src/msvc/Hacl_HPKE_Curve64_CP128_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP128_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve64_CP256_SHA256.c b/src/msvc/Hacl_HPKE_Curve64_CP256_SHA256.c index df58f0e1..e121747d 100644 --- a/src/msvc/Hacl_HPKE_Curve64_CP256_SHA256.c +++ b/src/msvc/Hacl_HPKE_Curve64_CP256_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP256_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve64_CP256_SHA512.c b/src/msvc/Hacl_HPKE_Curve64_CP256_SHA512.c index 8052db8f..07543ffa 100644 --- a/src/msvc/Hacl_HPKE_Curve64_CP256_SHA512.c +++ b/src/msvc/Hacl_HPKE_Curve64_CP256_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP256_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve64_CP32_SHA256.c b/src/msvc/Hacl_HPKE_Curve64_CP32_SHA256.c index 5c6ef179..69d471cf 100644 --- a/src/msvc/Hacl_HPKE_Curve64_CP32_SHA256.c +++ b/src/msvc/Hacl_HPKE_Curve64_CP32_SHA256.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP32_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_Curve64_CP32_SHA512.c b/src/msvc/Hacl_HPKE_Curve64_CP32_SHA512.c index cb24c3ac..bd62bc9f 100644 --- a/src/msvc/Hacl_HPKE_Curve64_CP32_SHA512.c +++ b/src/msvc/Hacl_HPKE_Curve64_CP32_SHA512.c @@ -25,6 +25,10 @@ #include "Hacl_HPKE_Curve64_CP32_SHA512.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_Curve25519_64.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_Krmllib.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_P256_CP128_SHA256.c b/src/msvc/Hacl_HPKE_P256_CP128_SHA256.c index 6672d593..79798db5 100644 --- a/src/msvc/Hacl_HPKE_P256_CP128_SHA256.c +++ b/src/msvc/Hacl_HPKE_P256_CP128_SHA256.c @@ -25,6 +25,9 @@ #include "Hacl_HPKE_P256_CP128_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd128.h" #include "internal/Hacl_P256.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_P256_CP256_SHA256.c b/src/msvc/Hacl_HPKE_P256_CP256_SHA256.c index 962abee4..38041008 100644 --- a/src/msvc/Hacl_HPKE_P256_CP256_SHA256.c +++ b/src/msvc/Hacl_HPKE_P256_CP256_SHA256.c @@ -25,6 +25,9 @@ #include "Hacl_HPKE_P256_CP256_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_AEAD_Chacha20Poly1305_Simd256.h" #include "internal/Hacl_P256.h" uint32_t diff --git a/src/msvc/Hacl_HPKE_P256_CP32_SHA256.c b/src/msvc/Hacl_HPKE_P256_CP32_SHA256.c index 0869fe45..486a0179 100644 --- a/src/msvc/Hacl_HPKE_P256_CP32_SHA256.c +++ b/src/msvc/Hacl_HPKE_P256_CP32_SHA256.c @@ -25,6 +25,9 @@ #include "Hacl_HPKE_P256_CP32_SHA256.h" +#include "Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h" +#include "Hacl_HKDF.h" +#include "Hacl_AEAD_Chacha20Poly1305.h" #include "internal/Hacl_P256.h" uint32_t diff --git a/src/msvc/Hacl_Hash_Base.c b/src/msvc/Hacl_Hash_Base.c index 02d893e3..78e6b915 100644 --- a/src/msvc/Hacl_Hash_Base.c +++ b/src/msvc/Hacl_Hash_Base.c @@ -25,6 +25,8 @@ #include "Hacl_Hash_Base.h" +#include "Hacl_Streaming_Types.h" + uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a) { switch (a) diff --git a/src/msvc/Hacl_Hash_Blake2b.c b/src/msvc/Hacl_Hash_Blake2b.c index d490a1a5..45c69de3 100644 --- a/src/msvc/Hacl_Hash_Blake2b.c +++ b/src/msvc/Hacl_Hash_Blake2b.c @@ -25,11 +25,21 @@ #include "internal/Hacl_Hash_Blake2b.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "lib_memzero0.h" static void -update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totlen, uint8_t *d) +update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + bool last_node, + FStar_UInt128_uint128 totlen, + uint8_t *d +) { uint64_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -52,7 +62,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)); mask[2U] = wv_14; @@ -560,86 +578,6 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r1[3U] = iv7_; } -static void init_with_params(uint64_t *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint64_t tmp[8U] = { 0U }; - uint64_t *r0 = hash; - uint64_t *r1 = hash + 4U; - uint64_t *r2 = hash + 8U; - uint64_t *r3 = hash + 12U; - uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; - uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; - uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; - uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; - uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; - uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; - uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; - uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; - r2[0U] = iv0; - r2[1U] = iv1; - r2[2U] = iv2; - r2[3U] = iv3; - r3[0U] = iv4; - r3[1U] = iv5; - r3[2U] = iv6; - r3[3U] = iv7; - uint8_t kk = p.key_length; - uint8_t nn = p.digest_length; - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - tmp[0U] = - (uint64_t)nn - ^ - ((uint64_t)kk - << 8U - ^ ((uint64_t)p.fanout << 16U ^ ((uint64_t)p.depth << 24U ^ (uint64_t)p.leaf_length << 32U))); - tmp[1U] = p.node_offset; - tmp[2U] = (uint64_t)p.node_depth ^ (uint64_t)p.inner_length << 8U; - tmp[3U] = 0ULL; - uint64_t tmp0 = tmp[0U]; - uint64_t tmp1 = tmp[1U]; - uint64_t tmp2 = tmp[2U]; - uint64_t tmp3 = tmp[3U]; - uint64_t tmp4 = tmp[4U]; - uint64_t tmp5 = tmp[5U]; - uint64_t tmp6 = tmp[6U]; - uint64_t tmp7 = tmp[7U]; - uint64_t iv0_ = iv0 ^ tmp0; - uint64_t iv1_ = iv1 ^ tmp1; - uint64_t iv2_ = iv2 ^ tmp2; - uint64_t iv3_ = iv3 ^ tmp3; - uint64_t iv4_ = iv4 ^ tmp4; - uint64_t iv5_ = iv5 ^ tmp5; - uint64_t iv6_ = iv6 ^ tmp6; - uint64_t iv7_ = iv7 ^ tmp7; - r0[0U] = iv0_; - r0[1U] = iv1_; - r0[2U] = iv2_; - r0[3U] = iv3_; - r1[0U] = iv4_; - r1[1U] = iv5_; - r1[2U] = iv6_; - r1[3U] = iv7_; -} - static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) { FStar_UInt128_uint128 lb = FStar_UInt128_uint64_to_uint128((uint64_t)128U); @@ -647,11 +585,11 @@ static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -674,7 +612,7 @@ Hacl_Hash_Blake2b_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -683,6 +621,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -693,7 +632,7 @@ Hacl_Hash_Blake2b_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -727,7 +666,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -762,46 +701,207 @@ void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) } static Hacl_Hash_Blake2b_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); - uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (buf == NULL) { - ite = 128U; + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *wv0 = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2b_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2b_state_t - *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 128U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2b_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2b_state_t + *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint64_t *b = block_state1.f3.snd; + uint64_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint64_t *h = block_state1.f3.snd; + uint32_t kk20 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk20 == 0U)) + { + uint8_t *sub_b = buf1 + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk20 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint64_t tmp[8U] = { 0U }; + uint64_t *r0 = h; + uint64_t *r1 = h + 4U; + uint64_t *r2 = h + 8U; + uint64_t *r3 = h + 12U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ + ((uint64_t)pv.fanout + << 16U + ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -820,14 +920,16 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** @@ -844,7 +946,7 @@ The caller must satisfy the following requirements. Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params @@ -855,7 +957,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, k); + Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, false, k); return s; } @@ -871,39 +973,117 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_state_t *s) { - Hacl_Hash_Blake2b_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } -static void -reset_raw( - Hacl_Hash_Blake2b_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +static void reset_raw(Hacl_Hash_Blake2b_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i1.key_length; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint64_t *h = block_state.f3.snd; + uint32_t kk20 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (!(kk20 == 0U)) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + uint8_t *sub_b = buf + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf, k_1, kk20 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint64_t tmp[8U] = { 0U }; + uint64_t *r0 = h; + uint64_t *r1 = h + 4U; + uint64_t *r2 = h + 8U; + uint64_t *r3 = h + 12U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ ((uint64_t)pv.fanout << 16U ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -915,13 +1095,13 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2b_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -933,8 +1113,9 @@ Hacl_Hash_Blake2b_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** @@ -957,7 +1138,7 @@ void Hacl_Hash_Blake2b_reset_with_key(Hacl_Hash_Blake2b_state_t *s, uint8_t *k) .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** @@ -997,7 +1178,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (chunk_len <= 128U - sz) { Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -1025,7 +1206,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 else if (sz == 0U) { Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -1040,7 +1221,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1065,7 +1246,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1093,7 +1274,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -1118,7 +1299,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 } ); Hacl_Hash_Blake2b_state_t s10 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -1133,7 +1314,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1159,7 +1340,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1190,17 +1371,21 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_state_t scrut = *state; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1215,11 +1400,16 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) uint8_t *buf_1 = buf_; uint64_t wv0[16U] = { 0U }; uint64_t b[16U] = { 0U }; - Hacl_Hash_Blake2b_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint64_t *src_b = block_state.thd.snd; - uint64_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint64_t *src_b = block_state.f3.snd; + uint64_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1233,7 +1423,7 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint64_t___uint64_t_ acc0 = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc0 = tmp_block_state.f3; uint64_t *wv1 = acc0.fst; uint64_t *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1244,17 +1434,35 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint64_t___uint64_t_ acc = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; Hacl_Hash_Blake2b_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1264,9 +1472,9 @@ void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state) { Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; - uint64_t *b = block_state.thd.snd; - uint64_t *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state = scrut.block_state; + uint64_t *b = block_state.f3.snd; + uint64_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1279,27 +1487,110 @@ void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state) Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_copy(Hacl_Hash_Blake2b_state_t *state) { Hacl_Hash_Blake2b_state_t scrut = *state; - Hacl_Hash_Blake2b_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 128U * sizeof (uint8_t)); - uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); - Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint64_t *src_b = block_state0.thd.snd; - uint64_t *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); - Hacl_Hash_Blake2b_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2b_state_t - *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); - p[0U] = s; - return p; + uint64_t *wv0 = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_32 block_state1 = block_state.v; + uint64_t *src_b = block_state0.f3.snd; + uint64_t *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2b_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2b_state_t + *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint64_t *b = block_state1.f3.snd; + uint64_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1335,10 +1626,10 @@ Hacl_Hash_Blake2b_hash_with_key( Write the BLAKE2b digest of message `input` using key `key` and parameters `params` into `output`. The `key` array must be of length `params.key_length`. The `output` array must be of length -`params.digest_length`. +`params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_Blake2b_Simd256.c b/src/msvc/Hacl_Hash_Blake2b_Simd256.c index 0afd93bc..d74616e8 100644 --- a/src/msvc/Hacl_Hash_Blake2b_Simd256.c +++ b/src/msvc/Hacl_Hash_Blake2b_Simd256.c @@ -25,6 +25,10 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" @@ -34,6 +38,7 @@ update_block( Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, bool flag, + bool last_node, FStar_UInt128_uint128 totlen, uint8_t *d ) @@ -59,7 +64,15 @@ update_block( { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask = Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)), @@ -289,75 +302,6 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } -static void -init_with_params(Lib_IntVector_Intrinsics_vec256 *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint64_t tmp[8U] = { 0U }; - Lib_IntVector_Intrinsics_vec256 *r0 = hash; - Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; - Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; - Lib_IntVector_Intrinsics_vec256 *r3 = hash + 3U; - uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; - uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; - uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; - uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; - uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; - uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; - uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; - uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; - r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); - r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint8_t kk = p.key_length; - uint8_t nn = p.digest_length; - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint64_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 8U; - uint64_t u = load64_le(bj); - uint64_t r = u; - uint64_t x = r; - os[i] = x;); - tmp[0U] = - (uint64_t)nn - ^ - ((uint64_t)kk - << 8U - ^ ((uint64_t)p.fanout << 16U ^ ((uint64_t)p.depth << 24U ^ (uint64_t)p.leaf_length << 32U))); - tmp[1U] = p.node_offset; - tmp[2U] = (uint64_t)p.node_depth ^ (uint64_t)p.inner_length << 8U; - tmp[3U] = 0ULL; - uint64_t tmp0 = tmp[0U]; - uint64_t tmp1 = tmp[1U]; - uint64_t tmp2 = tmp[2U]; - uint64_t tmp3 = tmp[3U]; - uint64_t tmp4 = tmp[4U]; - uint64_t tmp5 = tmp[5U]; - uint64_t tmp6 = tmp[6U]; - uint64_t tmp7 = tmp[7U]; - uint64_t iv0_ = iv0 ^ tmp0; - uint64_t iv1_ = iv1 ^ tmp1; - uint64_t iv2_ = iv2 ^ tmp2; - uint64_t iv3_ = iv3 ^ tmp3; - uint64_t iv4_ = iv4 ^ tmp4; - uint64_t iv5_ = iv5 ^ tmp5; - uint64_t iv6_ = iv6 ^ tmp6; - uint64_t iv7_ = iv7 ^ tmp7; - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); -} - static void update_key( Lib_IntVector_Intrinsics_vec256 *wv, @@ -372,11 +316,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -399,7 +343,7 @@ Hacl_Hash_Blake2b_Simd256_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -408,6 +352,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -418,7 +363,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -452,7 +397,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_Simd256_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -588,96 +533,268 @@ Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_Blake2b_Simd256_malloc_with_key(void) *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + if (buf != NULL) + { + memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } return buf; } static Hacl_Hash_Blake2b_Simd256_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec256 - *wv = - (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, - sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Lib_IntVector_Intrinsics_vec256 - *b = + *wv0 = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (wv0 != NULL) { - ite = 128U; + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + Lib_IntVector_Intrinsics_vec256 + *b = + (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, + sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2b_Simd256_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2b_Simd256_state_t - *p = - (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2b_Simd256_state_t - )); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 128U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2b_Simd256_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2b_Simd256_state_t + *p = + (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2b_Simd256_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec256 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec256 *h = block_state1.f3.snd; + uint32_t kk20 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk20 == 0U)) + { + uint8_t *sub_b = buf1 + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk20 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint64_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec256 *r0 = h; + Lib_IntVector_Intrinsics_vec256 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec256 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec256 *r3 = h + 3U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r4 = u; + uint64_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ + ((uint64_t)pv.fanout + << 16U + ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -685,21 +802,16 @@ Hacl_Hash_Blake2b_Simd256_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2b_Simd256_state_t - *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) { @@ -708,39 +820,106 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_Simd256_state_t *s) { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void -reset_raw( - Hacl_Hash_Blake2b_Simd256_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +reset_raw(Hacl_Hash_Blake2b_Simd256_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i1.key_length; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec256 *h = block_state.f3.snd; + uint32_t kk20 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (!(kk20 == 0U)) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (128U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + uint8_t *sub_b = buf + kk20; + memset(sub_b, 0U, (128U - kk20) * sizeof (uint8_t)); + memcpy(buf, k_1, kk20 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint64_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec256 *r0 = h; + Lib_IntVector_Intrinsics_vec256 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec256 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec256 *r3 = h + 3U; + uint64_t iv0 = Hacl_Hash_Blake2b_ivTable_B[0U]; + uint64_t iv1 = Hacl_Hash_Blake2b_ivTable_B[1U]; + uint64_t iv2 = Hacl_Hash_Blake2b_ivTable_B[2U]; + uint64_t iv3 = Hacl_Hash_Blake2b_ivTable_B[3U]; + uint64_t iv4 = Hacl_Hash_Blake2b_ivTable_B[4U]; + uint64_t iv5 = Hacl_Hash_Blake2b_ivTable_B[5U]; + uint64_t iv6 = Hacl_Hash_Blake2b_ivTable_B[6U]; + uint64_t iv7 = Hacl_Hash_Blake2b_ivTable_B[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t kk2 = pv.key_length; + uint8_t nn1 = pv.digest_length; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i0] = x;); + tmp[0U] = + (uint64_t)nn1 + ^ + ((uint64_t)kk2 + << 8U + ^ ((uint64_t)pv.fanout << 16U ^ ((uint64_t)pv.depth << 24U ^ (uint64_t)pv.leaf_length << 32U))); + tmp[1U] = pv.node_offset; + tmp[2U] = (uint64_t)pv.node_depth ^ (uint64_t)pv.inner_length << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -752,14 +931,16 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2b_Simd256_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -768,15 +949,17 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k) { @@ -791,11 +974,16 @@ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) { @@ -803,7 +991,7 @@ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -830,7 +1018,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (chunk_len <= 128U - sz) { Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -858,7 +1046,7 @@ Hacl_Hash_Blake2b_Simd256_update( else if (sz == 0U) { Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -873,8 +1061,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -899,7 +1086,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -927,7 +1114,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -952,7 +1139,7 @@ Hacl_Hash_Blake2b_Simd256_update( } ); Hacl_Hash_Blake2b_Simd256_state_t s10 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -967,8 +1154,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -994,7 +1180,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1020,17 +1206,26 @@ Hacl_Hash_Blake2b_Simd256_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_Simd256_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1045,11 +1240,16 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 uint8_t *buf_1 = buf_; KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 wv0[4U] KRML_POST_ALIGN(32) = { 0U }; KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 b[4U] KRML_POST_ALIGN(32) = { 0U }; - Hacl_Hash_Blake2b_Simd256_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1064,7 +1264,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec256 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec256 *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1076,17 +1276,35 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; Hacl_Hash_Blake2b_Simd256_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1096,9 +1314,9 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) { Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec256 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec256 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1106,44 +1324,133 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state) { Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 128U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec256 - *wv = + *wv0 = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Lib_IntVector_Intrinsics_vec256 - *b = - (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, - sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Hacl_Hash_Blake2b_Simd256_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2b_Simd256_state_t - *p = - (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2b_Simd256_state_t - )); - p[0U] = s; - return p; + if (wv0 != NULL) + { + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + Lib_IntVector_Intrinsics_vec256 + *b = + (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, + sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2b_256 block_state1 = block_state.v; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2b_Simd256_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2b_Simd256_state_t + *p = + (Hacl_Hash_Blake2b_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2b_Simd256_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec256 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1175,8 +1482,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256, void *); } +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_Blake2s.c b/src/msvc/Hacl_Hash_Blake2s.c index 6e19d83d..23b312b6 100644 --- a/src/msvc/Hacl_Hash_Blake2s.c +++ b/src/msvc/Hacl_Hash_Blake2s.c @@ -25,12 +25,22 @@ #include "internal/Hacl_Hash_Blake2s.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void -update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +update_block( + uint32_t *wv, + uint32_t *hash, + bool flag, + bool last_node, + uint64_t totlen, + uint8_t *d +) { uint32_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -53,7 +63,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask[0U] = (uint32_t)totlen; mask[1U] = (uint32_t)(totlen >> 32U); mask[2U] = wv_14; @@ -558,83 +576,6 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r1[3U] = iv7_; } -static void init_with_params(uint32_t *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint32_t tmp[8U] = { 0U }; - uint32_t *r0 = hash; - uint32_t *r1 = hash + 4U; - uint32_t *r2 = hash + 8U; - uint32_t *r3 = hash + 12U; - uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; - uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; - uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; - uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; - uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; - uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; - uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; - uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; - r2[0U] = iv0; - r2[1U] = iv1; - r2[2U] = iv2; - r2[3U] = iv3; - r3[0U] = iv4; - r3[1U] = iv5; - r3[2U] = iv6; - r3[3U] = iv7; - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - tmp[0U] = - (uint32_t)p.digest_length - ^ ((uint32_t)p.key_length << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); - tmp[1U] = p.leaf_length; - tmp[2U] = (uint32_t)p.node_offset; - tmp[3U] = - (uint32_t)(p.node_offset >> 32U) - ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); - uint32_t tmp0 = tmp[0U]; - uint32_t tmp1 = tmp[1U]; - uint32_t tmp2 = tmp[2U]; - uint32_t tmp3 = tmp[3U]; - uint32_t tmp4 = tmp[4U]; - uint32_t tmp5 = tmp[5U]; - uint32_t tmp6 = tmp[6U]; - uint32_t tmp7 = tmp[7U]; - uint32_t iv0_ = iv0 ^ tmp0; - uint32_t iv1_ = iv1 ^ tmp1; - uint32_t iv2_ = iv2 ^ tmp2; - uint32_t iv3_ = iv3 ^ tmp3; - uint32_t iv4_ = iv4 ^ tmp4; - uint32_t iv5_ = iv5 ^ tmp5; - uint32_t iv6_ = iv6 ^ tmp6; - uint32_t iv7_ = iv7 ^ tmp7; - r0[0U] = iv0_; - r0[1U] = iv1_; - r0[2U] = iv2_; - r0[3U] = iv3_; - r1[0U] = iv4_; - r1[1U] = iv5_; - r1[2U] = iv6_; - r1[3U] = iv7_; -} - static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) { uint64_t lb = (uint64_t)64U; @@ -642,11 +583,11 @@ static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -666,7 +607,7 @@ Hacl_Hash_Blake2s_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -675,6 +616,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -684,7 +626,7 @@ Hacl_Hash_Blake2s_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -712,7 +654,7 @@ update_blocks(uint32_t len, uint32_t *wv, uint32_t *hash, uint64_t prev, uint8_t rem = rem0; } Hacl_Hash_Blake2s_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -747,76 +689,251 @@ void Hacl_Hash_Blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) } static Hacl_Hash_Blake2s_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (buf == NULL) { - ite = 64U; + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *wv0 = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2s_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2s_state_t - *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 64U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2s_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2s_state_t + *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint32_t *b = block_state1.f3.snd; + uint32_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint32_t *h = block_state1.f3.snd; + uint32_t kk2 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk2 == 0U)) + { + uint8_t *sub_b = buf1 + kk2; + memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk2 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint32_t tmp[8U] = { 0U }; + uint32_t *r0 = h; + uint32_t *r1 = h + 4U; + uint32_t *r2 = h + 8U; + uint32_t *r3 = h + 12U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ + ((uint32_t)pv.key_length + << 8U + ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -824,20 +941,15 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; - Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + Hacl_Hash_Blake2b_blake2_params p0 = p; + Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) { @@ -846,29 +958,32 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_state_t *s) { - Hacl_Hash_Blake2s_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } -static void -reset_raw( - Hacl_Hash_Blake2s_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +static void reset_raw(Hacl_Hash_Blake2s_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + uint32_t *h = block_state.f3.snd; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -878,7 +993,79 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint32_t tmp[8U] = { 0U }; + uint32_t *r0 = h; + uint32_t *r1 = h + 4U; + uint32_t *r2 = h + 8U; + uint32_t *r3 = h + 12U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = iv0; + r2[1U] = iv1; + r2[2U] = iv2; + r2[3U] = iv3; + r3[0U] = iv4; + r3[1U] = iv5; + r3[2U] = iv6; + r3[3U] = iv7; + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ ((uint32_t)pv.key_length << 8U ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = iv0_; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -890,14 +1077,16 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2s_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -906,15 +1095,17 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) { @@ -929,11 +1120,16 @@ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) { @@ -941,7 +1137,7 @@ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len) @@ -964,7 +1160,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (chunk_len <= 64U - sz) { Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -992,7 +1188,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 else if (sz == 0U) { Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -1007,7 +1203,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1027,7 +1223,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1050,7 +1246,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -1075,7 +1271,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } ); Hacl_Hash_Blake2s_state_t s10 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -1090,7 +1286,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1111,7 +1307,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1132,16 +1328,26 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_state_t scrut = *state; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1156,11 +1362,16 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) uint8_t *buf_1 = buf_; uint32_t wv0[16U] = { 0U }; uint32_t b[16U] = { 0U }; - Hacl_Hash_Blake2s_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint32_t *src_b = block_state.thd.snd; - uint32_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint32_t *src_b = block_state.f3.snd; + uint32_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1174,18 +1385,35 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint32_t___uint32_t_ acc0 = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc0 = tmp_block_state.f3; uint32_t *wv1 = acc0.fst; uint32_t *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint32_t___uint32_t_ acc = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; - Hacl_Hash_Blake2s_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1195,9 +1423,9 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) { Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; - uint32_t *b = block_state.thd.snd; - uint32_t *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state = scrut.block_state; + uint32_t *b = block_state.f3.snd; + uint32_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1205,32 +1433,115 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state) { Hacl_Hash_Blake2s_state_t scrut = *state; - Hacl_Hash_Blake2s_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); - Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint32_t *src_b = block_state0.thd.snd; - uint32_t *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); - Hacl_Hash_Blake2s_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2s_state_t - *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); - p[0U] = s; - return p; + uint32_t *wv0 = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (b == NULL) + { + KRML_HOST_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_32 block_state1 = block_state.v; + uint32_t *src_b = block_state0.f3.snd; + uint32_t *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2s_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2s_state_t + *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + uint32_t *b = block_state1.f3.snd; + uint32_t *wv = block_state1.f3.fst; + KRML_HOST_FREE(wv); + KRML_HOST_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1262,8 +1573,14 @@ Hacl_Hash_Blake2s_hash_with_key( Lib_Memzero0_memzero(b, 16U, uint32_t, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_Blake2s_Simd128.c b/src/msvc/Hacl_Hash_Blake2s_Simd128.c index c02da8fa..f18cf412 100644 --- a/src/msvc/Hacl_Hash_Blake2s_Simd128.c +++ b/src/msvc/Hacl_Hash_Blake2s_Simd128.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Impl_Blake2_Constants.h" #include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" @@ -34,6 +37,7 @@ update_block( Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, bool flag, + bool last_node, uint64_t totlen, uint8_t *d ) @@ -59,7 +63,15 @@ update_block( { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask = Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, (uint32_t)(totlen >> 32U), @@ -286,72 +298,6 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } -static void -init_with_params(Lib_IntVector_Intrinsics_vec128 *hash, Hacl_Hash_Blake2b_blake2_params p) -{ - uint32_t tmp[8U] = { 0U }; - Lib_IntVector_Intrinsics_vec128 *r0 = hash; - Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; - Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; - Lib_IntVector_Intrinsics_vec128 *r3 = hash + 3U; - uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; - uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; - uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; - uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; - uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; - uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; - uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; - uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; - r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); - r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 4U; - uint8_t *bj = p.salt + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - KRML_MAYBE_FOR2(i, - 0U, - 2U, - 1U, - uint32_t *os = tmp + 6U; - uint8_t *bj = p.personal + i * 4U; - uint32_t u = load32_le(bj); - uint32_t r = u; - uint32_t x = r; - os[i] = x;); - tmp[0U] = - (uint32_t)p.digest_length - ^ ((uint32_t)p.key_length << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); - tmp[1U] = p.leaf_length; - tmp[2U] = (uint32_t)p.node_offset; - tmp[3U] = - (uint32_t)(p.node_offset >> 32U) - ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); - uint32_t tmp0 = tmp[0U]; - uint32_t tmp1 = tmp[1U]; - uint32_t tmp2 = tmp[2U]; - uint32_t tmp3 = tmp[3U]; - uint32_t tmp4 = tmp[4U]; - uint32_t tmp5 = tmp[5U]; - uint32_t tmp6 = tmp[6U]; - uint32_t tmp7 = tmp[7U]; - uint32_t iv0_ = iv0 ^ tmp0; - uint32_t iv1_ = iv1 ^ tmp1; - uint32_t iv2_ = iv2 ^ tmp2; - uint32_t iv3_ = iv3 ^ tmp3; - uint32_t iv4_ = iv4 ^ tmp4; - uint32_t iv5_ = iv5 ^ tmp5; - uint32_t iv6_ = iv6 ^ tmp6; - uint32_t iv7_ = iv7 ^ tmp7; - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); -} - static void update_key( Lib_IntVector_Intrinsics_vec128 *wv, @@ -366,11 +312,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -390,7 +336,7 @@ Hacl_Hash_Blake2s_Simd128_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -399,6 +345,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -408,7 +355,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -442,7 +389,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2s_Simd128_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -578,96 +525,265 @@ Lib_IntVector_Intrinsics_vec128 *Hacl_Hash_Blake2s_Simd128_malloc_with_key(void) *buf = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + if (buf != NULL) + { + memset(buf, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } return buf; } static Hacl_Hash_Blake2s_Simd128_state_t -*malloc_raw( - Hacl_Hash_Blake2b_index kk, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +*malloc_raw(Hacl_Hash_Blake2b_index kk, Hacl_Hash_Blake2b_params_and_key key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec128 - *wv = - (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, - sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Lib_IntVector_Intrinsics_vec128 - *b = + *wv0 = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; - uint8_t kk10 = kk.key_length; - uint32_t ite; - if (kk10 != 0U) + if (wv0 != NULL) { - ite = 64U; + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); } else { - ite = 0U; + Lib_IntVector_Intrinsics_vec128 + *b = + (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, + sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } } - Hacl_Hash_Blake2s_Simd128_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - Hacl_Hash_Blake2s_Simd128_state_t - *p = - (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2s_Simd128_state_t - )); - p[0U] = s; - Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; - uint8_t kk1 = p1->key_length; - uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - uint32_t kk2 = (uint32_t)i.key_length; - uint8_t *k_1 = key.snd; - if (!(kk2 == 0U)) + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) { - uint8_t *sub_b = buf + kk2; - memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); - memcpy(buf, k_1, kk2 * sizeof (uint8_t)); + KRML_HOST_FREE(buf1); + return NULL; } - Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); - return p; + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + uint8_t kk10 = kk.key_length; + uint32_t ite; + if (kk10 != 0U) + { + ite = 64U; + } + else + { + ite = 0U; + } + Hacl_Hash_Blake2s_Simd128_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)ite }; + Hacl_Hash_Blake2s_Simd128_state_t + *p = + (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2s_Simd128_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec128 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; + uint8_t kk1 = p1->key_length; + uint8_t nn = p1->digest_length; + bool last_node = block_state1.thd; + Hacl_Hash_Blake2b_index + i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec128 *h = block_state1.f3.snd; + uint32_t kk2 = (uint32_t)i.key_length; + uint8_t *k_2 = key.snd; + if (!(kk2 == 0U)) + { + uint8_t *sub_b = buf1 + kk2; + memset(sub_b, 0U, (64U - kk2) * sizeof (uint8_t)); + memcpy(buf1, k_2, kk2 * sizeof (uint8_t)); + } + Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; + uint32_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec128 *r0 = h; + Lib_IntVector_Intrinsics_vec128 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec128 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec128 *r3 = h + 3U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r4 = u; + uint32_t x = r4; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ + ((uint32_t)pv.key_length + << 8U + ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; - return - malloc_raw(i1, - ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; + return malloc_raw(i1, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -675,21 +791,16 @@ Hacl_Hash_Blake2s_Simd128_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2s_Simd128_state_t - *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) { @@ -698,29 +809,33 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_Simd128_state_t *s) { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*s).block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void -reset_raw( - Hacl_Hash_Blake2s_Simd128_state_t *state, - K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_ key -) +reset_raw(Hacl_Hash_Blake2s_Simd128_state_t *state, Hacl_Hash_Blake2b_params_and_key key) { Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; + Lib_IntVector_Intrinsics_vec128 *h = block_state.f3.snd; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -730,7 +845,67 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + uint32_t tmp[8U] = { 0U }; + Lib_IntVector_Intrinsics_vec128 *r0 = h; + Lib_IntVector_Intrinsics_vec128 *r1 = h + 1U; + Lib_IntVector_Intrinsics_vec128 *r2 = h + 2U; + Lib_IntVector_Intrinsics_vec128 *r3 = h + 3U; + uint32_t iv0 = Hacl_Hash_Blake2b_ivTable_S[0U]; + uint32_t iv1 = Hacl_Hash_Blake2b_ivTable_S[1U]; + uint32_t iv2 = Hacl_Hash_Blake2b_ivTable_S[2U]; + uint32_t iv3 = Hacl_Hash_Blake2b_ivTable_S[3U]; + uint32_t iv4 = Hacl_Hash_Blake2b_ivTable_S[4U]; + uint32_t iv5 = Hacl_Hash_Blake2b_ivTable_S[5U]; + uint32_t iv6 = Hacl_Hash_Blake2b_ivTable_S[6U]; + uint32_t iv7 = Hacl_Hash_Blake2b_ivTable_S[7U]; + r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); + r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = pv.salt + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + KRML_MAYBE_FOR2(i0, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = pv.personal + i0 * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i0] = x;); + tmp[0U] = + (uint32_t)pv.digest_length + ^ ((uint32_t)pv.key_length << 8U ^ ((uint32_t)pv.fanout << 16U ^ (uint32_t)pv.depth << 24U)); + tmp[1U] = pv.leaf_length; + tmp[2U] = (uint32_t)pv.node_offset; + tmp[3U] = + (uint32_t)(pv.node_offset >> 32U) + ^ ((uint32_t)pv.node_depth << 16U ^ (uint32_t)pv.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -742,14 +917,16 @@ reset_raw( ite = 0U; } Hacl_Hash_Blake2s_Simd128_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; - state[0U] = tmp; + tmp8 = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)ite }; + state[0U] = tmp8; } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -758,15 +935,17 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( uint8_t *k ) { - index_of_state(s); - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); + Hacl_Hash_Blake2b_index i1 = index_of_state(s); + KRML_MAYBE_UNUSED_VAR(i1); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = p, .snd = k })); } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k) { @@ -781,11 +960,16 @@ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - reset_raw(s, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = &p0, .snd = k })); + reset_raw(s, ((Hacl_Hash_Blake2b_params_and_key){ .fst = &p0, .snd = k })); } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) { @@ -793,7 +977,7 @@ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -820,7 +1004,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (chunk_len <= 64U - sz) { Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -848,7 +1032,7 @@ Hacl_Hash_Blake2s_Simd128_update( else if (sz == 0U) { Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = s1.block_state; uint8_t *buf = s1.buf; uint64_t total_len1 = s1.total_len; uint32_t sz1; @@ -863,8 +1047,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -884,7 +1067,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -907,7 +1090,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state10 = s1.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state10 = s1.block_state; uint8_t *buf0 = s1.buf; uint64_t total_len10 = s1.total_len; uint32_t sz10; @@ -932,7 +1115,7 @@ Hacl_Hash_Blake2s_Simd128_update( } ); Hacl_Hash_Blake2s_Simd128_state_t s10 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s10.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = s10.block_state; uint8_t *buf = s10.buf; uint64_t total_len1 = s10.total_len; uint32_t sz1; @@ -947,8 +1130,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -969,7 +1151,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -990,17 +1172,26 @@ Hacl_Hash_Blake2s_Simd128_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_Simd128_state_t scrut = *s; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; uint32_t r; @@ -1015,11 +1206,16 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 uint8_t *buf_1 = buf_; KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv0[4U] KRML_POST_ALIGN(16) = { 0U }; KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 b[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_block_state_t + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1034,19 +1230,36 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec128 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec128 *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_Simd128_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; - Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s) +{ + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1056,9 +1269,9 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) { Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec128 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *wv = block_state.thd.fst; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec128 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1066,44 +1279,133 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state) { Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = scrut.block_state; + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec128 - *wv = - (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, - sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(wv, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Lib_IntVector_Intrinsics_vec128 - *b = + *wv0 = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); - memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = block_state.thd.snd; - memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Hacl_Hash_Blake2s_Simd128_state_t - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Hash_Blake2s_Simd128_state_t - *p = - (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_Hash_Blake2s_Simd128_state_t - )); - p[0U] = s; - return p; + if (wv0 != NULL) + { + memset(wv0, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128 block_state; + if (wv0 == NULL) + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + Lib_IntVector_Intrinsics_vec128 + *b = + (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, + sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); + if (b != NULL) + { + memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + if (b == NULL) + { + KRML_ALIGNED_FREE(wv0); + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_None + } + ); + } + else + { + block_state = + ( + (Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128){ + .tag = Hacl_Streaming_Blake2_Types_Some, + .v = { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv0, .snd = b } + } + } + ); + } + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Blake2_Types_Some) + { + Hacl_Streaming_Blake2_Types_block_state_blake2s_128 block_state1 = block_state.v; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = block_state1.f3.snd; + memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_Blake2s_Simd128_state_t + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_Blake2s_Simd128_state_t + *p = + (Hacl_Hash_Blake2s_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_Hash_Blake2s_Simd128_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Lib_IntVector_Intrinsics_vec128 *b = block_state1.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state1.f3.fst; + KRML_ALIGNED_FREE(wv); + KRML_ALIGNED_FREE(b); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -1135,8 +1437,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_MD5.c b/src/msvc/Hacl_Hash_MD5.c index ed294839..f0edd91b 100644 --- a/src/msvc/Hacl_Hash_MD5.c +++ b/src/msvc/Hacl_Hash_MD5.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_MD5.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_Streaming_Types.h" + static uint32_t _h0[4U] = { 0x67452301U, 0xefcdab89U, 0x98badcfeU, 0x10325476U }; static uint32_t @@ -1166,14 +1169,67 @@ void Hacl_Hash_MD5_hash_oneshot(uint8_t *output, uint8_t *input, uint32_t input_ Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_malloc(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_MD5_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_MD5_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_MD5_reset(Hacl_Streaming_MD_state_32 *state) @@ -1412,15 +1468,67 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_copy(Hacl_Streaming_MD_state_32 *state uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); - memcpy(block_state, block_state0, 4U * sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - return p; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 4U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_MD5_hash(uint8_t *output, uint8_t *input, uint32_t input_len) diff --git a/src/msvc/Hacl_Hash_SHA1.c b/src/msvc/Hacl_Hash_SHA1.c index 1a8b09b1..edb5f062 100644 --- a/src/msvc/Hacl_Hash_SHA1.c +++ b/src/msvc/Hacl_Hash_SHA1.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_SHA1.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_Streaming_Types.h" + static uint32_t _h0[5U] = { 0x67452301U, 0xefcdab89U, 0x98badcfeU, 0x10325476U, 0xc3d2e1f0U }; void Hacl_Hash_SHA1_init(uint32_t *s) @@ -199,14 +202,67 @@ void Hacl_Hash_SHA1_hash_oneshot(uint8_t *output, uint8_t *input, uint32_t input Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_malloc(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_SHA1_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA1_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA1_reset(Hacl_Streaming_MD_state_32 *state) @@ -445,15 +501,67 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_copy(Hacl_Streaming_MD_state_32 *stat uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); - memcpy(block_state, block_state0, 5U * sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - return p; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 5U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA1_hash(uint8_t *output, uint8_t *input, uint32_t input_len) diff --git a/src/msvc/Hacl_Hash_SHA2.c b/src/msvc/Hacl_Hash_SHA2.c index 995fe707..4d130968 100644 --- a/src/msvc/Hacl_Hash_SHA2.c +++ b/src/msvc/Hacl_Hash_SHA2.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_SHA2.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "internal/Hacl_Streaming_Types.h" #include "internal/Hacl_Krmllib.h" void Hacl_Hash_SHA2_sha256_init(uint32_t *hash) @@ -211,7 +214,7 @@ void Hacl_Hash_SHA2_sha224_init(uint32_t *hash) os[i] = x;); } -static inline void sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st) +void Hacl_Hash_SHA2_sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st) { Hacl_Hash_SHA2_sha256_update_nblocks(len, b, st); } @@ -447,14 +450,67 @@ calling `free_256`. Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_256(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_SHA2_sha256_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha256_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -470,15 +526,67 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_state_32 * uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 64U * sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - memcpy(block_state, block_state0, 8U * sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - return p; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 8U * sizeof (uint32_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -760,14 +868,67 @@ void Hacl_Hash_SHA2_hash_256(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_224(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); - Hacl_Streaming_MD_state_32 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_32 - *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); - p[0U] = s; - Hacl_Hash_SHA2_sha224_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Streaming_Types_optional_32 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_32){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint32_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_32 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_32 + *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha224_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 *state) @@ -825,7 +986,7 @@ void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_t *outpu } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - sha224_update_nblocks(0U, buf_multi, tmp_block_state); + Hacl_Hash_SHA2_sha224_update_nblocks(0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA2_sha224_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state); Hacl_Hash_SHA2_sha224_finish(tmp_block_state, output); @@ -847,7 +1008,7 @@ void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Hash_SHA2_sha224_init(st); uint32_t rem = input_len % 64U; uint64_t len_ = (uint64_t)input_len; - sha224_update_nblocks(input_len, ib, st); + Hacl_Hash_SHA2_sha224_update_nblocks(input_len, ib, st); uint32_t rem1 = input_len % 64U; uint8_t *b0 = ib; uint8_t *lb = b0 + input_len - rem1; @@ -858,14 +1019,67 @@ void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_512(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); - uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - Hacl_Streaming_MD_state_64 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_64 - *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); - p[0U] = s; - Hacl_Hash_SHA2_sha512_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Streaming_Types_optional_64 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_64 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_64 + *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha512_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } /** @@ -881,15 +1095,67 @@ Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_state_64 * uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } memcpy(buf, buf0, 128U * sizeof (uint8_t)); - uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - memcpy(block_state, block_state0, 8U * sizeof (uint64_t)); - Hacl_Streaming_MD_state_64 - s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; - Hacl_Streaming_MD_state_64 - *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); - p[0U] = s; - return p; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Streaming_Types_optional_64 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + memcpy(block_state1, block_state0, 8U * sizeof (uint64_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_64 + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_MD_state_64 + *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 *state) @@ -1172,14 +1438,67 @@ void Hacl_Hash_SHA2_hash_512(uint8_t *output, uint8_t *input, uint32_t input_len Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_384(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); - uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); - Hacl_Streaming_MD_state_64 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_MD_state_64 - *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); - p[0U] = s; - Hacl_Hash_SHA2_sha384_init(block_state); - return p; + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Streaming_Types_optional_64 block_state; + if (b == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = b }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_MD_state_64 + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Streaming_MD_state_64 + *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_Hash_SHA2_sha384_init(block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 *state) diff --git a/src/msvc/Hacl_Hash_SHA3.c b/src/msvc/Hacl_Hash_SHA3.c index 89bb0491..9903596d 100644 --- a/src/msvc/Hacl_Hash_SHA3.c +++ b/src/msvc/Hacl_Hash_SHA3.c @@ -25,6 +25,9 @@ #include "internal/Hacl_Hash_SHA3.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_Streaming_Types.h" + const uint32_t Hacl_Hash_SHA3_keccak_rotc[24U] = @@ -234,6 +237,12 @@ static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) } } +void Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_hash_alg a, uint64_t *s) +{ + KRML_MAYBE_UNUSED_VAR(a); + memset(s, 0U, 25U * sizeof (uint64_t)); +} + void Hacl_Hash_SHA3_update_multi_sha3( Spec_Hash_Definitions_hash_alg a, @@ -251,7 +260,8 @@ Hacl_Hash_SHA3_update_multi_sha3( uint8_t *bl0 = b_; uint8_t *uu____0 = b0 + i * block_len(a); memcpy(bl0, uu____0, block_len(a) * sizeof (uint8_t)); - block_len(a); + uint32_t unused = block_len(a); + KRML_MAYBE_UNUSED_VAR(unused); absorb_inner_32(b_, s); } } @@ -544,6 +554,74 @@ Hacl_Hash_SHA3_update_last_sha3( absorb_inner_32(b3, s); } +static void squeeze(uint64_t *s, uint32_t rateInBytes, uint32_t outputByteLen, uint8_t *b) +{ + for (uint32_t i0 = 0U; i0 < outputByteLen / rateInBytes; i0++) + { + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + uint8_t *b0 = b; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U])));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i2 + 1U) % 5U]; + uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i2 + 5U * i] = s[i2 + 5U * i] ^ _D;);); + uint64_t x = s[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Hash_SHA3_keccak_piln[i]; + uint32_t r = Hacl_Hash_SHA3_keccak_rotc[i]; + uint64_t temp = s[_Y]; + uint64_t uu____1 = current; + s[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]); + uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]); + uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]); + uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]); + uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]); + s[0U + 5U * i] = v0; + s[1U + 5U * i] = v1; + s[2U + 5U * i] = v2; + s[3U + 5U * i] = v3; + s[4U + 5U * i] = v4;); + uint64_t c = Hacl_Hash_SHA3_keccak_rndc[i1]; + s[0U] = s[0U] ^ c; + } + } + uint32_t remOut = outputByteLen % rateInBytes; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, s, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(b + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); +} + typedef struct hash_buf2_s { Hacl_Hash_SHA3_hash_buf fst; @@ -557,20 +635,92 @@ Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_state_t *s) return block_state.fst; } +typedef struct option___Spec_Hash_Definitions_hash_alg____uint64_t___s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Hacl_Hash_SHA3_hash_buf v; +} +option___Spec_Hash_Definitions_hash_alg____uint64_t__; + Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash_alg a) { KRML_CHECK_SIZE(sizeof (uint8_t), block_len(a)); - uint8_t *buf0 = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - Hacl_Hash_SHA3_hash_buf block_state = { .fst = a, .snd = buf }; - Hacl_Hash_SHA3_state_t - s = { .block_state = block_state, .buf = buf0, .total_len = (uint64_t)0U }; - Hacl_Hash_SHA3_state_t - *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); - p[0U] = s; - uint64_t *s1 = block_state.snd; - memset(s1, 0U, 25U * sizeof (uint64_t)); - return p; + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + option___Spec_Hash_Definitions_hash_alg____uint64_t__ block_state; + if (s == NULL) + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = a, .snd = s } + } + ); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Hash_SHA3_hash_buf block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_SHA3_state_t + s0 = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U }; + Hacl_Hash_SHA3_state_t + *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); + if (p != NULL) + { + p[0U] = s0; + } + if (p == NULL) + { + uint64_t *s1 = block_state1.snd; + KRML_HOST_FREE(s1); + KRML_HOST_FREE(buf1); + return NULL; + } + Spec_Hash_Definitions_hash_alg a1 = block_state1.fst; + uint64_t *s1 = block_state1.snd; + Hacl_Hash_SHA3_init_(a1, s1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t *state) @@ -592,20 +742,83 @@ Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state) uint64_t total_len0 = scrut0.total_len; Spec_Hash_Definitions_hash_alg i = block_state0.fst; KRML_CHECK_SIZE(sizeof (uint8_t), block_len(i)); - uint8_t *buf1 = (uint8_t *)KRML_HOST_CALLOC(block_len(i), sizeof (uint8_t)); - memcpy(buf1, buf0, block_len(i) * sizeof (uint8_t)); - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - Hacl_Hash_SHA3_hash_buf block_state = { .fst = i, .snd = buf }; - hash_buf2 scrut = { .fst = block_state0, .snd = block_state }; - uint64_t *s_dst = scrut.snd.snd; - uint64_t *s_src = scrut.fst.snd; - memcpy(s_dst, s_src, 25U * sizeof (uint64_t)); - Hacl_Hash_SHA3_state_t - s = { .block_state = block_state, .buf = buf1, .total_len = total_len0 }; - Hacl_Hash_SHA3_state_t - *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); - p[0U] = s; - return p; + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(i), sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + memcpy(buf, buf0, block_len(i) * sizeof (uint8_t)); + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + option___Spec_Hash_Definitions_hash_alg____uint64_t__ block_state; + if (s == NULL) + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___Spec_Hash_Definitions_hash_alg____uint64_t__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = i, .snd = s } + } + ); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Hash_SHA3_hash_buf block_state1 = block_state.v; + hash_buf2 scrut = { .fst = block_state0, .snd = block_state1 }; + uint64_t *s_dst = scrut.snd.snd; + uint64_t *s_src = scrut.fst.snd; + memcpy(s_dst, s_src, 25U * sizeof (uint64_t)); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Hash_SHA3_state_t + s0 = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Hash_SHA3_state_t + *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); + if (p != NULL) + { + p[0U] = s0; + } + if (p == NULL) + { + uint64_t *s1 = block_state1.snd; + KRML_HOST_FREE(s1); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state) @@ -615,8 +828,9 @@ void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state) Hacl_Hash_SHA3_hash_buf block_state = scrut.block_state; Spec_Hash_Definitions_hash_alg i = block_state.fst; KRML_MAYBE_UNUSED_VAR(i); + Spec_Hash_Definitions_hash_alg a1 = block_state.fst; uint64_t *s = block_state.snd; - memset(s, 0U, 25U * sizeof (uint64_t)); + Hacl_Hash_SHA3_init_(a1, s); Hacl_Hash_SHA3_state_t tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; state[0U] = tmp; @@ -848,141 +1062,30 @@ digest_( Hacl_Hash_SHA3_update_last_sha3(a10, s1, buf_last, r); Spec_Hash_Definitions_hash_alg a11 = tmp_block_state.fst; uint64_t *s = tmp_block_state.snd; - if (a11 == Spec_Hash_Definitions_Shake128 || a11 == Spec_Hash_Definitions_Shake256) + bool sw; + switch (a11) { - for (uint32_t i0 = 0U; i0 < l / block_len(a11); i0++) - { - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) + case Spec_Hash_Definitions_Shake128: { - store64_le(hbuf + i * 8U, ws[i]); + sw = true; + break; } - uint8_t *b0 = output; - uint8_t *uu____0 = hbuf; - memcpy(b0 + i0 * block_len(a11), uu____0, block_len(a11) * sizeof (uint8_t)); - for (uint32_t i1 = 0U; i1 < 24U; i1++) + case Spec_Hash_Definitions_Shake256: { - uint64_t _C[5U] = { 0U }; - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U])));); - KRML_MAYBE_FOR5(i2, - 0U, - 5U, - 1U, - uint64_t uu____1 = _C[(i2 + 1U) % 5U]; - uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____1 << 1U | uu____1 >> 63U); - KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i2 + 5U * i] = s[i2 + 5U * i] ^ _D;);); - uint64_t x = s[1U]; - uint64_t current = x; - for (uint32_t i = 0U; i < 24U; i++) - { - uint32_t _Y = Hacl_Hash_SHA3_keccak_piln[i]; - uint32_t r1 = Hacl_Hash_SHA3_keccak_rotc[i]; - uint64_t temp = s[_Y]; - uint64_t uu____2 = current; - s[_Y] = uu____2 << r1 | uu____2 >> (64U - r1); - current = temp; - } - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]); - uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]); - uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]); - uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]); - uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]); - s[0U + 5U * i] = v0; - s[1U + 5U * i] = v1; - s[2U + 5U * i] = v2; - s[3U + 5U * i] = v3; - s[4U + 5U * i] = v4;); - uint64_t c = Hacl_Hash_SHA3_keccak_rndc[i1]; - s[0U] = s[0U] ^ c; + sw = true; + break; } - } - uint32_t remOut = l % block_len(a11); - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) - { - store64_le(hbuf + i * 8U, ws[i]); - } - memcpy(output + l - remOut, hbuf, remOut * sizeof (uint8_t)); - return; - } - for (uint32_t i0 = 0U; i0 < hash_len(a11) / block_len(a11); i0++) - { - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) - { - store64_le(hbuf + i * 8U, ws[i]); - } - uint8_t *b0 = output; - uint8_t *uu____3 = hbuf; - memcpy(b0 + i0 * block_len(a11), uu____3, block_len(a11) * sizeof (uint8_t)); - for (uint32_t i1 = 0U; i1 < 24U; i1++) - { - uint64_t _C[5U] = { 0U }; - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - _C[i] = s[i + 0U] ^ (s[i + 5U] ^ (s[i + 10U] ^ (s[i + 15U] ^ s[i + 20U])));); - KRML_MAYBE_FOR5(i2, - 0U, - 5U, - 1U, - uint64_t uu____4 = _C[(i2 + 1U) % 5U]; - uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____4 << 1U | uu____4 >> 63U); - KRML_MAYBE_FOR5(i, 0U, 5U, 1U, s[i2 + 5U * i] = s[i2 + 5U * i] ^ _D;);); - uint64_t x = s[1U]; - uint64_t current = x; - for (uint32_t i = 0U; i < 24U; i++) + default: { - uint32_t _Y = Hacl_Hash_SHA3_keccak_piln[i]; - uint32_t r1 = Hacl_Hash_SHA3_keccak_rotc[i]; - uint64_t temp = s[_Y]; - uint64_t uu____5 = current; - s[_Y] = uu____5 << r1 | uu____5 >> (64U - r1); - current = temp; + sw = false; } - KRML_MAYBE_FOR5(i, - 0U, - 5U, - 1U, - uint64_t v0 = s[0U + 5U * i] ^ (~s[1U + 5U * i] & s[2U + 5U * i]); - uint64_t v1 = s[1U + 5U * i] ^ (~s[2U + 5U * i] & s[3U + 5U * i]); - uint64_t v2 = s[2U + 5U * i] ^ (~s[3U + 5U * i] & s[4U + 5U * i]); - uint64_t v3 = s[3U + 5U * i] ^ (~s[4U + 5U * i] & s[0U + 5U * i]); - uint64_t v4 = s[4U + 5U * i] ^ (~s[0U + 5U * i] & s[1U + 5U * i]); - s[0U + 5U * i] = v0; - s[1U + 5U * i] = v1; - s[2U + 5U * i] = v2; - s[3U + 5U * i] = v3; - s[4U + 5U * i] = v4;); - uint64_t c = Hacl_Hash_SHA3_keccak_rndc[i1]; - s[0U] = s[0U] ^ c; - } } - uint32_t remOut = hash_len(a11) % block_len(a11); - uint8_t hbuf[256U] = { 0U }; - uint64_t ws[32U] = { 0U }; - memcpy(ws, s, 25U * sizeof (uint64_t)); - for (uint32_t i = 0U; i < 32U; i++) + if (sw) { - store64_le(hbuf + i * 8U, ws[i]); + squeeze(s, block_len(a11), l, output); + return; } - uint8_t *uu____6 = hbuf; - memcpy(output + hash_len(a11) - remOut, uu____6, remOut * sizeof (uint8_t)); + squeeze(s, block_len(a11), hash_len(a11), output); } Hacl_Streaming_Types_error_code @@ -2166,7 +2269,7 @@ void Hacl_Hash_SHA3_state_free(uint64_t *s) Absorb number of input blocks and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses an input of multiple of 168-bytes (SHAKE128 block size), + It processes an input of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] @@ -2191,14 +2294,14 @@ Hacl_Hash_SHA3_shake128_absorb_nblocks(uint64_t *state, uint8_t *input, uint32_t Absorb a final partial block of input and write the output state This function is intended to receive a hash state and input buffer. - It prcoesses a sequence of bytes at end of input buffer that is less + It processes a sequence of bytes at end of input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffer are ignored. The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] The argument `input` (IN) points to `inputByteLen` bytes of valid memory, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffer must be passed to `inputByteLen` including the number of full-block bytes at start of input buffer that are ignored */ diff --git a/src/msvc/Hacl_Hash_SHA3_Simd256.c b/src/msvc/Hacl_Hash_SHA3_Simd256.c index 131c34e6..55ef124d 100644 --- a/src/msvc/Hacl_Hash_SHA3_Simd256.c +++ b/src/msvc/Hacl_Hash_SHA3_Simd256.c @@ -25,6 +25,7 @@ #include "Hacl_Hash_SHA3_Simd256.h" +#include "Hacl_SHA2_Types.h" #include "internal/Hacl_Hash_SHA3.h" void @@ -5976,7 +5977,10 @@ Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void) *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 25U); - memset(buf, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + if (buf != NULL) + { + memset(buf, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } return buf; } @@ -5992,12 +5996,12 @@ void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s) Absorb number of blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses an inputs of multiple of 168-bytes (SHAKE128 block size), + It processes an inputs of multiple of 168-bytes (SHAKE128 block size), any additional bytes of final partial block for each buffer are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void @@ -6038,15 +6042,15 @@ Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( Absorb a final partial blocks of 4 input buffers and write the output states This function is intended to receive a quadruple hash state and 4 input buffers. - It prcoesses a sequence of bytes at end of each input buffer that is less + It processes a sequence of bytes at end of each input buffer that is less than 168-bytes (SHAKE128 block size), any bytes of full blocks at start of input buffers are ignored. The argument `state` (IN/OUT) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] - + Note: Full size of input buffers must be passed to `inputByteLen` including the number of full-block bytes at start of each input buffer that are ignored */ @@ -6378,7 +6382,7 @@ Squeeze a quadruple hash state to 4 output buffers The argument `state` (IN) points to quadruple hash state, i.e., Lib_IntVector_Intrinsics_vec256[25] - The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes + The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes of valid memory for each buffer, i.e., uint8_t[inputByteLen] */ void diff --git a/src/msvc/Hacl_K256_ECDSA.c b/src/msvc/Hacl_K256_ECDSA.c index 0aaab085..6169b04b 100644 --- a/src/msvc/Hacl_K256_ECDSA.c +++ b/src/msvc/Hacl_K256_ECDSA.c @@ -25,6 +25,8 @@ #include "internal/Hacl_K256_ECDSA.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_K256_PrecompTable.h" #include "internal/Hacl_Bignum_K256.h" @@ -351,7 +353,7 @@ static inline uint64_t load_qelem_check(uint64_t *f, uint8_t *b) 1U, uint64_t beq = FStar_UInt64_eq_mask(f[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(f[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL)));); + acc = (beq & acc) | (~beq & blt);); uint64_t is_lt_q = acc; return ~is_zero & is_lt_q; } @@ -372,11 +374,7 @@ static inline bool load_qelem_vartime(uint64_t *f, uint8_t *b) uint64_t a2 = f[2U]; uint64_t a3 = f[3U]; bool is_lt_q_b; - if (a3 < 0xffffffffffffffffULL) - { - is_lt_q_b = true; - } - else if (a2 < 0xfffffffffffffffeULL) + if (a3 < 0xffffffffffffffffULL || a2 < 0xfffffffffffffffeULL) { is_lt_q_b = true; } @@ -510,12 +508,14 @@ static inline void modq(uint64_t *out, uint64_t *a) uint64_t *t01 = tmp; uint64_t m[7U] = { 0U }; uint64_t p[5U] = { 0U }; - mul_pow2_256_minus_q_add(4U, 7U, t01, a + 4U, a, m); - mul_pow2_256_minus_q_add(3U, 5U, t01, m + 4U, m, p); + uint64_t c0 = mul_pow2_256_minus_q_add(4U, 7U, t01, a + 4U, a, m); + KRML_MAYBE_UNUSED_VAR(c0); + uint64_t c10 = mul_pow2_256_minus_q_add(3U, 5U, t01, m + 4U, m, p); + KRML_MAYBE_UNUSED_VAR(c10); uint64_t c2 = mul_pow2_256_minus_q_add(1U, 4U, t01, p + 4U, p, r); - uint64_t c0 = c2; + uint64_t c00 = c2; uint64_t c1 = add4(r, tmp, out); - uint64_t mask = 0ULL - (c0 + c1); + uint64_t mask = 0ULL - (c00 + c1); KRML_MAYBE_FOR4(i, 0U, 4U, @@ -567,11 +567,7 @@ static inline bool is_qelem_le_q_halved_vartime(uint64_t *f) { return false; } - if (a2 < 0xffffffffffffffffULL) - { - return true; - } - if (a1 < 0x5d576e7357a4501dULL) + if (a2 < 0xffffffffffffffffULL || a1 < 0x5d576e7357a4501dULL) { return true; } diff --git a/src/msvc/Hacl_MAC_Poly1305.c b/src/msvc/Hacl_MAC_Poly1305.c index 28cbca5a..9c5005d7 100644 --- a/src/msvc/Hacl_MAC_Poly1305.c +++ b/src/msvc/Hacl_MAC_Poly1305.c @@ -25,6 +25,11 @@ #include "internal/Hacl_MAC_Poly1305.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "internal/Hacl_Streaming_Types.h" +#include "internal/Hacl_Hash_SHA3.h" + void Hacl_MAC_Poly1305_poly1305_init(uint64_t *ctx, uint8_t *key) { uint64_t *acc = ctx; @@ -443,18 +448,101 @@ void Hacl_MAC_Poly1305_poly1305_finish(uint8_t *tag, uint8_t *key, uint64_t *ctx Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; uint64_t *r1 = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); - uint64_t *block_state = r1; - uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); - memcpy(k_, key, 32U * sizeof (uint8_t)); - uint8_t *k_0 = k_; - Hacl_MAC_Poly1305_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_0 }; - Hacl_MAC_Poly1305_state_t - *p = (Hacl_MAC_Poly1305_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_MAC_Poly1305_state_t)); - p[0U] = s; - Hacl_MAC_Poly1305_poly1305_init(block_state, key); - return p; + Hacl_Streaming_Types_optional_64 block_state; + if (r1 == NULL) + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_None }); + } + else + { + block_state = ((Hacl_Streaming_Types_optional_64){ .tag = Hacl_Streaming_Types_Some, .v = r1 }); + } + if (block_state.tag == Hacl_Streaming_Types_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == Hacl_Streaming_Types_Some) + { + uint64_t *block_state1 = block_state.v; + uint8_t *b = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + FStar_Pervasives_Native_option___uint8_t_ k_; + if (b == NULL) + { + k_ = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + k_ = + ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_Some, .v = b }); + } + FStar_Pervasives_Native_option___uint8_t_ k_0; + if (k_.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + k_0 = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else if (k_.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_.v; + memcpy(k_1, key, 32U * sizeof (uint8_t)); + k_0 = + ( + (FStar_Pervasives_Native_option___uint8_t_){ + .tag = FStar_Pervasives_Native_Some, + .v = k_1 + } + ); + } + else + { + k_0 = + KRML_EABORT(FStar_Pervasives_Native_option___uint8_t_, + "unreachable (pattern matches are exhaustive in F*)"); + } + if (k_0.tag == FStar_Pervasives_Native_None) + { + return NULL; + } + if (k_0.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_0.v; + Hacl_MAC_Poly1305_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U, .p_key = k_1 }; + Hacl_MAC_Poly1305_state_t + *p = (Hacl_MAC_Poly1305_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_MAC_Poly1305_state_t)); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(k_1); + KRML_HOST_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_MAC_Poly1305_poly1305_init(block_state1, key); + return p; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_MAC_Poly1305_reset(Hacl_MAC_Poly1305_state_t *state, uint8_t *key) diff --git a/src/msvc/Hacl_MAC_Poly1305_Simd128.c b/src/msvc/Hacl_MAC_Poly1305_Simd128.c index 17e26978..a8e35d3f 100644 --- a/src/msvc/Hacl_MAC_Poly1305_Simd128.c +++ b/src/msvc/Hacl_MAC_Poly1305_Simd128.c @@ -25,6 +25,10 @@ #include "internal/Hacl_MAC_Poly1305_Simd128.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_MAC_Poly1305.h" +#include "internal/Hacl_Hash_SHA3.h" + void Hacl_MAC_Poly1305_Simd128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b) { KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 e[5U] KRML_POST_ALIGN(16) = { 0U }; @@ -1301,28 +1305,123 @@ Hacl_MAC_Poly1305_Simd128_poly1305_finish( store64_le(tag + 8U, f31); } +typedef struct option___Lib_IntVector_Intrinsics_vec128__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Lib_IntVector_Intrinsics_vec128 *v; +} +option___Lib_IntVector_Intrinsics_vec128_; + Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint8_t *key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec128 *r1 = (Lib_IntVector_Intrinsics_vec128 *)KRML_ALIGNED_MALLOC(16, sizeof (Lib_IntVector_Intrinsics_vec128) * 25U); - memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec128)); - Lib_IntVector_Intrinsics_vec128 *block_state = r1; - uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); - memcpy(k_, key, 32U * sizeof (uint8_t)); - uint8_t *k_0 = k_; - Hacl_MAC_Poly1305_Simd128_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_0 }; - Hacl_MAC_Poly1305_Simd128_state_t - *p = - (Hacl_MAC_Poly1305_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_MAC_Poly1305_Simd128_state_t - )); - p[0U] = s; - Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state, key); - return p; + if (r1 != NULL) + { + memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec128)); + } + option___Lib_IntVector_Intrinsics_vec128_ block_state; + if (r1 == NULL) + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec128_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec128_){ .tag = FStar_Pervasives_Native_Some, .v = r1 }); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Lib_IntVector_Intrinsics_vec128 *block_state1 = block_state.v; + uint8_t *b = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + FStar_Pervasives_Native_option___uint8_t_ k_; + if (b == NULL) + { + k_ = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + k_ = + ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_Some, .v = b }); + } + FStar_Pervasives_Native_option___uint8_t_ k_0; + if (k_.tag == FStar_Pervasives_Native_None) + { + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + k_0 = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else if (k_.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_.v; + memcpy(k_1, key, 32U * sizeof (uint8_t)); + k_0 = + ( + (FStar_Pervasives_Native_option___uint8_t_){ + .tag = FStar_Pervasives_Native_Some, + .v = k_1 + } + ); + } + else + { + k_0 = + KRML_EABORT(FStar_Pervasives_Native_option___uint8_t_, + "unreachable (pattern matches are exhaustive in F*)"); + } + if (k_0.tag == FStar_Pervasives_Native_None) + { + return NULL; + } + if (k_0.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_0.v; + Hacl_MAC_Poly1305_Simd128_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U, .p_key = k_1 }; + Hacl_MAC_Poly1305_Simd128_state_t + *p = + (Hacl_MAC_Poly1305_Simd128_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_MAC_Poly1305_Simd128_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(k_1); + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state1, key); + return p; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_MAC_Poly1305_Simd128_reset(Hacl_MAC_Poly1305_Simd128_state_t *state, uint8_t *key) diff --git a/src/msvc/Hacl_MAC_Poly1305_Simd256.c b/src/msvc/Hacl_MAC_Poly1305_Simd256.c index f25e8fff..9d41b990 100644 --- a/src/msvc/Hacl_MAC_Poly1305_Simd256.c +++ b/src/msvc/Hacl_MAC_Poly1305_Simd256.c @@ -25,6 +25,10 @@ #include "internal/Hacl_MAC_Poly1305_Simd256.h" +#include "Hacl_Streaming_Types.h" +#include "internal/Hacl_MAC_Poly1305.h" +#include "internal/Hacl_Hash_SHA3.h" + void Hacl_MAC_Poly1305_Simd256_load_acc4(Lib_IntVector_Intrinsics_vec256 *acc, uint8_t *b) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 e[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -1752,28 +1756,123 @@ Hacl_MAC_Poly1305_Simd256_poly1305_finish( store64_le(tag + 8U, f31); } +typedef struct option___Lib_IntVector_Intrinsics_vec256__s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Lib_IntVector_Intrinsics_vec256 *v; +} +option___Lib_IntVector_Intrinsics_vec256_; + Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint8_t *key) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; Lib_IntVector_Intrinsics_vec256 *r1 = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, sizeof (Lib_IntVector_Intrinsics_vec256) * 25U); - memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); - Lib_IntVector_Intrinsics_vec256 *block_state = r1; - uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); - memcpy(k_, key, 32U * sizeof (uint8_t)); - uint8_t *k_0 = k_; - Hacl_MAC_Poly1305_Simd256_state_t - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_0 }; - Hacl_MAC_Poly1305_Simd256_state_t - *p = - (Hacl_MAC_Poly1305_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( - Hacl_MAC_Poly1305_Simd256_state_t - )); - p[0U] = s; - Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state, key); - return p; + if (r1 != NULL) + { + memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + } + option___Lib_IntVector_Intrinsics_vec256_ block_state; + if (r1 == NULL) + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec256_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + block_state = + ((option___Lib_IntVector_Intrinsics_vec256_){ .tag = FStar_Pervasives_Native_Some, .v = r1 }); + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Lib_IntVector_Intrinsics_vec256 *block_state1 = block_state.v; + uint8_t *b = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); + FStar_Pervasives_Native_option___uint8_t_ k_; + if (b == NULL) + { + k_ = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else + { + k_ = + ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_Some, .v = b }); + } + FStar_Pervasives_Native_option___uint8_t_ k_0; + if (k_.tag == FStar_Pervasives_Native_None) + { + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + k_0 = ((FStar_Pervasives_Native_option___uint8_t_){ .tag = FStar_Pervasives_Native_None }); + } + else if (k_.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_.v; + memcpy(k_1, key, 32U * sizeof (uint8_t)); + k_0 = + ( + (FStar_Pervasives_Native_option___uint8_t_){ + .tag = FStar_Pervasives_Native_Some, + .v = k_1 + } + ); + } + else + { + k_0 = + KRML_EABORT(FStar_Pervasives_Native_option___uint8_t_, + "unreachable (pattern matches are exhaustive in F*)"); + } + if (k_0.tag == FStar_Pervasives_Native_None) + { + return NULL; + } + if (k_0.tag == FStar_Pervasives_Native_Some) + { + uint8_t *k_1 = k_0.v; + Hacl_MAC_Poly1305_Simd256_state_t + s = { .block_state = block_state1, .buf = buf1, .total_len = (uint64_t)0U, .p_key = k_1 }; + Hacl_MAC_Poly1305_Simd256_state_t + *p = + (Hacl_MAC_Poly1305_Simd256_state_t *)KRML_HOST_MALLOC(sizeof ( + Hacl_MAC_Poly1305_Simd256_state_t + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + KRML_HOST_FREE(k_1); + KRML_ALIGNED_FREE(block_state1); + KRML_HOST_FREE(buf1); + return NULL; + } + Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state1, key); + return p; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); } void Hacl_MAC_Poly1305_Simd256_reset(Hacl_MAC_Poly1305_Simd256_state_t *state, uint8_t *key) diff --git a/src/msvc/Hacl_NaCl.c b/src/msvc/Hacl_NaCl.c index a1bbd25c..e51782b3 100644 --- a/src/msvc/Hacl_NaCl.c +++ b/src/msvc/Hacl_NaCl.c @@ -25,6 +25,9 @@ #include "Hacl_NaCl.h" +#include "Hacl_Salsa20.h" +#include "Hacl_MAC_Poly1305.h" +#include "Hacl_Curve25519_51.h" #include "internal/Hacl_Krmllib.h" static void secretbox_init(uint8_t *xkeys, uint8_t *k, uint8_t *n) diff --git a/src/msvc/Hacl_P256.c b/src/msvc/Hacl_P256.c index 609fed81..689e4e1f 100644 --- a/src/msvc/Hacl_P256.c +++ b/src/msvc/Hacl_P256.c @@ -25,6 +25,8 @@ #include "internal/Hacl_P256.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_P256_PrecompTable.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" diff --git a/src/msvc/Hacl_RSAPSS.c b/src/msvc/Hacl_RSAPSS.c index cd19195d..0f0d9ca5 100644 --- a/src/msvc/Hacl_RSAPSS.c +++ b/src/msvc/Hacl_RSAPSS.c @@ -25,6 +25,9 @@ #include "Hacl_RSAPSS.h" +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA2.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Bignum_Base.h" #include "internal/Hacl_Bignum.h" @@ -167,7 +170,7 @@ static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b) { uint64_t beq = FStar_UInt64_eq_mask(b[i], b2[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b[i], b2[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; return res; @@ -189,7 +192,7 @@ static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n) { uint64_t beq = FStar_UInt64_eq_mask(b2[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(b2[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t res = acc; uint64_t m1 = res; @@ -288,11 +291,7 @@ pss_verify( em_0 = 0U; } uint8_t em_last = em[emLen - 1U]; - if (emLen < saltLen + hash_len(a) + 2U) - { - return false; - } - if (!(em_last == 0xbcU && em_0 == 0U)) + if (emLen < saltLen + hash_len(a) + 2U || !(em_last == 0xbcU && em_0 == 0U)) { return false; } @@ -553,7 +552,7 @@ Hacl_RSAPSS_rsapss_verify( { uint64_t beq = FStar_UInt64_eq_mask(s[i], n[i]); uint64_t blt = ~FStar_UInt64_gte_mask(s[i], n[i]); - acc = (beq & acc) | (~beq & ((blt & 0xFFFFFFFFFFFFFFFFULL) | (~blt & 0ULL))); + acc = (beq & acc) | (~beq & blt); } uint64_t mask = acc; bool res; @@ -568,10 +567,9 @@ Hacl_RSAPSS_rsapss_verify( eBits, e, m); - bool ite; if (!((modBits - 1U) % 8U == 0U)) { - ite = true; + res = true; } else { @@ -579,15 +577,7 @@ Hacl_RSAPSS_rsapss_verify( uint32_t j = (modBits - 1U) % 64U; uint64_t tmp = m[i]; uint64_t get_bit = tmp >> j & 1ULL; - ite = get_bit == 0ULL; - } - if (ite) - { - res = true; - } - else - { - res = false; + res = get_bit == 0ULL; } } else diff --git a/src/msvc/Hacl_SHA2_Vec128.c b/src/msvc/Hacl_SHA2_Vec128.c index 02af75b1..2dff212e 100644 --- a/src/msvc/Hacl_SHA2_Vec128.c +++ b/src/msvc/Hacl_SHA2_Vec128.c @@ -25,6 +25,7 @@ #include "Hacl_SHA2_Vec128.h" +#include "Hacl_SHA2_Types.h" #include "internal/Hacl_SHA2_Types.h" #include "internal/Hacl_Hash_SHA2.h" #include "libintvector.h" diff --git a/src/msvc/Hacl_SHA2_Vec256.c b/src/msvc/Hacl_SHA2_Vec256.c index c34767f5..60fa7457 100644 --- a/src/msvc/Hacl_SHA2_Vec256.c +++ b/src/msvc/Hacl_SHA2_Vec256.c @@ -25,6 +25,8 @@ #include "Hacl_SHA2_Vec256.h" +#include "Hacl_SHA2_Types.h" +#include "Hacl_Krmllib.h" #include "internal/Hacl_SHA2_Types.h" #include "internal/Hacl_Krmllib.h" #include "internal/Hacl_Hash_SHA2.h" diff --git a/src/msvc/Hacl_Streaming_HMAC.c b/src/msvc/Hacl_Streaming_HMAC.c new file mode 100644 index 00000000..c19977ab --- /dev/null +++ b/src/msvc/Hacl_Streaming_HMAC.c @@ -0,0 +1,2668 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Streaming_HMAC.h" + +#include "Hacl_Streaming_Types.h" +#include "Hacl_Krmllib.h" +#include "Hacl_Hash_SHA3.h" +#include "Hacl_Hash_SHA2.h" +#include "Hacl_Hash_Blake2s_Simd128.h" +#include "Hacl_Hash_Blake2s.h" +#include "Hacl_Hash_Blake2b_Simd256.h" +#include "Hacl_Hash_Blake2b.h" +#include "internal/Hacl_Streaming_Types.h" +#include "internal/Hacl_Krmllib.h" +#include "internal/Hacl_Hash_SHA3.h" +#include "internal/Hacl_Hash_SHA2.h" +#include "internal/Hacl_Hash_SHA1.h" +#include "internal/Hacl_Hash_MD5.h" +#include "internal/Hacl_Hash_Blake2s_Simd128.h" +#include "internal/Hacl_Hash_Blake2s.h" +#include "internal/Hacl_Hash_Blake2b_Simd256.h" +#include "internal/Hacl_Hash_Blake2b.h" + +static Spec_Hash_Definitions_hash_alg alg_of_impl(Hacl_Agile_Hash_impl i) +{ + switch (i) + { + case Hacl_Agile_Hash_MD5: + { + return Spec_Hash_Definitions_MD5; + } + case Hacl_Agile_Hash_SHA1: + { + return Spec_Hash_Definitions_SHA1; + } + case Hacl_Agile_Hash_SHA2_224: + { + return Spec_Hash_Definitions_SHA2_224; + } + case Hacl_Agile_Hash_SHA2_256: + { + return Spec_Hash_Definitions_SHA2_256; + } + case Hacl_Agile_Hash_SHA2_384: + { + return Spec_Hash_Definitions_SHA2_384; + } + case Hacl_Agile_Hash_SHA2_512: + { + return Spec_Hash_Definitions_SHA2_512; + } + case Hacl_Agile_Hash_SHA3_224: + { + return Spec_Hash_Definitions_SHA3_224; + } + case Hacl_Agile_Hash_SHA3_256: + { + return Spec_Hash_Definitions_SHA3_256; + } + case Hacl_Agile_Hash_SHA3_384: + { + return Spec_Hash_Definitions_SHA3_384; + } + case Hacl_Agile_Hash_SHA3_512: + { + return Spec_Hash_Definitions_SHA3_512; + } + case Hacl_Agile_Hash_Blake2S_32: + { + return Spec_Hash_Definitions_Blake2S; + } + case Hacl_Agile_Hash_Blake2S_128: + { + return Spec_Hash_Definitions_Blake2S; + } + case Hacl_Agile_Hash_Blake2B_32: + { + return Spec_Hash_Definitions_Blake2B; + } + case Hacl_Agile_Hash_Blake2B_256: + { + return Spec_Hash_Definitions_Blake2B; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +#define MD5_s 0 +#define SHA1_s 1 +#define SHA2_224_s 2 +#define SHA2_256_s 3 +#define SHA2_384_s 4 +#define SHA2_512_s 5 +#define SHA3_224_s 6 +#define SHA3_256_s 7 +#define SHA3_384_s 8 +#define SHA3_512_s 9 +#define Blake2S_s 10 +#define Blake2S_128_s 11 +#define Blake2B_s 12 +#define Blake2B_256_s 13 + +typedef uint8_t state_s_tags; + +typedef struct Hacl_Agile_Hash_state_s_s +{ + state_s_tags tag; + union { + uint32_t *case_MD5_s; + uint32_t *case_SHA1_s; + uint32_t *case_SHA2_224_s; + uint32_t *case_SHA2_256_s; + uint64_t *case_SHA2_384_s; + uint64_t *case_SHA2_512_s; + uint64_t *case_SHA3_224_s; + uint64_t *case_SHA3_256_s; + uint64_t *case_SHA3_384_s; + uint64_t *case_SHA3_512_s; + uint32_t *case_Blake2S_s; + Lib_IntVector_Intrinsics_vec128 *case_Blake2S_128_s; + uint64_t *case_Blake2B_s; + Lib_IntVector_Intrinsics_vec256 *case_Blake2B_256_s; + } + ; +} +Hacl_Agile_Hash_state_s; + +static Hacl_Agile_Hash_impl impl_of_state_s(Hacl_Agile_Hash_state_s s) +{ + if (s.tag == MD5_s) + { + return Hacl_Agile_Hash_MD5; + } + if (s.tag == SHA1_s) + { + return Hacl_Agile_Hash_SHA1; + } + if (s.tag == SHA2_224_s) + { + return Hacl_Agile_Hash_SHA2_224; + } + if (s.tag == SHA2_256_s) + { + return Hacl_Agile_Hash_SHA2_256; + } + if (s.tag == SHA2_384_s) + { + return Hacl_Agile_Hash_SHA2_384; + } + if (s.tag == SHA2_512_s) + { + return Hacl_Agile_Hash_SHA2_512; + } + if (s.tag == SHA3_224_s) + { + return Hacl_Agile_Hash_SHA3_224; + } + if (s.tag == SHA3_256_s) + { + return Hacl_Agile_Hash_SHA3_256; + } + if (s.tag == SHA3_384_s) + { + return Hacl_Agile_Hash_SHA3_384; + } + if (s.tag == SHA3_512_s) + { + return Hacl_Agile_Hash_SHA3_512; + } + if (s.tag == Blake2S_s) + { + return Hacl_Agile_Hash_Blake2S_32; + } + if (s.tag == Blake2S_128_s) + { + return Hacl_Agile_Hash_Blake2S_128; + } + if (s.tag == Blake2B_s) + { + return Hacl_Agile_Hash_Blake2B_32; + } + if (s.tag == Blake2B_256_s) + { + return Hacl_Agile_Hash_Blake2B_256; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static Hacl_Agile_Hash_impl impl_of_state(Hacl_Agile_Hash_state_s *s) +{ + return impl_of_state_s(*s); +} + +static Hacl_Agile_Hash_state_s *malloc_(Hacl_Agile_Hash_impl a) +{ + switch (a) + { + case Hacl_Agile_Hash_MD5: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = MD5_s, { .case_MD5_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA1: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA1_s, { .case_SHA1_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_224: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_224_s, { .case_SHA2_224_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_256: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_256_s, { .case_SHA2_256_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_384: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_384_s, { .case_SHA2_384_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA2_512: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_512_s, { .case_SHA2_512_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_224: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_224_s, { .case_SHA3_224_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_256: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_256_s, { .case_SHA3_256_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_384: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_384_s, { .case_SHA3_384_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_SHA3_512: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_512_s, { .case_SHA3_512_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_Blake2S_32: + { + uint32_t *s = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); + if (s == NULL) + { + return NULL; + } + uint32_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + Lib_IntVector_Intrinsics_vec128 *s = Hacl_Hash_Blake2s_Simd128_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = Blake2S_128_s, { .case_Blake2S_128_s = s } }); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + #else + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "provably unreachable code: did an unverified caller violate a precondition\?"); + KRML_HOST_EXIT(255U); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + uint64_t *s = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); + if (s == NULL) + { + return NULL; + } + uint64_t *s1 = s; + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = s1 } }); + } + if (st == NULL) + { + KRML_HOST_FREE(s1); + return NULL; + } + return st; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + Lib_IntVector_Intrinsics_vec256 *s = Hacl_Hash_Blake2b_Simd256_malloc_with_key(); + if (s == NULL) + { + return NULL; + } + Hacl_Agile_Hash_state_s + *st = (Hacl_Agile_Hash_state_s *)KRML_HOST_MALLOC(sizeof (Hacl_Agile_Hash_state_s)); + if (st != NULL) + { + st[0U] = ((Hacl_Agile_Hash_state_s){ .tag = Blake2B_256_s, { .case_Blake2B_256_s = s } }); + } + if (st == NULL) + { + KRML_ALIGNED_FREE(s); + return NULL; + } + return st; + #else + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "provably unreachable code: did an unverified caller violate a precondition\?"); + KRML_HOST_EXIT(255U); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static void init(Hacl_Agile_Hash_state_s *s) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_init(p1); + return; + } + if (scrut.tag == SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_init(p1); + return; + } + if (scrut.tag == SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_SHA2_sha224_init(p1); + return; + } + if (scrut.tag == SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_SHA2_sha256_init(p1); + return; + } + if (scrut.tag == SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_sha384_init(p1); + return; + } + if (scrut.tag == SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_sha512_init(p1); + return; + } + if (scrut.tag == SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_224, p1); + return; + } + if (scrut.tag == SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_256, p1); + return; + } + if (scrut.tag == SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_384, p1); + return; + } + if (scrut.tag == SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_SHA3_512, p1); + return; + } + if (scrut.tag == Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + Hacl_Hash_Blake2s_init(p1, 0U, 32U); + return; + } + if (scrut.tag == Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + Hacl_Hash_Blake2s_Simd128_init(p1, 0U, 32U); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + Hacl_Hash_Blake2b_init(p1, 0U, 64U); + return; + } + if (scrut.tag == Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + Hacl_Hash_Blake2b_Simd256_init(p1, 0U, 64U); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void +update_multi(Hacl_Agile_Hash_state_s *s, uint64_t prevlen, uint8_t *blocks, uint32_t len) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + uint32_t n = len / 64U; + Hacl_Hash_MD5_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + uint32_t n = len / 64U; + Hacl_Hash_SHA1_update_multi(p1, blocks, n); + return; + } + if (scrut.tag == SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + uint32_t n = len / 64U; + Hacl_Hash_SHA2_sha224_update_nblocks(n * 64U, blocks, p1); + return; + } + if (scrut.tag == SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + uint32_t n = len / 64U; + Hacl_Hash_SHA2_sha256_update_nblocks(n * 64U, blocks, p1); + return; + } + if (scrut.tag == SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + uint32_t n = len / 128U; + Hacl_Hash_SHA2_sha384_update_nblocks(n * 128U, blocks, p1); + return; + } + if (scrut.tag == SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + uint32_t n = len / 128U; + Hacl_Hash_SHA2_sha512_update_nblocks(n * 128U, blocks, p1); + return; + } + if (scrut.tag == SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + uint32_t n = len / 144U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_224, p1, blocks, n); + return; + } + if (scrut.tag == SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + uint32_t n = len / 136U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_256, p1, blocks, n); + return; + } + if (scrut.tag == SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + uint32_t n = len / 104U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_384, p1, blocks, n); + return; + } + if (scrut.tag == SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + uint32_t n = len / 72U; + Hacl_Hash_SHA3_update_multi_sha3(Spec_Hash_Definitions_SHA3_512, p1, blocks, n); + return; + } + if (scrut.tag == Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t n = len / 64U; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_multi(n * 64U, wv, p1, prevlen, blocks, n); + return; + } + if (scrut.tag == Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + uint32_t n = len / 64U; + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; + Hacl_Hash_Blake2s_Simd128_update_multi(n * 64U, wv, p1, prevlen, blocks, n); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint32_t n = len / 128U; + uint64_t wv[16U] = { 0U }; + Hacl_Hash_Blake2b_update_multi(n * 128U, + wv, + p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + } + if (scrut.tag == Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + uint32_t n = len / 128U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 wv[4U] KRML_POST_ALIGN(32) = { 0U }; + Hacl_Hash_Blake2b_Simd256_update_multi(n * 128U, + wv, + p1, + FStar_UInt128_uint64_to_uint128(prevlen), + blocks, + n); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void +update_last(Hacl_Agile_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_t last_len) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_update_last(p1, prev_len, last, last_len); + return; + } + if (scrut.tag == SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_SHA2_sha224_update_last(prev_len + (uint64_t)last_len, last_len, last, p1); + return; + } + if (scrut.tag == SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_SHA2_sha256_update_last(prev_len + (uint64_t)last_len, last_len, last, p1); + return; + } + if (scrut.tag == SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_sha384_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128((uint64_t)last_len)), + last_len, + last, + p1); + return; + } + if (scrut.tag == SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_sha512_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len), + FStar_UInt128_uint64_to_uint128((uint64_t)last_len)), + last_len, + last, + p1); + return; + } + if (scrut.tag == SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_224, p1, last, last_len); + return; + } + if (scrut.tag == SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_256, p1, last, last_len); + return; + } + if (scrut.tag == SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_384, p1, last, last_len); + return; + } + if (scrut.tag == SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + Hacl_Hash_SHA3_update_last_sha3(Spec_Hash_Definitions_SHA3_512, p1, last, last_len); + return; + } + if (scrut.tag == Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + uint32_t wv[16U] = { 0U }; + Hacl_Hash_Blake2s_update_last(last_len, wv, p1, false, prev_len, last_len, last); + return; + } + if (scrut.tag == Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; + Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, false, prev_len, last_len, last); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + uint64_t wv[16U] = { 0U }; + Hacl_Hash_Blake2b_update_last(last_len, + wv, + p1, + false, + FStar_UInt128_uint64_to_uint128(prev_len), + last_len, + last); + return; + } + if (scrut.tag == Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 wv[4U] KRML_POST_ALIGN(32) = { 0U }; + Hacl_Hash_Blake2b_Simd256_update_last(last_len, + wv, + p1, + false, + FStar_UInt128_uint64_to_uint128(prev_len), + last_len, + last); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void finish(Hacl_Agile_Hash_state_s *s, uint8_t *dst) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + Hacl_Hash_MD5_finish(p1, dst); + return; + } + if (scrut.tag == SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + Hacl_Hash_SHA1_finish(p1, dst); + return; + } + if (scrut.tag == SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + Hacl_Hash_SHA2_sha224_finish(p1, dst); + return; + } + if (scrut.tag == SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + Hacl_Hash_SHA2_sha256_finish(p1, dst); + return; + } + if (scrut.tag == SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + Hacl_Hash_SHA2_sha384_finish(p1, dst); + return; + } + if (scrut.tag == SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + Hacl_Hash_SHA2_sha512_finish(p1, dst); + return; + } + if (scrut.tag == SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + uint32_t remOut = 28U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + uint32_t remOut = 32U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + uint32_t remOut = 48U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + uint32_t remOut = 64U; + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, p1, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(dst + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); + return; + } + if (scrut.tag == Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + Hacl_Hash_Blake2s_finish(32U, dst, p1); + return; + } + if (scrut.tag == Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + #if HACL_CAN_COMPILE_VEC128 + Hacl_Hash_Blake2s_Simd128_finish(32U, dst, p1); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + if (scrut.tag == Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + Hacl_Hash_Blake2b_finish(64U, dst, p1); + return; + } + if (scrut.tag == Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + #if HACL_CAN_COMPILE_VEC256 + Hacl_Hash_Blake2b_Simd256_finish(64U, dst, p1); + return; + #else + KRML_MAYBE_UNUSED_VAR(p1); + return; + #endif + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void free_(Hacl_Agile_Hash_state_s *s) +{ + Hacl_Agile_Hash_state_s scrut = *s; + if (scrut.tag == MD5_s) + { + uint32_t *p1 = scrut.case_MD5_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA1_s) + { + uint32_t *p1 = scrut.case_SHA1_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA2_224_s) + { + uint32_t *p1 = scrut.case_SHA2_224_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA2_256_s) + { + uint32_t *p1 = scrut.case_SHA2_256_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA2_384_s) + { + uint64_t *p1 = scrut.case_SHA2_384_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA2_512_s) + { + uint64_t *p1 = scrut.case_SHA2_512_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA3_224_s) + { + uint64_t *p1 = scrut.case_SHA3_224_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA3_256_s) + { + uint64_t *p1 = scrut.case_SHA3_256_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA3_384_s) + { + uint64_t *p1 = scrut.case_SHA3_384_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == SHA3_512_s) + { + uint64_t *p1 = scrut.case_SHA3_512_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Blake2S_s) + { + uint32_t *p1 = scrut.case_Blake2S_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; + KRML_ALIGNED_FREE(p1); + } + else if (scrut.tag == Blake2B_s) + { + uint64_t *p1 = scrut.case_Blake2B_s; + KRML_HOST_FREE(p1); + } + else if (scrut.tag == Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p1 = scrut.case_Blake2B_256_s; + KRML_ALIGNED_FREE(p1); + } + else + { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); + } + KRML_HOST_FREE(s); +} + +static void copy(Hacl_Agile_Hash_state_s *s_src, Hacl_Agile_Hash_state_s *s_dst) +{ + Hacl_Agile_Hash_state_s scrut = *s_src; + if (scrut.tag == MD5_s) + { + uint32_t *p_src = scrut.case_MD5_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == MD5_s) + { + p_dst = x1.case_MD5_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 4U * sizeof (uint32_t)); + return; + } + if (scrut.tag == SHA1_s) + { + uint32_t *p_src = scrut.case_SHA1_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == SHA1_s) + { + p_dst = x1.case_SHA1_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 5U * sizeof (uint32_t)); + return; + } + if (scrut.tag == SHA2_224_s) + { + uint32_t *p_src = scrut.case_SHA2_224_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == SHA2_224_s) + { + p_dst = x1.case_SHA2_224_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == SHA2_256_s) + { + uint32_t *p_src = scrut.case_SHA2_256_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == SHA2_256_s) + { + p_dst = x1.case_SHA2_256_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint32_t)); + return; + } + if (scrut.tag == SHA2_384_s) + { + uint64_t *p_src = scrut.case_SHA2_384_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == SHA2_384_s) + { + p_dst = x1.case_SHA2_384_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == SHA2_512_s) + { + uint64_t *p_src = scrut.case_SHA2_512_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == SHA2_512_s) + { + p_dst = x1.case_SHA2_512_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 8U * sizeof (uint64_t)); + return; + } + if (scrut.tag == SHA3_224_s) + { + uint64_t *p_src = scrut.case_SHA3_224_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == SHA3_224_s) + { + p_dst = x1.case_SHA3_224_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == SHA3_256_s) + { + uint64_t *p_src = scrut.case_SHA3_256_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == SHA3_256_s) + { + p_dst = x1.case_SHA3_256_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == SHA3_384_s) + { + uint64_t *p_src = scrut.case_SHA3_384_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == SHA3_384_s) + { + p_dst = x1.case_SHA3_384_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == SHA3_512_s) + { + uint64_t *p_src = scrut.case_SHA3_512_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == SHA3_512_s) + { + p_dst = x1.case_SHA3_512_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 25U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Blake2S_s) + { + uint32_t *p_src = scrut.case_Blake2S_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint32_t *p_dst; + if (x1.tag == Blake2S_s) + { + p_dst = x1.case_Blake2S_s; + } + else + { + p_dst = KRML_EABORT(uint32_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 16U * sizeof (uint32_t)); + return; + } + if (scrut.tag == Blake2S_128_s) + { + Lib_IntVector_Intrinsics_vec128 *p_src = scrut.case_Blake2S_128_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + Lib_IntVector_Intrinsics_vec128 *p_dst; + if (x1.tag == Blake2S_128_s) + { + p_dst = x1.case_Blake2S_128_s; + } + else + { + p_dst = + KRML_EABORT(Lib_IntVector_Intrinsics_vec128 *, + "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); + return; + } + if (scrut.tag == Blake2B_s) + { + uint64_t *p_src = scrut.case_Blake2B_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + uint64_t *p_dst; + if (x1.tag == Blake2B_s) + { + p_dst = x1.case_Blake2B_s; + } + else + { + p_dst = KRML_EABORT(uint64_t *, "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 16U * sizeof (uint64_t)); + return; + } + if (scrut.tag == Blake2B_256_s) + { + Lib_IntVector_Intrinsics_vec256 *p_src = scrut.case_Blake2B_256_s; + Hacl_Agile_Hash_state_s x1 = *s_dst; + Lib_IntVector_Intrinsics_vec256 *p_dst; + if (x1.tag == Blake2B_256_s) + { + p_dst = x1.case_Blake2B_256_s; + } + else + { + p_dst = + KRML_EABORT(Lib_IntVector_Intrinsics_vec256 *, + "unreachable (pattern matches are exhaustive in F*)"); + } + memcpy(p_dst, p_src, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); + return; + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +static void hash(Hacl_Agile_Hash_impl i, uint8_t *dst, uint8_t *input, uint32_t input_len) +{ + switch (i) + { + case Hacl_Agile_Hash_MD5: + { + Hacl_Hash_MD5_hash_oneshot(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA1: + { + Hacl_Hash_SHA1_hash_oneshot(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_224: + { + Hacl_Hash_SHA2_hash_224(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_256: + { + Hacl_Hash_SHA2_hash_256(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_384: + { + Hacl_Hash_SHA2_hash_384(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA2_512: + { + Hacl_Hash_SHA2_hash_512(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_224: + { + Hacl_Hash_SHA3_sha3_224(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_256: + { + Hacl_Hash_SHA3_sha3_256(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_384: + { + Hacl_Hash_SHA3_sha3_384(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_SHA3_512: + { + Hacl_Hash_SHA3_sha3_512(dst, input, input_len); + break; + } + case Hacl_Agile_Hash_Blake2S_32: + { + Hacl_Hash_Blake2s_hash_with_key(dst, 32U, input, input_len, NULL, 0U); + break; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + Hacl_Hash_Blake2s_Simd128_hash_with_key(dst, 32U, input, input_len, NULL, 0U); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + Hacl_Hash_Blake2b_hash_with_key(dst, 64U, input, input_len, NULL, 0U); + break; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + Hacl_Hash_Blake2b_Simd256_hash_with_key(dst, 64U, input, input_len, NULL, 0U); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return 16U; + } + case Spec_Hash_Definitions_SHA1: + { + return 20U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return 28U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return 32U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return 48U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return 64U; + } + case Spec_Hash_Definitions_Blake2S: + { + return 32U; + } + case Spec_Hash_Definitions_Blake2B: + { + return 64U; + } + case Spec_Hash_Definitions_SHA3_224: + { + return 28U; + } + case Spec_Hash_Definitions_SHA3_256: + { + return 32U; + } + case Spec_Hash_Definitions_SHA3_384: + { + return 48U; + } + case Spec_Hash_Definitions_SHA3_512: + { + return 64U; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static uint32_t block_len(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return 64U; + } + case Spec_Hash_Definitions_SHA1: + { + return 64U; + } + case Spec_Hash_Definitions_SHA2_224: + { + return 64U; + } + case Spec_Hash_Definitions_SHA2_256: + { + return 64U; + } + case Spec_Hash_Definitions_SHA2_384: + { + return 128U; + } + case Spec_Hash_Definitions_SHA2_512: + { + return 128U; + } + case Spec_Hash_Definitions_SHA3_224: + { + return 144U; + } + case Spec_Hash_Definitions_SHA3_256: + { + return 136U; + } + case Spec_Hash_Definitions_SHA3_384: + { + return 104U; + } + case Spec_Hash_Definitions_SHA3_512: + { + return 72U; + } + case Spec_Hash_Definitions_Shake128: + { + return 168U; + } + case Spec_Hash_Definitions_Shake256: + { + return 136U; + } + case Spec_Hash_Definitions_Blake2S: + { + return 64U; + } + case Spec_Hash_Definitions_Blake2B: + { + return 128U; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static uint64_t max_input_len64(Spec_Hash_Definitions_hash_alg a) +{ + switch (a) + { + case Spec_Hash_Definitions_MD5: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA1: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA2_224: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA2_256: + { + return 2305843009213693951ULL; + } + case Spec_Hash_Definitions_SHA2_384: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA2_512: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Blake2S: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Blake2B: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_224: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_256: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_384: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_SHA3_512: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Shake128: + { + return 18446744073709551615ULL; + } + case Spec_Hash_Definitions_Shake256: + { + return 18446744073709551615ULL; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } +} + +static void wrap_key(Hacl_Agile_Hash_impl impl, uint8_t *output, uint8_t *key, uint32_t len) +{ + uint8_t *nkey = output; + uint32_t ite; + if (len <= block_len(alg_of_impl(impl))) + { + ite = len; + } + else + { + ite = hash_len(alg_of_impl(impl)); + } + uint8_t *zeroes = output + ite; + KRML_MAYBE_UNUSED_VAR(zeroes); + if (len <= block_len(alg_of_impl(impl))) + { + if (len > 0U) + { + memcpy(nkey, key, len * sizeof (uint8_t)); + return; + } + return; + } + hash(impl, nkey, key, len); +} + +static void init0(uint8_t *k, uint8_t *buf, Hacl_Streaming_HMAC_Definitions_two_state s) +{ + uint32_t k_len = s.fst; + Hacl_Agile_Hash_state_s *s1 = s.snd; + Hacl_Agile_Hash_state_s *s2 = s.thd; + init(s1); + init(s2); + Hacl_Agile_Hash_impl i1 = impl_of_state(s1); + Spec_Hash_Definitions_hash_alg a = alg_of_impl(i1); + uint8_t b0[168U] = { 0U }; + uint8_t *block = b0; + wrap_key(i1, block, k, k_len); + uint8_t b1[168U]; + memset(b1, 0x36U, 168U * sizeof (uint8_t)); + uint8_t *ipad = b1; + uint8_t b[168U]; + memset(b, 0x5cU, 168U * sizeof (uint8_t)); + uint8_t *opad = b; + for (uint32_t i = 0U; i < block_len(a); i++) + { + uint8_t xi = ipad[i]; + uint8_t yi = block[i]; + buf[i] = (uint32_t)xi ^ (uint32_t)yi; + } + for (uint32_t i = 0U; i < block_len(a); i++) + { + uint8_t xi = opad[i]; + uint8_t yi = block[i]; + opad[i] = (uint32_t)xi ^ (uint32_t)yi; + } + update_multi(s2, 0ULL, opad, block_len(a)); +} + +static void finish0(Hacl_Streaming_HMAC_Definitions_two_state s, uint8_t *dst) +{ + Hacl_Agile_Hash_state_s *s2 = s.thd; + Hacl_Agile_Hash_state_s *s1 = s.snd; + Hacl_Agile_Hash_impl i1 = impl_of_state(s1); + Spec_Hash_Definitions_hash_alg a = alg_of_impl(i1); + finish(s1, dst); + update_last(s2, (uint64_t)block_len(a), dst, hash_len(a)); + finish(s2, dst); +} + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s1( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +) +{ + KRML_MAYBE_UNUSED_VAR(i); + return s.snd; +} + +Hacl_Agile_Hash_state_s +*Hacl_Streaming_HMAC_s2( + Hacl_Streaming_HMAC_Definitions_index i, + Hacl_Streaming_HMAC_Definitions_two_state s +) +{ + KRML_MAYBE_UNUSED_VAR(i); + return s.thd; +} + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_index_of_state(Hacl_Streaming_HMAC_Definitions_two_state s) +{ + Hacl_Agile_Hash_state_s *s11 = s.snd; + uint32_t kl = s.fst; + Hacl_Agile_Hash_impl i1 = impl_of_state(s11); + return ((Hacl_Streaming_HMAC_Definitions_index){ .fst = i1, .snd = kl }); +} + +static Hacl_Agile_Hash_impl +__proj__Mkdtuple2__item___1__Hacl_Agile_Hash_impl_uint32_t( + Hacl_Streaming_HMAC_Definitions_index pair +) +{ + return pair.fst; +} + +static Hacl_Agile_Hash_impl +dfst__Hacl_Agile_Hash_impl_uint32_t(Hacl_Streaming_HMAC_Definitions_index t) +{ + return __proj__Mkdtuple2__item___1__Hacl_Agile_Hash_impl_uint32_t(t); +} + +static uint32_t +__proj__Mkdtuple2__item___2__Hacl_Agile_Hash_impl_uint32_t( + Hacl_Streaming_HMAC_Definitions_index pair +) +{ + return pair.snd; +} + +static uint32_t dsnd__Hacl_Agile_Hash_impl_uint32_t(Hacl_Streaming_HMAC_Definitions_index t) +{ + return __proj__Mkdtuple2__item___2__Hacl_Agile_Hash_impl_uint32_t(t); +} + +typedef struct option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s___s +{ + FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags tag; + Hacl_Streaming_HMAC_Definitions_two_state v; +} +option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__; + +KRML_MAYBE_UNUSED static Hacl_Streaming_HMAC_agile_state +*malloc_internal(Hacl_Streaming_HMAC_Definitions_index i, uint8_t *key) +{ + KRML_CHECK_SIZE(sizeof (uint8_t), + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i)))); + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i))), + sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + uint8_t *buf1 = buf; + Hacl_Agile_Hash_state_s *s110 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i)); + option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ block_state; + if (s110 == NULL) + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + Hacl_Agile_Hash_state_s *s21 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i)); + if (s21 == NULL) + { + KRML_HOST_FREE(s110); + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = dsnd__Hacl_Agile_Hash_impl_uint32_t(i), .snd = s110, .thd = s21 } + } + ); + } + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf1); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = block_state.v; + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_HMAC_agile_state + s = + { + .block_state = block_state1, + .buf = buf1, + .total_len = (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i))) + }; + Hacl_Streaming_HMAC_agile_state + *p = + (Hacl_Streaming_HMAC_agile_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_HMAC_agile_state + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Hacl_Agile_Hash_state_s *s21 = block_state1.thd; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + free_(s11); + free_(s21); + KRML_HOST_FREE(buf1); + return NULL; + } + init0(key, buf1, block_state1); + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + +KRML_MAYBE_UNUSED static bool is_blake2b_256(Hacl_Agile_Hash_impl uu___) +{ + switch (uu___) + { + case Hacl_Agile_Hash_Blake2B_256: + { + return true; + } + default: + { + return false; + } + } +} + +KRML_MAYBE_UNUSED static bool is_blake2s_128(Hacl_Agile_Hash_impl uu___) +{ + switch (uu___) + { + case Hacl_Agile_Hash_Blake2S_128: + { + return true; + } + default: + { + return false; + } + } +} + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_malloc_( + Hacl_Agile_Hash_impl impl, + uint8_t *key, + uint32_t key_length, + Hacl_Streaming_HMAC_agile_state **dst +) +{ + KRML_MAYBE_UNUSED_VAR(key); + KRML_MAYBE_UNUSED_VAR(key_length); + KRML_MAYBE_UNUSED_VAR(dst); + #if !HACL_CAN_COMPILE_VEC256 + if (is_blake2b_256(impl)) + { + return Hacl_Streaming_Types_InvalidAlgorithm; + } + #endif + #if !HACL_CAN_COMPILE_VEC128 + if (is_blake2s_128(impl)) + { + return Hacl_Streaming_Types_InvalidAlgorithm; + } + #endif + Hacl_Streaming_HMAC_agile_state + *st = + malloc_internal(((Hacl_Streaming_HMAC_Definitions_index){ .fst = impl, .snd = key_length }), + key); + if (st == NULL) + { + return Hacl_Streaming_Types_OutOfMemory; + } + *dst = st; + return Hacl_Streaming_Types_Success; +} + +Hacl_Streaming_HMAC_Definitions_index +Hacl_Streaming_HMAC_get_impl(Hacl_Streaming_HMAC_agile_state *s) +{ + Hacl_Streaming_HMAC_Definitions_two_state block_state = (*s).block_state; + return Hacl_Streaming_HMAC_index_of_state(block_state); +} + +static void reset_internal(Hacl_Streaming_HMAC_agile_state *state, uint8_t *key) +{ + Hacl_Streaming_HMAC_agile_state scrut = *state; + uint8_t *buf = scrut.buf; + Hacl_Streaming_HMAC_Definitions_two_state block_state = scrut.block_state; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state); + KRML_MAYBE_UNUSED_VAR(i1); + init0(key, buf, block_state); + Hacl_Streaming_HMAC_agile_state + tmp = + { + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + }; + state[0U] = tmp; +} + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_reset( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *key, + uint32_t key_length +) +{ + uint32_t k_len = Hacl_Streaming_HMAC_get_impl(state).snd; + if (key_length != k_len) + { + return Hacl_Streaming_Types_InvalidLength; + } + reset_internal(state, key); + return Hacl_Streaming_Types_Success; +} + +Hacl_Streaming_Types_error_code +Hacl_Streaming_HMAC_update( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *chunk, + uint32_t chunk_len +) +{ + Hacl_Streaming_HMAC_agile_state s = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state = s.block_state; + uint64_t total_len = s.total_len; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state); + if + ( + (uint64_t)chunk_len + > max_input_len64(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) - total_len + ) + { + return Hacl_Streaming_Types_MaximumLengthExceeded; + } + uint32_t sz; + if + ( + total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len > 0ULL + ) + { + sz = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz = + (uint32_t)(total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + if (chunk_len <= block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) - sz) + { + Hacl_Streaming_HMAC_agile_state s3 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = s3.block_state; + uint8_t *buf = s3.buf; + uint64_t total_len1 = s3.total_len; + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len1 > 0ULL + ) + { + sz1 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz1 = + (uint32_t)(total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + } + else if (sz == 0U) + { + Hacl_Streaming_HMAC_agile_state s3 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = s3.block_state; + uint8_t *buf = s3.buf; + uint64_t total_len1 = s3.total_len; + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len1 > 0ULL + ) + { + sz1 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz1 = + (uint32_t)(total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + if (!(sz1 == 0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, + prevlen, + buf, + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t ite; + if + ( + (uint64_t)chunk_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && (uint64_t)chunk_len > 0ULL + ) + { + ite = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + ite = + (uint32_t)((uint64_t)chunk_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t + n_blocks = (chunk_len - ite) / block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t + data1_len = n_blocks * block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t data2_len = chunk_len - data1_len; + uint8_t *data1 = chunk; + uint8_t *data2 = chunk + data1_len; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, total_len1, data1, data1_len); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)chunk_len + } + ); + } + else + { + uint32_t diff = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) - sz; + uint8_t *chunk1 = chunk; + uint8_t *chunk2 = chunk + diff; + Hacl_Streaming_HMAC_agile_state s3 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state10 = s3.block_state; + uint8_t *buf0 = s3.buf; + uint64_t total_len10 = s3.total_len; + uint32_t sz10; + if + ( + total_len10 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len10 > 0ULL + ) + { + sz10 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz10 = + (uint32_t)(total_len10 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, chunk1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_HMAC_agile_state s30 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = s30.block_state; + uint8_t *buf = s30.buf; + uint64_t total_len1 = s30.total_len; + uint32_t sz1; + if + ( + total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len1 > 0ULL + ) + { + sz1 = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + sz1 = + (uint32_t)(total_len1 + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + if (!(sz1 == 0U)) + { + uint64_t prevlen = total_len1 - (uint64_t)sz1; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, + prevlen, + buf, + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t ite; + if + ( + (uint64_t)(chunk_len - diff) + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && (uint64_t)(chunk_len - diff) > 0ULL + ) + { + ite = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + ite = + (uint32_t)((uint64_t)(chunk_len - diff) + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint32_t + n_blocks = + (chunk_len - diff - ite) + / block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t + data1_len = n_blocks * block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + uint32_t data2_len = chunk_len - diff - data1_len; + uint8_t *data1 = chunk2; + uint8_t *data2 = chunk2 + data1_len; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + update_multi(s11, total_len1, data1, data1_len); + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *state + = + ( + (Hacl_Streaming_HMAC_agile_state){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(chunk_len - diff) + } + ); + } + return Hacl_Streaming_Types_Success; +} + +typedef struct +___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s___s +{ + Hacl_Streaming_HMAC_Definitions_two_state fst; + Hacl_Streaming_HMAC_Definitions_two_state snd; +} +___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__; + +void +Hacl_Streaming_HMAC_digest( + Hacl_Streaming_HMAC_agile_state *state, + uint8_t *output, + uint32_t digest_length +) +{ + KRML_MAYBE_UNUSED_VAR(digest_length); + Hacl_Streaming_HMAC_Definitions_two_state block_state0 = (*state).block_state; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state0); + Hacl_Streaming_HMAC_agile_state scrut0 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state = scrut0.block_state; + uint8_t *buf_ = scrut0.buf; + uint64_t total_len = scrut0.total_len; + uint32_t r; + if + ( + total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) + == 0ULL + && total_len > 0ULL + ) + { + r = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + r = + (uint32_t)(total_len + % (uint64_t)block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + } + uint8_t *buf_1 = buf_; + Hacl_Agile_Hash_state_s s0; + uint32_t buf0[4U] = { 0U }; + uint32_t buf1[5U] = { 0U }; + uint32_t buf2[8U] = { 0U }; + uint32_t buf3[8U] = { 0U }; + uint64_t buf4[8U] = { 0U }; + uint64_t buf5[8U] = { 0U }; + uint64_t buf6[25U] = { 0U }; + uint64_t buf7[25U] = { 0U }; + uint64_t buf8[25U] = { 0U }; + uint64_t buf9[25U] = { 0U }; + uint32_t buf10[16U] = { 0U }; + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 buf11[4U] KRML_POST_ALIGN(16) = { 0U }; + uint64_t buf12[16U] = { 0U }; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 buf13[4U] KRML_POST_ALIGN(32) = { 0U }; + switch (dfst__Hacl_Agile_Hash_impl_uint32_t(i1)) + { + case Hacl_Agile_Hash_MD5: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = MD5_s, { .case_MD5_s = buf0 } }); + break; + } + case Hacl_Agile_Hash_SHA1: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA1_s, { .case_SHA1_s = buf1 } }); + break; + } + case Hacl_Agile_Hash_SHA2_224: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_224_s, { .case_SHA2_224_s = buf2 } }); + break; + } + case Hacl_Agile_Hash_SHA2_256: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_256_s, { .case_SHA2_256_s = buf3 } }); + break; + } + case Hacl_Agile_Hash_SHA2_384: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_384_s, { .case_SHA2_384_s = buf4 } }); + break; + } + case Hacl_Agile_Hash_SHA2_512: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_512_s, { .case_SHA2_512_s = buf5 } }); + break; + } + case Hacl_Agile_Hash_SHA3_224: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_224_s, { .case_SHA3_224_s = buf6 } }); + break; + } + case Hacl_Agile_Hash_SHA3_256: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_256_s, { .case_SHA3_256_s = buf7 } }); + break; + } + case Hacl_Agile_Hash_SHA3_384: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_384_s, { .case_SHA3_384_s = buf8 } }); + break; + } + case Hacl_Agile_Hash_SHA3_512: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_512_s, { .case_SHA3_512_s = buf9 } }); + break; + } + case Hacl_Agile_Hash_Blake2S_32: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf10 } }); + break; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + s0 = ((Hacl_Agile_Hash_state_s){ .tag = Blake2S_128_s, { .case_Blake2S_128_s = buf11 } }); + #else + s0 = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + s0 = ((Hacl_Agile_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf12 } }); + break; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + s0 = ((Hacl_Agile_Hash_state_s){ .tag = Blake2B_256_s, { .case_Blake2B_256_s = buf13 } }); + #else + s0 = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + Hacl_Agile_Hash_state_s s110 = s0; + Hacl_Agile_Hash_state_s s; + uint32_t buf14[4U] = { 0U }; + uint32_t buf15[5U] = { 0U }; + uint32_t buf16[8U] = { 0U }; + uint32_t buf17[8U] = { 0U }; + uint64_t buf18[8U] = { 0U }; + uint64_t buf19[8U] = { 0U }; + uint64_t buf20[25U] = { 0U }; + uint64_t buf21[25U] = { 0U }; + uint64_t buf22[25U] = { 0U }; + uint64_t buf23[25U] = { 0U }; + uint32_t buf24[16U] = { 0U }; + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 buf25[4U] KRML_POST_ALIGN(16) = { 0U }; + uint64_t buf26[16U] = { 0U }; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 buf[4U] KRML_POST_ALIGN(32) = { 0U }; + switch (dfst__Hacl_Agile_Hash_impl_uint32_t(i1)) + { + case Hacl_Agile_Hash_MD5: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = MD5_s, { .case_MD5_s = buf14 } }); + break; + } + case Hacl_Agile_Hash_SHA1: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA1_s, { .case_SHA1_s = buf15 } }); + break; + } + case Hacl_Agile_Hash_SHA2_224: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_224_s, { .case_SHA2_224_s = buf16 } }); + break; + } + case Hacl_Agile_Hash_SHA2_256: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_256_s, { .case_SHA2_256_s = buf17 } }); + break; + } + case Hacl_Agile_Hash_SHA2_384: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_384_s, { .case_SHA2_384_s = buf18 } }); + break; + } + case Hacl_Agile_Hash_SHA2_512: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA2_512_s, { .case_SHA2_512_s = buf19 } }); + break; + } + case Hacl_Agile_Hash_SHA3_224: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_224_s, { .case_SHA3_224_s = buf20 } }); + break; + } + case Hacl_Agile_Hash_SHA3_256: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_256_s, { .case_SHA3_256_s = buf21 } }); + break; + } + case Hacl_Agile_Hash_SHA3_384: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_384_s, { .case_SHA3_384_s = buf22 } }); + break; + } + case Hacl_Agile_Hash_SHA3_512: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = SHA3_512_s, { .case_SHA3_512_s = buf23 } }); + break; + } + case Hacl_Agile_Hash_Blake2S_32: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = Blake2S_s, { .case_Blake2S_s = buf24 } }); + break; + } + case Hacl_Agile_Hash_Blake2S_128: + { + #if HACL_CAN_COMPILE_VEC128 + s = ((Hacl_Agile_Hash_state_s){ .tag = Blake2S_128_s, { .case_Blake2S_128_s = buf25 } }); + #else + s = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + case Hacl_Agile_Hash_Blake2B_32: + { + s = ((Hacl_Agile_Hash_state_s){ .tag = Blake2B_s, { .case_Blake2B_s = buf26 } }); + break; + } + case Hacl_Agile_Hash_Blake2B_256: + { + #if HACL_CAN_COMPILE_VEC256 + s = ((Hacl_Agile_Hash_state_s){ .tag = Blake2B_256_s, { .case_Blake2B_256_s = buf } }); + #else + s = + KRML_EABORT(Hacl_Agile_Hash_state_s, + "provably unreachable code: did an unverified caller violate a precondition\?"); + #endif + break; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + Hacl_Agile_Hash_state_s s210 = s; + Hacl_Streaming_HMAC_Definitions_two_state + tmp_block_state = + { .fst = dsnd__Hacl_Agile_Hash_impl_uint32_t(i1), .snd = &s110, .thd = &s210 }; + ___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ + scrut = { .fst = block_state, .snd = tmp_block_state }; + Hacl_Agile_Hash_state_s *s2_ = scrut.snd.thd; + Hacl_Agile_Hash_state_s *s1_ = scrut.snd.snd; + Hacl_Agile_Hash_state_s *s21 = scrut.fst.thd; + Hacl_Agile_Hash_state_s *s111 = scrut.fst.snd; + copy(s111, s1_); + copy(s21, s2_); + uint64_t prev_len = total_len - (uint64_t)r; + uint32_t ite; + if (r % block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) == 0U && r > 0U) + { + ite = block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + else + { + ite = r % block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))); + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + Hacl_Agile_Hash_state_s *s112 = tmp_block_state.snd; + update_multi(s112, prev_len, buf_multi, 0U); + uint64_t prev_len_last = total_len - (uint64_t)r; + Hacl_Agile_Hash_state_s *s11 = tmp_block_state.snd; + update_last(s11, prev_len_last, buf_last, r); + finish0(tmp_block_state, output); +} + +void Hacl_Streaming_HMAC_free(Hacl_Streaming_HMAC_agile_state *state) +{ + Hacl_Streaming_HMAC_Definitions_two_state block_state0 = (*state).block_state; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state0); + KRML_MAYBE_UNUSED_VAR(i1); + Hacl_Streaming_HMAC_agile_state scrut = *state; + uint8_t *buf = scrut.buf; + Hacl_Streaming_HMAC_Definitions_two_state block_state = scrut.block_state; + Hacl_Agile_Hash_state_s *s21 = block_state.thd; + Hacl_Agile_Hash_state_s *s11 = block_state.snd; + free_(s11); + free_(s21); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(state); +} + +Hacl_Streaming_HMAC_agile_state +*Hacl_Streaming_HMAC_copy(Hacl_Streaming_HMAC_agile_state *state) +{ + Hacl_Streaming_HMAC_agile_state scrut0 = *state; + Hacl_Streaming_HMAC_Definitions_two_state block_state0 = scrut0.block_state; + uint8_t *buf0 = scrut0.buf; + uint64_t total_len0 = scrut0.total_len; + Hacl_Streaming_HMAC_Definitions_index i1 = Hacl_Streaming_HMAC_index_of_state(block_state0); + KRML_CHECK_SIZE(sizeof (uint8_t), + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)))); + uint8_t + *buf = + (uint8_t *)KRML_HOST_CALLOC(block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))), + sizeof (uint8_t)); + if (buf == NULL) + { + return NULL; + } + memcpy(buf, + buf0, + block_len(alg_of_impl(dfst__Hacl_Agile_Hash_impl_uint32_t(i1))) * sizeof (uint8_t)); + Hacl_Agile_Hash_state_s *s110 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)); + option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ block_state; + if (s110 == NULL) + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + Hacl_Agile_Hash_state_s *s21 = malloc_(dfst__Hacl_Agile_Hash_impl_uint32_t(i1)); + if (s21 == NULL) + { + KRML_HOST_FREE(s110); + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_None + } + ); + } + else + { + block_state = + ( + (option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__){ + .tag = FStar_Pervasives_Native_Some, + .v = { .fst = dsnd__Hacl_Agile_Hash_impl_uint32_t(i1), .snd = s110, .thd = s21 } + } + ); + } + } + if (block_state.tag == FStar_Pervasives_Native_None) + { + KRML_HOST_FREE(buf); + return NULL; + } + if (block_state.tag == FStar_Pervasives_Native_Some) + { + Hacl_Streaming_HMAC_Definitions_two_state block_state1 = block_state.v; + ___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ + scrut = { .fst = block_state0, .snd = block_state1 }; + Hacl_Agile_Hash_state_s *s2_ = scrut.snd.thd; + Hacl_Agile_Hash_state_s *s1_ = scrut.snd.snd; + Hacl_Agile_Hash_state_s *s21 = scrut.fst.thd; + Hacl_Agile_Hash_state_s *s111 = scrut.fst.snd; + copy(s111, s1_); + copy(s21, s2_); + Hacl_Streaming_Types_optional_unit k_ = Hacl_Streaming_Types_Some; + switch (k_) + { + case Hacl_Streaming_Types_None: + { + return NULL; + } + case Hacl_Streaming_Types_Some: + { + Hacl_Streaming_HMAC_agile_state + s = { .block_state = block_state1, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_HMAC_agile_state + *p = + (Hacl_Streaming_HMAC_agile_state *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_HMAC_agile_state + )); + if (p != NULL) + { + p[0U] = s; + } + if (p == NULL) + { + Hacl_Agile_Hash_state_s *s210 = block_state1.thd; + Hacl_Agile_Hash_state_s *s11 = block_state1.snd; + free_(s11); + free_(s210); + KRML_HOST_FREE(buf); + return NULL; + } + return p; + } + default: + { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, __LINE__); + KRML_HOST_EXIT(253U); + } + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", + __FILE__, + __LINE__, + "unreachable (pattern matches are exhaustive in F*)"); + KRML_HOST_EXIT(255U); +} + diff --git a/src/msvc/Lib_Memzero0.c b/src/msvc/Lib_Memzero0.c index 3d8a1e5f..4dbf55ee 100644 --- a/src/msvc/Lib_Memzero0.c +++ b/src/msvc/Lib_Memzero0.c @@ -8,12 +8,16 @@ #include #endif -#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__) +#if defined(__APPLE__) && defined(__MACH__) +#include +#endif + +#if (defined(__APPLE__) && defined(__MACH__)) || defined(__linux__) || defined(__OpenBSD__) #define __STDC_WANT_LIB_EXT1__ 1 #include #endif -#ifdef __FreeBSD__ +#if defined(__FreeBSD__) || defined(__NetBSD__) #include #endif @@ -36,10 +40,10 @@ void Lib_Memzero0_memzero0(void *dst, uint64_t len) { size_t len_ = (size_t) len; #ifdef _WIN32 - SecureZeroMemory(dst, len); - #elif defined(__APPLE__) && defined(__MACH__) + SecureZeroMemory(dst, len_); + #elif defined(__APPLE__) && defined(__MACH__) && defined(MAC_OS_X_VERSION_MIN_REQUIRED) && (MAC_OS_X_VERSION_MIN_REQUIRED >= 1090) memset_s(dst, len_, 0, len_); - #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__) + #elif (defined(__linux__) && !defined(LINUX_NO_EXPLICIT_BZERO)) || defined(__FreeBSD__) || defined(__OpenBSD__) explicit_bzero(dst, len_); #elif defined(__NetBSD__) explicit_memset(dst, 0, len_); diff --git a/src/wasm/EverCrypt_Hash.wasm b/src/wasm/EverCrypt_Hash.wasm index 1447feb3..86d36d68 100644 Binary files a/src/wasm/EverCrypt_Hash.wasm and b/src/wasm/EverCrypt_Hash.wasm differ diff --git a/src/wasm/Hacl_Bignum.wasm b/src/wasm/Hacl_Bignum.wasm index 6e090b50..0ad9988a 100644 Binary files a/src/wasm/Hacl_Bignum.wasm and b/src/wasm/Hacl_Bignum.wasm differ diff --git a/src/wasm/Hacl_Bignum256.wasm b/src/wasm/Hacl_Bignum256.wasm index b28b276b..ed099987 100644 Binary files a/src/wasm/Hacl_Bignum256.wasm and b/src/wasm/Hacl_Bignum256.wasm differ diff --git a/src/wasm/Hacl_Bignum256_32.wasm b/src/wasm/Hacl_Bignum256_32.wasm index 5fcc70ae..31c7d5a7 100644 Binary files a/src/wasm/Hacl_Bignum256_32.wasm and b/src/wasm/Hacl_Bignum256_32.wasm differ diff --git a/src/wasm/Hacl_Bignum32.wasm b/src/wasm/Hacl_Bignum32.wasm index c2102b81..b34c2c74 100644 Binary files a/src/wasm/Hacl_Bignum32.wasm and b/src/wasm/Hacl_Bignum32.wasm differ diff --git a/src/wasm/Hacl_Bignum4096.wasm b/src/wasm/Hacl_Bignum4096.wasm index 6cc1bf47..1088ab54 100644 Binary files a/src/wasm/Hacl_Bignum4096.wasm and b/src/wasm/Hacl_Bignum4096.wasm differ diff --git a/src/wasm/Hacl_Bignum4096_32.wasm b/src/wasm/Hacl_Bignum4096_32.wasm index 35bcb037..7c38ab06 100644 Binary files a/src/wasm/Hacl_Bignum4096_32.wasm and b/src/wasm/Hacl_Bignum4096_32.wasm differ diff --git a/src/wasm/Hacl_Bignum64.wasm b/src/wasm/Hacl_Bignum64.wasm index d7db1531..221c3e39 100644 Binary files a/src/wasm/Hacl_Bignum64.wasm and b/src/wasm/Hacl_Bignum64.wasm differ diff --git a/src/wasm/Hacl_Bignum_Base.wasm b/src/wasm/Hacl_Bignum_Base.wasm index e407cd78..9e75139e 100644 Binary files a/src/wasm/Hacl_Bignum_Base.wasm and b/src/wasm/Hacl_Bignum_Base.wasm differ diff --git a/src/wasm/Hacl_Ed25519.wasm b/src/wasm/Hacl_Ed25519.wasm index 5fa25fad..cdd77fd6 100644 Binary files a/src/wasm/Hacl_Ed25519.wasm and b/src/wasm/Hacl_Ed25519.wasm differ diff --git a/src/wasm/Hacl_GenericField32.wasm b/src/wasm/Hacl_GenericField32.wasm index 52efafdf..12c62b40 100644 Binary files a/src/wasm/Hacl_GenericField32.wasm and b/src/wasm/Hacl_GenericField32.wasm differ diff --git a/src/wasm/Hacl_GenericField64.wasm b/src/wasm/Hacl_GenericField64.wasm index a475b2db..fa41a05b 100644 Binary files a/src/wasm/Hacl_GenericField64.wasm and b/src/wasm/Hacl_GenericField64.wasm differ diff --git a/src/wasm/Hacl_HKDF_Blake2s_128.wasm b/src/wasm/Hacl_HKDF_Blake2s_128.wasm index 03362c9f..d3975181 100644 Binary files a/src/wasm/Hacl_HKDF_Blake2s_128.wasm and b/src/wasm/Hacl_HKDF_Blake2s_128.wasm differ diff --git a/src/wasm/Hacl_HMAC.wasm b/src/wasm/Hacl_HMAC.wasm index 8752dda8..9f478611 100644 Binary files a/src/wasm/Hacl_HMAC.wasm and b/src/wasm/Hacl_HMAC.wasm differ diff --git a/src/wasm/Hacl_HMAC_Blake2b_256.wasm b/src/wasm/Hacl_HMAC_Blake2b_256.wasm index 9ee78af8..38740139 100644 Binary files a/src/wasm/Hacl_HMAC_Blake2b_256.wasm and b/src/wasm/Hacl_HMAC_Blake2b_256.wasm differ diff --git a/src/wasm/Hacl_HMAC_Blake2s_128.wasm b/src/wasm/Hacl_HMAC_Blake2s_128.wasm index 22fce826..f9259a47 100644 Binary files a/src/wasm/Hacl_HMAC_Blake2s_128.wasm and b/src/wasm/Hacl_HMAC_Blake2s_128.wasm differ diff --git a/src/wasm/Hacl_HMAC_DRBG.wasm b/src/wasm/Hacl_HMAC_DRBG.wasm index f536237d..aac0b09e 100644 Binary files a/src/wasm/Hacl_HMAC_DRBG.wasm and b/src/wasm/Hacl_HMAC_DRBG.wasm differ diff --git a/src/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm b/src/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm index 37798d12..655c8058 100644 Binary files a/src/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm and b/src/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm differ diff --git a/src/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm b/src/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm index 2b7c2496..a4c5a62d 100644 Binary files a/src/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm and b/src/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm differ diff --git a/src/wasm/Hacl_Hash_Base.wasm b/src/wasm/Hacl_Hash_Base.wasm index 3b04e240..d32d9a3e 100644 Binary files a/src/wasm/Hacl_Hash_Base.wasm and b/src/wasm/Hacl_Hash_Base.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2b.wasm b/src/wasm/Hacl_Hash_Blake2b.wasm index 29138d3d..1d3417a0 100644 Binary files a/src/wasm/Hacl_Hash_Blake2b.wasm and b/src/wasm/Hacl_Hash_Blake2b.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm b/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm index 1e2c80b7..6afcb41e 100644 Binary files a/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm and b/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2s.wasm b/src/wasm/Hacl_Hash_Blake2s.wasm index 8e69e8f7..2e588521 100644 Binary files a/src/wasm/Hacl_Hash_Blake2s.wasm and b/src/wasm/Hacl_Hash_Blake2s.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm b/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm index b1a26f75..418dfec3 100644 Binary files a/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm and b/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm differ diff --git a/src/wasm/Hacl_Hash_MD5.wasm b/src/wasm/Hacl_Hash_MD5.wasm index 0efb5420..31caef99 100644 Binary files a/src/wasm/Hacl_Hash_MD5.wasm and b/src/wasm/Hacl_Hash_MD5.wasm differ diff --git a/src/wasm/Hacl_Hash_SHA1.wasm b/src/wasm/Hacl_Hash_SHA1.wasm index 35f56707..28c4805a 100644 Binary files a/src/wasm/Hacl_Hash_SHA1.wasm and b/src/wasm/Hacl_Hash_SHA1.wasm differ diff --git a/src/wasm/Hacl_Hash_SHA2.wasm b/src/wasm/Hacl_Hash_SHA2.wasm index 09296bcc..d4b91adb 100644 Binary files a/src/wasm/Hacl_Hash_SHA2.wasm and b/src/wasm/Hacl_Hash_SHA2.wasm differ diff --git a/src/wasm/Hacl_Hash_SHA3.wasm b/src/wasm/Hacl_Hash_SHA3.wasm index 8104d0a6..32d54dd0 100644 Binary files a/src/wasm/Hacl_Hash_SHA3.wasm and b/src/wasm/Hacl_Hash_SHA3.wasm differ diff --git a/src/wasm/Hacl_IntTypes_Intrinsics.wasm b/src/wasm/Hacl_IntTypes_Intrinsics.wasm index d63ddd1a..b5cece2c 100644 Binary files a/src/wasm/Hacl_IntTypes_Intrinsics.wasm and b/src/wasm/Hacl_IntTypes_Intrinsics.wasm differ diff --git a/src/wasm/Hacl_K256_ECDSA.wasm b/src/wasm/Hacl_K256_ECDSA.wasm index 5022a27e..a68d42d9 100644 Binary files a/src/wasm/Hacl_K256_ECDSA.wasm and b/src/wasm/Hacl_K256_ECDSA.wasm differ diff --git a/src/wasm/Hacl_MAC_Poly1305.wasm b/src/wasm/Hacl_MAC_Poly1305.wasm index c4e38920..0e7aa9de 100644 Binary files a/src/wasm/Hacl_MAC_Poly1305.wasm and b/src/wasm/Hacl_MAC_Poly1305.wasm differ diff --git a/src/wasm/Hacl_P256.wasm b/src/wasm/Hacl_P256.wasm index 017ee9e8..05109e51 100644 Binary files a/src/wasm/Hacl_P256.wasm and b/src/wasm/Hacl_P256.wasm differ diff --git a/src/wasm/Hacl_Streaming_HMAC.wasm b/src/wasm/Hacl_Streaming_HMAC.wasm new file mode 100644 index 00000000..28e3c3fd Binary files /dev/null and b/src/wasm/Hacl_Streaming_HMAC.wasm differ diff --git a/src/wasm/INFO.txt b/src/wasm/INFO.txt index e7adb2e4..32e2ddd7 100644 --- a/src/wasm/INFO.txt +++ b/src/wasm/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. -F* version: 96f90842af8c0137bdee87ccb7bd3ea92485efb6 -Karamel version: 1282f04f16a4e193f329708b22e0a4577d5dd092 +F* version: f40b6017c95e4ee8cbea5003f243da6b2cad8b78 +Karamel version: ec77220557a6f6ff5de564b789fd2e8db8bdc2a0 Vale version: 0.3.19 diff --git a/src/wasm/WasmSupport.wasm b/src/wasm/WasmSupport.wasm index 00717e5b..794daf78 100644 Binary files a/src/wasm/WasmSupport.wasm and b/src/wasm/WasmSupport.wasm differ diff --git a/src/wasm/layouts.json b/src/wasm/layouts.json index c7e414d8..3e69defb 100644 --- a/src/wasm/layouts.json +++ b/src/wasm/layouts.json @@ -1 +1 @@ -{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"K____uint64_t___uint64_t_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"K____uint32_t___uint32_t_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Layout","Hacl_Hash_Blake2b_blake2_params"]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_MAC_Poly1305_state_t":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Hash_SHA3_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["snd",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"Hacl_Hash_SHA3_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2s_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_block_state_t"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_block_state_t":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[8,["Layout","K____uint32_t___uint32_t_"]]]]}],"Hacl_Hash_Blake2s_Simd128_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_Simd128_block_state_t"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_Simd128_block_state_t":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[8,["Layout","K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_"]]]]}],"Hacl_Hash_Blake2b_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_block_state_t"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_block_state_t":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[8,["Layout","K____uint64_t___uint64_t_"]]]]}],"Hacl_Hash_Blake2b_Simd256_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_Simd256_block_state_t"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_Simd256_block_state_t":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[8,["Layout","K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_"]]]]}],"Hacl_Hash_Blake2b_index":["LFlat",{"size":2,"fields":[["key_length",[0,["Int",["A8"]]]],["digest_length",[1,["Int",["A8"]]]]]}],"Hacl_Hash_SHA2_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_7p"]]]]}],"Hacl_Hash_SHA2_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_6p"]]]]}],"Hacl_Hash_SHA2_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_5p"]]]]}],"Hacl_Hash_SHA2_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_3p"]]]]}],"Hacl_Hash_SHA2_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_2p"]]]]}],"Hacl_Hash_SHA2_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_8p"]]],["snd",[56,["Layout","Hacl_Hash_SHA2_uint8_8p"]]]]}],"Hacl_Hash_SHA2_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_4p"]]],["snd",[24,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_Blake2b_blake2_params":["LFlat",{"size":28,"fields":[["digest_length",[0,["Int",["A8"]]]],["key_length",[1,["Int",["A8"]]]],["fanout",[2,["Int",["A8"]]]],["depth",[3,["Int",["A8"]]]],["leaf_length",[4,["Int",["A32"]]]],["node_offset",[8,["Int",["A64"]]]],["node_depth",[16,["Int",["A8"]]]],["inner_length",[17,["Int",["A8"]]]],["salt",[20,["Pointer",["Int",["A8"]]]]],["personal",[24,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_state_t":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file +{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__":["LFlat",{"size":28,"fields":[["fst",[0,["Layout","Hacl_Streaming_HMAC_Definitions_two_state"]]],["snd",[16,["Layout","Hacl_Streaming_HMAC_Definitions_two_state"]]]]}],"K____uint64_t___uint64_t_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"K____uint32_t___uint32_t_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Streaming_Types_optional_64":["LFlat",{"size":8,"fields":[["tag",[0,["Int",["A32"]]]],["v",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Streaming_Types_optional_32_tags":["LEnum"],"Hacl_Streaming_Types_optional_32":["LFlat",{"size":8,"fields":[["tag",[0,["Int",["A32"]]]],["v",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_MAC_Poly1305_state_t":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Hash_SHA3_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["snd",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"Hacl_Hash_SHA3_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Streaming_HMAC_Definitions_two_state":["LFlat",{"size":12,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Layout","Hacl_Agile_Hash_state_s"]]]],["thd",[8,["Pointer",["Layout","Hacl_Agile_Hash_state_s"]]]]]}],"Hacl_Streaming_HMAC_Definitions_index":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"Hacl_Streaming_HMAC_agile_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_HMAC_Definitions_two_state"]]],["buf",[12,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2s_32"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_Simd128_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2s_128"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2b_32"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_Simd256_state_t":["LFlat",{"size":32,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2b_256"]]],["buf",[16,["Pointer",["Int",["A8"]]]]],["total_len",[24,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_32":["LFlat",{"size":24,"fields":[["tag",[0,["Int",["A32"]]]],["v",[8,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2s_32"]]]]}],"Hacl_Streaming_Blake2_Types_optional_block_state_blake2s_128":["LFlat",{"size":24,"fields":[["tag",[0,["Int",["A32"]]]],["v",[8,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2s_128"]]]]}],"Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32_tags":["LEnum"],"Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_32":["LFlat",{"size":24,"fields":[["tag",[0,["Int",["A32"]]]],["v",[8,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2b_32"]]]]}],"Hacl_Streaming_Blake2_Types_optional_block_state_blake2b_256":["LFlat",{"size":24,"fields":[["tag",[0,["Int",["A32"]]]],["v",[8,["Layout","Hacl_Streaming_Blake2_Types_block_state_blake2b_256"]]]]}],"Hacl_Streaming_Blake2_Types_block_state_blake2s_32":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[8,["Layout","K____uint32_t___uint32_t_"]]]]}],"Hacl_Streaming_Blake2_Types_block_state_blake2s_128":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[8,["Layout","K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_"]]]]}],"Hacl_Streaming_Blake2_Types_block_state_blake2b_32":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[8,["Layout","K____uint64_t___uint64_t_"]]]]}],"Hacl_Streaming_Blake2_Types_block_state_blake2b_256":["LFlat",{"size":16,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[8,["Layout","K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_"]]]]}],"Hacl_Hash_Blake2b_index":["LFlat",{"size":3,"fields":[["key_length",[0,["Int",["A8"]]]],["digest_length",[1,["Int",["A8"]]]],["last_node",[2,["Int",["A8"]]]]]}],"Hacl_Hash_Blake2b_params_and_key":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Layout","Hacl_Hash_Blake2b_blake2_params"]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_SHA2_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_7p"]]]]}],"Hacl_Hash_SHA2_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_6p"]]]]}],"Hacl_Hash_SHA2_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_5p"]]]]}],"Hacl_Hash_SHA2_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_3p"]]]]}],"Hacl_Hash_SHA2_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_2p"]]]]}],"Hacl_Hash_SHA2_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_8p"]]],["snd",[56,["Layout","Hacl_Hash_SHA2_uint8_8p"]]]]}],"Hacl_Hash_SHA2_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_4p"]]],["snd",[24,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_Blake2b_blake2_params":["LFlat",{"size":28,"fields":[["digest_length",[0,["Int",["A8"]]]],["key_length",[1,["Int",["A8"]]]],["fanout",[2,["Int",["A8"]]]],["depth",[3,["Int",["A8"]]]],["leaf_length",[4,["Int",["A32"]]]],["node_offset",[8,["Int",["A64"]]]],["node_depth",[16,["Int",["A8"]]]],["inner_length",[17,["Int",["A8"]]]],["salt",[20,["Pointer",["Int",["A8"]]]]],["personal",[24,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"state_s_tags":["LEnum"],"Hacl_Agile_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"Hacl_Agile_Hash_impl":["LEnum"],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__":["LFlat",{"size":20,"fields":[["tag",[0,["Int",["A32"]]]],["v",[8,["Layout","Hacl_Streaming_HMAC_Definitions_two_state"]]]]}],"FStar_Pervasives_Native_option___Spec_Hash_Definitions_hash_alg____uint64_t___tags":["LEnum"],"option___Spec_Hash_Definitions_hash_alg____uint64_t__":["LFlat",{"size":16,"fields":[["tag",[0,["Int",["A32"]]]],["v",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"option___uint8_t_":["LFlat",{"size":8,"fields":[["tag",[0,["Int",["A32"]]]],["v",[4,["Pointer",["Int",["A8"]]]]]]}],"option___EverCrypt_Hash_state_s_":["LFlat",{"size":8,"fields":[["tag",[0,["Int",["A32"]]]],["v",[4,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]]]}],"EverCrypt_Hash_Incremental_state_t":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file diff --git a/src/wasm/main.html b/src/wasm/main.html index 8e3823bf..7aa63b76 100644 --- a/src/wasm/main.html +++ b/src/wasm/main.html @@ -8,7 +8,7 @@ diff --git a/src/wasm/shell.js b/src/wasm/shell.js index 28a02c3e..618502b1 100644 --- a/src/wasm/shell.js +++ b/src/wasm/shell.js @@ -1,7 +1,7 @@ // To be loaded by main.js var my_js_files = ["./test.js"]; -var my_modules = ["WasmSupport", "FStar", "LowStar_Endianness", "Hacl_Impl_Blake2_Constants", "Hacl_Lib", "Hacl_Hash_Blake2b", "Hacl_Hash_Blake2s", "Hacl_Hash_Blake2b_Simd256", "Hacl_Hash_Blake2s_Simd128", "Hacl_Hash_Base", "Hacl_Hash_SHA1", "Hacl_Hash_SHA2", "Hacl_HMAC", "Hacl_HMAC_Blake2s_128", "Hacl_HMAC_Blake2b_256", "Hacl_Hash_SHA3", "Hacl_Hash_SHA3_Simd256", "Hacl_Hash_MD5", "EverCrypt_TargetConfig", "EverCrypt", "Vale", "EverCrypt_Hash", "Hacl_Chacha20", "Hacl_Chacha20_Vec128_Hacl_Chacha20_Vec256", "Hacl_Salsa20", "Hacl_IntTypes_Intrinsics", "Hacl_Bignum_Base", "Hacl_Bignum", "Hacl_Bignum25519_51", "Hacl_Curve25519_51", "Hacl_MAC_Poly1305", "Hacl_AEAD_Chacha20Poly1305", "Hacl_Poly1305_128_Hacl_Poly1305_256_Hacl_Impl_Poly1305", "Hacl_AEAD_Chacha20Poly1305_Simd128", "Hacl_AEAD_Chacha20Poly1305_Simd256", "Hacl_Ed25519_PrecompTable", "Hacl_Ed25519", "Hacl_NaCl", "Hacl_P256_PrecompTable", "Hacl_P256", "Hacl_Bignum_K256", "Hacl_K256_PrecompTable", "Hacl_K256_ECDSA", "Hacl_HKDF", "Hacl_HPKE_Curve51_CP32_SHA256", "Hacl_HPKE_Curve51_CP32_SHA512", "Hacl_GenericField32", "Hacl_SHA2_Vec256", "Hacl_EC_K256", "Hacl_Bignum4096", "Hacl_Chacha20_Vec32", "Hacl_Bignum4096_32", "Hacl_HKDF_Blake2s_128", "Hacl_GenericField64", "Hacl_Bignum32", "Hacl_Bignum256_32", "Hacl_SHA2_Vec128", "Hacl_HMAC_DRBG", "Hacl_Bignum64", "Hacl_HKDF_Blake2b_256", "Hacl_EC_Ed25519", "Hacl_Bignum256"]; +var my_modules = ["WasmSupport", "FStar", "LowStar_Endianness", "Hacl_Impl_Blake2_Constants", "Hacl_Lib", "Hacl_Hash_Blake2b", "Hacl_Hash_Blake2s", "Hacl_Hash_Blake2b_Simd256", "Hacl_Hash_Blake2s_Simd128", "Hacl_Hash_Base", "Hacl_Hash_MD5", "Hacl_Hash_SHA1", "Hacl_Hash_SHA3", "Hacl_Hash_SHA2", "Hacl_HMAC", "Hacl_HMAC_Blake2s_128", "Hacl_HMAC_Blake2b_256", "Hacl_Hash_SHA3_Simd256", "EverCrypt_TargetConfig", "EverCrypt", "Vale", "EverCrypt_Hash", "Hacl_Chacha20", "Hacl_Chacha20_Vec128_Hacl_Chacha20_Vec256", "Hacl_Salsa20", "Hacl_IntTypes_Intrinsics", "Hacl_Bignum_Base", "Hacl_Bignum", "Hacl_Bignum25519_51", "Hacl_Curve25519_51", "Hacl_MAC_Poly1305", "Hacl_AEAD_Chacha20Poly1305", "Hacl_Poly1305_128_Hacl_Poly1305_256_Hacl_Impl_Poly1305", "Hacl_AEAD_Chacha20Poly1305_Simd128", "Hacl_AEAD_Chacha20Poly1305_Simd256", "Hacl_Ed25519_PrecompTable", "Hacl_Ed25519", "Hacl_NaCl", "Hacl_P256_PrecompTable", "Hacl_P256", "Hacl_Bignum_K256", "Hacl_K256_PrecompTable", "Hacl_K256_ECDSA", "Hacl_HKDF", "Hacl_HPKE_Curve51_CP32_SHA256", "Hacl_HPKE_Curve51_CP32_SHA512", "Hacl_Streaming_HMAC", "Hacl_GenericField32", "Hacl_SHA2_Vec256", "Hacl_EC_K256", "Hacl_Bignum4096", "Hacl_Chacha20_Vec32", "Hacl_Bignum4096_32", "Hacl_HKDF_Blake2s_128", "Hacl_GenericField64", "Hacl_Bignum32", "Hacl_Bignum256_32", "Hacl_SHA2_Vec128", "Hacl_HMAC_DRBG", "Hacl_Bignum64", "Hacl_HKDF_Blake2b_256", "Hacl_EC_Ed25519", "Hacl_Bignum256"]; var my_debug = false; if (typeof module !== "undefined") diff --git a/vale/include/Vale.h b/vale/include/Vale.h index bc5b8d4a..7b24f3db 100644 --- a/vale/include/Vale.h +++ b/vale/include/Vale.h @@ -30,10 +30,7 @@ extern "C" { #endif -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" +#include "libintvector.h" extern uint64_t add_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); @@ -41,8 +38,6 @@ extern uint64_t fadd_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); extern uint64_t sha256_update(uint32_t *x0, uint8_t *x1, uint64_t x2, uint32_t *x3); -extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3); - extern uint64_t check_aesni(void); extern uint64_t check_sha(void); @@ -183,6 +178,8 @@ extern uint64_t fmul_scalar_e(uint64_t *x0, uint64_t *x1, uint64_t x2); extern uint64_t fsub_e(uint64_t *x0, uint64_t *x1, uint64_t *x2); +extern uint64_t x64_poly1305(uint8_t *x0, uint8_t *x1, uint64_t x2, uint64_t x3); + #if defined(__cplusplus) } #endif